1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
<?php
/**
* @copyright Copyright (c) 2017 Matthias Held <matthias.held@uni-konstanz.de>
* @author Matthias Held <matthias.held@uni-konstanz.de>
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
namespace OCA\RansomwareDetection\Analyzer;
use OCA\RansomwareDetection\AppInfo\Application;
use OCA\RansomwareDetection\FileSignatureList;
use OCP\Files\IRootFolder;
use OCP\Files\NotFoundException;
use OCP\Files\File;
use OCP\ILogger;
class FileCorruptionAnalyzer
{
/** @var ILogger */
private $logger;
/** @var IRootFolder */
private $rootFolder;
/** @var string */
private $userId;
/**
* @param ILogger $logger
* @param IRootFolder $rootFolder
* @param string $userId
*/
public function __construct(
ILogger $logger,
IRootFolder $rootFolder,
$userId
) {
$this->logger = $logger;
$this->rootFolder = $rootFolder;
$this->userId = $userId;
}
/**
* Analysis a file if it's corrupted or not.
*
* @param File $node
* @return FileCorruptionResult
*/
public function analyze($node)
{
return $this->isCorrupted($node);
}
/**
* Checks the file for existing file header informations and compares them,
* if found, to the file extension.
*
* @param File $node
* @return FileCorruptionResult
*/
protected function isCorrupted(File $node)
{
$signatures = FileSignatureList::getSignatures();
try {
$data = $node->getContent();
foreach ($signatures as $signature) {
if (strtolower($signature['byteSequence']) === strtolower(bin2hex(substr($data, $signature['offset'], strlen($signature['byteSequence']) / 2)))) {
$pathInfo = pathinfo($node->getPath());
if (in_array(strtolower($pathInfo['extension']), $signature['extension'])) {
return new FileCorruptionResult(false, $signature['file_class']);
}
return new FileCorruptionResult(true);
}
}
return new FileCorruptionResult(true);
} catch (\OCP\Files\NotPermittedException $exception) {
$this->logger->debug('isCorrupted: Not permitted.', array('app' => Application::APP_ID));
return new FileCorruptionResult(false);
} catch (\OCP\Lock\LockedException $exception) {
$this->logger->debug('isCorrupted: File is locked.', array('app' => Application::APP_ID));
return new FileCorruptionResult(false);
}
}
}
|