/// <summary> /// Uses ServiceController. /// </summary> internal void ExecuteWindows(CancellationToken cancellationToken) { try { SelectQuery sQuery = new SelectQuery("select * from Win32_Service"); // where name = '{0}'", "MCShield.exe")); using ManagementObjectSearcher mgmtSearcher = new ManagementObjectSearcher(sQuery); if (opts.SingleThread) { foreach (ManagementObject service in mgmtSearcher.Get()) { if (cancellationToken.IsCancellationRequested) { return; } ProcessManagementObject(service); } } else { var list = new List <ManagementObject>(); foreach (ManagementObject service in mgmtSearcher.Get()) { list.Add(service); } ParallelOptions po = new ParallelOptions() { CancellationToken = cancellationToken }; Parallel.ForEach(list, po, x => ProcessManagementObject(x)); } } catch (Exception e) { Log.Warning(e, "Failed to run Service Collector."); } var fsc = new FileSystemCollector(new CollectorOptions() { SingleThread = opts.SingleThread }); foreach (var file in Directory.EnumerateFiles("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")) { var name = file.Split(Path.DirectorySeparatorChar)[^ 1];
public FileSystemMonitor(MonitorCommandOptions opts, Action <FileMonitorObject> changeHandler) { options = opts ?? new MonitorCommandOptions(); #pragma warning disable CA1303 // Do not pass literals as localized parameters this.changeHandler = changeHandler ?? throw new NullReferenceException(nameof(changeHandler)); #pragma warning restore CA1303 // This string doesn't need to be localized, it is the name of the variable fsc = new FileSystemCollector(new CollectorOptions() { DownloadCloud = false, GatherHashes = options.GatherHashes, }); foreach (var dir in options?.MonitoredDirectories?.Any() is true ? options.MonitoredDirectories : fsc.Roots.ToArray()) { foreach (var filter in defaultFiltersList) { var watcher = new FileSystemWatcher(); watcher.Path = dir; watcher.NotifyFilter = filter; watcher.IncludeSubdirectories = true; // Changed, Created and Deleted can share a handler, because they throw the same // type of event watcher.Changed += GetFunctionForFilterType(filter); watcher.Created += GetFunctionForFilterType(filter); watcher.Deleted += GetFunctionForFilterType(filter); // Renamed needs a different handler because it throws a different kind of event watcher.Renamed += GetRenamedFunctionForFilterType(filter); watchers.Add(watcher); } } }
public void ParseComObjects(RegistryKey SearchKey, RegistryView View) { if (SearchKey == null) { return; } List <ComObject> comObjects = new List <ComObject>(); try { Parallel.ForEach(SearchKey.GetSubKeyNames(), (SubKeyName) => { try { RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName); var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey, View); if (RegObj != null) { ComObject comObject = new ComObject(RegObj); foreach (string ComDetails in CurrentKey.GetSubKeyNames()) { var ComKey = CurrentKey.OpenSubKey(ComDetails); var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View); if (obj != null) { comObject.AddSubKey(obj); } } //Get the information from the InProcServer32 Subkey (for 32 bit) string?BinaryPath32 = null; var InProcServer32SubKeys = comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")); if (InProcServer32SubKeys.Any() && InProcServer32SubKeys.First().Values?.TryGetValue("", out BinaryPath32) is bool successful) { if (BinaryPath32 != null && successful) { // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath32 = BinaryPath32.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath32.StartsWith("\"") && BinaryPath32.EndsWith("\"")) { BinaryPath32 = BinaryPath32.AsSpan().Slice(1, BinaryPath32.Length - 2).ToString(); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath32.Contains("\\") && !BinaryPath32.Contains("%")) { BinaryPath32 = Path.Combine(Environment.SystemDirectory, BinaryPath32.Trim()); } comObject.x86_Binary = FileSystemCollector.FilePathToFileSystemObject(BinaryPath32.Trim(), true); comObject.x86_BinaryName = BinaryPath32; } } // And the InProcServer64 for 64 bit string?BinaryPath64 = null; var InProcServer64SubKeys = comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")); if (InProcServer64SubKeys.Any() && InProcServer64SubKeys.First().Values?.TryGetValue("", out BinaryPath64) is bool successful64) { if (BinaryPath64 != null && successful64) { // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath64 = BinaryPath64.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath64.StartsWith("\"") && BinaryPath64.EndsWith("\"")) { BinaryPath64 = BinaryPath64.Substring(1, BinaryPath64.Length - 2); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath64.Contains("\\") && !BinaryPath64.Contains("%")) { BinaryPath64 = Path.Combine(Environment.SystemDirectory, BinaryPath64.Trim()); } comObject.x64_Binary = FileSystemCollector.FilePathToFileSystemObject(BinaryPath64.Trim(), true); comObject.x64_BinaryName = BinaryPath64; } } comObjects.Add(comObject); } } catch (Exception e) when( e is System.Security.SecurityException || e is ObjectDisposedException || e is UnauthorizedAccessException || e is IOException) { Log.Debug($"Couldn't parse {SubKeyName}"); } }); } catch (Exception e) when( e is System.Security.SecurityException || e is ObjectDisposedException || e is UnauthorizedAccessException || e is IOException) { Log.Debug($"Failing parsing com objects {SearchKey.Name} {e.GetType().ToString()} {e.Message}"); } foreach (var comObject in comObjects) { DatabaseManager.Write(comObject, RunId); } }
