C# (CSharp) AttackSurfaceAnalyzer.Utils AsaTelemetry Beispiele

Programmiersprache: C# (CSharp)

Namespace / Paketname: AttackSurfaceAnalyzer.Utils

Klasse / Typ: AsaTelemetry

Beispiele auf hotexamples.com: 6

C# (CSharp) AttackSurfaceAnalyzer.Utils AsaTelemetry - 6 Beispiele gefunden. Dies sind die am besten bewerteten C# (CSharp) Beispiele für die AttackSurfaceAnalyzer.Utils.AsaTelemetry, die aus Open Source-Projekten extrahiert wurden. Sie können Beispiele bewerten, um die Qualität der Beispiele zu verbessern.

Häufig verwendete Methoden

Anzeigen Verbergen

TrackTrace(5)

TrackEvent(4)

SetEnabled(3)

Beispiel #1

Datei anzeigen

Datei: Analyzer.cs Projekt: tools-env/AttackSurfaceAnalyzer

        protected ANALYSIS_RESULT_TYPE Apply(Rule rule, CompareResult compareResult)
        {
            if (compareResult != null && rule != null)
            {
                var properties = _Properties[compareResult.ResultType];

                foreach (Clause clause in rule.Clauses)
                {
                    PropertyInfo property = properties.FirstOrDefault(iProp => iProp.Name.Equals(clause.Field));
                    if (property == null)
                    {
                        //Custom field logic will go here
                        return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);
                    }

                    try
                    {
                        var valsToCheck = new List <string>();
                        List <KeyValuePair <string, string> > dictToCheck = new List <KeyValuePair <string, string> >();

                        if (property != null)
                        {
                            if (compareResult.ChangeType == CHANGE_TYPE.CREATED || compareResult.ChangeType == CHANGE_TYPE.MODIFIED)
                            {
                                try
                                {
                                    if (GetValueByPropertyName(compareResult.Compare, property.Name) is List <string> )
                                    {
                                        foreach (var value in (List <string>)GetValueByPropertyName(compareResult.Compare, property.Name))
                                        {
                                            valsToCheck.Add(value);
                                        }
                                    }
                                    else if (GetValueByPropertyName(compareResult.Compare, property.Name) is Dictionary <string, string> )
                                    {
                                        dictToCheck = ((Dictionary <string, string>)GetValueByPropertyName(compareResult.Compare, property.Name)).ToList();
                                    }
                                    else if (GetValueByPropertyName(compareResult.Compare, property.Name) is List <KeyValuePair <string, string> > )
                                    {
                                        dictToCheck = (List <KeyValuePair <string, string> >)GetValueByPropertyName(compareResult.Compare, property.Name);
                                    }
                                    else
                                    {
                                        valsToCheck.Add(GetValueByPropertyName(compareResult.Compare, property.Name).ToString());
                                    }
                                }
                                catch (Exception e)
                                {
                                    Log.Debug(e, "Error fetching Property {0} of Type {1}", property.Name, compareResult.ResultType);

                                    Dictionary <string, string> ExceptionEvent = new Dictionary <string, string>();
                                    ExceptionEvent.Add("Exception Type", e.GetType().ToString());
                                    AsaTelemetry.TrackEvent("ApplyCreatedModifiedException", ExceptionEvent);
                                }
                            }
                            if (compareResult.ChangeType == CHANGE_TYPE.DELETED || compareResult.ChangeType == CHANGE_TYPE.MODIFIED)
                            {
                                try
                                {
                                    if (GetValueByPropertyName(compareResult.Base, property.Name) is List <string> )
                                    {
                                        foreach (var value in (List <string>)GetValueByPropertyName(compareResult.Base, property.Name))
                                        {
                                            valsToCheck.Add(value);
                                        }
                                    }
                                    else if (GetValueByPropertyName(compareResult.Base, property.Name) is Dictionary <string, string> )
                                    {
                                        dictToCheck = ((Dictionary <string, string>)GetValueByPropertyName(compareResult.Base, property.Name)).ToList();
                                    }
                                    else if (GetValueByPropertyName(compareResult.Base, property.Name) is List <KeyValuePair <string, string> > )
                                    {
                                        dictToCheck = (List <KeyValuePair <string, string> >)GetValueByPropertyName(compareResult.Base, property.Name);
                                    }
                                    else
                                    {
                                        valsToCheck.Add(GetValueByPropertyName(compareResult.Base, property.Name).ToString());
                                    }
                                }
                                catch (Exception e)
                                {
                                    Dictionary <string, string> ExceptionEvent = new Dictionary <string, string>();
                                    ExceptionEvent.Add("Exception Type", e.GetType().ToString());
                                    AsaTelemetry.TrackEvent("ApplyDeletedModifiedException", ExceptionEvent);
                                }
                            }
                        }

