Click here to Skip to main content
15,867,686 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I have a block of code where I call third party handle.exe (obtained from Sysinternals) in order to identify the process that has files in a certain folder open. When I use notepad to make changes to files in the folder, my code is able to output the process id and process name of notepad. The problem comes in when I try the test with a small app I made to act as a threat by modifying the files. Instead of my program identifying the threat process, it points to itself. I wonder whether the problem is handle.exe or my code. Kindly help me.

What I have tried:

C#
class FileMonitor
    {
        //The watcher class
        FileSystemWatcher sysWatcher;
        //directory to monitor
        string directoryPath = "C:\\AAAA";
        //An output label and listBox
        Label outputLabel;
        ListBox operationView;
        //process id
        int processId;
        string processNm;

        //Threat details
        List<object> threatDetails;

        //constructor function
        public FileMonitor()
        {
            sysWatcher = new FileSystemWatcher(this.directoryPath);
            sysWatcher.IncludeSubdirectories = true;
            sysWatcher.NotifyFilter = NotifyFilters.Attributes | NotifyFilters.FileName | NotifyFilters.LastWrite;
            //register event handlers
            sysWatcher.Changed += new FileSystemEventHandler(onChanged);
            sysWatcher.Deleted += new FileSystemEventHandler(onChanged);
            sysWatcher.Created += new FileSystemEventHandler(onChanged);
            sysWatcher.Renamed += new RenamedEventHandler(onRenamed);

            sysWatcher.EnableRaisingEvents = true;

        }

        public void setOutputComponents(Label myLable, ListBox myListBox)
        {
            this.outputLabel = myLable;
            this.operationView = myListBox;
        }

        private void onRenamed(object sender, RenamedEventArgs e)
        {

            this.doWork();
        }

        private void onChanged(object sender, FileSystemEventArgs e)
        {
            this.doWork();
        }
        // i believe this has some sort  of bug. Need help here
        private void callProcessChecker()
        {

            ProcessStartInfo sInfo = new ProcessStartInfo(@"C:\handle64.exe");

            sInfo.Arguments = this.directoryPath + " /accepteula";
            sInfo.UseShellExecute = false;
            sInfo.RedirectStandardOutput = true;
            sInfo.CreateNoWindow = true;

            Process pingHandle = Process.Start(sInfo);
            pingHandle.WaitForExit();

            string myOutput = pingHandle.StandardOutput.ReadToEnd();
            string matchPattern = @"(?<=\s+pid:\s+)\b(\d+)\b(?=\s+)";

            foreach (Match match in Regex.Matches(myOutput, matchPattern))
            {
                this.processId = int.Parse(match.Value);
            }
        }
        //a list to contain information about the process
        private void processDetails()
        {
            Process myprocess = Process.GetProcessById(this.processId);
            this.processNm = myprocess.ProcessName;
            this.threatDetails = new List<object>();
            this.threatDetails.Add(this.processNm);
            this.threatDetails.Add(this.processId);
            this.threatDetails.Add(1);
        }
        //display items in a listBox
        private void displayInfoListBox()
        {
            if (this.operationView.InvokeRequired)
            {
                this.operationView.Invoke(new MethodInvoker(
                    () => { this.operationView.Items.Add("Threat:" + this.processNm + "| Pid:" + this.processId + "| Status: "); }
                    ));
            }
            else
            {
                this.operationView.Items.Add("Threat:" + this.processNm + "| Pid:" + this.processId + "| Status: ");
            }
        }

        private void doWork()
        {

            this.callProcessChecker();
            this.processDetails();
            this.displayInfoListBox();
        }

    }
Posted
Comments
Richard MacCutchan 2-Dec-16 4:23am    
Where does the problem occur, and what exactly are the details?
Member 12882397 2-Dec-16 5:09am    
The program does not output the process that is responsible for modifying the files in that folder. When I make the changes using notepad and save the file my program is able to output the process name as notepad and its process id. If my malicious test application modifies the file, my application is not able to grab the process even when call handle.exe in my code.

This are the steps my application makes
1.Listens for changes in folder C:\AAAA using fileSystemWatcher
2.If a change is detected handle.exe is called using callProcessChecker method and the output read from which a regular expression is used to get matching process ids.
3.The obtained process id is output in a listbox with corresponding process name.

The steps the malicious test application takes
1.ReadsAllBytes in a text file in the folder C:\AAAA
2.Encrypts the byte array and writes the stream to a file then appends a new extension.
3.Delete the original file.

The question I have in mind is, could it be that fileSystemWatcher is only detecting changes once the malicious process has completed and therefore calling handle at that point is not of use?
Jason Gleim 2-Dec-16 9:23am    
Does the malicious app make the change then terminate or does it keep running like Notepad does? The FileSystemWatcher won't trigger until the changes have been committed so yeah... if the app makes changes, writes them, then terminates there is no handle to report back.
Member 12882397 2-Dec-16 15:26pm    
I now get the logic. :-). Is it really possible to be able to capture the malicious app(using c#) immediately it opens a file or will that require me to invoke win32API into my code?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900