Esempio n. 1
0
        private static void READ_Local_Log_Dirs_for_Powershell_or_IIS(string directory)
        {
            try
            {
                if (Directory.Exists(directory))
                {
                    string[] SubDirs = Directory.GetDirectories(directory);

                    for (int x = 0; x < SubDirs.Length; ++x)
                    {
                        string[] FilePaths = Directory.GetFiles(SubDirs[x]);

                        for (int c = 0; c < FilePaths.Length; ++c)
                        {
                            if (FilePaths[c].Contains(".txt") && (FilePaths[c].ToLower().Contains("powershell_transcript.") || FilePaths[c].ToLower().Contains("iis")))
                            {
                                string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(c));
                                File.Delete(FilePaths.ElementAt(c));
                                FileContents_From_FileReads.Add("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "  " + FileContent);
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
            }
        }
Esempio n. 2
0
        internal static void Encrypt_File_Contents(string InputFilePath)
        {
            byte[] encrypted;

            using (Aes AES = Aes.Create())
            {
                AES.KeySize   = AES256KeySize;
                AES.BlockSize = 128;
                AES.Padding   = PaddingMode.PKCS7;

                var key = new Rfc2898DeriveBytes(CONVERT_To_UTF8_Bytes(GET_Password()), CONVERT_To_UTF8_Bytes(SALT), 50000);
                AES.Key = key.GetBytes(AES.KeySize / 8);
                AES.IV  = key.GetBytes(AES.BlockSize / 8);

                ICryptoTransform encryptor = AES.CreateEncryptor(AES.Key, AES.IV);

                using (MemoryStream msEncrypt = new MemoryStream())
                {
                    using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
                    {
                        using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
                        {
                            swEncrypt.Write(File.ReadAllText(InputFilePath));
                        }
                        encrypted = msEncrypt.ToArray();
                    }
                }
                File_Operation.Turnicate_File(InputFilePath, encrypted);
            }
        }
Esempio n. 3
0
        internal static bool CHECK_File_Encrypted(string FilePath)
        {
            try
            {
                FileInfo fi    = new FileInfo(FilePath);
                string   Check = File.ReadAllText(FilePath);

                if ((Check.Any(s => Crypto_Operation.Common_Encrypted_Chars.Contains(s)) && Check.Any(s => s >= 128)) && fi.Attributes.HasFlag(FileAttributes.Encrypted))
                {
                    return(true);//File Encrypted
                }
                else
                {
                    if ((Check.Any(s => Crypto_Operation.Common_Encrypted_Chars.Contains(s)) && Check.Any(s => s >= 128)) && fi.Attributes.HasFlag(FileAttributes.Encrypted) == false)
                    {
                        File.Encrypt(FilePath);
                        return(true);//File needed encrypted attrib and was encrypted
                    }
                    else
                    {
                        return(false);//File not encrypted
                    }
                }
            }
            catch (Exception e)
            {
                bool FileExists = File_Operation.CHECK_if_File_Exists(FilePath);
                if (FileExists == true && e.Message.Contains("Access to the path") && e.Message.Contains("denied"))
                {
                    //File_Operation.DELETE_File(FilePath);
                }
                Error_Operation.Log_Error("CHECK_File_Encrypted()", e.Message.ToString() + ". Is file on disk check=" + FileExists.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Verbose);
                return(false);//File NOT Encrypted
            }
        }
Esempio n. 4
0
        internal static void READ_Local_Log_Dirs()
        {
            try
            {
                List <string> DirPaths = File_Operation.READ_File_In_List(File_Operation.GET_DirToMonitor_Path()).ToList();
                for (int z = 0; z < DirPaths.Count; ++z)
                {
                    if (Directory.Exists(DirPaths.ElementAt(z)))
                    {
                        if (DirPaths.ElementAt(z).ToLower().Contains("powershell") || DirPaths.ElementAt(z).ToLower().Contains("iis"))
                        {
                            READ_Local_Log_Dirs_for_Powershell_or_IIS(DirPaths.ElementAt(z));
                        }
                        else
                        {
                            string[] FilePaths = Directory.GetFiles(DirPaths.ElementAt(z));

