private static void READ_Local_Log_Dirs_for_Powershell_or_IIS(string directory) { try { if (Directory.Exists(directory)) { string[] SubDirs = Directory.GetDirectories(directory); for (int x = 0; x < SubDirs.Length; ++x) { string[] FilePaths = Directory.GetFiles(SubDirs[x]); for (int c = 0; c < FilePaths.Length; ++c) { if (FilePaths[c].Contains(".txt") && (FilePaths[c].ToLower().Contains("powershell_transcript.") || FilePaths[c].ToLower().Contains("iis"))) { string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(c)); File.Delete(FilePaths.ElementAt(c)); FileContents_From_FileReads.Add("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + FileContent); } } } } } catch (Exception e) { Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } }
internal static void READ_Local_Log_Dirs() { try { List <string> DirPaths = File_Operation.READ_File_In_List(File_Operation.GET_DirToMonitor_Path()).ToList(); for (int z = 0; z < DirPaths.Count; ++z) { if (Directory.Exists(DirPaths.ElementAt(z))) { if (DirPaths.ElementAt(z).ToLower().Contains("powershell") || DirPaths.ElementAt(z).ToLower().Contains("iis")) { READ_Local_Log_Dirs_for_Powershell_or_IIS(DirPaths.ElementAt(z)); } else { string[] FilePaths = Directory.GetFiles(DirPaths.ElementAt(z)); for (int x = 0; x < FilePaths.Length - 1; ++x) { if (File_Operation.CHECK_if_File_Exists(FilePaths.ElementAt(x)) && (FilePaths.ElementAt(x).Contains(".txt") || FilePaths.ElementAt(x).Contains(".log"))) { string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(x)); File.Delete(FilePaths.ElementAt(x)); FileContents_From_FileReads.Add(FileContent); } } } } } } catch (Exception e) { Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } }
internal static string Run_PS_Script(String PowershellSciptLocation, string PowershellSciptArgs = "") { if (File_Operation.CHECK_if_File_Exists(PowershellSciptLocation)) { ScriptContents = File_Operation.READ_AllText(PowershellSciptLocation); if (CallAntimalwareScanInterface(Get_SHA256(PowershellSciptLocation), ScriptContents) < 32768) { powershellSciptLocation = PowershellSciptLocation; powershellSciptArgs = PowershellSciptArgs; ProcessStartInfo startInfo = new ProcessStartInfo("powershell", "-ExecutionPolicy Bypass .\\" + Path.GetFileName(PowershellSciptLocation)); startInfo.WorkingDirectory = Path.GetDirectoryName(PowershellSciptLocation); startInfo.RedirectStandardOutput = true; startInfo.RedirectStandardError = true; startInfo.LoadUserProfile = true; startInfo.UseShellExecute = false; startInfo.CreateNoWindow = true; Process process = new Process(); process.StartInfo = startInfo; process.Start(); string output = process.StandardOutput.ReadToEnd(); if (string.IsNullOrEmpty(output)) { output += "\nPS Plugin ERROR: " + process.StandardError.ReadToEnd(); } if (string.IsNullOrEmpty(ScriptContents) == false || string.IsNullOrWhiteSpace(ScriptContents) == false) { Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "microsoft-windows-powershell/operational" + "~"); Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "windows powershell" + "~"); } return(output); } else { Error_Operation.Log_Error("Run_PS_Script() POSSIBLE MALWARE DETECTED", "Script located at " + powershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents), "", Error_Operation.LogSeverity.Critical); return("POSSIBLE MALWARE DETECTED - Script located at " + powershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents)); } } else { Error_Operation.Log_Error("Run_PS_Script()", PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName, "", Error_Operation.LogSeverity.Warning); return(PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName); } }
private static Dictionary <string, int> ReadLocalFiles_Log_File_Tracking = new Dictionary <string, int>();//Filepath,Line Number where it left off internal static void READ_Local_Log_Files() { List <string> FilePaths = File_Operation.READ_File_In_List(File_Operation.GET_FilesToMonitor_Path()).ToList(); for (int z = 0; z < FilePaths.Count; ++z) { try { string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(z)); File.Delete(FilePaths.ElementAt(z)); FileContents_From_FileReads.Add("DateTime = " + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + FileContent); } catch (Exception e) { Error_Operation.Log_Error("READ_Local_Log_Files() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } } }
private static void RUN_Thread_Whitelist_SearchFile() { if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents))//use reg { READ_WhiteList_Search_Terms_File(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents)); } else if (File_Operation.CHECK_if_File_Exists(GET_WhiteList_SearchTermsFile_Path))//no reg, look for file { READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path)); File_Operation.DELETE_File(GET_WhiteList_SearchTermsFile_Path); } else//no file, no reg, Create Default then load it into the reg to use later { File_Operation.VERIFY_Search_Default_Files_Ready(); READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path)); Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path)); } ++ThreadsDone_Setup; }
