public void HandlePushNotification(string func, object args)
{
try
{
if (func == "ActivityNotification")
{
NotifyActivity(GetArg <Guid>(args, 0), GetArg <Program.LogEntry>(args, 1));
}
else if (func == "ChangeNotification")
{
NotifyChange(GetArg <Guid>(args, 0));
}
else
{
throw new Exception("Unknown Notificacion");
}
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
}
// *** Tasks ***
static public List <string> EnumTasks(string path)
{
List <string> list = new List <string>();
try
{
TaskScheduler.TaskScheduler service = new TaskScheduler.TaskScheduler();
service.Connect();
ITaskFolder folder = service.GetFolder(path);
foreach (IRegisteredTask task in folder.GetTasks((int)_TASK_ENUM_FLAGS.TASK_ENUM_HIDDEN))
{
list.Add(task.Name);
}
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
return(null);
}
return(list);
}
public bool Load(XmlNode entryNode)
{
foreach (XmlNode node in entryNode.ChildNodes)
{
if (node.Name == "id")
{
ProgramList.ID id = new ProgramList.ID();
if (id.Load(node))
{
IDs.Add(id);
}
}
else if (node.Name == "Name")
{
config.Name = node.InnerText;
}
else if (node.Name == "Category")
{
config.Category = node.InnerText;
}
else if (node.Name == "Icon")
{
config.Icon = node.InnerText;
}
else if (node.Name == "NetAccess")
{
Enum.TryParse(node.InnerText, out config.NetAccess);
}
else if (node.Name == "Notify")
{
config.Notify = MiscFunc.parseBool(node.InnerText, null);
}
else
{
AppLog.Line("Unknown Program Value, '{0}':{1}", node.Name, node.InnerText);
}
}
return(IDs.Count > 0 && config.Name != null);
}
public static string SID_SPLevel = "S-1-16-28672"; // Secure Process Mandatory Level
internal static bool TakeOwn(string path)
{
bool ret = true;
try
{
TokenManipulator.AddPrivilege(TokenManipulator.SE_TAKE_OWNERSHIP_NAME);
FileSecurity ac = File.GetAccessControl(path);
ac.SetOwner(new SecurityIdentifier(FileOps.SID_Admins));
File.SetAccessControl(path, ac);
}
catch (PrivilegeNotHeldException err)
{
AppLog.Line("Couldn't take Ovnership {0}", err.ToString());
ret = false;
}
finally
{
TokenManipulator.RemovePrivilege(TokenManipulator.SE_TAKE_OWNERSHIP_NAME);
}
return(ret);
}
static public bool IsTaskEnabled(string path, string name)
{
if (name == "*")
{
List <string> names = EnumTasks(path);
if (names == null)
{
return(true); // we dont know so just in case
}
foreach (string found in names)
{
if (IsTaskEnabled(path, found))
{
return(true);
}
}
return(false);
}
try
{
TaskScheduler.TaskScheduler service = new TaskScheduler.TaskScheduler();
service.Connect();
ITaskFolder folder = service.GetFolder(path);
IRegisteredTask task = folder.GetTask(name);
return(task.Enabled);
}
catch (FileNotFoundException)
{
return(false);
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
return(true); // we dont know so just in case
}
public FilteringModes GetFilteringMode()
{
try
{
if (TestFirewallEnabled(true))
{
if (TestDefaultOutboundAction(NET_FW_ACTION_.NET_FW_ACTION_ALLOW))
{
return(FilteringModes.BlackList);
}
if (TestDefaultOutboundAction(NET_FW_ACTION_.NET_FW_ACTION_BLOCK))
{
return(FilteringModes.WhiteList);
}
}
return(FilteringModes.NoFiltering);
}
catch (Exception err)
{
AppLog.Line("Getting FilteringMode failed: " + err.Message);
}
return(FilteringModes.Unknown);
}
public Auditing GetAuditPol()
{
try
{
AuditPol.AUDIT_POLICY_INFORMATION pol = AuditPol.GetSystemPolicy("0CCE9226-69AE-11D9-BED3-505054503030");
if ((pol.AuditingInformation & AuditPol.AUDIT_POLICY_INFORMATION_TYPE.Success) != 0 && (pol.AuditingInformation & AuditPol.AUDIT_POLICY_INFORMATION_TYPE.Failure) != 0)
{
return(Auditing.All);
}
if ((pol.AuditingInformation & AuditPol.AUDIT_POLICY_INFORMATION_TYPE.Success) != 0)
