GuardCode gives you the ability to monitor your application and catch rogue events.
The tool is meant for checking that a library\module has no malicious intent. To use one of the releases, follow these steps:
- Extract files from Release.rar.
- Put the driver (Microsoft's or openprocmon's) and the GuardCode executable in the same folder.
- Run cmd in administrator mode and change its directory to the GuardCode folder.
Example of doing the steps for the application with Microsoft's driver:
- Use the tool!!☺
For "fast usage", run the tool before you install the library\module, with this command:
GuardCode.exe -e <your_executable_name> -f Format.gcf
Then run your code and exercise all of its abilities.
This will create a rule file, in GuardCode Format, with all of the events that occurred, written as a whitelist: every rule allows an event, except the last one, which "drops" all other events.
Afterwards you can install the library\module and catch all of its events, and maybe even stop them.
If you trust the library\module a little, use the tool in 'w' mode like so:
GuardCode.exe -e <your_executable_name> -m w -fi rules.gcf
This will alert you about events that deviate from the rules.
If you do not trust the library\module, use the tool in 'a' mode like so:
GuardCode.exe -e <your_executable_name> -m a -fi rules.gcf
This will stop your application if an event deviates from the rules.
Example of running the application with Microsoft's driver:
If you only want to monitor your application:
GuardCode.exe -e example.exe
If you want the tool to write rules for your application:
GuardCode.exe -e <your_executable_name> -f Format.gcf
If you want to check your rules against your application:
GuardCode.exe -e <your_executable_name> -m w -fi Format.gcf
If you want to actively protect your computer from your application with your rules:
GuardCode.exe -e <your_executable_name> -m a -fi Format.gcf
Sidenotes:
- All of these examples write by default into a log file named "log.gcf".
- If you want to change the log file, just add the flag:
-fo <name_of_log_file>.gcf
- If you want to see the log file and the rules file in a user-friendly way, download GuardCodeFormat and Notepad++ and add it like so:
- Open Notepad++ and go to the "Language" tab.
- Go to "User Defined Language", then "Define your language".
- Click on Import and find the path of "GuardCodeFormat.xml".
- When imported successfully you should see it in one of the "User language:" tabs; then restart Notepad++.
- When needed, click on the "Language" tab, then on GuardCodeFormat, and you should see the colors.
For "advanced usage" you will need to understand how the rules work.
Pointers on how to write the rules:
- Rules can cover every event on a "file", a "registry key" (WIP) or socket\connections (WIP).
- Rules work like firewall rules: you can write rules to "drop" an event or to "accept" it, and if a rule above accepts an event and a rule below does not, the event will be accepted, and vice versa (the first matching rule wins). Like in this example:
- If you have this in the rule file:
[+]do process create
[-]do process create
- Then the event "process create" will be accepted even though you also have a rule to not accept it.
- Rules are written in a certain format, like so:
- To accept an event:
[+]do <event> for <path\registry key\socket\connections>
- To "drop" an event:
[-]do <event> for <path\registry key\socket\connections>
- For a process-related event:
[-\+] <process-event>
- To write comments in your rules (on their own line, not on a rule line):
# <your comments>
- Rules are written in regex format.
- If you do not know what that is, you can go here: Understanding Regex.
- If you want a visual representation of what you are doing, use Regex101.
If you want to allow every event for a path:
[+]do .* for c:\\windows\\system32\\.*
If you want to allow an event for all paths:
[+]do createfile for .*
If you want to allow only specific events for a path:
[+]do (createfile|readfile) for c:\\test\.txt
If you want to allow a process-related event:
[+]do thread exit
If you want to disallow all events:
[-].*
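To make the rule semantics concrete, here is an added Python model of the rule format described above (example code, not part of GuardCode itself): it parses `[+]`/`[-]` regex rules with `#` comments, applies them firewall-style so the first matching rule wins, and builds the whitelist-plus-catch-all file that a `-f` learning run produces. It assumes an event is matched as the text `do <event> for <target>` (or `do <event>` for process-related events), that matching is case-insensitive like Windows paths, and that an event no rule matches is accepted.

```python
import re
from typing import List, Optional, Tuple

# Constructed rules in GuardCode format (sample input, not the project's own file):
# a whitelist of a few events followed by the catch-all "drop everything" rule.
RULES_GCF = r"""
# allow anything under system32
[+]do .* for c:\\windows\\system32\\.*
# allow creating/reading the test file only
[+]do (createfile|readfile) for c:\\test\.txt
# process-related event: no "for" part
[+]do thread exit
# drop everything not accepted above
[-].*
"""

Rule = Tuple[bool, "re.Pattern"]

def parse_rules(text: str) -> List[Rule]:
    """'[+]' accepts, '[-]' drops, '#' lines are comments; the rest of a line is a regex."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[:3] not in ("[+]", "[-]"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((line[:3] == "[+]", re.compile(line[3:], re.IGNORECASE)))
    return rules

def event_text(event: str, target: Optional[str] = None) -> str:
    """Render an event as the rules spell it (assumed: 'do <event> for <target>', or 'do <event>')."""
    return f"do {event} for {target}" if target is not None else f"do {event}"

def evaluate(rules: List[Rule], event: str, target: Optional[str] = None) -> bool:
    """Firewall-style: the first rule whose regex matches the whole event text decides.
    Assumption: an event no rule matches is accepted, which is why '[-].*' goes last."""
    text = event_text(event, target)
    for accept, pattern in rules:
        if pattern.fullmatch(text):
            return accept
    return True

def whitelist_from_events(seen: List[Tuple[str, Optional[str]]]) -> str:
    """Mimic the '-f' learning run: accept exactly the observed events, then drop the rest.
    Targets are regex-escaped so backslashes and dots in paths match literally."""
    lines = [f"[+]do {e} for {re.escape(t)}" if t is not None else f"[+]do {e}" for e, t in seen]
    return "\n".join(lines + ["[-].*"]) + "\n"
```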
- Get registry key events.
- Get socket\connections events.
- Make GuardCode much faster at checking whether an event is allowed or not.
- GUI for writing the rules in GuardCode format.
- Make GuardCode run in the driver, meaning that checking whether an event is allowed or not will happen at kernel level and be much faster.
If you see any problems with the tool or you have any suggestions, you can open an issue in this GitHub repository or write me an email at [email protected]
The project that made me start this project: hagana.
The project that made my life much easier: openprocmon.
Link to an article I have written about open source and supply chain: DigitalWhisper (it is in Hebrew, sorry non-speakers).