Beispiel #1
0
        private static void SaveJson(IPrefetch pf, bool pretty, string outDir)
        {
            try
            {
                if (Directory.Exists(outDir) == false)
                {
                    Directory.CreateDirectory(outDir);
                }

                var outName =
                    $"{DateTimeOffset.UtcNow:yyyyMMddHHmmss}_{Path.GetFileName(pf.SourceFilename)}.json";
                var outFile = Path.Combine(outDir, outName);


                if (pretty)
                {
                    File.WriteAllText(outFile, pf.Dump());
                }
                else
                {
                    File.WriteAllText(outFile, pf.ToJson());
                }
            }
            catch (Exception ex)
            {
                _logger.Error($"Error exporting json. Error: {ex.Message}");
            }
        }
Beispiel #2
0
        public static IPrefetch Open(Stream stream, string file)
        {
            IPrefetch pf = null;

            var rawBytes = new byte[stream.Length];

            stream.Read(rawBytes, (int)0, (int)(rawBytes.Length));

            var tempSig = Encoding.ASCII.GetString(rawBytes, 0, 3);

            if (tempSig.Equals("MAM"))
            {
                //windows 10, so we need to decompress

                //Size of decompressed data is at offset 4
                var size = BitConverter.ToUInt32(rawBytes, 4);

                //get our compressed bytes (skipping signature and uncompressed size)
                var compressedBytes = rawBytes.Skip(8).ToArray();
                var decom           = Xpress2.Decompress(compressedBytes, size);

                //update rawBytes with decompressed bytes so the rest works
                rawBytes = decom;
            }

            //at this point we have prefetch bytes we can process

            var fileVer = (Version)BitConverter.ToInt32(rawBytes, 0);

            var sig = BitConverter.ToInt32(rawBytes, 4);

            if (sig != Signature)
            {
                throw new Exception("Invalid signature! Should be 'SCCA'");
            }

            switch (fileVer)
            {
            case Version.WinXpOrWin2K3:
                pf = new Version17(rawBytes, file);
                break;

            case Version.VistaOrWin7:
                pf = new Version23(rawBytes, file);
                break;

            case Version.Win8xOrWin2012x:
                pf = new Version26(rawBytes, file);
                break;

            case Version.Win10:
                pf = new Version30(rawBytes, file);
                break;

            default:
                throw new Exception($"Unknown version '{fileVer:X}'");
            }

            return(pf);
        }
Beispiel #3
0
 public static void DumpToJson(IPrefetch pf, bool pretty, string outFile)
 {
     if (pretty)
     {
         File.WriteAllText(outFile, pf.Dump());
     }
     else
     {
         File.WriteAllText(outFile, pf.ToJson());
     }
 }
Beispiel #4
0
        private static object GetPartialDetails(IPrefetch pf)
        {
            var sb = new StringBuilder();

            if (string.IsNullOrEmpty(pf.SourceFilename) == false)
            {
                sb.AppendLine($"Source file name: {pf.SourceFilename}");
            }

            if (pf.SourceCreatedOn.Year != 1601)
            {
                sb.AppendLine(
                    $"Accessed on: {pf.SourceCreatedOn.ToUniversalTime().ToString(_fluentCommandLineParser.Object.DateTimeFormat)}");
            }

            if (pf.SourceModifiedOn.Year != 1601)
            {
                sb.AppendLine(
                    $"Modified on: {pf.SourceModifiedOn.ToUniversalTime().ToString(_fluentCommandLineParser.Object.DateTimeFormat)}");
            }

            if (pf.SourceAccessedOn.Year != 1601)
            {
                sb.AppendLine(
                    $"Last accessed on: {pf.SourceAccessedOn.ToUniversalTime().ToString(_fluentCommandLineParser.Object.DateTimeFormat)}");
            }

            if (pf.Header != null)
            {
                if (string.IsNullOrEmpty(pf.Header.Signature) == false)
                {
                    sb.AppendLine($"Source file name: {pf.SourceFilename}");
                }
            }


            return(sb.ToString());
        }
Beispiel #5
0
 public static void SavePrefetch(string file, IPrefetch pf)
 {
     File.WriteAllBytes(file, pf.RawBytes);
 }
Beispiel #6
0
        private static CsvOut GetCsvFormat(IPrefetch pf)
        {
            var created = _fluentCommandLineParser.Object.LocalTime
                ? pf.SourceCreatedOn.ToLocalTime()
                : pf.SourceCreatedOn;
            var modified = _fluentCommandLineParser.Object.LocalTime
                ? pf.SourceModifiedOn.ToLocalTime()
                : pf.SourceModifiedOn;
            var accessed = _fluentCommandLineParser.Object.LocalTime
                ? pf.SourceAccessedOn.ToLocalTime()
                : pf.SourceAccessedOn;

