diff --git a/Asa/Controllers/HomeController.cs b/Asa/Controllers/HomeController.cs
index 8cc9a2f8a..7aaa002b7 100644
--- a/Asa/Controllers/HomeController.cs
+++ b/Asa/Controllers/HomeController.cs
@@ -58,7 +58,7 @@ public ActionResult WriteScanJson(int ResultType, string BaseId, string CompareI
 return Json(true);
 }
- public ActionResult GetMonitorResults(string RunId, int ResultType, int Offset, int NumResults)
+ public ActionResult GetMonitorResults(string RunId, int Offset, int NumResults)
 {
 var results = new List();
@@ -351,7 +351,7 @@ public ActionResult ChangeTelemetryState(bool DisableTelemetry)
 return Json(true);
 }
- public ActionResult StartMonitoring(string RunId, string Directory, string Extension)
+ public ActionResult StartMonitoring(string RunId, string Directory)
 {
 if (RunId != null)
 {
@@ -478,7 +478,7 @@ private static IEnumerable GetMonitorRunModels()
 return runModels;
 }
- private IEnumerable GetRunModels()
+ private static IEnumerable GetRunModels()
 {
 List Runs = AttackSurfaceAnalyzerClient.GetRuns("collect");
diff --git a/Lib/Collectors/BaseCollector.cs b/Lib/Collectors/BaseCollector.cs
index b2fce7696..63fd3ca8f 100644
--- a/Lib/Collectors/BaseCollector.cs
+++ b/Lib/Collectors/BaseCollector.cs
@@ -46,6 +46,7 @@ public void Execute()
 Log.Information(Strings.Get("Completed"), this.GetType().Name, answer);
 var prevFlush = DatabaseManager.WriteQueue.Count;
+ var totFlush = prevFlush;
 watch = System.Diagnostics.Stopwatch.StartNew();
@@ -53,7 +54,7 @@ public void Execute()
 {
 Thread.Sleep(1000);
 var sample = DatabaseManager.WriteQueue.Count;
- Log.Debug("Flushing {0} results. ({1}/s)", DatabaseManager.WriteQueue.Count, prevFlush - sample);
+ Log.Debug("Flushing {0} results. ({1}/s {2:0.00}/s overall)", DatabaseManager.WriteQueue.Count, prevFlush - sample, ((double)(totFlush - sample)/watch.ElapsedMilliseconds) * 1000);
 prevFlush = sample;
 }
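Review bot: In the new Log.Debug call of the second BaseCollector hunk, the overall rate is computed by dividing by `watch.ElapsedMilliseconds` and then multiplying by 1000; `(totFlush - sample) / watch.Elapsed.TotalSeconds` states the same quantity directly and drops the long-to-double cast. The neighbouring figure labelled `{1}/s` is only a per-second rate because of the `Thread.Sleep(1000)` two lines above, so if that interval is ever tuned the label silently becomes wrong; deriving both rates from the stopwatch would keep them honest. Execute() begins before this hunk and continues after it.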
diff --git a/Lib/Collectors/FileSystemUtils.cs b/Lib/Collectors/FileSystemUtils.cs
index 49c8c3b7f..d40d24dde 100644
--- a/Lib/Collectors/FileSystemUtils.cs
+++ b/Lib/Collectors/FileSystemUtils.cs
@@ -57,7 +57,7 @@ public static string GetFilePermissions(FileSystemInfo fileInfo)
 {
 Log.Debug("Unable to get access control for {0}: {1}", fileInfo.FullName, e.Message);
 }
- catch (InvalidOperationException e)
+ catch (InvalidOperationException)
 {
 Log.Debug("Path probably doesn't exist: {0}", fileInfo.FullName);
 }
@@ -72,7 +72,7 @@ public static string GetFilePermissions(FileSystemInfo fileInfo)
 {
 Log.Debug("Unable to get access control for {0}: {1}", fileInfo.FullName, e.Message);
 }
- catch (InvalidOperationException e)
+ catch (InvalidOperationException)
 {
 Log.Debug("Path probably doesn't exist: {0}", fileInfo.FullName);
 }
diff --git a/Lib/Collectors/RegistryCollector.cs b/Lib/Collectors/RegistryCollector.cs
index bf0d6d402..191994f20 100644
--- a/Lib/Collectors/RegistryCollector.cs
+++ b/Lib/Collectors/RegistryCollector.cs
@@ -87,57 +87,6 @@ public static string GetName(RegistryAccessRule rule)
 return SidMap[rule.IdentityReference.Value];
 }
- public static RegistryObject RegistryKeyToRegistryObject(RegistryKey registryKey)
- {
- RegistryObject regObj = null;
- if (registryKey == null) { return regObj; }
- try
- {
- regObj = new RegistryObject()
- {
- Key = registryKey.Name,
- };
-
- regObj.AddSubKeys(new List(registryKey.GetSubKeyNames()));
-
- foreach (RegistryAccessRule rule in registryKey.GetAccessControl().GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier)))
- {
- string name = GetName(rule);
-
- if (regObj.Permissions.ContainsKey(name))
- {
- regObj.Permissions[name].Add(rule.RegistryRights.ToString());
- }
- else
- {
- regObj.Permissions.Add(name, new List() { rule.RegistryRights.ToString() });
- }
- }
-
- foreach (string valueName in registryKey.GetValueNames())
- {
- try
- {
- regObj.Values.Add(valueName, (registryKey.GetValue(valueName) == null) ? "" : (registryKey.GetValue(valueName).ToString()));
- }
- catch (Exception ex)
- {
- Log.Debug(ex, "Found an exception processing registry values.");
- }
- }
- }
- catch (System.ArgumentException e)
- {
- Log.Debug(e, "Exception parsing {0}", registryKey.Name);
- }
- catch (Exception e)
- {
- Log.Debug(e, "Couldn't process reg key {0}", registryKey.Name);
- }
-
- return regObj;
- }
-
 public override void ExecuteInternal()
 {
 foreach (var hive in Hives)
@@ -156,7 +105,7 @@ public override void ExecuteInternal()
 {
 try
 {
- var regObj = RegistryKeyToRegistryObject(registryKey);
+ var regObj = RegistryWalker.RegistryKeyToRegistryObject(registryKey);
 if (regObj != null)
 {
diff --git a/Lib/Objects/RegistryObject.cs b/Lib/Objects/RegistryObject.cs
index 534d2d1a6..3b7531055 100644
--- a/Lib/Objects/RegistryObject.cs
+++ b/Lib/Objects/RegistryObject.cs
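Review bot: The replacement call in the second RegistryCollector hunk is not a drop-in for the method deleted above it: the removed copy keyed each permission entry by `string name = GetName(rule);` (the SidMap lookup still visible at the top of the first hunk), while the RegistryWalker version touched by this same commit uses `string name = rule.IdentityReference.Value;`, so the collector's permission map is presumably now keyed by raw SID strings rather than resolved names. If that output change is intended it deserves a sentence in the commit message, since results recorded before and after this commit will no longer line up; otherwise the walker should perform the same name resolution. `GetName` also looks unused in this class after the deletion — worth confirming. ExecuteInternal starts and ends outside the hunk.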
@@ -33,7 +33,7 @@ public RegistryObject()
 Values = new Dictionary();
 }
- public void AddSubKeys(List subkeysIn)
+ public void AddSubKeys(string[] subkeysIn)
 {
 Subkeys.AddRange(subkeysIn);
 }
diff --git a/Lib/Utils/RegistryWalker.cs b/Lib/Utils/RegistryWalker.cs
index c8f9a7f7d..8463dc124 100644
--- a/Lib/Utils/RegistryWalker.cs
+++ b/Lib/Utils/RegistryWalker.cs
@@ -47,7 +47,7 @@ e is UnauthorizedAccessException ||
 {
 if (startingKey != null)
 {
- x86_View = x86_View.OpenSubKey(startingKey);
+ x86_View = x86_View.OpenSubKey(startingKey, writable: false);
 }
 keys.Push(x86_View);
 }
@@ -56,7 +56,7 @@ e is UnauthorizedAccessException ||
 {
 if (startingKey != null)
 {
- x64_View = x64_View.OpenSubKey(startingKey);
+ x64_View = x64_View.OpenSubKey(startingKey, writable: false);
 }
 keys.Push(x64_View);
 }
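Review bot: In both RegistryWalker hunks, `OpenSubKey(startingKey, writable: false)` returns null when `startingKey` does not exist under that view, and the result is then pushed by `keys.Push(x86_View);` unconditionally, so a missing starting key places a null on the stack. Unless the pop site (outside these hunks) filters nulls, the later `currentKey.GetSubKeyNames()` will fault on it; guarding the push, `if (x86_View != null) { keys.Push(x86_View); }` and the same for `x64_View`, keeps the stack clean at the source. Opening read-only is the right least-privilege default and worth keeping. The enclosing method begins before the first hunk and continues past the second.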
@@ -75,33 +75,32 @@ e is UnauthorizedAccessException || } // First push all the new subkeys onto our stack. - try + foreach (string key in currentKey.GetSubKeyNames()) { - foreach (string key in currentKey.GetSubKeyNames()) + try { - var next = currentKey.OpenSubKey(name: key, writable: false); keys.Push(next); } + // These are expected as we are running as administrator, not System. + catch (System.Security.SecurityException) + { + Log.Debug("Permission Denied Opening Subkey: {0}\\{1}", currentKey.Name, key); + } + // There seem to be some keys which are listed as existing by the APIs but don't actually exist. + // Unclear if these are just super transient keys or what the other cause might be. + // Since this isn't user actionable, also just supress these to the verbose stream. + catch (System.IO.IOException) + { + Log.Debug("IOError Reading: {0}\\{1}", currentKey.Name, key); + } + catch (Exception e) + { + Log.Information(e, "Unexpected error when parsing {0}\\{1}", currentKey.Name, key); + AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); + } } - // These are expected as we are running as administrator, not System. - catch (System.Security.SecurityException e) - { - Log.Verbose(e, "Permission Denied: {0}", currentKey.Name); - } - // There seem to be some keys which are listed as existing by the APIs but don't actually exist. - // Unclear if these are just super transient keys or what the other cause might be. - // Since this isn't user actionable, also just supress these to the verbose stream. - catch (System.IO.IOException e) - { - Log.Verbose(e, "Error Reading: {0}", currentKey.Name); - } - catch (Exception e) - { - Log.Information(e, "Unexpected error when parsing {0}:", currentKey.Name); - AsaTelemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); - } - + yield return currentKey; } 
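Review bot: Moving the try/catch inside the loop leaves `currentKey.GetSubKeyNames()` in the new `foreach` header unprotected: in the removed code it sat inside the `try`, so a SecurityException or IOException on the parent key was logged and the walk continued, whereas now it propagates out of the iterator and ends the whole walk. Enumerating the names into a local inside its own try/catch before the loop restores that tolerance while keeping the per-subkey handling this change adds, as sketched below. The new `Log.Debug` calls also drop the exception object that the old `Log.Verbose(e, ...)` calls carried, which loses diagnostic detail for no gain. The enclosing iterator method starts before and ends after this hunk.
```csharp
// First push all the new subkeys onto our stack.
string[] subKeyNames = Array.Empty<string>();
try
{
    subKeyNames = currentKey.GetSubKeyNames();
}
catch (System.Security.SecurityException e)
{
    Log.Debug(e, "Permission Denied Enumerating Subkeys: {0}", currentKey.Name);
}
catch (System.IO.IOException e)
{
    Log.Debug(e, "IOError Enumerating Subkeys: {0}", currentKey.Name);
}
foreach (string key in subKeyNames)
{
    // … unchanged: per-subkey OpenSubKey/Push with its catch blocks …
}
```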
@@ -113,15 +112,26 @@ public static RegistryObject RegistryKeyToRegistryObject(RegistryKey registryKey { RegistryObject regObj = null; if (registryKey == null) { return regObj; } - try - { + regObj = new RegistryObject() { Key = registryKey.Name, }; + try + { + regObj.AddSubKeys(registryKey.GetSubKeyNames()); + } + catch (System.ArgumentException) + { + Log.Debug("Invalid Handle (ArgumentException) {0}", registryKey.Name); + } + catch (Exception e) + { + Log.Debug(e, "Couldn't process reg key {0}", registryKey.Name); + } - regObj.AddSubKeys(new List(registryKey.GetSubKeyNames())); - + try + { foreach (RegistryAccessRule rule in registryKey.GetAccessControl().GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier))) { string name = rule.IdentityReference.Value; 
@@ -144,32 +154,30 @@ public static RegistryObject RegistryKeyToRegistryObject(RegistryKey registryKey
 regObj.Permissions.Add(name, new List() { rule.RegistryRights.ToString() });
 }
 }
-
- foreach (string valueName in registryKey.GetValueNames())
- {
- try
- {
- if (registryKey.GetValue(valueName) == null)
- {
-
- }
- regObj.Values.Add(valueName, (registryKey.GetValue(valueName) == null) ? "" : (registryKey.GetValue(valueName).ToString()));
- }
- catch (Exception ex)
- {
- Log.Debug(ex, "Found an exception processing registry values.");
- }
- }
 }
- catch (System.ArgumentException)
+ catch (ArgumentException)
 {
- Log.Debug("Invalid Handle (ArgumentException) {0}", registryKey.Name);
+ Log.Debug("Failed to get permissions (handle is invalid) for {0}", regObj.Key);
 }
 catch (Exception e)
 {
- Log.Debug(e, "Couldn't process reg key {0}", registryKey.Name);
+ Log.Debug(e, "Failed to get permissions for {0}", regObj.Key);
 }
+
+ foreach (string valueName in registryKey.GetValueNames())
+ {
+ try
+ {
+ regObj.Values.Add(valueName, (registryKey.GetValue(valueName) == null) ? "" : (registryKey.GetValue(valueName).ToString()));
+ }
+ catch (Exception ex)
+ {
+ Log.Debug(ex, "Found an exception processing registry values of {0}.",registryKey.Name);
+ }
+ }
+
+ return regObj;
 }
 }
diff --git a/filters.json b/filters.json
index 43d50e574..a90a06f91 100644
--- a/filters.json
+++ b/filters.json
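Review bot: In the re-added value loop, `registryKey.GetValueNames()` is the one registry read in this method left outside any try: the subkey and permission sections are each guarded, but a failure here (invalid handle, access denied) now escapes `RegistryKeyToRegistryObject` and throws away the partially populated `regObj`, where the removed code caught it inside the outer try. Reading the names into a local in its own try/catch before the loop keeps the method's best-effort-per-section shape consistent, as sketched below. On the re-added `regObj.Values.Add(...)` line, `GetValue(valueName)` is called twice where one read into a local suffices, and array-valued data such as REG_BINARY or REG_MULTI_SZ stringifies as its type name (`System.Byte[]`), so changes to those values are invisible to a later comparison — a per-kind formatting step would make them comparable. The method begins in the previous hunk.
```csharp
// … unchanged: permissions try/catch …

string[] valueNames = Array.Empty<string>();
try
{
    valueNames = registryKey.GetValueNames();
}
catch (Exception e)
{
    Log.Debug(e, "Failed to enumerate values of {0}", regObj.Key);
}

foreach (string valueName in valueNames)
{
    try
    {
        var value = registryKey.GetValue(valueName);
        // NOTE(review): arrays (REG_BINARY, REG_MULTI_SZ) stringify as their type name; format per value kind if they must be comparable.
        regObj.Values.Add(valueName, value == null ? "" : value.ToString());
    }
    catch (Exception ex)
    {
        Log.Debug(ex, "Found an exception processing registry values of {0}.", registryKey.Name);
    }
}

return regObj;
```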
@@ -17,7 +17,6 @@
 "^HKEY_USERS\\\\S-[0-9]*-[0-9]*-[0-9]*\\\\Software\\\\Microsoft\\\\Cryptography$",
 "^HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Perflib",
 "^HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\CIT$",
- "^HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion",
 "^HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\WcmSvc\\\\wifinetworkmanager$",
 "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\ADOVMPPackages",
 "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\DeviceAssociationService\\\\State\\\\Store\\\\",
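Review bot: The removed entry has no `$` anchor, unlike most of its neighbours, so until now it suppressed the whole `...\Windows\CurrentVersion` subtree — where autostart (Run/RunOnce) and policy keys live — and deleting it widens registry collection noticeably. That looks like a deliberate coverage fix, but JSON carries no comments and the diff is silent about it, so a sentence in the commit message stating the motivation and the expected growth in results would help whoever reviews the next filter change. The `Perflib` and `ADOVMPPackages` entries are also unanchored prefixes; if over-matching prompted this removal they may deserve the same look.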