/// <summary>
/// Builds the main window: wires the output text box into <c>Logging</c>, hooks SQL
/// exception reporting, sets up the processing toggle and applies the connection string
/// and GUI defaults read from <c>Settings</c>.
/// </summary>
public MainForm()
{
    InitializeComponent();

    // Route log output to the on-screen text box and SQL exceptions to the logger.
    Logging.FormOutputControl = tbOutput;
    SQLHelper.LogExceptionAction = Logging.LogExceptionMessage;

    ProcessingToggle = new Toggle(ActivationBehavior, DeactivationBehavior);
    panelYara.Enabled = checkBoxYaraRules.Checked;

    // "SetMe" is the placeholder value shipped in the .config template.
    string connectionString = Settings.Database_ConnectionString;
    bool connectionStringConfigured =
        !string.IsNullOrWhiteSpace(connectionString) && connectionString != "SetMe";

    if (connectionStringConfigured)
    {
        FilePropertiesAccessLayer.SetConnectionString(connectionString);
    }
    else
    {
        // Without a database target the Browse workflow cannot store results, so it is disabled.
        Logging.ReportOutput("ERROR: Connection string not set! Please set the SQL connection string in .config file. Browse button disabled.");
        btnBrowse.Enabled = false;
    }

    string defaultFolder = Settings.GUI_DefaultFolder;
    if (!string.IsNullOrWhiteSpace(defaultFolder))
    {
        tbPath.Text = defaultFolder;
    }

    string searchPattern = Settings.GUI_SearchPattern;
    if (!string.IsNullOrWhiteSpace(searchPattern))
    {
        tbSearchPatterns.Text = searchPattern;
    }
}
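/// <summary>
/// Breadth-first walk of <c>parameters.SelectedFolder</c> using the MFT helpers: every file
/// found in a folder is inserted into the database and every sub-folder is queued for a
/// later pass. Resets the static counters at the start and returns them at the end; a
/// cancellation request via <c>parameters.CancelToken</c> stops the walk and returns the
/// partial counts collected so far.
/// </summary>
/// <param name="parameters">Enumeration settings; <c>SelectedFolder</c> must begin with the drive letter.</param>
/// <returns>The file, database-insert and directory counters, in that order.</returns>
/// <exception cref="ArgumentNullException"><paramref name="parameters"/> is null.</exception>
/// <exception cref="ArgumentException"><c>SelectedFolder</c> is null or empty.</exception>
private static List<FailSuccessCount> ThreadLauncher(FileEnumeratorParameters parameters)
{
    fileEnumCount = new FailSuccessCount("OS files enumerated");
    databaseInsertCount = new FailSuccessCount("OS database rows updated");
    directoryEnumCount = new FailSuccessCount("directories enumerated");

    // Fail with a clear message instead of an IndexOutOfRangeException on SelectedFolder[0].
    if (parameters == null)
    {
        throw new ArgumentNullException(nameof(parameters));
    }
    if (string.IsNullOrEmpty(parameters.SelectedFolder))
    {
        throw new ArgumentException("SelectedFolder must not be empty.", nameof(parameters));
    }

    try
    {
        char driveLetter = parameters.SelectedFolder[0];
        Queue<string> folders = new Queue<string>();
        folders.Enqueue(parameters.SelectedFolder);

        while (folders.Count > 0)
        {
            parameters.CancelToken.ThrowIfCancellationRequested();
            string currentDirectory = folders.Dequeue();

            // Files directly inside this folder. NOTE(review): fileEnumCount is not
            // incremented here; presumably EnumerateFileProperties updates it - confirm.
            IEnumerable<FileProperties> properties = EnumerateFileProperties(parameters, driveLetter, currentDirectory);
            foreach (FileProperties prop in properties)
            {
                parameters.CancelToken.ThrowIfCancellationRequested();

                if (FilePropertiesAccessLayer.InsertFileProperties(prop))
                {
                    databaseInsertCount.IncrementSucceededCount();
                }
                else
                {
                    databaseInsertCount.IncrementFailedCount();
                }
            }

            parameters.CancelToken.ThrowIfCancellationRequested();

            // Sub-folders at this depth are queued rather than descended into, giving breadth-first order.
            IEnumerable<NtfsDirectory> nestedDirectories = MftHelper.GetDirectories(driveLetter, currentDirectory);
            foreach (NtfsDirectory directory in nestedDirectories)
            {
                parameters.CancelToken.ThrowIfCancellationRequested();
                folders.Enqueue(Path.Combine(currentDirectory, directory.Name));
                directoryEnumCount.IncrementSucceededCount();
            }
        }
    }
    catch (OperationCanceledException)
    {
        // Cancellation is the normal way to stop early; the partial counts are still returned.
    }

    return new List<FailSuccessCount> { fileEnumCount, databaseInsertCount, directoryEnumCount };
}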
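/// <summary>
/// Enumerates the NTFS master file table of the drive that holds <c>parameters.SelectedFolder</c>,
/// keeps the records whose full name lies under that folder and matches the search patterns,
/// and inserts a <c>FileProperties</c> row for each match. Resets the static counters at the
/// start and returns them at the end; a cancellation request via <c>parameters.CancelToken</c>
/// stops the scan and returns the partial counts collected so far.
/// </summary>
/// <param name="parameters">Enumeration settings; <c>SelectedFolder</c> must begin with the drive letter.</param>
/// <returns>The file, database-insert and directory counters, in that order (the directory counter is never incremented by this method).</returns>
/// <exception cref="ArgumentNullException"><paramref name="parameters"/> is null.</exception>
/// <exception cref="ArgumentException"><c>SelectedFolder</c> is null or empty.</exception>
/// <exception cref="InvalidOperationException">Not exactly one ready NTFS drive matches the drive letter.</exception>
private static List<FailSuccessCount> Worker(FileEnumeratorParameters parameters)
{
    fileEnumCount = new FailSuccessCount("OS files enumerated");
    databaseInsertCount = new FailSuccessCount("OS database rows updated");
    directoryEnumCount = new FailSuccessCount("directories enumerated");

    // Fail with a clear message instead of an IndexOutOfRangeException on SelectedFolder[0].
    if (parameters == null)
    {
        throw new ArgumentNullException(nameof(parameters));
    }
    if (string.IsNullOrEmpty(parameters.SelectedFolder))
    {
        throw new ArgumentException("SelectedFolder must not be empty.", nameof(parameters));
    }

    try
    {
        parameters.CancelToken.ThrowIfCancellationRequested();

        string selectedFolder = parameters.SelectedFolder;
        char driveLetter = selectedFolder[0];

        // Drive names are "C:\"-style; match the leading letter ordinally rather than with a
        // culture-sensitive ToUpper()/Contains(). Skipping drives that are not ready avoids the
        // IOException that reading DriveFormat on an empty removable drive raises.
        List<DriveInfo> matchingDrives = DriveInfo.GetDrives()
            .Where(d => d.IsReady && d.DriveFormat == "NTFS")
            .Where(d => d.Name.Length > 0 && char.ToUpperInvariant(d.Name[0]) == char.ToUpperInvariant(driveLetter))
            .ToList();
        if (matchingDrives.Count != 1)
        {
            throw new InvalidOperationException(
                $"Expected exactly one ready NTFS drive for '{driveLetter}:' but found {matchingDrives.Count}.");
        }
        DriveInfo driveToAnalyze = matchingDrives[0];

        IEnumerable<INode> mftNodes = MftHelper.EnumerateMft(driveToAnalyze);

        // A bare root ("C:" or "C:\") means the whole volume; anything longer narrows the scan.
        // NOTE(review): this keeps the original substring match, which assumes node.FullName
        // carries the drive prefix in the same form as SelectedFolder - confirm against MftHelper.
        if (selectedFolder.Length > 3)
        {
            string folderFilter = selectedFolder.TrimEnd('\\');
            mftNodes = mftNodes.Where(node => node.FullName.IndexOf(folderFilter, StringComparison.OrdinalIgnoreCase) >= 0);
        }

        foreach (INode node in mftNodes)
        {
            if (!FileMatchesPattern(node.FullName, parameters.SearchPatterns))
            {
                parameters.LogOutputFunction?.Invoke($"FileMatchingPattern returned false: \"{node.FullName}\"");
                fileEnumCount.IncrementFailedCount();
                parameters.CancelToken.ThrowIfCancellationRequested();
                continue;
            }

            string message = $"MFT#: {node.MFTRecordNumber.ToString().PadRight(7)} Seq.#: {node.SequenceNumber.ToString().PadRight(4)} Path: {node.FullName}";
            parameters.LogOutputFunction?.Invoke(message);
            parameters.ReportOutputFunction?.Invoke(message);
            fileEnumCount.IncrementSucceededCount();
            parameters.CancelToken.ThrowIfCancellationRequested();

            // Populating may hash / inspect the file, so check for cancellation on either side of it.
            FileProperties prop = new FileProperties();
            prop.PopulateFileProperties(parameters, driveLetter, node);
            parameters.CancelToken.ThrowIfCancellationRequested();

            if (FilePropertiesAccessLayer.InsertFileProperties(prop))
            {
                databaseInsertCount.IncrementSucceededCount();
            }
            else
            {
                databaseInsertCount.IncrementFailedCount();
            }

            parameters.CancelToken.ThrowIfCancellationRequested();
        }
    }
    catch (OperationCanceledException)
    {
        // Cancellation is the normal way to stop early; the partial counts are still returned.
    }

    return new List<FailSuccessCount> { fileEnumCount, databaseInsertCount, directoryEnumCount };
}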
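/// <summary>
/// Console entry point: checks that a real connection string is configured, decodes the
/// command-line flags (e, v, p, m, y), echoes the effective settings and launches the
/// file enumerator with a non-cancellable token.
/// </summary>
/// <param name="args">Command-line arguments; flag/value pairs are decoded by <c>GetFlags</c>.</param>
private static void Main(string[] args)
{
    // "SetMe" is the placeholder value shipped in the .config template.
    string connectionString = Settings.Database_ConnectionString;
    if (string.IsNullOrWhiteSpace(connectionString) || connectionString == "SetMe")
    {
        ReportOutput("ERROR: Connection string not set! Please set the SQL connection string in .config file.");
        ReportOutput("Aborting...");
        return;
    }
    FilePropertiesAccessLayer.SetConnectionString(connectionString);

    if (args == null || args.Length == 0)
    {
        DisplayUsageSyntax();
        return;
    }

    // Each tuple holds a flag and its parameter, such as: "p", "C:\Windows\"
    List<Tuple<string, string>> flags = GetFlags(args);
    if (!flags.Any())
    {
        return;
    }

    string searchPath = "";
    string searchMask = "*.*";
    bool calcEntropy = false;
    bool onlineValidation = false;
    string yaraRulesFile = "";

    foreach (Tuple<string, string> flagTuple in flags)
    {
        string flag = flagTuple.Item1;
        string parameter = flagTuple.Item2;
        switch (flag)
        {
            case "e":
                calcEntropy = true;
                break;
            case "v":
                onlineValidation = true;
                break;
            case "p":
                searchPath = parameter;
                break;
            case "m":
                searchMask = parameter;
                break;
            case "y":
                yaraRulesFile = parameter;
                break;
            default:
                // A mistyped flag used to be dropped silently; say so instead.
                ReportOutput($"WARNING: Unrecognised flag \"{flag}\" ignored.");
                break;
        }
    }

    // The enumerator reads the drive letter from the first character of the path,
    // so an empty path would fail deep inside the worker instead of here.
    if (string.IsNullOrWhiteSpace(searchPath))
    {
        ReportOutput("ERROR: No search path given. Use the p flag to supply a folder.");
        DisplayUsageSyntax();
        return;
    }

    ReportOutput($"Search [P]ath: \"{searchPath}\"");
    ReportOutput($"Search [M]ask: {searchMask}");
    ReportOutput($"Calculate [E]ntropy: {calcEntropy}");
    ReportOutput($"Online [V]alidation: {onlineValidation}");
    ReportOutput($"[Y]ara Rules File: \"{yaraRulesFile}\"");
    ReportOutput("");

    FileEnumeratorParameters parameters = new FileEnumeratorParameters(
        CancellationToken.None,
        Settings.FileEnumeration_DisableWorkerThread,
        searchPath,
        searchMask,
        calcEntropy,
        onlineValidation,
        yaraRulesFile,
        ReportOutput,
        LogOutput,
        ReportResults,
        ReportException);

    ReportOutput("Beginning enumeration...");
    FileEnumerator.LaunchFileEnumerator(parameters);
}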