                            for (int x = 0; x < FilePaths.Length - 1; ++x)
                            {
                                if (File_Operation.CHECK_if_File_Exists(FilePaths.ElementAt(x)) && (FilePaths.ElementAt(x).Contains(".txt") || FilePaths.ElementAt(x).Contains(".log")))
                                {
                                    string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(x));
                                    File.Delete(FilePaths.ElementAt(x));
                                    FileContents_From_FileReads.Add(FileContent);
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
            }
        }
Esempio n. 5
0
        internal static void Start_Output_Post_Run()
        {
            if (Settings.SWELF_Events_Of_Interest_Matching_EventLogs.Count > 0)
            {
                try
                {
                    if (Settings.output_csv && Program_Start_Args.Count >= 3 && (Settings.Log_Forwarders_HostNames.Count < 1))
                    {
                        File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
                    }
                    else
                    {
                        Log_Network_Forwarder.SEND_Logs(Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
                    }
                }
                catch (Exception e)
                {
                    Error_Operation.Log_Error("Start_Output_Post_Run()  Network_Forwarder.SEND_Logs() File_Operation.Write_Ouput_CSV()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                }

                if (Settings.Logs_Sent_to_ALL_Collectors)
                {
                    Start_Write_To_SWELF_EventLogs();
                }
                Sec_Checks.Post_Run_Sec_Checks();
            }
            Settings.UPDATE_EventLog_w_PlaceKeeper_File();
        }
Esempio n. 6
0
        private static void Start_Send_File_Based_Logs()
        {
            bool Data_Sent = false;

            try
            {
                if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false)
                {
                    for (int z = 0; z < Read_Local_Files.FileContents_From_FileReads.Count; ++z)
                    {
                        EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));
                        Data_Sent = Log_Network_Forwarder.SEND_Logs(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));
                        if (Data_Sent == true && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location) && Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[15]))
                        {
                            File.Delete(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));
                            File.Create(Read_Local_Files.FileContents_From_FileReads.ElementAt(z)).Close();
                        }
                    }
                }
            }
            catch (Exception e)//network resource unavailable. Dont send data and try again next run. No logs will be queued by app only re read
            {
                Settings.Log_Storage_Location_Unavailable(" Start_Send_File_Based_Logs() " + e.Message.ToString());
            }
        }
Esempio n. 7
0
        internal static void Start_EVTX_Process()
        {
            try
            {
                Read_EventLog EvntLogSearch = new Read_EventLog();

                PARSE_Commandline_Input(EvntLogSearch);

                Search_EventLog search_Obj = new Search_EventLog(EvntLogSearch.EVTX_File_Logs);

                Settings.SWELF_Events_Of_Interest_Matching_EventLogs = search_Obj.Search(Settings.CMDLine_EVTX_File);

                if (Settings.output_csv)
                {
                    File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
                }
                else
                {
                    Start_Write_To_SWELF_EventLogs();
                }

                if (Settings.CMDLine_Dissolve)
                {
                    Settings.Dissolve();
                }
                Error_Operation.WRITE_Stored_Errors();
            }
            catch (Exception e)
            {
                Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Start_EVTX_Process() ", e.Message.ToString(), e.StackTrace.ToString());
            }
        }
Esempio n. 8
0
 internal static void CHECK_Reg_vs_File_Config(string Settings_FilePath)
 {
     if (Settings.GET_AppConfigFile_Path == Settings_FilePath)//Appconfig
     {
         if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.ConsoleAppConfig_Contents) == false)
         {
             EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The app config file(ConsoleAppConfig.conf) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
             if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
             {
                 File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path);
                 File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents);
             }
             else
             {
                 File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path);
                 File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
                 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Crypto_Operation.Decrypt_File_Contents(Settings.GET_AppConfigFile_Path));
             }
         }
     }
     else if (Settings.GET_EventLogID_PlaceHolder_Path == Settings_FilePath)//EventLog ID
     {
         EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The file that tracks the event id of an eventlog config file (Eventlog_with_PlaceKeeper.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
         File_Operation.DELETE_AND_CREATE_File(Settings.GET_EventLogID_PlaceHolder_Path);
         File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents);
     }
     else if (Settings.GET_SearchTermsFile_Path == Settings_FilePath)//Search SearchFile
     {
         if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.SearchTerms_File_Contents) == false)
         {
             EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Search term file (Searchs.txt) config file did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
             File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_Path);
             File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents);
         }
     }
     else if (Settings.GET_WhiteList_SearchTermsFile_Path == Settings_FilePath)//Search WHitelist
     {
         EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The white list search terms file (WhiteList_Searchs.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
         File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_Path);
         File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
     }
     else if (Settings.GET_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLUGIN Search
     {
         EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (Search.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
         File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_PLUGIN_Path);
         File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents);
     }
     else if (Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLugin WHitelist
     {
         EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (WhiteList_Searchs.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
         File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path);
         File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
     }
     else
     {
         LOG_SEC_CHECK_Fail("CHECK_Reg_vs_File_Config() File Path:" + Settings_FilePath + " did not match encrypted config file path");
     }
 }
Esempio n. 9
0
        internal static string Decrypt_File_Contents(string InputEncryptedFilePath, bool ReWriteDecryptedFile = true)
        {
            string       plaintext = null;
            CryptoStream csDecrypt = null;

            try
            {
                using (Aes AES = Aes.Create())
                {
                    AES.KeySize   = AES256KeySize;
                    AES.BlockSize = 128;
                    AES.Padding   = PaddingMode.PKCS7;

                    var key = new Rfc2898DeriveBytes(CONVERT_To_UTF8_Bytes(GET_Password()), CONVERT_To_UTF8_Bytes(SALT), 50000);
                    AES.Key = key.GetBytes(AES.KeySize / 8);
                    AES.IV  = key.GetBytes(AES.BlockSize / 8);

