/// <summary>
        ///     Uses ServiceController.
        /// </summary>
        internal void ExecuteWindows(CancellationToken cancellationToken)
        {
            try
            {
                SelectQuery sQuery = new SelectQuery("select * from Win32_Service"); // where name = '{0}'", "MCShield.exe"));
                using ManagementObjectSearcher mgmtSearcher = new ManagementObjectSearcher(sQuery);

                if (opts.SingleThread)
                {
                    foreach (ManagementObject service in mgmtSearcher.Get())
                    {
                        if (cancellationToken.IsCancellationRequested)
                        {
                            return;
                        }

                        ProcessManagementObject(service);
                    }
                }
                else
                {
                    var list = new List <ManagementObject>();

                    foreach (ManagementObject service in mgmtSearcher.Get())
                    {
                        list.Add(service);
                    }
                    ParallelOptions po = new ParallelOptions()
                    {
                        CancellationToken = cancellationToken
                    };
                    Parallel.ForEach(list, po, x => ProcessManagementObject(x));
                }
            }
            catch (Exception e)
            {
                Log.Warning(e, "Failed to run Service Collector.");
            }

            var fsc = new FileSystemCollector(new CollectorOptions()
            {
                SingleThread = opts.SingleThread
            });

            foreach (var file in Directory.EnumerateFiles("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"))
            {
                var name = file.Split(Path.DirectorySeparatorChar)[^ 1];
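        /// <summary>
        /// Builds one <see cref="FileSystemWatcher"/> per (directory, notify filter) pair over the configured
        /// directories — or over the collector's roots when none were configured — and wires each watcher's
        /// Changed/Created/Deleted/Renamed events to the handlers selected for that filter.
        /// </summary>
        /// <param name="opts">Monitor options; when null a default <see cref="MonitorCommandOptions"/> is used.</param>
        /// <param name="changeHandler">Callback invoked for every observed change.</param>
        /// <exception cref="ArgumentNullException"><paramref name="changeHandler"/> is null.</exception>
        public FileSystemMonitor(MonitorCommandOptions opts, Action <FileMonitorObject> changeHandler)
        {
            options = opts ?? new MonitorCommandOptions();
            // A missing handler is a caller error: report it as an argument problem rather than
            // raising NullReferenceException, which the runtime reserves for real null dereferences.
            this.changeHandler = changeHandler ?? throw new ArgumentNullException(nameof(changeHandler));

            fsc = new FileSystemCollector(new CollectorOptions()
            {
                DownloadCloud = false,
                GatherHashes  = options.GatherHashes,
            });

            // options is non-null at this point; fall back to the collector's roots when the caller
            // did not restrict monitoring to specific directories.
            var directories = options.MonitoredDirectories?.Any() is true
                ? options.MonitoredDirectories
                : fsc.Roots.ToArray();

            foreach (var dir in directories)
            {
                foreach (var filter in defaultFiltersList)
                {
                    var watcher = new FileSystemWatcher
                    {
                        Path                  = dir,
                        NotifyFilter          = filter,
                        IncludeSubdirectories = true,
                    };

                    // Changed, Created and Deleted all raise FileSystemEventArgs, so one handler serves all three.
                    var changeOrDeleteHandler = GetFunctionForFilterType(filter);
                    watcher.Changed += changeOrDeleteHandler;
                    watcher.Created += changeOrDeleteHandler;
                    watcher.Deleted += changeOrDeleteHandler;

                    // Renamed raises RenamedEventArgs and therefore needs its own handler.
                    watcher.Renamed += GetRenamedFunctionForFilterType(filter);

                    // NOTE(review): EnableRaisingEvents is not set here, so watching presumably starts
                    // elsewhere (a Start method?) — confirm.
                    watchers.Add(watcher);
                }
            }
        }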
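        /// <summary>
        /// Walks every subkey of <paramref name="SearchKey"/>, builds a <see cref="ComObject"/> from each one
        /// together with its subkeys, resolves the server binary named by its InprocServer32 and
        /// InprocServer64 subkeys, and writes the results to the database for <c>RunId</c>.
        /// </summary>
        /// <param name="SearchKey">The registry key whose subkeys hold COM registrations; null is a no-op.</param>
        /// <param name="View">The registry view the keys were opened in.</param>
        public void ParseComObjects(RegistryKey SearchKey, RegistryView View)
        {
            if (SearchKey == null)
            {
                return;
            }

            List <ComObject> comObjects = new List <ComObject>();
            // Every parallel worker appends to comObjects, and List<T> is not safe for concurrent
            // writers, so each Add is serialized on this gate.
            object gate = new object();

            // Turns the raw default value of an Inproc server key into a path the permission checker
            // can open: surrounding whitespace and quotes are stripped, and a bare file name (no
            // backslash, no environment variable) is assumed to live in the system directory.
            static string NormalizeBinaryPath(string rawPath)
            {
                var path = rawPath.Trim();
                // The length check guards the lone '"' case, where Substring would throw.
                if (path.Length >= 2 && path[0] == '"' && path[path.Length - 1] == '"')
                {
                    path = path.Substring(1, path.Length - 2).Trim();
                }
                if (!path.Contains("\\") && !path.Contains("%"))
                {
                    path = Path.Combine(Environment.SystemDirectory, path);
                }
                return path;
            }

            // Returns the normalized server path stored as the default value of the first subkey whose
            // name contains subkeyNameFragment, or null when there is no such subkey or no default value.
            static string? ServerBinaryPath(ComObject comObject, string subkeyNameFragment)
            {
                var serverKey = comObject.Subkeys.FirstOrDefault(x => x.Key.Contains(subkeyNameFragment));
                if (serverKey?.Values != null && serverKey.Values.TryGetValue("", out var rawPath) && rawPath != null)
                {
                    return NormalizeBinaryPath(rawPath);
                }
                return null;
            }

            try
            {
                Parallel.ForEach(SearchKey.GetSubKeyNames(), (SubKeyName) =>
                {
                    try
                    {
                        // OpenSubKey returns null when the key disappeared or is not readable.
                        // NOTE(review): disposing here assumes RegistryKeyToRegistryObject copies what it
                        // needs out of the key rather than keeping the handle — confirm.
                        using RegistryKey? CurrentKey = SearchKey.OpenSubKey(SubKeyName);
                        if (CurrentKey == null)
                        {
                            return;
                        }

                        var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey, View);
                        if (RegObj == null)
                        {
                            return;
                        }

                        ComObject comObject = new ComObject(RegObj);

                        foreach (string ComDetails in CurrentKey.GetSubKeyNames())
                        {
                            // Registry keys wrap handles; release each one once it has been converted.
                            using var ComKey = CurrentKey.OpenSubKey(ComDetails);
                            if (ComKey == null)
                            {
                                continue;
                            }
                            var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View);
                            if (obj != null)
                            {
                                comObject.AddSubKey(obj);
                            }
                        }

                        // 32-bit server binary from the InprocServer32 subkey
                        var BinaryPath32 = ServerBinaryPath(comObject, "InprocServer32");
                        if (BinaryPath32 != null)
                        {
                            comObject.x86_Binary     = FileSystemCollector.FilePathToFileSystemObject(BinaryPath32, true);
                            comObject.x86_BinaryName = BinaryPath32;
                        }

                        // 64-bit server binary from the InprocServer64 subkey
                        // NOTE(review): a subkey literally named InprocServer64 is unusual — 64-bit servers are
                        // normally registered under InprocServer32 in the 64-bit view — confirm this is intended.
                        var BinaryPath64 = ServerBinaryPath(comObject, "InprocServer64");
                        if (BinaryPath64 != null)
                        {
                            comObject.x64_Binary     = FileSystemCollector.FilePathToFileSystemObject(BinaryPath64, true);
                            comObject.x64_BinaryName = BinaryPath64;
                        }

                        lock (gate)
                        {
                            comObjects.Add(comObject);
                        }
                    }
                    catch (Exception e) when(
                        e is System.Security.SecurityException ||
                        e is ObjectDisposedException ||
                        e is UnauthorizedAccessException ||
                        e is IOException)
                    {
                        Log.Debug($"Couldn't parse {SubKeyName}");
                    }
                });
            }
            // Anything a worker does not filter above surfaces here wrapped in an AggregateException,
            // which this filter deliberately does not match, so such failures still propagate.
            catch (Exception e) when(
                e is System.Security.SecurityException ||
                e is ObjectDisposedException ||
                e is UnauthorizedAccessException ||
                e is IOException)
            {
                Log.Debug($"Failing parsing com objects {SearchKey.Name} {e.GetType().ToString()} {e.Message}");
            }

            foreach (var comObject in comObjects)
            {
                DatabaseManager.Write(comObject, RunId);
            }
        }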
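        /// <summary>
        /// Parse all the Subkeys of the given SearchKey into ComObjects and returns a list of them
        /// </summary>
        /// <param name="SearchKey">The Registry Key to search; null yields an empty sequence</param>
        /// <param name="View">The View of the registry to use</param>
        /// <param name="SingleThreaded">True to process the subkeys one at a time, false to process them in parallel</param>
        /// <returns>One ComObject per subkey that could be opened and converted; unreadable subkeys are logged and skipped</returns>
        public static IEnumerable <CollectObject> ParseComObjects(RegistryKey SearchKey, RegistryView View, bool SingleThreaded = false)
        {
            if (SearchKey == null)
            {
                return new List <CollectObject>();
            }

            List <ComObject> comObjects = new List <ComObject>();
            // In the parallel branch every worker appends to comObjects, which List<T> does not
            // support concurrently, so each Add is serialized on this gate.
            object gate = new object();

            var fsc = new FileSystemCollector(new CollectCommandOptions()
            {
                SingleThread = SingleThreaded
            });

            // Turns the raw default value of an Inproc server key into a path the permission checker
            // can open: surrounding whitespace and quotes are stripped, and a bare file name (no
            // backslash, no environment variable) is assumed to live in the system directory.
            static string NormalizeBinaryPath(string rawPath)
            {
                var path = rawPath.Trim();
                // The length check guards the lone '"' case, where Substring would throw.
                if (path.Length >= 2 && path[0] == '"' && path[path.Length - 1] == '"')
                {
                    path = path.Substring(1, path.Length - 2).Trim();
                }
                if (!path.Contains("\\") && !path.Contains("%"))
                {
                    path = Path.Combine(Environment.SystemDirectory, path);
                }
                return path;
            }

            // Opens the server subkey ComDetails under CurrentKey and returns its normalized default
            // value, or null when the key can't be opened or converted or has no default value.
            string? ServerBinaryPath(RegistryKey CurrentKey, string ComDetails)
            {
                // Registry keys wrap handles; release this one as soon as it has been converted.
                using var ComKey = CurrentKey.OpenSubKey(ComDetails);
                if (ComKey == null)
                {
                    return null;
                }
                var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View);
                if (obj?.Values != null && obj.Values.TryGetValue("", out var rawPath) && rawPath != null)
                {
                    return NormalizeBinaryPath(rawPath);
                }
                return null;
            }

            // Converts one subkey of SearchKey into a ComObject and appends it to comObjects.
            void ParseComObjectsIn(string SubKeyName)
            {
                try
                {
                    // OpenSubKey returns null when the key disappeared or is not readable.
                    // NOTE(review): disposing here assumes RegistryKeyToRegistryObject copies what it
                    // needs out of the key rather than keeping the handle — confirm.
                    using var CurrentKey = SearchKey.OpenSubKey(SubKeyName);
                    if (CurrentKey == null)
                    {
                        return;
                    }

                    var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey, View);
                    if (RegObj == null)
                    {
                        return;
                    }

                    ComObject comObject = new ComObject(RegObj);

                    foreach (string ComDetails in CurrentKey.GetSubKeyNames())
                    {
                        // 32-bit server binary from the InprocServer32 subkey
                        if (ComDetails.Contains("InprocServer32"))
                        {
                            var BinaryPath32 = ServerBinaryPath(CurrentKey, ComDetails);
                            if (BinaryPath32 != null)
                            {
                                comObject.x86_Binary = fsc.FilePathToFileSystemObject(BinaryPath32);
                            }
                        }
                        // 64-bit server binary from the InprocServer64 subkey
                        // NOTE(review): a subkey literally named InprocServer64 is unusual — 64-bit servers are
                        // normally registered under InprocServer32 in the 64-bit view — confirm this is intended.
                        if (ComDetails.Contains("InprocServer64"))
                        {
                            var BinaryPath64 = ServerBinaryPath(CurrentKey, ComDetails);
                            if (BinaryPath64 != null)
                            {
                                comObject.x64_Binary = fsc.FilePathToFileSystemObject(BinaryPath64);
                            }
                        }
                    }

                    lock (gate)
                    {
                        comObjects.Add(comObject);
                    }
                }
                catch (Exception e) when(
                    e is System.Security.SecurityException ||
                    e is ObjectDisposedException ||
                    e is UnauthorizedAccessException ||
                    e is IOException)
                {
                    Log.Debug($"Couldn't parse {SubKeyName}");
                }
            }

            try
            {
                if (SingleThreaded)
                {
                    foreach (var subKey in SearchKey.GetSubKeyNames())
                    {
                        ParseComObjectsIn(subKey);
                    }
                }
                else
                {
                    SearchKey.GetSubKeyNames().AsParallel().ForAll(subKey => ParseComObjectsIn(subKey));
                }
            }
            catch (Exception e)
            {
                Log.Debug("Failing parsing com objects {0} {1}", SearchKey.Name, e.GetType());
            }

            return comObjects;
        }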
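        /// <summary>
        /// Walks every subkey of <paramref name="SearchKey"/>, builds a <see cref="ComObject"/> from each one
        /// and its subkeys, resolves the 32- and 64-bit server binaries named by the InprocServer32 /
        /// InprocServer64 subkeys, and writes each object to the database for <c>runId</c>.
        /// </summary>
        /// <param name="SearchKey">The registry key whose subkeys hold COM registrations; null is a no-op.</param>
        public void ParseComObjects(RegistryKey SearchKey)
        {
            if (SearchKey == null)
            {
                return;
            }

            // Turns the raw default value of an Inproc server key into a path the permission checker
            // can open: surrounding whitespace and quotes are stripped, and a bare file name (no
            // backslash, no environment variable) is assumed to live in the system directory.
            string NormalizeBinaryPath(string rawPath)
            {
                var path = rawPath.Trim();
                // The length check guards the lone '"' case, where Substring would throw.
                if (path.Length >= 2 && path[0] == '"' && path[path.Length - 1] == '"')
                {
                    path = path.Substring(1, path.Length - 2).Trim();
                }
                if (!path.Contains("\\") && !path.Contains("%"))
                {
                    path = Path.Combine(Environment.SystemDirectory, path);
                }
                return path;
            }

            // Looks up the first subkey whose name contains subkeyNameFragment and hands back its
            // normalized default value; false when there is no such subkey or no default value.
            // The subkey list is queried once instead of three times per lookup.
            bool TryGetServerBinaryPath(ComObject comObject, string subkeyNameFragment, out string binaryPath)
            {
                var serverKey = comObject.Subkeys.FirstOrDefault(x => x.Key.Contains(subkeyNameFragment));
                if (serverKey != null && serverKey.Values.TryGetValue("", out var rawPath) && rawPath != null)
                {
                    binaryPath = NormalizeBinaryPath(rawPath);
                    return true;
                }
                binaryPath = string.Empty;
                return false;
            }

            foreach (string SubKeyName in SearchKey.GetSubKeyNames())
            {
                try
                {
                    // OpenSubKey returns null when the key disappeared or is not readable.
                    // NOTE(review): disposing here assumes RegistryKeyToRegistryObject copies what it
                    // needs out of the key rather than keeping the handle — confirm.
                    using (RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName))
                    {
                        if (CurrentKey == null)
                        {
                            continue;
                        }

                        ComObject comObject = new ComObject()
                        {
                            Key     = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey),
                            Subkeys = new List <RegistryObject>()
                        };

                        foreach (string ComDetails in CurrentKey.GetSubKeyNames())
                        {
                            // Registry keys wrap handles; release each one once it has been converted.
                            using (var ComKey = CurrentKey.OpenSubKey(ComDetails))
                            {
                                if (ComKey == null)
                                {
                                    continue;
                                }
                                var subKeyObject = RegistryWalker.RegistryKeyToRegistryObject(ComKey);
                                // A null entry would fail the Key lookups below and lose the whole object.
                                if (subKeyObject != null)
                                {
                                    comObject.Subkeys.Add(subKeyObject);
                                }
                            }
                        }

                        // 32-bit server binary from the InprocServer32 subkey
                        if (TryGetServerBinaryPath(comObject, "InprocServer32", out var BinaryPath32))
                        {
                            comObject.x86_Binary     = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(BinaryPath32), true);
                            comObject.x86_BinaryName = BinaryPath32;
                        }

                        // 64-bit server binary from the InprocServer64 subkey
                        // NOTE(review): a subkey literally named InprocServer64 is unusual — 64-bit servers are
                        // normally registered under InprocServer32 in the 64-bit view — confirm this is intended.
                        if (TryGetServerBinaryPath(comObject, "InprocServer64", out var BinaryPath64))
                        {
                            comObject.x64_Binary     = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(BinaryPath64), true);
                            comObject.x64_BinaryName = BinaryPath64;
                        }

                        DatabaseManager.Write(comObject, runId);
                    }
                }
                catch (Exception e)
                {
                    Log.Debug(e, "Couldn't parse {0}", SubKeyName);
                }
            }
        }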
        /// <summary>
        /// Uses ServiceController.
        /// </summary>
        public void ExecuteWindows()
        {
            try
            {
                System.Management.SelectQuery sQuery = new System.Management.SelectQuery("select * from Win32_Service"); // where name = '{0}'", "MCShield.exe"));
                using System.Management.ManagementObjectSearcher mgmtSearcher = new System.Management.ManagementObjectSearcher(sQuery);
                foreach (System.Management.ManagementObject service in mgmtSearcher.Get())
                {
                    try
                    {
                        var val = service.GetPropertyValue("Name").ToString();
                        if (val != null)
                        {
                            var obj = new ServiceObject(val);

                            val = service.GetPropertyValue("AcceptPause")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.AcceptPause = bool.Parse(val);
                            }

                            val = service.GetPropertyValue("AcceptStop")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.AcceptStop = bool.Parse(val);
                            }

                            obj.Caption = service.GetPropertyValue("Caption")?.ToString();

                            val = service.GetPropertyValue("CheckPoint")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.CheckPoint = uint.Parse(val, CultureInfo.InvariantCulture);
                            }

                            obj.CreationClassName = service.GetPropertyValue("CreationClassName")?.ToString();

                            val = service.GetPropertyValue("DelayedAutoStart")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.DelayedAutoStart = bool.Parse(val);
                            }

                            obj.Description = service.GetPropertyValue("Description")?.ToString();

                            val = service.GetPropertyValue("DesktopInteract")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.DesktopInteract = bool.Parse(val);
                            }

                            obj.DisplayName  = service.GetPropertyValue("DisplayName")?.ToString();
                            obj.ErrorControl = service.GetPropertyValue("ErrorControl")?.ToString();

                            val = service.GetPropertyValue("ExitCode")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.ExitCode = uint.Parse(val, CultureInfo.InvariantCulture);
                            }

                            if (DateTime.TryParse(service.GetPropertyValue("InstallDate")?.ToString(), out DateTime dateTime))
                            {
                                obj.InstallDate = dateTime;
                            }
                            obj.PathName = service.GetPropertyValue("PathName")?.ToString();

                            val = service.GetPropertyValue("ProcessId")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.ProcessId = uint.Parse(val, CultureInfo.InvariantCulture);
                            }

                            val = service.GetPropertyValue("ServiceSpecificExitCode")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.ServiceSpecificExitCode = uint.Parse(val, CultureInfo.InvariantCulture);
                            }

                            obj.ServiceType = service.GetPropertyValue("ServiceType")?.ToString();

                            val = service.GetPropertyValue("Started").ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.Started = bool.Parse(val);
                            }

                            obj.StartMode = service.GetPropertyValue("StartMode")?.ToString();
                            obj.StartName = service.GetPropertyValue("StartName")?.ToString();
                            obj.State     = service.GetPropertyValue("State")?.ToString();
                            obj.Status    = service.GetPropertyValue("Status")?.ToString();
                            obj.SystemCreationClassName = service.GetPropertyValue("SystemCreationClassName")?.ToString();
                            obj.SystemName = service.GetPropertyValue("SystemName")?.ToString();

                            val = service.GetPropertyValue("TagId")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.TagId = uint.Parse(val, CultureInfo.InvariantCulture);
                            }

                            val = service.GetPropertyValue("WaitHint")?.ToString();
                            if (!string.IsNullOrEmpty(val))
                            {
                                obj.WaitHint = uint.Parse(val, CultureInfo.InvariantCulture);
                            }

                            Results.Push(obj);
                        }
                    }
                    catch (Exception e) when(
                        e is TypeInitializationException ||
                        e is PlatformNotSupportedException)
                    {
                        Log.Warning(Strings.Get("CollectorNotSupportedOnPlatform"), GetType().ToString());
                    }
                    catch (Exception e)
                    {
                        Log.Warning(e, "Failed to grok Service Collector object at {0}.", service.Path);
                    }
                }
            }
            catch (Exception e)
            {
                Log.Warning(e, "Failed to run Service Collector.");
            }

            var fsc = new FileSystemCollector(new CollectCommandOptions()
            {
                SingleThread = opts.SingleThread
            });

            foreach (var file in Directory.EnumerateFiles("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"))
            {
                var name = file.Split(Path.DirectorySeparatorChar)[^ 1];