public override void ExecuteInternal()
{
foreach (var hive in Hives)
{
Log.Debug("Starting " + hive.ToString());
if (!Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Hive", "Include", hive.ToString()) && Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Hive", "Exclude", hive.ToString(), out Regex Capturer))
{
Log.Debug("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hive.ToString(), Strings.Get("DueToFilter"), Capturer.ToString());
return;
}
Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Key", "Exclude", hive.ToString());
var registryInfoEnumerable = RegistryWalker.WalkHive(hive);
Parallel.ForEach(registryInfoEnumerable,
(registryKey =>
{
try
{
var regObj = RegistryKeyToRegistryObject(registryKey);
if (regObj != null)
{
DatabaseManager.Write(regObj, RunId);
}
}
catch (InvalidOperationException e)
{
Log.Debug(e, JsonConvert.SerializeObject(registryKey) + " invalid op exept");
}
}));
Log.Debug("Finished " + hive.ToString());
}
}
private void OnChanged(object source, FileSystemEventArgs e)
{
if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Monitor", "File", "Path", e.FullPath))
{
return;
}
// Inspect the file
if (getFileDetails && e.ChangeType != WatcherChangeTypes.Deleted)
{
// Switch to using Mono here
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
var unixFileInfo = new Mono.Unix.UnixFileInfo(e.FullPath);
var result = unixFileInfo.FileAccessPermissions.ToString();
WriteChange(e, result);
return;
}
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
// Found this example but it isn't working on osx
//FileSecurity fSecurity = File.GetAccessControl(e.FullPath);
}
}
WriteChange(e);
customChangeHandler?.Invoke(e);
}
public override void ExecuteInternal()
{
foreach (var hive in Hives)
{
Log.Debug("Starting " + hive.ToString());
if (!Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Hive", "Include", hive.ToString()) && Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Hive", "Exclude", hive.ToString(), out Regex? Capturer))
{
Log.Debug("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hive.ToString(), Strings.Get("DueToFilter"), Capturer?.ToString());
return;
}
Action <RegistryKey, RegistryView> IterateOn = (registryKey, registryView) =>
{
try
{
var regObj = RegistryWalker.RegistryKeyToRegistryObject(registryKey, registryView);
if (regObj != null)
{
DatabaseManager.Write(regObj, RunId);
}
}
catch (InvalidOperationException e)
{
Log.Debug(e, JsonSerializer.Serialize(registryKey) + " invalid op exept");
}
};
Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Scan", "Registry", "Key", "Exclude", hive.ToString());
var x86_Enumerable = RegistryWalker.WalkHive(hive, RegistryView.Registry32);
var x64_Enumerable = RegistryWalker.WalkHive(hive, RegistryView.Registry64);
if (Parallelize)
{
Parallel.ForEach(x86_Enumerable,
(registryKey =>
{
IterateOn(registryKey, RegistryView.Registry32);
}));
Parallel.ForEach(x86_Enumerable,
(registryKey =>
{
IterateOn(registryKey, RegistryView.Registry64);
}));
}
else
{
foreach (var registryKey in x86_Enumerable)
{
IterateOn(registryKey, RegistryView.Registry32);
}
foreach (var registryKey in x64_Enumerable)
{
IterateOn(registryKey, RegistryView.Registry64);
}
}
Log.Debug("Finished " + hive.ToString());
}
}
private void OnRenamed(object source, RenamedEventArgs e)
{
if (Filter.IsFiltered(AsaHelpers.GetPlatformString(), "Monitor", "File", "Path", e.FullPath))
{
return;
}
WriteRename(e);
}
public ActionResult StartMonitoring(string RunId, string Directory, string Extension)
{
if (RunId != null)
{
using (var cmd = new SqliteCommand(INSERT_RUN, DatabaseManager.Connection, DatabaseManager.Transaction))
{
cmd.Parameters.AddWithValue("@run_id", RunId.Trim());
cmd.Parameters.AddWithValue("@file_system", true);
cmd.Parameters.AddWithValue("@ports", false);
cmd.Parameters.AddWithValue("@users", false);
cmd.Parameters.AddWithValue("@services", false);
cmd.Parameters.AddWithValue("@registry", false);
cmd.Parameters.AddWithValue("@certificates", false);
cmd.Parameters.AddWithValue("@firewall", false);
cmd.Parameters.AddWithValue("@comobjects", false);
cmd.Parameters.AddWithValue("@type", "monitor");
cmd.Parameters.AddWithValue("@timestamp", DateTime.Now.ToString("o", CultureInfo.InvariantCulture));
cmd.Parameters.AddWithValue("@version", AsaHelpers.GetVersionString());
cmd.Parameters.AddWithValue("@platform", AsaHelpers.GetPlatformString());
try
{
cmd.ExecuteNonQuery();
DatabaseManager.Commit();
}
catch (SqliteException e)
{
Log.Warning(e.StackTrace);
Log.Warning(e.Message);
return(Json((int)GUI_ERROR.UNIQUE_ID));
}
}
MonitorCommandOptions opts = new MonitorCommandOptions
{
RunId = RunId,
EnableFileSystemMonitor = true,
MonitoredDirectories = Directory,
FilterLocation = "filters.json"
};
AttackSurfaceAnalyzerClient.ClearMonitors();
return(Json((int)AttackSurfaceAnalyzerClient.RunGuiMonitorCommand(opts)));
}
return(Json(-1));
}