Exemplo n.º 1
0
        /////////////////////////////////////////////////////
        //                                                 //
        // DoCollect()                                     //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Collects all files identified in the scan
        //              as malicious and stuffs them into a
        //              password-protected, encrypted ZIP file.
        //
        //              NOTE:  depends on DoSignatureScan()
        //
        //
        //Returns:      true if successful
        //////////////////////////////////////////////////////
        private unsafe bool DoCollect()
        {
            AgentScanLog.AppendLine("");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("                  COLLECT                    ");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("");
            AgentScanLog.AppendLine("COLLECT:  Collecting evidence files...");

            //collect the following files to wrap up in archive file:
            //  1. all identified malware files
            //  2. infection log (Infection_Log.txt) which we create
            //  3. usb device list file (USB_Devices.txt) which we create
            //  4. .net installation log (if exists)
            //

            //---------------------------------
            //          BUILD ZIP NAME
            //---------------------------------
            ZipFileName = Collect.BuildZipName(TotalFindingsCount);
            ZipFile zip = new ZipFile(ZipFileName);

            if (AgentSettings.ContainsKey("Reporting_Archive_Password"))
            {
                IntPtr pptr = IntPtr.Zero;
                //do this secure string thing if password specified
                char[] str = AgentSettings["Reporting_Archive_Password"].ToCharArray();

                fixed (char* pChars = str)
                {
                    ZipPassword = new SecureString(pChars, str.Length);
                }

                //decrypt our password in memory
                pptr = Marshal.SecureStringToBSTR(ZipPassword);
                zip.Password = Marshal.PtrToStringBSTR(pptr);

                //zero the password memory
                Marshal.ZeroFreeBSTR(pptr);
            }

            zip.TempFileFolder = ".";
            ArrayList CollectList = new ArrayList();
            int count = 0;

            AgentScanLog.AppendLine("COLLECT:  Searching file signature matches for files...");

            //loop through file signatures
            foreach (CwXML.FileSignatureMatch fileMatch in AgentSignatureMatches.FileSignatureMatches)
                if (Collect.AddToZip(zip, fileMatch.FullPath))
                    count++;

            AgentScanLog.AppendLine("COLLECT:  Added " + count + " files.");
            count = 0;
            AgentScanLog.AppendLine("COLLECT:  Searching registry signature matches for files...");

            //loop through registry signatures
            foreach (CwXML.RegistrySignatureMatch registryMatch in AgentSignatureMatches.RegistrySignatureMatches)
                if (registryMatch.IsFileOnDisk)
                    if (Collect.AddToZip(zip, registryMatch.RegistryValueData))
                        count++;

            AgentScanLog.AppendLine("COLLECT:  Added " + count + " files.");
            AgentScanLog.AppendLine("COLLECT:  Generating infection summary report...");

            //---------------------------------
            //          ADD INFECTION LOG
            //---------------------------------
            //2.  infection log (Infection_Log.txt) which we create
            StreamWriter infectionlog = new StreamWriter("InfectionLog.txt");
            StringBuilder InfectionSummaryReport = new StringBuilder();

            //print infection summary for each signature type
            RegistryHelper RegHelper = new RegistryHelper();
            FileHelper FileHelper = new FileHelper();
            MemoryHelper MemHelper = new MemoryHelper();
            RegHelper.PrintRegistryFindings(AgentSignatureMatches.RegistrySignatureMatches, ref InfectionSummaryReport);
            FileHelper.PrintFileFindings(AgentSignatureMatches.FileSignatureMatches, ref InfectionSummaryReport);
            MemHelper.PrintMemoryFindings(AgentSignatureMatches.MemorySignatureMatches, ref InfectionSummaryReport);
            infectionlog.WriteLine(InfectionSummaryReport.ToString());
            infectionlog.Close();
            zip.AddFile("InfectionLog.txt");

            AgentScanLog.AppendLine("COLLECT:  Enumerating USB Devices...");

            //---------------------------------
            //          ADD USB DEVICES LOG
            //---------------------------------
            //3.  usb device list file (USB_Devices.txt) which we create
            StreamWriter usblogfile = new StreamWriter("USB_Devices.txt");
            StringBuilder UsbDevicesReport = new StringBuilder();
            Collect.EnumerateUSBDevices(ref UsbDevicesReport);
            usblogfile.WriteLine(UsbDevicesReport.ToString());
            usblogfile.Close();
            zip.AddFile("USB_Devices.txt");

            //---------------------------------
            //          ADD .NET LOG
            //---------------------------------
            //4.  .net installation log (if exists)
            try
            {
                FileInfo dotnetfxLogfile = new FileInfo("dotnetfx_install_log.txt");
                if (dotnetfxLogfile.Exists)
                    zip.AddFile("dotnetfx_install_log.txt");
            }
            catch { } //no biggie..

            AgentScanLog.AppendLine("COLLECT:  All evidence collected.");
            AgentScanLog.AppendLine("COLLECT:  Saving zip to disk...");
            zip.Save();
            zip.Dispose();  //at this point zip is closed and written to disk

            return true;
        }