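/// <summary>
/// Builds the semantic units for a CreateProcess call: one CreateProcessSemanticUnit,
/// preceded by one CodeInjectionSemanticUnit for every consumer of the call whose
/// parameter is a CreateRemoteThreadParameter.
/// </summary>
/// <param name="s">Sequence unit whose API parameter is a CreateProcessParameter.</param>
/// <returns>Any code-injection units first, then the process unit.</returns>
static List <SemanticUnit> OnCreateProcess(SequenceUnit s)
        {
            var units   = new List<SemanticUnit>();
            var created = (CreateProcessParameter)s.API.Parameter;
            var process = new CreateProcessSemanticUnit();

            // The image name comes straight from the recorded call. A missing name is
            // normalised to "" instead of raising NullReferenceException.
            // NOTE(review): ToUpper() uses the current culture; confirm whether invariant
            // casing is wanted so results do not depend on the analysis host's locale.
            process.ProcessName = (created.ProcessName ?? string.Empty).ToUpper().Trim();

            foreach (APIUnit consumer in s.Consumers)
            {
                if (consumer.Parameter is CreateRemoteThreadParameter)
                {
                    process.Injected = true;
                    units.Add(new CodeInjectionSemanticUnit());
                }
            }

            // "Dropped" means the started image equals a path the sample passed to CreateFile.
            // Only real, non-empty CreateFile paths are candidates. The previous version put
            // "" into the candidate list for every non-CreateFile API, so a CreateProcess
            // record with an empty name was always reported as dropped (a false positive).
            // NOTE(review): the comparison is on the whole string; a bare image name will not
            // match a full created path - confirm that this is the intended rule.
            process.Dropped = false;
            if (process.ProcessName.Length > 0)
            {
                foreach (APIUnit api in sample.APIs)
                {
                    if (api == null)
                    {
                        continue;
                    }

                    var fileParam = api.Parameter as CreateFileParameter;
                    if (fileParam == null || string.IsNullOrEmpty(fileParam.Path))
                    {
                        continue;
                    }

                    // Trim the candidate too, since ProcessName was trimmed above.
                    if (string.Equals(fileParam.Path.Trim(), process.ProcessName, StringComparison.OrdinalIgnoreCase))
                    {
                        process.Dropped = true;
                        break;
                    }
                }
            }

            units.Add(process);
            return units;
        }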
        /// <summary>
        /// Produces the semantic unit for a Process32First call. No parameter values are
        /// copied; the unit only records that the call occurred.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a Process32FirstParameter.</param>
        /// <returns>A list holding a single Process32FirstSemanticUnit.</returns>
        static List <SemanticUnit> OnProcess32First(SequenceUnit s)
        {
            // The cast result is not used; it is kept because it throws InvalidCastException
            // when the handler is invoked for a different parameter type.
            var typeChecked = (Process32FirstParameter)s.API.Parameter;

            var units = new List<SemanticUnit>();
            units.Add(new Process32FirstSemanticUnit());
            return units;
        }
        /// <summary>
        /// Produces the semantic unit for a CreateToolhelp32Snapshot call, carrying over the
        /// snapshot flags recorded with the call.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a CreateToolhelp32Snapshot.</param>
        /// <returns>A list holding a single CreateToolHelpSemanticUnit.</returns>
        static List <SemanticUnit> OnCreateToolHelp(SequenceUnit s)
        {
            var snapshot = (CreateToolhelp32Snapshot)s.API.Parameter;

            return new List<SemanticUnit>
            {
                new CreateToolHelpSemanticUnit { Flags = snapshot.Flags }
            };
        }
        /// <summary>
        /// Produces the semantic unit for a SetWindowsHook call; the recorded hook type is
        /// stored as the unit's HookMode.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a SetWindowsHookParameter.</param>
        /// <returns>A list holding a single SetWindowsHookSemanticUnit.</returns>
        static List <SemanticUnit> OnSetWindowsHook(SequenceUnit s)
        {
            var hook = (SetWindowsHookParameter)s.API.Parameter;

            return new List<SemanticUnit>
            {
                new SetWindowsHookSemanticUnit { HookMode = hook.HookType }
            };
        }
        /// <summary>
        /// Produces the semantic unit for a socket bind call, recording the port taken from
        /// the call's ConnectionParameter.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a ConnectionParameter.</param>
        /// <returns>A list holding a single SocketBindSemanticUnit.</returns>
        static List <SemanticUnit> OnSocketBind(SequenceUnit s)
        {
            var connection = (ConnectionParameter)s.API.Parameter;

            return new List<SemanticUnit>
            {
                new SocketBindSemanticUnit { Port = connection.Port }
            };
        }
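        /// <summary>
        /// Produces the semantic unit for a ShellExecute call: the target name (working
        /// directory combined with the file name) and the argument string.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a ShellExecuteParameter.</param>
        /// <returns>A list holding a single ShellExecuteSemanticUnit.</returns>
        static List <SemanticUnit> OnShellExecute(SequenceUnit s)
        {
            var shell = (ShellExecuteParameter)s.API.Parameter;
            var unit  = new ShellExecuteSemanticUnit();

            string directory = shell.Directory;
            string file      = shell.Name;

            // Both strings come from the recorded call and may be missing or malformed.
            // Path.Combine throws ArgumentNullException on a null part, which previously
            // aborted the handler; fall back to whichever part is present instead.
            if (string.IsNullOrEmpty(directory) || string.IsNullOrEmpty(file))
            {
                unit.Name = string.IsNullOrEmpty(file) ? directory : file;
            }
            else
            {
                try
                {
                    // When the file name is already rooted, Path.Combine returns it unchanged
                    // and ignores the directory.
                    unit.Name = Path.Combine(directory, file);
                }
                catch (ArgumentException)
                {
                    // Characters that Path rejects: keep the raw file name rather than lose the unit.
                    unit.Name = file;
                }
            }

            unit.Parameters = shell.Parameters;

            var units = new List<SemanticUnit>();
            units.Add(unit);
            return units;
        }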
        /// <summary>
        /// Produces the semantic unit for a CreateService call, copying the service name and
        /// mode from the recorded parameter.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a CreateServiceParameter.</param>
        /// <returns>A list holding a single CreateServiceSemanticUnit.</returns>
        static List <SemanticUnit> OnCreateService(SequenceUnit s)
        {
            var service = (CreateServiceParameter)s.API.Parameter;

            var unit = new CreateServiceSemanticUnit
            {
                Name = service.Name,
                // Open question carried over from the original code: "Drop service?"
                Mode = service.Mode
            };

            return new List<SemanticUnit> { unit };
        }
        /// <summary>
        /// Produces the semantic unit for a FindFirstFile call; the search pattern is stored
        /// upper-cased and trimmed.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a FindFirstFileParameter.</param>
        /// <returns>A list holding a single FindFirstFileSemanticUnit.</returns>
        static List <SemanticUnit> OnFindFirstFile(SequenceUnit s)
        {
            var search = (FindFirstFileParameter)s.API.Parameter;

            // NOTE(review): ToUpper() uses the current culture, so the normalised pattern can
            // differ between analysis hosts with different locales - confirm this is acceptable.
            string normalisedPattern = search.FileName.ToUpper().Trim();

            return new List<SemanticUnit>
            {
                new FindFirstFileSemanticUnit { Pattern = normalisedPattern }
            };
        }
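        /// <summary>
        /// Produces the semantic unit for a URLDownloadToFile call: source URL, destination
        /// file path, the operation label "Download" and, when it can be derived, the
        /// destination directory.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a UrlDownloadToFileParameter.</param>
        /// <returns>A list holding a single InternetOperationSemanticUnit.</returns>
        static List <SemanticUnit> OnUrlDownloadFile(SequenceUnit s)
        {
            // Direct cast, as in the sibling handlers: a mismatched parameter type now fails
            // with InvalidCastException at this line instead of a NullReferenceException on
            // the first property access after an unchecked "as".
            var download = (UrlDownloadToFileParameter)s.API.Parameter;

            var unit = new InternetOperationSemanticUnit();
            unit.URL       = download.Url;
            unit.FilePath  = download.FilePath;
            unit.Operation = "Download";

            // The destination path is recorded input and may not be a well-formed path.
            // Deriving the directory is best effort: on failure FileDirectory keeps its default.
            try
            {
                unit.FileDirectory = Path.GetDirectoryName(download.FilePath);
            }
            catch (ArgumentException)
            {
                // Path contains characters that Path rejects.
            }
            catch (PathTooLongException)
            {
                // Path exceeds the platform limit.
            }

            var units = new List<SemanticUnit>();
            units.Add(unit);
            return units;
        }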
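        /// <summary>
        /// Produces one RuntimeLoadingSemanticUnit per consumer of a LoadLibrary call, pairing
        /// the upper-cased, trimmed library name with the procedure name taken from the
        /// consumer's GetProcAddressParameter. A call with no consumers yields an empty list.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a LoadLibraryParameter.</param>
        /// <returns>One unit per consumer, in consumer order.</returns>
        static List <SemanticUnit> OnLoadLibrary(SequenceUnit s)
        {
            // The original also allocated a RuntimeLoadingSemanticUnit that was never used;
            // that dead allocation is removed.
            var units  = new List<SemanticUnit>();
            var loaded = (LoadLibraryParameter)s.API.Parameter;

            foreach (APIUnit consumer in s.Consumers)
            {
                // Normalised inside the loop on purpose: with no consumers the library name
                // is never dereferenced.
                string module = loaded.LibraryName.ToUpper().Trim();

                // NOTE(review): this hard cast throws InvalidCastException if a consumer is
                // anything other than GetProcAddress - confirm that the sequence builder
                // guarantees this, otherwise units built so far are lost with the exception.
                var resolved = (GetProcAddressParameter)consumer.Parameter;

                units.Add(new RuntimeLoadingSemanticUnit()
                {
                    Module   = module,
                    Function = resolved.Proc
                });
            }
            return units;
        }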
        /// <summary>
        /// Produces one RegSetValueSemanticUnit per consumer of a RegOpenKey call. The unit's
        /// Value is "HKEY-as-hex\SubKey\ValueName" and its Data is the written data, both
        /// upper-cased and trimmed. A call with no consumers yields an empty list.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a RegOpenKeyParameter.</param>
        /// <returns>One unit per consumer, in consumer order.</returns>
        static List <SemanticUnit> OnRegOpenKey(SequenceUnit s)
        {
            var opened = (RegOpenKeyParameter)s.API.Parameter;
            var units  = new List<SemanticUnit>();

            foreach (APIUnit consumer in s.Consumers)
            {
                // NOTE(review): every consumer is assumed to be a RegSetValue call; any other
                // parameter type makes this cast throw InvalidCastException - confirm upstream.
                var written = (RegSetValueParameter)consumer.Parameter;

                // NOTE(review): if HKey is an IntPtr, ToInt32() throws OverflowException in a
                // 64-bit process when the handle value does not fit in 32 bits - confirm how
                // the predefined hive handles are stored.
                string fullName = string.Format(@"{0:X2}\{1}\{2}", opened.HKey.ToInt32(), opened.SubKey, written.Value);

                var unit = new RegSetValueSemanticUnit();
                unit.Value = fullName.ToUpper().Trim();
                unit.Data  = written.Data.ToUpper().Trim();
                units.Add(unit);
            }

            return units;
        }
        /// <summary>
        /// Produces the semantic unit for a DeleteFile call. The unit's File is the
        /// upper-cased, trimmed directory of the deleted path (or the raw path when the
        /// directory cannot be derived); Extension is the upper-cased extension, replaced by
        /// "EXE" when IsExecutable reports the path as executable.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a DeleteFileParameter.</param>
        /// <returns>A list holding a single DeleteFileSemanticUnit.</returns>
        static List <SemanticUnit> OnDeleteFile(SequenceUnit s)
        {
            var deleted = (DeleteFileParameter)s.API.Parameter;
            var unit    = new DeleteFileSemanticUnit();

            try
            {
                // GetDirectoryName returns null for a null or root path; the resulting
                // NullReferenceException is what routes those inputs to the fallback below.
                string directory = Path.GetDirectoryName(deleted.File);
                unit.File = directory.ToUpper().Trim();
            }
            catch
            {
                // NOTE(review): the fallback value is stored without the upper-case/trim
                // normalisation applied on the normal path - confirm consumers tolerate that.
                unit.File = deleted.File;
            }

            try
            {
                string extension = Path.GetExtension(deleted.File);
                unit.Extension = extension.ToUpper().Trim();
            }
            catch
            {
                // Best effort: Extension keeps its default when the path cannot be parsed.
            }

            // Path.GetExtension keeps the leading dot, whereas this override stores "EXE"
            // without one.
            if (IsExecutable(deleted.File))
            {
                unit.Extension = "EXE";
            }

            return new List<SemanticUnit> { unit };
        }
        /// <summary>
        /// Produces the semantic unit for a CreateFile call: access and mode as recorded, the
        /// upper-cased, trimmed directory of the path (or the raw path when the directory
        /// cannot be derived), and the upper-cased extension, replaced by "EXE" when
        /// IsExecutable reports the path as executable.
        /// </summary>
        /// <param name="s">Sequence unit whose API parameter is a CreateFileParameter.</param>
        /// <returns>A list holding a single CreateFileSemanticUnit.</returns>
        static List <SemanticUnit> OnCreateFile(SequenceUnit s)
        {
            var opened = (CreateFileParameter)s.API.Parameter;
            var unit   = new CreateFileSemanticUnit
            {
                Access = opened.Access,
                Mode   = opened.Mode
            };

            try
            {
                // GetDirectoryName returns null for a null or root path; the resulting
                // NullReferenceException is what routes those inputs to the fallback below.
                string directory = Path.GetDirectoryName(opened.Path);
                unit.Directory = directory.ToUpper().Trim();
            }
            catch
            {
                // NOTE(review): the fallback value is stored without the upper-case/trim
                // normalisation applied on the normal path - confirm consumers tolerate that.
                unit.Directory = opened.Path;
            }

            try
            {
                string extension = Path.GetExtension(opened.Path);
                unit.Extension = extension.ToUpper().Trim();
            }
            catch
            {
                // Best effort: Extension keeps its default when the path cannot be parsed.
            }

            // Path.GetExtension keeps the leading dot, whereas this override stores "EXE"
            // without one.
            if (IsExecutable(opened.Path))
            {
                unit.Extension = "EXE";
            }

            return new List<SemanticUnit> { unit };
        }