public void run(SignatureController patterns)
{
t = new Thread(() =>
{
Result = PatternAnalyzer.AnalyzeByteArray(this.Buffer, patterns);
this.Buffer = null;
Complete = true;
});
t.IsBackground = true;
t.SetApartmentState(ApartmentState.MTA);
t.Start();
}
public static Signature ScanProcess(System.Diagnostics.Process process, ref SignatureController Signatures)
{
try
{
if (process.ProcessName == "runnable")
{
//System.IO.File.WriteAllBytes("dump.txt", buffer);
Console.Write("");
}
// Get the start address of the main module
int regionStart = process.MainModule.EntryPointAddress.ToInt32();
int regionEnd = 0;
// Could add multiple module support here ...
// for now just get end address
regionEnd = process.MainModule.ModuleMemorySize;
// Create variables to read the block
byte[] buffer = new byte[regionEnd];
IntPtr zero = IntPtr.Zero;
// Try to read the section
ReadProcessMemory(process.Handle, (IntPtr)regionStart, buffer, (UInt32)buffer.Length, out zero);
//if (zero != IntPtr.Zero)
{
// Run a scan pass of the buffer
var result = PatternAnalyzer.AnalyzeByteArray(buffer, Signatures);
// Check for results
if (result != null)
{
return(result);
}
}
// nothing found
return(null);
}
catch (Exception ex)
{
return(null);
}
//throw new NotImplementedException();
}
/// <summary>
/// Non referenced file scan
/// </summary>
/// <param name="filePath">File to scan.</param>
/// <param name="Signatures">Signatures to scan with</param>
/// <returns>Null or signature matching or found in file. </returns>
//public static ScanResultArgs ScanFile(string filePath, SignatureController Signatures)
//{
// return ScanFile(filePath, ref Signatures);
//}
/// <summary>
/// Performs a scan on the provided file
/// </summary>
/// <param name="filePath">The file to scan.</param>
/// <param name="Signatures">The signature controller</param>
/// <param name="cached">The cache controller</param>
/// <returns>Null or a signature</returns>
public static ScanResultArgs ScanFile(string filePath, SignatureController Signatures)
{
//return ScanFileV2(filePath, Signatures);
try
{
// Final args to return
var args = new ScanResultArgs();
// *** NEW ***
// Create a new filestream to read the file with
FileStream fs = new FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite);
// Before performing any kind of scan, we need to make sure it's a executable file
if (!isScannable(filePath))
{
// If it's not, return null and theres no point of scanning it
//return null;
return(new ScanResultArgs()
{
Detection = null, Size = fs.Length
});
}
// Determine if the file is too large to scan based on settings
if (fs.Length > Settings.MaxFileSize)
{
// If so, just return null...
return(new ScanResultArgs()
{
Detection = null, Size = fs.Length
});
}
// ***********
// Some local variables to store scan information in
//byte[] hash = MD5.quickMD5(filePath);
// If a cache database is supplied with the scan request
//if (cached != null)
//{
// // Try to obtain a md5 hash from the file (see exception below for possible issues)
// //hash = MD5.FromFile(ref fs);
// hash = MD5.quickMD5(filePath);
// // Check the file cache to see if the file has already been scanned
// var found = cached.GetById(hash);
// // If a cached item was found in the db
// if(found != null)
// {
// // Return the matching signature if any...
// //return Signatures.GetById(found.SignatureId);
// return new ScanResultArgs() { Detection = Signatures.GetById(found.SignatureId), Size = fs.Length, Cached = found };
// }
//}
// Either the file cache database is not being used or no entry was found
// So we must perform a new scan on the file
byte[] buffer = new byte[1024 * Settings.BufferSize]; // Scan in 32kb increments
int read = -1; // count how many bytes have been read on each read here
// Make sure our buffer isn't bigger than the file
if (buffer.Length > fs.Length)
{
// If it is, resize the buffer accordinly
buffer = new byte[fs.Length];
}
// While there is data to read in the file stream
while (read != 0)
{
// Attempt to read the buffered amount..
read = fs.Read(buffer, 0, buffer.Length);
// If the buffered amount if greater than the amount read...
// Lets shrink buffer to speed up the pattern search
if (read < buffer.Length)
{
Array.Resize(ref buffer, read);
}
// Analyze the buffer with the pattern analyzer
var result = PatternAnalyzer.AnalyzeByteArray(buffer, Signatures);
// try version 2....
//var result = PatternAnalyzer.AnyalyzeByteArrayv2(buffer, Signatures);
// If the result is not null... a detection was found
if (result != null)
{
// Create args before closing
args = new ScanResultArgs()
{
Detection = result,
Size = fs.Length,
};
// Detected upx packing...
if (args.Detection.Definition == "PACKED")
{
// UPX ISNT WORKING YET
//return new ScanResultArgs() { Detection = null, Size = 0 };
// unpack the file and store the unpacked path...
string unpacked = API.UPXHelper.UnpackFile(filePath);
// Perform another scan
args = ScanFile(unpacked, Signatures);
// this was an unpacked program...
//if(args.Detection != null)
//{
// //args.Detection.Definition = args.Detection.Definition + "/UPX";
//}
// delete the unpacked file
File.DeleteFile(unpacked);
// Remove the unpacked file from white lsit
Settings.WhiteList.Remove(unpacked);
}
// We already detected the threat so we do not need to read any more..
fs.Dispose();
// return the threat
return(args);
}
}
// We finished reading the file and no threat was detected
// Time to clean and and may be log to cache
// Create clean args
args = new ScanResultArgs()
{
Detection = null,
Size = fs.Length,
};
// Close up the file stream
fs.Close();
fs.Dispose();
// clear buffer
buffer = null;
// Return a clean scan
return(args);
}
catch (Exception ex) // for debugging purposes
{
#if DEBUG
Console.WriteLine(ex.Message);
#endif
// Throw an exception with info about what may have caused the error.
throw new Exception(String.Format("[2] Unable to scan file at location {0}. File may be use or additional rights may be required.", filePath));
//return new ScanResultArgs() { Detection = null, Size = 0 };
}
}