Decryptonite

Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.

Features

  • Monitors entire hard disk for suspicious IO behaviour
  • Whitelists known-good and system processes
  • Calculates a process's complete threat level by combining the child's suspicion with its parent's
  • Watches each process's file system writes per second
  • Kills a suspicious process immediately once it passes the threshold
  • Low memory and CPU footprint

Installation

  • Install requirements
  • Clone the repository: git clone https://github.com/DecryptoniteTeam/Decryptonite
  • Open the project (decryptonite.sln) in Visual Studio
  • In Visual Studio, build the executable and the driver:
    • Navigate to Build -> Configuration Manager
    • Change the platform from "Win32" to "x64" for both projects
    • Browse to Build -> Build Solution
    • If you get errors, please open a ticket. Compiling and building drivers is definitely not a straightforward process.
  • Disable Windows Signed Driver Enforcement (otherwise the unsigned, locally built driver will refuse to load)
  • Setting up Decryptonite:
    • Install the driver:
      • Browse to containing folder
      • Right-click "decryptonite.inf" and click "Install"
    • Load the driver:
      • Open PowerShell.exe with Administrative Privileges
      • Execute fltMc.exe load decryptonite
    • Finally... We can run the executable!

Usage

The first step is to open an Administrative PowerShell and run Decryptonite: .\decryptonite.exe

That's all the setup required! Decryptonite will automatically detect and attach to the "C:\" drive. If you then run either ransomware or executables with valid digital signatures, the output will resemble the following:

[Image: Easter egg]

To configure the application's behaviour, hit Enter to bring up the > prompt and type help.

Commands

  • /a [drive] - attach Decryptonite to another drive, e.g. "D:"
  • /d [drive] - stop Decryptonite from monitoring the given drive
  • /l - list all drives that Decryptonite is attached to
  • /f [file name] - redirect all output to the given file
  • /p - passive mode: Decryptonite runs and monitors, but won't kill any processes
  • /v - make Decryptonite more verbose
  • /x - make Decryptonite much more verbose
  • exit - exit the application
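The Features list above describes the heuristic in outline (writes per second per process, a whitelist of known-good processes, child suspicion combined with the parent's, and a kill threshold) and /p turns the kill step off. The following is an added Python model of that scoring loop written for this page, not code from the Decryptonite project: the whitelist, the 0.5 parent weight, the threshold of 100 and the sample process table and write events are all constructed assumptions.

```python
from collections import defaultdict

# Assumed constants (not from the project): tune per environment.
WHITELIST = {"System", "explorer.exe", "svchost.exe"}  # known-good process names
PARENT_WEIGHT = 0.5      # share of a parent's threat level inherited by its children
KILL_THRESHOLD = 100.0   # combined threat level at which the process would be killed

# Constructed process table: pid -> (name, parent pid). pid 0 is the (absent) root.
SAMPLE_PROCS = {4: ("System", 0), 100: ("explorer.exe", 4),
                200: ("evil.exe", 100), 300: ("child.exe", 200)}

# Constructed write events (timestamp_seconds, pid): evil.exe writes 120 files in
# second 0, its child writes 60 in second 1, explorer.exe writes 10 files.
SAMPLE_EVENTS = ([(i / 200, 200) for i in range(120)]
                 + [(1 + i / 100, 300) for i in range(60)]
                 + [(0.5, 100)] * 10)

def peak_writes_per_second(events):
    """Return {pid: highest number of writes seen in any one-second window}."""
    per_window = defaultdict(int)
    for ts, pid in events:
        per_window[(pid, int(ts))] += 1
    peak = defaultdict(int)
    for (pid, _), count in per_window.items():
        peak[pid] = max(peak[pid], count)
    return dict(peak)

def threat_level(pid, procs, peaks, depth=0):
    """Own suspicion (peak writes/sec, zero if whitelisted) plus a share of the parent's."""
    name, ppid = procs[pid]
    own = 0 if name in WHITELIST else peaks.get(pid, 0)
    if ppid in procs and depth < 32:  # depth guard against a corrupted, cyclic table
        own += PARENT_WEIGHT * threat_level(ppid, procs, peaks, depth + 1)
    return own

def decide(procs, events, passive=False):
    """Map every pid to (threat level, action); passive mirrors the /p flag: monitor only."""
    peaks = peak_writes_per_second(events)
    verdicts = {}
    for pid in procs:
        level = threat_level(pid, procs, peaks)
        action = "kill" if level >= KILL_THRESHOLD and not passive else "monitor"
        verdicts[pid] = (round(level, 1), action)
    return verdicts

if __name__ == "__main__":
    for pid, (level, action) in decide(SAMPLE_PROCS, SAMPLE_EVENTS).items():
        print(f"pid {pid:>3} {SAMPLE_PROCS[pid][0]:<13} threat={level:>6} -> {action}")
```

Note how child.exe's own 60 writes/sec sits below the threshold but its inherited share of evil.exe's score pushes it over, while the whitelisted explorer.exe scores zero despite its writes.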

Contribute

Spotted a bug? Want to add features? Increase the performance?

Open an issue or submit a pull request!

Authors

The Decryptonite team includes:

Credits

A big thanks to Troy D. Hanson for his development of the open source libraries UTHash and UTArray.

Additionally, a big thanks goes to Microsoft for their development of the open source file system minifilter driver project MiniSpy.

License

This project is released under The Microsoft Public License.
