public static void PopulateDB(DotNetBinary dnb)
{
try
{
SetConnection();
m_dbConnection.Open();
string sql = "SELECT * FROM " + dbName + " WHERE hash = '" + dnb.hash + "' AND application = '" + dnb.application + "';";
SQLiteCommand command = new SQLiteCommand(sql, m_dbConnection);
SQLiteDataReader reader = command.ExecuteReader();
// check if we've seen this file before (in terms of hash and file location). If not, add it to the db
if (!reader.HasRows)
{
sql = "INSERT into " + dbName + " (name, application, hash, numSQLi, numCodEx, numFileEx, numInfoLeak, numXSS, numRedirect, numXPath, numLDAP) values ('" + dnb.name + "','" + dnb.application + "','" + dnb.hash + "'," + dnb.numSQLi + "," + dnb.numCodEx + "," + dnb.numFileEx + "," + dnb.numInfoLeak + "," + dnb.numXSS + "," + dnb.numRedirect + "," + dnb.numXPath + "," + dnb.numLDAP + ")";
ExecuteQuery(sql);
}
}
catch (Exception e)
{
System.Windows.Forms.MessageBox.Show(e.ToString());
}
}
public static bool seenBefore(DotNetBinary dnb)
{
SetConnection();
m_dbConnection.Open();
string sql = "SELECT * FROM " + dbName + " WHERE hash = '" + dnb.hash + "' AND application = '" + dnb.application + "';";
SQLiteCommand command = new SQLiteCommand(sql, m_dbConnection);
SQLiteDataReader reader = command.ExecuteReader();
return(reader.HasRows);
}
// extract bug classes and number of bugs where > 0
public static string getBugs(DotNetBinary dnb)
{
string retstring = "";
retstring += (dnb.numCodEx > 0) ? "CodeExecution:" + dnb.numCodEx + "," : "";
retstring += (dnb.numFileEx > 0) ? "FileCanonicalisation:" + dnb.numFileEx + "," : "";
retstring += (dnb.numInfoLeak > 0) ? "InfoLeak:" + dnb.numInfoLeak + "," : "";
retstring += (dnb.numLDAP > 0) ? "LDAPi:" + dnb.numLDAP + "," : "";
retstring += (dnb.numRedirect > 0) ? "Redirect:" + dnb.numRedirect + "," : "";
retstring += (dnb.numSQLi > 0) ? "SQLi:" + dnb.numSQLi + "," : "";
retstring += (dnb.numXPath > 0) ? "XPathi:" + dnb.numXPath + "," : "";
retstring += (dnb.numXSS > 0) ? "XSS:" + dnb.numXSS + "," : "";
retstring = retstring.Substring(0, retstring.Length - 1);
return(retstring);
}
public static void PopulateDB(DotNetBinary dnb)
{
try
{
SetConnection();
m_dbConnection.Open();
string sql = "SELECT * FROM " + dbName + " WHERE hash = '" + dnb.hash + "' AND application = '" + dnb.application + "';";
SQLiteCommand command = new SQLiteCommand(sql, m_dbConnection);
SQLiteDataReader reader = command.ExecuteReader();
// check if we've seen this file before (in terms of hash and file location). If not, add it to the db
if (!reader.HasRows)
{
sql = "INSERT into " + dbName + " (name, application, hash, numSQLi, numCodEx, numFileEx, numInfoLeak, numXSS, numRedirect, numXPath, numLDAP) values ('" + dnb.name + "','" + dnb.application + "','" + dnb.hash + "'," + dnb.numSQLi + "," + dnb.numCodEx + "," + dnb.numFileEx + "," + dnb.numInfoLeak + "," + dnb.numXSS + "," + dnb.numRedirect + "," + dnb.numXPath + "," + dnb.numLDAP + ")";
ExecuteQuery(sql);
}
}
catch (Exception e)
{
System.Windows.Forms.MessageBox.Show(e.ToString());
}
}
// extract bug classes and number of bugs where > 0
public static string getBugs(DotNetBinary dnb)
{
string retstring = "";
retstring += (dnb.numCodEx > 0) ? "CodeExecution:" + dnb.numCodEx + "," : "";
retstring += (dnb.numFileEx > 0) ? "FileCanonicalisation:" + dnb.numFileEx + "," : "";
retstring += (dnb.numInfoLeak > 0) ? "InfoLeak:" + dnb.numInfoLeak + "," : "";
retstring += (dnb.numLDAP > 0) ? "LDAPi:" + dnb.numLDAP + "," : "";
retstring += (dnb.numRedirect > 0) ? "Redirect:" + dnb.numRedirect + "," : "";
retstring += (dnb.numSQLi > 0) ? "SQLi:" + dnb.numSQLi + "," : "";
retstring += (dnb.numXPath > 0) ? "XPathi:" + dnb.numXPath + "," : "";