                    ICryptoTransform decryptor = AES.CreateDecryptor(AES.Key, AES.IV);

                    using (MemoryStream msDecrypt = new MemoryStream(File.ReadAllBytes(InputEncryptedFilePath)))
                    {
                        using (csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                        {
                            using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                            {
                                try
                                {
                                    plaintext = srDecrypt.ReadToEnd();
                                }
                                catch (Exception e)
                                {
                                    File_Operation.DELETE_File(InputEncryptedFilePath);
                                    File_Operation.WRITE_Default_Critical_Files();
                                }
                            }
                            csDecrypt = null;
                        }
                    }
                }
                if (ReWriteDecryptedFile)
                {
                    File_Operation.Turnicate_File(InputEncryptedFilePath);
                }
            }
            finally
            {
                if (csDecrypt != null)
                {
                    csDecrypt.Dispose();
                }
            }
            return(plaintext);
        }
Esempio n. 10
0
 internal static void ErrorLogging_Level()
 {
     try
     {
         if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level) == false)
         {
             Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
         }
         else if (string.IsNullOrEmpty(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level)))
         {
             if (File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path) && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate))
             {
                 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
             }
             else
             {
                 //error in logic here
             }
         }
         else if (Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level) != Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]])
         {
             if (File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path) && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate))
             {
                 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
             }
             else
             {
                 ErrorsLog.Add("ErrorLogging_Level()" + "Possible Tampering (Reg.Reg_Keys_and_Values[\"logging_level\"] != Settings.AppConfig_File_Args[\"logging_level\"] settings changed to match.");
                 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
             }
         }
         else
         {
             Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
         }
         int index = Array.FindIndex(Severity_Levels, row => row == Settings.Logging_Level_To_Report);
         Logging_Level_To_Report = Convert.ToInt32(index);
     }
     catch (Exception e)
     {
         if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level))
         {
             Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
         }
         else
         {
             Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
             Logging_Level_To_Report          = 1;
         }
     }
 }
Esempio n. 11
0
 internal static void UnSecure_File(string FilePath, int RetryNumber = 0)
 {
     try
     {
         if (File_Operation.CHECK_File_Encrypted(FilePath) == true)
         {
             File.AppendAllText(FilePath, Decrypt_File_Contents(FilePath));
         }
         File.Decrypt(FilePath);
     }
     catch (Exception e)
     {
         if (RetryNumber == 0)
         {
             if (e.Message.ToString().Contains("The input data is not a complete block.") && File_Operation.CHECK_File_Encrypted(FilePath) == false)
             {
                 Encrypt_File_Contents(FilePath);
                 File.Encrypt(FilePath);
                 UnSecure_File(FilePath, 1);
             }
             else
             {
                 File.Decrypt(FilePath);
             }
         }
         if (e.Message.Contains("Padding"))
         {
             Sec_Checks.CHECK_Reg_vs_File_Config(FilePath);
         }
         else if (e.Message.Contains("The input data is not a complete block."))
         {
             if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
             {
                 File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
             }
             else if (FilePath.Contains(Settings.SearchTermsFileName_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents))
             {
                 File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents));
             }
             else
             {
                 //error is logic
             }
         }
         else
         {
             Error_Operation.Log_Error("UnLock_File()", e.Message.ToString() + " " + FilePath + "  retry=" + RetryNumber, "", Error_Operation.LogSeverity.FailureAudit);
         }
     }
 }
Esempio n. 12
0
 internal static void Secure_File(string FilePath)
 {
     try
     {
         File.Encrypt(FilePath);
         if (File_Operation.CHECK_File_Encrypted(FilePath) == false)
         {
             Encrypt_File_Contents(FilePath);
         }
     }
     catch (Exception e)
     {
         File.Decrypt(FilePath);
     }
 }
Esempio n. 13
0
        internal static void WRITE_Errors_To_Log(string MethodInCode, string msg, LogSeverity LogSeverity, EventID eventID = 0)
        {
            ErrorLogging_Level();

            if (Logging_Level_To_Report >= (int)LogSeverity)
            {
                string err_msg = "DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "   SourceComputer=" + Settings.ComputerName + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   MethodInCode=" + MethodInCode + "   Message=" + msg + "\n";

