/// <summary>
/// Drives one end-to-end honeypot test run: fetches the PoC ransomware name through the
/// logger, waits for the server to confirm the fetch, configures the helper classes, starts
/// Process Monitor on a fresh backing file, writes the log, and reports test/post status back.
/// </summary>
/// <remarks>
/// All coordination (with the server and with the procmon thread) is done by polling and
/// fixed <c>Thread.Sleep</c> delays. The fetch-confirmation loop has no upper bound, so a
/// server that never reports the fetch keeps this method blocked indefinitely
/// (NOTE(review): consider a timeout).
/// </remarks>
public static void honeyPotFileMonDetection() {
    //Fetch the ransomwarename
    Logger.getPoCRansomware();
    Thread.Sleep(1000);
    //Inform the server that the ransomware has been fetched
    Logger.postPoCFetched();
    //Wait for response from the server (polled every 500 ms, no upper bound)
    while (!Logger.getHasFetched()) {
        Thread.Sleep(500);
    }
    //Sets the correct values in different classes.
    //Note: ActionTaker receives BACKINGNAME before the "0" suffix is appended below.
    Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);
    ActionTaker.setBackingName(BACKINGNAME);
    ActionTaker.setPathToBackingFile(pathToBackingFile);
    ProcMon.setPathToProcMon(ProcMonPath);
    //String concatenation: this appends the character "0" to the backing name, it does not
    //add zero. Presumably meant to line the first capture file up with the value of INDEXER
    //used in honeypotChange (BACKINGNAME + INDEXER) -- TODO confirm, otherwise the first
    //procmonTerminator call targets a file name that was never created.
    BACKINGNAME = BACKINGNAME + 0;
    //Start the procmon on its own thread so this method can carry on with logging.
    //The thread is never joined.
    var t = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME));
    t.Start();
    Console.WriteLine(Logger.getNAMEONTEST());
    //Start the logger
    Logger.LogWriter(PATH);
    //Post that the ransomware succesfully has been tested
    Logger.postPoCTested();
    //Post the tested results
    Logger.postPoCPosted();
    //Fixed 30 s grace period before returning to the caller.
    Thread.Sleep(30000);
}
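//A change has been registered to a honeypot
/// <summary>
/// Handles a registered change to a honeypot file: stops the current Process Monitor capture,
/// starts a new capture on the next backing file, converts the closed PML capture to CSV,
/// parses it, and kills every process recorded in it except Explorer.EXE and this monitor.
/// </summary>
/// <param name="path">The honeypot path that changed. Not used by this method; kept for the callers' signature.</param>
/// <remarks>
/// Fix: the exclusion check used <c>||</c> between two negated <c>Equals</c> calls, which is
/// true for every name (no name equals both strings), so Explorer.EXE and HoneyPotFilemon.exe
/// were never excluded and the monitor could terminate its own process and the shell. It now
/// uses <c>&amp;&amp;</c> semantics with a case-insensitive, null-safe comparison. The wait for
/// the converted CSV is bounded (previously an unbounded spin), each PID is handled once per
/// capture (a capture holds one row per event), and the outer catch logs unexpected exceptions
/// instead of swallowing them.
/// Caveat: exclusion is by process name only, which a malicious process can spoof, and a PID
/// recorded in the capture may have been reused by the time it is killed.
/// </remarks>
public static void honeypotChange(string path) {
    //Shut down procmon in order to get logfile
    ProcMon.procmonTerminator(pathToBackingFile, BACKINGNAME + INDEXER);
    INDEXER++;
    //Start up procmon with a new backingfile
    var cpmbf = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME + INDEXER));
    cpmbf.Start();
    Thread.Sleep(3000);

    //The capture that was just closed is the previous index
    int closedIndex = INDEXER - 1;
    string csvName = "convertedFile" + closedIndex + ".CSV";
    string csvPath = pathToBackingFile + "\\" + csvName;
    //Convert the PMLfile to CSV
    ProcMon.convertPMLfileToCSV(pathToBackingFile, BACKINGNAME + closedIndex + ".PML", csvName);
    Console.WriteLine("Path to CSV file: " + csvPath);

    //Wait for the conversion to be completed. Opening the file (rather than File.Exists) is
    //deliberate: the open fails with IOException while the converter still holds the file.
    //Bounded so a failed conversion cannot leave the monitor spinning forever.
    const int csvWaitTimeoutMs = 120000;
    var waited = Stopwatch.StartNew();
    bool csvReady = false;
    while (!csvReady) {
        try {
            using (new FileStream(csvPath, FileMode.Open)) {
                csvReady = true;
            }
        } catch (IOException) {
            if (waited.ElapsedMilliseconds > csvWaitTimeoutMs) {
                Console.WriteLine("Timed out waiting for CSV file: " + csvPath + "; no processes killed for this change");
                return;
            }
            Thread.Sleep(50);
        }
    }

    //Parse the CSVfile
    List<CSVfileHandler> parsedData = CSVfileHandler.CSVparser(csvPath);

    //Kill every process that has touched a honeypot, except the shell and this monitor.
    //Windows process names are not case-sensitive; string.Equals tolerates a null name.
    var handled = new HashSet<int>();
    foreach (var item in parsedData) {
        bool excluded = string.Equals(item.processName, "Explorer.EXE", StringComparison.OrdinalIgnoreCase)
                     || string.Equals(item.processName, "HoneyPotFilemon.exe", StringComparison.OrdinalIgnoreCase);
        //One row per event in the capture, so the same PID repeats; handle it once.
        if (excluded || !handled.Add(item.PID)) {
            continue;
        }
        try {
            pID.Add(item.PID);
            string processName = Process.GetProcessById(item.PID).ProcessName;
            killedProcesses.Add(processName);
            try {
                Console.WriteLine("Process: " + processName + " is killed due to suspicious behaviour");
                killProcess(item.PID);
            } catch (Exception) {
                Console.WriteLine("Killing of the process failed");
            }
        } catch (ArgumentException) {
            //No process with that PID any more (exited, or already killed) -- nothing to do.
        } catch (InvalidOperationException) {
            //Process went away between lookup and reading its name -- nothing to do.
        } catch (Exception ex) {
            //Best-effort: keep going with the remaining rows, but do not hide the cause.
            Console.WriteLine("Could not look up process " + item.PID + ": " + ex.Message);
        }
    }
    //Records the time of the first change that went through kill handling.
    //NOTE(review): this is set even when nothing in the capture was killed -- confirm intended.
    if (!killedFirstProcess) {
        firstKilledProcessTime = DateTime.Now;
        killedFirstProcess = true;
    }
}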
/// <summary>
/// Stops the Process Monitor capture that is writing to the current backing file
/// (<c>BACKINGNAME + INDEXER</c> under <c>pathToBackingFile</c>).
/// </summary>
public static void terminateProcmon()
{
    string currentBackingFile = BACKINGNAME + INDEXER;
    ProcMon.procmonTerminator(pathToBackingFile, currentBackingFile);
}