import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu

# NOTE(review): `print_info` is not defined in this file; it is presumably
# supplied by the wildcard import above — confirm in Modules/Imports/ttp_imports.


def dll_hijacking_submenu():
    """Build and display the DLL Hijacking detection submenu.

    Each menu key maps to a short label and the zero-argument handler that
    prints the matching guidance. Rendering and input handling are delegated
    to ``build_submenu``; this function returns nothing.
    """
    entries = (
        ("1", "File System Analysis", file_system_analysis),
        ("2", "Memory Analysis", memory_analysis),
        ("3", "Command Line Analysis", command_line_analysis),
        ("4", "SANS DFIR Insights", sans_dfir_insights),
    )
    # Insertion order of the comprehension matches the tuple order, so the
    # menu keys are presented 1..4.
    menu = {
        key: {"description": label, "function": handler}
        for key, label, handler in entries
    }
    build_submenu("DLL Hijacking Detection", menu)


# Individual submenu handlers


def file_system_analysis():
    """Print file-system indicators that can reveal a DLL hijack.

    The "Example Indicators" block holds sample values as they appear in the
    source notes; they illustrate the shape of a finding (timestamp, path,
    size) and should be verified before being reused as detection rules.
    Output goes through ``print_info``; nothing is returned.
    """
    heading = "DLL Hijacking File System Analysis"
    body = """
    - Look for new or unsigned `.exe` and `.dll` files in unusual locations.
    - Example Indicators:
        - Timestamp: 2021-02-18 03:42:31
        - Impact: -
        - Method: mach Meta
        - File Name: `c:/ProgramData/mcoemcpy.exe` (size: 77824)
        - File: `c:/ProgramData/McUtil.dll` (size: 131072)
    """
    print_info(heading, body)


def memory_analysis():
    """Print memory-forensics checks for DLL hijacking.

    Focuses on processes and loaded modules whose on-disk location is not
    where the legitimate component is expected. Output goes through
    ``print_info``; nothing is returned.
    """
    heading = "DLL Hijacking Memory Analysis"
    body = """
    - Identify system processes or DLLs loaded from unusual locations.
    - Pay attention to:
        - Processes running unexpected code.
        - DLLs loaded from locations outside expected directories.
    - Newly created DLLs and executables can indicate malicious activity.
    """
    print_info(heading, body)


def command_line_analysis():
    """Print command-line review guidance for DLL hijacking.

    The example command is a sample value from the source notes (note the
    escaped backslashes in the literal) and is shown for illustration only.
    Output goes through ``print_info``; nothing is returned.
    """
    heading = "DLL Hijacking Command-Line Analysis"
    body = """
    - Review suspicious command-line execution patterns.
    - Example:
        - Command: `C:\\ProgramData\\ncoenchy.exe 0x4`
        - Method: mach Meta
    - Check for signs of injection or other manipulation.
    """
    print_info(heading, body)


def sans_dfir_insights():
    """Print investigative takeaways attributed to SANS DFIR training.

    Summarises why file-timeline and memory analysis are effective against
    DLL hijacks and which secondary behaviours can expose them. Output goes
    through ``print_info``; nothing is returned.
    """
    heading = "DLL Hijacking Insights from SANS DFIR"
    body = """
    - Nearly all DLL hijacks require placing a new DLL or executable onto the file system.
    - Investigative Techniques:
        - **File Timeline Analysis**:
            - Focus on newly created files during times of interest.
        - **Memory Forensics**:
            - Analyze running processes for unexpected DLL locations.
    - Obscure DLLs are more likely to be targeted since common DLLs are usually preloaded into memory.
    - Other anomalous actions like network beaconing or named pipe creation can lead to detection.
    """
    print_info(heading, body)