/// <summary>
/// Uses ServiceController.
/// </summary>
public void ExecuteWindows()
{
System.Management.SelectQuery sQuery = new System.Management.SelectQuery("select * from Win32_Service"); // where name = '{0}'", "MCShield.exe"));
using System.Management.ManagementObjectSearcher mgmtSearcher = new System.Management.ManagementObjectSearcher(sQuery);
foreach (System.Management.ManagementObject service in mgmtSearcher.Get())
{
try
{
var val = service.GetPropertyValue("Name").ToString();
if (val != null)
{
var obj = new ServiceObject(val);
val = service.GetPropertyValue("AcceptPause")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.AcceptPause = bool.Parse(val);
}
val = service.GetPropertyValue("AcceptStop")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.AcceptStop = bool.Parse(val);
}
obj.Caption = service.GetPropertyValue("Caption")?.ToString();
val = service.GetPropertyValue("CheckPoint")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.CheckPoint = uint.Parse(val, CultureInfo.InvariantCulture);
}
obj.CreationClassName = service.GetPropertyValue("CreationClassName")?.ToString();
val = service.GetPropertyValue("DelayedAutoStart")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.DelayedAutoStart = bool.Parse(val);
}
obj.Description = service.GetPropertyValue("Description")?.ToString();
val = service.GetPropertyValue("DesktopInteract")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.DesktopInteract = bool.Parse(val);
}
obj.DisplayName = service.GetPropertyValue("DisplayName")?.ToString();
obj.ErrorControl = service.GetPropertyValue("ErrorControl")?.ToString();
val = service.GetPropertyValue("ExitCode")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.ExitCode = uint.Parse(val, CultureInfo.InvariantCulture);
}
if (DateTime.TryParse(service.GetPropertyValue("InstallDate")?.ToString(), out DateTime dateTime))
{
obj.InstallDate = dateTime;
}
obj.PathName = service.GetPropertyValue("PathName")?.ToString();
val = service.GetPropertyValue("ProcessId")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.ProcessId = uint.Parse(val, CultureInfo.InvariantCulture);
}
val = service.GetPropertyValue("ServiceSpecificExitCode")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.ServiceSpecificExitCode = uint.Parse(val, CultureInfo.InvariantCulture);
}
obj.ServiceType = service.GetPropertyValue("ServiceType")?.ToString();
val = service.GetPropertyValue("Started").ToString();
if (!string.IsNullOrEmpty(val))
{
obj.Started = bool.Parse(val);
}
obj.StartMode = service.GetPropertyValue("StartMode")?.ToString();
obj.StartName = service.GetPropertyValue("StartName")?.ToString();
obj.State = service.GetPropertyValue("State")?.ToString();
obj.Status = service.GetPropertyValue("Status")?.ToString();
obj.SystemCreationClassName = service.GetPropertyValue("SystemCreationClassName")?.ToString();
obj.SystemName = service.GetPropertyValue("SystemName")?.ToString();
val = service.GetPropertyValue("TagId")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.TagId = uint.Parse(val, CultureInfo.InvariantCulture);
}
val = service.GetPropertyValue("WaitHint")?.ToString();
if (!string.IsNullOrEmpty(val))
{
obj.WaitHint = uint.Parse(val, CultureInfo.InvariantCulture);
}
Results.Push(obj);
}
}
catch (Exception e) when(
e is TypeInitializationException ||
e is PlatformNotSupportedException)
{
Log.Warning(Strings.Get("CollectorNotSupportedOnPlatform"), GetType().ToString());
}
}
foreach (var file in DirectoryWalker.WalkDirectory("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"))
{
var name = file.Split(Path.DirectorySeparatorChar)[^ 1];
public override void Execute()
{
if (!CanRunOnPlatform())
{
return;
}
wb = new WriteBuffer(runId);
Start();
if (this.roots == null || this.roots.Count() == 0)
