 /// <summary>
 /// Bundles everything a file-enumeration run needs: the cancellation token, the
 /// folder and search patterns to scan, the YARA filters, the persistence sink and
 /// the callbacks through which progress, results and errors are reported.
 /// </summary>
 /// <param name="cancelToken">Token the worker polls to abort the enumeration.</param>
 /// <param name="disableWorkerThread">Stored as-is; consumed by the enumerator, not here.</param>
 /// <param name="selectedFolder">Folder (or drive root) whose files are enumerated.</param>
 /// <param name="searchPatterns">Raw pattern text; it is run through <c>ParseSearchPatterns</c> before being stored.</param>
 /// <param name="calculateEntropy">Whether per-file entropy should be computed.</param>
 /// <param name="yaraParameters">YARA filters to evaluate against each file.</param>
 /// <param name="dataPersistenceLayerClass">Sink that receives each file's properties.</param>
 /// <param name="reportOutputFunction">Callback for report output lines.</param>
 /// <param name="logOutputFunction">Callback for log output lines.</param>
 /// <param name="reportResultsFunction">Callback that receives the final <c>FileEnumeratorReport</c>.</param>
 /// <param name="reportExceptionFunction">Callback invoked with two message strings and the exception when an error is reported.</param>
 public FileEnumeratorParameters(CancellationToken cancelToken,
                                 bool disableWorkerThread,
                                 string selectedFolder,
                                 string searchPatterns,
                                 bool calculateEntropy,
                                 List <YaraFilter> yaraParameters,
                                 IDataPersistenceLayer dataPersistenceLayerClass,
                                 Action <string> reportOutputFunction,
                                 Action <string> logOutputFunction,
                                 Action <FileEnumeratorReport> reportResultsFunction,
                                 Action <string, string, Exception> reportExceptionFunction
                                 )
 {
     // The only argument that is transformed on the way in is the pattern text.
     List <string> parsedPatterns = ParseSearchPatterns(searchPatterns);

     // Reporting callbacks.
     ReportOutputFunction    = reportOutputFunction;
     LogOutputFunction       = logOutputFunction;
     ReportResultsFunction   = reportResultsFunction;
     ReportExceptionFunction = reportExceptionFunction;

     // Scan inputs and control.
     CancelToken          = cancelToken;
     DisableWorkerThread  = disableWorkerThread;
     SelectedFolder       = selectedFolder;
     SearchPatterns       = parsedPatterns;
     CalculateEntropy     = calculateEntropy;
     YaraParameters       = yaraParameters;
     DataPersistenceLayer = dataPersistenceLayerClass;
 }
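        /// <summary>
        /// Enumerates the files described by <paramref name="parameters"/>, populates and
        /// scans each one, persists the per-file results and returns the accumulated
        /// YARA detections.
        /// </summary>
        /// <param name="parameters">Scan configuration, callbacks and (optional) persistence sink.</param>
        /// <returns>
        /// Every <c>YaraDetections</c> entry produced by <c>PopulateFileProperties</c>, in
        /// enumeration order. A cancelled run returns whatever was gathered so far.
        /// </returns>
        private static List <string> Worker(ScanParameters parameters)
        {
            List <string> resultsAggregate = new List <string>();
            IDataPersistenceLayer dataPersistenceLayer = parameters.DataPersistenceLayer;

            try
            {
                IEnumerable <INode> mftNodes = FileEnumerator.EnumerateFiles(parameters);

                foreach (INode node in mftNodes)
                {
                    string message = $"MFT#: {node.MFTRecordNumber.ToString().PadRight(7)} Seq.#: {node.SequenceNumber.ToString().PadRight(4)} Path: {node.FullName}";

                    parameters.LogOutputFunction?.Invoke(message);
                    parameters.ReportOutputFunction?.Invoke(message);

                    ScanResults results = PopulateFileProperties(parameters, parameters.SelectedFolder[0], node);
                    resultsAggregate.AddRange(results.YaraDetections);

                    // The scanner form can hand in a null sink (every persistence option
                    // there is commented out), so skip the insert instead of dereferencing
                    // it. A failed insert used to be ignored silently; surface it in the log.
                    if (dataPersistenceLayer != null && !dataPersistenceLayer.PersistFileProperties(results))
                    {
                        parameters.LogOutputFunction?.Invoke($"Failed to persist scan results for: {node.FullName}");
                    }

                    parameters.CancelToken.ThrowIfCancellationRequested();
                }
            }
            catch (OperationCanceledException)
            {
                // Cancellation is the expected way to stop early; the partial aggregate is returned.
            }
            finally
            {
                // Previously disposed only on the success path, which leaked the sink
                // (open CSV file / database connection) on cancellation or any other exception.
                dataPersistenceLayer?.Dispose();
            }

            return(resultsAggregate);
        }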
 /// <summary>
 /// Bundles the inputs of a YARA file scan: the cancellation token, the folder to
 /// scan, the YARA filters, the persistence sink and the reporting callbacks.
 /// </summary>
 /// <param name="cancelToken">Token the worker polls to abort the scan.</param>
 /// <param name="selectedFolder">Folder whose files are scanned.</param>
 /// <param name="yaraParameters">YARA filters to evaluate against each file.</param>
 /// <param name="dataPersistenceLayerClass">Sink for per-file results; the scanner form passes null when no persistence is configured.</param>
 /// <param name="reportOutputFunction">Callback for report output lines.</param>
 /// <param name="logOutputFunction">Callback for log output lines.</param>
 /// <param name="reportResultsFunction">Callback that receives the aggregated detections.</param>
 /// <param name="reportExceptionFunction">Callback invoked with two message strings and the exception when an error is reported.</param>
 public ScanParameters(CancellationToken cancelToken,
                       string selectedFolder,
                       List <YaraFilter> yaraParameters,
                       IDataPersistenceLayer dataPersistenceLayerClass,
                       Action <string> reportOutputFunction,
                       Action <string> logOutputFunction,
                       Action <List <string> > reportResultsFunction,
                       Action <string, string, Exception> reportExceptionFunction)
 {
     // Every argument is stored verbatim; no validation happens here
     // (see ThrowIfAnyParametersInvalid, called by the form before launching).
     ReportOutputFunction    = reportOutputFunction;
     LogOutputFunction       = logOutputFunction;
     ReportResultsFunction   = reportResultsFunction;
     ReportExceptionFunction = reportExceptionFunction;

     CancelToken          = cancelToken;
     SelectedFolder       = selectedFolder;
     YaraParameters       = yaraParameters;
     DataPersistenceLayer = dataPersistenceLayerClass;
 }
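        /// <summary>
        /// Search-button handler. While a scan is active it flips the toggle to
        /// <c>Inactive</c> (stop request); while idle it reads the form's inputs,
        /// builds the enumeration parameters, validates them and launches the enumerator.
        /// </summary>
        /// <remarks>
        /// Persistence-layer construction and parameter validation share one try block:
        /// a bad CSV path or connection string is then reported in the same message box
        /// as any other invalid input instead of escaping the handler with the toggle
        /// stuck on <c>Active</c>. On that path the already-constructed persistence
        /// layer is disposed so its file / connection is not leaked.
        /// </remarks>
        private void BeginScanning()
        {
            if (ProcessingToggle.CurrentState == ToggleState.Active)
            {
                btnSearch.Enabled = false;
                ProcessingToggle.SetState(ToggleState.Inactive);
                return;
            }

            if (ProcessingToggle.CurrentState != ToggleState.Ready)
            {
                return;
            }

            btnSearch.Enabled = false;
            ProcessingToggle.SetState(ToggleState.Active);

            bool   calculateEntropy = checkboxCalculateEntropy.Checked;
            string selectedFolder   = tbPath.Text;
            string searchPatterns   = tbSearchPatterns.Text;

            List <YaraFilter> yaraParameters = checkBoxYaraRules.Checked
                ? currentYaraFilters.ToList()
                : new List <YaraFilter>();

            IDataPersistenceLayer    dataPersistenceLayer = null;
            FileEnumeratorParameters parameters           = null;
            bool didThrow = false;

            enumerationStart = DateTime.Now;

            try
            {
                // tbPersistenceParameter holds a file path for CSV/SQLite and a
                // connection string for SQL Server; the selected radio decides which.
                string persistenceParameter = tbPersistenceParameter.Text;
                if (radioPersistenceCSV.Checked)
                {
                    dataPersistenceLayer = new CsvDataPersistenceLayer(persistenceParameter);
                }
                else if (radioPersistenceSqlite.Checked)
                {
                    dataPersistenceLayer = new SqliteDataPersistenceLayer(persistenceParameter);
                }
                else if (radioPersistenceSqlServer.Checked)
                {
                    dataPersistenceLayer = new SqlDataPersistenceLayer(persistenceParameter);
                }

                parameters = new FileEnumeratorParameters(cancelToken,
                                                          Settings.FileEnumeration_DisableWorkerThread,
                                                          selectedFolder,
                                                          searchPatterns,
                                                          calculateEntropy,
                                                          yaraParameters,
                                                          dataPersistenceLayer,
                                                          Log.ToUI, Log.ToFile, ReportNumbers, Log.ExceptionMessage);

                parameters.ThrowIfAnyParametersInvalid();
            }
            catch (Exception ex)
            {
                didThrow = true;
                // Only the first line (type + message) is shown; the stack trace is not useful to the operator.
                MessageBox.Show(
                    ex.ToString().Split(new char[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries).FirstOrDefault(),
                    MsgBox_TitleBarText,
                    MessageBoxButtons.OK,
                    MessageBoxIcon.Error
                    );
            }

            if (didThrow)
            {
                // Nothing will consume the sink, so release it before returning to Ready.
                dataPersistenceLayer?.Dispose();
                ProcessingToggle.SetState(ToggleState.Ready);
                return;
            }

            Log.ToUI(Environment.NewLine);
            Log.ToAll($"Beginning Enumeration of folder: \"{parameters.SelectedFolder}\"");
            Log.ToAll("Parsing MFT. (This may take a few minutes)");
            FileEnumerator.LaunchFileEnumerator(parameters);
        }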
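        /// <summary>
        /// Walks the MFT of the NTFS drive that holds <c>parameters.SelectedFolder</c>,
        /// keeps the plain files under that folder that match the search patterns,
        /// populates and persists each file's properties, and returns the counts and
        /// timings of the run.
        /// </summary>
        /// <param name="parameters">Validated enumeration parameters, callbacks and persistence sink.</param>
        /// <returns>
        /// A report with the enumerated-file and database-insert counts plus timing
        /// metrics. A cancelled run returns the partial counts.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// The selected folder is not on a ready NTFS drive (e.g. a UNC or removable path).
        /// </exception>
        private static FileEnumeratorReport Worker(FileEnumeratorParameters parameters)
        {
            TimingMetrics    timingMetrics       = new TimingMetrics();
            FailSuccessCount fileEnumCount       = new FailSuccessCount("OS files enumerated");
            FailSuccessCount databaseInsertCount = new FailSuccessCount("OS database rows updated");
            IDataPersistenceLayer dataPersistenceLayer = parameters.DataPersistenceLayer;

            try
            {
                parameters.CancelToken.ThrowIfCancellationRequested();

                // The enumeration is MFT-based, so the folder must be on a local NTFS
                // volume; its drive letter is the first character of the selected path.
                string driveLetter = parameters.SelectedFolder.Substring(0, 1);

                timingMetrics.Start(TimingMetric.ParsingMFT);

                DriveInfo driveToAnalyze = DriveInfo.GetDrives()
                    .Where(d => d.IsReady && d.DriveFormat == "NTFS")
                    .SingleOrDefault(d => d.Name.StartsWith(driveLetter, StringComparison.OrdinalIgnoreCase));

                if (driveToAnalyze == null)
                {
                    // Single() used to fail here with a bare "Sequence contains no elements"
                    // (or "more than one element" for a UNC path, whose first char '\' is
                    // contained in every drive name). Fail with a message that names the cause.
                    throw new InvalidOperationException(
                        $"\"{parameters.SelectedFolder}\" is not on a ready NTFS drive; only local NTFS volumes can be enumerated via the MFT.");
                }

                NtfsReader ntfsReader = new NtfsReader(driveToAnalyze, RetrieveMode.All);

                // Anything carrying one of these attributes is not a plain file and is skipped.
                NtfsNodeAttributes excludedAttributes =
                    NtfsNodeAttributes.Device
                    | NtfsNodeAttributes.Directory
                    | NtfsNodeAttributes.ReparsePoint
                    | NtfsNodeAttributes.SparseFile;

                IEnumerable <INode> mftNodes =
                    ntfsReader.GetNodes(driveToAnalyze.Name)
                    .Where(node => (node.Attributes & excludedAttributes) == 0)
                    .Where(node => FileMatchesPattern(node.FullName, parameters.SearchPatterns));

                // Restrict to the selected folder unless it is a drive root ("C:\").
                // The earlier filter used Contains(), which also admitted siblings that
                // merely share a prefix (selecting "C:\Temp" also scanned "C:\Temp2\...");
                // a prefix match on "<folder>\" keeps the scan inside the chosen tree.
                // Like the old filter, this assumes node.FullName is rooted at the drive.
                if (parameters.SelectedFolder.Length > 3)
                {
                    string folderPrefix = parameters.SelectedFolder.TrimEnd('\\') + "\\";
                    mftNodes = mftNodes.Where(node => node.FullName.StartsWith(folderPrefix, StringComparison.OrdinalIgnoreCase));
                }

                timingMetrics.Stop(TimingMetric.ParsingMFT);

                foreach (INode node in mftNodes)
                {
                    string message = $"MFT#: {node.MFTRecordNumber.ToString().PadRight(7)} Seq.#: {node.SequenceNumber.ToString().PadRight(4)} Path: {node.FullName}";

                    parameters.ReportAndLogOutputFunction.Invoke(message);

                    fileEnumCount.IncrementSucceededCount();

                    FileProperties prop = new FileProperties();
                    prop.PopulateFileProperties(parameters, parameters.SelectedFolder[0], node, timingMetrics);

                    // INSERT file properties into the configured persistence layer.
                    timingMetrics.Start(TimingMetric.PersistingFileProperties);
                    if (dataPersistenceLayer.PersistFileProperties(prop))
                    {
                        databaseInsertCount.IncrementSucceededCount();
                    }
                    else
                    {
                        databaseInsertCount.IncrementFailedCount();
                    }
                    timingMetrics.Stop(TimingMetric.PersistingFileProperties);

                    parameters.CancelToken.ThrowIfCancellationRequested();
                }
            }
            catch (OperationCanceledException)
            {
                // Cancellation is the normal early exit; the partial counts are still reported.
            }
            finally
            {
                // Run on every exit path (previously only on success) so a cancelled or
                // failing run does not leak the sink's file / connection.
                // NOTE(review): FileProperties.CleanUp() is static and was also only run on
                // success; it is assumed safe to call when no file was processed — confirm.
                dataPersistenceLayer?.Dispose();
                FileProperties.CleanUp();
            }

            return(new FileEnumeratorReport(new List <FailSuccessCount> {
                fileEnumCount, databaseInsertCount
            }, timingMetrics));
        }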
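        /// <summary>
        /// Search-button handler of the scanner form. While a scan is active it flips
        /// the toggle to <c>Inactive</c> (stop request); while idle it reads the form's
        /// inputs, builds the <c>ScanParameters</c>, validates them and launches the scan.
        /// </summary>
        /// <remarks>
        /// In this build no persistence layer is wired up: every CSV/SQLite/SQL Server
        /// assignment was commented out, so the radio buttons are not consulted and the
        /// scan runs with a null sink. Validation failures are logged, shown in a
        /// message box and return the toggle to <c>Ready</c>.
        /// </remarks>
        private void BeginScanning()
        {
            if (ProcessingToggle.CurrentState == ToggleState.Active)
            {
                btnSearch.Enabled = false;
                ProcessingToggle.SetState(ToggleState.Inactive);
                return;
            }

            if (ProcessingToggle.CurrentState != ToggleState.Ready)
            {
                return;
            }

            btnSearch.Enabled = false;
            ProcessingToggle.SetState(ToggleState.Active);

            string selectedFolder = tbPath.Text;

            // Unlike the enumerator form, the YARA filters are always applied here.
            List <YaraFilter> yaraParameters = currentYaraFilters.ToList();

            // Persistence is intentionally disabled in this build (see remarks).
            IDataPersistenceLayer dataPersistenceLayer = null;

            ScanParameters parameters =
                new ScanParameters(
                    cancelToken,
                    selectedFolder,
                    yaraParameters,
                    dataPersistenceLayer,
                    Log.ToUI,
                    Log.ToFile,
                    ReporResults,
                    Log.ExceptionMessage
                    );

            enumerationStart = DateTime.Now;

            bool didThrow = false;
            try
            {
                parameters.ThrowIfAnyParametersInvalid();
            }
            catch (Exception ex)
            {
                didThrow = true;
                // Only the first line (type + message) is logged and shown; the stack trace is not useful to the operator.
                string message = ex.ToString().Split(new char[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries).FirstOrDefault();
                Log.ToAll(message);
                MessageBox.Show(message, "", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }

            if (didThrow)
            {
                ProcessingToggle.SetState(ToggleState.Ready);
                return;
            }

            Log.ToUI(Environment.NewLine);
            Log.ToAll($"Beginning Enumeration of folder: \"{parameters.SelectedFolder}\"");
            Log.ToAll("Parsing MFT. (This may take a few minutes)");
            FileScanner.LaunchFileScan(parameters);
        }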