240 lines
8.7 KiB
C#
240 lines
8.7 KiB
C#
using Catswords.DataType.Client.Helper;
|
|
using Catswords.DataType.Client.Model;
|
|
using System;
|
|
using System.Diagnostics;
|
|
using System.IO;
|
|
using System.Windows.Forms;
|
|
|
|
namespace Catswords.DataType.Client
|
|
{
|
|
public partial class UserControl1 : UserControl
|
|
{
|
|
private ImageList imageList = new ImageList();
|
|
|
|
public string filePath;
|
|
public string fileMagic;
|
|
public string fileName;
|
|
public string fileExtension;
|
|
|
|
public UserControl1(Form parent)
|
|
{
|
|
InitializeComponent();
|
|
|
|
// Set image size
|
|
imageList.Images.Add(Properties.Resources.data_database_icon_177024);
|
|
imageList.Images.Add(Properties.Resources.message_bubble_conversation_speech_communication_talk_chat_icon_219299);
|
|
imageList.Images.Add(Properties.Resources._2333410_android_os_smartphone_85588);
|
|
imageList.Images.Add(Properties.Resources.office_18907);
|
|
imageList.Images.Add(Properties.Resources.link_symbol_icon_icons_com_56927);
|
|
imageList.Images.Add(Properties.Resources.tags_icon_icons_com_73382);
|
|
|
|
// set image list
|
|
listView1.SmallImageList = imageList;
|
|
|
|
// Store the file path.
|
|
filePath = OpenFileDialog();
|
|
if (string.IsNullOrEmpty(filePath))
|
|
{
|
|
MessageBox.Show("Failed to get a file name", "Catswords.DataType.Client");
|
|
parent.Close();
|
|
return;
|
|
}
|
|
|
|
// Get first 4 bytes from the file.
|
|
fileMagic = FileMagic.Read(filePath);
|
|
|
|
// Show file magic to the label
|
|
label1.Text = "#0x" + fileMagic;
|
|
if (FileMagic.Error != string.Empty)
|
|
{
|
|
textBox1.Text = FileMagic.Error;
|
|
}
|
|
|
|
// Get file name and file extension
|
|
try
|
|
{
|
|
fileExtension = Path.GetExtension(filePath);
|
|
fileName = Path.GetFileName(filePath);
|
|
if (fileExtension.Length > 0 && fileExtension.Substring(0, 1) == ".")
|
|
{
|
|
fileExtension = fileExtension.Substring(1);
|
|
}
|
|
}
|
|
catch
|
|
{
|
|
fileExtension = "";
|
|
fileName = "";
|
|
}
|
|
|
|
// Get data from file extension database
|
|
FetchFromFileExtensionDB();
|
|
|
|
// Get data from Android manifest
|
|
ExtractAndroidManifest();
|
|
|
|
// Get data from timeline
|
|
FetchFromTimeline();
|
|
|
|
// Get links from file
|
|
ExtractLink();
|
|
|
|
// Get EXIF tags from file
|
|
ExtractExif();
|
|
}
|
|
|
|
private void FetchFromFileExtensionDB()
|
|
{
|
|
var search = new FileExtensionDB();
|
|
search.Fetch(fileExtension);
|
|
foreach (Indicator ind in search.Indicators)
|
|
{
|
|
listView1.Items.Add(new ListViewItem(new string[] { ind.CreatedAt.ToString(), ind.Content }, 0));
|
|
}
|
|
}
|
|
|
|
private void FetchFromTimeline()
|
|
{
|
|
// Request a timeline
|
|
var search = new Timeline(Config.MASTODON_HOST, Config.MASTODON_ACCESS_TOKEN);
|
|
|
|
// fetch data by file magic
|
|
search.Fetch("0x" + fileMagic);
|
|
|
|
// if PE format (ImpHash)
|
|
if (fileMagic.StartsWith("4d5a"))
|
|
{
|
|
try
|
|
{
|
|
string imphash = ImpHash.Calculate(filePath);
|
|
search.Fetch(imphash);
|
|
|
|
string organization = (new PeOrganizationExtractor(filePath)).GetString();
|
|
search.Fetch(organization);
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "This file are distributed by " + organization }, 4));
|
|
|
|
textBox1.Text = "ImpHash=" + imphash + "; Organization=" + organization;
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
textBox1.Text = ex.Message;
|
|
}
|
|
}
|
|
|
|
// fetch data by file extension
|
|
if (fileExtension.Length > 0)
|
|
{
|
|
search.Fetch(fileExtension);
|
|
|
|
