public static Boolean LogWriter(string PATH)
{
cpuUsageCounter = new PerformanceCounter("Processor", "% Processor Time", "_Total");
ramUsageCounter = new PerformanceCounter("Memory", "Available MBytes");
harddiskUsageCounter = new PerformanceCounter("PhysicalDisk", "% Disk Time", "_Total");
threadCounter = new PerformanceCounter("Process", "Thread Count", "_Total");
handleCounter = new PerformanceCounter("Process", "Handle Count", "_Total");
ActionTaker.setKilledProcesses();
FilemonEventHandler.setFirstDetected();
postPoCTaken();
Dictionary <string, string> hashedFilesAtStart = new Dictionary <string, string>();
hashedFilesAtStart = testParseTXTfile(hashedFilePath);
ProcMon.setIsHasherDone(true);
amountOfLoops = 0;
ProgramExecuter.executeProgram(ransomwareDownloaderPath);
var fw = new Thread(() => FileMon.CreateFileWatcher(pathFileWatch));
fw.Start();
var tmp = new Thread(() => Filemon.CreateFileWatcher(pathFileWatch));
tmp.Start();
//Find the start timestamp
DateTime startTimeStamp = DateTime.Now;
TimeSpan span = DateTime.Now.Subtract(startTimeStamp);
while (span.Minutes < MINUTESOFLOGGING)
{
amountOfLoops++;
cpuList.Add(getCurrentCpuUsage());
ramList.Add(getAvailableRAM());
harddiskList.Add(getHarddiskUsage());
threadList.Add(getThreadCount());
handleList.Add(getHandleCount());
Thread.Sleep(INTERVALFORLOOP);
span = DateTime.Now.Subtract(startTimeStamp);
}
Filemon.setStopAddingToLog(true);
fileMonChanges = Filemon.getFilemonChanges();
Filemon.setWatcherToStop();
FileMon.setWatcherToStop();
ActionTaker.terminateProcmon();
Dictionary <string, string> hashedFilesAtEnd = new Dictionary <string, string>();
Dictionary <string, string> hashedFilesAtEndtemp1 = new Dictionary <string, string>();
Dictionary <string, string> hashedFilesAtEndtemp2 = new Dictionary <string, string>();
Dictionary <string, string> hashedFilesAtEndtemp3 = new Dictionary <string, string>();
Dictionary <string, string> hashedFilesAtEndtemp4 = new Dictionary <string, string>();
Hasher tempEndHasher1 = new Hasher();
hashedFilesAtEndtemp1 = tempEndHasher1.fileHasher(path1);
Hasher tempEndHasher2 = new Hasher();
hashedFilesAtEndtemp2 = tempEndHasher2.fileHasher(path2);
Hasher tempEndHasher3 = new Hasher();
hashedFilesAtEndtemp3 = tempEndHasher3.fileHasher(path3);
Hasher tempEndHasher4 = new Hasher();
hashedFilesAtEndtemp4 = tempEndHasher4.fileHasher(path4);
hashedFilesAtEndtemp1.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value));
hashedFilesAtEndtemp2.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value));
hashedFilesAtEndtemp3.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value));
hashedFilesAtEndtemp4.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value));
//Take a hash of the files at the end
//Find the end timestamp
DateTime endTimeStamp = DateTime.Now;
//Figure out what has changed.
removeKeyList = new List <string>();
changedKeyList = new List <string>();
inStartDictionary = new List <string>();
inEndDictionary = new List <string>();
foreach (var item in hashedFilesAtStart)
{
if (hashedFilesAtEnd.ContainsKey(item.Key))
{
if (hashedFilesAtStart[item.Key].Equals(hashedFilesAtEnd[item.Key]))
{
removeKeyList.Add(item.Key);
}
else
{
changedKeyList.Add(item.Key);
}
}
else
{
inStartDictionary.Add(item.Key);
}
}
//Removing non changed duplicates
for (int i = 0; i < removeKeyList.Count; i++)
{
hashedFilesAtStart.Remove(removeKeyList[i]);
hashedFilesAtEnd.Remove(removeKeyList[i]);
}
for (int i = 0; i < changedKeyList.Count; i++)
{
hashedFilesAtStart.Remove(changedKeyList[i]);
hashedFilesAtEnd.Remove(changedKeyList[i]);
}
//Finding files that has been created since start
foreach (var item in hashedFilesAtEnd)
{
if (!hashedFilesAtStart.ContainsKey(item.Key))
{
inEndDictionary.Add(item.Key);
}
}
hashedFilesAtStartKeys = hashedFilesAtStart.Keys;
hashedFilesAtEndKeys = hashedFilesAtEnd.Keys;
/*
* string filePath = PATH + "\\RansomwareLog.txt";
* if (!File.Exists(filePath))
* {
* // Create a file to write to.
