From df0f3d0e4bacb74f7680673a68aab087318393fb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 14 Nov 2020 10:12:49 +0100
Subject: [PATCH 1/8] feat: remove new line characters in log messages
---
 source/RaccineLib/Utils.cpp | 9 +++++++++
 source/RaccineLib/Utils.h | 2 ++
 source/RaccineLib/raccine.cpp | 5 ++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/source/RaccineLib/Utils.cpp b/source/RaccineLib/Utils.cpp
index dd199bd..857a3e4 100644
--- a/source/RaccineLib/Utils.cpp
+++ b/source/RaccineLib/Utils.cpp
@@ -534,4 +534,13 @@ std::wstring getFileName(const std::wstring& s)
 return(s);
 }
 
+int removeNewLines(std::wstring& str)
+{
+ const wchar_t* chars = L"\r\n";
+ for (int i = 0; i < sizeof(chars); i++)
+ str.erase(std::remove(str.begin(), str.end(), chars[i]), str.end());
+
+ return 0;
+}
+
 }
diff --git a/source/RaccineLib/Utils.h b/source/RaccineLib/Utils.h
index 5c90bf6..3639e42 100644
--- a/source/RaccineLib/Utils.h
+++ b/source/RaccineLib/Utils.h
@@ -74,4 +74,6 @@ DWORD getCurrentSessionId();
 
 std::wstring getUserSid();
 
+int removeNewLines(std::wstring& str);
+
 }
diff --git a/source/RaccineLib/raccine.cpp b/source/RaccineLib/raccine.cpp
index 4320481..0603a2a 100644
--- a/source/RaccineLib/raccine.cpp
+++ b/source/RaccineLib/raccine.cpp
@@ -242,9 +242,12 @@ void logSend(const std::wstring& logStr)
 return; // bail out if we can't log
 }
 }
+ // Replace new line characters
+ std::wstring logString = logStr;
+ utils::removeNewLines(logString);
 if (logFile != nullptr) {
- fwprintf(logFile, L"%s", logStr.c_str());
+ fwprintf(logFile, L"%s\n", logString.c_str());
 fflush(logFile);
 fclose(logFile);
 logFile = nullptr;
From 60da28cb71026b6264684c4709efc9dcaf3c839a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 14 Nov 2020 10:13:29 +0100
Subject: [PATCH 2/8] feat: set eventtype of eventlog entries
---
 source/RaccineLib/Raccine.h | 1 +
 source/RaccineLib/raccine.cpp | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

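Review bot: `sizeof(chars)` in the `for` bound is the size of a `const wchar_t*` (4 or 8 bytes), not the number of characters in `L"\r\n"`, so `chars[i]` indexes past the two-character literal and its terminator — an out-of-bounds read that is undefined behaviour and, on a 64-bit build, erases from `str` whatever five wide characters happen to follow the literal in read-only data. Iterate the characters themselves instead: `for (wchar_t c : { L'\r', L'\n' }) str.erase(std::remove(str.begin(), str.end(), c), str.end());`. PATCH 5/8 in this series rewrites the body with `std::replace`, which also removes the over-read, but the `int` return that is always `0` survives it; `void` would state the contract honestly. `std::remove` needs `<algorithm>`; whether Utils.cpp already includes it is not visible here.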
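Review bot: Sanitising the whole buffer in `logSend` also strips the record terminators that `logFormat` itself appends (the `L"\n"` in its return value, see 7/8), so if `logSend` is handed the accumulated `sListLogs` — as `sListLogs.append(logFormat(...))` in 3/8 suggests — several detections collapse onto one physical line with no separator, and the `\n` added to the `fwprintf` format only terminates the batch. The sanitisation belongs on the untrusted field, not on the record: in `logFormat`, copy `cmdLine` into a local, run `utils::removeNewLines` on that copy and concatenate the copy, then let `logSend` write `logStr` verbatim. Only `\r` and `\n` are covered; if anything reads the log line by line, other line-breaking code points (U+000B, U+000C, U+0085, U+2028, U+2029) will still split a record, so consider replacing every `iswcntrl` character rather than two of them. `logSend` starts and ends outside the hunk.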
diff --git a/source/RaccineLib/Raccine.h b/source/RaccineLib/Raccine.h index 86e23db..6640998 100644 --- a/source/RaccineLib/Raccine.h +++ b/source/RaccineLib/Raccine.h @@ -20,6 +20,7 @@ // Log Config and Flags #define RACCINE_DEFAULT_EVENTID 1 #define RACCINE_EVENTID_MALICIOUS_ACTIVITY 2 +#define RACCINE_EVENTID_BENIGN_ACTIVITY 3 #define RACCINE_DATA_DIRECTORY L"%PROGRAMDATA%\\Raccine" #define RACCINE_YARA_DIRECTORY L"%PROGRAMFILES%\\Raccine\\yara" diff --git a/source/RaccineLib/raccine.cpp b/source/RaccineLib/raccine.cpp index 0603a2a..e05e7c0 100644 --- a/source/RaccineLib/raccine.cpp +++ b/source/RaccineLib/raccine.cpp @@ -123,10 +123,16 @@ void WriteEventLogEntryWithId(const std::wstring& pszMessage, DWORD dwEventId) LPCWSTR lpszStrings[2] = { pszMessage.c_str() , nullptr }; + // Select an eventlog message type + WORD eventType = EVENTLOG_INFORMATION_TYPE; + if (dwEventId == RACCINE_EVENTID_MALICIOUS_ACTIVITY) { + eventType = EVENTLOG_WARNING_TYPE; + } + constexpr PSID NO_USER_SID = nullptr; constexpr LPVOID NO_BINARY_DATA = nullptr; - ReportEventW(hEventSource, // Event log handle - EVENTLOG_INFORMATION_TYPE, // Event type + ReportEventW(hEventSource, // Event log handle + eventType, // Event type 0, // Event category dwEventId, // Event identifier NO_USER_SID, // No security identifier From e4e5faac31c825f2013fbbab131c3e319baee964 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 14 Nov 2020 10:13:42 +0100 Subject: [PATCH 3/8] fix: missing benign eventlogs --- source/Raccine/raccine.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/source/Raccine/raccine.cpp b/source/Raccine/raccine.cpp index 6bc65e4..1a0f1d9 100644 --- a/source/Raccine/raccine.cpp +++ b/source/Raccine/raccine.cpp 
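Review bot: The ID-to-severity mapping is implicit for everything except `RACCINE_EVENTID_MALICIOUS_ACTIVITY`: ID 1 (setup) and the new ID 3 (benign, simulation mode) reach `ReportEventW` as `EVENTLOG_INFORMATION_TYPE` only because that is the initial value of `eventType`, and nothing in the function says that is intentional. A comment above the `if` would fix that, e.g. `// Only malicious activity (ID 2) is raised to WARNING; setup (1) and benign (3) stay INFORMATION`. A `switch (dwEventId)` with an explicit `default:` would make adding the next ID a deliberate choice rather than a silent fallthrough. `WriteEventLogEntryWithId` starts and ends outside the hunk.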
@@ -104,6 +104,7 @@ int wmain(int argc, WCHAR* argv[])
 std::wstring message;
 // Eventlog
 message = L"Raccine detected benign activity:\r\n" + sCommandLine + L"\r\n(simulation mode)";
+ WriteEventLogEntryWithId(message, RACCINE_EVENTID_BENIGN_ACTIVITY);
 // Log to the text log file
 sListLogs.append(logFormat(sCommandLine, L"Raccine detected benign activity (simulation mode)"));
 }
From 167c75d6039167eec010fadca0b1352f19c07a86 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 14 Nov 2020 10:13:50 +0100
Subject: [PATCH 4/8] docs: README update
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index 92c6bf2..1276e7d 100644
--- a/README.md
+++ b/README.md
@@ -204,6 +204,12 @@ An entry is generated by every blocking event in the `Application` eventlog.
 
 ![Eventlog](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/eventlog2.png)
 
+The IDs that Raccine generates
+
+- EventId 1 - Setup activity
+- EventId 2 - Malicious activity detected
+- EventId 3 - Benign activity detected
+
 ## Simulation Mode
 
 Since version 0.10.0, Raccine can be installed in "simulation mode", which activates all triggers, logs all actions but doesn't kill anything. This mode should be used in environments in which backup solutions or other legitimate software for a reasonable amount of time to check if Raccine would interfere with other software. The idea is to install Raccine in simulation mode, let it log for a week or month and then check the logs to see if it would have blocked legitimate software used in the organisation.
From 6c92232f5b7faeee0ea4356d9c38a7ad0f1320be Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 14 Nov 2020 10:49:33 +0100
Subject: [PATCH 5/8] fix: replace new lines
---
 source/RaccineLib/Utils.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/source/RaccineLib/Utils.cpp b/source/RaccineLib/Utils.cpp
index 857a3e4..164eb03 100644
--- a/source/RaccineLib/Utils.cpp
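Review bot: The added `WriteEventLogEntryWithId(message, RACCINE_EVENTID_BENIGN_ACTIVITY)` writes an Application-log event, with the full `sCommandLine` embedded, for every intercepted invocation judged benign, and nothing in the hunk makes it conditional. A legitimate scheduled task that calls one of the intercepted binaries in a loop — or an attacker doing so on purpose — therefore produces one event per call until the Application log wraps and the ID 2 entries that matter are pushed out. Consider gating the call behind a registry flag like the `ShowGui`/`ScanMemory` values `install-raccine.bat` already sets, or at minimum say so in the comment: `// Eventlog (ID 3) -- one entry per benign invocation, expect volume in simulation mode`. `wmain` starts and ends outside the hunk.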
+++ b/source/RaccineLib/Utils.cpp
@@ -536,10 +536,8 @@ std::wstring getFileName(const std::wstring& s)
 
 int removeNewLines(std::wstring& str)
 {
- const wchar_t* chars = L"\r\n";
- for (int i = 0; i < sizeof(chars); i++)
- str.erase(std::remove(str.begin(), str.end(), chars[i]), str.end());
-
+ std::replace(str.begin(), str.end(), L'\r', L' ');
+ std::replace(str.begin(), str.end(), L'\n', L' ');
 return 0;
 }
 
From aaa4128f5e3a45e4cdebbace1366d59810e2c773 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 14 Nov 2020 10:49:49 +0100
Subject: [PATCH 6/8] feat: event id 3 registration
---
 install-raccine.bat | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install-raccine.bat b/install-raccine.bat
index 60d1d6e..65244cb 100644
--- a/install-raccine.bat
+++ b/install-raccine.bat
@@ -132,7 +132,6 @@ COPY RaccineRulesSync.exe "%ProgramFiles%\Raccine\"
 COPY Raccine%ARCH%.exe "%ProgramFiles%\Raccine\Raccine.exe"
 COPY yara\yara%ARCHITECTURE_SUFFIX%.exe "%ProgramFiles%\Raccine\"
 COPY yara\yarac%ARCHITECTURE_SUFFIX%.exe "%ProgramFiles%\Raccine\"
-
 :: YARA Rules
 MKDIR "%ProgramFiles%\Raccine\yara"
 MKDIR "%ProgramFiles%\Raccine\yara\in-memory"
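Review bot: Replacing `\r` and `\n` with spaces keeps an injected `\r\n` from forging a second log record, but `removeNewLines` still returns an `int` that is always `0` and is called without looking at it; make it `void`, or return the number of characters replaced so a caller can flag a command line that carried line breaks. The name also promises more than the body delivers: U+000B, U+000C, U+0085, U+2028 and U+2029 are line breaks to some consumers and `\x1b`/`\b` still garble a terminal or log viewer, so either widen it — `std::replace_if(str.begin(), str.end(), [](wchar_t c) { return std::iswcntrl(c) != 0; }, L' ');` with `<cwctype>` — or add a comment that the narrow CR/LF scope is deliberate. A one-line header would help either way: `// Replace CR/LF so an attacker-supplied string cannot forge additional log records.`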
@@ -148,8 +147,9 @@ ECHO Creating empty log file ...
 echo. 2>"%ProgramData%\Raccine\Raccine_log.txt"
 icacls "%ProgramData%\Raccine\Raccine_log.txt" /grant Users:F
 ECHO Registering Eventlog Events
-eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine Setup: Registration of Event ID 1" 2> nul
-eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine Setup: Registration of Event ID 2" 2> nul
+eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine Setup: Registration of Event ID 1 - Used for Informational Messages" 2> nul
+eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine Setup: Registration of Event ID 2 - Used for Malicious Actitivty" 2> nul
+eventcreate.exe /L Application /T Information /id 3 /so Raccine /d "Raccine Setup: Registration of Event ID 3 - Used for Benign Activity" 2> nul
 :: Registry Settings
 REG.EXE ADD HKLM\Software\Raccine /v ShowGui /t REG_DWORD /d 1 /F
 REG.EXE ADD HKLM\Software\Raccine /v ScanMemory /t REG_DWORD /d 1 /F
From 2ffa105733da95975ad9ad2136bf1334628e71df Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 14 Nov 2020 10:49:59 +0100
Subject: [PATCH 7/8] fix: typo - missing upper tick
---
 source/RaccineLib/raccine.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/RaccineLib/raccine.cpp b/source/RaccineLib/raccine.cpp
index e05e7c0..fbcdcc2 100644
--- a/source/RaccineLib/raccine.cpp
+++ b/source/RaccineLib/raccine.cpp
@@ -211,7 +211,7 @@ std::wstring logFormat(const std::wstring& cmdLine, const std::wstring& comment)
 {
 const std::string timeString = getTimeStamp();
 const std::wstring timeStringW(timeString.cbegin(), timeString.cend());
- std::wstring logLine = timeStringW + L" DETECTED_CMD: '" + cmdLine + L" COMMENT: " + comment + L"\n";
+ std::wstring logLine = timeStringW + L" DETECTED_CMD: '" + cmdLine + L"' COMMENT: " + comment + L"\n";
 return logLine;
 }
 
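Review bot: The ID 2 registration string has a typo, `Actitivty` → `Activity`; `eventcreate.exe` writes that description into the Application log at install time, so it will appear verbatim in the first event an analyst searches for. The ID 1 description (`Used for Informational Messages`) also disagrees with the README in 4/8 (`Setup activity`); pick one wording. All three `eventcreate.exe` lines send stderr to `nul`, so a failed registration (not elevated, or the `Raccine` source already bound to another message file) is invisible and later `ReportEventW` calls would produce events without a resolvable description; dropping `2> nul` or checking `%ERRORLEVEL%` after each call would surface that. Unrelated to this change but visible in context: `icacls ... /grant Users:F` makes the detection log writable by every local user, so anyone can truncate or rewrite it — worth a follow-up.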
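Review bot: Closing the quote makes the record well-formed, but the single quotes around `cmdLine` are delimiters without escaping: a command line containing `'` (legal in a Windows argument) ends the field early, and anything after it — including a forged ` COMMENT: ...` — is indistinguishable from the real comment to whoever parses the log. If the log is meant to be machine-read, escape `'` in a copy of `cmdLine` before concatenation or emit the fields in a format with real escaping (JSON, or a tab-separated record with tabs replaced in the field); if the quotes are cosmetic, a comment saying so would stop a downstream parser from relying on them. The signature of `logFormat` sits just above the hunk.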
From 1180e22cee54b1904990076d9cda9eadf2458fb3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 14 Nov 2020 11:06:15 +0100 Subject: [PATCH 8/8] fix: robot tests detecting benign messages --- robot-tests/robot-tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/robot-tests/robot-tests.ps1 b/robot-tests/robot-tests.ps1 index a46a26b..4b670a6 100644 --- a/robot-tests/robot-tests.ps1 +++ b/robot-tests/robot-tests.ps1 @@ -133,7 +133,7 @@ Foreach ($Cmd in $GoodCmds) { # Eventlog $Result = Get-EventLog -LogName Application -Message *Raccine* -Newest 1 - If ( $Result.Message -Match $Cmd ) { + If ( $Result.Message -Match $Cmd -and $Result.Message -Match 'malicious') { Write-Host $Result.Message Write-Host "Error: Eventlog entry of detection found" exit 1
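Review bot: `$Cmd` is still used unescaped as the regular-expression pattern on the right of `-Match`, so a command under test that contains `\`, `(`, `+` or `*` either fails to match or throws a pattern error, and the test passes instead of catching a false positive; use `[regex]::Escape($Cmd)` or a `-like "*$Cmd*"` comparison. The new `-Match 'malicious'` ties the test to the wording of the event text, while `Get-EventLog` already exposes the numeric ID that the series documents (2 = malicious, 3 = benign): `If ($Result.EventID -eq 2 -and $Result.Message -Match [regex]::Escape($Cmd)) {` checks the contract rather than a string that may be reworded. `-Newest 1` only inspects the most recent Raccine event, so a malicious event followed by a benign one from the same iteration would be missed — if the action under test can emit both, fetch several and filter on `EventID`. The `Foreach` body starts outside the hunk.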