            var volDate   = string.Empty;
            var volName   = string.Empty;
            var volSerial = string.Empty;

            if (pf.VolumeInformation.Count > 0)
            {
                var vol0Create = _fluentCommandLineParser.Object.LocalTime
                    ? pf.VolumeInformation[0].CreationTime.ToLocalTime()
                    : pf.VolumeInformation[0].CreationTime;

                volDate = vol0Create.ToString(_fluentCommandLineParser.Object.DateTimeFormat);

                if (vol0Create.Year == 1601)
                {
                    volDate = string.Empty;
                }

                volName   = pf.VolumeInformation[0].DeviceName;
                volSerial = pf.VolumeInformation[0].SerialNumber;
            }

            var lrTime = string.Empty;

            if (pf.LastRunTimes.Count > 0)
            {
                var lr = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[0].ToLocalTime()
                    : pf.LastRunTimes[0];

                lrTime = lr.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }


            var csOut = new CsvOut
            {
                SourceFilename = pf.SourceFilename,
                SourceCreated  = created.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
                SourceModified = modified.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
                SourceAccessed = accessed.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
                Hash           = pf.Header.Hash,
                ExecutableName = pf.Header.ExecutableFilename,
                Size           = pf.Header.FileSize.ToString(),
                Version        = GetDescriptionFromEnumValue(pf.Header.Version),
                RunCount       = pf.RunCount.ToString(),
                Volume0Created = volDate,
                Volume0Name    = volName,
                Volume0Serial  = volSerial,
                LastRun        = lrTime,
                ParsingError   = pf.ParsingError
            };

            if (pf.LastRunTimes.Count > 1)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[1].ToLocalTime()
                    : pf.LastRunTimes[1];
                csOut.PreviousRun0 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 2)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[2].ToLocalTime()
                    : pf.LastRunTimes[2];
                csOut.PreviousRun1 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 3)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[3].ToLocalTime()
                    : pf.LastRunTimes[3];
                csOut.PreviousRun2 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 4)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[4].ToLocalTime()
                    : pf.LastRunTimes[4];
                csOut.PreviousRun3 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 5)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[5].ToLocalTime()
                    : pf.LastRunTimes[5];
                csOut.PreviousRun4 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 6)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[6].ToLocalTime()
                    : pf.LastRunTimes[6];
                csOut.PreviousRun5 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 7)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[7].ToLocalTime()
                    : pf.LastRunTimes[7];
                csOut.PreviousRun6 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.VolumeInformation.Count > 1)
            {
                var vol1 = _fluentCommandLineParser.Object.LocalTime
                    ? pf.VolumeInformation[1].CreationTime.ToLocalTime()
                    : pf.VolumeInformation[1].CreationTime;
                csOut.Volume1Created = vol1.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
                csOut.Volume1Name    = pf.VolumeInformation[1].DeviceName;
                csOut.Volume1Serial  = pf.VolumeInformation[1].SerialNumber;
            }

            if (pf.VolumeInformation.Count > 2)
            {
                csOut.Note = "File contains > 2 volumes! Please inspect output from main program for full details!";
            }

            var sbDirs = new StringBuilder();

            foreach (var volumeInfo in pf.VolumeInformation)
            {
                sbDirs.Append(string.Join(", ", volumeInfo.DirectoryNames));
            }

            if (pf.ParsingError)
            {
                return(csOut);
            }

            csOut.Directories = sbDirs.ToString();

            csOut.FilesLoaded = string.Join(", ", pf.Filenames);

            return(csOut);
        }
Beispiel #7
0
        private static void Main(string[] args)
        {
            ExceptionlessClient.Default.Startup("x3MPpeQSBUUsXl3DjekRQ9kYjyN3cr5JuwdoOBpZ");

            SetupNLog();

            _keywords = new HashSet <string> {
                "temp", "tmp"
            };

            _logger = LogManager.GetCurrentClassLogger();

            if (!CheckForDotnet46())
            {
                _logger.Warn(".net 4.6 not detected. Please install .net 4.6 and try again.");
                return;
            }

            _fluentCommandLineParser = new FluentCommandLineParser <ApplicationArguments>
            {
                IsCaseSensitive = false
            };

            _fluentCommandLineParser.Setup(arg => arg.File)
            .As('f')
            .WithDescription("File to process. Either this or -d is required");

            _fluentCommandLineParser.Setup(arg => arg.Directory)
            .As('d')
            .WithDescription("Directory to recursively process. Either this or -f is required");

            _fluentCommandLineParser.Setup(arg => arg.Keywords)
            .As('k')
            .WithDescription(
                "Comma separated list of keywords to highlight in output. By default, 'temp' and 'tmp' are highlighted. Any additional keywords will be added to these.");

