private void BeginScanning() { if (ProcessingToggle.CurrentState == ToggleState.Active) { btnSearch.Enabled = false; ProcessingToggle.SetState(ToggleState.Inactive); } else if (ProcessingToggle.CurrentState == ToggleState.Ready) { btnSearch.Enabled = false; ProcessingToggle.SetState(ToggleState.Active); bool calculateEntropy = checkboxCalculateEntropy.Checked; string selectedFolder = tbPath.Text; string searchPatterns = tbSearchPatterns.Text; List <YaraFilter> yaraParameters = new List <YaraFilter>(); if (checkBoxYaraRules.Checked) { yaraParameters = currentYaraFilters.ToList(); } IDataPersistenceLayer dataPersistenceLayer = null; if (radioPersistenceCSV.Checked) { dataPersistenceLayer = new CsvDataPersistenceLayer(tbPersistenceParameter.Text); } else if (radioPersistenceSqlite.Checked) { dataPersistenceLayer = new SqliteDataPersistenceLayer(tbPersistenceParameter.Text); } else if (radioPersistenceSqlServer.Checked) { dataPersistenceLayer = new SqlDataPersistenceLayer(tbPersistenceParameter.Text); } FileEnumeratorParameters parameters = new FileEnumeratorParameters(cancelToken, Settings.FileEnumeration_DisableWorkerThread, selectedFolder, searchPatterns, calculateEntropy, yaraParameters, dataPersistenceLayer, Log.ToUI, Log.ToFile, ReportNumbers, Log.ExceptionMessage); enumerationStart = DateTime.Now; bool didThrow = false; try { parameters.ThrowIfAnyParametersInvalid(); } catch (Exception ex) { didThrow = true; MessageBox.Show( ex.ToString().Split(new char[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries).FirstOrDefault(), MsgBox_TitleBarText, MessageBoxButtons.OK, MessageBoxIcon.Error ); } if (didThrow) { ProcessingToggle.SetState(ToggleState.Ready); } else { Log.ToUI(Environment.NewLine); Log.ToAll($"Beginning Enumeration of folder: \"{parameters.SelectedFolder}\""); Log.ToAll("Parsing MFT. (This may take a few minutes)"); FileEnumerator.LaunchFileEnumerator(parameters); } } }
private static void Main(string[] args) { if (args.Length == 0) { DisplayUsageSyntax(); return; } // Will hold flag & parameter to flag, such as: "-p", "C:\Windows\" List <Tuple <string, string> > flags = GetFlags(args); if (!flags.Any()) { DisplayUsageSyntax(); return; } string searchPath = ""; string searchMask = "*.*"; bool isEntropyEnabled = false; bool isYaraEnabled = false; bool isSqlServerEnabled = false; bool isSqliteEnabled = false; bool isCsvEnabled = false; string sqliteDbFile = ""; string csvFile = ""; string sqlConnectionString = (Settings.Database_ConnectionString == "SetMe") ? "" : Settings.Database_ConnectionString; string yaraFiltersFile = ""; List <YaraFilter> yaraFilters = new List <YaraFilter>(); foreach (Tuple <string, string> flagTuple in flags) { string flag = flagTuple.Item1; string parameter = flagTuple.Item2; switch (flag) { case "e": isEntropyEnabled = true; break; case "p": searchPath = parameter; break; case "m": searchMask = parameter; break; case "y": isYaraEnabled = true; yaraFiltersFile = parameter; break; case "s": isSqlServerEnabled = true; break; case "l": isSqliteEnabled = true; sqliteDbFile = string.IsNullOrWhiteSpace(parameter) ? sqlConnectionString : parameter; break; case "c": isCsvEnabled = true; csvFile = parameter; break; } } ReportOutput(); ReportOutput("Running with these parameters:"); ReportOutput($" Search [P]ath: \"{searchPath}\""); ReportOutput($" Search [M]ask: {searchMask}"); ReportOutput($" Calulate [E]ntropy: {isEntropyEnabled}"); if (isYaraEnabled) { ReportOutput($" [Y]ara filters file: \"{yaraFiltersFile}\""); } if (isSqlServerEnabled) { ReportOutput($" [S]QL connection: \"{sqlConnectionString}\""); } else if (isSqliteEnabled) { ReportOutput($" Sq[l]ite DB: \"{sqliteDbFile}\""); } else if (isCsvEnabled) { ReportOutput($" [C]SV file: \"{csvFile}\""); } ReportOutput(); if (string.IsNullOrWhiteSpace(searchPath)) { ReportOutput("No search path provided!"); ReportOutput("You must supply the -p flag with a path, e.g.:"); ReportOutput("-p:\"C:\\Program Files\\BanzaiBuddy\""); ReportOutput(); ReportOutput("Aborting..."); return; } if (isYaraEnabled) { if (!File.Exists(yaraFiltersFile)) { ReportOutput($"The yara filters file path suppled does not exist: \"{yaraFiltersFile}\"."); ReportOutput(); ReportOutput("Aborting..."); return; } try { string loadJson = File.ReadAllText(yaraFiltersFile); yaraFilters = JsonConvert.DeserializeObject <List <YaraFilter> >(loadJson); } catch { ReportOutput("The yara filters file must be a JSON file."); ReportOutput(); ReportOutput("Aborting..."); return; } } IDataPersistenceLayer dataPersistenceLayer; if (isSqliteEnabled) { dataPersistenceLayer = new SqliteDataPersistenceLayer(sqliteDbFile); } else if (isCsvEnabled) { dataPersistenceLayer = new CsvDataPersistenceLayer(csvFile); } else if (isSqlServerEnabled) { dataPersistenceLayer = new SqlDataPersistenceLayer(sqlConnectionString); } else { ReportOutput("No output parameter provided!"); if (!string.IsNullOrWhiteSpace(sqlConnectionString)) { ReportOutput("(SQL server connection string supplied in config file, asuming SQL server output...)"); dataPersistenceLayer = new SqlDataPersistenceLayer(sqlConnectionString); } else { ReportOutput("You must supply an output parameter, e.g.:"); ReportOutput("-c:C:\\out.csv"); ReportOutput($"OR provide a SQL server connection string in the config file: {_thisExecutableFilename}"); ReportOutput("(Because it defaults to a SQL server connection. However, the connection string was missing.)"); ReportOutput(); ReportOutput("Aborting..."); return; } } FileEnumeratorParameters parameters = new FileEnumeratorParameters( CancellationToken.None, true, // Do not change this. If set to false, it will run on a thread, return immediately and exit, killing the thread. searchPath, searchMask, isEntropyEnabled, yaraFilters, dataPersistenceLayer, ReportOutput, Log.LogOutputAction, ReportResults, Log.ExceptionMessage ); parameters.ThrowIfAnyParametersInvalid(); ReportOutput("Beginning scan..."); FileEnumerator.LaunchFileEnumerator(parameters); }