                if (File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
                {
                    File.AppendAllText(Settings.GET_ErrorLog_Location, err_msg);
                }
                else
                {
                    File.Create(Settings.GET_ErrorLog_Location).Close();
                    File.AppendAllText(Settings.GET_ErrorLog_Location, err_msg);
                }

                if (LogSeverity == LogSeverity.Informataion)
                {
                    EventLog_SWELF.WRITE_Info_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Message=" + err_msg + "\n", eventID);
                }
                else if (LogSeverity == LogSeverity.Verbose)
                {
                    EventLog_SWELF.WRITE_Verbose_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Message=" + err_msg + "\n", eventID);
                }
                else if (LogSeverity == LogSeverity.Warning)
                {
                    EventLog_SWELF.WRITE_Warning_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Message=" + err_msg + "\n", eventID);
                }
                else if (LogSeverity == LogSeverity.FailureAudit)
                {
                    EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Message=" + err_msg + "\n", eventID);
                }
                else if (LogSeverity == LogSeverity.Critical)
                {
                    EventLog_SWELF.WRITE_ERROR_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Message=" + err_msg + "\n", eventID);
                }
                else
                {
                    EventLog_SWELF.WRITE_Verbose_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Message=" + err_msg + "\n", eventID);
                }

                File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);
            }
        }
Esempio n. 14
0
        internal static string Run_PS_Script(String PowershellSciptLocation, string PowershellSciptArgs = "")
        {
            if (File_Operation.CHECK_if_File_Exists(PowershellSciptLocation))
            {
                ScriptContents = File_Operation.READ_AllText(PowershellSciptLocation);

                if (CallAntimalwareScanInterface(Get_SHA256(PowershellSciptLocation), ScriptContents) < 32768)
                {
                    powershellSciptLocation = PowershellSciptLocation;
                    powershellSciptArgs     = PowershellSciptArgs;

                    ProcessStartInfo startInfo = new ProcessStartInfo("powershell", "-ExecutionPolicy Bypass .\\" + Path.GetFileName(PowershellSciptLocation));
                    startInfo.WorkingDirectory       = Path.GetDirectoryName(PowershellSciptLocation);
                    startInfo.RedirectStandardOutput = true;
                    startInfo.RedirectStandardError  = true;
                    startInfo.LoadUserProfile        = true;
                    startInfo.UseShellExecute        = false;
                    startInfo.CreateNoWindow         = true;
                    Process process = new Process();
                    process.StartInfo = startInfo;
                    process.Start();
                    string output = process.StandardOutput.ReadToEnd();
                    if (string.IsNullOrEmpty(output))
                    {
                        output += "\nPS Plugin ERROR: " + process.StandardError.ReadToEnd();
                    }
                    if (string.IsNullOrEmpty(ScriptContents) == false || string.IsNullOrWhiteSpace(ScriptContents) == false)
                    {
                        Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "microsoft-windows-powershell/operational" + "~");
                        Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "windows powershell" + "~");
                    }
                    return(output);
                }
                else
                {
                    Error_Operation.Log_Error("Run_PS_Script() POSSIBLE MALWARE DETECTED", "Script located at " + powershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents), "", Error_Operation.LogSeverity.Critical);
                    return("POSSIBLE MALWARE DETECTED - Script located at " + powershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents));
                }
            }
            else
            {
                Error_Operation.Log_Error("Run_PS_Script()", PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName, "", Error_Operation.LogSeverity.Warning);
                return(PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName);
            }
        }
Esempio n. 15
0
        private static Dictionary <string, int> ReadLocalFiles_Log_File_Tracking = new Dictionary <string, int>();//Filepath,Line Number where it left off

        internal static void READ_Local_Log_Files()
        {
            List <string> FilePaths = File_Operation.READ_File_In_List(File_Operation.GET_FilesToMonitor_Path()).ToList();