private static void RUN_Thread_Plugins() { if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents))//use reg { READ_Powershell_SearchTerms(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents)); } else if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_PLUGIN_Path))//no reg, look for file { READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path)); File_Operation.DELETE_File(GET_SearchTermsFile_PLUGIN_Path); } else//no file, no reg, Create Default then load it into the reg to use later { File_Operation.VERIFY_Search_Default_Files_Ready(); File_Operation.GET_Plugin_Scripts_Ready(); READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path)); Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path)); } ++ThreadsDone_Setup; }
internal static void WRITE_Default_SWELF_Reg_Keys() { Microsoft.Win32.RegistryKey key; key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("Software\\SWELF"); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.First_Run].ToString(), Crypto_Operation.Protect_Data_Value("true")); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter].ToString(), Crypto_Operation.Protect_Data_Value("127.0.0.1")); //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_1].ToString(), Encryptions.Protect_Data_Value("127.0.0.1")); //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_2].ToString(), Encryptions.Protect_Data_Value("127.0.0.1")); //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_3].ToString(), Encryptions.Protect_Data_Value("127.0.0.1")); //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_4].ToString(), Encryptions.Protect_Data_Value("127.0.0.1")); //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_5].ToString(), Encryptions.Protect_Data_Value("127.0.0.1")); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.Encryption].ToString(), Crypto_Operation.Protect_Data_Value(Crypto_Operation.Generate_Decrypt())); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.logging_level].ToString(), Crypto_Operation.Protect_Data_Value(Settings.Logging_Level_To_Report)); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.output_format].ToString(), Crypto_Operation.Protect_Data_Value("keyvalue")); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_Current_Version].ToString(), Crypto_Operation.Protect_Data_Value(Settings.SWELF_Version)); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_CWD].ToString(), Crypto_Operation.Protect_Data_Value(Settings.SWELF_CWD)); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_FAILED_SEC_CHECK].ToString(), Crypto_Operation.Protect_Data_Value("false")); //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_app_config].ToString(), Crypto_Operation.Protect_Data_Value("")); //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_plugin_search_config].ToString(), Crypto_Operation.Protect_Data_Value("")); // BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_search_config].ToString(), Crypto_Operation.Protect_Data_Value("")); //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_whitelist_search_config].ToString(),Crypto_Operation.Protect_Data_Value("")); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.ConsoleAppConfig_CreationDate].ToString(), Crypto_Operation.Protect_Data_Value(File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path))); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.ConsoleAppConfig_Contents], Crypto_Operation.Protect_Data_Value(File_Operation.READ_AllText(Settings.GET_AppConfigFile_Path))); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SearchTerms_File_Contents], Crypto_Operation.Protect_Data_Value(File_Operation.READ_AllText(Settings.GET_SearchTermsFile_Path))); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.Logs_Last_Sent], Crypto_Operation.Protect_Data_Value(DateTime.Now.ToString())); }
internal static bool VERIFY_Central_File_Config_Hash(string HTTP_File_Path, string Local_File_Path) { string HTTPFileHash; string LocalFileHash; try { HttpWebRequest request = (HttpWebRequest)WebRequest.Create(HTTP_File_Path); request.AllowAutoRedirect = false; request.UnsafeAuthenticatedConnectionSharing = false; request.Timeout = 150000; ServicePointManager.Expect100Continue = true; ServicePointManager.CheckCertificateRevocationList = false; ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3; using (CustomWebClient response = new CustomWebClient()) { //string Web_Config_File_Contents = response.DownloadString(HTTP_File_Path); if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == true)//determine if we use cache version { HTTPFileHash = Settings.Central_Config_Hashs[HTTP_File_Path]; } else//no cache version get from network { Central_Config_File_Web_Cache = Crypto_Operation.CONVERT_To_String_From_Bytes(response.DownloadData(HTTP_File_Path), 2);//get file has from Network using (var sha256 = SHA256.Create()) { HTTPFileHash = BitConverter.ToString(sha256.ComputeHash(Encoding.UTF8.GetBytes(Central_Config_File_Web_Cache))); } if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == false) { Settings.Central_Config_Hashs.Add(HTTP_File_Path, HTTPFileHash); } } using (var sha2562 = SHA256.Create())//Get local file hash { if (File_Operation.CHECK_if_File_Exists(Local_File_Path) == false) { return(false);//no local file } else { LocalFileHash = BitConverter.ToString(sha2562.ComputeHash(Encoding.UTF8.GetBytes(File_Operation.READ_AllText(Local_File_Path)))); } } if (HTTPFileHash == LocalFileHash) { return(true); } else { return(false); } } } catch (Exception e) { Error_Operation.WRITE_Errors_To_Log("VERIFY_Central_File_Config_Hash()", e.Message.ToString() + " " + HTTP_File_Path + " " + Local_File_Path, Error_Operation.LogSeverity.Informataion);//log change return(false); } finally { Wclient.Dispose(); } }
private static void RUN_Setup_AppConfig() { if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))//use reg { READ_and_Parse_Console_App_Config_Contents(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents)); } else if (File_Operation.CHECK_if_File_Exists(GET_AppConfigFile_Path))//no reg, look for file { READ_and_Parse_Console_App_Config_Contents(File_Operation.READ_AllText(GET_AppConfigFile_Path)); File_Operation.DELETE_File(GET_AppConfigFile_Path); } else//no file, no reg, Create Default then load it into the reg to use later { File_Operation.VERIFY_AppConfig_Default_Files_Ready(); READ_and_Parse_Console_App_Config_Contents(File_Operation.READ_AllText(GET_AppConfigFile_Path)); Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(GET_AppConfigFile_Path)); } //Check for CENTRAL CONFIG's, if yes check for update, update if needed. //Appconfig if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[7]))//arg for central app config { if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents) == false) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, ""); } if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[SWELF_AppConfig_Args[7]], Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents)) == false) { if (Web_Operation.Connection_Successful) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[7]].ToString())); Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config ConsoleAppConfig_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed); } } } //Searchterms if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[6]))//arg for central search config { if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents) == false) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, ""); } if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[SWELF_AppConfig_Args[6]], Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents)) == false) { if (Web_Operation.Connection_Successful) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[6]].ToString())); Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed); } } } //Whitelist if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[9]))//arg for central search config { if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents) == false) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, ""); } if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[SWELF_AppConfig_Args[9]], Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents)) == false) { if (Web_Operation.Connection_Successful) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[9]].ToString())); Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config WhiteList_SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed); } } } //Powershell plugin if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[8]))//arg for central search config { if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents) == false) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, ""); } if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[SWELF_AppConfig_Args[8]], Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents)) == false) { if (Web_Operation.Connection_Successful) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[8]].ToString())); Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config PLUGIN_SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed); } } } Log_Forwarders_HostNames = GET_LogCollector_Locations();//GatherLog Collector Locations ++ThreadsDone_Setup; if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[16])) { Logging_Level_To_Report = "verbose"; } }
