Beispiel #1
0
        public void DetectWithIoNtfs()
        {
            var fileInfo = new FileInfo(path);

            foreach (var alternateDataStream in fileInfo.ListAlternateDataStreams())
            {
                Console.WriteLine("{0} - {1}", alternateDataStream.Name, alternateDataStream.Size);
            }

            // Read the "Zone.Identifier" stream, if it exists:
            if (fileInfo.AlternateDataStreamExists("Zone.Identifier"))
            {
                Console.WriteLine("Found zone identifier stream:");

                var s = fileInfo.GetAlternateDataStream("Zone.Identifier",FileMode.Open);
                using (TextReader reader = s.OpenText())
                {
                    Console.WriteLine(reader.ReadToEnd());
                }
            }
            else
            {
                Console.WriteLine("No zone identifier stream found.");
            }
        }
        /// <summary>
        /// 
        /// </summary>
        /// <param name="outputPath"></param>
        /// <param name="autoHttp"></param>
        /// <param name="autoGzip"></param>
        /// <param name="maxSize"></param>
        public PacketReconstructor(string outputPath, 
                                   long maxSize)
        {
            _outputPath = outputPath;
            _maxSize = maxSize;

            this.Guid = System.Guid.NewGuid().ToString();
            //ResetTcpReassembly();

            _packetParsers = new List<InterfaceParser>();

            if (Directory.Exists(Path.Combine(_outputPath, Guid.Substring(0,2))) == false)
            {
                woanware.IO.CreateDirectory(Path.Combine(_outputPath, Guid.Substring(0,2)));
            }

            //if (File.Exists(Path.Combine(_outputPath, Guid.Substring(0, 2), Guid + ".bin")) == false)
            //{
            //    File.Create(Path.Combine(_outputPath, Guid.Substring(0, 2), Guid + ".bin"));
            //}

            _storage = new System.IO.FileStream(Path.Combine(_outputPath, Guid.Substring(0, 2), Guid + ".bin"), System.IO.FileMode.Create);

            FileInfo file = new FileInfo(Path.Combine(_outputPath, Guid.Substring(0, 2), Guid + ".bin"));

            if (file.AlternateDataStreamExists("html") == false)
            {
                _storageHtml = file.GetAlternateDataStream("html").OpenWrite();
            }
            else
            {
                AlternateDataStreamInfo s = file.GetAlternateDataStream("html", FileMode.Open);
                _storageHtml = s.OpenWrite();
            }

            woanware.IO.WriteToFileStream(_storageHtml, Global.HTML_HEADER);
        }
Beispiel #3
0
        /// <summary>
        /// 
        /// </summary>
        /// <param name="session"></param>
        /// <param name="fileInfo"></param>
        private void ProcessUrls(Session session, FileInfo fileInfo)
        {
            AlternateDataStreamInfo ads = fileInfo.GetAlternateDataStream("info", FileMode.Open);
            using (TextReader reader = ads.OpenText())
            {
                UrlDetails urlDetails = new UrlDetails();
                urlDetails.SrcIp = session.SrcIpText;
                urlDetails.SrcPort = session.SourcePort;
                urlDetails.DstIp = session.DstIpText;
                urlDetails.DstPort = session.DestinationPort;

                string line;
                while ((line = reader.ReadLine()) != null)
                {
                    if (line.StartsWith("LINK: ") == false)
                    {
                        continue;
                    }

                    string url = line.Substring(6);

                    if (urlDetails.Urls.Contains(session.HttpHost + url) == false)
                    {
                        urlDetails.Urls.Add(session.HttpHost + url);
                    }
                }

                if (urlDetails.Urls.Count > 0)
                {
                    string dir = session.SrcIpText + "." + session.SourcePort + "-" + session.DstIpText + "." + session.DestinationPort;
                    if (System.IO.Directory.Exists(System.IO.Path.Combine(this.outputDirectory, dir)) == false)
                    {
                        IO.CreateDirectory(System.IO.Path.Combine(this.outputDirectory, dir));
                    }

                    urlDetails.Save(System.IO.Path.Combine(this.outputDirectory, dir, "Url.Details." + session.Guid + ".xml"));
                }
            }
        }
Beispiel #4
0
        /// <summary>
        /// 
        /// </summary>
        /// <param name="session"></param>
        private void LoadSession(Session session)
        {
            (new Thread(() =>
            {
                MethodInvoker methodInvoker = delegate
                {
                    try
                    {
                        using (new HourGlass(this))
                        {
                            if (session == null)
                            {
                                UserInterface.DisplayErrorMessageBox(this, "Unable to locate session");
                                return;
                            }