            for (int z = 0; z < FilePaths.Count; ++z)
            {
                try
                {
                    string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(z));
                    File.Delete(FilePaths.ElementAt(z));
                    FileContents_From_FileReads.Add("DateTime = " + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "  " + FileContent);
                }
                catch (Exception e)
                {
                    Error_Operation.Log_Error("READ_Local_Log_Files() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
                }
            }
        }
Esempio n. 16
0
 internal static void UPDATE_Local_Config_With_Central_Config(string WebPath, string LocalPath, string FileName)
 {
     if (string.IsNullOrEmpty(Central_Config_File_Web_Cache))
     {
         File_Operation.DELETE_File(LocalPath);    //remove old config file
         Wclient.DownloadFile(WebPath, LocalPath); //if match read local files
     }
     else
     {
         File_Operation.DELETE_File(LocalPath);//remove old config file
         File_Operation.APPEND_AllTXT(LocalPath, Central_Config_File_Web_Cache);
     }
     Error_Operation.Log_Error("GET_Central_Config_File()", "Updated " + FileName + " from " + WebPath + ". It was downloaded to " + LocalPath, "", Error_Operation.LogSeverity.Verbose, Error_Operation.EventID.SWELF_Central_Config_Changed);//log change
     if (File_Operation.CHECK_File_Encrypted(LocalPath) == false)
     {
         Crypto_Operation.Secure_File(LocalPath);
     }
 }
Esempio n. 17
0
 private static void RUN_Thread_Whitelist_SearchFile()
 {
     if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents))//use reg
     {
         READ_WhiteList_Search_Terms_File(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents));
     }
     else if (File_Operation.CHECK_if_File_Exists(GET_WhiteList_SearchTermsFile_Path))//no reg, look for file
     {
         READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
         File_Operation.DELETE_File(GET_WhiteList_SearchTermsFile_Path);
     }
     else//no file, no reg, Create Default then load it into the reg to use later
     {
         File_Operation.VERIFY_Search_Default_Files_Ready();
         READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
         Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
     }
     ++ThreadsDone_Setup;
 }
Esempio n. 18
0
        private static void READ_WhiteList_Search_Terms_File(string Contents)
        {
            try
            {
                List <string> ConfigLines = Contents.Split(SplitNewLine, StringSplitOptions.RemoveEmptyEntries).ToList();

                for (int x = 0; x < ConfigLines.Count; ++x)
                {
                    if (ConfigLines.ElementAt(x).StartsWith(CommentCharConfigs.ToString()) == false && String.IsNullOrWhiteSpace(ConfigLines.ElementAt(x)) == false)
                    {
                        WhiteList_Search_Terms_Unparsed.Add(ConfigLines.ElementAt(x).Replace("\r", String.Empty).ToLower());
                    }
                }
            }
            catch (Exception e)
            {
                Error_Operation.Log_Error("READ_WhiteList_Search_Terms_File() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Critical);
                File_Operation.CREATE_NEW_Files_And_Dirs(Search_File_Location, Search_WhiteList_FileName, "#SearchTerm ~ EventLogName ~ EventID");
            }
        }
Esempio n. 19
0
        internal static string Hash(string Value)
        {
            var sha256 = SHA256.Create();

            try
            {
                if (File_Operation.CHECK_if_File_Exists(Value) && (File_Operation.CHECK_File_Encrypted(Value)))
                {
                    return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Decrypt_File_Contents(Value, false)))));
                }
                else
                {
                    return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Value))));
                }
            }
            catch (Exception e)
            {
                return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Value))));
            }
        }
Esempio n. 20
0
        internal static void WRITE_Default_Configs_Files_and_Reg()
        {
            File_Operation.Turnicate_File(GET_AppConfigFile_Path);
            File_Operation.Turnicate_File(GET_EventLogID_PlaceHolder_Path);
            File_Operation.Turnicate_File(GET_SearchTermsFile_Path);
            File_Operation.Turnicate_File(GET_WhiteList_SearchTermsFile_Path);
            File_Operation.Turnicate_File(GET_SearchTermsFile_PLUGIN_Path);

            File_Operation.CREATE_NEW_Files_And_Dirs(Config_File_Location, AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents, true);
            File_Operation.CREATE_NEW_Files_And_Dirs(Config_File_Location, EventLogID_PlaceHolde_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents, true);

            File_Operation.CREATE_NEW_Files_And_Dirs(Search_File_Location, SearchTermsFileName_FileName, File_Operation.GET_Default_Logs_Search_File_Contents, true);
            File_Operation.CREATE_NEW_Files_And_Dirs(Search_File_Location, Search_WhiteList_FileName, "", true);

            File_Operation.CREATE_NEW_Files_And_Dirs(Plugin_Search_Location, SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents, true);

            Reg_Operation.WRITE_Default_SWELF_Reg_Keys();

            Error_Operation.Log_Error("WRITE_Default_Configs()", "SWELF created new default config files for all settings", "", Error_Operation.LogSeverity.FailureAudit);
        }
Esempio n. 21
0
        private static void READ_Powershell_SearchTerms(string Contents)
        {
            try
            {
                List <string> ConfigLines = Contents.Split(SplitNewLine, StringSplitOptions.RemoveEmptyEntries).ToList();

