public void addFile(HttpPostedFileBase file, user user, string source)
{
var fileName = Path.GetFileName(file.FileName);
MemoryStream target = new MemoryStream();
file.InputStream.CopyTo(target);
byte[] data = target.ToArray();
ViniSandbox.Models.file f = new ViniSandbox.Models.file();
//f.analyzed = true;
f.date = DateTime.Now;
f.name = fileName;
f.source = source;
string md5 = MD5Helper.ByteToMD5(data);
file_detail fd = db.file_detail.FirstOrDefault(p => p.md5 == md5);
if (fd == null)
{
fd = new file_detail();
fd.md5 = md5;
fd.data = data;
fd.analyzed = false;
}
user.files.Add(f);
f.user = user;
f.file_detail = fd;
fd.files.Add(f);
db.SaveChanges();
}
public List <Info> HashMapper(file_detail det)
{
List <Info> hs = new List <Info>();
hs.Add(new Info()
{
Nome = "CRC32", Valor = det.crc32
});
hs.Add(new Info()
{
Nome = "MD5", Valor = det.md5
});
hs.Add(new Info()
{
Nome = "SHA1", Valor = det.sha1
});
hs.Add(new Info()
{
Nome = "SHA256", Valor = det.sha256
});
hs.Add(new Info()
{
Nome = "SHA512", Valor = det.sha512
});
hs.Add(new Info()
{
Nome = "SSDEEP", Valor = det.ssdeep
});
hs.Add(new Info()
{
Nome = "Tipo", Valor = det.type
});
if (det.pe_file != null)
{
hs.Add(new Info()
{
Nome = "Arquitetura", Valor = det.pe_file.architecture
});
hs.Add(new Info()
{
Nome = "Data de Compilação", Valor = det.pe_file.compilation_date.HasValue?det.pe_file.compilation_date.Value.ToString():""
});
hs.Add(new Info()
{
Nome = "Língua", Valor = det.pe_file.language
});
hs.Add(new Info()
{
Nome = "Packer", Valor = det.pe_file.packer
});
hs.Add(new Info()
{
Nome = "Entry Point", Valor = det.pe_file.entry_point
});
}
return(hs);
}
public void addObject(object obj)
{
if (obj is analysis)
{
analysis = (analysis)obj;
}
else if (obj is List <computer_event> )
{
computer_events.AddRange((List <computer_event>)obj);
}
else if (obj is List <antivirus_scan> )
{
antivirus_scans.AddRange((List <antivirus_scan>)obj);
}
else if (obj is List <dns> )
{
dns_list.AddRange((List <dns>)obj);
}
else if (obj is List <miscellaneous> )
{
miscellaneous.AddRange((List <miscellaneous>)obj);
}
else if (obj is List <resource> )
{
resources.AddRange((List <resource>)obj);
}
else if (obj is file_detail)
{
file_detail = (file_detail)obj;
}
else if (obj is pe_file)
{
pe_file = (pe_file)obj;
}
else if (obj is List <export_function> )
{
export_functions.AddRange((List <export_function>)obj);
}
else if (obj is List <import_function> )
{
import_functions.AddRange((List <import_function>)obj);
}
else if (obj is List <section> )
{
sections.AddRange((List <section>)obj);
}
else if (obj is result_file)
{
result_file.Add((result_file)obj);
}
else if (obj is List <import_library> )
{
import_libraries.AddRange((List <import_library>)obj);
}
}
public ActionResult MaliciousConfirmed(int id, bool isChecked)
{
file_detail fd = db.files.Find(id).file_detail;
if (fd != null)
{
fd.malicious = !isChecked;
db.Entry(fd).State = EntityState.Modified;
db.SaveChanges();
return(Content("ok"));
}
return(Content(""));
}
public void Clean()
{
analysis = null;
computer_events.Clear();
antivirus_scans.Clear();
dns_list.Clear();
