private FileSystemObject FileEntryToFileSystemObject(FileEntry fileEntry)
{
var fso = new FileSystemObject(Path: fileEntry.FullPath)
{
Size = fileEntry.Content.Length
};
if (opts.GatherHashes == true)
{
fso.ContentHash = CryptoHelpers.CreateHash(fileEntry.Content);
}
var exeType = FileSystemUtils.GetExecutableType(fileEntry.FullPath, fileEntry.Content);
if (exeType != EXECUTABLE_TYPE.NONE && exeType != EXECUTABLE_TYPE.UNKNOWN)
{
fso.IsExecutable = true;
}
if (exeType == EXECUTABLE_TYPE.WINDOWS)
{
fso.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(fileEntry.FullPath, fileEntry.Content);
fso.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(fileEntry.FullPath, fileEntry.Content);
}
return(fso);
}
public static string GetFileHash(FileSystemInfo fileInfo)
{
if (fileInfo != null)
{
Log.Debug("{0} {1}", Strings.Get("FileHash"), fileInfo.FullName);
string hashValue = null;
try
{
using (var stream = new FileStream(fileInfo.FullName, FileMode.Open, FileAccess.Read))
{
hashValue = CryptoHelpers.CreateHash(stream);
}
}
catch (Exception e) when(
e is ArgumentNullException ||
e is ArgumentException ||
e is NotSupportedException ||
e is FileNotFoundException ||
e is IOException ||
e is System.Security.SecurityException ||
e is DirectoryNotFoundException ||
e is UnauthorizedAccessException ||
e is PathTooLongException ||
e is ArgumentOutOfRangeException)
{
Log.Verbose("{0}: {1} {2}", Strings.Get("Err_UnableToHash"), fileInfo.FullName, e.GetType().ToString());
}
return(hashValue);
}
return(string.Empty);
}
public void WriteRename(RenamedEventArgs obj)
{
var evt = new FileMonitorEvent()
{
ChangeType = ChangeTypeToChangeType(obj.ChangeType),
Path = obj.FullPath,
Name = obj.Name,
OldPath = obj.OldFullPath,
OldName = obj.OldName
};
string timestamp = DateTime.Now.ToString("O");
var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction);
cmd.Parameters.AddWithValue("@run_id", this.runId);
cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(obj.ToString() + timestamp + watcher.NotifyFilter.ToString() + obj.ChangeType.ToString()));
cmd.Parameters.AddWithValue("@timestamp", timestamp);
cmd.Parameters.AddWithValue("@path", obj.FullPath);
cmd.Parameters.AddWithValue("@old_path", obj.OldFullPath ?? "");
cmd.Parameters.AddWithValue("@name", obj.Name ?? "");
cmd.Parameters.AddWithValue("@old_name", obj.OldName ?? "");
cmd.Parameters.AddWithValue("@change_type", ChangeTypeToChangeType(obj.ChangeType));
cmd.Parameters.AddWithValue("@extended_results", "");
cmd.Parameters.AddWithValue("@notify_filters", watcher.NotifyFilter.ToString());
cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(evt));
cmd.ExecuteNonQuery();
}
public void WriteChange(FileSystemEventArgs obj)
{
string timestamp = DateTime.Now.ToString("O");
var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction);
cmd.Parameters.AddWithValue("@run_id", this.runId);
cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(obj.ToString() + timestamp + watcher.NotifyFilter.ToString() + obj.ChangeType.ToString()));
cmd.Parameters.AddWithValue("@timestamp", timestamp);
cmd.Parameters.AddWithValue("@path", obj.FullPath);
cmd.Parameters.AddWithValue("@old_path", "");
cmd.Parameters.AddWithValue("@name", obj.Name);
cmd.Parameters.AddWithValue("@old_name", "");
cmd.Parameters.AddWithValue("@change_type", ChangeTypeStringToChangeType(obj.ChangeType.ToString()));
cmd.Parameters.AddWithValue("@extended_results", "");
cmd.Parameters.AddWithValue("@notify_filters", watcher.NotifyFilter.ToString());
cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(obj));
FileSystemMonitorResult fileSystemObject = new FileSystemMonitorResult()
{
evt = obj,
filter = watcher.NotifyFilter
};
cmd.ExecuteNonQuery();
}
private WriteObject(byte[] SerializedIn, RESULT_TYPE ResultTypeIn, string RunIdIn)
{
_serialized = SerializedIn;
_rowKey = CryptoHelpers.CreateHash(_serialized);
RunId = RunIdIn;
ColObj = JsonUtils.Hydrate(SerializedIn, ResultTypeIn) !;
}
public void WriteChange(FileSystemEventArgs objIn, string details)
{
if (objIn != null)
{
var evt = new FileMonitorEvent()
{
ChangeType = ChangeTypeToChangeType(objIn.ChangeType),
Path = objIn.FullPath,
Name = objIn.Name
};
string timestamp = DateTime.Now.ToString("O", CultureInfo.InvariantCulture);
using var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction);
cmd.Parameters.AddWithValue("@run_id", this.RunId);
cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(objIn.ToString() + timestamp + watcher.NotifyFilter.ToString() + objIn.ChangeType.ToString()));
cmd.Parameters.AddWithValue("@timestamp", timestamp);
