public Form1()
{
Console.WriteLine("Please Input path to folder to save output, console, and ruleresult");
masterpath = Console.ReadLine();
outputFile = "\"" + masterpath + "\\" + "output.txt" + "\"";
consoleFile = masterpath + "\\" + "Console.txt";
RuleResultfile = masterpath + "\\" + "RuleResult.txt";
if (File.Exists(outputFile)) //Check If files exist and delete
{
File.Delete(outputFile);
}
if (File.Exists(consoleFile))
{
File.Delete(consoleFile);
}
if (File.Exists(RuleResultfile))
{
File.Delete(RuleResultfile);
}
if (File.Exists(masterpath + "\\" + "ProcLog.txt"))
{
File.Delete(masterpath + "\\" + "ProcLog.txt");
}
var PID = new List <int>();
var ProcList = new List <string>();
Process[] procs = Process.GetProcesses(); //Returns an array of all open processes into procs
IntPtr hWnd;
Console.WriteLine("Please Input Path to YARA exe: -->");
cmdArg0 = "\"" + Console.ReadLine() + "\"" + " ";
Console.WriteLine("\nPlease input path to yara rules: -->");
cmdArg1 = "\"" + Console.ReadLine() + "\"" + " ";
foreach (Process proc in procs)
{
if ((hWnd = proc.MainWindowHandle) != IntPtr.Zero)
{
Console.WriteLine("{0} : {1}", proc.ProcessName, hWnd);
Console.WriteLine("PID of {0} : {1}", proc.ProcessName, proc.Id);
PID.Add(proc.Id); //Save list of PID's into a int list named PID
ProcList.Add(proc.ProcessName); //Save list of PID's into string list
if (proc.ProcessName == "cmd")
{
procHandle = hWnd;
extfunc.SetForegroundWindow(procHandle);
System.Threading.Thread.Sleep(100);
SendKeys.SendWait("SET outPath=" + RuleResultfile);
SendKeys.SendWait("{ENTER}");//Injection handle
SendKeys.SendWait("SET cmd0=" + cmdArg0);
SendKeys.SendWait("{ENTER}");
SendKeys.SendWait("SET cmd1=" + cmdArg1);
SendKeys.SendWait("{ENTER}");
}
}
}
Console.WriteLine("Process Handle2 = {0}", procHandle);
if (ProcList.Contains("cmd") == false)
{
int whilecount = 1;
MyProc openProc = new MyProc();
openProc.OpenApplication("C:\\Windows\\System32\\cmd.exe");
cmdflag = 1;
System.Threading.Thread.Sleep(1000);
while (whilecount == 1)
{
Process[] procs1 = Process.GetProcesses();
foreach (Process proc in procs1)
{
if ((hWnd = proc.MainWindowHandle) != IntPtr.Zero || cmdflag == 1)
{
Console.WriteLine("{0} : {1}", proc.ProcessName, hWnd);
Console.WriteLine("PID of {0} : {1}", proc.ProcessName, proc.Id);
PID.Add(proc.Id); //Save list of PID's into a int list named PID
ProcList.Add(proc.ProcessName); //Save list of PID's into string list
if (proc.MainWindowTitle == "C:\\Windows\\System32\\cmd.exe" || proc.MainWindowTitle == "Administrator: C:\\Windows\\System32\\cmd.exe")
{
procHandle = hWnd;
extfunc.SetForegroundWindow(procHandle);
System.Threading.Thread.Sleep(100);
SendKeys.SendWait("SET outPath=" + RuleResultfile);
SendKeys.SendWait("{ENTER}");//Injection handle
SendKeys.SendWait("SET cmd0=" + cmdArg0);
SendKeys.SendWait("{ENTER}");
SendKeys.SendWait("SET cmd1=" + cmdArg1);
SendKeys.SendWait("{ENTER}");
whilecount = 0;
}
cmdflag = 0;
}
}
}
//MyProc openProc = new MyProc();
//openProc.OpenApplication("C:\\Windows\\System32\\cmd.exe");
//cmdflag = 1;
//System.Threading.Thread.Sleep(1000);
//procs = Process.GetProcesses();
//foreach (Process proc in procs)
//{
// if ((hWnd = proc.MainWindowHandle) != IntPtr.Zero || cmdflag == 1)
// {
// Console.WriteLine("{0} : {1}", proc.ProcessName, hWnd);
// Console.WriteLine("PID of {0} : {1}", proc.ProcessName, proc.Id);
// PID.Add(proc.Id); //Save list of PID's into a int list named PID
// ProcList.Add(proc.ProcessName); //Save list of PID's into string list
// if (proc.MainWindowTitle == "C:\\Windows\\System32\\cmd.exe")
// {
// procHandle = hWnd;
// extfunc.SetForegroundWindow(procHandle);
// System.Threading.Thread.Sleep(100);
// SendKeys.SendWait("SET outPath=" + RuleResultfile);
// SendKeys.SendWait("{ENTER}");//Injection handle
// SendKeys.SendWait("SET cmd0=" + cmdArg0);
// SendKeys.SendWait("{ENTER}");
// SendKeys.SendWait("SET cmd1=" + cmdArg1);
// SendKeys.SendWait("{ENTER}");
// }
// cmdflag = 0;
// }
//}
//Console.WriteLine("{0} : {1}", Process.ProcessName, procHandle);
}
int Fuzznumber = 0; //This function asks is directly after the program lists all open windows, to give you an idea of how high you need to go.