internal static void Main(string[] args) { Process.GetCurrentProcess().PriorityClass = ProcessPriorityClass.BelowNormal; Program_Start_Args = Environment.GetCommandLineArgs().ToList(); string[] Program_Start_Args_Array = Environment.GetCommandLineArgs().Skip(1).ToArray(); if (Program_Start_Args.Count > 1) { if (Program_Start_Args.Count >= 3 && Program_Start_Args.ElementAt(1).ToLower() == "-c") { if (Program_Start_Args.Count < 3) { Program_Start_Args.Add(Settings.GET_AppConfigFile_Path); } //TODO make sure config file passed in is one of the correct file (by location and parsability) then update that reg key, then delete the file once read in if (File_Operation.CHECK_if_File_Exists(Program_Start_Args.ElementAt(2).ToLower())) { if (File_Operation.CHECK_if_File_Exists(Program_Start_Args.ElementAt(2).ToLower())) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(Program_Start_Args.ElementAt(2).ToLower())); Error_Operation.Log_Error("MAIN()", "Config update. ConsoleAppConfig_Contents reg key from file " + Program_Start_Args.ElementAt(2).ToLower(), "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed); } else if (File_Operation.CHECK_if_File_Exists(Settings.GET_AppConfigFile_Path)) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(Settings.GET_AppConfigFile_Path)); Error_Operation.Log_Error("MAIN()", "Config update. ConsoleAppConfig_Contents reg key from file " + Settings.GET_AppConfigFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed); } if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_Path)) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, File_Operation.READ_AllText(Settings.GET_SearchTermsFile_Path)); Error_Operation.Log_Error("MAIN()", "Config update. SearchTerms_File_Contents reg key from file " + Settings.GET_SearchTermsFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed); } if (File_Operation.CHECK_if_File_Exists(Settings.GET_WhiteList_SearchTermsFile_Path)) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(Settings.GET_WhiteList_SearchTermsFile_Path)); Error_Operation.Log_Error("MAIN()", "Config update. WhiteList_SearchTerms_File_Contents reg key from file " + Settings.GET_WhiteList_SearchTermsFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed); } Start_Process_Live_Method(); //TODO add option for password in config file to allow updates this way //if no password allow update?? //store password in reg } else { Settings.SHOW_Help_Menu(); Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "MAIN()", "The config file path doesnt exist for some reaosn, Also the app halted.", ""); } } else if (Program_Start_Args.Count < 2 && Program_Start_Args.Count > 1) { Settings.SHOW_Help_Menu(); } else { Start_EVTX_Process(); } } else { try { Start_Process_Live_Method(); } catch (Exception e) { Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Start_Live_Process()", e.Message.ToString() + ", Also the app halted.", e.StackTrace.ToString()); } } }
internal static bool VERIFY_Central_File_Config_Hash(string HTTP_File_Path, string Local_File_Path) { string HTTPFileHash; string LocalFileHash; try { ServicePointManager.Expect100Continue = true; ServicePointManager.CheckCertificateRevocationList = false; ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3; using (CustomWebClient response = new CustomWebClient()) { //string Web_Config_File_Contents = response.DownloadString(HTTP_File_Path); if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == true)//determine if we use cache version { HTTPFileHash = Settings.Central_Config_Hashs[HTTP_File_Path]; } else//no cache version get from network { Uri uri = new Uri(HTTP_File_Path); Central_Config_File_Web_Cache = Crypto_Operation.CONVERT_To_String_From_Bytes(response.DownloadData(uri), 2);//get file has from Network using (var sha256 = SHA256.Create()) { HTTPFileHash = BitConverter.ToString(sha256.ComputeHash(Encoding.UTF8.GetBytes(Central_Config_File_Web_Cache))); } if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == false) { Settings.Central_Config_Hashs.Add(HTTP_File_Path, HTTPFileHash); } } using (var sha2562 = SHA256.Create())//Get local file hash { if (File_Operation.CHECK_if_File_Exists(Local_File_Path) == false) { return(false);//no local file } else { LocalFileHash = BitConverter.ToString(sha2562.ComputeHash(Encoding.UTF8.GetBytes(File_Operation.READ_AllText(Local_File_Path)))); } } if (HTTPFileHash == LocalFileHash) { return(true); } else { return(false); } } } catch (Exception e) { if ((!e.Message.Contains("The operation has timed out") || !e.Message.Contains("The remote name could not be resolved: ")) || (Settings.Logging_Level_To_Report.ToLower() == "informataion" || Settings.Logging_Level_To_Report.ToLower() == "verbose")) { Error_Operation.Log_Error("VERIFY_Central_File_Config_Hash()", e.Message.ToString() + " " + HTTP_File_Path + " " + Local_File_Path, e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } return(false); } finally { Wclient.Dispose(); } }