public static void InsertRun(string runId, Dictionary <RESULT_TYPE, bool> dictionary) { if (dictionary == null) { return; } string INSERT_RUN = "insert into runs (run_id, file_system, ports, users, services, registry, certificates, firewall, comobjects, eventlogs, type, timestamp, version, platform) values (@run_id, @file_system, @ports, @users, @services, @registry, @certificates, @firewall, @comobjects, @eventlogs, @type, @timestamp, @version, @platform)"; using var cmd = new SQLiteCommand(INSERT_RUN, Connection, Transaction); cmd.Parameters.AddWithValue("@run_id", runId); cmd.Parameters.AddWithValue("@file_system", (dictionary.ContainsKey(RESULT_TYPE.FILE) && dictionary[RESULT_TYPE.FILE]) || (dictionary.ContainsKey(RESULT_TYPE.FILEMONITOR) && dictionary[RESULT_TYPE.FILEMONITOR])); cmd.Parameters.AddWithValue("@ports", (dictionary.ContainsKey(RESULT_TYPE.PORT) && dictionary[RESULT_TYPE.PORT])); cmd.Parameters.AddWithValue("@users", (dictionary.ContainsKey(RESULT_TYPE.USER) && dictionary[RESULT_TYPE.USER])); cmd.Parameters.AddWithValue("@services", (dictionary.ContainsKey(RESULT_TYPE.SERVICE) && dictionary[RESULT_TYPE.SERVICE])); cmd.Parameters.AddWithValue("@registry", (dictionary.ContainsKey(RESULT_TYPE.REGISTRY) && dictionary[RESULT_TYPE.REGISTRY])); cmd.Parameters.AddWithValue("@certificates", (dictionary.ContainsKey(RESULT_TYPE.CERTIFICATE) && dictionary[RESULT_TYPE.CERTIFICATE])); cmd.Parameters.AddWithValue("@firewall", (dictionary.ContainsKey(RESULT_TYPE.FIREWALL) && dictionary[RESULT_TYPE.FIREWALL])); cmd.Parameters.AddWithValue("@comobjects", (dictionary.ContainsKey(RESULT_TYPE.COM) && dictionary[RESULT_TYPE.COM])); cmd.Parameters.AddWithValue("@eventlogs", (dictionary.ContainsKey(RESULT_TYPE.LOG) && dictionary[RESULT_TYPE.LOG])); cmd.Parameters.AddWithValue("@type", (dictionary.ContainsKey(RESULT_TYPE.FILEMONITOR) && dictionary[RESULT_TYPE.FILEMONITOR]) ? "monitor" : "collect"); cmd.Parameters.AddWithValue("@timestamp", DateTime.Now.ToString("o", CultureInfo.InvariantCulture)); cmd.Parameters.AddWithValue("@version", AsaHelpers.GetVersionString()); cmd.Parameters.AddWithValue("@platform", AsaHelpers.GetPlatformString()); try { cmd.ExecuteNonQuery(); Commit(); } catch (SQLiteException e) { Log.Warning(e.StackTrace); Log.Warning(e.Message); AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } }
public static string GetOsName() { if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { return(AsaHelpers.GetPlatformString()); } else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux) || RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) { return(ExternalCommandRunner.RunExternalCommand("uname", "-s")); } return(""); }
public static IEnumerable <RegistryObject> WalkHive(RegistryHive Hive, string startingKey = null) { Stack <RegistryKey> keys = new Stack <RegistryKey>(); RegistryKey x86_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry32); if (startingKey != null) { x86_View = x86_View.OpenSubKey(startingKey); } keys.Push(x86_View); RegistryKey x64_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry64); if (startingKey != null) { x64_View = x64_View.OpenSubKey(startingKey); } keys.Push(x64_View); while (keys.Count > 0) { RegistryKey currentKey = keys.Pop(); if (currentKey == null) { continue; } if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Key", currentKey.Name)) { continue; } // First push all the new subkeys onto our stack. foreach (string key in currentKey.GetSubKeyNames()) { try { var next = currentKey.OpenSubKey(name: key, writable: false); keys.Push(next); } // These are expected as we are running as administrator, not System. catch (System.Security.SecurityException e) { Log.Verbose(e, "Permission Denied: {0}", currentKey.Name); } // There seem to be some keys which are listed as existing by the APIs but don't actually exist. // Unclear if these are just super transient keys or what the other cause might be. // Since this isn't user actionable, also just supress these to the verbose stream. catch (System.IO.IOException e) { Log.Verbose(e, "Error Reading: {0}", currentKey.Name); } catch (Exception e) { Log.Information(e, "Unexpected error when parsing {0}:", currentKey.Name); AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } } var regObj = RegistryKeyToRegistryObject(currentKey); if (regObj != null) { yield return(regObj); } } x86_View.Dispose(); x64_View.Dispose(); }
