import ConfigParser
import logging
import os
import subprocess
import sys
import time

import win32evtlog
from PyQt4 import QtCore, QtGui

from monitor_GUI import Ui_iAmVM
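class MyForm(QtGui.QMainWindow):
    """Prompt window asking the operator what to do with a flagged process.

    Three buttons (allow / allow once / block) each store a decision in
    ``user_choice`` and close the window; with Qt's default
    quit-on-last-window-closed behaviour that also ends the ``app.exec_()``
    loop the caller (``getUserChoice``) runs.  ``user_choice`` stays ``None``
    when the window is dismissed without a button press, so callers must treat
    ``None`` as "no decision", not as "allow".
    """

    # Values stored in ``user_choice``.  ``getUserChoice`` compares against the
    # same literals.
    ALLOW = 0       # remember the pair as allowed; never prompt for it again
    ALLOW_ONCE = 1  # take no action and remember nothing
    BLOCK = 2       # remember the pair as blocked and kill the process

    def __init__(self, parent=None):
        # Initialise the class we actually derive from; the original called
        # QWidget.__init__ on a QMainWindow instance.
        QtGui.QMainWindow.__init__(self, parent)
        self.user_choice = None
        self.ui = Ui_iAmVM()
        self.ui.setupUi(self)
        self.setStyle(QtGui.QStyleFactory.create("plastique"))
        self.ui.allow.clicked.connect(self.allow_proc)
        self.ui.allow_once.clicked.connect(self.allow_once_proc)
        self.ui.block.clicked.connect(self.block_proc)

    def _decide(self, choice):
        """Record *choice* and close the window (which ends the caller's event loop)."""
        self.user_choice = choice
        self.close()

    def allow_proc(self):
        """'Allow' button: permanently allow this object/process pair."""
        self._decide(self.ALLOW)

    def allow_once_proc(self):
        """'Allow once' button: no action now, and nothing is remembered."""
        self._decide(self.ALLOW_ONCE)

    def block_proc(self):
        """'Block' button: remember the pair as blocked and kill the process."""
        self._decide(self.BLOCK)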
# Location of the daemon's INI file (the ``__main__`` block assigns the same
# value).  NOTE(review): the path is relative to the process working
# directory, not to this script, so the allow/block list locations read from
# it depend on where the daemon is launched from.
main_conf_path = ".\\iAmVM_conf.ini"
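def fileContains(fileLocation, processLocation, processCalled):
    """Return True if the list file at *fileLocation* holds the exact pair.

    Every line of a list file is ``<object>,<process>`` as written by
    ``addToFile``.  The pair is compared against whole lines (surrounding
    whitespace and line ending removed) with ASCII case folded, because NTFS
    paths and registry keys are case-insensitive on Windows.  Whole-line
    comparison replaces the original substring test, under which an empty
    *processCalled* (or both parts empty) matched any line for that object,
    i.e. the allow or block decision applied to the wrong process.

    IOError/OSError from opening the file propagates; it is not treated as
    "not found".
    """
    needle = (processLocation + "," + processCalled).strip().lower()
    # Read-only: the original opened with 'r+', needlessly requiring write
    # access to a policy file that is only read here.
    with open(fileLocation, 'r') as list_file:
        for line in list_file:
            if line.strip().lower() == needle:
                return True
    return False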
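def addToFile(fileLocation, processLocation, processCalled):
    """Append the ``<object>,<process>`` pair as one line of the list file.

    Values containing CR or LF are rejected: the list is line-oriented and
    both values come from event-log string inserts (object and process
    names), so a line break inside either would let one entry inject extra
    lines into the allow/block policy.  Commas are not escaped; that is safe
    because ``fileContains`` compares the whole joined line.

    Raises ValueError on CR/LF in either value, and IOError/OSError if the
    file cannot be opened for append.
    """
    for value in (processLocation, processCalled):
        if "\n" in value or "\r" in value:
            raise ValueError("list entries must not contain line breaks: %r" % (value,))
    with open(fileLocation, 'a') as list_file:
        list_file.write(processLocation + "," + processCalled + "\n")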
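def killProcess(pid):
    """Forcibly terminate process *pid* with ``TASKKILL /PID <pid> /F``.

    *pid* must be a positive integer (or a string ``int()`` accepts).  It is
    validated and handed to ``subprocess.call`` as an argument list, replacing
    the original ``os.popen`` shell string, so a non-numeric value can never
    reach a shell.  The daemon's own pid is refused, so a flagged access by
    this process cannot make it kill itself.

    Returns True if TASKKILL exited with 0, False otherwise (non-zero exit,
    TASKKILL not runnable, or own pid).  Raises ValueError for a non-integer
    or non-positive *pid*.

    NOTE(review): the pid comes from an audit record written when the handle
    was requested; by the time the record is read the pid may already belong
    to a different process, and the access itself has already happened.
    """
    try:
        pid_int = int(pid)
    except (TypeError, ValueError):
        raise ValueError("pid must be an integer, got %r" % (pid,))
    if pid_int <= 0:
        raise ValueError("pid must be positive, got %r" % (pid,))
    if pid_int == os.getpid():
        logging.warning("refusing to kill own process (pid %d)", pid_int)
        return False
    try:
        # Argument list, no shell: the pid is one token to TASKKILL.
        rc = subprocess.call(['TASKKILL', '/PID', str(pid_int), '/F'])
    except OSError as e:
        logging.warning("TASKKILL could not be run for pid %d: %s", pid_int, e)
        return False
    if rc != 0:
        logging.warning("TASKKILL exited with %d for pid %d", rc, pid_int)
    return rc == 0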
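def getUserChoice(eventCategory, timeGenererated, type, processId, processCalled, processLocation):
    """Prompt the operator about a flagged access and apply the decision.

    Re-reads the ``[Daemon]`` list paths from ``main_conf_path``, shows a
    ``MyForm`` describing the event, and runs the global ``app`` event loop
    until the window closes.  Decisions (``MyForm.user_choice``):

    * 0 (allow)      -- append the pair to the allow list; nothing else.
    * 1 (allow once) -- no action, nothing recorded.
    * 2 (block)      -- append the pair to the block list, then kill the process.
    * ``None``       -- window dismissed without a button: nothing is recorded
                        and the process is NOT killed, i.e. dismissing the
                        prompt behaves like "allow once".  This is logged so
                        the fail-open outcome is visible.

    The access that produced the event was already attempted before the
    prompt appears; blocking only terminates the process afterwards.
    ``eventCategory`` is unused and ``type`` shadows the builtin; both names
    are kept so existing callers keep working.
    """
    main_conf = ConfigParser.ConfigParser()
    main_conf.read(main_conf_path)
    allowedList = main_conf.get("Daemon", "allowedList")
    blockedList = main_conf.get("Daemon", "blockedList")

    prompt = MyForm()
    prompt.ui.textBox.setText(
        "Suspicious activity has been detected!\nThe requester Process: {}\nThe destination object:{}\nType:{}\nTime:{}".format(
            processCalled, processLocation, type, timeGenererated))
    prompt.show()
    app.exec_()  # blocks until the prompt window is closed

    choice = prompt.user_choice
    if choice == 0:
        addToFile(allowedList, processLocation, processCalled)
    elif choice == 2:
        addToFile(blockedList, processLocation, processCalled)
        killProcess(processId)
    elif choice is None:
        logging.warning("prompt dismissed without a decision for %s -> %s; no action taken",
                        processCalled, processLocation)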
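def doAction(eventCategory, timeGenererated, type, processId, processCalled, processLocation):
    """Decide what to do with one flagged access: kill, ignore, or ask.

    Looks the ``<object>,<process>`` pair up in the block list and then the
    allow list (paths from the ``[Daemon]`` section of ``main_conf_path``,
    re-read on every call so edits apply without a restart):

    * in the block list -- kill the process;
    * in the allow list -- do nothing;
    * in neither        -- prompt via ``getUserChoice``.

    The original consulted the allow list first, so a pair present in both
    lists (only possible through manual edits, since the daemon never removes
    entries) was allowed; here the block entry wins, the usual deny-overrides
    rule for this kind of policy.  Errors opening a list file propagate.
    """
    main_conf = ConfigParser.ConfigParser()
    main_conf.read(main_conf_path)
    allowedList = main_conf.get("Daemon", "allowedList")
    blockedList = main_conf.get("Daemon", "blockedList")

    if fileContains(blockedList, processLocation, processCalled):
        killProcess(processId)
    elif fileContains(allowedList, processLocation, processCalled):
        return
    else:
        getUserChoice(eventCategory, timeGenererated, type, processId, processCalled, processLocation)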
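if __name__ == '__main__':
    logging.basicConfig(filename='iAmLog.log', format='%(asctime)s %(message)s', level=logging.DEBUG)
    logging.info("Running Monitor...")
    app = QtGui.QApplication(sys.argv)

    # Read the INI file.  NOTE(review): the path is relative to the working
    # directory, not to this script, so the policy file locations depend on
    # where the daemon is launched from.
    main_conf_path = r".\iAmVM_conf.ini"
    main_conf = ConfigParser.ConfigParser()
    main_conf.read(main_conf_path)

    # Watched names: the basename of every line in the file-names file and the
    # registry-keys file.  Only the basename is kept and it is matched as a
    # substring of the event's object name below, so a watched "a.txt" also
    # matches "data.txt" (over-matching; it only causes extra prompts).
    files_name_file = main_conf.get("Paths", "fileNames")
    reg_keys_filename = main_conf.get("Paths", "regKeysPath")
    known_list = []
    for list_path in (files_name_file, reg_keys_filename):
        with open(list_path, 'r') as list_file:  # closed promptly; the original leaked both handles
            for entry in list_file:
                known_list.append(os.path.basename(entry.rstrip()))

    # Open the local Security log for a sequential forward read.
    server = 'localhost'
    logtype = 'Security'
    hand = win32evtlog.OpenEventLog(server, logtype)
    flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ

    # A sequential read starts at the oldest record, so the original acted on
    # every historical 4656/4664 record at startup -- including TASKKILL on
    # pids that may since have been reused by unrelated processes.  Drain the
    # existing records first; ReadEventLog returns an empty sequence at the
    # end of the log, after which the loop below only sees new records.
    skipped = 0
    while True:
        old_events = win32evtlog.ReadEventLog(hand, flags, 0)
        if not old_events:
            break
        skipped += len(old_events)
    logging.info("skipped %d historical records; watching for new events", skipped)

    while True:
        events = win32evtlog.ReadEventLog(hand, flags, 0)
        if not events:
            time.sleep(1)  # the original spun at 100% CPU while the log was idle
            continue
        for event in events:
            # 4656: a handle to an object was requested; 4664: an attempt was
            # made to create a hard link.
            if event.EventID not in (4656, 4664):
                continue
            data_list = event.StringInserts
            # Insert layout assumed by the indexing below, taken from 4656:
            # [5] object type, [6] object name, [-3] process id (hex),
            # [-2] process name.  NOTE(review): 4664 carries a different set of
            # inserts -- TODO confirm these indices; if they do not apply, the
            # int() below raises and the record is only logged.
            if not data_list or len(data_list) <= 6:
                continue
            try:
                object_name = data_list[6]
                # One decision per record: the original called doAction once
                # for every watched name that matched, prompting repeatedly for
                # a single access.
                if not any(name in object_name for name in known_list):
                    continue
                eventCategory = event.EventCategory
                timeGenererated = event.TimeGenerated
                processType = data_list[5].encode('utf-8')
                processId = int(data_list[-3], 16)
                # Both names are stored UTF-8 encoded so they round-trip through
                # the list files as one string type.  The original stripped
                # non-ASCII characters from the process name, so distinct paths
                # could collapse onto the same allow-list entry, and mixed
                # unicode/bytes in addToFile for non-ASCII object names.
                # NOTE(review): the prompt text now receives UTF-8 bytes --
                # check it renders non-ASCII paths correctly.
                processCalled = data_list[-2].encode('utf-8')
                processLocation = object_name.encode('utf-8')
                doAction(eventCategory, timeGenererated, processType, processId,
                         processCalled, processLocation)
            except Exception:
                # Best-effort: a malformed record must not stop the monitor,
                # but keep the traceback (the original logged only the message).
                logging.exception("could not process event %s", event.EventID)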