                            string filePath = System.IO.Path.Combine(this.dataDirectory, session.Guid.Substring(0, 2), session.Guid + ".bin");

                            if (File.Exists(filePath) == false)
                            {
                                UserInterface.DisplayErrorMessageBox(this, "Session data file does not exist: " + filePath);
                                return;
                            }

                            byte[] temp = File.ReadAllBytes(filePath);
                            DynamicByteProvider dynamicByteProvider = new DynamicByteProvider(temp);
                            hexBox.ByteProvider = dynamicByteProvider;

                            temp = woanware.Text.ReplaceNulls(temp);

                            FileInfo fileInfo = new FileInfo(filePath);

                            // Colourised (HTML)
                            if (fileInfo.AlternateDataStreamExists("html") == true)
                            {
                                AlternateDataStreamInfo ads = fileInfo.GetAlternateDataStream("html", FileMode.Open);
                                using (TextReader reader = ads.OpenText())
                                {
                                    webControl.DocumentText = reader.ReadToEnd();
                                }
                            }
                            else
                            {
                                webControl.DocumentText = string.Empty;
                            }

                            // ASCII
                            if (fileInfo.AlternateDataStreamExists("txt") == true)
                            {
                                AlternateDataStreamInfo ads = fileInfo.GetAlternateDataStream("txt", FileMode.Open);
                                using (TextReader reader = ads.OpenText())
                                {
                                    txtSession.Text = reader.ReadToEnd();
                                    txtSession.ScrollToTop();
                                }
                            }
                            else
                            {
                                txtSession.Text = ASCIIEncoding.ASCII.GetString(temp);
                                txtSession.ScrollToTop();
                            }

                            // Info
                            if (fileInfo.AlternateDataStreamExists("info") == true)
                            {
                                AlternateDataStreamInfo ads = fileInfo.GetAlternateDataStream("info", FileMode.Open);
                                using (TextReader reader = ads.OpenText())
                                {
                                    txtInfo.Text = reader.ReadToEnd();
                                    txtInfo.ScrollToTop();
                                }
                            }
                            else
                            {
                                txtInfo.Text = string.Empty;
                                txtInfo.ScrollToTop();
                            }
                        }
                    }
                    catch (Exception ex)
                    {
                        this.Log().Error(ex.ToString());
                    }
                };

                if (this.InvokeRequired == true)
                {
                    this.BeginInvoke(methodInvoker);
                }
                else
                {
                    methodInvoker.Invoke();
                }

            })).Start();
        }
        static int Main(string[] args)
        {
            // parse + validate args:
            if (args.Length < 2 || args[0] != "x") { WriteUsageAndExit(); }
            string zipFileName = args.Last();
            Console.WriteLine("Processing archive: " + zipFileName);
            if (!File.Exists(zipFileName))
            {
                Console.WriteLine("Error: cannot find archive: " + zipFileName);
                return 2;
            }
            var destinationDir = (args[1].StartsWith("-o")) ? args[1].Substring(2) : ".";

            // open archive, prepare vars:
            ZipFile zipFile = new ZipFile(zipFileName);
            byte[] buffer = new byte[2048];
            int numExtracted = 0, numSkipped = 0;

            foreach (ZipEntry entry in zipFile)
            {
                var combinedPath = Path.Combine(destinationDir, entry.Name);
                if (entry.IsDirectory)
                {
                    Directory.CreateDirectory(combinedPath);
                    continue;
                }
                if (!entry.IsFile)
                    continue; // skip dirs
                var fileInfo = new FileInfo(combinedPath);
                string md5_str = ComputeStreamHash_MD5(zipFile.GetInputStream(entry));

