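/// <summary>
/// BackgroundWorker DoWork handler that exports one event log channel to an
/// .evtx file.
/// </summary>
/// <param name="sender">The worker raising the event (unused).</param>
/// <param name="e">
/// <see cref="DoWorkEventArgs.Argument"/> is expected to be a string whose
/// first line is the output directory and whose remaining lines form the
/// query text.
/// </param>
/// <remarks>
/// The query id and channel name are read back out of the query text as the
/// second and fourth double-quoted tokens and are used verbatim as path
/// components, so a channel name containing a separator yields a nested
/// directory. The shared mutex guards only logging and directory creation;
/// it is released on every exit path (the previous version returned from
/// its catch blocks while still holding it) and is never held across the
/// export call itself.
/// </remarks>
private void SubmitQuery(object sender, DoWorkEventArgs e)
{
    // Argument layout: line 1 = output directory, remainder = the query.
    string argument = e.Argument as string;
    string[] lines = argument == null ? new string[0] : argument.Split('\n');
    string path = lines.Length > 0 ? lines[0] : null;
    string query = string.Join("", lines.Skip(1));

    // The id and channel path are embedded in the query text as the second
    // and fourth double-quoted tokens.
    string[] quoted = query.Split('"');
    if (path == null || quoted.Length < 4)
    {
        // A malformed argument previously surfaced as an IndexOutOfRange
        // inside the worker; log it and bail out instead.
        mutex.WaitOne();
        try
        {
            Backbone.LogEvent("ERROR", "Malformed query argument; expected an output path followed by a quoted id and channel.");
        }
        finally
        {
            mutex.ReleaseMutex();
        }
        return;
    }

    string id = quoted[1];
    string channel = quoted[3];
    string channelDirectory = path + "\\" + channel;
    string outputFile = channelDirectory + "\\Query_" + id + ".evtx";

    mutex.WaitOne();
    try
    {
        Backbone.LogEvent("INFO", "Attempting to write to " + path + "\\" + channel + "\\Query_" + id);

        // Ensure directory path exists
        if (!Directory.Exists(channelDirectory))
        {
            Backbone.LogEvent("WARNING", "Log directory " + channel + " does not exist, attempting to create.");
            try
            {
                Directory.CreateDirectory(channelDirectory);
            }
            catch (UnauthorizedAccessException)
            {
                Backbone.LogEvent("ERROR", "You do not have the required permission to create this directory.");
                return;
            }
            catch (PathTooLongException)
            {
                Backbone.LogEvent("ERROR", "The path entered exceeds the system-defined limit.");
                return;
            }
            catch (DirectoryNotFoundException)
            {
                Backbone.LogEvent("ERROR", "Invalid directory path. Perhaps the drive is unmapped?");
                return;
            }
            catch (Exception)
            {
                Backbone.LogEvent("ERROR", "Unspecified IO Error when creating " + channel);
                return;
            }
            Backbone.LogEvent("INFO", "Log directory " + channel + " created successfully.");
        }
    }
    finally
    {
        // Released on every path, including the early returns above, so a
        // failed directory creation can no longer abandon the mutex.
        mutex.ReleaseMutex();
    }

    WevtapiHandler.ExportChannel(IntPtr.Zero, channel, outputFile, query);
}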
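/// <summary>
/// Populates the channel and user lists bound to the UI: every event log
/// channel reported by WevtapiHandler and every Win32_UserAccount returned
/// by WMI.
/// </summary>
/// <remarks>
/// Assigns ChannelsDisplay.ItemsSource and UserDisplay.ItemsSource
/// directly, so it is expected to run on the UI thread. The WMI searcher,
/// its result collection and each result object are disposed once they
/// have been read; the previous version leaked all three.
/// </remarks>
private void GetSystemConfiguration()
{
    Backbone.LogEvent("INFO", "---- Gathering System Information ----");

    // Gather all event log channels
    EventLog[] channels_raw = WevtapiHandler.EnumerateChannels();
    Channels = new List<SelectableChannelItem>();
    Backbone.LogEvent("INFO", "---- Attempting to Enumerate Log Channels ----");

    // Configure SelectableChannelItem and add to list
    foreach (EventLog channel in channels_raw)
    {
        Backbone.LogEvent("INFO", "Found Log Channel: " + channel.LogDisplayName);
        Channels.Add(new SelectableChannelItem
        {
            Selected = false,
            Channel = channel,
            ChannelName = channel.LogDisplayName
        });
    }
    if (Channels.Count == 0)
    {
        Backbone.LogEvent("WARNING", "No Open Log Channels Found");
    }

    // Set the display datagrid
    Backbone.LogEvent("INFO", "Setting Channel Display");
    ChannelsDisplay.ItemsSource = Channels;

    Backbone.LogEvent("INFO", "---- Attempting to Enumerate User Accounts ----");
    Users = new List<SelectableUserItem>();

    // WMI objects wrap native handles; dispose the searcher, the result
    // collection and every result once consumed.
    using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(new SelectQuery("Win32_UserAccount")))
    using (ManagementObjectCollection results = searcher.Get())
    {
        foreach (ManagementObject user in results)
        {
            using (user)
            {
                object rawName = user["Name"];
                if (rawName == null)
                {
                    // Previously a null Name crashed the whole enumeration;
                    // skip the single bad record instead.
                    Backbone.LogEvent("WARNING", "Skipping user account with no Name property");
                    continue;
                }
                string username = rawName.ToString();
                Backbone.LogEvent("INFO", "User Account Found: " + username);
                Users.Add(new SelectableUserItem
                {
                    Selected = false,
                    Username = username
                });
            }
        }
    }
    if (Users.Count == 0)
    {
        Backbone.LogEvent("ERROR", "Failed to Enumerate User Accounts");
    }

    Backbone.LogEvent("INFO", "Setting User Display");
    UserDisplay.ItemsSource = Users;
    Backbone.LogEvent("INFO", "---- Finished Gathering System Information ----");
}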
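/// <summary>
/// Click handler for the Pump and Dump button: gathers the selected
/// channels, users and severities from the UI, creates a timestamped output
/// directory beneath the chosen parent, and hands the generated query list
/// to a BackgroundWorker.
/// </summary>
/// <param name="sender">The button (unused).</param>
/// <param name="e">Routed event data (unused).</param>
/// <remarks>
/// Empty selections fall back to "everything": all channels, all users and
/// no blocked severities. The button is disabled on entry; it is re-enabled
/// here only when directory creation fails (no worker is started in that
/// case), otherwise the completion handler is presumably responsible for
/// it. The shared mutex guards the log calls that may race with the worker
/// and is released on every exit path.
/// </remarks>
private void PumpAndDump_Click(object sender, RoutedEventArgs e)
{
    PumpAndDump.IsEnabled = false;

    //
    // Collect Information on Selected Channels / Users / Severities
    //
    List<string> channels = CollectSelectedChannels();
    List<string> users = CollectSelectedUsers();
    List<string> severities = CollectBlockedSeverities();

    //
    // Validate Parent Directory
    //
    // Read the clock once so the date and time folder names cannot straddle
    // a day boundary. "dd-MM-yyy" is the original format string; "yyy"
    // still renders the full four-digit year.
    DateTime now = DateTime.Now;
    string path = OutputDirectory.Text + "\\" + now.ToString("dd-MM-yyy") + "\\" + now.ToString("HH.mm.ss");
    if (!EnsureParentDirectory(path))
    {
        // Nothing was started, so give the button back to the user instead
        // of leaving it permanently disabled.
        PumpAndDump.IsEnabled = true;
        return;
    }

    List<string> queryList = WevtapiHandler.GenerateQueryList(channels, users, severities, StartDayPicker, StartTimePicker, EndDayPicker, EndTimePicker);
    progress.Value = 0;
    progress.Maximum = queryList.Count;
    progress.Minimum = 0;

    // The output path rides along as the final list entry; the worker is
    // expected to read it back out before processing the queries.
    queryList.Add(path);

    BackgroundWorker worker = new BackgroundWorker();
    worker.WorkerReportsProgress = true;
    worker.DoWork += new DoWorkEventHandler(SubmitQueries);
    worker.RunWorkerCompleted += new RunWorkerCompletedEventHandler(QueriesComplete);
    worker.RunWorkerAsync(argument: queryList);

    // Leftover end-of-implementation marker, kept as-is (logged at ERROR).
    mutex.WaitOne();
    try
    {
        Backbone.LogEvent("ERROR", "END OF IMPLEMENTATION");
    }
    finally
    {
        mutex.ReleaseMutex();
    }
}

// Names of the channels ticked in the grid; every channel when none is ticked.
private List<string> CollectSelectedChannels()
{
    Backbone.LogEvent("INFO", "---- Attempting to Collect Log Channels ----");
    List<string> channels = new List<string>();
    foreach (SelectableChannelItem channel in Channels)
    {
        if (channel.Selected)
        {
            channels.Add(channel.ChannelName);
            Backbone.LogEvent("INFO", "Added Channel: " + channel.ChannelName);
        }
    }

    // Prevent User Stupidity
    if (channels.Count == 0)
    {
        Backbone.LogEvent("WARNING", "No Channels Selected, Selecting All Channels.");
        foreach (SelectableChannelItem channel in Channels)
        {
            channels.Add(channel.ChannelName);
            Backbone.LogEvent("INFO", "Added Channel: " + channel.ChannelName);
        }
    }
    return channels;
}

// Usernames ticked in the grid; every user when none is ticked.
private List<string> CollectSelectedUsers()
{
    Backbone.LogEvent("INFO", "---- Attempting to Collect Users ----");
    List<string> users = new List<string>();
    foreach (SelectableUserItem user in Users)
    {
        if (user.Selected)
        {
            users.Add(user.Username);
            Backbone.LogEvent("INFO", "Added User: " + user.Username);
        }
    }

    // Prevent User Stupidity
    if (users.Count == 0)
    {
        Backbone.LogEvent("WARNING", "No Users Selected, Selecting All Users.");
        foreach (SelectableUserItem user in Users)
        {
            users.Add(user.Username);
            Backbone.LogEvent("INFO", "Added User: " + user.Username);
        }
    }
    return users;
}

// Severity labels whose check boxes are NOT ticked (i.e. the ones to block);
// empty when every severity would otherwise be blocked.
private List<string> CollectBlockedSeverities()
{
    Backbone.LogEvent("INFO", "---- Attempting to Collect Severities ----");
    List<string> severities = new List<string>();
    CheckBox[] boxes = { ErrorCB, WarningCB, InformationCB, FailureAuditCB, SuccessAuditCB };
    foreach (CheckBox item in boxes)
    {
        string severity = item.Content.ToString();
        // IsChecked is a nullable bool (tri-state); treat indeterminate as
        // unchecked rather than dereferencing a null Value.
        if (item.IsChecked == true)
        {
            Backbone.LogEvent("INFO", "Added Severity: " + severity);
        }
        else
        {
            severities.Add(severity);
            Backbone.LogEvent("INFO", "Blocked Severity: " + severity);
        }
    }

    // Prevent User Stupidity
    if (severities.Count == boxes.Length)
    {
        Backbone.LogEvent("WARNING", "All Severities Blocked, Unblocking All Severities.");
        severities.Clear();
        Backbone.LogEvent("INFO", "Unblocked all severity levels");
    }
    return severities;
}

// Creates the run's output directory if missing. Returns false (after
// logging) when creation fails. The mutex is held for logging and creation
// and released on every path.
private bool EnsureParentDirectory(string path)
{
    if (Directory.Exists(path))
    {
        return true;
    }

    mutex.WaitOne();
    try
    {
        Backbone.LogEvent("WARNING", "Parent directory " + path + " does not exist, attempting to create.");
        try
        {
            Directory.CreateDirectory(path);
        }
        catch (UnauthorizedAccessException)
        {
            Backbone.LogEvent("ERROR", "You do not have the required permission to create this directory.");
            return false;
        }
        catch (PathTooLongException)
        {
            Backbone.LogEvent("ERROR", "The path entered exceeds the system-defined limit.");
            return false;
        }
        catch (DirectoryNotFoundException)
        {
            Backbone.LogEvent("ERROR", "Invalid directory path. Perhaps the drive is unmapped?");
            return false;
        }
        catch (Exception)
        {
            Backbone.LogEvent("ERROR", "Unspecified IO Error when creating " + path);
            return false;
        }
        Backbone.LogEvent("INFO", "Parent directory " + path + " created successfully.");
        return true;
    }
    finally
    {
        mutex.ReleaseMutex();
    }
}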