retstring += (dnb.numXSS > 0) ? "XSS:" + dnb.numXSS + "," : "";
retstring = retstring.Substring(0, retstring.Length - 1);
return retstring;
}
public void TraverseAndRun(string root, string binary, string rules, string dest)
{
label1.Text = "Enumerating .NET EXE and DLL Files...";
label1.Refresh();
DotNetBinary dnb = new DotNetBinary();
try
{
// enumerate all .NET dll and exe files in the given directory
var dotNetFiles = from file in Directory.EnumerateFiles(root, "*.*", SearchOption.AllDirectories)
where (isDotNet(file, "_CorDllMain") && file.EndsWith(".dll")) || (isDotNet(file, "_CorExeMain") && file.EndsWith(".exe"))
select new
{
File = file
};
label1.Text = "Enumerating Files... Complete. Found " + dotNetFiles.Count().ToString() + " files.";
label1.Refresh();
// only continue if we found >= 1 file
if (dotNetFiles.Count() != 0)
{
int count = 0;
progressBar1.Step = (int)(progressBar1.Maximum / dotNetFiles.Count());
// calculate the given CAT.NET timeout (how long before CAT gives up on processing a binary)
int timeout;
bool isNumeric = int.TryParse(CATtimeout.Text, out timeout);
if (isNumeric)
{
timeout = timeout * 1000 * 60;
}
else
{
timeout = 300000;
}
List<string> errorFiles = new List<string>();
foreach (var f in dotNetFiles)
{
System.IO.FileInfo fi = new System.IO.FileInfo(f.File);
string filePath = dest + "\\" + fi.Name;
ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.CreateNoWindow = true;
startInfo.UseShellExecute = false;
startInfo.FileName = "\"" + binary + "\"";
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
startInfo.Arguments = "/file:" + "\"" + f.File + "\"" + rules + " /report:\"" + filePath + "\"" + ".xml" + " /reportxsloutput:\"" + filePath + "\"" + ".html";
label1.Text = "Processing " + fi.Name + " : " + (++count).ToString() + " of " + dotNetFiles.Count().ToString();
label1.Refresh();
dnb.hash = hashFile(fi);
dnb.name = fi.Name;
dnb.application = Path.GetDirectoryName(f.File);
// only run CAT.NET on the binary if we haven't done so before
if (!DbFuncs.seenBefore(dnb))
{
try
{
// Start the process with the info we specified. Call WaitForExit and then the using statement will close.
using (Process exeProcess = Process.Start(startInfo))
{
// give the process 5 minutes runtime before we kill it and move on to the next file
bool cleanExit = exeProcess.WaitForExit(timeout); // default is 300000
label1.Text = "Timeout reached. Moving to next file.";
if (!cleanExit)
{
exeProcess.Kill();
label1.Text = "Timout reached and process kill forced. Moving to next file.";
errorFiles.Add(fi.Name);
}
else
{
label1.Text = " ";
label1.Refresh();
// add the file to our TreeNode
TreeNode[] results = parseXML(filePath + ".xml");
TreeNode treeNode = new TreeNode(f.File.ToString(), results);
treeView1.Nodes.Add(treeNode);
treeView1.Refresh();
foreach (TreeNode tn in results)
{
string[] s = tn.Text.Split(':');
Console.Write(s[0] + " " + s[1]);
if (s[0].Equals("SQLi")) { int.TryParse(s[1], out dnb.numSQLi); }
if (s[0].Equals("Command Execution")) { int.TryParse(s[1], out dnb.numCodEx); }
if (s[0].Equals("File Canonicalisation")) { int.TryParse(s[1], out dnb.numFileEx); }
if (s[0].Equals("Info Leak")) { int.TryParse(s[1], out dnb.numInfoLeak); }
if (s[0].Equals("XSS")) { int.TryParse(s[1], out dnb.numXSS); }
if (s[0].Equals("User Redirection")) { int.TryParse(s[1], out dnb.numRedirect); }
if (s[0].Equals("XPath Injection")) { int.TryParse(s[1], out dnb.numXPath); }
if (s[0].Equals("LDAP Injection")) { int.TryParse(s[1], out dnb.numLDAP); }
}
// add the results to the database
DbFuncs.PopulateDB(dnb);
// refresh the datagrid
dataGridView1.DataSource = DbFuncs.DumpDB().Tables[0].DefaultView;
}
}
}
// error either opening file or running CAT.NET on that file.
