Add event type: registry modification

This commit is contained in:
Namhyeon Go 2024-09-09 17:09:31 +09:00
parent 91b73186d3
commit 672a3637de
3 changed files with 85 additions and 42 deletions


@ -15,7 +15,10 @@ namespace WelsonJS.Service
private enum EventType: int private enum EventType: int
{ {
FileCreate = 11, FileCreate = 11,
NetworkConnection = 3 NetworkConnection = 3,
RegistryEvent_1 = 12,
RegistryEvent_2 = 13,
RegistryEvent_3 = 14
}; };
private enum FileCreateEvent: int { private enum FileCreateEvent: int {
RuleName, RuleName,
@ -48,6 +51,18 @@ namespace WelsonJS.Service
DestinationPort, DestinationPort,
DestinationPortName, DestinationPortName,
}; };
private enum RegistryEvent: int
{
RuleName,
EventType,
UtcTime,
ProcessGuid,
ProcessId,
Image,
TargetObject,
Details,
User
}
public FileEventMonitor(ServiceBase parent, string workingDirectory) public FileEventMonitor(ServiceBase parent, string workingDirectory)
{ {
@ -100,50 +115,71 @@ namespace WelsonJS.Service
try try
{ {
if (eventId == (int)EventType.FileCreate) switch (eventId)
{ {
string ruleName = e.EventRecord.Properties[(int)FileCreateEvent.RuleName]?.Value?.ToString(); case (int)EventType.FileCreate:
string processId = e.EventRecord.Properties[(int)FileCreateEvent.ProcessId]?.Value?.ToString(); {
string image = e.EventRecord.Properties[(int)FileCreateEvent.Image]?.Value?.ToString(); string ruleName = e.EventRecord.Properties[(int)FileCreateEvent.RuleName]?.Value?.ToString();
string fileName = e.EventRecord.Properties[(int)FileCreateEvent.TargetFilename]?.Value?.ToString(); string processId = e.EventRecord.Properties[(int)FileCreateEvent.ProcessId]?.Value?.ToString();
string image = e.EventRecord.Properties[(int)FileCreateEvent.Image]?.Value?.ToString();
string fileName = e.EventRecord.Properties[(int)FileCreateEvent.TargetFilename]?.Value?.ToString();
if (string.IsNullOrEmpty(fileName)) parent.Log($"> Detected the file creation: {fileName}");
{ parent.Log(parent.DispatchServiceEvent("fileCreated", new string[] {
throw new ArgumentException("Could not read the target filename."); ruleName,
} processId,
image,
fileName
}));
if (File.Exists(fileName)) break;
{ }
parent.Log($"> Detected the file creation: {fileName}");
parent.Log(parent.DispatchServiceEvent("fileCreated", new string[] {
ruleName,
processId,
image,
fileName
}));
}
else
{
throw new FileNotFoundException($"{fileName} file not found.");
}
}
else if (eventId == (int)EventType.NetworkConnection)
{
string ruleName = e.EventRecord.Properties[(int)NetworkConnectionEvent.RuleName]?.Value?.ToString();
string processId = e.EventRecord.Properties[(int)NetworkConnectionEvent.ProcessId]?.Value?.ToString();
string image = e.EventRecord.Properties[(int)NetworkConnectionEvent.Image]?.Value?.ToString();
string protocol = e.EventRecord.Properties[(int)NetworkConnectionEvent.Protocol]?.Value?.ToString();
string destinationIp = e.EventRecord.Properties[(int)NetworkConnectionEvent.DestinationIp]?.Value?.ToString();
string desinationPort = e.EventRecord.Properties[(int)NetworkConnectionEvent.DestinationPort]?.Value?.ToString();
string dstinationAddress = $"{protocol}://{destinationIp}:{desinationPort}";
parent.Log($"> Detected the network connection: {dstinationAddress}"); case (int)EventType.NetworkConnection:
parent.Log(parent.DispatchServiceEvent("networkConnected", new string[] { {
ruleName, string ruleName = e.EventRecord.Properties[(int)NetworkConnectionEvent.RuleName]?.Value?.ToString();
processId, string processId = e.EventRecord.Properties[(int)NetworkConnectionEvent.ProcessId]?.Value?.ToString();
image, string image = e.EventRecord.Properties[(int)NetworkConnectionEvent.Image]?.Value?.ToString();
dstinationAddress string protocol = e.EventRecord.Properties[(int)NetworkConnectionEvent.Protocol]?.Value?.ToString();
})); string destinationIp = e.EventRecord.Properties[(int)NetworkConnectionEvent.DestinationIp]?.Value?.ToString();
string desinationPort = e.EventRecord.Properties[(int)NetworkConnectionEvent.DestinationPort]?.Value?.ToString();
string dstinationAddress = $"{protocol}://{destinationIp}:{desinationPort}";
parent.Log($"> Detected the network connection: {dstinationAddress}");
parent.Log(parent.DispatchServiceEvent("networkConnected", new string[] {
ruleName,
processId,
image,
dstinationAddress
}));
break;
}
case (int)EventType.RegistryEvent_1:
case (int)EventType.RegistryEvent_2:
case (int)EventType.RegistryEvent_3:
{
string ruleName = e.EventRecord.Properties[(int)RegistryEvent.RuleName]?.Value?.ToString();
string processId = e.EventRecord.Properties[(int)RegistryEvent.ProcessId]?.Value?.ToString();
string image = e.EventRecord.Properties[(int)RegistryEvent.Image]?.Value?.ToString();
string eventType = e.EventRecord.Properties[(int)RegistryEvent.EventType]?.Value?.ToString();
string targetObject = e.EventRecord.Properties[(int)RegistryEvent.TargetObject]?.Value?.ToString();
parent.Log($"> Detected the registry modification: {targetObject}");
parent.Log(parent.DispatchServiceEvent("registryModified", new string[] {
ruleName,
processId,
image,
eventType,
targetObject
}));
break;
}
default:
throw new ArgumentException("Not supported event type");
} }
} }
catch (Exception ex) catch (Exception ex)
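Review bot: The new `RegistryEvent_1/2/3` branch indexes `e.EventRecord.Properties` positionally through one `RegistryEvent` enum shared by three different event IDs, and nothing in the code states that the three templates agree on those offsets; if these are Sysmon IDs 12/13/14 as the numbering suggests, only the prefix up to `TargetObject` is common, so the `Details`/`User` members will not mean the same thing for every ID. The branch currently reads no further than `TargetObject`, which keeps it safe, but I would pin that with a comment on the enum, `// Only indices up to TargetObject are shared by all three registry event IDs; Details/User differ per template — confirm against the provider manifest`, and guard any later read with `Properties.Count` before indexing. Naming the three members after what the IDs mean (key add/delete, value set, rename) rather than `_1/_2/_3` would also stop the next reader from having to look the numbers up. Note too that the handler forwards `eventType` and `targetObject` but not the written value data, which is what a consumer of `registryModified` most needs for a value-set event. The enclosing method begins before this hunk and the `catch` body continues after it.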

3
app.js

@ -628,7 +628,8 @@ function dispatchServiceEvent(name, eventType, w_args, argl) {
elapsedTime: bind("ServiceElapsedTime"), elapsedTime: bind("ServiceElapsedTime"),
screenTime: bind("ServiceScreenTime"), screenTime: bind("ServiceScreenTime"),
fileCreated: bind("FileCreated"), fileCreated: bind("FileCreated"),
networkConnected: bind("NetworkConnected") networkConnected: bind("NetworkConnected"),
registryModified: bind("RegistryModified")
}); });
} else { } else {
console.error("Could not find", name + ".js"); console.error("Could not find", name + ".js");


@ -36,6 +36,11 @@ function onNetworkConnected(args) {
return "onNetworkConnected recevied. " + args.join(', '); return "onNetworkConnected recevied. " + args.join(', ');
} }
function onRegistryModified(args) {
return "onRegistryModified recevied. " + args.join(', ');
}
exports.main = main; exports.main = main;
exports.getDeviceID = getDeviceID; exports.getDeviceID = getDeviceID;
exports.onServiceStart = onServiceStart; exports.onServiceStart = onServiceStart;
@ -44,3 +49,4 @@ exports.onServiceElapsedTime = onServiceElapsedTime;
exports.onServiceScreenTime = onServiceScreenTime; exports.onServiceScreenTime = onServiceScreenTime;
exports.onFileCreated = onFileCreated; exports.onFileCreated = onFileCreated;
exports.onNetworkConnected = onNetworkConnected; exports.onNetworkConnected = onNetworkConnected;
exports.onRegistryModified = onRegistryModified;
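Review bot: `onRegistryModified` copies the `recevied` typo from the neighbouring handlers into its new return string and leaves the positional layout of `args` undocumented, so a consumer has to read the C# service to learn which index is which. From the dispatch side the array is `ruleName, processId, image, eventType, targetObject` in that order, so a one-line comment above the function, `// args: [ruleName, processId, image, eventType, targetObject] as dispatched by FileEventMonitor`, would make the contract explicit and `"onRegistryModified received. "` fixes the spelling. Since `image` and `targetObject` are chosen by whatever process triggered the event, anything that writes this joined string to a log should treat it as untrusted text rather than a trusted message — presumably the same applies to the existing handlers.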