Example #1
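        /// <summary>
        /// Treats every subkey of <paramref name="SearchKey"/> as one COM class registration: records its
        /// subkeys, resolves the in-process server binaries named by their default values, and writes the
        /// resulting <c>ComObject</c> through <c>DatabaseManager.Write</c>.
        /// </summary>
        /// <param name="SearchKey">Registry key whose subkeys are enumerated; a null key is ignored.</param>
        /// <remarks>
        /// The server path is data read from the registry and is only trimmed, unquoted and, when it has
        /// no directory part, joined to the system directory; nothing else about it is validated here.
        /// Failures while processing one subkey are logged at debug level and do not stop the walk.
        /// </remarks>
        public void ParseComObjects(RegistryKey SearchKey)
        {
            if (SearchKey == null)
            {
                return;
            }

            // Returns the cleaned-up server path stored in the default value of the first recorded subkey
            // whose name contains ServerKeyName, or null when there is no usable value.
            string FindServerPath(ComObject Candidate, string ServerKeyName)
            {
                // Registry key names are case-insensitive, so an ordinal case-sensitive match would miss
                // registrations spelled e.g. "InProcServer32".
                var ServerKey = Candidate.Subkeys.FirstOrDefault(
                    x => x.Key.IndexOf(ServerKeyName, StringComparison.OrdinalIgnoreCase) >= 0);

                if (ServerKey == null
                    || !ServerKey.Values.TryGetValue("", out string RawPath)
                    || string.IsNullOrWhiteSpace(RawPath))
                {
                    return null;
                }

                // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker)
                string Cleaned = RawPath.Trim();

                // Clean up cases where the binary is quoted (also breaks permission checker).
                // The length guard keeps a lone quote character from producing a negative Substring length.
                if (Cleaned.Length >= 2
                    && Cleaned.StartsWith("\"", StringComparison.Ordinal)
                    && Cleaned.EndsWith("\"", StringComparison.Ordinal))
                {
                    Cleaned = Cleaned.Substring(1, Cleaned.Length - 2);
                }

                // An empty value would otherwise be reported as the system directory itself.
                if (string.IsNullOrWhiteSpace(Cleaned))
                {
                    return null;
                }

                // Unqualified binary name probably comes from Windows\System32.
                // NOTE(review): this is an approximation of where the loader would find the file; for
                // 32-bit registrations inspected from a 64-bit process the directory may differ - confirm.
                // NOTE(review): values containing '%' are passed on unexpanded; confirm the file-system
                // collector expands environment variables, otherwise those binaries are not inspected.
                if (!Cleaned.Contains("\\") && !Cleaned.Contains("%"))
                {
                    Cleaned = Path.Combine(Environment.SystemDirectory, Cleaned.Trim());
                }

                return Cleaned;
            }

            foreach (string SubKeyName in SearchKey.GetSubKeyNames())
            {
                try
                {
                    // NOTE(review): disposing the keys assumes RegistryKeyToRegistryObject copies what it
                    // needs before returning - confirm against RegistryWalker.
                    using (RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName))
                    {
                        // OpenSubKey returns null when the key disappeared after enumeration.
                        if (CurrentKey == null)
                        {
                            Log.Debug("Couldn't parse {0}", SubKeyName);
                            continue;
                        }

                        var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey);

                        ComObject comObject = new ComObject()
                        {
                            Key     = RegObj,
                            Subkeys = new List <RegistryObject>()
                        };

                        foreach (string ComDetails in CurrentKey.GetSubKeyNames())
                        {
                            using (var ComKey = CurrentKey.OpenSubKey(ComDetails))
                            {
                                if (ComKey != null)
                                {
                                    comObject.Subkeys.Add(RegistryWalker.RegistryKeyToRegistryObject(ComKey));
                                }
                            }
                        }

                        //Get the information from the InProcServer32 Subkey (for 32 bit)
                        string BinaryPath32 = FindServerPath(comObject, "InprocServer32");
                        if (BinaryPath32 != null)
                        {
                            comObject.x86_Binary     = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(BinaryPath32.Trim()), true);
                            comObject.x86_BinaryName = BinaryPath32;
                        }

                        // And the InProcServer64 for 64 bit
                        // NOTE(review): COM usually registers in-process servers of either bitness under
                        // InprocServer32; confirm that InprocServer64 is ever populated on target systems.
                        string BinaryPath64 = FindServerPath(comObject, "InprocServer64");
                        if (BinaryPath64 != null)
                        {
                            comObject.x64_Binary     = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(BinaryPath64.Trim()), true);
                            comObject.x64_BinaryName = BinaryPath64;
                        }

                        DatabaseManager.Write(comObject, runId);
                    }
                }
                catch (Exception e)
                {
                    // One unreadable or malformed registration must not abort the whole collection.
                    Log.Debug(e, "Couldn't parse {0}", SubKeyName);
                }
            }
        }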
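        /// <summary>
        /// Processes the subkeys of <paramref name="SearchKey"/> in parallel, treating each as one COM
        /// class registration: records its subkeys, resolves the in-process server binaries named by
        /// their default values, and afterwards writes every collected <c>ComObject</c> through
        /// <c>DatabaseManager.Write</c>.
        /// </summary>
        /// <param name="SearchKey">Registry key whose subkeys are enumerated; a null key is ignored.</param>
        /// <remarks>
        /// The server path is data read from the registry and is only trimmed, unquoted and, when it has
        /// no directory part, joined to the system directory; nothing else about it is validated here.
        /// Security, access, disposal and I/O failures are logged at debug level; other exception types
        /// are not caught by this method.
        /// </remarks>
        public void ParseComObjects(RegistryKey SearchKey)
        {
            if (SearchKey == null)
            {
                return;
            }
            List <ComObject> comObjects = new List <ComObject>();

            // List<T> is not safe for concurrent Add calls; workers take this lock before appending so
            // that no registration is lost or the list corrupted.
            object CollectionGate = new object();

            // Returns the cleaned-up server path stored in the default value of the first recorded subkey
            // whose name contains ServerKeyName, or null when there is no usable value.
            string FindServerPath(ComObject Candidate, string ServerKeyName)
            {
                // Registry key names are case-insensitive, so an ordinal case-sensitive match would miss
                // registrations spelled e.g. "InProcServer32".
                var ServerKey = Candidate.Subkeys.FirstOrDefault(
                    x => x.Key.IndexOf(ServerKeyName, StringComparison.OrdinalIgnoreCase) >= 0);

                if (ServerKey == null
                    || !ServerKey.Values.TryGetValue("", out string RawPath)
                    || string.IsNullOrWhiteSpace(RawPath))
                {
                    return null;
                }

                // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker)
                string Cleaned = RawPath.Trim();

                // Clean up cases where the binary is quoted (also breaks permission checker).
                // The length guard keeps a lone quote character from producing a negative Substring
                // length, which the exception filter in the worker would not catch.
                if (Cleaned.Length >= 2
                    && Cleaned.StartsWith("\"", StringComparison.Ordinal)
                    && Cleaned.EndsWith("\"", StringComparison.Ordinal))
                {
                    Cleaned = Cleaned.Substring(1, Cleaned.Length - 2);
                }

                // An empty value would otherwise be reported as the system directory itself.
                if (string.IsNullOrWhiteSpace(Cleaned))
                {
                    return null;
                }

                // Unqualified binary name probably comes from Windows\System32.
                // NOTE(review): this is an approximation of where the loader would find the file; for
                // 32-bit registrations inspected from a 64-bit process the directory may differ - confirm.
                // NOTE(review): values containing '%' are passed on unexpanded; confirm the file-system
                // collector expands environment variables, otherwise those binaries are not inspected.
                if (!Cleaned.Contains("\\") && !Cleaned.Contains("%"))
                {
                    Cleaned = Path.Combine(Environment.SystemDirectory, Cleaned.Trim());
                }

                return Cleaned;
            }

            try
            {
                Parallel.ForEach(SearchKey.GetSubKeyNames(), (SubKeyName) =>
                {
                    try
                    {
                        // NOTE(review): disposing the keys assumes RegistryKeyToRegistryObject copies what
                        // it needs before returning - confirm against RegistryWalker.
                        using (RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName))
                        {
                            // OpenSubKey returns null when the key disappeared after enumeration; without
                            // this guard the resulting NullReferenceException escapes the filter below.
                            if (CurrentKey == null)
                            {
                                Log.Debug($"Couldn't parse {SubKeyName}");
                                return;
                            }

                            var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey);

                            ComObject comObject = new ComObject()
                            {
                                Key = RegObj,
                            };

                            foreach (string ComDetails in CurrentKey.GetSubKeyNames())
                            {
                                using (var ComKey = CurrentKey.OpenSubKey(ComDetails))
                                {
                                    if (ComKey != null)
                                    {
                                        comObject.Subkeys.Add(RegistryWalker.RegistryKeyToRegistryObject(ComKey));
                                    }
                                }
                            }

                            //Get the information from the InProcServer32 Subkey (for 32 bit)
                            string BinaryPath32 = FindServerPath(comObject, "InprocServer32");
                            if (BinaryPath32 != null)
                            {
                                comObject.x86_Binary     = FileSystemCollector.FilePathToFileSystemObject(BinaryPath32.Trim(), true);
                                comObject.x86_BinaryName = BinaryPath32;
                            }

                            // And the InProcServer64 for 64 bit
                            // NOTE(review): COM usually registers in-process servers of either bitness under
                            // InprocServer32; confirm that InprocServer64 is ever populated on target systems.
                            string BinaryPath64 = FindServerPath(comObject, "InprocServer64");
                            if (BinaryPath64 != null)
                            {
                                comObject.x64_Binary     = FileSystemCollector.FilePathToFileSystemObject(BinaryPath64.Trim(), true);
                                comObject.x64_BinaryName = BinaryPath64;
                            }

                            lock (CollectionGate)
                            {
                                comObjects.Add(comObject);
                            }
                        }
                    }
                    catch (Exception e) when(
                        e is System.Security.SecurityException ||
                        e is ObjectDisposedException ||
                        e is UnauthorizedAccessException ||
                        e is IOException)
                    {
                        // One unreadable registration must not abort the whole collection.
                        Log.Debug($"Couldn't parse {SubKeyName}");
                    }
                });
            }
            catch (Exception e) when(
                e is System.Security.SecurityException ||
                e is ObjectDisposedException ||
                e is UnauthorizedAccessException ||
                e is IOException)
            {
                Log.Debug($"Failing parsing com objects {SearchKey.Name} {e.GetType().ToString()} {e.Message}");
            }

            // Writes happen on the calling thread, after all workers have finished.
            foreach (var comObject in comObjects)
            {
                DatabaseManager.Write(comObject, RunId);
            }
        }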