            _fluentCommandLineParser.Setup(arg => arg.OutFile)
            .As('o')
            .WithDescription(
                "When specified, save prefetch file bytes to the given path. Useful to look at decompressed Win10 files");

            _fluentCommandLineParser.Setup(arg => arg.Quiet)
            .As('q')
            .WithDescription(
                "Do not dump full details about each file processed. Speeds up processing when using --json or --csv\r\n")
            .SetDefault(false);

            _fluentCommandLineParser.Setup(arg => arg.JsonDirectory)
            .As("json")
            .WithDescription(
                "Directory to save json representation to. Use --pretty for a more human readable layout");

            _fluentCommandLineParser.Setup(arg => arg.CsvDirectory)
            .As("csv")
            .WithDescription(
                "Directory to save CSV results to. Be sure to include the full path in double quotes");

            _fluentCommandLineParser.Setup(arg => arg.xHtmlDirectory)
            .As("html")
            .WithDescription(
                "Directory to save xhtml formatted results to. Be sure to include the full path in double quotes");

            _fluentCommandLineParser.Setup(arg => arg.JsonPretty)
            .As("pretty")
            .WithDescription(
                "When exporting to json, use a more human readable layout\r\n").SetDefault(false);

            _fluentCommandLineParser.Setup(arg => arg.CsvSeparator)
            .As("cs")
            .WithDescription(
                "When true, use comma instead of tab for field separator. Default is true").SetDefault(true);

            _fluentCommandLineParser.Setup(arg => arg.DateTimeFormat)
            .As("dt")
            .WithDescription(
                "The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss")
            .SetDefault("yyyy-MM-dd HH:mm:ss");

            _fluentCommandLineParser.Setup(arg => arg.PreciseTimestamps)
            .As("mp")
            .WithDescription(
                "When true, display higher precision for timestamps. Default is false").SetDefault(false);


            var header =
                $"PECmd version {Assembly.GetExecutingAssembly().GetName().Version}" +
                "\r\n\r\nAuthor: Eric Zimmerman ([email protected])" +
                "\r\nhttps://github.com/EricZimmerman/PECmd";

            var footer = @"Examples: PECmd.exe -f ""C:\Temp\CALC.EXE-3FBEF7FD.pf""" + "\r\n\t " +
                         @" PECmd.exe -f ""C:\Temp\CALC.EXE-3FBEF7FD.pf"" --json ""D:\jsonOutput"" --jsonpretty" +
                         "\r\n\t " +
                         @" PECmd.exe -d ""C:\Temp"" -k ""system32, fonts""" + "\r\n\t " +
                         @" PECmd.exe -d ""C:\Temp"" --csv ""c:\temp"" --json c:\temp\json" +
                         "\r\n\t " +
                         @" PECmd.exe -d ""C:\Windows\Prefetch""" + "\r\n\t " +
                         "\r\n\t" +
                         "  Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes\r\n";

            _fluentCommandLineParser.SetupHelp("?", "help")
            .WithHeader(header)
            .Callback(text => _logger.Info(text + "\r\n" + footer));

            var result = _fluentCommandLineParser.Parse(args);

            if (result.HelpCalled)
            {
                return;
            }

            if (result.HasErrors)
            {
                _logger.Error("");
                _logger.Error(result.ErrorText);

                _fluentCommandLineParser.HelpOption.ShowHelp(_fluentCommandLineParser.Options);

                return;
            }

            if (UsefulExtension.IsNullOrEmpty(_fluentCommandLineParser.Object.File) &&
                UsefulExtension.IsNullOrEmpty(_fluentCommandLineParser.Object.Directory))
            {
                _fluentCommandLineParser.HelpOption.ShowHelp(_fluentCommandLineParser.Options);

                _logger.Warn("Either -f or -d is required. Exiting");
                return;
            }

            if (UsefulExtension.IsNullOrEmpty(_fluentCommandLineParser.Object.File) == false &&
                !File.Exists(_fluentCommandLineParser.Object.File))
            {
                _logger.Warn($"File '{_fluentCommandLineParser.Object.File}' not found. Exiting");
                return;
            }

            if (UsefulExtension.IsNullOrEmpty(_fluentCommandLineParser.Object.Directory) == false &&
                !Directory.Exists(_fluentCommandLineParser.Object.Directory))
            {
                _logger.Warn($"Directory '{_fluentCommandLineParser.Object.Directory}' not found. Exiting");
                return;
            }

            if (_fluentCommandLineParser.Object.Keywords?.Length > 0)
            {
                var kws = _fluentCommandLineParser.Object.Keywords.ToLowerInvariant().Split(new[] { ',' },
                                                                                            StringSplitOptions.RemoveEmptyEntries);

                foreach (var kw in kws)
                {
                    _keywords.Add(kw.Trim());
                }
            }

            if (_fluentCommandLineParser.Object.CsvSeparator)
            {
                _exportExt = "csv";
            }

