Exemplo n.º 1
0
        private FileSystemObject FileEntryToFileSystemObject(FileEntry fileEntry)
        {
            var fso = new FileSystemObject(Path: fileEntry.FullPath)
            {
                Size = fileEntry.Content.Length
            };

            if (opts.GatherHashes == true)
            {
                fso.ContentHash = CryptoHelpers.CreateHash(fileEntry.Content);
            }

            var exeType = FileSystemUtils.GetExecutableType(fileEntry.FullPath, fileEntry.Content);

            if (exeType != EXECUTABLE_TYPE.NONE && exeType != EXECUTABLE_TYPE.UNKNOWN)
            {
                fso.IsExecutable = true;
            }

            if (exeType == EXECUTABLE_TYPE.WINDOWS)
            {
                fso.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(fileEntry.FullPath, fileEntry.Content);
                fso.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(fileEntry.FullPath, fileEntry.Content);
            }

            return(fso);
        }
Exemplo n.º 2
0
        public static string GetFileHash(FileSystemInfo fileInfo)
        {
            if (fileInfo != null)
            {
                Log.Debug("{0} {1}", Strings.Get("FileHash"), fileInfo.FullName);

                string hashValue = null;
                try
                {
                    using (var stream = new FileStream(fileInfo.FullName, FileMode.Open, FileAccess.Read))
                    {
                        hashValue = CryptoHelpers.CreateHash(stream);
                    }
                }
                catch (Exception e) when(
                    e is ArgumentNullException ||
                    e is ArgumentException ||
                    e is NotSupportedException ||
                    e is FileNotFoundException ||
                    e is IOException ||
                    e is System.Security.SecurityException ||
                    e is DirectoryNotFoundException ||
                    e is UnauthorizedAccessException ||
                    e is PathTooLongException ||
                    e is ArgumentOutOfRangeException)
                {
                    Log.Verbose("{0}: {1} {2}", Strings.Get("Err_UnableToHash"), fileInfo.FullName, e.GetType().ToString());
                }
                return(hashValue);
            }
            return(string.Empty);
        }
Exemplo n.º 3
0
        public void WriteRename(RenamedEventArgs obj)
        {
            var evt = new FileMonitorEvent()
            {
                ChangeType = ChangeTypeToChangeType(obj.ChangeType),
                Path       = obj.FullPath,
                Name       = obj.Name,
                OldPath    = obj.OldFullPath,
                OldName    = obj.OldName
            };

            string timestamp = DateTime.Now.ToString("O");

            var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction);

            cmd.Parameters.AddWithValue("@run_id", this.runId);
            cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(obj.ToString() + timestamp + watcher.NotifyFilter.ToString() + obj.ChangeType.ToString()));
            cmd.Parameters.AddWithValue("@timestamp", timestamp);
            cmd.Parameters.AddWithValue("@path", obj.FullPath);
            cmd.Parameters.AddWithValue("@old_path", obj.OldFullPath ?? "");
            cmd.Parameters.AddWithValue("@name", obj.Name ?? "");
            cmd.Parameters.AddWithValue("@old_name", obj.OldName ?? "");
            cmd.Parameters.AddWithValue("@change_type", ChangeTypeToChangeType(obj.ChangeType));
            cmd.Parameters.AddWithValue("@extended_results", "");
            cmd.Parameters.AddWithValue("@notify_filters", watcher.NotifyFilter.ToString());
            cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(evt));

            cmd.ExecuteNonQuery();
        }
Exemplo n.º 4
0
        public void WriteChange(FileSystemEventArgs obj)
        {
            string timestamp = DateTime.Now.ToString("O");

            var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction);