// if Office365 format
|
|
if (fileExtension.StartsWith("xls") || fileExtension.StartsWith("ppt") || fileExtension.StartsWith("doc"))
|
|
{
|
|
if (fileExtension == "xlsx" || fileExtension == "pptx" || fileExtension == "docx")
|
|
{
|
|
ExtractOpenXML();
|
|
}
|
|
|
|
search.Fetch("msoffice");
|
|
search.Fetch("office365");
|
|
}
|
|
}
|
|
|
|
// if it contains ransomware keywords
|
|
if (fileName.ToLower().Contains("readme") || fileName.ToLower().Contains("decrypt"))
|
|
{
|
|
search.Fetch("ransomware");
|
|
}
|
|
|
|
// if IoC (Indicators of Compomise) mode
|
|
if (fileMagic == "58354f") // EICAR test file header
|
|
{
|
|
search.Fetch("malware");
|
|
}
|
|
|
|
// Show the timeline
|
|
foreach (Indicator ind in search.Indicators)
|
|
{
|
|
listView1.Items.Add(new ListViewItem(new string[] { ind.CreatedAt.ToString(), ind.Content }, 1));
|
|
}
|
|
}
|
|
|
|
private void ExtractAndroidManifest()
|
|
{
|
|
if (fileExtension == "apk")
|
|
{
|
|
var extractor = new ApkManifestExtractor(filePath);
|
|
extractor.Open();
|
|
foreach (AndroidPermission perm in extractor.GetPermissions())
|
|
{
|
|
listView1.Items.Add(new ListViewItem(new string[] { perm.CreatedAt.ToString(), perm.Name + ' ' + perm.Description }, 2));
|
|
}
|
|
extractor.Close();
|
|
}
|
|
}
|
|
|
|
private void ExtractOpenXML()
|
|
{
|
|
var extractor = new OpenXMLExtractor(filePath);
|
|
extractor.Open();
|
|
|
|
var metadata = extractor.GetMetadata();
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Author: " + metadata.Author }, 3));
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Title: " + metadata.Title }, 3));
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Subject: " + metadata.Subject }, 3));
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Category: " + metadata.Category }, 3));
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Description: " + metadata.Description }, 3));
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Created: " + metadata.CreatedAt.ToString() }, 3));
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Last updated: " + metadata.UpdatedAt.ToString() }, 3));
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Last updated by: " + metadata.LastUpdatedBy }, 3));
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), "Last printed: " + metadata.LastPrintedAt }, 3));
|
|
extractor.Close();
|
|
}
|
|
|
|
private void ExtractLink()
|
|
{
|
|
var extractor = new LinkExtractor(filePath);
|
|
var strings = extractor.GetStrings();
|
|
foreach (string str in strings)
|
|
{
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), str }, 4));
|
|
}
|
|
}
|
|
|
|
private void ExtractExif()
|
|
{
|
|
var extractor = new ExifTagExtractor(filePath);
|
|
var tags = extractor.GetTags();
|
|
foreach (ExifTag tag in tags)
|
|
{
|
|
listView1.Items.Add(new ListViewItem(new string[] { DateTime.Now.ToString(), $"{tag.Name} ({tag.Section}): {tag.Description}" }, 5));
|
|
}
|
|
}
|
|
|
|
public string OpenFileDialog()
|
|
{
|
|
string filePath = null;
|
|
|
|
using (OpenFileDialog openFileDialog = new OpenFileDialog())
|
|
{
|
|
if (openFileDialog.ShowDialog() == DialogResult.OK)
|
|
{
|
|
//Get the path of specified file
|
|
filePath = openFileDialog.FileName;
|
|
}
|
|
}
|
|
|
|
return filePath;
|
|
}
|
|
|
|
private void linkLabel1_LinkClicked(object sender, LinkLabelLinkClickedEventArgs e)
|
|
{
|
|
Process.Start("https://catswords.social/auth/sign_up");
|
|
}
|
|
|
|
private void button1_Click(object sender, EventArgs e)
|
|
{
|
|
Form newForm = new Form2(this);
|
|
newForm.Show();
|
|
}
|
|
}
|
|
}
|