                        int count = 0, dictCount = 0;

                        switch (clause.Operation)
                        {
                        case OPERATION.EQ:
                            foreach (string datum in clause.Data)
                            {
                                foreach (string val in valsToCheck)
                                {
                                    count += (datum.Equals(val)) ? 1 : 0;
                                    break;
                                }
                            }
                            if (count == clause.Data.Count)
                            {
                                break;
                            }
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);

                        case OPERATION.NEQ:
                            foreach (string datum in clause.Data)
                            {
                                foreach (string val in valsToCheck)
                                {
                                    if (datum.Equals(val))
                                    {
                                        return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);
                                    }
                                }
                            }
                            break;

                        case OPERATION.CONTAINS:
                            if (dictToCheck.Count > 0)
                            {
                                foreach (KeyValuePair <string, string> value in clause.DictData)
                                {
                                    if (dictToCheck.Where((x) => x.Key == value.Key && x.Value == value.Value).Any())
                                    {
                                        dictCount++;
                                    }
                                }
                                if (dictCount == clause.DictData.Count)
                                {
                                    break;
                                }
                            }
                            else if (valsToCheck.Count > 0)
                            {
                                foreach (string datum in clause.Data)
                                {
                                    foreach (string val in valsToCheck)
                                    {
                                        count += (!val.Contains(datum)) ? 1 : 0;
                                        break;
                                    }
                                }
                                if (count == clause.Data.Count)
                                {
                                    break;
                                }
                            }
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);

                        case OPERATION.DOES_NOT_CONTAIN:
                            if (dictToCheck.Count > 0)
                            {
                                foreach (KeyValuePair <string, string> value in clause.DictData)
                                {
                                    if (dictToCheck.Where((x) => x.Key == value.Key && x.Value == value.Value).Any())
                                    {
                                        return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);
                                    }
                                }
                            }
                            else if (valsToCheck.Count > 0)
                            {
                                foreach (string datum in clause.Data)
                                {
                                    if (valsToCheck.Contains(datum))
                                    {
                                        return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);
                                    }
                                }
                            }
                            break;

                        case OPERATION.GT:
                            foreach (string val in valsToCheck)
                            {
                                count += (int.Parse(val, CultureInfo.InvariantCulture) > int.Parse(clause.Data[0], CultureInfo.InvariantCulture)) ? 1 : 0;
                            }
                            if (count == valsToCheck.Count)
                            {
                                break;
                            }
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);

                        case OPERATION.LT:
                            foreach (string val in valsToCheck)
                            {
                                count += (int.Parse(val, CultureInfo.InvariantCulture) < int.Parse(clause.Data[0], CultureInfo.InvariantCulture)) ? 1 : 0;
                            }
                            if (count == valsToCheck.Count)
                            {
                                break;
                            }
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);

                        case OPERATION.REGEX:
                            foreach (string val in valsToCheck)
                            {
                                foreach (string datum in clause.Data)
                                {
                                    var r = new Regex(datum);
                                    if (r.IsMatch(val))
                                    {
                                        count++;
                                    }
                                }
                            }
                            if (count == valsToCheck.Count)
                            {
                                break;
                            }
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);

                        case OPERATION.WAS_MODIFIED:
                            if ((valsToCheck.Count == 2) && (valsToCheck[0] == valsToCheck[1]))
                            {
                                break;
                            }
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);