            cmd.Parameters.AddWithValue("@run_id", this.runId);
            cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(obj.ToString() + timestamp + watcher.NotifyFilter.ToString() + obj.ChangeType.ToString()));
            cmd.Parameters.AddWithValue("@timestamp", timestamp);
            cmd.Parameters.AddWithValue("@path", obj.FullPath);
            cmd.Parameters.AddWithValue("@old_path", "");
            cmd.Parameters.AddWithValue("@name", obj.Name);
            cmd.Parameters.AddWithValue("@old_name", "");
            cmd.Parameters.AddWithValue("@change_type", ChangeTypeStringToChangeType(obj.ChangeType.ToString()));
            cmd.Parameters.AddWithValue("@extended_results", "");
            cmd.Parameters.AddWithValue("@notify_filters", watcher.NotifyFilter.ToString());
            cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(obj));
            FileSystemMonitorResult fileSystemObject = new FileSystemMonitorResult()
            {
                evt    = obj,
                filter = watcher.NotifyFilter
            };

            cmd.ExecuteNonQuery();
        }
Exemplo n.º 5
0
 private WriteObject(byte[] SerializedIn, RESULT_TYPE ResultTypeIn, string RunIdIn)
 {
     _serialized = SerializedIn;
     _rowKey     = CryptoHelpers.CreateHash(_serialized);
     RunId       = RunIdIn;
     ColObj      = JsonUtils.Hydrate(SerializedIn, ResultTypeIn) !;
 }
Exemplo n.º 6
0
        public void WriteChange(FileSystemEventArgs objIn, string details)
        {
            if (objIn != null)
            {
                var evt = new FileMonitorEvent()
                {
                    ChangeType = ChangeTypeToChangeType(objIn.ChangeType),
                    Path       = objIn.FullPath,
                    Name       = objIn.Name
                };
                string timestamp = DateTime.Now.ToString("O", CultureInfo.InvariantCulture);

                using var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction);
                cmd.Parameters.AddWithValue("@run_id", this.RunId);
                cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(objIn.ToString() + timestamp + watcher.NotifyFilter.ToString() + objIn.ChangeType.ToString()));
                cmd.Parameters.AddWithValue("@timestamp", timestamp);
                cmd.Parameters.AddWithValue("@path", objIn.FullPath);
                cmd.Parameters.AddWithValue("@old_path", "");
                cmd.Parameters.AddWithValue("@name", objIn.Name);
                cmd.Parameters.AddWithValue("@old_name", "");
                cmd.Parameters.AddWithValue("@change_type", ChangeTypeToChangeType(objIn.ChangeType));
                cmd.Parameters.AddWithValue("@extended_results", details);
                cmd.Parameters.AddWithValue("@notify_filters", watcher.NotifyFilter.ToString());
                cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(evt));

                cmd.ExecuteNonQuery();
            }
        }
Exemplo n.º 7
0
        public WriteObject(CollectObject ColObj, string RunId)
        {
            this.ColObj = ColObj;
            this.RunId  = RunId;

            _serialized = JsonUtils.Dehydrate(ColObj);
            _rowKey     = CryptoHelpers.CreateHash(_serialized);
        }
Exemplo n.º 8
0
        public WriteObject(CollectObject ColObjIn, string RunIdIn)
        {
            ColObj = ColObjIn;
            RunId  = RunIdIn;

            _serialized = JsonUtils.Dehydrate(ColObjIn);
            _rowKey     = CryptoHelpers.CreateHash(_serialized);
        }
Exemplo n.º 9
0
        public WriteObject(CollectObject ColObj, string RunId)
        {
            if (ColObj == null)
            {
                throw new ArgumentNullException(nameof(ColObj));
            }
            this.ColObj = ColObj;
            this.RunId  = RunId;

            _serialized = JsonUtils.Dehydrate(ColObj);
            _rowKey     = CryptoHelpers.CreateHash(_serialized);
            Shard       = DatabaseManager.ModuloString(ColObj.Identity);
        }
Exemplo n.º 10
0
        public void Write(StoreLocation storeLocation, StoreName storeName, X509Certificate2 obj)
        {
            try
            {
                recordCounter++;
                var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction);
                cmd.Parameters.AddWithValue("@run_id", runId);
                cmd.Parameters.AddWithValue("@store_location", storeLocation.ToString());
                cmd.Parameters.AddWithValue("@store_name", storeName.ToString());
                cmd.Parameters.AddWithValue("@hash", obj.GetCertHashString());
                cmd.Parameters.AddWithValue("@hash_plus_store", obj.GetCertHashString() + storeLocation.ToString() + storeName.ToString());
                cmd.Parameters.AddWithValue("@cn", obj.Subject);

