From 671007bb79ba1941d83673a66d203c5f65777932 Mon Sep 17 00:00:00 2001
From: "Namhyeon, Go"
Date: Mon, 9 Sep 2024 12:05:39 +0900
Subject: [PATCH] Update FileEventMonitor.cs and related files
---
 .../WelsonJS.Service/FileEventMonitor.cs | 50 +++++++++++++------
 app/assets/yar/ExampleRule.yar | 9 ++++
 app/assets/yar/pe.yar | 25 ----------
 3 files changed, 44 insertions(+), 40 deletions(-)
 create mode 100644 app/assets/yar/ExampleRule.yar
 delete mode 100644 app/assets/yar/pe.yar
diff --git a/WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs b/WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs
index 8761162..32ea8e9 100644
--- a/WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs
+++ b/WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs
@@ -8,6 +8,9 @@ using libyaraNET;
 using System.Collections.Generic;
 using System.ServiceProcess;
 using WelsonJS.Service.Model;
+using System.Threading.Tasks;
+using System.Runtime.ExceptionServices;
+using System.Security;
 
 namespace WelsonJS.Service
 {
@@ -17,6 +20,16 @@ namespace WelsonJS.Service
 private EventLogWatcher eventLogWatcher;
 private ServiceMain parent;
 private string ruleDirectoryPath;
+ private enum EventType11: int {
+ RuleName,
+ UtcTime,
+ ProcessGuid,
+ ProcessId,
+ Image,
+ TargetFilename,
+ CreationUtcTime,
+ User
+ };
 
 public FileEventMonitor(ServiceBase parent, string workingDirectory)
 {
@@ -25,11 +38,11 @@ namespace WelsonJS.Service
 
 try
 {
- AddYaraRules(new List(Directory.GetFiles(ruleDirectoryPath, "*.yar")));
+ AddYaraRulesFromDirectory(ruleDirectoryPath);
 }
 catch (Exception ex)
 {
- this.parent.Log($"Failed to read the rule files: {ex.Message}");
+ this.parent.Log($"Failed to read the rules: {ex.Message}");
 }
 }
 
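Review bot: The three added directives `using System.Threading.Tasks;`, `using System.Runtime.ExceptionServices;` and `using System.Security;` are not referenced by any line this patch adds, so unless unchanged code elsewhere in the file already relies on them they are dead directives. Unused namespaces usually mean a planned change that did not land; either add the code that needs them or drop them so the directive list reflects the file's real dependencies.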
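Review bot: `EventType11` is declared without any comment saying what its members index, although the handler later uses `(int)EventType11.TargetFilename` as a position in `e.EventRecord.Properties`; the member order (RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, User) appears to mirror the field layout of a Sysmon FileCreate (event ID 11) record, which depends on the event schema version in use. Document that contract above the declaration, e.g. `// Positional indices into EventRecord.Properties for a Sysmon event ID 11 (FileCreate) record; order must follow the Sysmon event schema.` The name reads as an event type rather than a field index, so `Event11Property` or `FileCreateEventField` would describe it better, and the `: int` base and the `;` after the closing brace are redundant in C#.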
@@ -37,12 +50,11 @@ namespace WelsonJS.Service
 {
 if (!Directory.Exists(directoryPath))
 {
- Console.WriteLine($"Directory not found: {directoryPath}");
- return;
+ throw new FileNotFoundException($"{directoryPath} directory not found.");
 }
 
- var yarFiles = Directory.GetFiles(directoryPath, "*.yar");
- AddYaraRules(new List(yarFiles));
+ var ruleFiles = Directory.GetFiles(directoryPath, "*.yar");
+ AddYaraRules(new List(ruleFiles));
 }
 
 public void AddYaraRules(List ruleFiles)
@@ -60,11 +72,11 @@ namespace WelsonJS.Service
 if (File.Exists(ruleFile))
 {
 compiler.AddRuleFile(ruleFile);
- parent.Log($"Loaded file: {ruleFile}");
+ parent.Log($"Added the rule: {ruleFile}");
 }
 else
 {
- parent.Log($"File not found: {ruleFile}");
+ throw new FileNotFoundException($"{ruleFile} file not found.");
 }
 }
 
@@ -73,7 +85,7 @@ namespace WelsonJS.Service
 }
 catch (Exception ex)
 {
- parent.Log($"Error loading the rules: {ex.Message}");
+ parent.Log($"Error adding the rules: {ex.Message}");
 }
 }
 }
@@ -124,12 +136,21 @@ namespace WelsonJS.Service
 {
 try
 {
- string fileName = e.EventRecord.Properties[7]?.Value?.ToString();
- if (!string.IsNullOrEmpty(fileName) && File.Exists(fileName))
+ string fileName = e.EventRecord.Properties[(int)EventType11.TargetFilename]?.Value?.ToString();
+
+ if (string.IsNullOrEmpty(fileName))
+ {
+ throw new ArgumentException("Could not read the target filename.");
+ }
+
+ if (File.Exists(fileName))
 {
 parent.Log($"File created: {fileName}");
 parent.DispatchServiceEvent("fileCreated", new string[] { fileName });
- ScanFileWithYara(fileName);
+ }
+ else
+ {
+ throw new FileNotFoundException($"{fileName} file not found.");
 }
 }
 catch (Exception ex)
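Review bot: `throw new FileNotFoundException($"{directoryPath} directory not found.")` reports a missing directory with the exception type meant for files; `System.IO` provides `DirectoryNotFoundException`, which is also what `Directory.GetFiles` throws for the same condition, so `throw new DirectoryNotFoundException($"{directoryPath} directory not found.");` keeps the type consistent for any caller that filters on it. The signature of the enclosing method (`AddYaraRulesFromDirectory`) lies before the start of this hunk.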
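Review bot: Throwing `FileNotFoundException` inside the loop abandons the remaining rule files at the first one that has gone missing, and the `catch (Exception ex)` in the `@@ -73,7 +85,7 @@` hunk only logs it, so whatever assignment of `rules` follows the loop is presumably skipped and the monitor is left with no compiled rules at all. The previous code logged the missing file and kept going, which degrades more gracefully, and since the list comes from `Directory.GetFiles` a missing entry can only be a file removed in the meantime; `parent.Log($"{ruleFile} file not found."); continue;` preserves the rest of the rule set. If an all-or-nothing load is intended, have the catch block state explicitly that no rules are active so the loss of coverage is visible in the log.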
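Review bot: The call `ScanFileWithYara(fileName);` is removed from the success branch, but no line in this patch calls the renamed `CheckFile`, so after this change a newly created file is logged and dispatched as `fileCreated` but never scanned against the loaded rules; `CheckFile` is private, so its only possible callers are in this file, and the diff adds no other call site. Restore the scan after the dispatch with `CheckFile(fileName);`, or make the removal deliberate with a comment explaining where scanning now happens. The two new `throw` statements also turn expected situations (no filename in the record, file already gone) into exceptions that the `catch (Exception ex)` below — outside this hunk — presumably only logs, whereas the old single `if` expressed the same outcome without exception-driven control flow. The enclosing handler starts before and ends after this hunk.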
@@ -143,12 +164,11 @@ namespace WelsonJS.Service
 }
 }
 
- private void ScanFileWithYara(string filePath)
+ private void CheckFile(string filePath)
 {
 if (rules == null)
 {
- parent.Log("No rules loaded. Skipping file scan.");
- return;
+ throw new ArgumentNullException("No rules added. Skipping check the file.");
 }
 
 using (var ctx = new YaraContext())
diff --git a/app/assets/yar/ExampleRule.yar b/app/assets/yar/ExampleRule.yar
new file mode 100644
index 0000000..c998361
--- /dev/null
+++ b/app/assets/yar/ExampleRule.yar
@@ -0,0 +1,9 @@
+rule ExampleRule
+{
+ strings:
+ $my_text_string = "text here"
+ $my_hex_string = { E2 34 A1 C8 23 FB }
+
+ condition:
+ $my_text_string or $my_hex_string
+}
diff --git a/app/assets/yar/pe.yar b/app/assets/yar/pe.yar
deleted file mode 100644
index ecd2705..0000000
--- a/app/assets/yar/pe.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-import "pe"
-
-rule single_section
-{
- condition:
- pe.number_of_sections == 1
-}
-
-rule control_panel_applet
-{
- condition:
- pe.exports("CPlApplet")
-}
-
-rule is_dll
-{
- condition:
- pe.characteristics & pe.DLL
-}
-
-rule is_pe
-{
- condition:
- pe.is_pe
-}
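Review bot: `throw new ArgumentNullException("No rules added. Skipping check the file.")` misuses the single-string constructor, whose parameter is `paramName`, so the surfaced message becomes "Value cannot be null. (Parameter 'No rules added. Skipping check the file.')"; `rules` is a field rather than an argument and the condition is a state error, so `throw new InvalidOperationException("No rules added; cannot check the file.");` is the right type and message. With the call to this method removed in the `@@ -124,12 +136,21 @@` hunk, nothing visible in the patch reaches this throw. `CheckFile`'s body continues past the end of this hunk.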
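Review bot: `ExampleRule` is the placeholder rule from the YARA documentation and matches any file containing the literal `text here` or the byte sequence `E2 34 A1 C8 23 FB`; if `app/assets/yar` is the directory the service loads through `AddYaraRulesFromDirectory` at startup (not visible in this patch), it will produce matches on ordinary files while the deleted `pe.yar` rules no longer run. Either mark it unmistakably as a sample, e.g. add a `meta:` section with `description = "Sample rule for testing the file monitor; replace before deployment"` inside the rule, or keep it out of the directory the service compiles.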