            _logger.Info(header);
            _logger.Info("");
            _logger.Info($"Command line: {string.Join(" ", Environment.GetCommandLineArgs().Skip(1))}");

            if (IsAdministrator() == false)
            {
                _logger.Fatal("\r\nWarning: Administrator privileges not found!");
            }

            _logger.Info("");
            _logger.Info($"Keywords: {string.Join(", ", _keywords)}");
            _logger.Info("");

            if (_fluentCommandLineParser.Object.PreciseTimestamps)
            {
                _fluentCommandLineParser.Object.DateTimeFormat = _preciseTimeFormat;
            }

            _processedFiles = new List <IPrefetch>();

            _failedFiles = new List <string>();

            if (_fluentCommandLineParser.Object.File?.Length > 0)
            {
                IPrefetch pf = null;

                try
                {
                    pf = LoadFile(_fluentCommandLineParser.Object.File);

                    if (pf != null)
                    {
                        if (_fluentCommandLineParser.Object.OutFile.IsNullOrEmpty() == false)
                        {
                            try
                            {
                                if (Directory.Exists(Path.GetDirectoryName(_fluentCommandLineParser.Object.OutFile)) ==
                                    false)
                                {
                                    Directory.CreateDirectory(
                                        Path.GetDirectoryName(_fluentCommandLineParser.Object.OutFile));
                                }

                                PrefetchFile.SavePrefetch(_fluentCommandLineParser.Object.OutFile, pf);
                                _logger.Info($"Saved prefetch bytes to '{_fluentCommandLineParser.Object.OutFile}'");
                            }
                            catch (Exception e)
                            {
                                _logger.Error($"Unable to save prefetch file. Error: {e.Message}");
                            }
                        }


                        _processedFiles.Add(pf);
                    }
                }
                catch (UnauthorizedAccessException ex)
                {
                    _logger.Error(
                        $"Unable to access '{_fluentCommandLineParser.Object.File}'. Are you running as an administrator? Error: {ex.Message}");
                }
                catch (Exception ex)
                {
                    _logger.Error(
                        $"Error getting prefetch files in '{_fluentCommandLineParser.Object.Directory}'. Error: {ex.Message}");
                }
            }
            else
            {
                _logger.Info($"Looking for prefetch files in '{_fluentCommandLineParser.Object.Directory}'");
                _logger.Info("");

                string[] pfFiles = null;

                try
                {
                    pfFiles = Directory.GetFiles(_fluentCommandLineParser.Object.Directory, "*.pf",
                                                 SearchOption.AllDirectories);
                }
                catch (UnauthorizedAccessException ua)
                {
                    _logger.Error(
                        $"Unable to access '{_fluentCommandLineParser.Object.Directory}'. Are you running as an administrator? Error: {ua.Message}");
                    return;
                }
                catch (Exception ex)
                {
                    _logger.Error(
                        $"Error getting prefetch files in '{_fluentCommandLineParser.Object.Directory}'. Error: {ex.Message}");
                    return;
                }

                _logger.Info($"Found {pfFiles.Length:N0} Prefetch files");
                _logger.Info("");

                var sw = new Stopwatch();
                sw.Start();

                foreach (var file in pfFiles)
                {
                    var pf = LoadFile(file);

                    if (pf != null)
                    {
                        _processedFiles.Add(pf);
                    }
                }

                sw.Stop();

                if (_fluentCommandLineParser.Object.Quiet)
                {
                    _logger.Info("");
                }

                _logger.Info(
                    $"Processed {pfFiles.Length - _failedFiles.Count:N0} out of {pfFiles.Length:N0} files in {sw.Elapsed.TotalSeconds:N4} seconds");

                if (_failedFiles.Count > 0)
                {
                    _logger.Info("");
                    _logger.Warn("Failed files");
                    foreach (var failedFile in _failedFiles)
                    {
                        _logger.Info($"  {failedFile}");
                    }
                }
            }

            if (_processedFiles.Count > 0)
            {
                _logger.Info("");

                try
                {
                    CsvWriter    csv          = null;
                    StreamWriter streamWriter = null;