miscellaneous.Clear();
resources.Clear();
file_detail = null;
pe_file = new pe_file();
export_functions.Clear();
import_functions.Clear();
sections.Clear();
result_file.Clear();
import_libraries.Clear();
}
public file_detail ParseFileDetails(string logContent)
{
file_detail fd = new file_detail();
var ma = Regex.Match(logContent, @"MD5: (?<MD5>.+)\r\nSHA1: (?<SHA1>.+)\r\nSHA256: (?<SHA256>.+)\r\nSHA512: (?<SHA512>.+)\r\nCRC32: (?<CRC32>.+)\r\nSSDEEP: (?<SSDEEP>.+)\r\nType: (?<TYPE>.+)\r\nCreation Date: (?<CD>.+)\r\nModification Date: (?<MD>.+)\r\n");
fd.md5 = ma.Groups["MD5"].Value;
fd.sha1 = ma.Groups["SHA1"].Value;
fd.sha256 = ma.Groups["SHA256"].Value;
fd.sha512 = ma.Groups["SHA512"].Value;
fd.crc32 = ma.Groups["CRC32"].Value;
fd.ssdeep = ma.Groups["SSDEEP"].Value;
fd.type = ma.Groups["TYPE"].Value;
fd.create_date = DateTime.ParseExact(ma.Groups["CD"].Value, "dd/MM/yyyy HH:mm:ss", CultureInfo.InvariantCulture);
fd.modified_date = DateTime.ParseExact(ma.Groups["MD"].Value, "dd/MM/yyyy HH:mm:ss", CultureInfo.InvariantCulture);
return(fd);
}
public void Save(file_detail file_det)
{
vinisandboxContext cx = new vinisandboxContext();
file_det = cx.file_detail.Find(file_det.id);
foreach (var anti_scan in antivirus_scans)
{
var antivirus = anti_scan.antivirus;
var bdV = cx.antivirus.ToArray().FirstOrDefault(p => p.Equals(antivirus));
if (bdV != null)
{
anti_scan.antivirus = bdV;
bdV.antivirus_scan.Add(anti_scan);
}
analysis.antivirus_scan.Add(anti_scan);
}
foreach (var comp_event in computer_events)
{
analysis.computer_event.Add(comp_event);
}
foreach (var dns in dns_list)
{
var domain = dns;
var bdDns = cx.dns.ToArray().FirstOrDefault(p => p.Equals(dns));
if (bdDns != null)
{
domain = bdDns;
}
domain.analyses.Add(analysis);
analysis.dns.Add(domain);
}
foreach (var re_file in result_file)
{
analysis.result_file.Add(re_file);
}
foreach (var misc in miscellaneous)
{
analysis.miscellaneous.Add(misc);
}
file_det.analyses.Add(analysis);
foreach (var res in resources)
{
var bdRes = cx.resource_type.ToArray().FirstOrDefault(p => p.Equals(res.resource_type));
if (bdRes != null)
{
res.resource_type = bdRes;
bdRes.resources.Add(res);
}
pe_file.resources.Add(res);
}
foreach (var sec in sections)
{
pe_file.sections.Add(sec);
}
foreach (var exp_func in export_functions)
{
pe_file.export_function.Add(exp_func);
}
foreach (var imp_lib in import_libraries)
{
var imp_lib_rec = imp_lib;
var bdIl = cx.import_library.ToArray().FirstOrDefault(p => p.Equals(imp_lib));
if (bdIl != null)
{
imp_lib_rec = bdIl;
}
foreach (var imp_func in imp_lib.import_function)
{
imp_func.import_library = imp_lib_rec;
var imp_func_rec = imp_func;
var bdIf = cx.import_function.ToArray().FirstOrDefault(p => p.Equals(imp_func));
if (bdIf != null)
{
imp_func_rec = bdIf;
}
else
{
imp_func_rec.import_library = imp_lib_rec;
}
pe_file.import_function.Add(imp_func_rec);
}
}
pe_file aux2 = cx.pe_file.SingleOrDefault(p => p.id == file_det.id);
if (aux2 != null)
{
var remRes = aux2.resources.ToList();
for (int i = 0; i < remRes.Count; i++)
{
cx.resources.Remove(remRes[i]);
}
aux2.resources.Clear();