public static IEnumerable <string> WalkDirectory(string root) { // Data structure to hold names of subfolders to be // examined for files. Stack <string> dirs = new Stack <string>(); // Master list of all directories seen, to prevent loops from Hard Links. HashSet <string> dirsSet = new HashSet <string>(); if (System.IO.Directory.Exists(root)) { dirs.Push(root); dirsSet.Add(root); } while (dirs.Count > 0) { string currentDir = dirs.Pop(); if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "File", "Path", currentDir)) { continue; } else { yield return(currentDir); try { var fileInfo = new DirectoryInfo(currentDir); // Skip symlinks to avoid loops if (fileInfo.Attributes.HasFlag(FileAttributes.ReparsePoint)) { Log.Verbose($"Skipping symlink at {currentDir}"); continue; } } catch (Exception e) when( e is UnauthorizedAccessException) { } catch (Exception e) { Log.Debug("Should be catching {0} in DirectoryWalker.", e.GetType().ToString()); } } string[] subDirs; try { subDirs = Directory.GetDirectories(currentDir); } catch (Exception e) when( e is ArgumentException || e is ArgumentNullException || e is PathTooLongException || e is IOException || e is DirectoryNotFoundException || e is UnauthorizedAccessException) { Log.Verbose("Failed to get Directories for {0} {1}", currentDir, e.GetType().ToString()); continue; } string[] files; try { files = Directory.GetFiles(currentDir); } catch (Exception e) when( e is UnauthorizedAccessException || e is IOException || e is ArgumentException || e is ArgumentNullException || e is PathTooLongException || e is DirectoryNotFoundException) { Log.Verbose("Failed to get files for {0} {1}", currentDir, e.GetType().ToString()); continue; } foreach (string file in files) { if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "File", "Path", file)) { continue; } yield return(file); //FileInfo fileInfo = null; } // Push the subdirectories onto the stack for traversal. // This could also be done before handing the files. foreach (string dir in subDirs) { try { DirectoryInfo directoryInfo = new DirectoryInfo(dir); // Skip symlinks to avoid loops // Future improvement: log it as a symlink in the data if (directoryInfo.Attributes.HasFlag(FileAttributes.ReparsePoint)) { continue; } if (!dirsSet.Contains(dir)) { dirs.Push(dir); dirsSet.Add(dir); } else { Log.Verbose("Loop detected. Skipping duplicate directory {0} as a subdirectory of {1}", dir, currentDir); } } catch (Exception e) when( e is SecurityException || e is ArgumentException || e is ArgumentException || e is PathTooLongException || e is UnauthorizedAccessException || e is IOException) { Log.Verbose("Failed to create DirectoryInfo from Directory at {0} {1}", dir, e.GetType().ToString()); continue; } } } }
public static IEnumerable <RegistryKey> WalkHive(RegistryHive Hive, RegistryView View, string startingKey = "") { Stack <RegistryKey> keys = new Stack <RegistryKey>(); RegistryKey?BaseKey = null; try { BaseKey = RegistryKey.OpenBaseKey(Hive, View); } catch (Exception e) when( e is IOException || e is ArgumentException || e is UnauthorizedAccessException || e is System.Security.SecurityException) { } if (BaseKey != null) { if (startingKey != null) { BaseKey = BaseKey.OpenSubKey(startingKey, writable: false); } keys.Push(BaseKey); } while (keys.Count > 0) { RegistryKey currentKey = keys.Pop(); if (currentKey == null) { continue; } if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Key", currentKey.Name)) { continue; } // First push all the new subkeys onto our stack. foreach (string key in currentKey.GetSubKeyNames()) { try { var next = currentKey.OpenSubKey(name: key, writable: false); keys.Push(next); } // These are expected as we are running as administrator, not System. catch (System.Security.SecurityException) { Log.Debug("Permission Denied Opening Subkey: {0}\\{1}", currentKey.Name, key); } // There seem to be some keys which are listed as existing by the APIs but don't actually exist. // Unclear if these are just super transient keys or what the other cause might be. // Since this isn't user actionable, also just supress these to the verbose stream. catch (System.IO.IOException) { Log.Debug("IOError Reading: {0}\\{1}", currentKey.Name, key); } catch (Exception e) { Log.Information(e, "Unexpected error when parsing {0}\\{1}", currentKey.Name, key); AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } } yield return(currentKey); } BaseKey?.Dispose(); }
public static IEnumerable <FileSystemInfo> WalkDirectory(string root) { // Data structure to hold names of subfolders to be // examined for files. Stack <string> dirs = new Stack <string>(); if (!System.IO.Directory.Exists(root)) { throw new ArgumentException("Unable to find [" + root + "]"); } dirs.Push(root); while (dirs.Count > 0) { string currentDir = dirs.Pop(); if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "File", "Path", currentDir)) { continue; } string[] subDirs; try { subDirs = System.IO.Directory.GetDirectories(currentDir); } // An UnauthorizedAccessException exception will be thrown if we do not have // discovery permission on a folder or file. It may or may not be acceptable // to ignore the exception and continue enumerating the remaining files and // folders. It is also possible (but unlikely) that a DirectoryNotFound exception // will be raised. This will happen if currentDir has been deleted by // another application or thread after our call to Directory.Exists. The // choice of which exceptions to catch depends entirely on the specific task // you are intending to perform and also on how much you know with certainty // about the systems on which this code will run. catch (UnauthorizedAccessException) { Log.Debug("Unable to access: {0}", currentDir); continue; } catch (System.IO.DirectoryNotFoundException) { Log.Debug("Directory not found: {0}", currentDir); continue; } // @TODO: Improve this catch. // This catches a case where we sometimes try to walk a file // even though its not a directory on Mac OS. // System.IO.Directory.GetDirectories is how we get the // directories which sometimes gives you things that aren't directories. catch (IOException) { Log.Debug("IO Error: {0}", currentDir); continue; } string[] files = null; try { files = System.IO.Directory.GetFiles(currentDir); } catch (UnauthorizedAccessException e) { Log.Debug(e.Message); continue; } catch (System.IO.DirectoryNotFoundException e) { Log.Debug(e.Message); continue; } // Perform the required action on each file here. // Modify this block to perform your required task. foreach (string file in files) { FileInfo fileInfo = null; try { fileInfo = new FileInfo(file); } catch (System.IO.FileNotFoundException e) { // If file was deleted by a separate application // or thread since the call to TraverseTree() // then just continue. Log.Debug(e.Message); continue; } if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "File", "Path", file)) { continue; } yield return(fileInfo); } // Push the subdirectories onto the stack for traversal. // This could also be done before handing the files. foreach (string str in subDirs) { DirectoryInfo fileInfo = null; try { fileInfo = new DirectoryInfo(str); // Skip symlinks to avoid loops // Future improvement: log it as a symlink in the data if (fileInfo.Attributes.HasFlag(FileAttributes.ReparsePoint)) { continue; } } catch (System.IO.DirectoryNotFoundException) { // If file was deleted by a separate application // or thread since the call to TraverseTree() // then just continue. continue; } catch (IOException) { continue; } dirs.Push(str); yield return(fileInfo); } } }