-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathAnalyzer.h
208 lines (179 loc) · 6.35 KB
/
Analyzer.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
/*
* PROJECT: Capture
* FILE: Analyzer.h
* AUTHORS: Ramon Steenson ([email protected]) & Christian Seifert ([email protected])
*
* Developed by Victoria University of Wellington and the New Zealand Honeynet Alliance
*
* This file is part of Capture.
*
* Capture is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* Capture is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Capture; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#pragma once
#include "CaptureGlobal.h"
#include <string>
#include <queue>
#include "shellapi.h"
#include <boost/signal.hpp>
#include <boost/bind.hpp>
#include "Server.h"
#include "Visitor.h"
#include "ProcessMonitor.h"
#include "RegistryMonitor.h"
#include "FileMonitor.h"
#include "NetworkPacketDumper.h"
#include "FileUploader.h"
using namespace std;
/*
Class: Analyzer
The analyzer is the central part of the client component of Capture.
All malicious events that occur on the system are passed onto the Analyzer,
where it is formatted to be outputted to the server, stdout, or a file. It
uses the signal slot design in Boost to achieve a common interface for which
the monitors can send events to it. These are the on*Event() methods and are
managed by connecting/binding a particular method in the an Analyzer to a
particular slot on a monitor. When a malicious event occurs in a monitor,
the monitor will signal the slot with the event information which is then
processed by the analyzer.
*/
class Analyzer
{
public:
Analyzer(Visitor* v, Server* s, RegistryMonitor * r, FileMonitor * f, ProcessMonitor * p);
~Analyzer(void);
/*
Function: start
Connect to all of the available monitor slots so that the Analyzer can
receive malicious events
*/
void start();
/*
Function: stop
Disconnects all of the connections between the monitors slots so that
the Analyzer does not receive malicious events
*/
void stop();
/*
Function: onVisitEvent
Method to bind to the <Visitor> visit event slot. These are called when
operating in client server mode. During the visitation of the URL by and
application, the Visitor will signal various visit events which will be
passed onto the Analyzer.
*/
void onVisitEvent(DWORD majorErrorCode, DWORD minorErrorCode, wstring url, wstring applicationPath);
/*
Function: onProcessEvent
Method which binds to the <ProcessMonitor> process event slot. This is called
whenever a malicious process event occurs on the system
*/
void onProcessEvent(BOOLEAN created, wstring time,
DWORD parentProcessId, wstring parentProcess,
DWORD processId, wstring process);
/*
Function: onRegistryEvent
Method which binds to the <RegistryMonitor> registry event slot. Called when
ever a malcious registry event occurs
*/
void onRegistryEvent(wstring registryEventType, wstring time,
wstring processPath, wstring registryEventPath, vector<wstring> extra);
/*
Function: onFileEvent
Method which binds to the <FileMonitor> file event slot. Called when
ever a malcious file event occurs
*/
void onFileEvent(wstring fileEventType, wstring time,
wstring processPath, wstring fileEventPath, vector<wstring> extra);
/*
Function: onOptionChanged
Called when an option changes in OptionsManager
*/
void onOptionChanged(wstring option);
private:
/*
Variable: malcious
Whether or not the system is in a malicious state
*/
bool malicious;
/*
Variable: collectModifiedFiles
Whether or not the anaylyzer has been asked to collect all of the
modified files that occur during the objects start() state.
*/
bool collectModifiedFiles;
bool captureNetworkPackets;
/*
Method: compressLogDirectory
If collectModifiedFiles is true, this method will compress the log directory
so that it can be saved or sent to the server. It uses both tar.exe and gzip.exe
to perform this functionality
*/
bool compressLogDirectory(wstring logFileName);
/*
Method: sendSystemEvent
Helper method which parses the monitor events into a readible XML document
which can be saved to a file as a CSV or sent to the server.
*/
void sendSystemEvent(wstring* type, wstring* time, wstring* process, wstring* action, wstring* object, vector<wstring>* extra);
/*
Method: sendVisitEvent
Helper method which parses a visit event from <onVisitEvent> and sends it to the
server.
*/
void sendVisitEvent(wstring* type, wstring* time,
wstring* url, wstring* classification, wstring* application,
wstring* majorErrorCode, wstring* minorErrorCode);
wstring errorCodeToString(DWORD errorCode);
/*
Variable: visitor
Contains the <Visitor> component
*/
Visitor* visitor;
/*
Variable: server
Contains the <Server> component. The analyzer is the only object allowed to
send data to the remote server
*/
Server* server;
/*
Variable: processMonitor
Pointer to a <ProcessMonitor> instance
*/
ProcessMonitor* processMonitor;
/*
Variable: registryMonitor
Pointer to a <RegistryMonitor> instance
*/
RegistryMonitor* registryMonitor;
/*
Variable: fileMonitor
Pointer to a <FileMonitor> instance
*/
FileMonitor* fileMonitor;
/*
Variable: networkPacketDumper
If required this contains a pointer to a <NetworkPacketDumper>. This is only
loaded when required and only if WinPCAP is installed on the system
*/
NetworkPacketDumper* networkPacketDumper;
/*
Variable: on*EventConnection
Various connections to the slots of monitors. These are an easy way to stop
listening for various methods
*/
boost::signals::connection onProcessEventConnection;
boost::signals::connection onRegistryEventConnection;
boost::signals::connection onFileEventConnection;
boost::signals::connection onOptionChangedConnection;
};