                for (int x = 0; x < ConfigLines.Count; ++x)
                {
                    if (ConfigLines.ElementAt(x).StartsWith(CommentCharConfigs.ToString()) == false && String.IsNullOrWhiteSpace(ConfigLines.ElementAt(x)) == false)
                    {
                        Plugin_Search_Terms_Unparsed.Add(ConfigLines.ElementAt(x).Replace("\r", String.Empty).ToLower());
                    }
                }
            }
            catch (Exception e)
            {
                EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("READ_Powershell_SearchTerms()  " + e.Message.ToString());
                File_Operation.CREATE_NEW_Files_And_Dirs(Plugin_Search_Location, SearchTermsFileName_FileName, "#File Path to Powershell Script~ SearchTerm~ Powershell Script Arguments");
            }
        }
Esempio n. 22
0
 private static void RUN_Thread_Plugins()
 {
     if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents))//use reg
     {
         READ_Powershell_SearchTerms(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents));
     }
     else if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_PLUGIN_Path))//no reg, look for file
     {
         READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
         File_Operation.DELETE_File(GET_SearchTermsFile_PLUGIN_Path);
     }
     else//no file, no reg, Create Default then load it into the reg to use later
     {
         File_Operation.VERIFY_Search_Default_Files_Ready();
         File_Operation.GET_Plugin_Scripts_Ready();
         READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
         Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
     }
     ++ThreadsDone_Setup;
 }
Esempio n. 23
0
        private static void WRITE_Errors_To_Log(string msg, LogSeverity LogSeverity, EventID eventID = 0)
        {
            if (File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
            {
                File.AppendAllText(Settings.GET_ErrorLog_Location, msg);
            }
            else
            {
                File.Create(Settings.GET_ErrorLog_Location).Close();
                File.AppendAllText(Settings.GET_ErrorLog_Location, msg);
            }
            File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);

            if (LogSeverity == LogSeverity.Informataion)
            {
                EventLog_SWELF.WRITE_Info_EventLog(msg, eventID);
            }
            else if (LogSeverity == LogSeverity.Verbose)
            {
                EventLog_SWELF.WRITE_Verbose_EventLog(msg, eventID);
            }
            else if (LogSeverity == LogSeverity.Warning)
            {
                EventLog_SWELF.WRITE_Warning_EventLog(msg, eventID);
            }
            else if (LogSeverity == LogSeverity.FailureAudit)
            {
                EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(msg, eventID);
            }
            else if (LogSeverity == LogSeverity.Critical)
            {
                EventLog_SWELF.WRITE_ERROR_EventLog(msg, eventID);
            }
            else
            {
                EventLog_SWELF.WRITE_Verbose_EventLog(msg, eventID);
            }
        }
Esempio n. 24
0
 private static void Write_HashFile_IPsFile()
 {
     if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]))
     {
         try
         {
             if (File_Operation.CHECK_if_File_Exists(Settings.Hashs_File_Path))
             {
                 File_Operation.CHECK_File_Size(Settings.Hashs_File_Path, .0002);
                 Settings.Hashs_From_EVT_Logs.AddRange(File_Operation.READ_File_In_List(Settings.Hashs_File_Path).Distinct().ToList());
                 Settings.Hashs_From_EVT_Logs = Settings.Hashs_From_EVT_Logs.Distinct().ToList();
             }
             File_Operation.Write_Hash_Output(Settings.Hashs_From_EVT_Logs.Distinct().ToList());
         }
         catch (Exception e)
         {
             Error_Operation.Log_Error("Write_HashFile_IPsFile()", Settings.SWELF_AppConfig_Args[12] + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
         }
     }
     if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
     {
         try
         {
             if (File_Operation.CHECK_if_File_Exists(Settings.IPs_File_Path))
             {
                 File_Operation.CHECK_File_Size(Settings.IPs_File_Path, .0002);
                 Settings.IP_List_EVT_Logs.AddRange(File_Operation.READ_File_In_List(Settings.IPs_File_Path).Distinct().ToList());
                 Settings.IP_List_EVT_Logs = Settings.IP_List_EVT_Logs.Distinct().ToList();
             }
         }
         catch (Exception e)
         {
             Error_Operation.Log_Error("Write_HashFile_IPsFile()", Settings.SWELF_AppConfig_Args[11] + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
         }
         File_Operation.Write_IP_Output(Settings.IP_List_EVT_Logs.Distinct().ToList());
     }
 }
Esempio n. 25
0
        internal static void SEND_Errors_To_Central_Location()
        {
            try
            {
                string[] Errors = File.ReadAllLines(Settings.GET_ErrorLog_Location);

                if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false)
                {
                    for (int x = 0; x < Errors.Length; ++x)
                    {
                        Settings.Logs_Sent_to_ALL_Collectors = Log_Network_Forwarder.SEND_Logs(Errors[x], Settings.GET_ErrorLog_Location, true);
                    }
                    if (Settings.Logs_Sent_to_ALL_Collectors && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[15]))
                    {
                        File_Operation.DELETE_File(Settings.GET_ErrorLog_Location);
                        File.Create(Settings.GET_ErrorLog_Location).Close();
                    }
                }
            }
            catch (Exception e)
            {
                Settings.Log_Storage_Location_Unavailable("SEND_Errors_To_Central_Location() " + e.Message.ToString());
            }
        }
Esempio n. 26
0
        private static void Start_Live_Process()
        {
            if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
            {
                if (Program_Start_Args.ElementAt(0).ToLower().Equals("-dissolve") && Settings.CHECK_If_EventLog_Exsits(Settings.SWELF_EventLog_Name) == false && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
                {
                    Settings.CMDLine_Dissolve = true;
                }