{
return(Auditing.Allowed);
}
if ((pol.AuditingInformation & AuditPol.AUDIT_POLICY_INFORMATION_TYPE.Failure) != 0)
{
return(Auditing.Blocked);
}
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
return(Auditing.Off);
}
public bool WatchConnections(bool enable = true)
{
try
{
if (enable)
{
mEventWatcher = new EventLogWatcher(new EventLogQuery("Security", PathType.LogName, "*[System[(Level=4 or Level=0) and (EventID=" + (int)EventIDs.Blocked + " or EventID=" + (int)EventIDs.Allowed + ")]] and *[EventData[Data[@Name='LayerRTID']>='48']]"));
mEventWatcher.EventRecordWritten += new EventHandler <EventRecordWrittenEventArgs>(OnConnection);
mEventWatcher.Enabled = true;
}
else
{
mEventWatcher.EventRecordWritten -= new EventHandler <EventRecordWrittenEventArgs>(OnConnection);
mEventWatcher.Dispose();
mEventWatcher = null;
}
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
return(false);
}
return(true);
}
public bool Install(bool start = false)
{
try
{
if (!ServiceHelper.ServiceIsInstalled(ServiceName))
{
ServiceHelper.Install(ServiceName, App.mName, "\"" + App.exePath + "\" -svc");
}
ServiceHelper.ChangeStartMode(ServiceName, ServiceHelper.ServiceBootFlag.AutoStart);
if (start)
{
ServiceHelper.StartService(ServiceName);
}
return(true);
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
return(false);
}
public static bool Exec(string cmd, string args, bool hidden = true)
{
try
{
Process process = new Process();
process.StartInfo.UseShellExecute = false;
if (hidden)
{
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
process.StartInfo.CreateNoWindow = true;
}
process.StartInfo.FileName = cmd;
process.StartInfo.Arguments = args;
process.StartInfo.Verb = "runas"; // run as admin
process.Start();
process.WaitForExit();
return(true);
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
return(false);
}
public void LoadLog()
{
EventLog eventLog = new EventLog("Security");
try
{
//for (int i = eventLog.Entries.Count-1; i > 0; i--)
foreach (EventLogEntry logEntry in eventLog.Entries)
{
//EventLogEntry entry = eventLog.Entries[i];
if (logEntry.InstanceId != (long)EventIDs.Allowed && logEntry.InstanceId != (long)EventIDs.Blocked)
{
continue;
}
string[] ReplacementStrings = logEntry.ReplacementStrings;
string direction_str = ReplacementStrings[2];
Directions direction = Directions.Unknown;
if (direction_str == "%%14592")
{
direction = Directions.Inbound;
}
else if (direction_str == "%%14593")
{
direction = Directions.Outboun;
}
int processId = MiscFunc.parseInt(ReplacementStrings[0]);
string path = ReplacementStrings[1];
ProgramList.ID id = GetIDforEntry(path, processId);
if (id == null)
{
return;
}
Actions action = Actions.Undefined;
if (logEntry.InstanceId == (int)EventIDs.Blocked)
{
action = Actions.Block;
}
else if (logEntry.InstanceId == (int)EventIDs.Allowed)
{
action = Actions.Allow;
}
string src_ip = ReplacementStrings[3];
int src_port = MiscFunc.parseInt(ReplacementStrings[4]);
string dest_ip = ReplacementStrings[5];
int dest_port = MiscFunc.parseInt(ReplacementStrings[6]);
int protocol = MiscFunc.parseInt(ReplacementStrings[7]);
Program.LogEntry entry = new Program.LogEntry(id, action, direction, src_ip, src_port, dest_ip, dest_port, protocol, processId, logEntry.TimeGenerated);
App.engine.LogActivity(entry, true);
}
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
eventLog.Dispose();
}
public void LoadApps()
{
Apps.Clear();
AppInfos.Clear();
//packageManager.RemovePackageAsync(package.Id.FullName);
IEnumerable <Windows.ApplicationModel.Package> packages = (IEnumerable <Windows.ApplicationModel.Package>)packageManager.FindPackages();
// Todo: is there a better way to get this ?