                    CsvWriter    csvTl          = null;
                    StreamWriter streamWriterTl = null;


                    if (_fluentCommandLineParser.Object.CsvDirectory?.Length > 0)
                    {
                        var outName   = $"{DateTimeOffset.Now:yyyyMMddHHmmss}_PECmd_Output.{_exportExt}";
                        var outNameTl = $"{DateTimeOffset.Now:yyyyMMddHHmmss}_PECmd_Output_Timeline.{_exportExt}";
                        var outFile   = Path.Combine(_fluentCommandLineParser.Object.CsvDirectory, outName);
                        var outFileTl = Path.Combine(_fluentCommandLineParser.Object.CsvDirectory, outNameTl);


                        if (Directory.Exists(_fluentCommandLineParser.Object.CsvDirectory) == false)
                        {
                            _logger.Warn(
                                $"Path to '{_fluentCommandLineParser.Object.CsvDirectory}' does not exist. Creating...");
                            Directory.CreateDirectory(_fluentCommandLineParser.Object.CsvDirectory);
                        }

                        _logger.Warn($"CSV output will be saved to '{outFile}'");
                        _logger.Warn($"CSV time line output will be saved to '{outFileTl}'");

                        try
                        {
                            streamWriter = new StreamWriter(outFile);
                            csv          = new CsvWriter(streamWriter);
                            if (_fluentCommandLineParser.Object.CsvSeparator == false)
                            {
                                csv.Configuration.Delimiter = "\t";
                            }

                            csv.WriteHeader(typeof(CsvOut));
                            csv.NextRecord();

                            streamWriterTl = new StreamWriter(outFileTl);
                            csvTl          = new CsvWriter(streamWriterTl);
                            if (_fluentCommandLineParser.Object.CsvSeparator == false)
                            {
                                csvTl.Configuration.Delimiter = "\t";
                            }

                            csvTl.WriteHeader(typeof(CsvOutTl));
                            csvTl.NextRecord();
                        }
                        catch (Exception ex)
                        {
                            _logger.Error(
                                $"Unable to open '{outFile}' for writing. CSV export canceled. Error: {ex.Message}");
                        }
                    }

                    if (_fluentCommandLineParser.Object.JsonDirectory?.Length > 0)
                    {
                        if (Directory.Exists(_fluentCommandLineParser.Object.JsonDirectory) == false)
                        {
                            _logger.Warn(
                                $"'{_fluentCommandLineParser.Object.JsonDirectory} does not exist. Creating...'");
                            Directory.CreateDirectory(_fluentCommandLineParser.Object.JsonDirectory);
                        }

                        _logger.Warn($"Saving json output to '{_fluentCommandLineParser.Object.JsonDirectory}'");
                    }

                    XmlTextWriter xml = null;

                    if (_fluentCommandLineParser.Object.xHtmlDirectory?.Length > 0)
                    {
                        if (Directory.Exists(_fluentCommandLineParser.Object.xHtmlDirectory) == false)
                        {
                            _logger.Warn(
                                $"'{_fluentCommandLineParser.Object.xHtmlDirectory} does not exist. Creating...'");
                            Directory.CreateDirectory(_fluentCommandLineParser.Object.xHtmlDirectory);
                        }

                        var outDir = Path.Combine(_fluentCommandLineParser.Object.xHtmlDirectory,
                                                  $"{DateTimeOffset.UtcNow:yyyyMMddHHmmss}_PECmd_Output_for_{_fluentCommandLineParser.Object.xHtmlDirectory.Replace(@":\", "_").Replace(@"\", "_")}");

                        if (Directory.Exists(outDir) == false)
                        {
                            Directory.CreateDirectory(outDir);
                        }

                        var styleDir = Path.Combine(outDir, "styles");
                        if (Directory.Exists(styleDir) == false)
                        {
                            Directory.CreateDirectory(styleDir);
                        }

                        File.WriteAllText(Path.Combine(styleDir, "normalize.css"), Resources.normalize);
                        File.WriteAllText(Path.Combine(styleDir, "style.css"), Resources.style);

                        Resources.directories.Save(Path.Combine(styleDir, "directories.png"));
                        Resources.filesloaded.Save(Path.Combine(styleDir, "filesloaded.png"));

                        var outFile = Path.Combine(_fluentCommandLineParser.Object.xHtmlDirectory, outDir,
                                                   "index.xhtml");

                        _logger.Warn($"Saving HTML output to '{outFile}'");

                        xml = new XmlTextWriter(outFile, Encoding.UTF8)
                        {
                            Formatting  = Formatting.Indented,
                            Indentation = 4
                        };

                        xml.WriteStartDocument();

                        xml.WriteProcessingInstruction("xml-stylesheet", "href=\"styles/normalize.css\"");
                        xml.WriteProcessingInstruction("xml-stylesheet", "href=\"styles/style.css\"");