* using (StreamWriter sw = File.CreateText(filePath))
* {
* sw.WriteLine(NAMEONTEST);
* sw.WriteLine(MONITORSTATUS);
* sw.WriteLine(startTimeStamp.ToString());
* sw.WriteLine(endTimeStamp.ToString());
* sw.WriteLine(amountOfLoops);
* sw.WriteLine(changedKeyList.Count);
* sw.WriteLine(hashedFilesAtStartKeys.Count);
* sw.WriteLine(hashedFilesAtEndKeys.Count);
* sw.WriteLine(fileMonChanges.Count);
* string cpuReturn = returnMonitorListAsString(cpuList);
* string ramReturn = returnMonitorListAsString(ramList);
* string harddiskReturn = returnMonitorListAsString(harddiskList);
* string threadReturn = returnMonitorListAsString(threadList);
* string handleReturn = returnMonitorListAsString(handleList);
*
* string changedFilesReturn = "";
* string deletedFilesReturn = "";
* string newFilesReturn = "";
* string filemonChangesReturn = "";
* string killedProcessesReturn = "";
*
* for (int i = 0; i < changedKeyList.Count; i++)
* {
* changedFilesReturn += changedKeyList[i];
* changedFilesReturn += "?";
* }
* foreach (string s in hashedFilesAtStartKeys)
* {
* deletedFilesReturn += s;
* deletedFilesReturn += "?";
* }
* foreach (string s in hashedFilesAtEndKeys)
* {
* newFilesReturn += s;
* newFilesReturn += "?";
* }
* foreach (var item in fileMonChanges)
* {
* filemonChangesReturn += item.Value + "<>" + item.Key.ToString("dd/MM/yyyy HH:mm:ss.fff");
* filemonChangesReturn += "?";
* }
* foreach (string s in killedProcesses)
* {
* killedProcessesReturn += s;
* killedProcessesReturn += "?";
* }
*
* sw.WriteLine(cpuReturn);
* sw.WriteLine(ramReturn);
* sw.WriteLine(harddiskReturn);
* sw.WriteLine(threadReturn);
* sw.WriteLine(handleReturn);
* sw.WriteLine(changedFilesReturn);
* sw.WriteLine(deletedFilesReturn);
* sw.WriteLine(newFilesReturn);
* sw.WriteLine(filemonChangesReturn);
* sw.WriteLine(killedProcessesReturn);
*
* }
* }*/
return(true);
}
public static async void postPoCPosted()
{
string cpuReturn = returnMonitorListAsString(cpuList);
string ramReturn = returnMonitorListAsString(ramList);
string harddiskReturn = returnMonitorListAsString(harddiskList);
string threadReturn = returnMonitorListAsString(threadList);
string handleReturn = returnMonitorListAsString(handleList);
List <string> killedProcesses = ActionTaker.getKilledProcesses();
string changedFilesReturn = "";
string deletedFilesReturn = "";
string newFilesReturn = "";
string filemonChangesReturn = "";
string killedProcessesReturn = "";
for (int i = 0; i < changedKeyList.Count - 1; i++)
{
changedFilesReturn += changedKeyList[i];
changedFilesReturn += "?";
}
foreach (string s in hashedFilesAtStartKeys)
{
deletedFilesReturn += s;
deletedFilesReturn += "?";
}
foreach (string s in hashedFilesAtEndKeys)
{
newFilesReturn += s;
newFilesReturn += "?";
}
foreach (var item in fileMonChanges)
{
filemonChangesReturn += item.Value + ":" + item.Key.ToString("dd/MM/yyyy HH:mm:ss.fff");
filemonChangesReturn += "?";
}
foreach (string s in killedProcesses)
{
killedProcessesReturn += s;
killedProcessesReturn += "?";
}
var options = new
{
RansomwareName = NAMEONTEST,
MonitorStatus = "1",
MonitorCount = amountOfLoops.ToString(),
CountChangedFiles = changedKeyList.Count().ToString(),
CountDeletedFiles = hashedFilesAtStartKeys.Count().ToString(),
CountNewFiles = hashedFilesAtEndKeys.Count().ToString(),
CountFilemonObservations = fileMonChanges.Count().ToString(),
CPU = cpuReturn,
RAM = ramReturn,
HDD = harddiskReturn,
ThreadCount = threadReturn,
HandleCount = handleReturn,
ListChangedFiles = changedFilesReturn,
ListDeletedFiles = deletedFilesReturn,
ListNewFiles = newFilesReturn,
ListFilemonObservations = filemonChangesReturn,
NameOfShutdownRansomware = killedProcessesReturn,
Detected = FilemonEventHandler.getFirstDetected().ToString("dd/MM/yyyy HH:mm:ss.fff"),
Shutdown = ActionTaker.getFirstKilledTime().ToString("dd/MM/yyyy HH:mm:ss.fff")
};
var stringPayload = JsonConvert.SerializeObject(options);
var content = new StringContent(stringPayload, Encoding.UTF8, "application/json");
var response = client.PostAsync("http://192.168.8.102/v1/index.php/postsh3posted", content).Result;
var result = await response.Content.ReadAsByteArrayAsync();
}