cmd.Parameters.AddWithValue("@path", objIn.FullPath);
cmd.Parameters.AddWithValue("@old_path", "");
cmd.Parameters.AddWithValue("@name", objIn.Name);
cmd.Parameters.AddWithValue("@old_name", "");
cmd.Parameters.AddWithValue("@change_type", ChangeTypeToChangeType(objIn.ChangeType));
cmd.Parameters.AddWithValue("@extended_results", details);
cmd.Parameters.AddWithValue("@notify_filters", watcher.NotifyFilter.ToString());
cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(evt));
cmd.ExecuteNonQuery();
}
}
public WriteObject(CollectObject ColObj, string RunId)
{
this.ColObj = ColObj;
this.RunId = RunId;
_serialized = JsonUtils.Dehydrate(ColObj);
_rowKey = CryptoHelpers.CreateHash(_serialized);
}
public WriteObject(CollectObject ColObjIn, string RunIdIn)
{
ColObj = ColObjIn;
RunId = RunIdIn;
_serialized = JsonUtils.Dehydrate(ColObjIn);
_rowKey = CryptoHelpers.CreateHash(_serialized);
}
public WriteObject(CollectObject ColObj, string RunId)
{
if (ColObj == null)
{
throw new ArgumentNullException(nameof(ColObj));
}
this.ColObj = ColObj;
this.RunId = RunId;
_serialized = JsonUtils.Dehydrate(ColObj);
_rowKey = CryptoHelpers.CreateHash(_serialized);
Shard = DatabaseManager.ModuloString(ColObj.Identity);
}
public void Write(StoreLocation storeLocation, StoreName storeName, X509Certificate2 obj)
{
try
{
recordCounter++;
var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction);
cmd.Parameters.AddWithValue("@run_id", runId);
cmd.Parameters.AddWithValue("@store_location", storeLocation.ToString());
cmd.Parameters.AddWithValue("@store_name", storeName.ToString());
cmd.Parameters.AddWithValue("@hash", obj.GetCertHashString());
cmd.Parameters.AddWithValue("@hash_plus_store", obj.GetCertHashString() + storeLocation.ToString() + storeName.ToString());
cmd.Parameters.AddWithValue("@cn", obj.Subject);
if (obj.HasPrivateKey)
{
cmd.Parameters.AddWithValue("@pkcs12", "redacted");
}
else
{
cmd.Parameters.AddWithValue("@pkcs12", obj.Export(X509ContentType.Pfx));
}
cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(runId + recordCounter));
var cert = new CertificateObject()
{
StoreLocation = storeLocation.ToString(),
StoreName = storeName.ToString(),
CertificateHashString = obj.GetCertHashString(),
Subject = obj.Subject
};
cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(cert));
cmd.ExecuteNonQuery();
}
catch (NullReferenceException e)
{
Log.Warning(e.StackTrace);
}
catch (Microsoft.Data.Sqlite.SqliteException e)
{
Log.Warning(e.Message);
//This catches duplicate certificates
}
catch (Exception e)
{
Log.Warning(e.GetType().ToString());
Log.Warning(e.StackTrace);
}
}
protected internal static string GetFileHash(FileSystemInfo fileInfo)
{
Log.Debug("Generating file hash for {0}", fileInfo.FullName);
string hashValue = null;
try
{
using (var stream = new FileStream(fileInfo.FullName, FileMode.Open, FileAccess.Read))
{
hashValue = CryptoHelpers.CreateHash(stream);
}
}
catch (Exception ex)
{
Log.Warning("Unable to take hash of file: {0}: {1}", fileInfo.FullName, ex.Message);
}
return(hashValue);
}
protected internal static string GetFileHash(FileSystemInfo fileInfo)
{
Log.Debug("{0} {1}", Strings.Get("FileHash"), fileInfo.FullName);
string hashValue = null;
try
{
using (var stream = new FileStream(fileInfo.FullName, FileMode.Open, FileAccess.Read))
{
hashValue = CryptoHelpers.CreateHash(stream);
}
}
catch (Exception ex)
{
Log.Warning("{0}: {1} {2}", Strings.Get("Err_UnableToHash"), fileInfo.FullName, ex.Message);
}
return(hashValue);
}
public void Write(RegistryObject obj)
{
try
{
string hashSeed = String.Format("{0}{1}", obj.Key, JsonConvert.SerializeObject(obj));
using (var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction))
{
cmd.Parameters.AddWithValue("@run_id", this.runId);
cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(hashSeed));
cmd.Parameters.AddWithValue("@key", obj.Key);
cmd.Parameters.AddWithValue("@value", JsonConvert.SerializeObject(obj.Values));
cmd.Parameters.AddWithValue("@subkeys", JsonConvert.SerializeObject(obj.Subkeys));
cmd.Parameters.AddWithValue("@permissions", obj.Permissions);
cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(obj));
try
{
cmd.ExecuteNonQuery();
}
catch (Exception e)
{
Log.Debug(e.GetType() + "thrown in registry collector");
Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
}
}
}
catch (Exception)
{
Log.Debug("Had trouble writing {0}", obj.Key);
}
customCrawlHandler?.Invoke(obj);
}
public string GetHash()
{
return(CryptoHelpers.CreateHash(JsonConvert.SerializeObject(this)));
}
public string GetUniqueHash()
{
return(CryptoHelpers.CreateHash(this.ToString()));
}