Console.WriteLine("Max processes to be Fuzzed? -->"); //At which point, it attempts to guess the PID's by simply using a loop with exception handlers for Process.GetProcessById(d);
try
{
Fuzznumber = Convert.ToInt32(Console.ReadLine());
}
catch
{
Console.WriteLine("Error: That's not a number"); //exception handler in case you don't enter a number.
System.Environment.Exit(0); //I hate exceptions as a malware analyst, but boy are they useful.
}
for (int d = 0; d < Fuzznumber; d++) //Here's the start of the loop that tries to guess the PID
{
// var v1 = extfunc.SetForegroundWindow(procHandle);
var v2 = extfunc.GetLastError(); //I'll probably need this eventually.
// Console.WriteLine("SetForeGroundWindow: {0}", v1);
//Console.WriteLine("Last error code: {0}", v2);
try
{
Process localbyId = Process.GetProcessById(d);
PIDarray.Add(d);
Console.WriteLine("Process Name: {0} | PID: {1}\n", localbyId, d);
string fileout = String.Format("Process Name: {0} | PID: {1}\n", localbyId, d);
File.AppendAllText(masterpath + "\\" + "ProcLog.txt", fileout); //This is the loop to obtain a list of all processes.
}
catch (ArgumentException)
{
string console = "Process " + d + " does not exist\n";
string Cf = masterpath + "\\" + "Console.txt";
// Console.WriteLine("Process %d does not exist", d);
File.AppendAllText(Cf, console); //This txt file contains a list of misc outputs.
}
// // Console.ReadLine();
}
foreach (int item in PIDarray)
{
var v1 = extfunc.SetForegroundWindow(procHandle);
SendKeys.SendWait("SET /A procID=" + item);
SendKeys.SendWait("{ENTER}");
SendKeys.SendWait("{%}cmd0{%}" + " " + "{%}cmd1{%}" + " " + "{%}procID{%}" + " >> \"{%}outPath{%}\""); //This file contains a list of all of our rule outputs.
SendKeys.SendWait("{ENTER}");
}
InitializeComponent();
System.Threading.Thread.Sleep(1000);
List <string> RuleReturn = new List <string>();
string loadfile = "\"" + RuleResultfile + "\"";
richTextBox1.LoadFile(RuleResultfile, RichTextBoxStreamType.PlainText);
ParseInputs inputParser = new ParseInputs();
inputParser.FormatRules(RuleResultfile, out RuleReturn);
}
public Form1()
{
Console.WriteLine("Please Input path to folder to save output, console, and ruleresult");
masterpath = Console.ReadLine();
outputFile = "\"" + masterpath + "\\" + "output.txt" + "\"";
consoleFile = masterpath + "\\" + "Console.txt";
RuleResultfile = masterpath + "\\" + "RuleResult.txt";
if (File.Exists(outputFile)) //Check If files exist and delete
{
File.Delete(outputFile);
}
if (File.Exists(consoleFile))
{
File.Delete(consoleFile);
}
if (File.Exists(RuleResultfile))
{
File.Delete(RuleResultfile);
}
if (File.Exists(masterpath + "\\" + "ProcLog.txt"))
{
File.Delete(masterpath + "\\" + "ProcLog.txt");
}
var PID = new List <int>();
var ProcList = new List <string>();
Process[] procs = Process.GetProcesses(); //Returns an array of all open processes into procs
IntPtr hWnd;
Console.WriteLine("Please Input Path to YARA exe: -->");
cmdArg0 = "\"" + Console.ReadLine() + "\"" + " ";
Console.WriteLine("\nPlease input path to yara rules: -->");
cmdArg1 = "\"" + Console.ReadLine() + "\"" + " ";
foreach (Process proc in procs)
{
if ((hWnd = proc.MainWindowHandle) != IntPtr.Zero)
//set Window Handle variable (hWnd) = proc.MainWindowHandle and then if not zero, continue.
{
Console.WriteLine("{0} : {1}", proc.ProcessName, hWnd); //Process Name, Handle
Console.WriteLine("PID of {0} : {1}", proc.ProcessName, proc.Id); //Process Name, PID
PID.Add(proc.Id); //Save list of PID's into a int list named PID for each PID found
ProcList.Add(proc.ProcessName); //Save list of PID's into string list
if (proc.ProcessName == "cmd") //If you already have CMD open, GREAT! it locates it and injects the necessary commands.