foreach (var package in packages)
{
string name;
//string fullname;
string path;
string publisher;
bool isFramework;
try
{
name = package.Id.Name;
//fullname = package.Id.FullName;
publisher = package.Id.PublisherId;
path = package.InstalledLocation.Path;
isFramework = package.IsFramework;
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
continue;
}
string appPackageID = name.ToLower() + "_" + publisher;
string appSID = PackageIDToSid(appPackageID).ToLower();
if (Apps.ContainsKey(package.InstalledLocation.Path.ToLower()))
{
AppLog.Line("Warning an app with the path: {0} is already listed", package.InstalledLocation.Path.ToLower());
}
else
{
Apps.Add(package.InstalledLocation.Path.ToLower(), appSID);
}
AppInfo?info = GetInfo(path, name, appPackageID, appSID);
if (info != null)
{
AppInfo old_info;
if (AppInfos.TryGetValue(appSID, out old_info))
{
continue;
}
if (AppInfos.ContainsKey(appSID))
{
AppLog.Line("Warning an app with the SID: {0} is already listed", appSID);
}
else
{
AppInfos.Add(appSID, info.Value);
}
}
}
}
public AppInfo?GetInfo(string path, string name, string id, string sid)
{
string manifest = Path.Combine(path, "AppxManifest.xml");
if (!File.Exists(manifest))
{
return(null);
}
XElement xelement;
try
{
string manifestXML = File.ReadAllText(manifest);
int startIndex = manifestXML.IndexOf("<Properties>", StringComparison.Ordinal);
int num = manifestXML.IndexOf("</Properties>", StringComparison.Ordinal);
xelement = XElement.Parse(manifestXML.Substring(startIndex, num - startIndex + 13).Replace("uap:", string.Empty));
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
return(null);
}
string displayName = name;
string logoPath = null;
try
{
displayName = xelement.Element((XName)"DisplayName")?.Value;
logoPath = xelement.Element((XName)"Logo")?.Value;
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
try
{
Uri result;
if (Uri.TryCreate(displayName, UriKind.Absolute, out result))
{
string pathToPri = Path.Combine(path, "resources.pri");
string resourceKey1 = "ms-resource://" + name + "/resources/" + ((IEnumerable <string>)result.Segments).Last <string>();
string stringFromPriFile = MiscFunc.GetResourceStr(pathToPri, resourceKey1);
if (!string.IsNullOrEmpty(stringFromPriFile.Trim()))
{
displayName = stringFromPriFile;
}
else
{
string str = string.Concat(((IEnumerable <string>)result.Segments).Skip <string>(1));
string resourceKey2 = "ms-resource://" + name + "/" + str;
stringFromPriFile = MiscFunc.GetResourceStr(pathToPri, resourceKey2);
if (!string.IsNullOrEmpty(stringFromPriFile.Trim()))
{
displayName = stringFromPriFile;
}
}
}
if (logoPath != null)
{
string path1 = Path.Combine(path, logoPath);
if (File.Exists(path1))
{
logoPath = path1;
}
else
{
string path2 = Path.Combine(path, Path.ChangeExtension(path1, "scale-100.png"));
if (File.Exists(path2))
{
logoPath = path2;
}
else
{
string path3 = Path.Combine(Path.Combine(path, "en-us"), logoPath);
string path4 = Path.Combine(path, Path.ChangeExtension(path3, "scale-100.png"));
if (File.Exists(path4))
{
logoPath = path4;
}
else
{
logoPath = null;
}
}
}
}
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
return(new AppInfo()
{
Name = displayName, Logo = logoPath, ID = id, SID = sid
});
}
public static bool SaveRule(FirewallRule rule, INetFwRule2 entry)
{
try
{
entry.EdgeTraversalOptions = (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY;
#if win10
INetFwRule3 entry3 = entry as INetFwRule3;
#endif
switch (rule.mID.Type)
{
case ProgramList.Types.Global:
entry.ApplicationName = null;
