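/// <summary>
/// Loads the analysis rules that ship inside the assembly as the manifest resource
/// "AttackSurfaceAnalyzer.analyses.json" into <c>config</c>, then parses and dumps them.
/// Failures leave <c>config</c> null, are logged at debug level and reported through telemetry;
/// nothing is thrown to the caller for the expected failure classes.
/// </summary>
public void LoadEmbeddedFilters()
{
    // Name of the manifest resource that carries the built-in rules.
    const string resourceName = "AttackSurfaceAnalyzer.analyses.json";
    try
    {
        var assembly = typeof(FileSystemObject).Assembly;
        using (Stream stream = assembly.GetManifestResourceStream(resourceName))
        {
            // GetManifestResourceStream returns null (it does not throw) when the resource is
            // missing; previously that surfaced as an ArgumentNullException from StreamReader.
            // Raise a FileNotFoundException instead so the existing handler below logs a type
            // that actually describes the problem.
            if (stream == null)
            {
                throw new FileNotFoundException("Embedded resource not found", resourceName);
            }

            using (var streamReader = new StreamReader(stream))
            using (var jsonReader = new JsonTextReader(streamReader))
            {
                config = (JObject)JToken.ReadFrom(jsonReader);
                Log.Information(Strings.Get("LoadedAnalyses"), "Embedded");
            }
        }

        if (config == null)
        {
            Log.Debug("No filters today.");
            return;
        }

        ParseFilters();
        DumpFilters();
    }
    catch (Exception e) when (e is ArgumentNullException
                              || e is ArgumentException
                              || e is FileLoadException
                              || e is FileNotFoundException
                              || e is BadImageFormatException
                              || e is NotImplementedException)
    {
        config = null;
        Log.Debug("Could not load filters {0} {1}", "Embedded", e.GetType().ToString());
        // This is interesting. We shouldn't hit exceptions when loading the embedded resource,
        // so the exception type is reported to telemetry.
        var exceptionEvent = new Dictionary<string, string>
        {
            { "Exception Type", e.GetType().ToString() }
        };
        AsaTelemetry.TrackEvent("EmbeddedAnalysesFilterLoadException", exceptionEvent);
    }
}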
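/// <summary>
/// Evaluates <paramref name="rule"/> against <paramref name="compareResult"/>. Every clause of
/// the rule must pass; when they all do the rule is recorded on the result and the rule's flag
/// is returned, otherwise the default result type for the object's result type is returned.
/// </summary>
/// <param name="rule">Rule whose clauses are checked in order.</param>
/// <param name="compareResult">The diff entry (base/compare objects plus change type) under analysis.</param>
/// <returns><c>rule.Flag</c> when every clause matches; the default for the result type otherwise.</returns>
/// <exception cref="ArgumentNullException">Either argument is null.</exception>
protected ANALYSIS_RESULT_TYPE Apply(Rule rule, CompareResult compareResult)
{
    if (rule == null)
    {
        throw new ArgumentNullException(nameof(rule));
    }
    if (compareResult == null)
    {
        throw new ArgumentNullException(nameof(compareResult));
    }

    // Looked up lazily, exactly as the original did, so a result type missing from the map only
    // matters when a clause actually fails.
    ANALYSIS_RESULT_TYPE Fail() => DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType];

    var properties = _Properties[compareResult.ResultType];

    foreach (Clause clause in rule.Clauses)
    {
        PropertyInfo property = properties.FirstOrDefault(p => p.Name.Equals(clause.Field, StringComparison.Ordinal));
        if (property == null)
        {
            //Custom field logic will go here
            return Fail();
        }

        try
        {
            // Scalar and list-valued property values from the side(s) relevant to the change.
            // For MODIFIED both sides are appended (compare first, then base), which is what
            // WAS_MODIFIED relies on.
            var valsToCheck = new List<string>();
            // Dictionary-valued property values; when both sides apply the base side replaces
            // the compare side, as in the original.
            var dictToCheck = new List<KeyValuePair<string, string>>();

            if (compareResult.ChangeType == CHANGE_TYPE.CREATED || compareResult.ChangeType == CHANGE_TYPE.MODIFIED)
            {
                try
                {
                    CollectClauseValues(GetValueByPropertyName(compareResult.Compare, property.Name), valsToCheck, ref dictToCheck);
                }
                catch (Exception e)
                {
                    Log.Debug(e, "Error fetching Property {0} of Type {1}", property.Name, compareResult.ResultType);
                    Log.Debug(Utf8Json.JsonSerializer.ToJsonString(compareResult));
                    TrackExceptionEvent("ApplyCreatedModifiedException", e);
                }
            }

            if (compareResult.ChangeType == CHANGE_TYPE.DELETED || compareResult.ChangeType == CHANGE_TYPE.MODIFIED)
            {
                try
                {
                    CollectClauseValues(GetValueByPropertyName(compareResult.Base, property.Name), valsToCheck, ref dictToCheck);
                }
                catch (Exception e)
                {
                    // Deliberately quieter than the compare side, matching the original.
                    TrackExceptionEvent("ApplyDeletedModifiedException", e);
                }
            }

            if (!ClauseMatches(clause, valsToCheck, dictToCheck))
            {
                return Fail();
            }
        }
        catch (Exception e)
        {
            // Anything thrown while evaluating a clause (non-numeric data for GT/LT, a bad or
            // timed-out regex, ...) counts as "rule does not apply".
            Log.Debug(e, $"Hit while parsing {JsonSerializer.Serialize(rule)} onto {JsonSerializer.Serialize(compareResult)}");
            TrackExceptionEvent("ApplyOverallException", e);
            return Fail();
        }
    }

    compareResult.Rules.Add(rule);
    return rule.Flag;
}

// Upper bound on a single regex match. Patterns come from the rules file, so a pathological
// pattern must not be able to stall analysis; a timeout throws and the caller treats it as a
// non-match.
private static readonly TimeSpan RegexMatchTimeout = TimeSpan.FromSeconds(1);

/// <summary>Adds one fetched property value to the string list or the key/value list by its runtime type.</summary>
private static void CollectClauseValues(object value, List<string> valsToCheck, ref List<KeyValuePair<string, string>> dictToCheck)
{
    switch (value)
    {
        case List<string> list:
            valsToCheck.AddRange(list);
            break;
        case Dictionary<string, string> dictionary:
            dictToCheck = dictionary.ToList();
            break;
        case List<KeyValuePair<string, string>> pairs:
            dictToCheck = pairs;
            break;
        default:
            // Null and empty scalars contribute nothing.
            var scalar = value?.ToString();
            if (!string.IsNullOrEmpty(scalar))
            {
                valsToCheck.Add(scalar);
            }
            break;
    }
}

/// <summary>True when <paramref name="pairs"/> holds an entry with exactly this key and value (ordinal).</summary>
private static bool ContainsPair(List<KeyValuePair<string, string>> pairs, KeyValuePair<string, string> wanted)
    => pairs.Any(x => x.Key == wanted.Key && x.Value == wanted.Value);

/// <summary>Reports an exception type to telemetry under <paramref name="eventName"/>.</summary>
private static void TrackExceptionEvent(string eventName, Exception e)
{
    var exceptionEvent = new Dictionary<string, string>
    {
        { "Exception Type", e.GetType().ToString() }
    };
    AsaTelemetry.TrackEvent(eventName, exceptionEvent);
}

/// <summary>
/// Decides whether one clause is satisfied by the collected values. Unknown operations are
/// logged and fail. Exceptions (unparseable integers, regex timeouts) propagate to the caller.
/// </summary>
private static bool ClauseMatches(Clause clause, List<string> valsToCheck, List<KeyValuePair<string, string>> dictToCheck)
{
    switch (clause.Operation)
    {
        // Any collected value equals any clause value.
        case OPERATION.EQ:
            return clause.Data is List<string> eqData && eqData.Intersect(valsToCheck).Any();

        // No collected value equals any clause value.
        case OPERATION.NEQ:
            return clause.Data is List<string> neqData && !neqData.Intersect(valsToCheck).Any();

        // *Every* clause entry is present: each key/value pair for dictionary properties, each
        // string for list/scalar properties. Intersect de-duplicates, so duplicated clause
        // entries never satisfy the count check (unchanged from the original).
        case OPERATION.CONTAINS:
            if (dictToCheck.Count > 0)
            {
                return clause.DictData is List<KeyValuePair<string, string>> allPairs
                    && allPairs.All(pair => ContainsPair(dictToCheck, pair));
            }
            if (valsToCheck.Count > 0)
            {
                return clause.Data is List<string> allData
                    && allData.Intersect(valsToCheck).Count() == allData.Count;
            }
            return false;

        // *Any* clause entry is present.
        case OPERATION.CONTAINS_ANY:
            if (dictToCheck.Count > 0)
            {
                // The original signalled a match with `break` inside a foreach, which only left
                // the loop and then fell into the failure return, so dictionary CONTAINS_ANY
                // could never pass.
                return clause.DictData is List<KeyValuePair<string, string>> anyPairs
                    && anyPairs.Any(pair => ContainsPair(dictToCheck, pair));
            }
            if (valsToCheck.Count > 0)
            {
                return clause.Data is List<string> anyData && anyData.Intersect(valsToCheck).Any();
            }
            return false;

        // No clause entry is present. Passes when there is nothing to compare or the clause has
        // no usable data. The original passed when an entry *was* present, the inverse of the
        // operation's name and of the sibling definition of this method.
        case OPERATION.DOES_NOT_CONTAIN:
            if (dictToCheck.Count > 0 && clause.DictData is List<KeyValuePair<string, string>> excludedPairs)
            {
                return !excludedPairs.Any(pair => ContainsPair(dictToCheck, pair));
            }
            if (dictToCheck.Count == 0 && valsToCheck.Count > 0 && clause.Data is List<string> excludedData)
            {
                return !excludedData.Intersect(valsToCheck).Any();
            }
            return true;

        // Any collected value, parsed as an invariant-culture integer, exceeds the first clause value.
        // A non-numeric value throws (handled by the caller as a non-match).
        case OPERATION.GT:
            if (valsToCheck.Count == 0)
            {
                return false;
            }
            int lowerBound = int.Parse(clause.Data?[0] ?? $"{int.MinValue}", CultureInfo.InvariantCulture);
            return valsToCheck.Any(val => int.Parse(val, CultureInfo.InvariantCulture) > lowerBound);

        // Any collected value, parsed as an invariant-culture integer, is below the first clause value.
        case OPERATION.LT:
            if (valsToCheck.Count == 0)
            {
                return false;
            }
            int upperBound = int.Parse(clause.Data?[0] ?? $"{int.MaxValue}", CultureInfo.InvariantCulture);
            return valsToCheck.Any(val => int.Parse(val, CultureInfo.InvariantCulture) < upperBound);

        // Any clause regex matches any collected value, bounded by RegexMatchTimeout.
        case OPERATION.REGEX:
            return clause.Data is List<string> patterns
                && valsToCheck.Any(val => patterns.Any(pattern => Regex.IsMatch(val, pattern, RegexOptions.None, RegexMatchTimeout)));

        // Ignores provided data. NOTE(review): passes only when both sides were collected and are
        // equal, which reads as the opposite of the operation's name; kept as found in both
        // definitions on this page — confirm the intended semantics.
        case OPERATION.WAS_MODIFIED:
            return valsToCheck.Count == 2 && valsToCheck[0] == valsToCheck[1];

        // Any collected value ends with any clause value. Ordinal rather than the original
        // CurrentCulture: these are identifiers and paths, and culture-sensitive comparison can
        // treat ignorable code points as equal and varies with the host locale.
        case OPERATION.ENDS_WITH:
            return clause.Data is List<string> suffixes
                && valsToCheck.Any(val => suffixes.Any(suffix => val.EndsWith(suffix, StringComparison.Ordinal)));

        // Any collected value starts with any clause value (ordinal, see ENDS_WITH).
        case OPERATION.STARTS_WITH:
            return clause.Data is List<string> prefixes
                && valsToCheck.Any(val => prefixes.Any(prefix => val.StartsWith(prefix, StringComparison.Ordinal)));

        default:
            Log.Debug("Unimplemented operation {0}", clause.Operation);
            return false;
    }
}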
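/// <summary>
/// Evaluates <paramref name="rule"/> against <paramref name="compareResult"/>. Every clause of
/// the rule must pass; when they all do the rule is recorded on the result and the rule's flag
/// is returned, otherwise the default result type for the object's result type is returned.
/// </summary>
/// <param name="rule">Rule whose clauses are checked in order.</param>
/// <param name="compareResult">The diff entry (base/compare objects plus change type) under analysis.</param>
/// <returns><c>rule.Flag</c> when every clause matches; the default for the result type otherwise.</returns>
/// <exception cref="ArgumentNullException">Either argument is null.</exception>
protected ANALYSIS_RESULT_TYPE Apply(Rule rule, CompareResult compareResult)
{
    if (rule == null)
    {
        throw new ArgumentNullException(nameof(rule));
    }
    if (compareResult == null)
    {
        throw new ArgumentNullException(nameof(compareResult));
    }

    // Looked up lazily, exactly as the original did, so a result type missing from the map only
    // matters when a clause actually fails.
    ANALYSIS_RESULT_TYPE Fail() => DEFAULT_RESULT_TYPE_MAP[compareResult.ResultType];

    var properties = _Properties[compareResult.ResultType];

    foreach (Clause clause in rule.Clauses)
    {
        PropertyInfo property = properties.FirstOrDefault(p => p.Name.Equals(clause.Field, StringComparison.Ordinal));
        if (property == null)
        {
            //Custom field logic will go here
            return Fail();
        }

        try
        {
            // Scalar and list-valued property values from the side(s) relevant to the change.
            // For MODIFIED both sides are appended (compare first, then base), which is what
            // WAS_MODIFIED relies on.
            var valsToCheck = new List<string>();
            // Dictionary-valued property values; when both sides apply the base side replaces
            // the compare side, as in the original.
            var dictToCheck = new List<KeyValuePair<string, string>>();

            if (compareResult.ChangeType == CHANGE_TYPE.CREATED || compareResult.ChangeType == CHANGE_TYPE.MODIFIED)
            {
                try
                {
                    CollectClauseValues(GetValueByPropertyName(compareResult.Compare, property.Name), valsToCheck, ref dictToCheck);
                }
                catch (Exception e)
                {
                    Log.Debug(e, "Error fetching Property {0} of Type {1}", property.Name, compareResult.ResultType);
                    Log.Debug(Utf8Json.JsonSerializer.ToJsonString(compareResult));
                    TrackExceptionEvent("ApplyCreatedModifiedException", e);
                }
            }

            if (compareResult.ChangeType == CHANGE_TYPE.DELETED || compareResult.ChangeType == CHANGE_TYPE.MODIFIED)
            {
                try
                {
                    CollectClauseValues(GetValueByPropertyName(compareResult.Base, property.Name), valsToCheck, ref dictToCheck);
                }
                catch (Exception e)
                {
                    // Deliberately quieter than the compare side, matching the original.
                    TrackExceptionEvent("ApplyDeletedModifiedException", e);
                }
            }

            if (!ClauseMatches(clause, valsToCheck, dictToCheck))
            {
                return Fail();
            }
        }
        catch (Exception e)
        {
            // Anything thrown while evaluating a clause (non-numeric data for GT/LT, a bad or
            // timed-out regex, ...) counts as "rule does not apply".
            Log.Debug(e, $"Hit while parsing {JsonSerializer.Serialize(rule)} onto {JsonSerializer.Serialize(compareResult)}");
            TrackExceptionEvent("ApplyOverallException", e);
            return Fail();
        }
    }

    compareResult.Rules.Add(rule);
    return rule.Flag;
}

// Upper bound on a single regex match. Patterns come from the rules file, so a pathological
// pattern must not be able to stall analysis; a timeout throws and the caller treats it as a
// non-match.
private static readonly TimeSpan RegexMatchTimeout = TimeSpan.FromSeconds(1);

/// <summary>
/// Adds one fetched property value to the string list or the key/value list by its runtime type.
/// A null value contributes nothing; the original called <c>ToString()</c> on it and threw.
/// </summary>
private static void CollectClauseValues(object value, List<string> valsToCheck, ref List<KeyValuePair<string, string>> dictToCheck)
{
    switch (value)
    {
        case List<string> list:
            valsToCheck.AddRange(list);
            break;
        case Dictionary<string, string> dictionary:
            dictToCheck = dictionary.ToList();
            break;
        case List<KeyValuePair<string, string>> pairs:
            dictToCheck = pairs;
            break;
        default:
            var scalar = value?.ToString();
            if (!string.IsNullOrEmpty(scalar))
            {
                valsToCheck.Add(scalar);
            }
            break;
    }
}

/// <summary>True when <paramref name="pairs"/> holds an entry with exactly this key and value (ordinal).</summary>
private static bool ContainsPair(List<KeyValuePair<string, string>> pairs, KeyValuePair<string, string> wanted)
    => pairs.Any(x => x.Key == wanted.Key && x.Value == wanted.Value);

/// <summary>Reports an exception type to telemetry under <paramref name="eventName"/>.</summary>
private static void TrackExceptionEvent(string eventName, Exception e)
{
    var exceptionEvent = new Dictionary<string, string>
    {
        { "Exception Type", e.GetType().ToString() }
    };
    AsaTelemetry.TrackEvent(eventName, exceptionEvent);
}

/// <summary>
/// Decides whether one clause is satisfied by the collected values. Unknown operations are
/// logged and fail. Exceptions (unparseable integers, regex timeouts) propagate to the caller.
/// Several counters in the original were wrong: EQ broke out after the first collected value,
/// CONTAINS counted values that did *not* contain the datum, and REGEX compared a match count
/// taken over every pattern against the number of values. Each operation is now a direct
/// predicate over the collected values, matching the sibling definition on this page.
/// </summary>
private static bool ClauseMatches(Clause clause, List<string> valsToCheck, List<KeyValuePair<string, string>> dictToCheck)
{
    switch (clause.Operation)
    {
        // Any collected value equals any clause value.
        case OPERATION.EQ:
            return clause.Data is List<string> eqData && eqData.Intersect(valsToCheck).Any();

        // No collected value equals any clause value.
        case OPERATION.NEQ:
            return clause.Data is List<string> neqData && !neqData.Intersect(valsToCheck).Any();

        // *Every* clause entry is present: each key/value pair for dictionary properties, each
        // string for list/scalar properties.
        case OPERATION.CONTAINS:
            if (dictToCheck.Count > 0)
            {
                return clause.DictData is List<KeyValuePair<string, string>> allPairs
                    && allPairs.All(pair => ContainsPair(dictToCheck, pair));
            }
            if (valsToCheck.Count > 0)
            {
                return clause.Data is List<string> allData
                    && allData.Intersect(valsToCheck).Count() == allData.Count;
            }
            return false;

        // *Any* clause entry is present.
        case OPERATION.CONTAINS_ANY:
            if (dictToCheck.Count > 0)
            {
                return clause.DictData is List<KeyValuePair<string, string>> anyPairs
                    && anyPairs.Any(pair => ContainsPair(dictToCheck, pair));
            }
            if (valsToCheck.Count > 0)
            {
                return clause.Data is List<string> anyData && anyData.Intersect(valsToCheck).Any();
            }
            return false;

        // No clause entry is present. Passes when there is nothing to compare or the clause has
        // no usable data.
        case OPERATION.DOES_NOT_CONTAIN:
            if (dictToCheck.Count > 0 && clause.DictData is List<KeyValuePair<string, string>> excludedPairs)
            {
                return !excludedPairs.Any(pair => ContainsPair(dictToCheck, pair));
            }
            if (dictToCheck.Count == 0 && valsToCheck.Count > 0 && clause.Data is List<string> excludedData)
            {
                return !excludedData.Intersect(valsToCheck).Any();
            }
            return true;

        // Any collected value, parsed as an invariant-culture integer, exceeds the first clause value.
        // A non-numeric value throws (handled by the caller as a non-match).
        case OPERATION.GT:
            if (valsToCheck.Count == 0)
            {
                return false;
            }
            int lowerBound = int.Parse(clause.Data?[0] ?? $"{int.MinValue}", CultureInfo.InvariantCulture);
            return valsToCheck.Any(val => int.Parse(val, CultureInfo.InvariantCulture) > lowerBound);

        // Any collected value, parsed as an invariant-culture integer, is below the first clause value.
        case OPERATION.LT:
            if (valsToCheck.Count == 0)
            {
                return false;
            }
            int upperBound = int.Parse(clause.Data?[0] ?? $"{int.MaxValue}", CultureInfo.InvariantCulture);
            return valsToCheck.Any(val => int.Parse(val, CultureInfo.InvariantCulture) < upperBound);

        // Any clause regex matches any collected value, bounded by RegexMatchTimeout.
        case OPERATION.REGEX:
            return clause.Data is List<string> patterns
                && valsToCheck.Any(val => patterns.Any(pattern => Regex.IsMatch(val, pattern, RegexOptions.None, RegexMatchTimeout)));

        // Ignores provided data. NOTE(review): passes only when both sides were collected and are
        // equal, which reads as the opposite of the operation's name; kept as found in both
        // definitions on this page — confirm the intended semantics.
        case OPERATION.WAS_MODIFIED:
            return valsToCheck.Count == 2 && valsToCheck[0] == valsToCheck[1];

        // Any collected value ends with any clause value. Ordinal rather than the original
        // CurrentCulture: these are identifiers and paths, and culture-sensitive comparison can
        // treat ignorable code points as equal and varies with the host locale.
        case OPERATION.ENDS_WITH:
            return clause.Data is List<string> suffixes
                && valsToCheck.Any(val => suffixes.Any(suffix => val.EndsWith(suffix, StringComparison.Ordinal)));

        // Any collected value starts with any clause value (ordinal, see ENDS_WITH).
        case OPERATION.STARTS_WITH:
            return clause.Data is List<string> prefixes
                && valsToCheck.Any(val => prefixes.Any(prefix => val.StartsWith(prefix, StringComparison.Ordinal)));

        default:
            Log.Debug("Unimplemented operation {0}", clause.Operation);
            return false;
    }
}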
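/// <summary>
/// Checks the Authenticode signature embedded in <paramref name="filename"/> through
/// WinVerifyTrust and reports the outcome as a short status string.
/// </summary>
/// <param name="filename">Path of the file whose embedded signature is verified.</param>
/// <returns>
/// "Valid" for a trusted signature; the WinVerifyTrust result name (for example "FileNotSigned"
/// or "UntrustedRoot") for every other recognised outcome; <c>result.ToString()</c> for any other
/// status; "FailedToFetch" when the native call itself threw.
/// </returns>
public static string VerifyEmbeddedSignature(string filename)
{
    try
    {
        // The WinVerifyTrust action to run: generic Authenticode chain verification.
        var action = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);

        // Only WinTrustData reaches the native call. The original also built a WinTrustFileInfo
        // here that nothing used, so it is not constructed any more.
        // NOTE(review): if WinTrustData owns unmanaged memory it should be released once the
        // call returns — confirm against its definition.
        var winTrustData = new WinTrustData(filename);
        WinVerifyTrustResult result = WinVerifyTrust(INVALID_HANDLE_VALUE, action, winTrustData);

        switch (result)
        {
            case WinVerifyTrustResult.Success:
                return "Valid";
            case WinVerifyTrustResult.ProviderUnknown:
                return "ProviderUnknown";
            case WinVerifyTrustResult.ActionUnknown:
                return "ActionUnknown";
            case WinVerifyTrustResult.SubjectFormUnknown:
                return "SubjectFormUnknown";
            case WinVerifyTrustResult.SubjectNotTrusted:
                return "SubjectNotTrusted";
            case WinVerifyTrustResult.FileNotSigned:
                return "FileNotSigned";
            case WinVerifyTrustResult.SubjectExplicitlyDistrusted:
                return "SubjectExplicitlyDistrusted";
            case WinVerifyTrustResult.SignatureOrFileCorrupt:
                return "SignatureOrFileCorrupt";
            case WinVerifyTrustResult.SubjectCertExpired:
                return "SubjectCertExpired";
            case WinVerifyTrustResult.SubjectCertificateRevoked:
                return "SubjectCertificateRevoked";
            case WinVerifyTrustResult.UntrustedRoot:
                return "UntrustedRoot";
            default:
                // The UI was disabled in dwUIChoice or the admin policy has disabled user
                // trust. The status then carries the publisher or time stamp chain error,
                // so report it as-is.
                return result.ToString();
        }
    }
    catch (Exception e)
    {
        // Best effort by design: the original filter (`e is AccessViolationException ||
        // e is Exception`) matched every exception, so this is the same catch-all without the
        // misleading filter. The caller gets a status it can tell apart from a verification
        // result; the exception type goes to telemetry.
        var exceptionEvent = new Dictionary<string, string>
        {
            { "Exception Type", e.GetType().ToString() }
        };
        AsaTelemetry.TrackEvent("VerifyEmbeddedSignatureException", exceptionEvent);
        return "FailedToFetch";
    }
}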