private static void PrintFilePublisherRules(AppLockerPolicyRuleCollection rule)
{
if (rule?.FilePublisherRule == null)
{
return;
}
foreach (var filePublisherRule in rule.FilePublisherRule)
{
Beaprint.GoodPrint($" File Publisher Rule\n");
Beaprint.NoColorPrint($" Rule Type: {rule.Type}\n" +
$" Enforcement Mode: {rule.EnforcementMode}\n" +
$" Name: {filePublisherRule.Name}\n" +
$" Description: {filePublisherRule.Description}\n" +
$" Action: {filePublisherRule.Action}");
var color = GetColorBySid(filePublisherRule.UserOrGroupSid);
Beaprint.ColorPrint($" User Or Group Sid: {filePublisherRule.UserOrGroupSid}\n", color);
Beaprint.GoodPrint($" Conditions");
foreach (var condition in filePublisherRule.Conditions)
{
Beaprint.NoColorPrint(
$" Binary Name: {condition.BinaryName}\n" +
$" Binary Version Range: ({condition.BinaryVersionRange.LowSection} - {condition.BinaryVersionRange.HighSection})\n" +
$" Product Name: {condition.ProductName}\n" +
$" Publisher Name: {condition.PublisherName}\n");
}
Beaprint.PrintLineSeparator();
}
}
private static void PrintFileHashRules(AppLockerPolicyRuleCollection rule)
{
if (rule?.FileHashRule == null)
{
return;
}
foreach (var fileHashRule in rule.FileHashRule)
{
Beaprint.GoodPrint($" File Hash Rule\n");
Beaprint.NoColorPrint(
$" Rule Type: {rule.Type}\n" +
$" Enforcement Mode: {rule.EnforcementMode}\n" +
$" Name: {fileHashRule.Name}\n" +
$" Description: {fileHashRule.Description}\n" +
$" Action: {fileHashRule.Action}");
var color = GetColorBySid(fileHashRule.UserOrGroupSid);
Beaprint.ColorPrint(
$" User Or Group Sid: {fileHashRule.UserOrGroupSid}\n", color);
Beaprint.GoodPrint($" Conditions");
foreach (var condition in fileHashRule.Conditions)
{
Beaprint.NoColorPrint(
$" Source File Name: {condition.FileHash.SourceFileName}\n" +
$" Data: {condition.FileHash.Data}\n" +
$" Source File Length: {condition.FileHash.SourceFileLength}\n" +
$" Type: {condition.FileHash.Type}\n");
}
Beaprint.PrintLineSeparator();
}
}
private static void PrintFilePathRules(AppLockerPolicyRuleCollection rule)
{
if (rule?.FilePathRule == null)
{
return;
}
foreach (var filePathRule in rule.FilePathRule)
{
Beaprint.GoodPrint($" File Path Rule\n");
var normalizedName = NormalizePath(filePathRule.Name);
Beaprint.NoColorPrint($" Rule Type: {rule.Type}\n" +
$" Enforcement Mode: {rule.EnforcementMode}\n" +
$" Name: {filePathRule.Name}\n" +
$" Translated Name: {normalizedName}\n" +
$" Description: {filePathRule.Description}\n" +
$" Action: {filePathRule.Action}");
var color = GetColorBySid(filePathRule.UserOrGroupSid);
Beaprint.ColorPrint($" User Or Group Sid: {filePathRule.UserOrGroupSid}\n", color);
Beaprint.GoodPrint($" Conditions");
foreach (var condition in filePathRule.Conditions)
{
// print wildcards as red and continue
if (condition.Path == "*" || condition.Path == "*.*")
{
Beaprint.ColorPrint(
$" Path: {condition.Path}", Beaprint.ansi_color_bad);
continue;
}
Beaprint.NoColorPrint(
$" Path: {condition.Path}");
// TODO
// cache permissions in a dictionary
var normalizedPath = NormalizePath(condition.Path);
// it's a file rule
if (IsFilePath(normalizedPath))
{
// TODO
// load permissions from cache
// check file
CheckFileWriteAccess(normalizedPath);
// check directories
string directory = Path.GetDirectoryName(normalizedPath);
CheckDirectoryAndParentsWriteAccess(directory);
}
// it's a directory rule
else
{
// TODO
// load permissions from cache
// does the directory exists?
if (Directory.Exists(normalizedPath))
{
// can we write to the directory ?
var folderPermissions = PermissionsHelper.GetPermissionsFolder(normalizedPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
// we can write
if (folderPermissions.Count > 0)
{
Beaprint.BadPrint($" Directory \"{normalizedPath}\" Permissions: " + string.Join(",", folderPermissions));
}
// we cannot write to the folder
else
{
// first check well known AppLocker bypass locations
if (_appLockerByPassDirectoriesByPath.ContainsKey(normalizedPath))
{
// iterate over applocker bypass directories and check them
foreach (var subfolders in _appLockerByPassDirectoriesByPath[normalizedPath])
{
var subfolderPermissions = PermissionsHelper.GetPermissionsFolder(subfolders, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
// we can write
if (subfolderPermissions.Count > 0)
{
Beaprint.BadPrint($" Directory \"{subfolders}\" Permissions: " + string.Join(",", subfolderPermissions));
break;
}
}
}
// the well-known bypass location does not contain the folder
// check file / subfolder write permissions
else
{
// start with the current directory
bool isFileOrSubfolderWriteAccess = CheckFilesAndSubfolders(normalizedPath, rule.Type, 0);
if (!isFileOrSubfolderWriteAccess)
{
Beaprint.ColorPrint($" No potential bypass found while recursively checking files/subfolders " +
$"for write or equivalent permissions with depth: {FolderCheckMaxDepth}\n" +
$" Check permissions manually.", Beaprint.YELLOW);
}
}
}
}
else
{
// do we have write access recursively for the parent folder(s)?
CheckDirectoryAndParentsWriteAccess(normalizedPath);
}
// TODO
// save to cache for faster next search
}
Beaprint.GoodPrint("");
}
Beaprint.PrintLineSeparator();
}
}