                Start_Setup();

                Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins());
                PS_Plugins_Thread.IsBackground = true;
                PS_Plugins_Thread.Priority     = ThreadPriority.Lowest;
                PS_Plugins_Thread.Start();

                Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles());
                READ_Local_LogFiles_Thread.IsBackground = true;
                READ_Local_LogFiles_Thread.Priority     = ThreadPriority.Lowest;
                READ_Local_LogFiles_Thread.Start();

                while (Settings.PS_PluginDone != true && !READ_Local_LogFiles_Thread.IsAlive && !READ_Local_LogFiles_Thread.IsAlive)
                {
                    Thread.Sleep(10000);
                }
                PS_Plugins_Thread.Abort();
                READ_Local_LogFiles_Thread.Abort();

                Start_Read_Search_Write_Forward_EventLogs();

                Start_Send_File_Based_Logs();

                Write_HashFile_IPsFile();
            }
            else
            {
                Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
            }
            if (Settings.CMDLine_Dissolve)
            {
                Settings.Dissolve();
            }
            Error_Operation.WRITE_Stored_Errors();
        }
Esempio n. 27
0
 private static void GET_ErrorLog_Ready()
 {
     File_Operation.CREATE_NEW_Files_And_Dirs(SWELF_Log_File_Location, ErrorFile_FileName);
 }
Esempio n. 28
0
        internal static void Log_Error(string MethodNameInCode, string Message, string StackDetails, LogSeverity LogSeverity, EventID eventID = 0)
        {
            if (Settings.Logging_Level_To_Report.ToLower() == "verbose")
            {
                Message = Message + " Stack_Info=" + StackDetails;
            }

            string msg = "DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "   SourceComputer=" + Settings.ComputerName + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Error_MethodInCode=" + MethodNameInCode + "   Error_Message=" + Message + "\n";

            try//write ALL to local error log 1st
            {
                File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);
                File_Operation.APPEND_AllTXT(Settings.GET_ErrorLog_Location, msg);
            }
            catch (Exception e)
            {
                try
                {
                    File_Operation.APPEND_AllTXT(Settings.SWELF_Log_File_Location + "\\" + Path.GetRandomFileName() + "_" + Settings.ErrorFile_FileName, msg);
                }
                catch (Exception ex)
                {
                    msg += "\nAdditional_ERROR: " + ex.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write this error to a local file on this system at " + Settings.GET_ErrorLog_Location;
                }
            }
            if (Logging_Level_To_Report <= (int)LogSeverity)
            {
                try//write to eventlog
                {
                    WRITE_Errors_To_EventLog(MethodNameInCode, Message, LogSeverity, eventID);
                }
                catch (Exception exc)
                {
                    msg += "\nAdditional_ERROR: " + exc.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write this error to the event log on this system";
                    try
                    {
                        File_Operation.APPEND_AllTXT(Settings.SWELF_Log_File_Location + "\\" + Path.GetRandomFileName() + "_" + Settings.ErrorFile_FileName, msg);
                    }
                    catch (Exception execp)
                    {
                        msg += "\nAdditional_ERROR: " + execp.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write this error to a local file on this system at " + Settings.GET_ErrorLog_Location;
                    }
                }
                try// send eventlog to collector
                {
                    Log_Network_Forwarder.SEND_SINGLE_LOG(msg);
                }
                catch (Exception p)
                {
                    msg += "\nAdditional_ERROR: " + p.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write error to Event Log";
                    try//write to eventlog
                    {
                        WRITE_Errors_To_EventLog(MethodNameInCode, Message, LogSeverity, eventID);
                    }
                    catch (Exception exc)
                    {
                        msg += "\nAdditional_ERROR: " + exc.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write this error to the event log on this system";
                        try
                        {
                            File_Operation.APPEND_AllTXT(Settings.SWELF_Log_File_Location + "\\" + Path.GetRandomFileName() + "_" + Settings.ErrorFile_FileName, msg);
                        }
                        catch (Exception execp)
                        {
                            msg += "\nAdditional_ERROR: " + execp.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write this error to a local file on this system at " + Settings.GET_ErrorLog_Location;
                        }
                    }
                }
            }
            Data_Store.ErrorsLog.Add(msg);
        }
Esempio n. 29
0
        internal static bool VERIFY_Central_File_Config_Hash(string HTTP_File_Path, string Local_File_Path)
        {
            string HTTPFileHash;
            string LocalFileHash;

            try
            {
                HttpWebRequest request = (HttpWebRequest)WebRequest.Create(HTTP_File_Path);
                request.AllowAutoRedirect = false;
                request.UnsafeAuthenticatedConnectionSharing = false;
                request.Timeout = 150000;

