        public void Option_argument_descriptor_is_empty_for_boolean_values(Type type)
        {
            // Help for an option whose argument type is boolean (supplied by the test data)
            // should show the alias immediately followed by the description, with no
            // "<value>" placeholder in between.
            const string description = "This is the option description";

            var argument = new Argument
            {
                Description  = description,
                ArgumentType = type
            };
            var option  = new Option("--opt", description) { Argument = argument };
            var command = new Command("outer", "Help text for the outer command") { option };

            var helpBuilder = GetHelpBuilder(SmallMaxWidth);
            helpBuilder.Write(command);

            var rendered = _console.Out.ToString();
            rendered.Should().Contain($"--opt{_columnPadding}{description}");
        }
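        /// <summary>
        /// Builds the <c>--help</c>/<c>-h</c> option. Its handler renders the framework help into an
        /// in-memory console, keeps only the "Options:" section and wraps it in the compiler's own
        /// banner, usage and example text, then stops further command processing.
        /// </summary>
        /// <returns>The help <see cref="OptionAction"/>, staged at <c>CommandBuilder</c>.</returns>
        private static OptionAction AddHelp() => new OptionAction()
        {
            Option       = new Option(new[] { "--help", "-h" }, "Print this help statement."),
            Stage        = OptionAction.StageEnum.CommandBuilder,
            HandleOption = (opt, cmd, ctx, cfg) =>
            {
                var console     = new CommandLineConsole();
                var helpBuilder = new HelpBuilder(console);
                helpBuilder.Write(cmd.RootCommand);

                var helpStr = $"Bifrost Compiler ({Core.AssemblyInfo.Version}) - Parse and extract hooks from C/C++ files.\n\n";
                helpStr += $"Usage:\n  {Core.AssemblyInfo.Name}.exe [options] <inputs>\n\n";

                var optionString = console.ToString();

                // IndexOf yields -1 when the marker is absent (e.g. a help layout change), and
                // Substring(-1) would throw from inside --help; fall back to the full rendered
                // help instead. Ordinal: this is a fixed marker, not user-facing text.
                var optionsStart = optionString.IndexOf("Options:", StringComparison.Ordinal);
                helpStr += optionsStart >= 0 ? optionString.Substring(optionsStart) : optionString;
                helpStr  = helpStr.Replace("_inputs_", "<inputs>");

                helpStr += $"Example:\n  {Core.AssemblyInfo.Name}.exe input.yaml -o C:/foo/bar";

                Console.WriteLine(helpStr);
                cmd.Stop = true;
            }
        };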
        public void Command_argument_descriptor_indicates_enums_values(Type type)
        {
            // For an enum-typed command argument the "Arguments:" section is expected to use the
            // enum's member names (Read|ReadWrite|Write for the type under test) as the placeholder.
            const string description = "This is the argument description";

            var argument = new Argument
            {
                Description  = description,
                ArgumentType = type
            };
            var command = new Command("outer", "Help text for the outer command") { argument };

            var helpBuilder = GetHelpBuilder(SmallMaxWidth);
            helpBuilder.Write(command);

            var expectedArgumentsSection =
                $"Arguments:{NewLine}{_indentation}<Read|ReadWrite|Write>{_columnPadding}{description}";

            _console.Out.ToString().Should().Contain(expectedArgumentsSection);
        }
        public void Option_argument_descriptor_indicates_enums_values(Type type)
        {
            // Same expectation as the command-argument case, but for an option's argument:
            // the alias is followed by the enum member names as the value placeholder.
            const string description = "This is the argument description";

            var argument = new Argument
            {
                Description  = description,
                ArgumentType = type
            };
            var option  = new Option("--opt") { Argument = argument };
            var command = new Command("outer", "Help text for the outer command") { option };

            var helpBuilder = GetHelpBuilder(SmallMaxWidth);
            helpBuilder.Write(command);

            var rendered = _console.Out.ToString();
            rendered.Should().Contain("--opt <Read|ReadWrite|Write>");
        }
        public void Synopsis_section_removes_extra_whitespace()
        {
            // Runs of spaces and a tab inside the description must collapse to single spaces
            // in the rendered synopsis line.
            var command = new RootCommand(description: "test  description\tfor synopsis");

            _helpBuilder.Write(command);

            var rendered = _console.Out.ToString();
            _output.WriteLine(rendered);

            var expectedSynopsis =
                $"{_executableName}:{NewLine}{_indentation}test description for synopsis{NewLine}{NewLine}";

            rendered.Should().Contain(expectedSynopsis);
        }
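    /// <summary>
    /// Runs one SRUM export: configures logging, validates the input selection, loads the SRUM
    /// database (optionally with the SOFTWARE hive) and writes one CSV per table into
    /// <paramref name="csv"/>.
    /// </summary>
    /// <param name="f">Path to an SRUDB.dat file. Overwritten by the directory search when <paramref name="d"/> is given.</param>
    /// <param name="r">Path to a SOFTWARE hive passed to <see cref="Srum"/>; may be null or empty. Overwritten when <paramref name="d"/> is given.</param>
    /// <param name="d">Directory searched recursively for SRUDB.DAT and SOFTWARE. Either this or <paramref name="f"/> is required.</param>
    /// <param name="csv">Output directory for the CSV files (required; created when missing).</param>
    /// <param name="dt">Date/time format string applied to the per-row event/start/end timestamp columns.</param>
    /// <param name="debug">Lowers the log level to Debug and adds timestamps to the console template.</param>
    /// <param name="trace">Lowers the log level to Verbose; takes precedence over <paramref name="debug"/>.</param>
    private static void DoWork(string f, string r, string d, string csv, string dt, bool debug, bool trace)
    {
        ConfigureLogging(debug, trace);

        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        {
            Console.WriteLine();
            Log.Fatal("Non-Windows platforms not supported due to the need to load ESI specific Windows libraries! Exiting...");
            Console.WriteLine();
            // NOTE(review): exits 0 here and after a parse failure below, so automation cannot
            // distinguish a failed run by exit code; left unchanged to keep the existing contract.
            Environment.Exit(0);
            return;
        }

        if (f.IsNullOrEmpty() && d.IsNullOrEmpty())
        {
            WriteUsage();
            Log.Warning("Either -f or -d is required. Exiting\r\n");
            return;
        }

        if (f.IsNullOrEmpty() == false && !File.Exists(f))
        {
            Log.Warning("File '{File}' not found. Exiting", f);
            return;
        }

        if (d.IsNullOrEmpty() == false && !Directory.Exists(d))
        {
            Log.Warning("Directory '{D}' not found. Exiting", d);
            return;
        }

        if (csv.IsNullOrEmpty())
        {
            WriteUsage();
            Log.Warning("--csv is required. Exiting\r\n");
            return;
        }

        Log.Information("{Header}", Header);
        Console.WriteLine();
        Log.Information("Command line: {Args}\r\n", string.Join(" ", _args));

        if (IsAdministrator() == false)
        {
            Log.Warning("Warning: Administrator privileges not found!\r\n");
        }

        var sw = Stopwatch.StartNew();

        // One timestamp per run so every CSV written by this invocation shares a file-name prefix.
        var ts = DateTimeOffset.UtcNow;

        if (d.IsNullOrEmpty() == false)
        {
            // -d takes precedence: both the database and the hive are located by name under it,
            // replacing whatever -f / -r carried.
            IEnumerable<string> files2;

#if NET6_0
            var enumerationOptions = new EnumerationOptions
            {
                IgnoreInaccessible    = true,
                MatchCasing           = MatchCasing.CaseInsensitive,
                RecurseSubdirectories = true,
                AttributesToSkip      = 0
            };

            files2 = Directory.EnumerateFileSystemEntries(d, "SRUDB.DAT", enumerationOptions);

            f = files2.FirstOrDefault();

            if (f.IsNullOrEmpty())
            {
                Log.Warning("Did not locate any files named 'SRUDB.dat'! Exiting");
                return;
            }

            Log.Information("Found SRUM database file '{F}'!", f);

            files2 = Directory.EnumerateFileSystemEntries(d, "SOFTWARE", enumerationOptions);

            r = files2.FirstOrDefault();

            if (r.IsNullOrEmpty())
            {
                Log.Warning("Did not locate any files named 'SOFTWARE'! Registry data will not be extracted");
            }
            else
            {
                Log.Information("Found SOFTWARE hive '{R}'!", r);
            }
#elif NET462
            // kape mode, so find the files. Both lookups use the same filter shape: a non-empty
            // file whose name matches exactly (case-insensitive), no reparse points, errors ignored.
            DirectoryEnumerationFilters NamedFileFilter(string upperName)
            {
                return new DirectoryEnumerationFilters
                {
                    InclusionFilter = fsei => fsei.FileSize != 0 && fsei.FileName.ToUpperInvariant() == upperName,
                    RecursionFilter = entryInfo => !entryInfo.IsMountPoint && !entryInfo.IsSymbolicLink,
                    ErrorFilter     = (errorCode, errorMessage, pathProcessed) => true
                };
            }

            const DirectoryEnumerationOptions dirEnumOptions =
                DirectoryEnumerationOptions.Files | DirectoryEnumerationOptions.Recursive |
                DirectoryEnumerationOptions.SkipReparsePoints | DirectoryEnumerationOptions.ContinueOnException |
                DirectoryEnumerationOptions.BasicSearch;

            files2 = Directory.EnumerateFileSystemEntries(d, dirEnumOptions, NamedFileFilter("SRUDB.DAT"));

            f = files2.FirstOrDefault();

            if (f.IsNullOrEmpty())
            {
                Log.Warning("Did not locate any files named 'SRUDB.dat'! Exiting");
                return;
            }

            Log.Information("Found SRUM database file '{F}'!", f);

            files2 = Directory.EnumerateFileSystemEntries(d, dirEnumOptions, NamedFileFilter("SOFTWARE"));

            r = files2.FirstOrDefault();

            if (r.IsNullOrEmpty())
            {
                Log.Warning("Did not locate any files named 'SOFTWARE'! Registry data will not be extracted");
            }
            else
            {
                Log.Information("Found SOFTWARE hive '{R}'!", r);
            }
#endif

            Console.WriteLine();
        }

        Srum sr;

        try
        {
            Log.Information("Processing '{F}'...", f);
            sr = new Srum(f, r);

            Console.WriteLine();
            Log.Information("Processing complete!");
            Console.WriteLine();

            Log.Information("{EnergyUse} {EnergyUsagesCount:N0}", "Energy Usage count:".PadRight(30),
                            sr.EnergyUsages.Count);
            Log.Information("{Unknown312s} {Unknown312sCount:N0}", "Unknown 312 count:".PadRight(30),
                            sr.TimelineProviders.Count);
            Log.Information("{UnknownD8Fs} {UnknownD8FsCount:N0}", "Unknown D8F count:".PadRight(30),
                            sr.Vfuprovs.Count);
            Log.Information("{AppResourceUseInfos} {AppResourceUseInfosCount:N0}",
                            "App Resource Usage count:".PadRight(30), sr.AppResourceUseInfos.Count);
            Log.Information("{NetworkConnections} {NetworkConnectionsCount:N0}",
                            "Network Connection count:".PadRight(30), sr.NetworkConnections.Count);
            Log.Information("{NetworkUsages} {NetworkUsagesCount}", "Network Usage count:".PadRight(30),
                            sr.NetworkUsages.Count);
            Log.Information("{PushNotifications} {PushNotificationsCount:N0}", "Push Notification count:".PadRight(30),
                            sr.PushNotifications.Count);
            Console.WriteLine();
        }
        catch (Exception e)
        {
            Log.Error(e,
                      "Error processing file! Message: {Message}.\r\n\r\nThis almost always means the database is dirty and must be repaired. This can be verified by running 'esentutl.exe /mh SRUDB.dat' and examining the 'State' property",
                      e.Message);
            Console.WriteLine();
            Log.Information(
                "If the database is dirty, **make a copy of your files**, ensure all files in the directory are not Read-only, open a PowerShell session as an admin, and repair by using the following commands (change directories to the location of SRUDB.dat first):\r\n\r\n'esentutl.exe /r sru /i'\r\n'esentutl.exe /p SRUDB.dat'\r\n\r\n");
            Environment.Exit(0);
            return;
        }

        // csv was rejected as empty above, so only the directory itself can still be missing.
        if (Directory.Exists(csv) == false)
        {
            Log.Information("Path to '{Csv}' doesn't exist. Creating...", csv);

            try
            {
                Directory.CreateDirectory(csv);
            }
            catch (Exception e)
            {
                // Include the exception so permission problems are distinguishable from name clashes.
                Log.Fatal(e, "Unable to create directory '{Csv}'. Does a file with the same name exist? Exiting", csv);
                return;
            }
        }

        Log.Information("CSV output will be saved to '{Csv}'\r\n", csv);

        string OutPath(string stem) => Path.Combine(csv, $"{ts:yyyyMMddHHmmss}_SrumECmd_{stem}_Output.csv");

        // Each table is exported independently: a failure in one is logged and the rest still run.
        ExportTable<EnergyUsage>(OutPath("EnergyUsage"), "Energy Usage tables", EnergyUsage.TableName, "EnergyUsage",
                                 sr.EnergyUsages.Values, w =>
                                 {
                                     var map = w.Context.AutoMap<EnergyUsage>();
                                     map.Map(t => t.Timestamp).Convert(t => $"{t.Value.Timestamp:yyyy-MM-dd HH:mm:ss}");
                                     map.Map(t => t.EventTimestamp).Convert(t => $"{t.Value.EventTimestamp?.ToString(dt)}");
                                     w.Context.RegisterClassMap(map);
                                 });

        ExportTable<TimelineProvider>(OutPath("Unknown312"), "Unknown 312 table", TimelineProvider.TableName, "Unknown312",
                                      sr.TimelineProviders.Values, w =>
                                      {
                                          var map = w.Context.AutoMap<TimelineProvider>();
                                          map.Map(t => t.Timestamp).Convert(t => $"{t.Value.Timestamp:yyyy-MM-dd HH:mm:ss}");
                                          map.Map(t => t.EndTime).Convert(t => $"{t.Value.EndTime.ToString(dt)}");
                                          w.Context.RegisterClassMap(map);
                                      });

        ExportTable<Vfuprov>(OutPath("UnknownD8F"), "Unknown D8F table", Vfuprov.TableName, "UnknownD8F",
                             sr.Vfuprovs.Values, w =>
                             {
                                 var map = w.Context.AutoMap<Vfuprov>();
                                 map.Map(t => t.Timestamp).Convert(t => $"{t.Value.Timestamp:yyyy-MM-dd HH:mm:ss}");
                                 map.Map(t => t.EndTime).Convert(t => $"{t.Value.EndTime.ToString(dt)}");
                                 map.Map(t => t.StartTime).Convert(t => $"{t.Value.StartTime.ToString(dt)}");
                                 w.Context.RegisterClassMap(map);
                             });

        ExportTable<AppResourceUseInfo>(OutPath("AppResourceUseInfo"), "App Resource Use Info table", AppResourceUseInfo.TableName, "AppResourceUseInfo",
                                        sr.AppResourceUseInfos.Values, w =>
                                        {
                                            var map = w.Context.AutoMap<AppResourceUseInfo>();
                                            map.Map(t => t.Timestamp).Convert(t => $"{t.Value.Timestamp:yyyy-MM-dd HH:mm:ss}");
                                            w.Context.RegisterClassMap(map);
                                        });

        ExportTable<NetworkConnection>(OutPath("NetworkConnections"), "Network Connection table", NetworkConnection.TableName, "NetworkConnection",
                                       sr.NetworkConnections.Values, w =>
                                       {
                                           var map = w.Context.AutoMap<NetworkConnection>();
                                           map.Map(t => t.Timestamp).Convert(t => $"{t.Value.Timestamp:yyyy-MM-dd HH:mm:ss}");
                                           map.Map(t => t.ConnectStartTime).Convert(t => $"{t.Value.ConnectStartTime.ToString(dt)}");
                                           w.Context.RegisterClassMap(map);
                                       });

        ExportTable<NetworkUsage>(OutPath("NetworkUsages"), "Network Usage table", NetworkUsage.TableName, "NetworkUsage",
                                  sr.NetworkUsages.Values, w =>
                                  {
                                      var map = w.Context.AutoMap<NetworkUsage>();
                                      map.Map(t => t.Timestamp).Convert(t => $"{t.Value.Timestamp:yyyy-MM-dd HH:mm:ss}");
                                      w.Context.RegisterClassMap(map);
                                  });

        ExportTable<PushNotification>(OutPath("PushNotifications"), "Push Notification table", PushNotification.TableName, "PushNotification",
                                      sr.PushNotifications.Values, w =>
                                      {
                                          var map = w.Context.AutoMap<PushNotification>();
                                          map.Map(t => t.Timestamp).Convert(t => $"{t.Value.Timestamp:yyyy-MM-dd HH:mm:ss}");
                                          w.Context.RegisterClassMap(map);
                                      });

        sw.Stop();

        Log.Information("Processing completed in {TotalSeconds:N4} seconds\r\n", sw.Elapsed.TotalSeconds);
    }

    /// <summary>
    /// Installs the global Serilog logger. Debug and trace both switch to a timestamped console
    /// template; trace selects the Verbose level and wins over debug when both are set.
    /// </summary>
    private static void ConfigureLogging(bool debug, bool trace)
    {
        var levelSwitch = new LoggingLevelSwitch();
        var template    = "{Message:lj}{NewLine}{Exception}";

        if (debug || trace)
        {
            levelSwitch.MinimumLevel = trace ? LogEventLevel.Verbose : LogEventLevel.Debug;
            template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
        }

        Log.Logger = new LoggerConfiguration()
                     .WriteTo.Console(outputTemplate: template)
                     .MinimumLevel.ControlledBy(levelSwitch)
                     .CreateLogger();
    }

    /// <summary>Writes the root command's help text to the console; used when a required argument is missing.</summary>
    private static void WriteUsage()
    {
        var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
        var hc      = new HelpContext(helpBld, _rootCommand, Console.Out);

        helpBld.Write(hc);
    }

    /// <summary>
    /// Writes one SRUM table to a CSV file. The writers are disposed on every path (the earlier
    /// per-table code only flushed them, leaving a file handle open per export). Any failure is
    /// logged and swallowed so the remaining tables are still exported.
    /// </summary>
    /// <typeparam name="T">Row type of the table.</typeparam>
    /// <param name="outFile">Full path of the CSV to (over)write.</param>
    /// <param name="debugLabel">Human-readable table label for the debug log line.</param>
    /// <param name="tableName">The row type's <c>TableName</c> constant, logged next to <paramref name="debugLabel"/>.</param>
    /// <param name="errorName">Short name used in the error log line when the export fails.</param>
    /// <param name="records">Rows to write.</param>
    /// <param name="configureMap">Builds and registers the class map (timestamp formatting) on the writer before the header is written.</param>
    private static void ExportTable<T>(string outFile, string debugLabel, string tableName, string errorName,
                                       IEnumerable<T> records, Action<CsvWriter> configureMap)
    {
        try
        {
            Log.Debug("Dumping {Label} '{TableName}'", debugLabel, tableName);

            using (var swCsv = new StreamWriter(outFile, false, Encoding.UTF8))
            using (var csvWriter = new CsvWriter(swCsv, CultureInfo.InvariantCulture))
            {
                configureMap(csvWriter);

                csvWriter.WriteHeader<T>();
                csvWriter.NextRecord();

                csvWriter.WriteRecords(records);

                csvWriter.Flush();
                swCsv.Flush();
            }
        }
        catch (Exception e)
        {
            Log.Error(e, "Error exporting '{Name}' data! Error: {Message}", errorName, e.Message);
        }
    }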
        public void Help_describes_default_values_for_complex_root_command_scenario()
        {
            // Approval test: the help rendered for a root command carrying every combination of
            // description / default value / required / enum argument is compared with the
            // stored approved output.
            string[] Aliases(string longName, string shortName) => new[] { longName, shortName };

            var rootArgNoDescriptionNoDefault = new Argument<string>("the-root-arg-no-description-no-default");

            var rootArgNoDescriptionDefault = new Argument<string>(
                "the-root-arg-no-description-default",
                argResult => "the-root-arg-no-description-default-value",
                isDefault: true);

            var rootArgNoDefault = new Argument<string>("the-root-arg-no-default")
            {
                Description = "the-root-arg-no-default-description",
            };

            var rootArg = new Argument<string>("the-root-arg", () => "the-root-arg-one-value")
            {
                Description = "the-root-arg-description"
            };

            var rootArgEnumDefault = new Argument<FileAccess>("the-root-arg-enum-default", () => FileAccess.Read)
            {
                Description  = "the-root-arg-enum-default-description",
                ArgumentType = typeof(FileAccess)
            };

            var rootOptionNoArg = new Option(Aliases("--the-root-option-no-arg", "-trna"))
            {
                Description = "the-root-option-no-arg-description",
                Required    = true
            };

            var rootOptionNoDescriptionDefaultArg = new Option<string>(
                Aliases("--the-root-option-no-description-default-arg", "-trondda"),
                _ => "the-root-option--no-description-default-arg-value",
                isDefault: true);

            var rootOptionNoDefaultArg = new Option(Aliases("--the-root-option-no-default-arg", "-tronda"))
            {
                Description = "the-root-option-no-default-description",
                Argument    = new Argument<string>("the-root-option-arg-no-default-arg")
                {
                    Description = "the-root-option-arg-no-default-description"
                },
                Required = true
            };

            var rootOptionDefaultArg = new Option(Aliases("--the-root-option-default-arg", "-troda"))
            {
                Description = "the-root-option-default-arg-description",
                Argument    = new Argument<string>("the-root-option-arg", () => "the-root-option-arg-value")
                {
                    Description = "the-root-option-arg-description"
                },
            };

            var rootOptionEnumArg = new Option(Aliases("--the-root-option-enum-arg", "-troea"))
            {
                Description = "the-root-option-description",
                Argument    = new Argument<FileAccess>("the-root-option-arg", () => FileAccess.Read)
                {
                    Description = "the-root-option-arg-description",
                }
            };

            var rootOptionRequiredEnumArg = new Option(Aliases("--the-root-option-required-enum-arg", "-trorea"))
            {
                Description = "the-root-option-description",
                Argument    = new Argument<FileAccess>("the-root-option-arg", () => FileAccess.Read)
                {
                    Description = "the-root-option-arg-description",
                },
                Required = true
            };

            // Arguments are added before options, in the same order the help is expected to list them.
            var command = new RootCommand(description: "Test description")
            {
                rootArgNoDescriptionNoDefault,
                rootArgNoDescriptionDefault,
                rootArgNoDefault,
                rootArg,
                rootArgEnumDefault,
                rootOptionNoArg,
                rootOptionNoDescriptionDefaultArg,
                rootOptionNoDefaultArg,
                rootOptionDefaultArg,
                rootOptionEnumArg,
                rootOptionRequiredEnumArg
            };

            command.Name = "the-root-command";

            var helpBuilder = GetHelpBuilder(LargeMaxWidth);
            helpBuilder.Write(command);

            Approvals.Verify(_console.Out.ToString());
        }
    private static void DoWork(string d, string f, string @out, bool ca, bool cn, bool debug, bool trace)
    {
        if (f.IsNullOrEmpty() == false ||
            d.IsNullOrEmpty() == false)
        {
            if (@out.IsNullOrEmpty())
            {
                var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
                var hc      = new HelpContext(helpBld, _rootCommand, Console.Out);

                helpBld.Write(hc);

                Console.WriteLine();
                _logger.Warn("--out is required. Exiting");
                Console.WriteLine();
                return;
            }
        }

        if (debug)
        {
            foreach (var r in LogManager.Configuration.LoggingRules)
            {
                r.EnableLoggingForLevel(LogLevel.Debug);
            }

            LogManager.ReconfigExistingLoggers();
            _logger.Debug("Enabled debug messages...");
        }

        if (trace)
        {
            foreach (var r in LogManager.Configuration.LoggingRules)
            {
                r.EnableLoggingForLevel(LogLevel.Trace);
            }

            LogManager.ReconfigExistingLoggers();
            _logger.Trace("Enabled trace messages...");
        }


        var hivesToProcess = new List <string>();

        _logger.Info(Header);
        _logger.Info("");
        _logger.Info($"Command line: {string.Join(" ", Environment.GetCommandLineArgs().Skip(1))}\r\n");

        if (f?.Length > 0)
        {
            if (File.Exists(f) == false)
            {
                _logger.Error($"File '{f}' does not exist.");
                return;
            }

            hivesToProcess.Add(f);
        }
        else if (d?.Length > 0)
        {
            if (Directory.Exists(d) == false)
            {
                _logger.Error($"Directory '{d}' does not exist.");
                return;
            }

            var okFileParts = new HashSet <string>();
            okFileParts.Add("USRCLASS");
            okFileParts.Add("NTUSER");
            okFileParts.Add("SYSTEM");
            okFileParts.Add("SAM");
            okFileParts.Add("SOFTWARE");
            okFileParts.Add("AMCACHE");
            okFileParts.Add("SYSCACHE");
            okFileParts.Add("SECURITY");
            okFileParts.Add("DRIVERS");
            okFileParts.Add("COMPONENTS");

            var directoryEnumerationFilters = new DirectoryEnumerationFilters();
            directoryEnumerationFilters.InclusionFilter = fsei =>
            {
                if (fsei.Extension.ToUpperInvariant() == ".LOG1" || fsei.Extension.ToUpperInvariant() == ".LOG2" ||
                    fsei.Extension.ToUpperInvariant() == ".DLL" ||
                    fsei.Extension.ToUpperInvariant() == ".LOG" ||
                    fsei.Extension.ToUpperInvariant() == ".CSV" ||
                    fsei.Extension.ToUpperInvariant() == ".BLF" ||
                    fsei.Extension.ToUpperInvariant() == ".REGTRANS-MS" ||
                    fsei.Extension.ToUpperInvariant() == ".EXE" ||
                    fsei.Extension.ToUpperInvariant() == ".TXT" || fsei.Extension.ToUpperInvariant() == ".INI")
                {
                    return(false);
                }

                var foundOkFilePart = false;

                foreach (var okFilePart in okFileParts)
                {
                    if (fsei.FileName.ToUpperInvariant().Contains(okFilePart))
                    {
                        foundOkFilePart = true;
                        //     return true;
                    }
                }

                if (foundOkFilePart == false)
                {
                    return(false);
                }

                var fi = new FileInfo(fsei.FullPath);

                if (fi.Length < 4)
                {
                    return(false);
                }

                try
                {
                    using (var fs = new FileStream(fsei.FullPath, FileMode.Open, FileAccess.Read))
                    {
                        using (var br = new BinaryReader(fs, new ASCIIEncoding()))
                        {
                            try
                            {
                                var chunk = br.ReadBytes(4);

                                var sig = BitConverter.ToInt32(chunk, 0);

                                if (sig == 0x66676572)
                                {
                                    return(true);
                                }
                            }
                            catch (Exception)
                            {
                            }

                            return(false);
                        }
                    }
                }
                catch (IOException)
                {
                    if (Helper.IsAdministrator() == false)
                    {
                        throw new UnauthorizedAccessException("Administrator privileges not found!");
                    }

                    var files = new List <string>();
                    files.Add(fsei.FullPath);

                    var rawf = Helper.GetRawFiles(files);

                    if (rawf.First().FileStream.Length == 0)
                    {
                        return(false);
                    }

                    try
                    {
                        var b = new byte[4];
                        rawf.First().FileStream.ReadExactly(b, 4);

                        var sig = BitConverter.ToInt32(b, 0);

                        if (sig == 0x66676572)
                        {
                            return(true);
                        }
                    }
                    catch (Exception)
                    {
                    }

                    return(false);
                }
            };

            directoryEnumerationFilters.RecursionFilter = entryInfo => !entryInfo.IsMountPoint && !entryInfo.IsSymbolicLink;

            directoryEnumerationFilters.ErrorFilter = (errorCode, errorMessage, pathProcessed) => true;

            var dirEnumOptions =
                DirectoryEnumerationOptions.Files | DirectoryEnumerationOptions.Recursive |
                DirectoryEnumerationOptions.SkipReparsePoints | DirectoryEnumerationOptions.ContinueOnException |
                DirectoryEnumerationOptions.BasicSearch;

            if (Directory.Exists(@out) == false)
            {
                _logger.Info($"Creating --out directory '{@out}'...");
                Directory.CreateDirectory(@out);
            }
            else
            {
                if (Directory.GetFiles(@out).Length > 0 && cn)
                {
                    _logger.Warn($"'{@out}' contains files! This may cause --cn to revert back to uncompressed names. Ideally, '{@out}' should be empty.");
                    Console.WriteLine();
                }
            }

            _logger.Fatal($"Searching '{d}' for hives...");

            var files2 =
                Alphaleonis.Win32.Filesystem.Directory.EnumerateFileSystemEntries(d, dirEnumOptions, directoryEnumerationFilters);

            var count = 0;

            try
            {
                hivesToProcess.AddRange(files2);
                count = hivesToProcess.Count;

                _logger.Info($"\tHives found: {count:N0}");
            }
            catch (Exception ex)
            {
                _logger.Fatal($"Could not access all files in '{d}'! Error: {ex.Message}");
                _logger.Error("");
                _logger.Fatal("Rerun the program with Administrator privileges to try again\r\n");
                //Environment.Exit(-1);
            }
        }
        else
        {
            var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
            var hc      = new HelpContext(helpBld, _rootCommand, Console.Out);

            helpBld.Write(hc);
            return;
        }


        if (hivesToProcess.Count == 0)
        {
            _logger.Warn("No hives were found. Exiting...");

            return;
        }

        _sw = new Stopwatch();
        _sw.Start();

        foreach (var hiveToProcess in hivesToProcess)
        {
            _logger.Info("");

            byte[] updatedBytes = null;

            _logger.Info($"Processing hive '{hiveToProcess}'");

            if (File.Exists(hiveToProcess) == false)
            {
                _logger.Warn($"'{hiveToProcess}' does not exist. Skipping");
                continue;
            }

            try
            {
                RegistryHive reg;

                var dirname  = Path.GetDirectoryName(hiveToProcess);
                var hiveBase = Path.GetFileName(hiveToProcess);

                List <RawCopyReturn> rawFiles = null;

                try
                {
                    using (var fs = new FileStream(hiveToProcess, FileMode.Open, FileAccess.Read))
                    {
                        reg = new RegistryHive(fs.ReadFully(), hiveToProcess);
                    }
                }
                catch (IOException)
                {
                    //file is in use

                    if (Helper.IsAdministrator() == false)
                    {
                        throw new UnauthorizedAccessException("Administrator privileges not found!");
                    }

                    _logger.Warn($"\t'{hiveToProcess}' is in use. Rerouting...\r\n");

                    var files = new List <string>();
                    files.Add(hiveToProcess);

                    var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                    foreach (var logFile in logFiles)
                    {
                        files.Add(logFile);
                    }

                    rawFiles = Helper.GetRawFiles(files);

                    if (rawFiles.First().FileStream.Length == 0)
                    {
                        continue;
                    }

                    var bb = rawFiles.First().FileStream.ReadFully();

                    reg = new RegistryHive(bb, rawFiles.First().InputFilename);
                }

                if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber)
                {
                    if (string.IsNullOrEmpty(dirname))
                    {
                        dirname = ".";
                    }

                    var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                    if (logFiles.Length == 0)
                    {
                        if (ca)
                        {
                            _logger.Info($"\tHive '{hiveToProcess}' is dirty, but no logs were found in the same directory. --ca is true. Copying...");
                            updatedBytes = File.ReadAllBytes(hiveToProcess);
                        }
                        else
                        {
                            _logger.Info($"\tHive '{hiveToProcess}' is dirty and no transaction logs were found in the same directory. --ca is false. Skipping...");
                            continue;
                        }
                    }

                    if (updatedBytes == null)
                    {
                        if (rawFiles != null)
                        {
                            var lt = new List <TransactionLogFileInfo>();
                            foreach (var rawCopyReturn in rawFiles.Skip(1).ToList())
                            {
                                var bb1 = rawCopyReturn.FileStream.ReadFully();

                                var tt = new TransactionLogFileInfo(rawCopyReturn.InputFilename, bb1);
                                lt.Add(tt);
                            }

                            updatedBytes = reg.ProcessTransactionLogs(lt);
                        }
                        else
                        {
                            updatedBytes = reg.ProcessTransactionLogs(logFiles.ToList());
                        }
                    }
                }

                if (updatedBytes == null)
                {
                    if (ca)
                    {
                        _logger.Info($"\tHive '{hiveToProcess}' is not dirty, but --ca is true. Copying...");
                        updatedBytes = File.ReadAllBytes(hiveToProcess);
                    }
                    else
                    {
                        _logger.Info($"\tHive '{hiveToProcess}' is not dirty and --ca is false. Skipping...");
                        continue;
                    }
                }

                var outFile    = hiveToProcess.Replace(":", "").Replace("\\", "_");
                var outFileAll = Path.Combine(@out, outFile);

                if (cn &&
                    (outFileAll.ToUpperInvariant().Contains("NTUSER") || outFileAll.ToUpperInvariant().Contains("USRCLASS")))
                {
                    var dl   = hiveToProcess[0].ToString();
                    var segs = hiveToProcess.SplitAndTrim('\\');

                    var profile  = segs[2];
                    var filename = Path.GetFileName(hiveToProcess);

                    var outFile2 = $"{dl}_{profile}_(unknown)";

                    outFileAll = Path.Combine(@out, outFile2);
                }

                if (File.Exists(outFileAll))
                {
                    var oldOut = outFileAll;

                    outFileAll = Path.Combine(@out, outFile);

                    _logger.Warn($"\tFile '{oldOut}' exists! Saving as non-compressed name: '{outFileAll}'");
                }

                _logger.Fatal($"\tSaving updated hive to '{outFileAll}'");

                using (var fs = new FileStream(outFileAll, FileMode.Create))
                {
                    fs.Write(updatedBytes, 0, updatedBytes.Length);

                    fs.Flush();

                    fs.Close();
                }
            }
            catch (Exception ex)
            {
                if (ex.Message.Contains("Sequence numbers do not match and transaction") == false)
                {
                    if (ex.Message.Contains("Administrator privileges not found"))
                    {
                        _logger.Fatal($"Could not access '{hiveToProcess}' because it is in use");
                        _logger.Error("");
                        _logger.Fatal("Rerun the program with Administrator privileges to try again\r\n");
                    }
                    else
                    {
                        _logger.Error($"There was an error: {ex.Message}");
                    }
                }
            }
        }

        _sw.Stop();
        _logger.Info("");

        _logger.Info($"Total processing time: {_sw.Elapsed.TotalSeconds:N3} seconds");
        _logger.Info("");
    }
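    /// <summary>
    /// Runs the RBCmd job: configures Serilog, validates the -f/-d inputs, collects the
    /// recycle-bin files to examine, processes each one and, when --csv is given, writes
    /// the accumulated <c>_csvOuts</c> rows to a CSV file.
    /// </summary>
    /// <param name="d">Directory to search for recycle-bin files; used only when <paramref name="f"/> is empty.</param>
    /// <param name="f">Single file to process; takes precedence over <paramref name="d"/>.</param>
    /// <param name="q">Quiet flag; suppresses the blank spacer lines written to the console.</param>
    /// <param name="csv">Directory the CSV output is written into (created if missing). No CSV is written when empty.</param>
    /// <param name="csvf">Optional CSV file name; only its file-name component is used.</param>
    /// <param name="dt">Date/time format string, published through <c>ActiveDateTimeFormat</c>.</param>
    /// <param name="debug">Lowers the minimum log level to Debug and adds timestamps to the console template.</param>
    /// <param name="trace">Lowers the minimum log level to Verbose; evaluated after <paramref name="debug"/> so it wins when both are set.</param>
    private static void DoWork(string d, string f, bool q, string csv, string csvf, string dt, bool debug, bool trace)
    {
        ActiveDateTimeFormat = dt;

        var formatter = new DateTimeOffsetFormatter(CultureInfo.CurrentCulture);

        var levelSwitch = new LoggingLevelSwitch();
        var template    = "{Message:lj}{NewLine}{Exception}";

        if (debug)
        {
            levelSwitch.MinimumLevel = LogEventLevel.Debug;
            template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
        }

        // Checked last on purpose: --trace overrides --debug when both are supplied.
        if (trace)
        {
            levelSwitch.MinimumLevel = LogEventLevel.Verbose;
            template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
        }

        Log.Logger = new LoggerConfiguration()
                     .WriteTo.Console(outputTemplate: template, formatProvider: formatter)
                     .MinimumLevel.ControlledBy(levelSwitch)
                     .CreateLogger();

        if (f.IsNullOrEmpty() && d.IsNullOrEmpty())
        {
            var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
            var hc      = new HelpContext(helpBld, _rootCommand, Console.Out);

            helpBld.Write(hc);

            Log.Warning("Either -f or -d is required. Exiting");
            return;
        }

        if (f.IsNullOrEmpty() == false && !File.Exists(f))
        {
            Log.Warning("File {F} not found. Exiting", f);
            return;
        }

        if (d.IsNullOrEmpty() == false && !Directory.Exists(d))
        {
            Log.Warning("Directory {D} not found. Exiting", d);
            return;
        }

        Log.Information("{Header}", Header);
        Console.WriteLine();
        Log.Information("Command line: {Args}", string.Join(" ", Environment.GetCommandLineArgs().Skip(1)));

        // Lack of elevation is only a warning here; per-file failures are reported
        // via _failedFiles (presumably filled in by ProcessFile) rather than aborting the run.
        if (IsAdministrator() == false)
        {
            Log.Warning("Warning: Administrator privileges not found!");
            Console.WriteLine();
        }

        _csvOuts     = new List<CsvOut>();
        _failedFiles = new List<string>();

        var files = new List<string>();
        var sw    = Stopwatch.StartNew();

        if (f?.Length > 0)
        {
            files.Add(f);
        }
        else
        {
            Console.WriteLine();

            Log.Information("Looking for files in {Dir}", d);
            if (!q)
            {
                Console.WriteLine();
            }

            files = GetRecycleBinFiles(d);
        }

        Log.Information("Found {Count:N0} files. Processing...", files.Count);

        if (!q)
        {
            Console.WriteLine();
        }

        foreach (var file in files)
        {
            ProcessFile(file, q, dt);
        }

        sw.Stop();

        Console.WriteLine();
        // NOTE(review): the first placeholder is named FailedFilesCount but carries the number of
        // files that succeeded. Left as-is because the placeholder name is the structured-log
        // property name consumers may already filter on.
        Log.Information(
            "Processed {FailedFilesCount:N0} out of {Count:N0} files in {TotalSeconds:N4} seconds", files.Count - _failedFiles.Count, files.Count, sw.Elapsed.TotalSeconds);
        Console.WriteLine();

        if (_failedFiles.Count > 0)
        {
            Console.WriteLine();
            Log.Information("Failed files");
            foreach (var failedFile in _failedFiles)
            {
                Log.Information("  {FailedFile}", failedFile);
            }
        }

        if (csv.IsNullOrEmpty() || files.Count == 0)
        {
            return;
        }

        ExportCsvSummary(csv, csvf);
    }

    /// <summary>
    /// Writes the rows collected in <c>_csvOuts</c> to a CSV file inside <paramref name="csv"/>.
    /// The directory is created when missing; any failure is logged and the export is cancelled
    /// without throwing, so a bad --csv never discards the processing work already done.
    /// </summary>
    /// <param name="csv">Target directory for the CSV file.</param>
    /// <param name="csvf">Optional file name override; directory components are discarded.</param>
    private static void ExportCsvSummary(string csv, string csvf)
    {
        if (Directory.Exists(csv) == false)
        {
            Log.Information("{Csv} does not exist. Creating...", csv);

            try
            {
                Directory.CreateDirectory(csv);
            }
            catch (Exception ex)
            {
                // Previously an unhandled exception here aborted the process after all files
                // had already been processed; mirror the handling used for the other output directories.
                Log.Error(ex, "Unable to create directory {Csv}. Does a file with the same name exist? CSV export canceled", csv);
                return;
            }
        }

        var outName = $"{DateTimeOffset.Now:yyyyMMddHHmmss}_RBCmd_Output.csv";

        // Only the file-name component of --csvf is honoured (Path.GetFileName drops any
        // directory part), so a caller-supplied name cannot redirect the output out of --csv.
        if (csvf.IsNullOrEmpty() == false)
        {
            outName = Path.GetFileName(csvf);
        }

        var outFile = Path.GetFullPath(Path.Combine(csv, outName));

        Log.Warning("CSV output will be saved to {Path}", outFile);

        try
        {
            // using declarations guarantee the file handle is flushed and released even when a
            // record fails to serialise; the previous version leaked the StreamWriter on that path.
            using var sw1       = new StreamWriter(outFile);
            using var csvWriter = new CsvWriter(sw1, CultureInfo.InvariantCulture);

            csvWriter.WriteHeader(typeof(CsvOut));
            csvWriter.NextRecord();

            foreach (var csvOut in _csvOuts)
            {
                csvWriter.WriteRecord(csvOut);
                csvWriter.NextRecord();
            }

            sw1.Flush();
        }
        catch (Exception ex)
        {
            Log.Error(ex,
                      "Unable to open {OutFile} for writing. CSV export canceled. Error: {Message}", outFile, ex.Message);
        }
    }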
 /// <summary>
 /// Convenience overload: renders the help text of <paramref name="command"/> with
 /// <paramref name="builder"/> into <paramref name="writer"/>, building the
 /// <see cref="HelpContext"/> on the caller's behalf.
 /// </summary>
 /// <param name="builder">The help builder that performs the rendering.</param>
 /// <param name="command">The command whose help is rendered.</param>
 /// <param name="writer">Destination for the rendered help text.</param>
 public static void Write(this HelpBuilder builder, Command command, TextWriter writer)
 {
     var context = new HelpContext(builder, command, writer);
     builder.Write(context);
 }
    private static void DoWork(string f, string csv, string dt, bool debug, bool trace)
    {
        var levelSwitch = new LoggingLevelSwitch();

        _activeDateTimeFormat = dt;

        var formatter =
            new DateTimeOffsetFormatter(CultureInfo.CurrentCulture);

        var template = "{Message:lj}{NewLine}{Exception}";

        if (debug)
        {
            levelSwitch.MinimumLevel = LogEventLevel.Debug;
            template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
        }

        if (trace)
        {
            levelSwitch.MinimumLevel = LogEventLevel.Verbose;
            template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
        }

        var conf = new LoggerConfiguration()
                   .WriteTo.Console(outputTemplate: template, formatProvider: formatter)
                   .MinimumLevel.ControlledBy(levelSwitch);

        Log.Logger = conf.CreateLogger();

        if (f.IsNullOrEmpty())
        {
            var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
            var hc      = new HelpContext(helpBld, _rootCommand, Console.Out);

            helpBld.Write(hc);

            Log.Warning("-f is required. Exiting");
            Console.WriteLine();
            return;
        }

        if (csv.IsNullOrEmpty())
        {
            var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
            var hc      = new HelpContext(helpBld, _rootCommand, Console.Out);

            helpBld.Write(hc);

            Log.Warning("--csv is required. Exiting");
            Console.WriteLine();
            return;
        }

        if (!File.Exists(f))
        {
            var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
            var hc      = new HelpContext(helpBld, _rootCommand, Console.Out);

            helpBld.Write(hc);

            Log.Warning("File '{F}' not found. Exiting", f);
            Console.WriteLine();
            return;
        }

        var userProfile = string.Empty;


        try {
            userProfile = Regex.Match(f, @"\\Users\\(.+?)\\", RegexOptions.IgnoreCase).Groups[1].Value;

            if (userProfile.Length > 0)
            {
                userProfile = $"_{userProfile}";
            }
        } catch (ArgumentException) {
            // Syntax error in the regular expression
        }

        Log.Information("{Header}", Header);
        Console.WriteLine();
        Log.Information("Command line: {Args}", string.Join(" ", Environment.GetCommandLineArgs().Skip(1)));
        Console.WriteLine();

        if (IsAdministrator() == false)
        {
            Log.Warning("Warning: Administrator privileges not found!");
            Console.WriteLine();
        }


        DumpSqliteDll();

        var sw1 = new Stopwatch();

        sw1.Start();

        var apes      = new List <ActivityPackageIdEntry>();
        var activitys = new List <ActivityEntry>();
        var aoes      = new List <ActivityOperationEntry>();

        var dbFactory = new OrmLiteConnectionFactory(f, SqliteDialect.Provider);

        try
        {
            SqliteDialect.Provider.RegisterConverter <DateTimeOffset>(new EpochConverter());
            SqliteDialect.Provider.RegisterConverter <DateTimeOffset?>(new EpochConverter());

            using (var db = dbFactory.OpenDbConnection())
            {
                try
                {
                    var activityOperations = db.Select <ActivityOperation>();

                    Log.Information("{Table} entries found: {Count:N0}", "ActivityOperation", activityOperations.Count);

                    foreach (var op in activityOperations)
                    {
                        string exeName;

                        var appIdInfo = op.AppId.FromJson <List <AppIdInfo> >();

                        var idInfo = appIdInfo.FirstOrDefault(t =>
                                                              t.Platform.EqualsIgnoreCase("windows_win32") ||
                                                              t.Platform.EqualsIgnoreCase("x_exe_path"));

                        if (idInfo == null)
                        {
                            idInfo = appIdInfo.First();
                        }

                        if (idInfo.Application.Contains(".exe"))
                        {
                            var segs = idInfo.Application.Split('\\');

                            if (segs[0].StartsWith("{"))
                            {
                                var newname = GuidMapping.GuidMapping.GetDescriptionFromGuid(segs[0]);

                                segs[0] = newname;

                                exeName = string.Join("\\", segs);
                            }
                            else
                            {
                                exeName = idInfo.Application;
                            }
                        }
                        else
                        {
                            exeName = idInfo.Application;
                        }

                        var displayText    = string.Empty;
                        var contentInfo    = string.Empty;
                        var devicePlatform = string.Empty;
                        var timeZone       = string.Empty;
                        var description    = string.Empty;

                        var payload = Encoding.ASCII.GetString(op.Payload);

                        var clipPay = string.Empty;

                        if (op.ClipboardPayload is { Length: > 0 })
                        {
                            clipPay = Encoding.ASCII.GetString(op.ClipboardPayload);
                        }

                        if (payload.StartsWith("{"))
                        {
                            var dti = payload.FromJson <PayloadData>();

                            timeZone       = dti.UserTimezone;
                            devicePlatform = dti.DevicePlatform;
                            displayText    = dti.DisplayText;

                            if (dti.ContentUri != null || dti.Description != null)
                            {
                                displayText = $"{dti.DisplayText} ({dti.AppDisplayName})";

                                var ci = dti.ContentUri.UrlDecode();

                                contentInfo = $"{dti.Description} ({dti.ContentUri.UrlDecode()})";

                                if (ci != null)
                                {
                                    if (ci.Contains("{") & ci.Contains("}"))
                                    {
                                        var start = ci.Substring(0, 5);
                                        var guid  = ci.Substring(6, 36);
                                        var end   = ci.Substring(43);

                                        var upContent =
                                            $"{start}{GuidMapping.GuidMapping.GetDescriptionFromGuid(guid)}{end}";

                                        contentInfo = $"{dti.Description} ({upContent})";
                                    }
                                }
                            }
                        }
                        else
                        {
                            payload = "(Binary data)";
                        }

                        var aoe = new ActivityOperationEntry(op.Id.ToString(), op.OperationOrder, op.AppId, exeName,
                                                             op.ActivityType, op.LastModifiedTime, op.ExpirationTime, payload, op.CreatedTime,
                                                             op.EndTime, op.LastModifiedOnClient, op.OperationExpirationTime, op.PlatformDeviceId,
                                                             op.OperationType, devicePlatform, timeZone, description, op.StartTime, displayText,
                                                             clipPay, contentInfo);

                        aoes.Add(aoe);
                    }
                }
                catch (Exception e)
                {
                    if (e.Message.Contains("no such table"))
                    {
                        Log.Error("{Table} table does not exist!", "ActivityOperation");
                    }
                    else
                    {
                        Log.Error(e, "Error processing {Table} table: {Message}", "ActivityOperation", e.Message);
                    }
                }

                try
                {
                    var activityPackageIds = db.Select <ActivityPackageId>();

                    Log.Information("{Table} entries found: {Count:N0}", "Activity_PackageId", activityPackageIds.Count);

                    foreach (var packageId in activityPackageIds)
                    {
                        var exeName = string.Empty;

                        if (packageId.PackageName.Contains(".exe"))
                        {
                            var segs = packageId.PackageName.Split('\\');

                            if (segs[0].StartsWith("{"))
                            {
                                var newname = GuidMapping.GuidMapping.GetDescriptionFromGuid(segs[0]);

                                segs[0] = newname;

                                exeName = string.Join("\\", segs);
                            }
                        }

                        var ape = new ActivityPackageIdEntry(packageId.ActivityId.ToString(), packageId.Platform,
                                                             packageId.PackageName, exeName, packageId.ExpirationTime);

                        apes.Add(ape);
                    }
                }
                catch (Exception e)
                {
                    if (e.Message.Contains("no such table"))
                    {
                        Log.Error("{Table} table does not exist!", "ActivityPackageId");
                    }
                    else
                    {
                        Log.Error(e, "Error processing {Table} table: {Message}", "ActivityPackageId", e.Message);
                    }
                }

                try
                {
                    var activities = db.Select <Classes.Activity>();

                    Log.Information("{Table} entries found: {Count:N0}", "Activity", activities.Count);

                    foreach (var act in activities)
                    {
                        var foo = act.AppId.FromJson <List <AppIdInfo> >();

                        var win32 = foo.FirstOrDefault(
                            t => t.Platform == "windows_win32" || t.Platform == "x_exe_path");

                        string exe;

                        if (win32 != null)
                        {
                            exe = win32.Application;
                        }
                        else
                        {
                            var wu = foo.FirstOrDefault(t => t.Platform == "windows_universal");
                            if (wu != null)
                            {
                                exe = wu.Application;
                            }
                            else
                            {
                                exe = foo.First().Application;
                            }
                        }

                        if (exe.StartsWith("{"))
                        {
                            var segs = exe.Split('\\');

                            if (segs[0].StartsWith("{"))
                            {
                                var newname = GuidMapping.GuidMapping.GetDescriptionFromGuid(segs[0]);

                                segs[0] = newname;

                                exe = string.Join("\\", segs);
                            }
                        }

                        var displayText    = string.Empty;
                        var contentInfo    = string.Empty;
                        var devicePlatform = string.Empty;
                        var timeZone       = string.Empty;

                        var clipPay = string.Empty;

                        if (act.ClipboardPayload is { Length: > 0 })
                        {
                            clipPay = Encoding.ASCII.GetString(act.ClipboardPayload);
                        }

                        var payload = Encoding.ASCII.GetString(act.Payload);

                        if (payload.StartsWith("{"))
                        {
                            var dti = payload.FromJson <PayloadData>();

                            timeZone       = dti.UserTimezone;
                            devicePlatform = dti.DevicePlatform;
                            displayText    = dti.DisplayText;

                            if (dti.ContentUri != null || dti.Description != null)
                            {
                                displayText = $"{dti.DisplayText} ({dti.AppDisplayName})";

                                var ci = dti.ContentUri.UrlDecode();

                                contentInfo = $"{dti.Description} ({dti.ContentUri.UrlDecode()})";

                                if (ci != null)
                                {
                                    if (ci.Contains("{") & ci.Contains("}"))
                                    {
                                        var start = ci.Substring(0, 5);
                                        var guid  = ci.Substring(6, 36);
                                        var end   = ci.Substring(43);

                                        var upContent =
                                            $"{start}{GuidMapping.GuidMapping.GetDescriptionFromGuid(guid)}{end}";

                                        contentInfo = $"{dti.Description} ({upContent})";
                                    }
                                }
                            }
                        }
                        else
                        {
                            payload = "(Binary data)";
                        }

                        var a = new ActivityEntry(act.Id.ToString(), exe, displayText, contentInfo,
                                                  act.LastModifiedTime, act.ExpirationTime, act.CreatedInCloud, act.StartTime,
                                                  act.EndTime,
                                                  act.LastModifiedOnClient, act.OriginalLastModifiedOnClient, act.ActivityType,
                                                  act.IsLocalOnly == 1, act.ETag, act.PackageIdHash, act.PlatformDeviceId, devicePlatform,
                                                  timeZone, payload, clipPay);

                        activitys.Add(a);
                    }
    private static void DoWork(string f, string d, string csv, string csvf, string json, string jsonf, string xml, string xmlf, string dt, string inc, string exc, string sd, string ed, bool fj, int tdt, bool met, string maps, bool vss, bool dedupe, bool sync, bool debug, bool trace)
    {
        var levelSwitch = new LoggingLevelSwitch();

        _activeDateTimeFormat = dt;

        var formatter =
            new DateTimeOffsetFormatter(CultureInfo.CurrentCulture);

        var template = "{Message:lj}{NewLine}{Exception}";

        if (debug)
        {
            levelSwitch.MinimumLevel = LogEventLevel.Debug;
            template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
        }

        if (trace)
        {
            levelSwitch.MinimumLevel = LogEventLevel.Verbose;
            template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
        }

        var conf = new LoggerConfiguration()
                   .WriteTo.Console(outputTemplate: template, formatProvider: formatter)
                   .MinimumLevel.ControlledBy(levelSwitch);

        Log.Logger = conf.CreateLogger();

        if (sync)
        {
            try
            {
                Log.Information("{Header}", Header);
                UpdateFromRepo();
            }
            catch (Exception e)
            {
                Log.Error(e, "There was an error checking for updates: {Message}", e.Message);
            }

            Environment.Exit(0);
        }

        if (f.IsNullOrEmpty() &&
            d.IsNullOrEmpty())
        {
            var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
            var hc      = new HelpContext(helpBld, _rootCommand, Console.Out);

            helpBld.Write(hc);

            Log.Warning("-f or -d is required. Exiting");
            Console.WriteLine();
            return;
        }

        Log.Information("{Header}", Header);
        Console.WriteLine();
        Log.Information("Command line: {Args}", string.Join(" ", Environment.GetCommandLineArgs().Skip(1)));
        Console.WriteLine();

        if (IsAdministrator() == false)
        {
            Log.Warning("Warning: Administrator privileges not found!");
            Console.WriteLine();
        }

        if (vss & !RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        {
            vss = false;
            Log.Warning("{Vss} not supported on non-Windows platforms. Disabling...", "--vss");
            Console.WriteLine();
        }

        if (vss & (IsAdministrator() == false))
        {
            Log.Error("{Vss} is present, but administrator rights not found. Exiting", "--vss");
            Console.WriteLine();
            return;
        }

        var sw = new Stopwatch();

        sw.Start();

        var ts = DateTimeOffset.UtcNow;

        _errorFiles = new Dictionary <string, int>();

        if (json.IsNullOrEmpty() == false)
        {
            if (Directory.Exists(json) == false)
            {
                Log.Information("Path to {Json} doesn't exist. Creating...", json);

                try
                {
                    Directory.CreateDirectory(json);
                }
                catch (Exception ex)
                {
                    Log.Fatal(ex,
                              "Unable to create directory {Json}. Does a file with the same name exist? Exiting", json);
                    Console.WriteLine();
                    return;
                }
            }

            var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.json";

            if (jsonf.IsNullOrEmpty() == false)
            {
                outName = Path.GetFileName(jsonf);
            }

            var outFile = Path.Combine(json, outName);

            Log.Information("json output will be saved to {OutFile}", outFile);
            Console.WriteLine();

            try
            {
                _swJson = new StreamWriter(outFile, false, Encoding.UTF8);
            }
            catch (Exception ex)
            {
                Log.Error(ex, "Unable to open {OutFile}! Is it in use? Exiting!", outFile);
                Console.WriteLine();
                Environment.Exit(0);
            }

            JsConfig.DateHandler = DateHandler.ISO8601;
        }

        if (xml.IsNullOrEmpty() == false)
        {
            if (Directory.Exists(xml) == false)
            {
                Log.Information("Path to {Xml} doesn't exist. Creating...", xml);

                try
                {
                    Directory.CreateDirectory(xml);
                }
                catch (Exception ex)
                {
                    Log.Fatal(ex,
                              "Unable to create directory {Xml}. Does a file with the same name exist? Exiting", xml);
                    return;
                }
            }

            var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.xml";

            if (xmlf.IsNullOrEmpty() == false)
            {
                outName = Path.GetFileName(xmlf);
            }

            var outFile = Path.Combine(xml, outName);

            Log.Information("XML output will be saved to {OutFile}", outFile);
            Console.WriteLine();

            try
            {
                _swXml = new StreamWriter(outFile, false, Encoding.UTF8);
            }
            catch (Exception ex)
            {
                Log.Error(ex, "Unable to open {OutFile}! Is it in use? Exiting!", outFile);
                Console.WriteLine();
                Environment.Exit(0);
            }
        }

        if (sd.IsNullOrEmpty() == false)
        {
            if (DateTimeOffset.TryParse(sd, null, DateTimeStyles.AssumeUniversal, out var dateTimeOffset))
            {
                _startDate = dateTimeOffset;
                Log.Information("Setting Start date to {StartDate}", _startDate.Value);
            }
            else
            {
                Log.Warning("Could not parse {Sd} to a valid datetime! Events will not be filtered by Start date!", sd);
            }
        }

        if (ed.IsNullOrEmpty() == false)
        {
            if (DateTimeOffset.TryParse(ed, null, DateTimeStyles.AssumeUniversal, out var dateTimeOffset))
            {
                _endDate = dateTimeOffset;
                Log.Information("Setting End date to {EndDate}", _endDate.Value);
            }
            else
            {
                Log.Warning("Could not parse {Ed} to a valid datetime! Events will not be filtered by End date!", ed);
            }
        }

        if (_startDate.HasValue || _endDate.HasValue)
        {
            Console.WriteLine();
        }


        if (csv.IsNullOrEmpty() == false)
        {
            if (Directory.Exists(csv) == false)
            {
                Log.Information(
                    "Path to {Csv} doesn't exist. Creating...", csv);

                try
                {
                    Directory.CreateDirectory(csv);
                }
                catch (Exception ex)
                {
                    Log.Fatal(ex,
                              "Unable to create directory {Csv}. Does a file with the same name exist? Exiting", csv);
                    return;
                }
            }

            var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.csv";

            if (csvf.IsNullOrEmpty() == false)
            {
                outName = Path.GetFileName(csvf);
            }

            var outFile = Path.Combine(csv, outName);

            Log.Information("CSV output will be saved to {OutFile}", outFile);
            Console.WriteLine();

            try
            {
                _swCsv = new StreamWriter(outFile, false, Encoding.UTF8);

                var opt = new CsvConfiguration(CultureInfo.InvariantCulture)
                {
                    ShouldUseConstructorParameters = _ => false
                };

                _csvWriter = new CsvWriter(_swCsv, opt);
            }
            catch (Exception ex)
            {
                Log.Error(ex, "Unable to open {OutFile}! Is it in use? Exiting!", outFile);
                Console.WriteLine();
                Environment.Exit(0);
            }


            var foo = _csvWriter.Context.AutoMap <EventRecord>();

            foo.Map(t => t.RecordPosition).Ignore();
            foo.Map(t => t.Size).Ignore();
            foo.Map(t => t.Timestamp).Ignore();

            foo.Map(t => t.RecordNumber).Index(0);
            foo.Map(t => t.EventRecordId).Index(1);
            foo.Map(t => t.TimeCreated).Index(2);
            foo.Map(t => t.TimeCreated).Convert(t =>
                                                $"{t.Value.TimeCreated.ToString(dt)}");
            foo.Map(t => t.EventId).Index(3);
            foo.Map(t => t.Level).Index(4);
            foo.Map(t => t.Provider).Index(5);
            foo.Map(t => t.Channel).Index(6);
            foo.Map(t => t.ProcessId).Index(7);
            foo.Map(t => t.ThreadId).Index(8);
            foo.Map(t => t.Computer).Index(9);
            foo.Map(t => t.UserId).Index(10);
            foo.Map(t => t.MapDescription).Index(11);
            foo.Map(t => t.UserName).Index(12);
            foo.Map(t => t.RemoteHost).Index(13);
            foo.Map(t => t.PayloadData1).Index(14);
            foo.Map(t => t.PayloadData2).Index(15);
            foo.Map(t => t.PayloadData3).Index(16);
            foo.Map(t => t.PayloadData4).Index(17);
            foo.Map(t => t.PayloadData5).Index(18);
            foo.Map(t => t.PayloadData6).Index(19);
            foo.Map(t => t.ExecutableInfo).Index(20);
            foo.Map(t => t.HiddenRecord).Index(21);
            foo.Map(t => t.SourceFile).Index(22);
            foo.Map(t => t.Keywords).Index(23);
            foo.Map(t => t.Payload).Index(24);

            _csvWriter.Context.RegisterClassMap(foo);
            _csvWriter.WriteHeader <EventRecord>();
            _csvWriter.NextRecord();
        }

        if (Directory.Exists(maps) == false)
        {
            Log.Warning("Maps directory {Maps} does not exist! Event ID maps will not be loaded!!", maps);
        }
        else
        {
            Log.Debug("Loading maps from {Path}", Path.GetFullPath(maps));
            var errors = EventLog.LoadMaps(Path.GetFullPath(maps));

            if (errors)
            {
                return;
            }

            Log.Information("Maps loaded: {Count:N0}", EventLog.EventLogMaps.Count);
        }

        _includeIds = new HashSet <int>();
        _excludeIds = new HashSet <int>();

        if (exc.IsNullOrEmpty() == false)
        {
            var excSegs = exc.Split(',');

            foreach (var incSeg in excSegs)
            {
                if (int.TryParse(incSeg, out var goodId))
                {
                    _excludeIds.Add(goodId);
                }
            }
        }

        if (inc.IsNullOrEmpty() == false)
        {
            _excludeIds.Clear();
            var incSegs = inc.Split(',');

            foreach (var incSeg in incSegs)
            {
                if (int.TryParse(incSeg, out var goodId))
                {
                    _includeIds.Add(goodId);
                }
            }
        }

        if (vss)
        {
            string driveLetter;
            if (f.IsEmpty() == false)
            {
                driveLetter = Path.GetPathRoot(Path.GetFullPath(f))
                              .Substring(0, 1);
            }
            else
            {
                driveLetter = Path.GetPathRoot(Path.GetFullPath(d))
                              .Substring(0, 1);
            }


            Helper.MountVss(driveLetter, VssDir);
            Console.WriteLine();
        }

        EventLog.TimeDiscrepancyThreshold = tdt;

        if (f.IsNullOrEmpty() == false)
        {
            if (File.Exists(f) == false)
            {
                Log.Warning("\t{F} does not exist! Exiting", f);
                Console.WriteLine();
                return;
            }

            if (_swXml == null && _swJson == null && _swCsv == null)
            {
                //no need for maps
                Log.Debug("Clearing map collection since no output specified");
                EventLog.EventLogMaps.Clear();
            }

            dedupe = false;

            ProcessFile(Path.GetFullPath(f), dedupe, fj, met);

            if (vss)
            {
                var vssDirs = Directory.GetDirectories(VssDir);

                var root = Path.GetPathRoot(Path.GetFullPath(f));
                var stem = Path.GetFullPath(f).Replace(root, "");

                foreach (var vssDir in vssDirs)
                {
                    var newPath = Path.Combine(vssDir, stem);
                    if (File.Exists(newPath))
                    {
                        ProcessFile(newPath, dedupe, fj, met);
                    }
                }
            }
        }
        else
        {
            if (Directory.Exists(d) == false)
            {
                Log.Warning("\t{D} does not exist! Exiting", d);
                Console.WriteLine();
                return;
            }

            Log.Information("Looking for event log files in {D}", d);
            Console.WriteLine();

#if !NET6_0
            var directoryEnumerationFilters = new DirectoryEnumerationFilters
            {
                InclusionFilter = fsei => fsei.Extension.ToUpperInvariant() == ".EVTX",
                RecursionFilter = entryInfo => !entryInfo.IsMountPoint && !entryInfo.IsSymbolicLink,
                ErrorFilter     = (errorCode, errorMessage, pathProcessed) => true
            };

            var dirEnumOptions =
                DirectoryEnumerationOptions.Files | DirectoryEnumerationOptions.Recursive |
                DirectoryEnumerationOptions.SkipReparsePoints | DirectoryEnumerationOptions.ContinueOnException |
                DirectoryEnumerationOptions.BasicSearch;

            var files2 =
                Directory.EnumerateFileSystemEntries(Path.GetFullPath(d), dirEnumOptions, directoryEnumerationFilters);
#else
            var enumerationOptions = new EnumerationOptions
            {
                IgnoreInaccessible    = true,
                MatchCasing           = MatchCasing.CaseInsensitive,
                RecurseSubdirectories = true,
                AttributesToSkip      = 0
            };

            var files2 =
                Directory.EnumerateFileSystemEntries(d, "*.evtx", enumerationOptions);
#endif

            if (_swXml == null && _swJson == null && _swCsv == null)
            {
                //no need for maps
                Log.Debug("Clearing map collection since no output specified");
                EventLog.EventLogMaps.Clear();
            }

            foreach (var file in files2)
            {
                ProcessFile(file, dedupe, fj, met);
            }

            if (vss)
            {
                var vssDirs = Directory.GetDirectories(VssDir);

                Console.WriteLine();

                foreach (var vssDir in vssDirs)
                {
                    var root = Path.GetPathRoot(Path.GetFullPath(d));
                    var stem = Path.GetFullPath(d).Replace(root, "");

                    var target = Path.Combine(vssDir, stem);

                    Console.WriteLine();
                    Log.Information("Searching {Vss} for event logs...", $"VSS{target.Replace($"{VssDir}\\", "")}");

                    var vssFiles = Helper.GetFilesFromPath(target, "*.evtx", true);

                    foreach (var file in vssFiles)
                    {
                        ProcessFile(file, dedupe, fj, met);
                    }
                }
            }
        }

        try
        {
            _swCsv?.Flush();
            _swCsv?.Close();

            _swJson?.Flush();
            _swJson?.Close();

            _swXml?.Flush();
            _swXml?.Close();
        }
        catch (Exception e)
        {
            Log.Error(e, "Error when flushing output files to disk! Error message: {Message}", e.Message);
        }

        sw.Stop();
        Console.WriteLine();

        if (_fileCount == 1)
        {
            Log.Information("Processed {FileCount:N0} file in {TotalSeconds:N4} seconds", _fileCount, sw.Elapsed.TotalSeconds);
        }
        else
        {
            Log.Information("Processed {FileCount:N0} files in {TotalSeconds:N4} seconds", _fileCount, sw.Elapsed.TotalSeconds);
        }

        Console.WriteLine();

        if (_errorFiles.Count > 0)
        {
            Console.WriteLine();
            Log.Information("Files with errors");
            foreach (var errorFile in _errorFiles)
            {
                Log.Information("{Key} error count: {Value:N0}", errorFile.Key, errorFile.Value);
            }

            Console.WriteLine();
        }

        if (vss)
        {
            if (Directory.Exists(VssDir))
            {
                foreach (var directory in Directory.GetDirectories(VssDir))
                {
                    Directory.Delete(directory);
                }

#if !NET6_0
                Directory.Delete(VssDir, true, true);
#else
                Directory.Delete(VssDir, true);
#endif
            }
        }
    }