| 1 | /* |
| 2 | * PROJECT: Capture |
| 3 | * FILE: Analyzer.h |
| 4 | * AUTHORS: Ramon Steenson (rsteenson@gmail.com) & Christian Seifert (christian.seifert@gmail.com) |
| 5 | * |
| 6 | * Developed by Victoria University of Wellington and the New Zealand Honeynet Alliance |
| 7 | * |
| 8 | * This file is part of Capture. |
| 9 | * |
| 10 | * Capture is free software; you can redistribute it and/or modify |
| 11 | * it under the terms of the GNU General Public License as published by |
| 12 | * the Free Software Foundation; either version 2 of the License, or |
| 13 | * (at your option) any later version. |
| 14 | * |
| 15 | * Capture is distributed in the hope that it will be useful, |
| 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 18 | * GNU General Public License for more details. |
| 19 | * |
| 20 | * You should have received a copy of the GNU General Public License |
| 21 | * along with Capture; if not, write to the Free Software |
| 22 | * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA |
| 23 | */ |
#pragma once
#include "CaptureGlobal.h"
#include <string>
#include <queue>
#include <vector>
#include "shellapi.h"
#include <boost/signal.hpp>
#include <boost/bind.hpp>
#include "Server.h"
#include "Visitor.h"
#include "ProcessMonitor.h"
#include "RegistryMonitor.h"
#include "FileMonitor.h"
#include "NetworkPacketDumper.h"
#include "FileUploader.h"
| 38 | |
using namespace std; // NOTE(review): a using-directive in a header is injected into every translation unit that includes Analyzer.h; the unqualified wstring/vector names below rely on it, so removing it means qualifying those names.
| 40 | |
/*
Class: Analyzer

The analyzer is the central part of the client component of Capture.

All malicious events that occur on the system are passed onto the Analyzer,
where they are formatted to be output to the server, stdout, or a file. It
uses the signal/slot design in Boost to achieve a common interface through
which the monitors can send events to it. These are the on*Event() methods
and are managed by connecting/binding a particular method in an Analyzer to a
particular slot on a monitor. When a malicious event occurs in a monitor,
the monitor will signal the slot with the event information, which is then
processed by the analyzer.

Notes (this header only declares the interface; see Analyzer.cpp):
- Whether a monitor fires its signal on its own thread is not visible here,
  so assume the on*Event() handlers may run concurrently with start()/stop()
  unless the implementation shows otherwise.
- No copy constructor or copy assignment is declared. Copying an Analyzer
  would duplicate its raw pointers and signal connections; presumably
  instances are never copied - confirm before relying on that.
- Every event field (process paths, registry keys, file paths, URLs)
  describes activity on a system that is deliberately exposed to hostile
  content, so the formatting helpers must escape them for whatever output
  format they write (see sendSystemEvent / sendVisitEvent).
*/
class Analyzer
{
public:
    /*
    Constructor: Analyzer

    Takes the components the analyzer works with. Presumably each pointer is
    stored in the matching member below and the pointees outlive this object;
    the constructor is not visible here - confirm in Analyzer.cpp.
    */
    Analyzer(Visitor* v, Server* s, RegistryMonitor * r, FileMonitor * f, ProcessMonitor * p);
    ~Analyzer(void);

    /*
    Function: start

    Connect to all of the available monitor slots so that the Analyzer can
    receive malicious events
    */
    void start();
    /*
    Function: stop

    Disconnects all of the connections between the monitors slots so that
    the Analyzer does not receive malicious events. Note that only the four
    on*EventConnection members below are declared; how the visit slot of
    <Visitor> is disconnected is not visible in this header.
    */
    void stop();
    /*
    Function: onVisitEvent

    Method to bind to the <Visitor> visit event slot. These are called when
    operating in client server mode. During the visitation of the URL by an
    application, the Visitor will signal various visit events which will be
    passed onto the Analyzer.

    url and applicationPath are received from the visit and should be treated
    as externally supplied strings when they are written out or logged.
    */
    void onVisitEvent(DWORD majorErrorCode, DWORD minorErrorCode, wstring url, wstring applicationPath);
    /*
    Function: onProcessEvent

    Method which binds to the <ProcessMonitor> process event slot. This is called
    whenever a malicious process event occurs on the system.

    created presumably distinguishes process creation from termination;
    the parent/child process names and ids come from the monitor.
    */
    void onProcessEvent(BOOLEAN created, wstring time,
                        DWORD parentProcessId, wstring parentProcess,
                        DWORD processId, wstring process);
    /*
    Function: onRegistryEvent