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
foreach (var driveInfo in DriveInfo.GetDrives())
{
if (driveInfo.IsReady && driveInfo.DriveType == DriveType.Fixed)
{
this.roots.Add(driveInfo.Name);
}
}
}
else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
this.roots.Add("/"); // @TODO Improve this
}
else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
{
this.roots.Add("/"); // @TODO Improve this
}
}
foreach (var root in this.roots)
{
Log.Information("{0} root {1}", Strings.Get("Scanning"), root.ToString());
try
{
var fileInfoEnumerable = DirectoryWalker.WalkDirectory(root);
Parallel.ForEach(fileInfoEnumerable,
(fileInfo =>
{
try
{
FileSystemObject obj = null;
if (fileInfo is DirectoryInfo)
{
if (!Filter.IsFiltered(Helpers.RuntimeString(), "Scan", "File", "Path", fileInfo.FullName))
{
obj = new FileSystemObject()
{
Path = fileInfo.FullName,
Permissions = FileSystemUtils.GetFilePermissions(fileInfo)
};
}
}
else
{
if (!Filter.IsFiltered(Helpers.RuntimeString(), "Scan", "File", "Path", fileInfo.FullName))
{
obj = new FileSystemObject()
{
Path = fileInfo.FullName,
Permissions = FileSystemUtils.GetFilePermissions(fileInfo),
Size = (ulong)(fileInfo as FileInfo).Length,
};
if (WindowsFileSystemUtils.NeedsSignature(obj.Path))
{
obj.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(fileInfo.FullName);
obj.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(fileInfo.FullName);
}
if (INCLUDE_CONTENT_HASH)
{
obj.ContentHash = FileSystemUtils.GetFileHash(fileInfo);
}
}
}
if (obj != null)
{
Write(obj);
}
}
catch (Exception ex)
{
Log.Warning(ex, "Error processing {0}", fileInfo?.FullName);
}
}));
}
catch (Exception ex)
{
Log.Warning(ex, "Error collecting file system information: {0}", ex.Message);
}
}
Stop();
DatabaseManager.Commit();
}
public override void ExecuteInternal()
{
if (!roots.Any())
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
foreach (var driveInfo in DriveInfo.GetDrives())
{
if (driveInfo.IsReady && driveInfo.DriveType == DriveType.Fixed)
{
roots.Add(driveInfo.Name);
}
}
}
else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
roots.Add("/");
}
else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
{
roots.Add("/");
}
}
Action <string> IterateOn = Path =>
{
StallIfHighMemoryUsageAndLowMemoryModeEnabled();
Log.Verbose("Started parsing {0}", Path);
FileSystemObject obj = FilePathToFileSystemObject(Path, downloadCloud, INCLUDE_CONTENT_HASH);
if (obj != null)
{
Results.Push(obj);
// TODO: Also try parse .DER as a key
if (Path.EndsWith(".cer", StringComparison.CurrentCulture) ||
Path.EndsWith(".der", StringComparison.CurrentCulture) ||
Path.EndsWith(".p7b", StringComparison.CurrentCulture) ||
Path.EndsWith(".pfx", StringComparison.CurrentCulture))
{
try
{
using var certificate = new X509Certificate2(Path);
var certObj = new CertificateObject(
StoreLocation: StoreLocation.LocalMachine.ToString(),
StoreName: StoreName.Root.ToString(),
Certificate: new SerializableCertificate(certificate));
Results.Push(certObj);
}
catch (Exception e)
{
Log.Verbose($"Could not parse certificate from file: {Path}, {e.GetType().ToString()}");
}
}
}
Log.Verbose("Finished parsing {0}", Path);
};
foreach (var root in roots)
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
var info = new FileInfo(root);
GetDiskFreeSpace(info.Directory.Root.FullName, out uint lpSectorsPerCluster, out uint lpBytesPerSector, out _, out _);
ClusterSizes[info.Directory.Root.FullName] = lpSectorsPerCluster * lpBytesPerSector;
}
Log.Information("{0} root {1}", Strings.Get("Scanning"), root);
var filePathEnumerable = DirectoryWalker.WalkDirectory(root);
if (parallel)
{
filePathEnumerable.AsParallel().ForAll(filePath =>
{
IterateOn(filePath);
});
}
else
{
foreach (var filePath in filePathEnumerable)
{
IterateOn(filePath);
}
}
}
}