                if (obj.HasPrivateKey)
                {
                    cmd.Parameters.AddWithValue("@pkcs12", "redacted");
                }
                else
                {
                    cmd.Parameters.AddWithValue("@pkcs12", obj.Export(X509ContentType.Pfx));
                }

                cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(runId + recordCounter));

                var cert = new CertificateObject()
                {
                    StoreLocation         = storeLocation.ToString(),
                    StoreName             = storeName.ToString(),
                    CertificateHashString = obj.GetCertHashString(),
                    Subject = obj.Subject
                };
                cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(cert));
                cmd.ExecuteNonQuery();
            }
            catch (NullReferenceException e)
            {
                Log.Warning(e.StackTrace);
            }
            catch (Microsoft.Data.Sqlite.SqliteException e)
            {
                Log.Warning(e.Message);
                //This catches duplicate certificates
            }
            catch (Exception e)
            {
                Log.Warning(e.GetType().ToString());
                Log.Warning(e.StackTrace);
            }
        }
Exemplo n.º 11
0
        protected internal static string GetFileHash(FileSystemInfo fileInfo)
        {
            Log.Debug("Generating file hash for {0}", fileInfo.FullName);

            string hashValue = null;

            try
            {
                using (var stream = new FileStream(fileInfo.FullName, FileMode.Open, FileAccess.Read))
                {
                    hashValue = CryptoHelpers.CreateHash(stream);
                }
            }
            catch (Exception ex)
            {
                Log.Warning("Unable to take hash of file: {0}: {1}", fileInfo.FullName, ex.Message);
            }
            return(hashValue);
        }
Exemplo n.º 12
0
        protected internal static string GetFileHash(FileSystemInfo fileInfo)
        {
            Log.Debug("{0} {1}", Strings.Get("FileHash"), fileInfo.FullName);

            string hashValue = null;

            try
            {
                using (var stream = new FileStream(fileInfo.FullName, FileMode.Open, FileAccess.Read))
                {
                    hashValue = CryptoHelpers.CreateHash(stream);
                }
            }
            catch (Exception ex)
            {
                Log.Warning("{0}: {1} {2}", Strings.Get("Err_UnableToHash"), fileInfo.FullName, ex.Message);
            }
            return(hashValue);
        }
Exemplo n.º 13
0
        public void Write(RegistryObject obj)
        {
            try
            {
                string hashSeed = String.Format("{0}{1}", obj.Key, JsonConvert.SerializeObject(obj));

                using (var cmd = new SqliteCommand(SQL_INSERT, DatabaseManager.Connection, DatabaseManager.Transaction))
                {
                    cmd.Parameters.AddWithValue("@run_id", this.runId);
                    cmd.Parameters.AddWithValue("@row_key", CryptoHelpers.CreateHash(hashSeed));
                    cmd.Parameters.AddWithValue("@key", obj.Key);

                    cmd.Parameters.AddWithValue("@value", JsonConvert.SerializeObject(obj.Values));


                    cmd.Parameters.AddWithValue("@subkeys", JsonConvert.SerializeObject(obj.Subkeys));
                    cmd.Parameters.AddWithValue("@permissions", obj.Permissions);
                    cmd.Parameters.AddWithValue("@serialized", JsonConvert.SerializeObject(obj));

                    try
                    {
                        cmd.ExecuteNonQuery();
                    }
                    catch (Exception e)
                    {
                        Log.Debug(e.GetType() + "thrown in registry collector");
                        Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
                    }
                }
            }
            catch (Exception)
            {
                Log.Debug("Had trouble writing {0}", obj.Key);
            }

            customCrawlHandler?.Invoke(obj);
        }
Exemplo n.º 14
0
 public string GetHash()
 {
     return(CryptoHelpers.CreateHash(JsonConvert.SerializeObject(this)));
 }
Exemplo n.º 15
0
 public string GetUniqueHash()
 {
     return(CryptoHelpers.CreateHash(this.ToString()));
 }