Exemplo n.º 1
0
        public static void honeyPotFileMonDetection()
        {
            //Fetch the ransomwarename
            Logger.getPoCRansomware();

            Thread.Sleep(1000);
            //Inform the server that the ransomware has been fetched
            Logger.postPoCFetched();

            //Wait for response from the server
            while (!Logger.getHasFetched())
            {
                Thread.Sleep(500);
            }

            //Sets the correct values in different classes
            Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);

            ActionTaker.setBackingName(BACKINGNAME);
            ActionTaker.setPathToBackingFile(pathToBackingFile);

            ProcMon.setPathToProcMon(ProcMonPath);
            BACKINGNAME = BACKINGNAME + 0;

            //Start the procmon
            var t = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME));

            t.Start();

            Console.WriteLine(Logger.getNAMEONTEST());
            //Start the logger
            Logger.LogWriter(PATH);

            //Post that the ransomware succesfully has been tested
            Logger.postPoCTested();

            //Post the tested results
            Logger.postPoCPosted();


            Thread.Sleep(30000);
        }
Exemplo n.º 2
0
        //A change has been registered to a honeypot
        public static void honeypotChange(string path)
        {
            //Shut down procmon in order to get logfile
            ProcMon.procmonTerminator(pathToBackingFile, BACKINGNAME + INDEXER);

            INDEXER++;
            //Start up procmon with a new backingfile
            var cpmbf = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME + INDEXER));

            cpmbf.Start();

            Thread.Sleep(3000);

            //Convert the PMLfile to CSV
            ProcMon.convertPMLfileToCSV(pathToBackingFile, BACKINGNAME + (INDEXER - 1) + ".PML", "convertedFile" + (INDEXER - 1) + ".CSV");

            bool hasCSVbeenWritten = false;

            Console.WriteLine("Path to CSV file: " + pathToBackingFile + "\\" + "convertedFile" + (INDEXER - 1) + ".CSV");

            //Wait for the conversion to be completed
            while (hasCSVbeenWritten == false)
            {
                try
                {
                    using (Stream stream = new FileStream(pathToBackingFile + "\\" + "convertedFile" + (INDEXER - 1) + ".CSV", FileMode.Open))
                    {
                        hasCSVbeenWritten = true;
                        stream.Dispose();
                    }
                }
                catch (IOException)
                {
                }
                Thread.Sleep(50);
            }
            //Parse the CSVfile
            List <CSVfileHandler> parsedData = CSVfileHandler.CSVparser(pathToBackingFile + "\\" + "convertedFile" + (INDEXER - 1) + ".CSV");

            //Kill every process that has touched a honeypot
            foreach (var item in parsedData)
            {
                if (!item.processName.Equals("Explorer.EXE") || !item.processName.Equals("HoneyPotFilemon.exe"))
                {
                    try
                    {
                        pID.Add(item.PID);
                        killedProcesses.Add(Process.GetProcessById(item.PID).ProcessName);
                        try
                        {
                            Console.WriteLine("Process: " + Process.GetProcessById(item.PID).ProcessName + " is killed due to suspicious behaviour");
                            killProcess(item.PID);
                        }
                        catch (Exception)
                        {
                            //Save processname as a temp
                            Console.WriteLine("Killing of the process failed");
                        }
                    }
                    catch
                    {
                    }
                }
            }

            if (!killedFirstProcess)
            {
                firstKilledProcessTime = DateTime.Now;
                killedFirstProcess     = true;
            }
        }
Exemplo n.º 3
0
 public static void terminateProcmon()
 {
     ProcMon.procmonTerminator(pathToBackingFile, BACKINGNAME + INDEXER);
 }