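/// <summary>
/// Print out bytes of a file header.
/// </summary>
/// <param name="fileName">file to read</param>
/// <param name="numBytes">number of bytes to read from the start of the file; must not be negative</param>
/// <remarks>
/// Only the bytes that were actually read are handed to <c>GuessFileFormat.BToChar</c>.
/// The previous implementation ignored the return value of <c>FileStream.Read</c>, so a
/// file shorter than <paramref name="numBytes"/> (or a short read) left the tail of the
/// buffer as zero bytes that were printed as though they came from the file.
/// Errors while reading are reported on the console rather than propagated, as before;
/// an error opening the file still propagates to the caller, also as before.
/// </remarks>
public static void PrintFileHeaderBytes(string fileName, int numBytes)
{
    using (FileStream fileStream = File.OpenRead(fileName))
    {
        try
        {
            if (numBytes < 0)
            {
                // Caught below and reported like any other read error; gives a
                // clearer message than the overflow the array allocation would raise.
                throw new ArgumentOutOfRangeException(nameof(numBytes), "Number of bytes to read must not be negative.");
            }

            byte[] buffer = new byte[numBytes];
            fileStream.Seek(0, SeekOrigin.Begin);

            // Read may return fewer bytes than requested; keep going until the
            // request is satisfied or end of file is reached.
            int total = 0;
            while (total < numBytes)
            {
                int read = fileStream.Read(buffer, total, numBytes - total);
                if (read == 0)
                {
                    break;
                }
                total += read;
            }

            // Trim so that unread (zero-filled) slots are not presented as header bytes.
            if (total < numBytes)
            {
                Array.Resize(ref buffer, total);
            }

            Console.WriteLine(GuessFileFormat.BToChar(buffer));
        }
        catch (Exception ex)
        {
            Console.WriteLine("Error encountered when reading file");
            Console.WriteLine(ex.Message);
        }
    }
}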
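/// <summary>
/// Main handles for scanning a file. Takes in the configurations bools to handle what to execute on file.
/// </summary>
/// <param name="filename">file name</param>
/// <param name="yaraScan">yara scan file</param>
/// <param name="stringSearch">search for strings</param>
/// <param name="guessFile">attempt to identify file</param>
/// <param name="pii">search for pii</param>
/// <exception cref="FileNotFoundException">thrown when <paramref name="filename"/> does not exist</exception>
/// <remarks>
/// File info and hashes are always displayed. String extraction is performed at most once
/// and shared by the string-search and PII passes. The previous implementation re-ran the
/// extraction whenever the list was empty, which re-read the whole file when the string
/// search had legitimately found nothing; extraction is now tracked explicitly.
/// </remarks>
public static void ScanFile(string filename, bool yaraScan, bool stringSearch, bool guessFile, bool pii)
{
    if (!File.Exists(filename))
    {
        throw new FileNotFoundException("Please enter a filename with the correct/full path.");
    }

    FileInfo fInfo = new FileInfo(filename);
    FAFileInfo.PrintFileInfo(fInfo);
    FAFileInfo.DisplayHashes(filename);

    if (guessFile)
    {
        GuessFileFormat.Guess(filename);
    }

    // Shared between the string-search and PII passes so the file is only walked once.
    List<string> foundStrings = new List<string>();
    bool stringsExtracted = false;

    if (stringSearch)
    {
        FAStrings.GetStrings(filename, STRING_THRESHOLD, ref foundStrings);
        stringsExtracted = true;
        FAStrings.DisplayDLLs(foundStrings);
        FAStrings.DisplayIPv4s(foundStrings);
        FAStrings.DisplayWebsites(foundStrings);
        FAStrings.DisplayErrors(foundStrings);
    }

    if (pii)
    {
        if (!stringsExtracted)
        {
            FAStrings.GetStrings(filename, STRING_THRESHOLD, ref foundStrings);
            stringsExtracted = true;
        }
        FAStrings.DisplayPhoneNumbers(foundStrings);
        FAStrings.DisplaySSNs(foundStrings);
        FAStrings.DisplayEmails(foundStrings);
    }

    if (yaraScan)
    {
        // NOTE(review): filename is handed to an external Python helper. If that helper
        // builds a shell command line from it, the path must be quoted/escaped there
        // (a path containing shell metacharacters would otherwise be interpreted);
        // cannot be verified from this file.
        string s = PythonScript.YaraScan(filename);
        Console.WriteLine(s);
    }
}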
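/// <summary>
/// Print the magic-header signatures from the database that match the start of the file.
/// </summary>
/// <param name="filename">file to identify</param>
/// <remarks>
/// When several database entries share a header (zip containers, JFIF JPEGs) the user is
/// asked once whether to interrogate the file further. If they agree, the format-specific
/// identifier is used and, on success, the remaining duplicate entries are skipped; if it
/// cannot narrow the format down, the generic signature is printed instead.
/// The previous implementation applied the answer only to signatures seen after the one
/// that triggered the prompt, so the first ambiguous match was neither printed nor
/// interrogated, and it did not null-check the JPEG identifier's result.
/// If no header matches, <c>TestTSQL</c> is tried before reporting an unknown type.
/// </remarks>
public static void Guess(string filename)
{
    Console.WriteLine("\n\n++++++++Magic File Headers Matches++++++++");
    List<FASignature> sigs = GuessFileFormat.ReadFileHeaders(filename);

    if (sigs.Count == 1) //easy no duplicate IDs
    {
        Console.WriteLine("\t" + sigs[0].ToString());
    }
    else if (sigs.Count > 1)
    {
        //TODO handle this so that if check zip has occured then filter accordingly
        //Refactor this into something for zips
        //TODO do the same for other formats.
        bool? scrutenize = null;
        foreach (var sig in sigs)
        {
            // Pick the format-specific identifier for headers known to be ambiguous.
            Func<FASignature> identifier = null;
            if (sig.HexSignature == "50 4B 03 04") //this is the first match in the database for zip
            {
                identifier = () => IdentifyZip(filename);
            }
            else if (sig.HexSignature == "FF D8 FF E0") //jpeg
            {
                identifier = () => IdentifyJPEG(filename);
            }
            //insert other scrutinization here.

            if (identifier == null)
            {
                Console.WriteLine("\t" + sig.ToString(full: true));
                continue;
            }

            // Prompt once; the answer applies to this signature as well as later ones.
            if (scrutenize == null)
            {
                scrutenize = FAUtilities.GetUserInput("Ambiguous File Header.\n Would you like to interrogate further?");
            }

            if (scrutenize != true)
            {
                Console.WriteLine("\t" + sig.ToString(full: true));
                continue;
            }

            FASignature fasig = identifier();
            if (fasig != null)
            {
                Console.WriteLine("\t" + fasig.ToString(full: true));
                break;
            }

            // The specific identifier could not narrow it down; fall back to the generic entry.
            Console.WriteLine("\t" + sig.ToString(full: true));
        }
    }
    else
    {
        //TODO no specific matches. heres where to write methods to scrutenize files without headers.
        if (!TestTSQL(filename))
        {
            Console.WriteLine("\tNo Header Matched in DB. Possible ambiguous file type.");
        }
    }
    Console.WriteLine("\n");
}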