var remSec = aux2.sections.ToList();
for (int i = 0; i < remSec.Count; i++)
{
cx.sections.Remove(remSec[i]);
}
aux2.sections.Clear();
var remExp = aux2.export_function.ToList();
for (int i = 0; i < remExp.Count; i++)
{
cx.export_function.Remove(remExp[i]);
}
aux2.export_function.Clear();
var remImp = aux2.import_function;
aux2.import_function.Clear();
cx.pe_file.Remove(aux2);
cx.SaveChanges();
}
file_det.pe_file = pe_file;
pe_file.file_detail = file_det;
file_det.type = file_detail.type;
file_det.md5 = file_detail.md5;
file_det.sha1 = file_detail.sha1;
file_det.sha256 = file_detail.sha256;
file_det.sha512 = file_detail.sha512;
file_det.crc32 = file_detail.crc32;
file_det.ssdeep = file_detail.ssdeep;
file_det.modified_date = file_detail.modified_date;
file_det.create_date = file_detail.create_date;
cx.SaveChanges();
}
public void Analyze(file_detail file_det)
{
dal.Clean();
LogManager.WriteLine("Starting analysis: file_details.id = " + file_det.id, LogManager.EVerboseLevel.Normal);
try
{
analysis ana = new analysis();
ana.start_date = DateTime.Now;
DirectoryInfo di = new DirectoryInfo(config.TempFolder);
string name = file_det.files.ToList().FirstOrDefault().name;
string path = di.FullName + "\\" + name;
if (File.Exists(path))
{
File.Delete(path);
}
File.WriteAllBytes(path, file_det.data);
string type = getType(path);
string ext = "exe";
var fi = new FileInfo(path);
if (type.ToLower().Contains("dll"))
{
ext = "dll";
}
if (fi.Extension != ext)
{
if (File.Exists(fi.FullName + "." + ext))
{
File.Delete(fi.FullName + "." + ext);
}
fi.MoveTo(fi.FullName + "." + ext);
}
LogManager.WriteLine("Temp File " + fi.FullName + " created", LogManager.EVerboseLevel.Debug);
LogManager.WriteLine("Static analysis started", LogManager.EVerboseLevel.Debug);
StaticAnalysis(fi.FullName, config.StaticAnalysis);
revertVM();
LogManager.WriteLine("VM Reverted", LogManager.EVerboseLevel.Debug);
string vmMode = config.DynamicAnalysis.Virtualization.VMMode;
vmMode = String.IsNullOrEmpty(vmMode) ? "headless" : vmMode;
vmControlMutex.WaitOne();
vmcontrol.StartVM(vmMode);
vmControlMutex.ReleaseMutex();
LogManager.WriteLine("VM Started", LogManager.EVerboseLevel.Debug);
LogManager.WriteLine("Dynamic analysis started", LogManager.EVerboseLevel.Debug);
DynamicAnalysis(fi.FullName, config.DynamicAnalysis);
LogManager.WriteLine("Waiting Steps", LogManager.EVerboseLevel.Debug);
foreach (var thread in threads)
{
if (thread.ThreadState == System.Threading.ThreadState.Running)
{
thread.Join();
}
}
threads.Clear();
vmControlMutex.WaitOne();
vmcontrol.SuspendVM();
vmControlMutex.ReleaseMutex();
LogManager.WriteLine("VM Suspended", LogManager.EVerboseLevel.Debug);
ana.file_name = fi.Name;
ana.final_date = DateTime.Now;
fi.Delete();
LogManager.WriteLine("Temp File deleted", LogManager.EVerboseLevel.Debug);
objExtracted(ana);
}
catch (Exception ex)
{
LogManager.WriteLine("Error on analysis: file_details.id = " + file_det.id + " - " + ex.ToString(), LogManager.EVerboseLevel.Error);
}
dal.Save(file_det);
LogManager.WriteLine("End of analysis: file_details.id = " + file_det.id, LogManager.EVerboseLevel.Normal);
}
