/////////////////////////////////////////////////////
//
// AgentScanner()
//
/////////////////////////////////////////////////////
//Description: Constructor. Creates the empty scan log and settings
//             dictionary and puts the heuristic/signature result
//             containers into a known-empty state so a scan can
//             append to them without null checks.
//             (StartScanTask resets the same result containers
//             again before every scan.)
/////////////////////////////////////////////////////
public AgentScanner()
{
    AgentScanLog = new StringBuilder();
    AgentSettings = new Dictionary<string, string>();

    //heuristic results: one container per privilege level, both empty
    CwXML.CodewordAgentHeuristicMatches heuristics = new CwXML.CodewordAgentHeuristicMatches();
    heuristics.KernelModeMatches = new CwXML.KernelModeHeuristicMatches();
    heuristics.UserModeMatches = new CwXML.UserModeHeuristicMatches();
    AgentHeuristicMatches = heuristics;

    //signature results: zero-length arrays rather than null so callers can
    //iterate them unconditionally
    CwXML.CodewordAgentSignatureMatches signatures = new CwXML.CodewordAgentSignatureMatches();
    signatures.RegistrySignatureMatches = new CwXML.RegistrySignatureMatch[0];
    signatures.MemorySignatureMatches = new CwXML.MemorySignatureMatch[0];
    signatures.FileSignatureMatches = new CwXML.FileSignatureMatch[0];
    AgentSignatureMatches = signatures;
}
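/////////////////////////////////////////////////////
//
//
// StartScanTask()
//
//
/////////////////////////////////////////////////////
//Description: This function only performs the setup
//             necessary to perform a scan of registry,
//             disk and memory, and to report those
//             results back to the admin console.
//
//             The .NET security toggle is now wrapped in
//             try/finally: an exception thrown by any scan
//             stage previously skipped the "On" call and left
//             the process running with security disabled.
//
//             NOTE(review): settings and signatures are read from
//             files in the local install dir; whether their
//             integrity is verified before use is not visible here.
//
//Parameters:  anomalyReport - replaced with a fresh report whose
//             SignatureMatches/HeuristicMatches are filled in when
//             the scan completes. On an early return (settings or
//             signatures failed to load) it is left empty.
//
//Returns:     a stringbuilder object containing log data.
/////////////////////////////////////////////////////
internal StringBuilder StartScanTask(ref CwXML.CodewordAgentAnomalyReport anomalyReport)
{
    //clear any existing results
    anomalyReport = new CwXML.CodewordAgentAnomalyReport();
    AgentHeuristicMatches = new CwXML.CodewordAgentHeuristicMatches();
    AgentHeuristicMatches.KernelModeMatches = new CwXML.KernelModeHeuristicMatches();
    AgentHeuristicMatches.UserModeMatches = new CwXML.UserModeHeuristicMatches();
    AgentSignatureMatches = new CwXML.CodewordAgentSignatureMatches();
    AgentSignatureMatches.RegistrySignatureMatches = new CwXML.RegistrySignatureMatch[0];
    AgentSignatureMatches.MemorySignatureMatches = new CwXML.MemorySignatureMatch[0];
    AgentSignatureMatches.FileSignatureMatches = new CwXML.FileSignatureMatch[0];

    //
    //1. Load settings from XML file extracted to local dir from MSI
    //
    AgentScanLog.AppendLine("INITIALIZE: Loading scan settings...");
    if (!LoadAgentSettings(ref AgentSettings))
        return AgentScanLog;

    //
    //2. Load signatures - this only needs to be done once here for the whole file
    //
    AgentScanLog.AppendLine("SCAN: Loading signatures from XML file...");
    if (!LoadAgentSignatures())
        return AgentScanLog;

    //
    //3. Disable .NET security
    //
    //NOTE(review): what ToggleDotnetSecurity changes is defined elsewhere; it is
    //treated here as widening the agent's privileges for the duration of the scan,
    //so the window it is "Off" must be as short as possible and always closed.
    //
    EnvironmentHelper.ToggleDotnetSecurity("Off", "INITIALIZE");
    try
    {
        //
        //4. kick off scan
        //
        AgentScanLog.AppendLine("SCAN: Scan starting on " + DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss"));
        DoSignatureScan();

        //only auto-mitigate if option set. A settings file without the key is
        //treated as "False" instead of throwing KeyNotFoundException mid-scan.
        string autoMitigate;
        if (AgentSettings.TryGetValue("Option_AutoMitigate", out autoMitigate) && autoMitigate == "True")
            DoMitigate();

        DoUserModeHeuristics();
        DoKernelModeHeuristics();
        AgentScanLog.AppendLine("SCAN: Scan finished on " + DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss"));
    }
    finally
    {
        //
        //5. re-enable .NET security - must run even when a scan stage throws
        //
        EnvironmentHelper.ToggleDotnetSecurity("On", "FINALIZE");
    }

    //
    //6. return our results object byref
    //
    //sanitize the XML by escaping invalid characters first. The element is
    //written back after editing so this is correct whether the match type is a
    //class or a struct (foreach hands out a copy of a struct).
    CwXML.RegistrySignatureMatch[] registryMatches = AgentSignatureMatches.RegistrySignatureMatches;
    for (int i = 0; i < registryMatches.Length; i++)
    {
        CwXML.RegistrySignatureMatch match = registryMatches[i];
        match.RegistryValueData = CwXML.ReplaceInvalidXmlChars(match.RegistryValueData);
        match.RegistryValueName = CwXML.ReplaceInvalidXmlChars(match.RegistryValueName);
        registryMatches[i] = match;
    }

    CwXML.MemorySignatureMatch[] memoryMatches = AgentSignatureMatches.MemorySignatureMatches;
    for (int i = 0; i < memoryMatches.Length; i++)
    {
        CwXML.MemorySignatureMatch match = memoryMatches[i];
        //keywords are not required in memory search - could just be looking for presence of a process name
        if (match.Keywords != null)
            match.Keywords = CwXML.ReplaceInvalidXmlChars(match.Keywords);
        match.MatchingBlock = CwXML.ReplaceInvalidXmlChars(match.MatchingBlock);
        memoryMatches[i] = match;
    }

    //NOTE(review): FileSignatureMatches is not sanitized here; if it carries
    //string fields that end up in the XML report they need the same treatment.

    //assign the fields of the passed-in object byref
    anomalyReport.SignatureMatches = AgentSignatureMatches;
    anomalyReport.HeuristicMatches = AgentHeuristicMatches;

    return AgentScanLog;
}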