                        case OPERATION.ENDS_WITH:
                            foreach (string datum in clause.Data)
                            {
                                foreach (var val in valsToCheck)
                                {
                                    if (val.EndsWith(datum, StringComparison.CurrentCulture))
                                    {
                                        count++;
                                        break;
                                    }
                                }
                            }
                            if (count == clause.Data.Count)
                            {
                                break;
                            }
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);

                        case OPERATION.STARTS_WITH:
                            foreach (string datum in clause.Data)
                            {
                                foreach (var val in valsToCheck)
                                {
                                    if (val.StartsWith(datum, StringComparison.CurrentCulture))
                                    {
                                        count++;
                                        break;
                                    }
                                }
                            }
                            if (count == clause.Data.Count)
                            {
                                break;
                            }
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);

                        default:
                            Log.Debug("Unimplemented operation {0}", clause.Operation);
                            return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);
                        }
                    }
                    catch (Exception e)
                    {
                        Log.Debug(e, $"Hit while parsing {JsonConvert.SerializeObject(rule)} onto {JsonConvert.SerializeObject(compareResult)}");
                        Dictionary <string, string> ExceptionEvent = new Dictionary <string, string>();
                        ExceptionEvent.Add("Exception Type", e.GetType().ToString());
                        AsaTelemetry.TrackEvent("ApplyOverallException", ExceptionEvent);
                        return(DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType]);
                    }
                }
                compareResult.Rules.Add(rule);
                return(rule.Flag);
            }
            else
            {
                throw new NullReferenceException();
            }
        }

Beispiel #2

Datei anzeigen

Datei: SystemSqliteDatabaseManager.cs Projekt: wmmsf/AttackSurfaceAnalyzer

        public static bool Setup(string filename, DBSettings?dbSettingsIn = null)
        {
            dbSettings = (dbSettingsIn == null) ? new DBSettings() : dbSettingsIn;

            if (filename != null)
            {
                if (SQLiteFilename != filename)
                {
                    SQLiteFilename = filename;
                }
            }

            if (Connections.Count > 0)
            {
                CloseDatabase();
            }

            if (Connections == null || Connections.Count == 0)
            {
                Connections = new List <SystemSQLiteSqlConnectionHolder>();

                PopulateConnections();

                var settings = GetSettings();
                if (settings != null)
                {
                    FirstRun = false;

                    if (SCHEMA_VERSION != settings.SchemaVersion)
                    {
                        Log.Fatal("Database has schema version {settings.SchemaVersion} but database has schema version {SCHEMA_VERSION}.");
                        Environment.Exit((int)ASA_ERROR.MATCHING_SCHEMA);
                    }

                    if (dbSettingsIn != null && settings.ShardingFactor != dbSettingsIn.ShardingFactor)
                    {
                        Log.Information($"Requested sharding level of {dbSettingsIn.ShardingFactor} but database was created with {settings.ShardingFactor}. Ignoring request and using {settings.ShardingFactor}.");
                    }

                    dbSettings.ShardingFactor = settings.ShardingFactor;

                    AsaTelemetry.SetEnabled(settings.TelemetryEnabled);
                }
                else
                {
                    FirstRun = true;
                }

                PopulateConnections();

                if (MainConnection == null)
                {
                    Log.Warning("Failed to set up Main Database connection. Cannot set up database.");
                    return(false);
                }

                if (FirstRun)
                {
                    try
                    {
                        BeginTransaction();

                        using var cmd2 = new SQLiteCommand(SQL_CREATE_RUNS, MainConnection.Connection, MainConnection.Transaction);
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_RESULTS;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_RESULTS;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_LEVEL_INDEX;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_RESULT_TYPE_INDEX;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_IDENTITY_INDEX;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_LEVEL_RESULT_TYPE_INDEX;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FILE_MONITORED;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_PERSISTED_SETTINGS;
                        cmd2.ExecuteNonQuery();

                        SetSettings(new Settings()
                        {
                            SchemaVersion    = SCHEMA_VERSION,
                            ShardingFactor   = dbSettings.ShardingFactor,
                            TelemetryEnabled = true
                        });

