public override void StopRun()
{
watchers.ForEach(x => x.EnableRaisingEvents = false);
// Write each accessed file once.
Parallel.ForEach(filesAccessed, e =>
{
var ToWrite = new FileMonitorObject(e.Value.FullPath)
{
ResultType = RESULT_TYPE.FILEMONITOR,
ChangeType = ChangeTypeStringToChangeType(e.Value.ChangeType.ToString()),
Name = e.Value.Name,
Timestamp = DateTime.Now.ToString("O", CultureInfo.InvariantCulture),
FileSystemObject = fsc.FilePathToFileSystemObject(e.Value.FullPath),
NotifyFilters = NotifyFilters.LastAccess
};
changeHandler(ToWrite);
});
RunStatus = RUN_STATUS.COMPLETED;
}
/// <summary>
/// Parse all the Subkeys of the given SearchKey into ComObjects and returns a list of them
/// </summary>
/// <param name="SearchKey"> The Registry Key to search </param>
/// <param name="View"> The View of the registry to use </param>
public static IEnumerable <CollectObject> ParseComObjects(RegistryKey SearchKey, RegistryView View, bool SingleThreaded = false)
{
if (SearchKey == null)
{
return(new List <CollectObject>());
}
List <ComObject> comObjects = new List <ComObject>();
var fsc = new FileSystemCollector(new CollectorOptions()
{
SingleThread = SingleThreaded
});
Action <string> ParseComObjectsIn = SubKeyName =>
{
try
{
RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName);
var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey, View);
if (RegObj != null)
{
ComObject comObject = new ComObject(RegObj);
foreach (string ComDetails in CurrentKey.GetSubKeyNames())
{
if (ComDetails.Contains("InprocServer32"))
{
var ComKey = CurrentKey.OpenSubKey(ComDetails);
var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View);
string?BinaryPath32 = null;
if (obj != null && obj.Values?.TryGetValue("", out BinaryPath32) is bool successful)
{
if (successful && BinaryPath32 != null)
{
// Clean up cases where some extra spaces are thrown into the start
// (breaks our permission checker)
BinaryPath32 = BinaryPath32.Trim();
// Clean up cases where the binary is quoted (also breaks permission checker)
if (BinaryPath32.StartsWith("\"") && BinaryPath32.EndsWith("\""))
{
BinaryPath32 = BinaryPath32.AsSpan().Slice(1, BinaryPath32.Length - 2).ToString();
}
// Unqualified binary name probably comes from Windows\System32
if (!BinaryPath32.Contains("\\") && !BinaryPath32.Contains("%"))
{
BinaryPath32 = Path.Combine(Environment.SystemDirectory, BinaryPath32.Trim());
}
comObject.x86_Binary = fsc.FilePathToFileSystemObject(BinaryPath32.Trim());
}
}
}
if (ComDetails.Contains("InprocServer64"))
{
var ComKey = CurrentKey.OpenSubKey(ComDetails);
var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View);
string?BinaryPath64 = null;
if (obj != null && obj.Values?.TryGetValue("", out BinaryPath64) is bool successful)
{
if (successful && BinaryPath64 != null)
{
// Clean up cases where some extra spaces are thrown into the start
// (breaks our permission checker)
BinaryPath64 = BinaryPath64.Trim();
// Clean up cases where the binary is quoted (also breaks permission checker)
if (BinaryPath64.StartsWith("\"") && BinaryPath64.EndsWith("\""))
{
BinaryPath64 = BinaryPath64.AsSpan().Slice(1, BinaryPath64.Length - 2).ToString();
}
// Unqualified binary name probably comes from Windows\System32
if (!BinaryPath64.Contains("\\") && !BinaryPath64.Contains("%"))
{
BinaryPath64 = Path.Combine(Environment.SystemDirectory, BinaryPath64.Trim());
}
comObject.x64_Binary = fsc.FilePathToFileSystemObject(BinaryPath64.Trim());
}
}
}
}
comObjects.Add(comObject);
}
}
catch (Exception e) when(
e is System.Security.SecurityException ||
e is ObjectDisposedException ||
e is UnauthorizedAccessException ||
e is IOException)
{
Log.Debug($"Couldn't parse {SubKeyName}");
}
};
try
{
if (SingleThreaded)
{
foreach (var subKey in SearchKey.GetSubKeyNames())
{
ParseComObjectsIn(subKey);
}
}
else
{
SearchKey.GetSubKeyNames().AsParallel().ForAll(subKey => ParseComObjectsIn(subKey));
}
}
catch (Exception e)
{
Log.Debug("Failing parsing com objects {0} {1}", SearchKey.Name, e.GetType());
}
return(comObjects);
}