/// <summary> /// Parse all the Subkeys of the given SearchKey into ComObjects and returns a list of them /// </summary> /// <param name="SearchKey">The Registry Key to search</param> /// <param name="View">The View of the registry to use</param> public static IEnumerable <CollectObject> ParseComObjects(RegistryKey SearchKey, RegistryView View, bool SingleThreaded = false) { if (SearchKey == null) { return(new List <CollectObject>()); } List <ComObject> comObjects = new List <ComObject>(); var fsc = new FileSystemCollector(new CollectCommandOptions() { SingleThread = SingleThreaded }); Action <string> ParseComObjectsIn = SubKeyName => { try { RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName); var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey, View); if (RegObj != null) { ComObject comObject = new ComObject(RegObj); foreach (string ComDetails in CurrentKey.GetSubKeyNames()) { if (ComDetails.Contains("InprocServer32")) { var ComKey = CurrentKey.OpenSubKey(ComDetails); var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View); string?BinaryPath32 = null; if (obj != null && obj.Values?.TryGetValue("", out BinaryPath32) is bool successful) { if (successful && BinaryPath32 != null) { // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath32 = BinaryPath32.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath32.StartsWith("\"") && BinaryPath32.EndsWith("\"")) { BinaryPath32 = BinaryPath32.AsSpan().Slice(1, BinaryPath32.Length - 2).ToString(); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath32.Contains("\\") && !BinaryPath32.Contains("%")) { BinaryPath32 = Path.Combine(Environment.SystemDirectory, BinaryPath32.Trim()); } comObject.x86_Binary = fsc.FilePathToFileSystemObject(BinaryPath32.Trim()); } } } if (ComDetails.Contains("InprocServer64")) { var ComKey = CurrentKey.OpenSubKey(ComDetails); var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View); string?BinaryPath64 = null; if (obj != null && obj.Values?.TryGetValue("", out BinaryPath64) is bool successful) { if (successful && BinaryPath64 != null) { // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath64 = BinaryPath64.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath64.StartsWith("\"") && BinaryPath64.EndsWith("\"")) { BinaryPath64 = BinaryPath64.AsSpan().Slice(1, BinaryPath64.Length - 2).ToString(); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath64.Contains("\\") && !BinaryPath64.Contains("%")) { BinaryPath64 = Path.Combine(Environment.SystemDirectory, BinaryPath64.Trim()); } comObject.x64_Binary = fsc.FilePathToFileSystemObject(BinaryPath64.Trim()); } } } } comObjects.Add(comObject); } } catch (Exception e) when( e is System.Security.SecurityException || e is ObjectDisposedException || e is UnauthorizedAccessException || e is IOException) { Log.Debug($"Couldn't parse {SubKeyName}"); } }; try { if (SingleThreaded) { foreach (var subKey in SearchKey.GetSubKeyNames()) { ParseComObjectsIn(subKey); } } else { SearchKey.GetSubKeyNames().AsParallel().ForAll(subKey => ParseComObjectsIn(subKey)); } } catch (Exception e) { Log.Debug("Failing parsing com objects {0} {1}", SearchKey.Name, e.GetType()); } return(comObjects); }
public void ParseComObjects(RegistryKey SearchKey) { if (SearchKey == null) { return; } foreach (string SubKeyName in SearchKey.GetSubKeyNames()) { try { RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName); var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey); ComObject comObject = new ComObject() { Key = RegObj, Subkeys = new List <RegistryObject>() }; foreach (string ComDetails in CurrentKey.GetSubKeyNames()) { var ComKey = CurrentKey.OpenSubKey(ComDetails); comObject.Subkeys.Add(RegistryWalker.RegistryKeyToRegistryObject(ComKey)); } //Get the information from the InProcServer32 Subkey (for 32 bit) if (comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).Count() > 0 && comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).First().Values.ContainsKey("")) { comObject.Subkeys.Where(x => x.Key.Contains("InprocServer32")).First().Values.TryGetValue("", out string BinaryPath32); // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath32 = BinaryPath32.