public override void ExecuteInternal() { foreach (var hive in Hives) { Log.Debug("Starting " + hive.ToString()); if (!Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Hive", "Include", hive.ToString()) && Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Hive", "Exclude", hive.ToString(), out Regex Capturer)) { Log.Debug("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hive.ToString(), Strings.Get("DueToFilter"), Capturer.ToString()); return; } Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Key", "Exclude", hive.ToString()); var registryInfoEnumerable = RegistryWalker.WalkHive(hive); Parallel.ForEach(registryInfoEnumerable, (registryKey => { try { var regObj = RegistryKeyToRegistryObject(registryKey); if (regObj != null) { DatabaseManager.Write(regObj, RunId); } } catch (InvalidOperationException e) { Log.Debug(e, JsonConvert.SerializeObject(registryKey) + " invalid op exept"); } })); Log.Debug("Finished " + hive.ToString()); } }
private void OnChanged(object source, FileSystemEventArgs e) { if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Monitor", "File", "Path", e.FullPath)) { return; } // Inspect the file if (getFileDetails && e.ChangeType != WatcherChangeTypes.Deleted) { // Switch to using Mono here if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) { var unixFileInfo = new Mono.Unix.UnixFileInfo(e.FullPath); var result = unixFileInfo.FileAccessPermissions.ToString(); WriteChange(e, result); return; } if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { // Found this example but it isn't working on osx //FileSecurity fSecurity = File.GetAccessControl(e.FullPath); } } WriteChange(e); customChangeHandler?.Invoke(e); }
public override void ExecuteInternal() { foreach (var hive in Hives) { Log.Debug("Starting " + hive.ToString()); if (!Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Hive", "Include", hive.ToString()) && Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Hive", "Exclude", hive.ToString(), out Regex? Capturer)) { Log.Debug("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hive.ToString(), Strings.Get("DueToFilter"), Capturer?.ToString()); return; } Action <RegistryKey, RegistryView> IterateOn = (registryKey, registryView) => { try { var regObj = RegistryWalker.RegistryKeyToRegistryObject(registryKey, registryView); if (regObj != null) { DatabaseManager.Write(regObj, RunId); } } catch (InvalidOperationException e) { Log.Debug(e, JsonSerializer.Serialize(registryKey) + " invalid op exept"); } }; Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Key", "Exclude", hive.ToString()); var x86_Enumerable = RegistryWalker.WalkHive(hive, RegistryView.Registry32); var x64_Enumerable = RegistryWalker.WalkHive(hive, RegistryView.Registry64); if (Parallelize) { Parallel.ForEach(x86_Enumerable, (registryKey => { IterateOn(registryKey, RegistryView.Registry32); })); Parallel.ForEach(x86_Enumerable, (registryKey => { IterateOn(registryKey, RegistryView.Registry64); })); } else { foreach (var registryKey in x86_Enumerable) { IterateOn(registryKey, RegistryView.Registry32); } foreach (var registryKey in x64_Enumerable) { IterateOn(registryKey, RegistryView.Registry64); } } Log.Debug("Finished " + hive.ToString()); } }
private void OnRenamed(object source, RenamedEventArgs e) { if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Monitor", "File", "Path", e.FullPath)) { return; } WriteRename(e); }
public ActionResult StartMonitoring(string RunId, string Directory, string Extension) { if (RunId != null) { using (var cmd = new SqliteCommand(INSERT_RUN, DatabaseManager.Connection, DatabaseManager.Transaction)) { cmd.Parameters.AddWithValue("@run_id", RunId.Trim()); cmd.Parameters.AddWithValue("@file_system", true); cmd.Parameters.AddWithValue("@ports", false); cmd.Parameters.AddWithValue("@users", false); cmd.Parameters.AddWithValue("@services", false); cmd.Parameters.AddWithValue("@registry", false); cmd.Parameters.AddWithValue("@certificates", false); cmd.Parameters.AddWithValue("@firewall", false); cmd.Parameters.AddWithValue("@comobjects", false); cmd.Parameters.AddWithValue("@type", "monitor"); cmd.Parameters.AddWithValue("@timestamp", DateTime.Now.ToString("o", CultureInfo.InvariantCulture)); cmd.Parameters.AddWithValue("@version", AsaHelpers.GetVersionString()); cmd.Parameters.AddWithValue("@platform", AsaHelpers.GetPlatformString()); try { cmd.ExecuteNonQuery(); DatabaseManager.Commit(); } catch (SqliteException e) { Log.Warning(e.StackTrace); Log.Warning(e.Message); return(Json((int)GUI_ERROR.UNIQUE_ID)); } } MonitorCommandOptions opts = new MonitorCommandOptions { RunId = RunId, EnableFileSystemMonitor = true, MonitoredDirectories = Directory, FilterLocation = "filters.json" }; AttackSurfaceAnalyzerClient.ClearMonitors(); return(Json((int)AttackSurfaceAnalyzerClient.RunGuiMonitorCommand(opts))); } return(Json(-1)); }