                ServicePointManager.Expect100Continue = true;
                ServicePointManager.CheckCertificateRevocationList = false;
                ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;

                using (CustomWebClient response = new CustomWebClient())
                {
                    //string Web_Config_File_Contents = response.DownloadString(HTTP_File_Path);
                    if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == true)//determine if we use cache version
                    {
                        HTTPFileHash = Settings.Central_Config_Hashs[HTTP_File_Path];
                    }
                    else//no cache version get from network
                    {
                        Central_Config_File_Web_Cache = Crypto_Operation.CONVERT_To_String_From_Bytes(response.DownloadData(HTTP_File_Path), 2);//get file has from Network
                        using (var sha256 = SHA256.Create())
                        {
                            HTTPFileHash = BitConverter.ToString(sha256.ComputeHash(Encoding.UTF8.GetBytes(Central_Config_File_Web_Cache)));
                        }
                        if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == false)
                        {
                            Settings.Central_Config_Hashs.Add(HTTP_File_Path, HTTPFileHash);
                        }
                    }
                    using (var sha2562 = SHA256.Create())//Get local file hash
                    {
                        if (File_Operation.CHECK_if_File_Exists(Local_File_Path) == false)
                        {
                            return(false);//no local file
                        }
                        else
                        {
                            LocalFileHash = BitConverter.ToString(sha2562.ComputeHash(Encoding.UTF8.GetBytes(File_Operation.READ_AllText(Local_File_Path))));
                        }
                    }

                    if (HTTPFileHash == LocalFileHash)
                    {
                        return(true);
                    }
                    else
                    {
                        return(false);
                    }
                }
            }
            catch (Exception e)
            {
                Error_Operation.WRITE_Errors_To_Log("VERIFY_Central_File_Config_Hash()", e.Message.ToString() + " " + HTTP_File_Path + " " + Local_File_Path, Error_Operation.LogSeverity.Informataion);//log change
                return(false);
            }
            finally
            {
                Wclient.Dispose();
            }
        }
Esempio n. 30
0
 internal static void WRITE_Default_SWELF_Reg_Keys()
 {
     Microsoft.Win32.RegistryKey key;
     key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("Software\\SWELF");
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.First_Run].ToString(), Crypto_Operation.Protect_Data_Value("true"));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter].ToString(), Crypto_Operation.Protect_Data_Value("127.0.0.1"));
     //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_1].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
     //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_2].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
     //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_3].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
     //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_4].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
     //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_5].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.Encryption].ToString(), Crypto_Operation.Protect_Data_Value(Crypto_Operation.Generate_Decrypt()));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.logging_level].ToString(), Crypto_Operation.Protect_Data_Value(Settings.Logging_Level_To_Report));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.output_format].ToString(), Crypto_Operation.Protect_Data_Value("keyvalue"));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_Current_Version].ToString(), Crypto_Operation.Protect_Data_Value(Settings.SWELF_Version));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_CWD].ToString(), Crypto_Operation.Protect_Data_Value(Settings.SWELF_CWD));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_FAILED_SEC_CHECK].ToString(), Crypto_Operation.Protect_Data_Value("false"));
     //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_app_config].ToString(), Crypto_Operation.Protect_Data_Value(""));
     //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_plugin_search_config].ToString(), Crypto_Operation.Protect_Data_Value(""));
     // BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_search_config].ToString(), Crypto_Operation.Protect_Data_Value(""));
     //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_whitelist_search_config].ToString(),Crypto_Operation.Protect_Data_Value(""));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.ConsoleAppConfig_CreationDate].ToString(), Crypto_Operation.Protect_Data_Value(File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path)));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.ConsoleAppConfig_Contents], Crypto_Operation.Protect_Data_Value(File_Operation.READ_AllText(Settings.GET_AppConfigFile_Path)));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SearchTerms_File_Contents], Crypto_Operation.Protect_Data_Value(File_Operation.READ_AllText(Settings.GET_SearchTermsFile_Path)));
     BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.Logs_Last_Sent], Crypto_Operation.Protect_Data_Value(DateTime.Now.ToString()));
 }