Update FileEventMonitor.cs and related files

This commit is contained in:
Namhyeon Go 2024-09-09 12:05:39 +09:00
parent bdee21a66f
commit 671007bb79
3 changed files with 44 additions and 40 deletions


@ -8,6 +8,9 @@ using libyaraNET;
using System.Collections.Generic; using System.Collections.Generic;
using System.ServiceProcess; using System.ServiceProcess;
using WelsonJS.Service.Model; using WelsonJS.Service.Model;
using System.Threading.Tasks;
using System.Runtime.ExceptionServices;
using System.Security;
namespace WelsonJS.Service namespace WelsonJS.Service
{ {
@ -17,6 +20,16 @@ namespace WelsonJS.Service
private EventLogWatcher eventLogWatcher; private EventLogWatcher eventLogWatcher;
private ServiceMain parent; private ServiceMain parent;
private string ruleDirectoryPath; private string ruleDirectoryPath;
private enum EventType11: int {
RuleName,
UtcTime,
ProcessGuid,
ProcessId,
Image,
TargetFilename,
CreationUtcTime,
User
};
public FileEventMonitor(ServiceBase parent, string workingDirectory) public FileEventMonitor(ServiceBase parent, string workingDirectory)
{ {
@ -25,11 +38,11 @@ namespace WelsonJS.Service
try try
{ {
AddYaraRules(new List<string>(Directory.GetFiles(ruleDirectoryPath, "*.yar"))); AddYaraRulesFromDirectory(ruleDirectoryPath);
} }
catch (Exception ex) catch (Exception ex)
{ {
this.parent.Log($"Failed to read the rule files: {ex.Message}"); this.parent.Log($"Failed to read the rules: {ex.Message}");
} }
} }
@ -37,12 +50,11 @@ namespace WelsonJS.Service
{ {
if (!Directory.Exists(directoryPath)) if (!Directory.Exists(directoryPath))
{ {
Console.WriteLine($"Directory not found: {directoryPath}"); throw new FileNotFoundException($"{directoryPath} directory not found.");
return;
} }
var yarFiles = Directory.GetFiles(directoryPath, "*.yar"); var ruleFiles = Directory.GetFiles(directoryPath, "*.yar");
AddYaraRules(new List<string>(yarFiles)); AddYaraRules(new List<string>(ruleFiles));
} }
public void AddYaraRules(List<string> ruleFiles) public void AddYaraRules(List<string> ruleFiles)
@ -60,11 +72,11 @@ namespace WelsonJS.Service
if (File.Exists(ruleFile)) if (File.Exists(ruleFile))
{ {
compiler.AddRuleFile(ruleFile); compiler.AddRuleFile(ruleFile);
parent.Log($"Loaded file: {ruleFile}"); parent.Log($"Added the rule: {ruleFile}");
} }
else else
{ {
parent.Log($"File not found: {ruleFile}"); throw new FileNotFoundException($"{ruleFile} file not found.");
} }
} }
@ -73,7 +85,7 @@ namespace WelsonJS.Service
} }
catch (Exception ex) catch (Exception ex)
{ {
parent.Log($"Error loading the rules: {ex.Message}"); parent.Log($"Error adding the rules: {ex.Message}");
} }
} }
} }
@ -124,12 +136,21 @@ namespace WelsonJS.Service
{ {
try try
{ {
string fileName = e.EventRecord.Properties[7]?.Value?.ToString(); string fileName = e.EventRecord.Properties[(int)EventType11.TargetFilename]?.Value?.ToString();
if (!string.IsNullOrEmpty(fileName) && File.Exists(fileName))
if (string.IsNullOrEmpty(fileName))
{
throw new ArgumentException("Could not read the target filename.");
}
if (File.Exists(fileName))
{ {
parent.Log($"File created: {fileName}"); parent.Log($"File created: {fileName}");
parent.DispatchServiceEvent("fileCreated", new string[] { fileName }); parent.DispatchServiceEvent("fileCreated", new string[] { fileName });
ScanFileWithYara(fileName); }
else
{
throw new FileNotFoundException($"{fileName} file not found.");
} }
} }
catch (Exception ex) catch (Exception ex)
@ -143,12 +164,11 @@ namespace WelsonJS.Service
} }
} }
private void ScanFileWithYara(string filePath) private void CheckFile(string filePath)
{ {
if (rules == null) if (rules == null)
{ {
parent.Log("No rules loaded. Skipping file scan."); throw new ArgumentNullException("No rules added. Skipping check the file.");
return;
} }
using (var ctx = new YaraContext()) using (var ctx = new YaraContext())
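Review bot: The file-created handler no longer scans the file: the old `ScanFileWithYara(fileName);` call at the end of the `File.Exists` branch is dropped, and the renamed `CheckFile` is not invoked anywhere in the visible hunks, so unless it is called from code outside this diff the rules loaded in the constructor are never applied to the new file. If scanning is still intended, add `CheckFile(fileName);` directly after the `parent.DispatchServiceEvent("fileCreated", ...)` call, before the closing brace of that branch. In `CheckFile`, `new ArgumentNullException("No rules added. Skipping check the file.")` passes the message as the parameter name, so the logged text becomes "Value cannot be null. (Parameter '…')"; `throw new InvalidOperationException("No rules added. Skipping check the file.");` describes the missing-state condition correctly. Note also that `AddYaraRules` now throws on the first missing rule file and the outer catch only logs, so one bad path aborts loading of every remaining rule and can leave `rules` unset; `CheckFile`'s body continues past the end of this hunk.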


@ -0,0 +1,9 @@
rule ExampleRule
{
strings:
$my_text_string = "text here"
$my_hex_string = { E2 34 A1 C8 23 FB }
condition:
$my_text_string or $my_hex_string
}
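Review bot: `ExampleRule` appears to be the YARA documentation sample and matches any file containing the literal `"text here"` or the bytes `E2 34 A1 C8 23 FB`, so if this file sits in the directory the service loads `*.yar` from, it will fire on arbitrary benign content and produce alert noise rather than detections. Either keep it out of the live rule directory or make its purpose explicit with a header comment such as `// Sample rule used to verify the scan pipeline; not a detection rule.` plus a `meta:` section carrying `description` and `author`. The deleted pe-based rules were at least anchored to PE structure; consider retaining a meaningful rule alongside the sample so the monitor is not shipped with a placeholder only.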


@ -1,25 +0,0 @@
import "pe"
rule single_section
{
condition:
pe.number_of_sections == 1
}
rule control_panel_applet
{
condition:
pe.exports("CPlApplet")
}
rule is_dll
{
condition:
pe.characteristics & pe.DLL
}
rule is_pe
{
condition:
pe.is_pe
}