//FOR THE LOVE OF ALL THAT IS HOLY AND SACRED, DO NOT CLOSE WHICHEVER CMD WINDOW IT OPENS TO END IT. Closing the program itself will end it just fine
{
procHandle = hWnd;
extfunc.SetForegroundWindow(procHandle);
System.Threading.Thread.Sleep(100);
SendKeys.SendWait("SET outPath=" + RuleResultfile);
SendKeys.SendWait("{ENTER}");//Injection handle
SendKeys.SendWait("SET cmd0=" + cmdArg0);
SendKeys.SendWait("{ENTER}");
SendKeys.SendWait("SET cmd1=" + cmdArg1);
SendKeys.SendWait("{ENTER}");
}
}
}
//Console.WriteLine("Process Handle2 = {0}", procHandle);
if (ProcList.Contains("cmd") == false) //CMD creation and injection
{
int whilecount = 1;
MyProc openProc = new MyProc();
openProc.OpenApplication("C:\\Windows\\System32\\cmd.exe"); //path to CMD. Change if that's not yours.
cmdflag = 1; //Flag used
System.Threading.Thread.Sleep(1000);
while (whilecount == 1)
{
Process[] procs1 = Process.GetProcesses();
foreach (Process proc in procs1)
{
if ((hWnd = proc.MainWindowHandle) != IntPtr.Zero || cmdflag == 1)
{
Console.WriteLine("{0} : {1}", proc.ProcessName, hWnd);
Console.WriteLine("PID of {0} : {1}", proc.ProcessName, proc.Id);
PID.Add(proc.Id); //Save list of PID's into a int list named PID
ProcList.Add(proc.ProcessName); //Save list of PID's into string list
if (proc.MainWindowTitle == "C:\\Windows\\System32\\cmd.exe" || proc.MainWindowTitle == "Administrator: C:\\Windows\\System32\\cmd.exe")
{
procHandle = hWnd;
extfunc.SetForegroundWindow(procHandle);
System.Threading.Thread.Sleep(100);
SendKeys.SendWait("SET outPath=" + RuleResultfile);
SendKeys.SendWait("{ENTER}");//Injection handle
SendKeys.SendWait("SET cmd0=" + cmdArg0);
SendKeys.SendWait("{ENTER}");
SendKeys.SendWait("SET cmd1=" + cmdArg1);
SendKeys.SendWait("{ENTER}");
whilecount = 0;
}
cmdflag = 0;
}
}
}
}
int Fuzznumber = 0; //While GetProcess gets most of the processes, it doesn't get ALL of them. However, its still useful to see how high you need to fuzz. I shoot for 10k over the highest process revealed by GetProcess.
Console.WriteLine("Max processes to be Fuzzed? -->"); //Using output from GetProcess, Enter in Highest PID to fuzz
try
{
Fuzznumber = Convert.ToInt32(Console.ReadLine()); //Basic error checking loop
}
catch
{
Console.WriteLine("Error: That's not a number"); //exception handler in case you don't enter a number.
System.Environment.Exit(0); //I hate exceptions as a malware analyst, but boy are they useful.
}
for (int d = 0; d <= Fuzznumber; d++) //Here's the start of the loop that tries to guess the PID
{
var v2 = extfunc.GetLastError(); //I'll probably need this eventually.
try //Exception Handler for if GetProcessByID fails
{
//If Successful
Process localbyId = Process.GetProcessById(d);
PIDarray.Add(d); //Add PID to list of PID's
Console.WriteLine("Process Name: {0} | PID: {1}\n", localbyId, d);
string fileout = String.Format("Process Name: {0} | PID: {1}\n", localbyId, d); //Write to console and File successful PID
File.AppendAllText(masterpath + "\\" + "ProcLog.txt", fileout); //This is the loop to obtain a list of all processes.
}
catch (ArgumentException)
{
//If Fail
string console = "Process " + d + " does not exist\n";
string Cf = masterpath + "\\" + "Console.txt";
// Console.WriteLine("Process %d does not exist", d);
File.AppendAllText(Cf, console); //This txt file contains a list of misc outputs.
}
// // Console.ReadLine();
}
foreach (int item in PIDarray) //FOR each PID in PIDarray
{
var v1 = extfunc.SetForegroundWindow(procHandle); //Set CMD as active window
//Use sendkeys to send commands to CMD.
SendKeys.SendWait("SET /A procID=" + item);
SendKeys.SendWait("{ENTER}");
//In the above, %procID% = PID in list
//In the below, cmd0 = [Path to Yara exe] , cmd1 = [Yara Rule List] , procId, [Output Directory]/RuleResult.txt
SendKeys.SendWait("{%}cmd0{%}" + " " + "{%}cmd1{%}" + " " + "{%}procID{%}" + " >> \"{%}outPath{%}\""); //RuleResult.txt in your Output directory contains a list of all of our rule outputs.
SendKeys.SendWait("{ENTER}");
}
InitializeComponent();
System.Threading.Thread.Sleep(10000);
//Early version of visual output
List <string> RuleReturn = new List <string>();
string loadfile = "\"" + RuleResultfile + "\"";
richTextBox1.LoadFile(RuleResultfile, RichTextBoxStreamType.PlainText);
ParseInputs inputParser = new ParseInputs();
inputParser.FormatRules(RuleResultfile, out RuleReturn);
}