/// <summary> /// Uses ServiceController. /// </summary> public void ExecuteWindows() { System.Management.SelectQuery sQuery = new System.Management.SelectQuery("select * from Win32_Service"); // where name = '{0}'", "MCShield.exe")); using System.Management.ManagementObjectSearcher mgmtSearcher = new System.Management.ManagementObjectSearcher(sQuery); foreach (System.Management.ManagementObject service in mgmtSearcher.Get()) { try { var val = service.GetPropertyValue("Name").ToString(); if (val != null) { var obj = new ServiceObject(val); val = service.GetPropertyValue("AcceptPause")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.AcceptPause = bool.Parse(val); } val = service.GetPropertyValue("AcceptStop")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.AcceptStop = bool.Parse(val); } obj.Caption = service.GetPropertyValue("Caption")?.ToString(); val = service.GetPropertyValue("CheckPoint")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.CheckPoint = uint.Parse(val, CultureInfo.InvariantCulture); } obj.CreationClassName = service.GetPropertyValue("CreationClassName")?.ToString(); val = service.GetPropertyValue("DelayedAutoStart")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.DelayedAutoStart = bool.Parse(val); } obj.Description = service.GetPropertyValue("Description")?.ToString(); val = service.GetPropertyValue("DesktopInteract")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.DesktopInteract = bool.Parse(val); } obj.DisplayName = service.GetPropertyValue("DisplayName")?.ToString(); obj.ErrorControl = service.GetPropertyValue("ErrorControl")?.ToString(); val = service.GetPropertyValue("ExitCode")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.ExitCode = uint.Parse(val, CultureInfo.InvariantCulture); } if (DateTime.TryParse(service.GetPropertyValue("InstallDate")?.ToString(), out DateTime dateTime)) { obj.InstallDate = dateTime; } obj.PathName = service.GetPropertyValue("PathName")?.ToString(); val = service.GetPropertyValue("ProcessId")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.ProcessId = uint.Parse(val, CultureInfo.InvariantCulture); } val = service.GetPropertyValue("ServiceSpecificExitCode")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.ServiceSpecificExitCode = uint.Parse(val, CultureInfo.InvariantCulture); } obj.ServiceType = service.GetPropertyValue("ServiceType")?.ToString(); val = service.GetPropertyValue("Started").ToString(); if (!string.IsNullOrEmpty(val)) { obj.Started = bool.Parse(val); } obj.StartMode = service.GetPropertyValue("StartMode")?.ToString(); obj.StartName = service.GetPropertyValue("StartName")?.ToString(); obj.State = service.GetPropertyValue("State")?.ToString(); obj.Status = service.GetPropertyValue("Status")?.ToString(); obj.SystemCreationClassName = service.GetPropertyValue("SystemCreationClassName")?.ToString(); obj.SystemName = service.GetPropertyValue("SystemName")?.ToString(); val = service.GetPropertyValue("TagId")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.TagId = uint.Parse(val, CultureInfo.InvariantCulture); } val = service.GetPropertyValue("WaitHint")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.WaitHint = uint.Parse(val, CultureInfo.InvariantCulture); } Results.Push(obj); } } catch (Exception e) when( e is TypeInitializationException || e is PlatformNotSupportedException) { Log.Warning(Strings.Get("CollectorNotSupportedOnPlatform"), GetType().ToString()); } } foreach (var file in DirectoryWalker.WalkDirectory("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")) { var name = file.Split(Path.DirectorySeparatorChar)[^ 1];
public override void Execute() { if (!CanRunOnPlatform()) { return; } wb = new WriteBuffer(runId); Start(); if (this.roots == null || this.roots.Count() == 0) { if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { foreach (var driveInfo in DriveInfo.GetDrives()) { if (driveInfo.IsReady && driveInfo.DriveType == DriveType.Fixed) { this.roots.Add(driveInfo.Name); } } } else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) { this.roots.Add("/"); // @TODO Improve this } else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) { this.roots.Add("/"); // @TODO Improve this } } foreach (var root in this.roots) { Log.Information("{0} root {1}", Strings.Get("Scanning"), root.ToString()); try { var fileInfoEnumerable = DirectoryWalker.WalkDirectory(root); Parallel.ForEach(fileInfoEnumerable, (fileInfo => { try { FileSystemObject obj = null; if (fileInfo is DirectoryInfo) { if (!Filter.IsFiltered(Helpers.RuntimeString(), "Scan", "File", "Path", fileInfo.FullName)) { obj = new FileSystemObject() { Path = fileInfo.FullName, Permissions = FileSystemUtils.GetFilePermissions(fileInfo) }; } } else { if (!Filter.IsFiltered(Helpers.RuntimeString(), "Scan", "File", "Path", fileInfo.FullName)) { obj = new FileSystemObject() { Path = fileInfo.FullName, Permissions = FileSystemUtils.GetFilePermissions(fileInfo), Size = (ulong)(fileInfo as FileInfo).Length, }; if (WindowsFileSystemUtils.NeedsSignature(obj.Path)) { obj.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(fileInfo.FullName); obj.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(fileInfo.FullName); } if (INCLUDE_CONTENT_HASH) { obj.ContentHash = FileSystemUtils.GetFileHash(fileInfo); } } } if (obj != null) { Write(obj); } } catch (Exception ex) { Log.Warning(ex, "Error processing {0}", fileInfo?.FullName); } })); } catch (Exception ex) { Log.Warning(ex, "Error collecting file system information: {0}", ex.Message); } } Stop(); DatabaseManager.Commit(); }
public override void ExecuteInternal() { if (!roots.Any()) { if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { foreach (var driveInfo in DriveInfo.GetDrives()) { if (driveInfo.IsReady && driveInfo.DriveType == DriveType.Fixed) { roots.Add(driveInfo.Name); } } } else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) { roots.Add("/"); } else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) { roots.Add("/"); } } Action <string> IterateOn = Path => { StallIfHighMemoryUsageAndLowMemoryModeEnabled(); Log.Verbose("Started parsing {0}", Path); FileSystemObject obj = FilePathToFileSystemObject(Path, downloadCloud, INCLUDE_CONTENT_HASH); if (obj != null) { Results.Push(obj); // TODO: Also try parse .DER as a key if (Path.EndsWith(".cer", StringComparison.CurrentCulture) || Path.EndsWith(".der", StringComparison.CurrentCulture) || Path.EndsWith(".p7b", StringComparison.CurrentCulture) || Path.EndsWith(".pfx", StringComparison.CurrentCulture)) { try { using var certificate = new X509Certificate2(Path); var certObj = new CertificateObject( StoreLocation: StoreLocation.LocalMachine.ToString(), StoreName: StoreName.Root.ToString(), Certificate: new SerializableCertificate(certificate)); Results.Push(certObj); } catch (Exception e) { Log.Verbose($"Could not parse certificate from file: {Path}, {e.GetType().ToString()}"); } } } Log.Verbose("Finished parsing {0}", Path); }; foreach (var root in roots) { if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { var info = new FileInfo(root); GetDiskFreeSpace(info.Directory.Root.FullName, out uint lpSectorsPerCluster, out uint lpBytesPerSector, out _, out _); ClusterSizes[info.Directory.Root.FullName] = lpSectorsPerCluster * lpBytesPerSector; } Log.Information("{0} root {1}", Strings.Get("Scanning"), root); var filePathEnumerable = DirectoryWalker.WalkDirectory(root); if (parallel) { filePathEnumerable.AsParallel().ForAll(filePath => { IterateOn(filePath); }); } else { foreach (var filePath in filePathEnumerable) { IterateOn(filePath); } } } }