                        Connections.AsParallel().ForAll(cxn =>
                        {
                            using (var innerCmd = new SQLiteCommand(SQL_CREATE_COLLECT_RESULTS, cxn.Connection, cxn.Transaction))
                            {
                                innerCmd.ExecuteNonQuery();

                                innerCmd.CommandText = SQL_CREATE_COLLECT_RUN_ID_INDEX;
                                innerCmd.ExecuteNonQuery();

                                innerCmd.CommandText = SQL_CREATE_COLLECT_RUN_KEY_IDENTITY_COMBINED_INDEX;
                                innerCmd.ExecuteNonQuery();

                                innerCmd.CommandText = SQL_CREATE_COLLECT_RUN_ID_IDENTITY_INDEX;
                                innerCmd.ExecuteNonQuery();
                            }
                        });
                    }
                    catch (SQLiteException e)
                    {
                        Log.Debug(e, "Failed to set up fresh database.");
                        Environment.Exit((int)ASA_ERROR.FAILED_TO_CREATE_DATABASE);
                    }
                    finally
                    {
                        Commit();
                    }
                }

                return(true);
            }
            return(false);
        }

Beispiel #3

Datei anzeigen

Datei: DatabaseManager.cs Projekt: sycomix/AttackSurfaceAnalyzer

        public static ASA_ERROR Setup(string filename, DBSettings?dbSettingsIn = null)
        {
            dbSettings = (dbSettingsIn == null) ? new DBSettings() : dbSettingsIn;

            if (filename != null)
            {
                if (SqliteFilename != filename)
                {
                    SqliteFilename = filename;
                }
            }

            if (Connections.Count > 0)
            {
                CloseDatabase();
            }

            if (Connections == null || Connections.Count == 0)
            {
                Connections = new List <SqlConnectionHolder>();

                if (!EstablishMainConnection())
                {
                    Log.Fatal(Strings.Get("FailedToEstablishMainConnection"), SqliteFilename);
                    return(ASA_ERROR.FAILED_TO_ESTABLISH_MAIN_DB_CONNECTION);
                }

                var settingsFromDb = GetSettings();
                if (settingsFromDb != null)
                {
                    dbSettings.ShardingFactor = settingsFromDb.ShardingFactor;

                    FirstRun = false;

                    if (SCHEMA_VERSION != settingsFromDb.SchemaVersion)
                    {
                        Log.Fatal(Strings.Get("WrongSchema"), settingsFromDb.SchemaVersion, SCHEMA_VERSION);
                        return(ASA_ERROR.MATCHING_SCHEMA);
                    }

                    if (dbSettingsIn != null && settingsFromDb.ShardingFactor != dbSettingsIn.ShardingFactor)
                    {
                        Log.Information(Strings.Get("InvalidShardingRequest"), dbSettingsIn.ShardingFactor, dbSettings.ShardingFactor);
                    }

                    AsaTelemetry.SetEnabled(settingsFromDb.TelemetryEnabled);
                }
                else
                {
                    FirstRun = true;
                }

                PopulateConnections();

                if (MainConnection == null)
                {
                    Log.Fatal(Strings.Get("FailedToEstablishMainConnection"), SqliteFilename);
                    return(ASA_ERROR.FAILED_TO_ESTABLISH_MAIN_DB_CONNECTION);
                }

                if (FirstRun)
                {
                    try
                    {
                        BeginTransaction();

                        using var cmd2 = new SqliteCommand(SQL_CREATE_RUNS, MainConnection.Connection, MainConnection.Transaction);
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_RESULTS;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_RESULTS;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_LEVEL_INDEX;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_RESULT_TYPE_INDEX;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_IDENTITY_INDEX;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FINDINGS_LEVEL_RESULT_TYPE_INDEX;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_FILE_MONITORED;
                        cmd2.ExecuteNonQuery();

                        cmd2.CommandText = SQL_CREATE_PERSISTED_SETTINGS;
                        cmd2.ExecuteNonQuery();

                        SetSettings(new Settings()
                        {
                            SchemaVersion    = SCHEMA_VERSION,
                            ShardingFactor   = dbSettings.ShardingFactor,
                            TelemetryEnabled = true
                        });