                        xml.WriteStartElement("document");
                    }

                    if (_fluentCommandLineParser.Object.CsvDirectory.IsNullOrEmpty() == false ||
                        _fluentCommandLineParser.Object.JsonDirectory.IsNullOrEmpty() == false ||
                        _fluentCommandLineParser.Object.xHtmlDirectory.IsNullOrEmpty() == false)
                    {
                        foreach (var processedFile in _processedFiles)
                        {
                            var o = GetCsvFormat(processedFile);

                            try
                            {
                                foreach (var dateTimeOffset in processedFile.LastRunTimes)
                                {
                                    var t = new CsvOutTl();

                                    var exePath =
                                        processedFile.Filenames.FirstOrDefault(
                                            y => y.EndsWith(processedFile.Header.ExecutableFilename));

                                    if (exePath == null)
                                    {
                                        exePath = processedFile.Header.ExecutableFilename;
                                    }

                                    t.ExecutableName = exePath;
                                    t.RunTime        = dateTimeOffset.ToString(_fluentCommandLineParser.Object.DateTimeFormat);

                                    csvTl?.WriteRecord(t);
                                    csvTl?.NextRecord();
                                }
                            }
                            catch (Exception ex)
                            {
                                _logger.Error(
                                    $"Error getting time line record for '{processedFile.SourceFilename}' to '{_fluentCommandLineParser.Object.CsvDirectory}'. Error: {ex.Message}");
                            }

                            try
                            {
                                csv?.WriteRecord(o);
                                csv?.NextRecord();
                            }
                            catch (Exception ex)
                            {
                                _logger.Error(
                                    $"Error writing CSV record for '{processedFile.SourceFilename}' to '{_fluentCommandLineParser.Object.CsvDirectory}'. Error: {ex.Message}");
                            }

                            if (_fluentCommandLineParser.Object.JsonDirectory?.Length > 0)
                            {
                                SaveJson(processedFile, _fluentCommandLineParser.Object.JsonPretty,
                                         _fluentCommandLineParser.Object.JsonDirectory);
                            }

                            //XHTML
                            xml?.WriteStartElement("Container");
                            xml?.WriteElementString("SourceFile", o.SourceFilename);
                            xml?.WriteElementString("SourceCreated", o.SourceCreated);
                            xml?.WriteElementString("SourceModified", o.SourceModified);
                            xml?.WriteElementString("SourceAccessed", o.SourceAccessed);

                            xml?.WriteElementString("LastRun", o.LastRun);

                            xml?.WriteElementString("PreviousRun0", $"{o.PreviousRun0}");
                            xml?.WriteElementString("PreviousRun1", $"{o.PreviousRun1}");
                            xml?.WriteElementString("PreviousRun2", $"{o.PreviousRun2}");
                            xml?.WriteElementString("PreviousRun3", $"{o.PreviousRun3}");
                            xml?.WriteElementString("PreviousRun4", $"{o.PreviousRun4}");
                            xml?.WriteElementString("PreviousRun5", $"{o.PreviousRun5}");
                            xml?.WriteElementString("PreviousRun6", $"{o.PreviousRun6}");

                            xml?.WriteStartElement("ExecutableName");
                            xml?.WriteAttributeString("title",
                                                      "Note: The name of the executable tracked by the pf file");
                            xml?.WriteString(o.ExecutableName);
                            xml?.WriteEndElement();

                            xml?.WriteElementString("RunCount", $"{o.RunCount}");

                            xml?.WriteStartElement("Size");
                            xml?.WriteAttributeString("title", "Note: The size of the executable in bytes");
                            xml?.WriteString(o.Size);
                            xml?.WriteEndElement();

                            xml?.WriteStartElement("Hash");
                            xml?.WriteAttributeString("title",
                                                      "Note: The calculated hash for the pf file that should match the hash in the source file name");
                            xml?.WriteString(o.Hash);
                            xml?.WriteEndElement();

                            xml?.WriteStartElement("Version");
                            xml?.WriteAttributeString("title",
                                                      "Note: The operating system that generated the prefetch file");
                            xml?.WriteString(o.Version);
                            xml?.WriteEndElement();

                            xml?.WriteElementString("Note", o.Note);

                            xml?.WriteElementString("Volume0Name", o.Volume0Name);
                            xml?.WriteElementString("Volume0Serial", o.Volume0Serial);
                            xml?.WriteElementString("Volume0Created", o.Volume0Created);

                            xml?.WriteElementString("Volume1Name", o.Volume1Name);
                            xml?.WriteElementString("Volume1Serial", o.Volume1Serial);
                            xml?.WriteElementString("Volume1Created", o.Volume1Created);


                            xml?.WriteStartElement("Directories");
                            xml?.WriteAttributeString("title",
                                                      "A comma separated list of all directories accessed by the executable");
                            xml?.WriteString(o.Directories);
                            xml?.WriteEndElement();