break;
case ProgramList.Types.System:
entry.ApplicationName = "System";
break;
default:
if (rule.mID.Path != null && rule.mID.Path.Length > 0)
{
entry.ApplicationName = rule.mID.Path;
}
break;
}
if (rule.mID.Type == ProgramList.Types.Service)
{
entry.serviceName = rule.mID.Name;
}
else
{
entry.serviceName = null;
}
#if win10
if (rule.mID.Type == ProgramList.Types.App)
{
entry3.LocalAppPackageId = rule.mID.Name;
}
else
{
entry3.LocalAppPackageId = null;
}
#endif
entry.Name = rule.Name;
entry.Grouping = rule.Grouping;
entry.Description = rule.Description;
//entry.ApplicationName = rule.ProgramPath;
//entry.serviceName = rule.ServiceName;
entry.Enabled = rule.Enabled;
switch (rule.Direction)
{
case Firewall.Directions.Inbound: entry.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN; break;
case Firewall.Directions.Outboun: entry.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT; break;
}
switch (rule.Action)
{
case Firewall.Actions.Allow: entry.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW; break;
case Firewall.Actions.Block: entry.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK; break;
}
entry.Profiles = rule.Profile;
if (rule.Interface == (int)Firewall.Interfaces.All)
{
entry.InterfaceTypes = "All";
}
else
{
List <string> interfaces = new List <string>();
if ((rule.Interface & (int)Firewall.Interfaces.Lan) != 0)
{
interfaces.Add("Lan");
}
if ((rule.Interface & (int)Firewall.Interfaces.Wireless) != 0)
{
interfaces.Add("Wireless");
}
if ((rule.Interface & (int)Firewall.Interfaces.RemoteAccess) != 0)
{
interfaces.Add("RemoteAccess");
}
entry.InterfaceTypes = string.Join(",", interfaces.ToArray().Reverse());
}
// Note: if this is not cleared protocol change may trigger an exception
if (entry.LocalPorts != null)
{
entry.LocalPorts = null;
}
if (entry.RemotePorts != null)
{
entry.RemotePorts = null;
}
if (entry.IcmpTypesAndCodes != null)
{
entry.IcmpTypesAndCodes = null;
}
// Note: protocol must be set early enough or other sets will cause errors!
entry.Protocol = rule.Protocol;
switch (rule.Protocol)
{
case (int)FirewallRule.KnownProtocols.ICMP:
case (int)FirewallRule.KnownProtocols.ICMPv6:
entry.IcmpTypesAndCodes = rule.IcmpTypesAndCodes;
break;
case (int)FirewallRule.KnownProtocols.TCP:
case (int)FirewallRule.KnownProtocols.UDP:
entry.LocalPorts = rule.LocalPorts;
entry.RemotePorts = rule.RemotePorts;
break;
}
if (rule.EdgeTraversal != (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DEFER_TO_USER)
{
entry.LocalAddresses = rule.LocalAddresses;
entry.RemoteAddresses = rule.RemoteAddresses;
}
entry.EdgeTraversalOptions = rule.EdgeTraversal;
#if win10
if (entry3 != null)
{
//entry3.LocalAppPackageId = rule.AppID;
/*entry3.LocalAppPackageId;
* entry3.RemoteMachineAuthorizedList;
* entry3.LocalUserAuthorizedList;
* entry3.LocalUserOwner;
* entry3.SecureFlags;*/
}
#endif
}
catch (Exception err)
{
AppLog.Line("Firewall Rule Commit failed {0}", err.ToString());
return(false);
}
return(true);
}
public static bool LoadRule(FirewallRule rule, INetFwRule2 entry)
{
try
{
#if win10
INetFwRule3 entry3 = entry as INetFwRule3;
#endif
ProgramList.Types type;
string path = entry.ApplicationName;
string name = null;
if (path != null && path.Equals("System", StringComparison.OrdinalIgnoreCase))
{
type = ProgramList.Types.System;
}
else if (entry.serviceName != null)
{
type = ProgramList.Types.Service;
name = entry.serviceName;
}
#if win10
else if (entry3 != null && entry3.LocalAppPackageId != null)
{
type = ProgramList.Types.App;
name = entry3.LocalAppPackageId;