                        Connections.AsParallel().ForAll(cxn =>
                        {
                            using (var innerCmd = new SqliteCommand(SQL_CREATE_COLLECT_RESULTS, cxn.Connection, cxn.Transaction))
                            {
                                innerCmd.ExecuteNonQuery();

                                innerCmd.CommandText = SQL_CREATE_COLLECT_RUN_ID_INDEX;
                                innerCmd.ExecuteNonQuery();

                                innerCmd.CommandText = SQL_CREATE_COLLECT_RUN_KEY_IDENTITY_COMBINED_INDEX;
                                innerCmd.ExecuteNonQuery();

                                innerCmd.CommandText = SQL_CREATE_COLLECT_RUN_ID_IDENTITY_INDEX;
                                innerCmd.ExecuteNonQuery();
                            }
                        });
                    }
                    catch (SqliteException e)
                    {
                        Log.Debug(e, "Failed to set up fresh database.");
                        return(ASA_ERROR.FAILED_TO_CREATE_DATABASE);
                    }
                    finally
                    {
                        Commit();
                    }
                }
            }
            return(ASA_ERROR.NONE);
        }

Beispiel #4

Datei anzeigen

Datei: RegistryWalker.cs Projekt: wade1990/AttackSurfaceAnalyzer

        public static IEnumerable <RegistryObject> WalkHive(RegistryHive Hive, string startingKey = null)
        {
            Stack <RegistryKey> keys = new Stack <RegistryKey>();

            RegistryKey x86_View = null, x64_View = null;

            try
            {
                x86_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry32);
            }
            catch (Exception e) when(
                e is IOException ||
                e is ArgumentException ||
                e is UnauthorizedAccessException ||
                e is System.Security.SecurityException)
            {
            }
            try
            {
                x64_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry32);
            }
            catch (Exception e) when(
                e is IOException ||
                e is ArgumentException ||
                e is UnauthorizedAccessException ||
                e is System.Security.SecurityException)
            {
            }

            if (x86_View != null)
            {
                if (startingKey != null)
                {
                    x86_View = x86_View.OpenSubKey(startingKey);
                }
                keys.Push(x86_View);
            }

            if (x64_View != null)
            {
                if (startingKey != null)
                {
                    x64_View = x64_View.OpenSubKey(startingKey);
                }
                keys.Push(x64_View);
            }

            while (keys.Count > 0)
            {
                RegistryKey currentKey = keys.Pop();

                if (currentKey == null)
                {
                    continue;
                }
                if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Key", currentKey.Name))
                {
                    continue;
                }

                // First push all the new subkeys onto our stack.
                foreach (string key in currentKey.GetSubKeyNames())
                {
                    try
                    {
                        var next = currentKey.OpenSubKey(name: key, writable: false);
                        keys.Push(next);
                    }
                    // These are expected as we are running as administrator, not System.
                    catch (System.Security.SecurityException e)
                    {
                        Log.Verbose(e, "Permission Denied: {0}", currentKey.Name);
                    }
                    // There seem to be some keys which are listed as existing by the APIs but don't actually exist.
                    // Unclear if these are just super transient keys or what the other cause might be.
                    // Since this isn't user actionable, also just supress these to the verbose stream.
                    catch (System.IO.IOException e)
                    {
                        Log.Verbose(e, "Error Reading: {0}", currentKey.Name);
                    }
                    catch (Exception e)
                    {
                        Log.Information(e, "Unexpected error when parsing {0}:", currentKey.Name);
                        AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
                    }
                }

                var regObj = RegistryKeyToRegistryObject(currentKey);

                if (regObj != null)
                {
                    yield return(regObj);
                }
            }

            x86_View.Dispose();
            x64_View.Dispose();
        }

Beispiel #5

Datei anzeigen

        public static string VerifyEmbeddedSignature(string filename)
        {
            try
            {
                WinTrustFileInfo winTrustFileInfo = null;
                WinTrustData     winTrustData     = null;

                // specify the WinVerifyTrust function/action that we want
                Guid action = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);

                // instantiate our WinTrustFileInfo and WinTrustData data structures
                winTrustFileInfo = new WinTrustFileInfo(filename);
                winTrustData     = new WinTrustData(filename);