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath32.StartsWith("\"") && BinaryPath32.EndsWith("\"")) { BinaryPath32 = BinaryPath32.Substring(1, BinaryPath32.Length - 2); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath32.Contains("\\") && !BinaryPath32.Contains("%")) { BinaryPath32 = Path.Combine(Environment.SystemDirectory, BinaryPath32.Trim()); } comObject.x86_Binary = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(BinaryPath32.Trim()), true); comObject.x86_BinaryName = BinaryPath32; } // And the InProcServer64 for 64 bit if (comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).Count() > 0 && comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).First().Values.ContainsKey("")) { comObject.Subkeys.Where(x => x.Key.Contains("InprocServer64")).First().Values.TryGetValue("", out string BinaryPath64); // Clean up cases where some extra spaces are thrown into the start (breaks our permission checker) BinaryPath64 = BinaryPath64.Trim(); // Clean up cases where the binary is quoted (also breaks permission checker) if (BinaryPath64.StartsWith("\"") && BinaryPath64.EndsWith("\"")) { BinaryPath64 = BinaryPath64.Substring(1, BinaryPath64.Length - 2); } // Unqualified binary name probably comes from Windows\System32 if (!BinaryPath64.Contains("\\") && !BinaryPath64.Contains("%")) { BinaryPath64 = Path.Combine(Environment.SystemDirectory, BinaryPath64.Trim()); } comObject.x64_Binary = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(BinaryPath64.Trim()), true); comObject.x64_BinaryName = BinaryPath64; } DatabaseManager.Write(comObject, runId); } catch (Exception e) { Log.Debug(e, "Couldn't parse {0}", SubKeyName); } } }
/// <summary> /// Uses ServiceController. /// </summary> public void ExecuteWindows() { try { System.Management.SelectQuery sQuery = new System.Management.SelectQuery("select * from Win32_Service"); // where name = '{0}'", "MCShield.exe")); using System.Management.ManagementObjectSearcher mgmtSearcher = new System.Management.ManagementObjectSearcher(sQuery); foreach (System.Management.ManagementObject service in mgmtSearcher.Get()) { try { var val = service.GetPropertyValue("Name").ToString(); if (val != null) { var obj = new ServiceObject(val); val = service.GetPropertyValue("AcceptPause")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.AcceptPause = bool.Parse(val); } val = service.GetPropertyValue("AcceptStop")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.AcceptStop = bool.Parse(val); } obj.Caption = service.GetPropertyValue("Caption")?.ToString(); val = service.GetPropertyValue("CheckPoint")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.CheckPoint = uint.Parse(val, CultureInfo.InvariantCulture); } obj.CreationClassName = service.GetPropertyValue("CreationClassName")?.ToString(); val = service.GetPropertyValue("DelayedAutoStart")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.DelayedAutoStart = bool.Parse(val); } obj.Description = service.GetPropertyValue("Description")?.ToString(); val = service.GetPropertyValue("DesktopInteract")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.DesktopInteract = bool.Parse(val); } obj.DisplayName = service.GetPropertyValue("DisplayName")?.ToString(); obj.ErrorControl = service.GetPropertyValue("ErrorControl")?.ToString(); val = service.GetPropertyValue("ExitCode")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.ExitCode = uint.Parse(val, CultureInfo.InvariantCulture); } if (DateTime.TryParse(service.GetPropertyValue("InstallDate")?.ToString(), out DateTime dateTime)) { obj.InstallDate = dateTime; } obj.PathName = service.GetPropertyValue("PathName")?.ToString(); val = service.GetPropertyValue("ProcessId")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.ProcessId = uint.Parse(val, CultureInfo.InvariantCulture); } val = service.GetPropertyValue("ServiceSpecificExitCode")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.ServiceSpecificExitCode = uint.Parse(val, CultureInfo.InvariantCulture); } obj.ServiceType = service.GetPropertyValue("ServiceType")?.ToString(); val = service.GetPropertyValue("Started").ToString(); if (!string.IsNullOrEmpty(val)) { obj.Started = bool.Parse(val); } obj.StartMode = service.GetPropertyValue("StartMode")?.ToString(); obj.StartName = service.GetPropertyValue("StartName")?.ToString(); obj.State = service.GetPropertyValue("State")?.ToString(); obj.Status = service.GetPropertyValue("Status")?.ToString(); obj.SystemCreationClassName = service.GetPropertyValue("SystemCreationClassName")?.ToString(); obj.SystemName = service.GetPropertyValue("SystemName")?.ToString(); val = service.GetPropertyValue("TagId")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.TagId = uint.Parse(val, CultureInfo.InvariantCulture); } val = service.GetPropertyValue("WaitHint")?.ToString(); if (!string.IsNullOrEmpty(val)) { obj.WaitHint = uint.Parse(val, CultureInfo.InvariantCulture); } Results.Push(obj); } } catch (Exception e) when( e is TypeInitializationException || e is PlatformNotSupportedException) { Log.Warning(Strings.Get("CollectorNotSupportedOnPlatform"), GetType().ToString()); } catch (Exception e) { Log.Warning(e, "Failed to grok Service Collector object at {0}.", service.Path); } } } catch (Exception e) { Log.Warning(e, "Failed to run Service Collector."); } var fsc = new FileSystemCollector(new CollectCommandOptions() { SingleThread = opts.SingleThread }); foreach (var file in Directory.EnumerateFiles("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")) { var name = file.Split(Path.DirectorySeparatorChar)[^ 1];