}
#endif
else if (path != null)
{
type = ProgramList.Types.Program;
}
else
{
type = ProgramList.Types.Global;
}
rule.mID = new ProgramList.ID(type, path, name);
// https://docs.microsoft.com/en-us/windows/desktop/api/netfw/nn-netfw-inetfwrule
rule.Name = entry.Name;
rule.Grouping = entry.Grouping;
rule.Description = entry.Description;
//rule.ProgramPath = entry.ApplicationName;
//rule.ServiceName = entry.serviceName;
rule.Enabled = entry.Enabled;
switch (entry.Direction)
{
case NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN: rule.Direction = Firewall.Directions.Inbound; break;
case NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT: rule.Direction = Firewall.Directions.Outboun; break;
}
switch (entry.Action)
{
case NET_FW_ACTION_.NET_FW_ACTION_ALLOW: rule.Action = Firewall.Actions.Allow; break;
case NET_FW_ACTION_.NET_FW_ACTION_BLOCK: rule.Action = Firewall.Actions.Block; break;
}
rule.Profile = entry.Profiles;
if (entry.InterfaceTypes.Equals("All", StringComparison.OrdinalIgnoreCase))
{
rule.Interface = (int)Firewall.Interfaces.All;
}
else
{
rule.Interface = (int)Firewall.Interfaces.None;
if (entry.InterfaceTypes.IndexOf("Lan", StringComparison.OrdinalIgnoreCase) != -1)
{
rule.Interface |= (int)Firewall.Interfaces.Lan;
}
if (entry.InterfaceTypes.IndexOf("Wireless", StringComparison.OrdinalIgnoreCase) != -1)
{
rule.Interface |= (int)Firewall.Interfaces.Wireless;
}
if (entry.InterfaceTypes.IndexOf("RemoteAccess", StringComparison.OrdinalIgnoreCase) != -1)
{
rule.Interface |= (int)Firewall.Interfaces.RemoteAccess;
}
}
rule.Protocol = entry.Protocol;
/*The localAddrs parameter consists of one or more comma-delimited tokens specifying the local addresses from which the application can listen for traffic. "*" is the default value. Valid tokens include:
*
* "*" indicates any local address. If present, this must be the only token included.
* "Defaultgateway"
* "DHCP"
* "WINS"
* "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
* A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
* A valid IPv6 address.
* An IPv4 address range in the format of "start address - end address" with no spaces included.
* An IPv6 address range in the format of "start address - end address" with no spaces included.*/
switch (rule.Protocol)
{
case (int)FirewallRule.KnownProtocols.ICMP:
case (int)FirewallRule.KnownProtocols.ICMPv6:
//The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes.
rule.IcmpTypesAndCodes = entry.IcmpTypesAndCodes;
break;
case (int)FirewallRule.KnownProtocols.TCP:
case (int)FirewallRule.KnownProtocols.UDP:
// , separated number or range 123-456
rule.LocalPorts = entry.LocalPorts;
rule.RemotePorts = entry.RemotePorts;
break;
}
rule.LocalAddresses = entry.LocalAddresses;
rule.RemoteAddresses = entry.RemoteAddresses;
// https://docs.microsoft.com/de-de/windows/desktop/api/icftypes/ne-icftypes-net_fw_edge_traversal_type_
//EdgeTraversal = (int)(Entry.EdgeTraversal ? NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_ALLOW : NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY);
rule.EdgeTraversal = entry.EdgeTraversalOptions;
#if win10
if (entry3 != null)
{
//rule.AppID = entry3.LocalAppPackageId;
/*string s1 = entry3.LocalAppPackageId;
* string s2 = entry3.RemoteMachineAuthorizedList;
* string s3 = entry3.LocalUserAuthorizedList;
* string s4 = entry3.LocalUserOwner;
* int i1 = entry3.SecureFlags;*/
}
#endif
}
catch (Exception err)
{
AppLog.Line("Reading Firewall Rule failed {0}", err.ToString());
return(false);
}
return(true);
}