                            xml?.WriteStartElement("FilesLoaded");
                            xml?.WriteAttributeString("title",
                                                      "A comma separated list of all files that were loaded by the executable");
                            xml?.WriteString(o.FilesLoaded);
                            xml?.WriteEndElement();

                            xml?.WriteEndElement();
                        }


                        //Close CSV stuff
                        streamWriter?.Flush();
                        streamWriter?.Close();

                        streamWriterTl?.Flush();
                        streamWriterTl?.Close();

                        //Close XML
                        xml?.WriteEndElement();
                        xml?.WriteEndDocument();
                        xml?.Flush();
                    }
                }
                catch (Exception ex)
                {
                    _logger.Error($"Error exporting data! Error: {ex.Message}");
                }
            }
        }
Beispiel #8
0
 public static void SavePrefetch(string file, IPrefetch pf)
 {
     File.WriteAllBytes(file, pf.RawBytes);
 }
Beispiel #9
0
        private static void SaveJson(IPrefetch pf, bool pretty, string outDir)
        {
            try
            {
                if (Directory.Exists(outDir) == false)
                {
                    Directory.CreateDirectory(outDir);
                }

                var outName =
                    $"{DateTimeOffset.UtcNow.ToString("yyyyMMddHHmmss")}_{Path.GetFileName(pf.SourceFilename)}.json";
                var outFile = Path.Combine(outDir, outName);


                if (pretty)
                {
                    File.WriteAllText(outFile, pf.Dump());
                }
                else
                {
                    File.WriteAllText(outFile, pf.ToJson());
                }
            }
            catch (Exception ex)
            {
                _logger.Error($"Error exporting json. Error: {ex.Message}");
            }
        }
Beispiel #10
0
        private static CsvOut GetCsvFormat(IPrefetch pf)
        {
            var created = _fluentCommandLineParser.Object.LocalTime
                ? pf.SourceCreatedOn.ToLocalTime()
                : pf.SourceCreatedOn;
            var modified = _fluentCommandLineParser.Object.LocalTime
                ? pf.SourceModifiedOn.ToLocalTime()
                : pf.SourceModifiedOn;
            var accessed = _fluentCommandLineParser.Object.LocalTime
                ? pf.SourceAccessedOn.ToLocalTime()
                : pf.SourceAccessedOn;

            var vol0Create = _fluentCommandLineParser.Object.LocalTime
                ? pf.VolumeInformation[0].CreationTime.ToLocalTime()
                : pf.VolumeInformation[0].CreationTime;

            var lr = _fluentCommandLineParser.Object.LocalTime
                ? pf.LastRunTimes[0].ToLocalTime()
                : pf.LastRunTimes[0];

            var csOut = new CsvOut
            {
                SourceFilename = pf.SourceFilename,
                SourceCreated = created.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
                SourceModified = modified.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
                SourceAccessed = accessed.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
                Hash = pf.Header.Hash,
                ExecutableName = pf.Header.ExecutableFilename,
                Size = pf.Header.FileSize.ToString(),
                Version = GetDescriptionFromEnumValue(pf.Header.Version),
                RunCount = pf.RunCount.ToString(),
                Volume0Created = vol0Create.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
                Volume0Name = pf.VolumeInformation[0].DeviceName,
                Volume0Serial = pf.VolumeInformation[0].SerialNumber,
                LastRun = lr.ToString(_fluentCommandLineParser.Object.DateTimeFormat)
            };

            if (pf.LastRunTimes.Count > 1)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[1].ToLocalTime()
                    : pf.LastRunTimes[1];
                csOut.PreviousRun0 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 2)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[2].ToLocalTime()
                    : pf.LastRunTimes[2];
                csOut.PreviousRun1 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 3)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[3].ToLocalTime()
                    : pf.LastRunTimes[3];
                csOut.PreviousRun2 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 4)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[4].ToLocalTime()
                    : pf.LastRunTimes[4];
                csOut.PreviousRun3 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 5)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[5].ToLocalTime()
                    : pf.LastRunTimes[5];
                csOut.PreviousRun4 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 6)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[6].ToLocalTime()
                    : pf.LastRunTimes[6];
                csOut.PreviousRun5 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.LastRunTimes.Count > 7)
            {
                var lrt = _fluentCommandLineParser.Object.LocalTime
                    ? pf.LastRunTimes[7].ToLocalTime()
                    : pf.LastRunTimes[7];
                csOut.PreviousRun6 = lrt.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
            }

