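/// <summary>
/// Tests <paramref name="Target"/> against the regular expressions configured under
/// Platform / ScanType / ItemType / Property / FilterType in the loaded filter configuration.
/// Compiled patterns are cached in <c>_filters</c> under a colon-joined key.
/// </summary>
/// <param name="Platform">First level of the filter configuration lookup.</param>
/// <param name="ScanType">Second level of the lookup.</param>
/// <param name="ItemType">Third level of the lookup.</param>
/// <param name="Property">Fourth level of the lookup.</param>
/// <param name="FilterType">Fifth level of the lookup; the node found there is read as an array of patterns.</param>
/// <param name="Target">The string to test.</param>
/// <param name="regex">The first pattern that matched, or null when the method returns false.</param>
/// <returns>
/// true if a configured pattern matches <paramref name="Target"/>; false when nothing matches,
/// when no configuration is loaded, or when the filter entry is missing or cannot be read.
/// </returns>
public static bool IsFiltered(string Platform, string ScanType, string ItemType, string Property, string FilterType, string Target, out Regex regex)
{
    regex = null;

    // Without a loaded filter configuration nothing can be excluded.
    if (config == null)
    {
        return false;
    }

    try
    {
        string key = String.Format("{0}:{1}:{2}:{3}:{4}", Platform, ScanType, ItemType, Property, FilterType);
        List<Regex> filters = null;
        bool cached = false;

        // NOTE(review): the comments below say callers run in parallel. The Add/ArgumentException
        // handling only covers a duplicate insert; confirm that _filters is a collection that
        // tolerates concurrent readers and writers.
        try
        {
            // TryGetValue instead of indexing and catching KeyNotFoundException: a cache miss is
            // the normal first-call case and should not cost an exception.
            cached = _filters.TryGetValue(key, out filters);
        }
        catch (Exception e)
        {
            // The cache lookup itself failed. Report it and treat the target as not filtered,
            // like every other failure path in this method.
            Logger.DebugException(e);
            Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
            return false;
        }

        if (!cached)
        {
            filters = new List<Regex>();
            try
            {
                JArray jFilters = (JArray)config[Platform][ScanType][ItemType][Property][FilterType];
                foreach (var jFilter in jFilters)
                {
                    try
                    {
                        // NOTE(review): patterns are compiled without a match timeout. If Target carries
                        // names read from a scanned system, a backtracking-heavy pattern can stall the
                        // scan; the Regex constructor overload that takes a matchTimeout would bound it,
                        // and the per-filter catch in the match loop below already absorbs the
                        // resulting RegexMatchTimeoutException.
                        filters.Add(new Regex(jFilter.ToString()));
                    }
                    catch (Exception e)
                    {
                        // One bad pattern is skipped; the remaining patterns are still used.
                        Logger.DebugException(e);
                        Log.Debug("Failed to make a regex from {0}", jFilter.ToString());
                        Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
                    }
                }

                try
                {
                    _filters.Add(key, filters);
                }
                catch (ArgumentException)
                {
                    // We are running in parallel, it's possible someone added it in between the
                    // original check and now. Use the list that won.
                    filters = _filters[key];
                }
                Log.Debug(Strings.Get("SuccessParsed"), Platform, ScanType, ItemType, Property, FilterType);
            }
            catch (NullReferenceException)
            {
                // A level of the configuration path is missing. Cache an empty list so the
                // lookup is not repeated for every target.
                try
                {
                    _filters.Add(key, new List<Regex>());
                    Log.Debug(Strings.Get("FailedParsed"), Platform, ScanType, ItemType, Property, FilterType);
                }
                catch (ArgumentException)
                {
                    // We are running in parallel, it's possible someone added it in between the
                    // original check and now. No problem here.
                }
                catch (Exception e)
                {
                    Logger.DebugException(e);
                    Log.Debug(e.StackTrace);
                }

                // Since there were no filters for this, it is not filtered.
                return false;
            }
            catch (JsonReaderException)
            {
                // The filter file could not be read as JSON: cache an empty list and do not filter.
                try
                {
                    _filters.Add(key, new List<Regex>());
                    Log.Information(Strings.Get("Err_FiltersFile"), Platform, ScanType, ItemType, Property, FilterType);
                }
                catch (ArgumentException)
                {
                    // We are running in parallel, it's possible someone added it in between the
                    // original check and now. No problem here.
                }
                catch (Exception e)
                {
                    Logger.DebugException(e);
                    Log.Debug(e.StackTrace);
                }
                return false;
            }
        }

        // Match against the list resolved above rather than indexing _filters[key] a second
        // time, so a missing cache entry cannot surface here as an escaping KeyNotFoundException.
        foreach (Regex filter in filters)
        {
            try
            {
                if (filter.IsMatch(Target))
                {
                    regex = filter;
                    Log.Verbose("{0} caught {1}", filter, Target);
                    return true;
                }
            }
            catch (Exception e)
            {
                Log.Debug("Probably this is some of those garbled keys or a bad regex");
                Logger.DebugException(e);
                Log.Debug(filter.ToString());
                Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
            }
        }
    }
    catch (NullReferenceException e)
    {
        Log.Debug("No Filter Entry {0}, {1}, {2}, {3}, {4}", Platform, ScanType, ItemType, Property, FilterType);
        Logger.DebugException(e);
    }

    return false;
}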
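/// <summary>
/// Walks a registry hive with an explicit stack, starting from both the 32-bit and the 64-bit
/// registry view, and yields a RegistryObject for every visited key that is not excluded by the
/// scan filters and that RegistryKeyToRegistryObject converts to a non-null object.
/// </summary>
/// <param name="Hive">The hive to open in both registry views.</param>
/// <param name="startingKey">Optional sub key to start from; null walks the whole hive.</param>
/// <returns>A lazily evaluated sequence of the keys found.</returns>
public static IEnumerable<RegistryObject> WalkHive(RegistryHive Hive, string startingKey = null)
{
    Stack<RegistryKey> keys = new Stack<RegistryKey>();

    RegistryKey x86_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry32);
    if (startingKey != null)
    {
        x86_View = x86_View.OpenSubKey(startingKey);
    }
    keys.Push(x86_View);

    RegistryKey x64_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry64);
    if (startingKey != null)
    {
        x64_View = x64_View.OpenSubKey(startingKey);
    }
    keys.Push(x64_View);

    // NOTE(review): the RegistryKey handles opened in this method are never disposed here.
    // Whether they can be disposed after conversion depends on whether
    // RegistryKeyToRegistryObject keeps a reference to the key; confirm before changing.
    while (keys.Count > 0)
    {
        RegistryKey currentKey = keys.Pop();

        // OpenSubKey returns null for a key that does not exist.
        if (currentKey == null)
        {
            continue;
        }

        // A filtered key is skipped together with everything below it.
        if (Filter.IsFiltered(Helpers.GetPlatformString(), "Scan", "Registry", "Key", currentKey.Name))
        {
            continue;
        }

        // Listing the sub keys can fail too, for example when the key is deleted while it is
        // waiting on the stack. Unguarded, that exception would end the whole enumeration, so
        // the key is treated as having no children and the walk continues.
        string[] subKeyNames;
        try
        {
            subKeyNames = currentKey.GetSubKeyNames();
        }
        catch (System.Security.SecurityException e)
        {
            Log.Verbose(e, "Permission Denied: {0}", currentKey.Name);
            subKeyNames = new string[0];
        }
        catch (UnauthorizedAccessException e)
        {
            Log.Verbose(e, "Permission Denied: {0}", currentKey.Name);
            subKeyNames = new string[0];
        }
        catch (System.IO.IOException e)
        {
            Log.Verbose(e, "Error Reading: {0}", currentKey.Name);
            subKeyNames = new string[0];
        }

        // First push all the new subkeys onto our stack.
        // NOTE(review): the handlers below log the parent key name, not the sub key that
        // failed to open, so the log does not identify exactly which key was left unscanned.
        foreach (string key in subKeyNames)
        {
            try
            {
                var next = currentKey.OpenSubKey(name: key, writable: false);
                keys.Push(next);
            }
            // These are expected as we are running as administrator, not System.
            catch (System.Security.SecurityException e)
            {
                Log.Verbose(e, "Permission Denied: {0}", currentKey.Name);
            }
            // There seem to be some keys which are listed as existing by the APIs but don't
            // actually exist. Unclear if these are just super transient keys or what the other
            // cause might be. Since this isn't user actionable, these are also only sent to the
            // verbose stream.
            catch (System.IO.IOException e)
            {
                Log.Verbose(e, "Error Reading: {0}", currentKey.Name);
            }
            catch (Exception e)
            {
                Log.Information(e, "Unexpected error when parsing {0}:", currentKey.Name);
                Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
            }
        }

        var regObj = RegistryKeyToRegistryObject(currentKey);
        if (regObj != null)
        {
            yield return regObj;
        }
    }
}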
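/// <summary>
/// Walks the directory tree below <paramref name="root"/> with an explicit stack. For each
/// directory visited it yields a FileInfo for every file that is not excluded by the scan
/// filters, then a DirectoryInfo for every sub-directory that is not a reparse point.
/// </summary>
/// <remarks>
/// The filter is applied to a directory when it is taken off the stack, so a filtered
/// sub-directory is still yielded as an entry but its contents are not walked.
/// Reparse-point directories are neither yielded nor descended into.
/// </remarks>
/// <param name="root">Directory to start from.</param>
/// <returns>A lazily evaluated sequence of files and directories.</returns>
/// <exception cref="ArgumentException">
/// <paramref name="root"/> does not exist. Because this is an iterator, the exception is raised
/// when enumeration starts, not when the method is called.
/// </exception>
public static IEnumerable<FileSystemInfo> WalkDirectory(string root)
{
    // Directories still waiting to be examined.
    Stack<string> dirs = new Stack<string>();

    if (!System.IO.Directory.Exists(root))
    {
        throw new ArgumentException("Unable to find [" + root + "]");
    }
    dirs.Push(root);

    while (dirs.Count > 0)
    {
        string currentDir = dirs.Pop();
        if (Filter.IsFiltered(Helpers.GetPlatformString(), "Scan", "File", "Path", currentDir))
        {
            continue;
        }

        string[] subDirs;
        try
        {
            subDirs = System.IO.Directory.GetDirectories(currentDir);
        }
        // Thrown when we lack permission to list the directory.
        catch (UnauthorizedAccessException)
        {
            Log.Debug("Unable to access: {0}", currentDir);
            continue;
        }
        // The directory was removed after it was queued.
        catch (System.IO.DirectoryNotFoundException)
        {
            Log.Debug("Directory not found: {0}", currentDir);
            continue;
        }
        // @TODO: Improve this catch.
        // This catches a case where we sometimes try to walk a file
        // even though it is not a directory on Mac OS.
        catch (Exception ex)
        {
            Log.Debug(ex.StackTrace);
            Log.Debug(ex.GetType().ToString());
            continue;
        }

        string[] files = null;
        try
        {
            files = System.IO.Directory.GetFiles(currentDir);
        }
        catch (UnauthorizedAccessException e)
        {
            Log.Debug(e.Message);
            continue;
        }
        catch (System.IO.DirectoryNotFoundException e)
        {
            Log.Debug(e.Message);
            continue;
        }
        // Same fallback as for GetDirectories above: any other I/O failure on one directory
        // is logged and skipped instead of ending the whole enumeration.
        catch (Exception ex)
        {
            Log.Debug(ex.StackTrace);
            Log.Debug(ex.GetType().ToString());
            continue;
        }

        foreach (string file in files)
        {
            // Filter first so excluded paths never reach the FileInfo constructor.
            if (Filter.IsFiltered(Helpers.GetPlatformString(), "Scan", "File", "Path", file))
            {
                continue;
            }

            FileInfo fileInfo = null;
            try
            {
                fileInfo = new FileInfo(file);
            }
            catch (Exception e)
            {
                // The constructor validates the path but does not check that the file exists, so
                // FileNotFoundException is not among the exceptions it is documented to raise;
                // the failures it does raise (over-long or unsupported path, access denied) are
                // logged and the entry is skipped.
                Log.Debug(e.Message);
                continue;
            }

            yield return fileInfo;
        }

        // Queue the sub-directories for traversal and report each one as an entry.
        foreach (string subDir in subDirs)
        {
            DirectoryInfo dirInfo = null;
            try
            {
                dirInfo = new DirectoryInfo(subDir);

                // Skip symlinks to avoid loops.
                // Future improvement: log it as a symlink in the data.
                // NOTE(review): this check runs when the directory is queued, not when it is
                // enumerated later; a directory replaced by a link in between is still walked.
                if (dirInfo.Attributes.HasFlag(FileAttributes.ReparsePoint))
                {
                    continue;
                }
            }
            catch (System.IO.DirectoryNotFoundException)
            {
                // The directory was removed by another process or thread after it was listed.
                continue;
            }
            catch (Exception e)
            {
                Logger.DebugException(e);
                Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Warning, e);
                continue;
            }

            dirs.Push(subDir);
            yield return dirInfo;
        }
    }
}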