                WinVerifyTrustResult result = WinVerifyTrust(INVALID_HANDLE_VALUE, action, winTrustData);
                // call into WinVerifyTrust
                switch (result)
                {
                case WinVerifyTrustResult.Success:
                    return("Valid");

                case WinVerifyTrustResult.ProviderUnknown:
                    return("ProviderUnknown");

                case WinVerifyTrustResult.ActionUnknown:
                    return("ActionUnknown");

                case WinVerifyTrustResult.SubjectFormUnknown:
                    return("SubjectFormUnknown");

                case WinVerifyTrustResult.SubjectNotTrusted:
                    return("SubjectNotTrusted");

                case WinVerifyTrustResult.FileNotSigned:
                    return("FileNotSigned");

                case WinVerifyTrustResult.SubjectExplicitlyDistrusted:
                    return("SubjectExplicitlyDistrusted");

                case WinVerifyTrustResult.SignatureOrFileCorrupt:
                    return("SignatureOrFileCorrupt");

                case WinVerifyTrustResult.SubjectCertExpired:
                    return("SubjectCertExpired");

                case WinVerifyTrustResult.SubjectCertificateRevoked:
                    return("SubjectCertificateRevoked");

                case WinVerifyTrustResult.UntrustedRoot:
                    return("UntrustedRoot");

                default:
                    // The UI was disabled in dwUIChoice or the admin policy
                    // has disabled user trust. lStatus contains the
                    // publisher or time stamp chain error.
                    return(result.ToString());
                }
            }
            catch (Exception e) when(
                e is System.AccessViolationException ||
                e is Exception)
            {
                Dictionary <string, string> ExceptionEvent = new Dictionary <string, string>();

                ExceptionEvent.Add("Exception Type", e.GetType().ToString());
                AsaTelemetry.TrackEvent("VerifyEmbeddedSignatureException", ExceptionEvent);
                return("FailedToFetch");
            }
        }

Beispiel #6

Datei anzeigen

Datei: RegistryWalker.cs Projekt: wildragonx/AttackSurfaceAnalyzer

        public static IEnumerable <RegistryKey> WalkHive(RegistryHive Hive, RegistryView View, string startingKey = "")
        {
            Stack <RegistryKey> keys = new Stack <RegistryKey>();

            RegistryKey?BaseKey = null;

            try
            {
                BaseKey = RegistryKey.OpenBaseKey(Hive, View);
            }
            catch (Exception e) when(
                e is IOException ||
                e is ArgumentException ||
                e is UnauthorizedAccessException ||
                e is System.Security.SecurityException)
            {
            }

            if (BaseKey != null)
            {
                if (startingKey != null)
                {
                    BaseKey = BaseKey.OpenSubKey(startingKey, writable: false);
                }
                keys.Push(BaseKey);
            }

            while (keys.Count > 0)
            {
                RegistryKey currentKey = keys.Pop();

                if (currentKey == null)
                {
                    continue;
                }

                // First push all the new subkeys onto our stack.
                foreach (string key in currentKey.GetSubKeyNames())
                {
                    try
                    {
                        var next = currentKey.OpenSubKey(name: key, writable: false);
                        keys.Push(next);
                    }
                    // TODO: Capture that these keys exist but we couldn't access them in the results
                    // These are expected as we are running as administrator, not System.
                    catch (System.Security.SecurityException)
                    {
                        Log.Debug("Permission Denied Opening Subkey: {0}\\{1}", currentKey.Name, key);
                    }
                    // There seem to be some keys which are listed as existing by the APIs but don't actually exist.
                    // Unclear if these are just super transient keys or what the other cause might be.
                    // Since this isn't user actionable, also just supress these to the verbose stream.
                    catch (System.IO.IOException)
                    {
                        Log.Debug("IOError Reading: {0}\\{1}", currentKey.Name, key);
                    }
                    catch (Exception e)
                    {
                        Log.Information(e, "Unexpected error when parsing {0}\\{1}", currentKey.Name, key);
                        AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
                    }
                }

                yield return(currentKey);
            }

            BaseKey?.Dispose();
        }