                // check if md5 is same as in Alternate stream in existing file:
                string prev_md5 = TryReadAlternateStream(fileInfo, STREAM_NAME);
                if (prev_md5 == md5_str && fileInfo.Length == entry.Size)
                {
                    if (numSkipped++ == 0)
                        Console.WriteLine("Skip unchanged: " + fileInfo.FullName +  " (md5 match: "+md5_str + ")");
                    continue;
                }

                if (!fileInfo.Directory.Exists)
                    fileInfo.Directory.Create();

                // now extract the file, followed by the alt stream containing MD5:
                using (FileStream targetFileStr = fileInfo.OpenWrite())
                using (var zipStream = zipFile.GetInputStream(entry))
                {
                    Console.WriteLine("Extracting file " + fileInfo);
                    StreamUtils.Copy(zipStream, targetFileStr, buffer);
                }
                fileInfo.Refresh();
                using (FileStream altStream = fileInfo.GetAlternateDataStream(STREAM_NAME, FileMode.CreateNew).OpenWrite())
                using (StreamWriter writer = new StreamWriter(altStream))
                {
                    //Console.WriteLine("Writing file " + fileInfo + ":" + STREAM_NAME + " = " + md5_str);
                    writer.Write(md5_str);
                }
                numExtracted++;
            }
            Console.WriteLine("END archive, " + numExtracted  +" extracted, " + numSkipped + " skipped");
            return 0;
        }
 static string TryReadAlternateStream(FileInfo fileInfo, string streamName)
 {
     if (fileInfo.Exists && fileInfo.AlternateDataStreamExists(streamName))
     {
         using (var altStream = fileInfo.GetAlternateDataStream(streamName).OpenText())
         {
             string prev_md5 = altStream.ReadToEnd();
             return prev_md5;
         }
     }
     return null;
 }
Beispiel #7
0
        /// <summary>
        /// Output the parsed HTTP data to a HTML file
        /// </summary>
        /// <param name="parser"></param>
        private void SaveToHtml()
        {
            FileInfo file = new FileInfo(outputFile);

            FileStream fs = null;
            try
            {
                if (file.AlternateDataStreamExists("html") == false)
                {
                    fs = file.GetAlternateDataStream("html").OpenWrite();
                }
                else
                {
                    // Delete the existing HTML ADS since we will replace it
                    file.DeleteAlternateDataStream("html");
                    fs = file.GetAlternateDataStream("html").OpenWrite();
                }

                this.parser.WriteToHtmlFile(fs);
            }
            finally
            {
                if (fs!= null)
                {
                    fs.Dispose();
                }
            }
        }
Beispiel #8
0
        /// <summary>
        /// 
        /// </summary>
        /// <param name="guid"></param>
        private void ParseHttpData(string outputPath, Session session)
        {
            //string fileName = string.Empty;
            //if (File.Exists(System.IO.Path.Combine(outputPath, session.Guid + ".txt")) == true)
            //{
            //    fileName = System.IO.Path.Combine(outputPath, session.Guid + ".txt");
            //}
            //else
            //{
            //    fileName = System.IO.Path.Combine(outputPath, session.Guid + ".bin");
            //}

            FileInfo file = new FileInfo(this.outputFile);

            FileStream fs = null;
            try
            {
                // Open up the "info" ADS
                if (file.AlternateDataStreamExists("info") == false)
                {
                    fs = file.GetAlternateDataStream("info").OpenWrite();
                }
                else
                {
                    AlternateDataStreamInfo s = file.GetAlternateDataStream("info", FileMode.Open);
                    fs = s.OpenWrite();
                }

                foreach (Message message in this.parser.Messages)
                {
                    // Ensure that the response object is valid
                    if (message.Response.StatusCode == 0)
                    {
                        continue;
                    }

                    // Check the Content-Type header? e.g. contains "HTML"
                    if (message.Response.ContentType.IndexOf("text/html", StringComparison.InvariantCultureIgnoreCase) == -1)
                    {
                        continue;
                    }

                    ParseLinks(fs, message.Response);
                }
            }
            finally
            {
                if (fs != null)
                {
                    fs.Dispose();
                }
            }
        }