catch
{
errorFiles.Add(fi.Name);
}
}
else
{
label1.Text = "Seen this file before; moving to next file...";
}
progressBar1.PerformStep();
progressBar1.Refresh();
}
progressBar1.Step = progressBar1.Maximum;
progressBar1.PerformStep();
progressBar1.Refresh();
label1.Text = "Finished.";
if (errorFiles.Count > 0)
{
string errors = "There were errors processing the following files.\nTry again with a longer CAT timeout:\n" + string.Join("\n", errorFiles.ToArray());
MessageBox.Show(errors);
}
}
}
catch(Exception e)
{
// e.g. some sort of dir/file exception
MessageBox.Show(e.ToString());
}
}
public static bool seenBefore(DotNetBinary dnb)
{
SetConnection();
m_dbConnection.Open();
string sql = "SELECT * FROM " + dbName + " WHERE hash = '" + dnb.hash + "' AND application = '" + dnb.application + "';";
SQLiteCommand command = new SQLiteCommand(sql, m_dbConnection);
SQLiteDataReader reader = command.ExecuteReader();
return reader.HasRows;
}
public void TraverseAndRun(string root, string binary, string rules, string dest)
{
label1.Text = "Enumerating .NET EXE and DLL Files...";
label1.Refresh();
DotNetBinary dnb = new DotNetBinary();
try
{
// enumerate all .NET dll and exe files in the given directory
var dotNetFiles = from file in Directory.EnumerateFiles(root, "*.*", SearchOption.AllDirectories)
where (isDotNet(file, "_CorDllMain") && file.EndsWith(".dll")) || (isDotNet(file, "_CorExeMain") && file.EndsWith(".exe"))
select new
{
File = file
};
label1.Text = "Enumerating Files... Complete. Found " + dotNetFiles.Count().ToString() + " files.";
label1.Refresh();
// only continue if we found >= 1 file
if (dotNetFiles.Count() != 0)
{
int count = 0;
progressBar1.Step = (int)(progressBar1.Maximum / dotNetFiles.Count());
// calculate the given CAT.NET timeout (how long before CAT gives up on processing a binary)
int timeout;
bool isNumeric = int.TryParse(CATtimeout.Text, out timeout);
if (isNumeric)
{
timeout = timeout * 1000 * 60;
}
else
{
timeout = 300000;
}
List <string> errorFiles = new List <string>();
foreach (var f in dotNetFiles)
{
System.IO.FileInfo fi = new System.IO.FileInfo(f.File);
string filePath = dest + "\\" + fi.Name;
ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.CreateNoWindow = true;
startInfo.UseShellExecute = false;
startInfo.FileName = "\"" + binary + "\"";
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
startInfo.Arguments = "/file:" + "\"" + f.File + "\"" + rules + " /report:\"" + filePath + "\"" + ".xml" + " /reportxsloutput:\"" + filePath + "\"" + ".html";
label1.Text = "Processing " + fi.Name + " : " + (++count).ToString() + " of " + dotNetFiles.Count().ToString();
label1.Refresh();
dnb.hash = hashFile(fi);
dnb.name = fi.Name;
dnb.application = Path.GetDirectoryName(f.File);
// only run CAT.NET on the binary if we haven't done so before
if (!DbFuncs.seenBefore(dnb))
{
try
{
// Start the process with the info we specified. Call WaitForExit and then the using statement will close.
using (Process exeProcess = Process.Start(startInfo))
{
// give the process 5 minutes runtime before we kill it and move on to the next file
bool cleanExit = exeProcess.WaitForExit(timeout); // default is 300000
label1.Text = "Timeout reached. Moving to next file.";
if (!cleanExit)
{
exeProcess.Kill();
label1.Text = "Timout reached and process kill forced. Moving to next file.";
errorFiles.Add(fi.Name);
}
else
{
label1.Text = " ";
label1.Refresh();
// add the file to our TreeNode
TreeNode[] results = parseXML(filePath + ".xml");
TreeNode treeNode = new TreeNode(f.File.ToString(), results);
treeView1.Nodes.Add(treeNode);
treeView1.Refresh();
foreach (TreeNode tn in results)
{
string[] s = tn.Text.Split(':');
Console.Write(s[0] + " " + s[1]);
if (s[0].Equals("SQLi"))
{
int.TryParse(s[1], out dnb.numSQLi);
}
if (s[0].Equals("Command Execution"))
{
int.TryParse(s[1], out dnb.numCodEx);
}
if (s[0].Equals("File Canonicalisation"))
{
int.TryParse(s[1], out dnb.numFileEx);
}
if (s[0].Equals("Info Leak"))
{
int.TryParse(s[1], out dnb.numInfoLeak);
}
if (s[0].Equals("XSS"))
{
int.TryParse(s[1], out dnb.numXSS);
}
if (s[0].Equals("User Redirection"))
{
int.TryParse(s[1], out dnb.numRedirect);
}
if (s[0].Equals("XPath Injection"))
{
int.TryParse(s[1], out dnb.numXPath);
}
if (s[0].Equals("LDAP Injection"))
{
int.TryParse(s[1], out dnb.numLDAP);
}
}
// add the results to the database
DbFuncs.PopulateDB(dnb);
// refresh the datagrid
dataGridView1.DataSource = DbFuncs.DumpDB().Tables[0].DefaultView;
}
}
}
// error either opening file or running CAT.NET on that file.
catch
{
errorFiles.Add(fi.Name);
}
}
else
{
label1.Text = "Seen this file before; moving to next file...";
}
progressBar1.PerformStep();
progressBar1.Refresh();
}
progressBar1.Step = progressBar1.Maximum;
progressBar1.PerformStep();
progressBar1.Refresh();
label1.Text = "Finished.";
if (errorFiles.Count > 0)
{
string errors = "There were errors processing the following files.\nTry again with a longer CAT timeout:\n" + string.Join("\n", errorFiles.ToArray());
MessageBox.Show(errors);
}
}
}
catch (Exception e)
{
// e.g. some sort of dir/file exception
MessageBox.Show(e.ToString());
}
}