    Method which binds to the <RegistryMonitor> registry event slot. Called
    whenever a malicious registry event occurs. extra carries any additional
    fields the monitor attaches to the event (contents not defined here).
    */
    void onRegistryEvent(wstring registryEventType, wstring time,
                         wstring processPath, wstring registryEventPath, vector<wstring> extra);
    /*
    Function: onFileEvent

    Method which binds to the <FileMonitor> file event slot. Called
    whenever a malicious file event occurs. extra carries any additional
    fields the monitor attaches to the event (contents not defined here).
    */
    void onFileEvent(wstring fileEventType, wstring time,
                     wstring processPath, wstring fileEventPath, vector<wstring> extra);

    /*
    Function: onOptionChanged

    Called when an option changes in OptionsManager (not included by this
    header). option names the changed option; collectModifiedFiles and
    captureNetworkPackets below are presumably updated from here.
    */
    void onOptionChanged(wstring option);
private:
    /*
    Variable: malicious

    Whether or not the system is in a malicious state. Presumably set once
    the first malicious event is received - confirm in Analyzer.cpp.
    */
    bool malicious;
    /*
    Variable: collectModifiedFiles

    Whether or not the analyzer has been asked to collect all of the
    modified files that occur during the object's start() state.
    */
    bool collectModifiedFiles;
    /*
    Variable: captureNetworkPackets

    Whether network packet capture has been requested; presumably controls
    whether networkPacketDumper below is created and used.
    */
    bool captureNetworkPackets;
    /*
    Method: compressLogDirectory

    If collectModifiedFiles is true, this method will compress the log directory
    so that it can be saved or sent to the server. It uses both tar.exe and gzip.exe
    to perform this functionality.

    NOTE(review): because external tools are launched, logFileName ends up
    on a command line; the implementation must validate/quote it and invoke
    the tools by a fixed path. The bool presumably reports success - confirm.
    */
    bool compressLogDirectory(wstring logFileName);

    /*
    Method: sendSystemEvent

    Helper method which formats a monitor event into a readable record which
    can be saved to a file or sent to the server (the original note mentions
    both XML and CSV; confirm the exact format in Analyzer.cpp). The strings
    are passed by pointer; the callee is not expected to retain them. Field
    values come from the monitored system and must be escaped for the format.
    */
    void sendSystemEvent(wstring* type, wstring* time, wstring* process, wstring* action, wstring* object, vector<wstring>* extra);
    /*
    Method: sendVisitEvent

    Helper method which parses a visit event from <onVisitEvent> and sends it to the
    server. Same pointer-passing convention as <sendSystemEvent>.
    */
    void sendVisitEvent(wstring* type, wstring* time,
                        wstring* url, wstring* classification, wstring* application,
                        wstring* majorErrorCode, wstring* minorErrorCode);

    /*
    Method: errorCodeToString

    Converts a visit error code to its string form, presumably for the
    majorErrorCode/minorErrorCode arguments of <sendVisitEvent>.
    */
    wstring errorCodeToString(DWORD errorCode);

    /*
    Variable: visitor

    Contains the <Visitor> component. Supplied via the constructor; assumed
    non-owning - TODO confirm in the destructor.
    */
    Visitor* visitor;
    /*
    Variable: server

    Contains the <Server> component. The analyzer is the only object allowed to
    send data to the remote server. Supplied via the constructor; assumed
    non-owning - TODO confirm in the destructor.
    */
    Server* server;
    /*
    Variable: processMonitor

    Pointer to a <ProcessMonitor> instance (constructor-supplied, assumed non-owning)
    */
    ProcessMonitor* processMonitor;
    /*
    Variable: registryMonitor

    Pointer to a <RegistryMonitor> instance (constructor-supplied, assumed non-owning)
    */
    RegistryMonitor* registryMonitor;
    /*
    Variable: fileMonitor

    Pointer to a <FileMonitor> instance (constructor-supplied, assumed non-owning)
    */
    FileMonitor* fileMonitor;
    /*
    Variable: networkPacketDumper

    If required this contains a pointer to a <NetworkPacketDumper>. This is only
    loaded when required and only if WinPCAP is installed on the system.
    Unlike the other pointers it is not constructor-supplied, so the Analyzer
    presumably creates and destroys it itself - confirm in Analyzer.cpp.
    */
    NetworkPacketDumper* networkPacketDumper;

    /*
    Variable: on*EventConnection

    Various connections to the slots of monitors. These are an easy way to stop
    listening for various methods. There is no connection member for the
    <Visitor> visit slot bound by <onVisitEvent>.
    */
    boost::signals::connection onProcessEventConnection;
    boost::signals::connection onRegistryEventConnection;
    boost::signals::connection onFileEventConnection;
    boost::signals::connection onOptionChangedConnection;
};
