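/// <summary>
/// Checks one module loaded in the current process against the EDR keyword list.
/// The module path and the metadata string returned by
/// <see cref="FileChecker.GetFileInfo"/> are joined and every entry of
/// <see cref="EDRData.edrlist"/> is searched for as a substring.
/// </summary>
/// <param name="module">Module to inspect; only its <c>FileName</c> is used.</param>
/// <returns>
/// A report line of the form <c>"\t[-] {path} : {kw1, kw2}\n"</c> when at least one
/// keyword matched, an empty string when nothing matched, or a
/// "Failed to perform checks" line when inspecting the module threw.
/// Details are also written to the console.
/// </returns>
private static string CheckModule(ProcessModule module)
{
    // Captured up front so the catch block can still name the module if reading
    // FileName itself is what threw (the original re-read it inside catch).
    var fileName = "<unknown>";
    try
    {
        fileName = module.FileName;
        var metadata = $"{FileChecker.GetFileInfo(fileName)}";
        var allattribs = $"{fileName} - {metadata}";

        var matches = new List<string>();
        foreach (var edrstring in EDRData.edrlist)
        {
            // An empty keyword would match every module; skip it rather than flag the world.
            if (string.IsNullOrEmpty(edrstring))
            {
                continue;
            }

            // Ordinal, case-insensitive search. ToLower()+Contains() is culture-sensitive
            // (e.g. Turkish dotless i) and could silently miss a keyword — a false negative
            // for a detection tool. Note this is still a plain substring match, so short
            // keywords can produce false positives on unrelated paths.
            if (allattribs.IndexOf(edrstring, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                matches.Add(edrstring);
            }
        }

        if (matches.Count > 0)
        {
            Console.WriteLine("[-] Suspicious modload found in your process:" +
                              $"\n\tSuspicious Module: {fileName}" +
                              $"\n\tFile Metadata: {metadata}" +
                              $"\n[!] Matched on: {string.Join(", ", matches)}\n");
            return $"\t[-] {fileName} : {string.Join(", ", matches)}\n";
        }

        return "";
    }
    catch (Exception e)
    {
        // Best-effort tool: report the failure for this module and let the caller continue.
        Console.WriteLine($"[-] Errored on checking individual module: {fileName}\n{e.Message}\n{e.StackTrace}");
        return $"\t[-] {fileName} : Failed to perform checks\n";
    }
}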
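/// <summary>
/// Checks one Win32_Service instance against the EDR keyword list. The service's
/// Name, DisplayName, Description, Caption and PathName are joined together with the
/// metadata of the service binary (when a <c>.exe</c> path can be cut out of PathName)
/// and every entry of <see cref="EDRData.edrlist"/> is searched for as a substring.
/// </summary>
/// <param name="service">WMI service object; read via its indexer, so missing properties throw.</param>
/// <returns>
/// A report line of the form <c>"\t[-] {name} : {kw1, kw2}\n"</c> when at least one
/// keyword matched, an empty string when nothing matched, or a
/// "Failed to perform checks" line when inspecting the service threw.
/// Details are also written to the console.
/// </returns>
private static string CheckService(ManagementBaseObject service)
{
    // Captured up front so the catch block does not have to re-read the WMI object.
    object serviceName = "<unknown>";
    try
    {
        serviceName = service["Name"];
        var serviceDisplayName = service["DisplayName"];
        var serviceDescription = service["Description"];
        var serviceCaption = service["Caption"];
        var servicePathName = service["PathName"];
        var serviceState = service["State"];
        var servicePID = service["ProcessId"];

        var metadata = "";
        var allattribs = $"{serviceName} - " +
                         $"{serviceDisplayName} - " +
                         $"{serviceDescription} - " +
                         $"{serviceCaption} - " +
                         $"{servicePathName}";

        if (servicePathName != null)
        {
            // PathName is the service command line ("C:\path\svc.exe" -args); keep
            // everything up to and including the first ".exe" and drop a leading quote.
            var rawPath = servicePathName.ToString();
            var exeIndex = rawPath.IndexOf(".exe", StringComparison.OrdinalIgnoreCase);
            if (exeIndex >= 0)
            {
                var filePath = rawPath.Substring(0, exeIndex + ".exe".Length).Trim('"');
                metadata = $"{FileChecker.GetFileInfo(filePath)}";
                allattribs = $"{allattribs} - {metadata}";
            }
            // No ".exe" in PathName: the original took Substring(0, 3) of the path and
            // handed that to GetFileInfo, which turned the whole service into a
            // "Failed to perform checks" line even when its name matched. Now the
            // name/description match still runs, just without file metadata.
        }

        var matches = new List<string>();
        foreach (var edrstring in EDRData.edrlist)
        {
            // An empty keyword would match every service; skip it.
            if (string.IsNullOrEmpty(edrstring))
            {
                continue;
            }

            // Ordinal, case-insensitive search instead of culture-sensitive ToLower()+Contains();
            // still a substring match, so short keywords can false-positive.
            if (allattribs.IndexOf(edrstring, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                matches.Add(edrstring);
            }
        }

        if (matches.Count > 0)
        {
            Console.WriteLine($"[-] Suspicious service found:" +
                              $"\n\tName: {serviceName}" +
                              $"\n\tDisplayName: {serviceDisplayName}" +
                              $"\n\tDescription: {serviceDescription}" +
                              $"\n\tCaption: {serviceCaption}" +
                              $"\n\tBinary: {servicePathName}" +
                              $"\n\tStatus: {serviceState}" +
                              $"\n\tProcess ID: {servicePID}" +
                              $"\n\tFile Metadata: {metadata}" +
                              $"\n[!] Matched on: {string.Join(", ", matches)}\n");
            return $"\t[-] {serviceName} : {string.Join(", ", matches)}\n";
        }

        return "";
    }
    catch (Exception e)
    {
        // Best-effort tool: report the failure for this service and let the caller continue.
        Console.WriteLine($"[-] Errored on checking individual service: {serviceName}\n{e.Message}\n{e.StackTrace}");
        return $"\t[-] {serviceName} : Failed to perform checks\n";
    }
}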
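/// <summary>
/// Checks one Win32_Process instance against the EDR keyword list. The process Name,
/// ExecutablePath, Description, Caption and CommandLine are joined together with the
/// metadata of the executable (when ExecutablePath is available) and every entry of
/// <see cref="EDRData.edrlist"/> is searched for as a substring.
/// </summary>
/// <param name="process">WMI process object; read via its indexer, so missing properties throw.</param>
/// <returns>
/// A report line of the form <c>"\t[-] {name} : {kw1, kw2}\n"</c> when at least one
/// keyword matched, an empty string when nothing matched, or a
/// "Failed to perform checks" line when inspecting the process threw.
/// Details are also written to the console.
/// </returns>
private static string CheckProcess(ManagementBaseObject process)
{
    // Captured up front so the catch block does not have to re-read the WMI object.
    object processName = "<unknown>";
    object processPID = "<unknown>";
    try
    {
        processName = process["Name"];
        var processPath = process["ExecutablePath"];
        var processDescription = process["Description"];
        var processCaption = process["Caption"];
        var processCmdLine = process["CommandLine"];
        processPID = process["ProcessId"];
        var processParent = process["ParentProcessId"];

        var metadata = "";
        var allattribs = $"{processName} - " +
                         $"{processPath} - " +
                         $"{processDescription} - " +
                         $"{processCaption} - " +
                         $"{processCmdLine}";

        // ExecutablePath is null for processes the caller cannot open (e.g. protected
        // or higher-integrity ones); those are still matched on name/command line only.
        if (processPath != null)
        {
            metadata = $"{FileChecker.GetFileInfo(processPath.ToString())}";
            allattribs = $"{allattribs} - {metadata}";
        }

        var matches = new List<string>();
        foreach (var edrstring in EDRData.edrlist)
        {
            // An empty keyword would match every process; skip it.
            if (string.IsNullOrEmpty(edrstring))
            {
                continue;
            }

            // Ordinal, case-insensitive search instead of culture-sensitive ToLower()+Contains();
            // still a substring match, so short keywords can false-positive.
            if (allattribs.IndexOf(edrstring, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                matches.Add(edrstring);
            }
        }

        if (matches.Count > 0)
        {
            Console.WriteLine($"[-] Suspicious process found:" +
                              $"\n\tName: {processName}" +
                              $"\n\tDescription: {processDescription}" +
                              $"\n\tCaption: {processCaption}" +
                              $"\n\tBinary: {processPath}" +
                              $"\n\tProcess ID: {processPID}" +
                              $"\n\tParent Process: {processParent}" +
                              $"\n\tProcess CmdLine: {processCmdLine}" +
                              $"\n\tFile Metadata: {metadata}" +
                              $"\n[!] Matched on: {string.Join(", ", matches)}\n");
            return $"\t[-] {processName} : {string.Join(", ", matches)}\n";
        }

        return "";
    }
    catch (Exception e)
    {
        // Best-effort tool: report the failure for this process and let the caller continue.
        Console.WriteLine($"[-] Errored on checking individual process: {processName} : {processPID}\n{e.Message}\n{e.StackTrace}");
        return $"\t[-] {processName} : Failed to perform checks\n";
    }
}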
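/// <summary>
/// Checks one loaded kernel driver against the EDR keyword list. The driver's NT-style
/// path is rewritten into a Win32 path so <see cref="FileChecker.GetFileInfo"/> can open
/// it; the base name and the returned metadata are joined and every entry of
/// <see cref="EDRData.edrlist"/> is searched for as a substring.
/// </summary>
/// <param name="driverFileName">
/// Driver path as reported by the kernel, e.g. <c>\SystemRoot\System32\drivers\x.sys</c>,
/// <c>\Windows\...</c> or <c>\??\C:\...</c>. Other forms are passed through unchanged.
/// </param>
/// <param name="driverBaseName">Driver base name used for matching and in the report.</param>
/// <returns>
/// A report line of the form <c>"\t[-] {baseName} : {kw1, kw2}\n"</c> when at least one
/// keyword matched, an empty string when nothing matched, or a
/// "Failed to perform checks" line when the lookup threw. Details are also written to the console.
/// </returns>
internal static string CheckDriver(string driverFileName, string driverBaseName)
{
    try
    {
        // Resolve the real Windows directory instead of assuming C:\Windows. On a host
        // where %SystemRoot% is on another drive the old hard-coded prefix pointed at a
        // non-existent file, so every driver came back as "Failed to perform checks"
        // regardless of whether its name matched. Falls back to the old value if the
        // lookup yields nothing.
        var windowsDir = Environment.GetFolderPath(Environment.SpecialFolder.Windows);
        if (string.IsNullOrEmpty(windowsDir))
        {
            windowsDir = @"c:\windows";
        }
        windowsDir = windowsDir.ToLower().TrimEnd('\\') + @"\";

        // Everything is lowercased, as before, so the prefix checks below are ordinal.
        var fixedDriverPath = driverFileName.ToLower().Replace(@"\systemroot\", windowsDir);
        if (fixedDriverPath.StartsWith(@"\windows\", StringComparison.Ordinal))
        {
            fixedDriverPath = windowsDir + fixedDriverPath.Substring(@"\windows\".Length);
        }
        else if (fixedDriverPath.StartsWith(@"\??\", StringComparison.Ordinal))
        {
            // \??\ is the NT object-manager prefix for a Win32 path; strip it.
            fixedDriverPath = fixedDriverPath.Substring(@"\??\".Length);
        }

        var metadata = $"{FileChecker.GetFileInfo(fixedDriverPath)}";
        var allattribs = $"{driverBaseName} - {metadata}";

        var matches = new List<string>();
        foreach (var edrstring in EDRData.edrlist)
        {
            // An empty keyword would match every driver; skip it.
            if (string.IsNullOrEmpty(edrstring))
            {
                continue;
            }

            // Ordinal, case-insensitive search instead of culture-sensitive ToLower()+Contains();
            // still a substring match, so short keywords can false-positive.
            if (allattribs.IndexOf(edrstring, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                matches.Add(edrstring);
            }
        }

        if (matches.Count > 0)
        {
            Console.WriteLine("[-] Suspicious driver found:" +
                              $"\n\tSuspicious Module: {driverBaseName}" +
                              $"\n\tFile Metadata: {metadata}" +
                              $"\n[!] Matched on: {string.Join(", ", matches)}\n");
            return $"\t[-] {driverBaseName} : {string.Join(", ", matches)}\n";
        }

        return "";
    }
    catch (Exception e)
    {
        // Best-effort tool: report the failure for this driver and let the caller continue.
        Console.WriteLine($"[-] Errored on checking driver {driverBaseName} : {driverFileName}\n{e.Message}\n{e.StackTrace}");
        return $"\t[-] {driverBaseName} : Failed to perform checks\n";
    }
}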