            if (pf.VolumeCount > 1)
            {
                var vol1 = _fluentCommandLineParser.Object.LocalTime
                    ? pf.VolumeInformation[1].CreationTime.ToLocalTime()
                    : pf.VolumeInformation[1].CreationTime;
                csOut.Volume1Created = vol1.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
                csOut.Volume1Name = pf.VolumeInformation[1].DeviceName;
                csOut.Volume1Serial = pf.VolumeInformation[1].SerialNumber;
            }

            if (pf.VolumeCount > 2)
            {
                csOut.Note = "File contains > 2 volumes! Please inspect output from main program for full details!";
            }

            var sbDirs = new StringBuilder();
            foreach (var volumeInfo in pf.VolumeInformation)
            {
                sbDirs.Append(string.Join(", ", volumeInfo.DirectoryNames));
            }

            csOut.Directories = sbDirs.ToString();

            csOut.FilesLoaded = string.Join(", ", pf.Filenames);

            return csOut;
        }
        void AnalyizePrefetch()
        {
            schedulerStorage.Appointments.Clear();
            string[] prefetchFiles =
                Directory.GetFiles(Environment.GetFolderPath(Environment.SpecialFolder.Windows) + "\\Prefetch\\",
                                   "*.pf");
            IPrefetch pf = null;

            DataTable prefetchDataTable = new DataTable();

            prefetchDataTable.Columns.AddRange(new DataColumn[]
            {
                new DataColumn("Source File Name"),
                new DataColumn("Source Created"),
                new DataColumn("Source Modified"),
                new DataColumn("Source Accessed"),
                new DataColumn("Executable Name"),
                new DataColumn("Hash"),
                new DataColumn("Size"),
                new DataColumn("Version"),
                new DataColumn("Run Count"),
                new DataColumn("Last Run Times"),
                new DataColumn("Files Loaded")
            });

            foreach (string file in prefetchFiles)
            {
                try
                {
                    pf = Prefetch.PrefetchFile.Open(file);
                }
                catch (Exception ee)
                {
                    continue;
                }
                Appointment n = new AppointmentInstance();
                n.Subject = pf.SourceFilename;
                n.Start   = DateTimeOffset.Parse(pf.SourceModifiedOn.ToString(), null).DateTime;
                n.End     = DateTimeOffset.Parse(pf.SourceModifiedOn.ToString(), null).DateTime;

                string description = "Source Filename: " + pf.SourceFilename + "\nSourced Created on:" +
                                     pf.SourceAccessedOn + "\nSource Accessed on: " + pf.SourceAccessedOn +
                                     "\nSource Modified on:" + pf.SourceModifiedOn + "\nExecutable name "
                                     + pf.Header.ExecutableFilename + "\nHash:" + pf.Header.Hash + "\nSize" +
                                     pf.Header.FileSize.ToString() + "\nVersion:" + pf.Header.Version +
                                     "\nRun Count: " + pf.RunCount.ToString();


                n.Description = description;
                schedulerStorage.Appointments.Items.Add(n);


                string   sourceFilename   = pf.SourceFilename;
                DateTime sourceCreatedOn  = DateTimeOffset.Parse(pf.SourceCreatedOn.ToString(), null).DateTime;
                DateTime sourceAccessedOn = DateTimeOffset.Parse(pf.SourceAccessedOn.ToString(), null).DateTime;
                DateTime sourceModifiedOn = DateTimeOffset.Parse(pf.SourceModifiedOn.ToString(), null).DateTime;

                string executableName = pf.Header.ExecutableFilename;
                string hash           = pf.Header.Hash.ToString();
                int    size           = pf.Header.FileSize;

                Prefetch.Version version = pf.Header.Version;

                int runCount = pf.RunCount;



                /*foreach (var runTimes in pf.LastRunTimes)
                 * {
                 *   string runTimeDate = runTimes.ToString();
                 *
                 * }*/
                List <DateTimeOffset> lastRunTimes = pf.LastRunTimes;
                List <DateTime>       lrTimes      = new List <DateTime>();
                foreach (var rt in lastRunTimes)
                {
                    lrTimes.Add(DateTimeOffset.Parse(rt.ToString(), null).DateTime);
                }
                string runTimes = string.Join(", ", lrTimes.ToArray());


                List <string> filesloaded = pf.Filenames;
                List <string> floaded     = new List <string>();

                foreach (var files in filesloaded)
                {
                    floaded.Add(files.ToString());
                }

                string loadedFiles = string.Join(",", floaded.ToArray());


                /*  foreach (var loadedFilename in pf.Filenames)
                 * {
                 *     Console.WriteLine(loadedFilename);
                 * }*/



                prefetchDataTable.Rows.Add(sourceFilename, sourceCreatedOn, sourceAccessedOn, sourceModifiedOn,
                                           executableName, hash, size, version, runCount, runTimes, loadedFiles);
            }
            gridControl1.DataSource = prefetchDataTable;
        }