private static void StaticAnalyzeThreadFunc(string _method, string _target, StaticAnalyzeCppWrap _StaticAnalyzeCppWrapInst, System.Windows.Forms.NotifyIcon _notifyIcon)
{
IToolResParse resParser = GetTool(_method, _target);
if (_method == "csharp")
{
string[] args_arr = new string[] { _target };
de4dot.cui.Program.Main(args_arr);
}
else if (_method == "cpp")
{
string _toolpath = @"..\..\..\__LIBS\Manalyze\bin\manalyze.exe";
string _argflags = "--output=json --hashes --plugins=all";
string _fext = ".cpp.res.txt";
SAManager.RunToolOutCapture(_target, _toolpath, _argflags, _fext);
}
else if (_method == "yara")
{
string _toolpath = @"..\..\..\__LIBS\YARA\yara64.exe";
string _argflags = @"..\..\..\__LIBS\YARA\rules\index.yar -w";
string _fext = ".yara.res.txt";
SAManager.RunToolOutCapture(_target, _toolpath, _argflags, _fext);
}
ResContainer res = resParser.ParseResVerbose();
_notifyIcon.Visible = true;
string appInfo = string.Empty;
if (res.isMalware)
{
_notifyIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + _target, System.Windows.Forms.ToolTipIcon.Error);
appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
}
if (res.isSuspicious)
{
_notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
}
else
{
_notifyIcon.ShowBalloonTip(5000, "Nothing Suspitious in App", "App: " + _target, System.Windows.Forms.ToolTipIcon.Info);
}
}
private void Read()
{
Console.WriteLine("C# pipe server Read");
//Client client = (Client)clientObj;
//clientse.stream = new FileStream(clientse.handle, FileAccess.ReadWrite, BUFFER_SIZE, true);
byte[] buffer = null;
ASCIIEncoding encoder = new ASCIIEncoding();
while (true)
{
int bytesRead = 0;
try {
buffer = new byte[BUFFER_SIZE];
bytesRead = clientse.stream.Read(buffer, 0, BUFFER_SIZE);
} catch {
//read error has occurred
break;
}
//client has disconnected
if (bytesRead == 0)
{
break;
}
//fire message received event
//if (this.MessageReceived != null)
// this.MessageReceived(clientse, encoder.GetString(buffer, 0, bytesRead));
int ReadLength = 0;
for (int i = 0; i < BUFFER_SIZE; i++)
{
if (buffer[i].ToString("x2") != "cc")
{
ReadLength++;
}
else
{
break;
}
}
if (ReadLength > 0)
{
byte[] Rc = new byte[ReadLength];
Buffer.BlockCopy(buffer, 0, Rc, 0, ReadLength);
//Console.WriteLine("C# App: Received " + ReadLength + " Bytes: " + retstr);
//Console.WriteLine("C# App: Received " + ReadLength + " Bytes: " + ByteArrayToString(Rc));
byte[] RcTrail = removeTrailingNulls(Rc);
string retstr = encoder.GetString(RcTrail, 0, RcTrail.Length);
Console.WriteLine("C# App: Received " + ReadLength + " Bytes: " + retstr);
buffer.Initialize();
if (method == "console")
{
string _target = "console.txt";
string _consoleIOCS = "consoleIOCS.txt";
System.IO.File.WriteAllText(_target, retstr);
string _toolpath = @"java";
string _argflags =
"-jar similarity-uniform-fuzzy-hash-1.8.4.jar -cfh "
+ _target + " " + _consoleIOCS + " -f 3 -x";
string _fext = "res.console.txt";
Console.WriteLine("CONSOOOLE " + _argflags);
IToolResParse resParser = new ToolResParse_ConsoleMon(_fext);
SAManager.RunToolOutCapture("", _toolpath, _argflags, _fext);
ResContainer res = resParser.ParseResVerbose();
notIcon.Visible = true;
if (res.isMalware)
{
notIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + processname, System.Windows.Forms.ToolTipIcon.Error);
}
else if (res.isSuspicious)
{
notIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + processname, System.Windows.Forms.ToolTipIcon.Warning);
}
}
else if (method == "apimon")
{
string _target = "apimon.txt";
System.IO.File.WriteAllText(_target, retstr);
IToolResParse resParser = new ToolResParse_ApiMon(_target);
ResContainer res = resParser.ParseResVerbose();
notIcon.Visible = true;
if (res.isMalware)
{
notIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + processname, System.Windows.Forms.ToolTipIcon.Error);
}
else if (res.isSuspicious)
{
notIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + processname, System.Windows.Forms.ToolTipIcon.Warning);
}
}
}
}
//clean up resources
clientse.stream.Close();
clientse.handle.Close();
}
private static void StaticAnalyzeThreadFunc(
string _method,
string _target,
System.Windows.Forms.NotifyIcon _notifyIcon,
System.Windows.Forms.TextBox _info_textbox
)
{
if (_target == null)
{
return;
}
IToolResParse resParser = GetTool(_method, _target);
if (resParser == null)
{
return;
}
System.Console.WriteLine(_method);
System.Console.WriteLine(_target);
System.Console.WriteLine(_notifyIcon.ToString());
if (!File.Exists(_target))
{
return;
}
if (_method == "csharp")
{
Console.WriteLine("csharp analyze.");
string[] args_arr = new string[] { _target };
de4dot.cui.Program.Main(args_arr);
Console.WriteLine("csharp done.");
}
else if (_method == "cpp")
{
string _toolpath = @"Manalyze\bin\manalyze.exe";
string _argflags = "--output=json --hashes --plugins=all";
string _fext = ".cpp.res.txt";
SAManager.RunToolOutCapture(_target, _toolpath, _argflags, _fext);
}
else if (_method == "yara")
{
string _toolpath = @"YARA\yara64.exe";
string _argflags = @"YARA\rules\index.yar -w";
string _fext = ".yara.res.txt";
SAManager.RunToolOutCapture(_target, _toolpath, _argflags, _fext);
}
ResContainer res = resParser.ParseResVerbose();
if (res == null)
{
return;
}
_notifyIcon.Visible = true;
_info_textbox.Clear();
string appInfo = string.Empty;
if (res.isMalware)
{
_notifyIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + _target, System.Windows.Forms.ToolTipIcon.Error);
appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
_info_textbox.Text = appInfo;
}
else if (res.isSuspicious)
{
_notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
_info_textbox.Text = appInfo;
}
else
{
_notifyIcon.ShowBalloonTip(5000, "Nothing Suspitious in App", "App: " + _target, System.Windows.Forms.ToolTipIcon.Info);
_info_textbox.Text = appInfo;
}
}
