public void ParseComObjects(RegistryKey SearchKey) { if (SearchKey == null) { return; } foreach (string SubKeyName in SearchKey.GetSubKeyNames()) { try { RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName); var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey); ComObject comObject = new ComObject() { Key = RegObj, Subkeys = new List <RegistryObject>() }; foreach (string ComDetails in CurrentKey.GetSubKeyNames()) { var ComKey = CurrentKey.OpenSubKey(ComDetails); comObject.Subkeys.Add(RegistryWalker.RegistryKeyToRegistryObject(ComKey)); } //Get the information from the InProcServer32 Subkey (for 32 bit) if (comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).Count() > 0 && comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).First().Values.ContainsKey("")) { comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).First().Values.TryGetValue("", out string BinaryPath32); // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath32 = BinaryPath32.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath32.StartsWith("\"") && BinaryPath32.EndsWith("\"")) { BinaryPath32 = BinaryPath32.Substring(1, BinaryPath32.Length - 2); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath32.Contains("\\") && !BinaryPath32.Contains("%")) { BinaryPath32 = Path.Combine(Environment.SystemDirectory, BinaryPath32.Trim()); } comObject.x86_Binary = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(BinaryPath32.Trim()), true); comObject.x86_BinaryName = BinaryPath32; } // And the InProcServer64 for 64 bit if (comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).Count() > 0 && comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).First().Values.ContainsKey("")) { comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).First().Values.TryGetValue("", out string BinaryPath64); // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath64 = BinaryPath64.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath64.StartsWith("\"") && BinaryPath64.EndsWith("\"")) { BinaryPath64 = BinaryPath64.Substring(1, BinaryPath64.Length - 2); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath64.Contains("\\") && !BinaryPath64.Contains("%")) { BinaryPath64 = Path.Combine(Environment.SystemDirectory, BinaryPath64.Trim()); } comObject.x64_Binary = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(BinaryPath64.Trim()), true); comObject.x64_BinaryName = BinaryPath64; } DatabaseManager.Write(comObject, runId); } catch (Exception e) { Log.Debug(e, "Couldn't parse {0}", SubKeyName); } } }
public void ParseComObjects(RegistryKey SearchKey) { if (SearchKey == null) { return; } List <ComObject> comObjects = new List <ComObject>(); try { Parallel.ForEach(SearchKey.GetSubKeyNames(), (SubKeyName) => { try { RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName); var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey); ComObject comObject = new ComObject() { Key = RegObj, }; foreach (string ComDetails in CurrentKey.GetSubKeyNames()) { var ComKey = CurrentKey.OpenSubKey(ComDetails); comObject.Subkeys.Add(RegistryWalker.RegistryKeyToRegistryObject(ComKey)); } //Get the information from the InProcServer32 Subkey (for 32 bit) if (comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).Any() && comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).First().Values.ContainsKey("")) { comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).First().Values.TryGetValue("", out string BinaryPath32); // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath32 = BinaryPath32.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath32.StartsWith("\"") && BinaryPath32.EndsWith("\"")) { BinaryPath32 = BinaryPath32.Substring(1, BinaryPath32.Length - 2); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath32.Contains("\\") && !BinaryPath32.Contains("%")) { BinaryPath32 = Path.Combine(Environment.SystemDirectory, BinaryPath32.Trim()); } comObject.x86_Binary = FileSystemCollector.FilePathToFileSystemObject(BinaryPath32.Trim(), true); comObject.x86_BinaryName = BinaryPath32; } // And the InProcServer64 for 64 bit if (comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).Any() && comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).First().Values.ContainsKey("")) { comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).First().Values.TryGetValue("", out string BinaryPath64); // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath64 = BinaryPath64.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath64.StartsWith("\"") && BinaryPath64.EndsWith("\"")) { BinaryPath64 = BinaryPath64.Substring(1, BinaryPath64.Length - 2); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath64.Contains("\\") && !BinaryPath64.Contains("%")) { BinaryPath64 = Path.Combine(Environment.SystemDirectory, BinaryPath64.Trim()); } comObject.x64_Binary = FileSystemCollector.FilePathToFileSystemObject(BinaryPath64.Trim(), true); comObject.x64_BinaryName = BinaryPath64; } comObjects.Add(comObject); } catch (Exception e) when( e is System.Security.SecurityException || e is ObjectDisposedException || e is UnauthorizedAccessException || e is IOException) { Log.Debug($"Couldn't parse {SubKeyName}"); } }); } catch (Exception e) when( e is System.Security.SecurityException || e is ObjectDisposedException || e is UnauthorizedAccessException || e is IOException) { Log.Debug($"Failing parsing com objects {SearchKey.Name} {e.GetType().ToString()} {e.Message}"); } foreach (var comObject in comObjects) { DatabaseManager.Write(comObject, RunId); } }