Merge branch 'master' into release/v2.1
gfs committed Dec 28, 2019
2 parents 7e5fb12 + 7acb083 commit 3bec73c
Showing 13 changed files with 350 additions and 282 deletions.
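--- a/Asa/Asa.csproj
+++ b/Asa/Asa.csproj
@@ -13,6 +13,10 @@
 </PropertyGroup>-->
 
 
+<PropertyGroup Condition=" '$(RunConfiguration)' == 'Collect' ">
+<StartAction>Project</StartAction>
+<LaunchBrowser></LaunchBrowser>
+</PropertyGroup>
 <ItemGroup>
 <None Remove="asa.sqlite" />
 <None Remove="asa.log.txt" />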
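Review bot: The new `Collect` PropertyGroup is fine as a launch profile, but the same commit adds a binary `Asa/asa.litedb` while the ItemGroup just below this block still excludes only `asa.sqlite` and `asa.log.txt`. If asa.litedb is a local data store written by a collect run, as its name suggests, it should be excluded here the same way (`<None Remove="asa.litedb" />`) and kept out of version control rather than committed, since a collector database can carry details about the machine it was produced on. If it is an intentional fixture, a short comment next to the exclusion list saying why it ships would stop the next reviewer asking the same question.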
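--- a/Asa/Program.cs
+++ b/Asa/Program.cs
@@ -188,6 +188,9 @@ public class CollectCommandOptions
 
 [Option(HelpText = "Force run without admin/root (collectors may not function).")]
 public bool ForceNoAdmin { set; get; }
+
+[Option(HelpText = "Run parallelized collectors when available.", Default = true)]
+public bool Parallelization { set; get; }
 }
 [Verb("monitor", HelpText = "Continue running and monitor activity")]
 public class MonitorCommandOptions
@@ -1250,8 +1253,6 @@ public static int RunCollectCommand(CollectCommandOptions opts)
 CheckFirstRun();
 DatabaseManager.VerifySchemaVersion();
 
-
-
 int returnValue = (int)GUI_ERROR.NONE;
 opts.RunId = opts.RunId.Trim();
 
@@ -1297,7 +1298,7 @@ public static int RunCollectCommand(CollectCommandOptions opts)
 
 if (opts.EnableFileSystemCollector || opts.EnableAllCollectors)
 {
-collectors.Add(new FileSystemCollector(opts.RunId, enableHashing: opts.GatherHashes, directories: opts.SelectedDirectories, downloadCloud: opts.DownloadCloud, examineCertificates: opts.CertificatesFromFiles));
+collectors.Add(new FileSystemCollector(opts.RunId, enableHashing: opts.GatherHashes, directories: opts.SelectedDirectories, downloadCloud: opts.DownloadCloud, examineCertificates: opts.CertificatesFromFiles, parallel: opts.Parallelization));
 }
 if (opts.EnableNetworkPortCollector || opts.EnableAllCollectors)
 {
@@ -1313,7 +1314,7 @@ public static int RunCollectCommand(CollectCommandOptions opts)
 }
 if (opts.EnableRegistryCollector || (opts.EnableAllCollectors && RuntimeInformation.IsOSPlatform(OSPlatform.Windows)))
 {
-collectors.Add(new RegistryCollector(opts.RunId));
+collectors.Add(new RegistryCollector(opts.RunId, opts.Parallelization));
 }
 if (opts.EnableCertificateCollector || opts.EnableAllCollectors)
 {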
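Review bot: `Parallelization` is declared as a `bool` option with `Default = true`, and a bool option in CommandLineParser is a presence switch, so as written there appears to be no way to turn it off from the command line: `--parallelization` can only set it to true, which it already is. If the intent is an opt-out, invert the flag, e.g. `[Option("no-parallelization", HelpText = "Disable parallelized collectors.")] public bool NoParallelization { get; set; }`, and pass `!opts.NoParallelization` to the collectors. The FileSystemCollector call passes the value by name (`parallel:`) while the RegistryCollector call passes it positionally; using the named argument in both keeps the two call sites readable if the constructor signature grows again. RunCollectCommand starts and ends outside these hunks.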
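--- a/Asa/Properties/launchSettings.json
+++ b/Asa/Properties/launchSettings.json
@@ -15,6 +15,12 @@
 "ASPNETCORE_ENVIRONMENT": "Development"
 }
 },
+"Collect": {
+"commandName": "Project",
+"commandLineArgs": "collect -C --databasefilename C:\\asa.dbg.sqlite",
+"environmentVariables": {},
+"applicationUrl": "http://localhost:5000/"
+},
 "Asa": {
 "commandName": "Project",
 "commandLineArgs": "export-collect --databasefilename C:\\asa.dbg.sqlite",
@@ -23,10 +29,6 @@
 "ASPNETCORE_ENVIRONMENT": "Development"
 },
 "applicationUrl": "http://localhost:5000"
-},
-"Collect": {
-"commandName": "Project",
-"commandLineArgs": "collect -C --databasefilename C:\\asa.dbg.sqlite"
 }
 }
 }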
Binary file added Asa/asa.litedb
Binary file not shown.
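--- a/AsaTests/AsaLibTests.cs
+++ b/AsaTests/AsaLibTests.cs
@@ -280,7 +280,7 @@ public void TestRegistryCollectorWindows()
 var FirstRunId = "TestRegistryCollector-1";
 var SecondRunId = "TestRegistryCollector-2";
 
-var rc = new RegistryCollector(FirstRunId, new List<RegistryHive>() { RegistryHive.CurrentUser });
+var rc = new RegistryCollector(FirstRunId, new List<RegistryHive>() { RegistryHive.CurrentUser }, true);
 rc.Execute();
 
 // Create a registry key
@@ -293,7 +293,7 @@ public void TestRegistryCollectorWindows()
 key.SetValue(value, value2);
 key.Close();
 
-rc = new RegistryCollector(SecondRunId, new List<RegistryHive>() { RegistryHive.CurrentUser });
+rc = new RegistryCollector(SecondRunId, new List<RegistryHive>() { RegistryHive.CurrentUser }, true);
 rc.Execute();
 
 // Clean up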
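Review bot: Both updated constructor calls pass the new flag as a bare positional `true`, which reads as a magic value next to the hive list; the named form `new RegistryCollector(FirstRunId, new List<RegistryHive>() { RegistryHive.CurrentUser }, parallel: true)` says what it is (assuming the parameter is called `parallel` as in FileSystemCollector — the RegistryCollector constructor is not part of this view). As written the test only exercises the parallel path, so the sequential branch the new option enables has no coverage; a second case constructed with `false` would close that gap. TestRegistryCollectorWindows continues outside both hunks.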
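--- a/AttackSurfaceAnalyzer.sln
+++ b/AttackSurfaceAnalyzer.sln
@@ -10,8 +10,11 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 CONTRIBUTING.md = CONTRIBUTING.md
 filters.json = filters.json
 LICENSE.txt = LICENSE.txt
+Pipelines\pr-validation.yml = Pipelines\pr-validation.yml
 PRIVACY.md = PRIVACY.md
 README.md = README.md
+Pipelines\release.yml = Pipelines\release.yml
+Pipelines\sdl.yml = Pipelines\sdl.yml
 version.json = version.json
 EndProjectSection
 EndProject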
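--- a/Lib/Collectors/BaseCollector.cs
+++ b/Lib/Collectors/BaseCollector.cs
@@ -54,7 +54,13 @@ public void Execute()
 {
 Thread.Sleep(1000);
 var sample = DatabaseManager.WriteQueue.Count;
-Log.Debug("Flushing {0} results. ({1}/s {2:0.00}/s overall)", DatabaseManager.WriteQueue.Count, prevFlush - sample, ((double)(totFlush - sample)/watch.ElapsedMilliseconds) * 1000);
+t = TimeSpan.FromMilliseconds((sample) / (((double)(totFlush - sample) / watch.ElapsedMilliseconds)));
+answer = string.Format(CultureInfo.InvariantCulture, "{0:D2}h:{1:D2}m:{2:D2}s:{3:D3}ms",
+t.Hours,
+t.Minutes,
+t.Seconds,
+t.Milliseconds);
+Log.Debug("Flushing {0} results. ({1}/s {2:0.00}/s overall {3} ETA)", DatabaseManager.WriteQueue.Count, prevFlush - sample, ((double)(totFlush - sample)/watch.ElapsedMilliseconds) * 1000, answer);
 prevFlush = sample;
 }
 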
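Review bot: The new ETA line `t = TimeSpan.FromMilliseconds((sample) / (((double)(totFlush - sample) / watch.ElapsedMilliseconds)))` can throw inside the flush-wait loop: whenever nothing has drained since `totFlush` was taken, `totFlush - sample` is 0, the rate is 0 and `sample / 0.0` is +Infinity (NaN if `sample` is also 0), and `TimeSpan.FromMilliseconds` rejects infinity with an OverflowException and NaN with an ArgumentException, which would surface from Execute unless something above catches it. Compute the rate once, `var rate = watch.ElapsedMilliseconds > 0 ? (double)(totFlush - sample) / watch.ElapsedMilliseconds : 0;`, build `answer` from `TimeSpan.FromMilliseconds(sample / rate)` only when `rate > 0`, and otherwise set `answer = "unknown"`. Note also that `t.Hours` wraps at 24, so an estimate longer than a day would be printed without its days. The declarations of `t`, `answer`, `totFlush` and `watch` are outside this hunk.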
135 changes: 84 additions & 51 deletions Lib/Collectors/FileSystemCollector.cs
Expand Up @@ -28,12 +28,14 @@ public class FileSystemCollector : BaseCollector

private bool downloadCloud;
private bool examineCertificates;
private bool parallel;

public FileSystemCollector(string runId, bool enableHashing = false, string directories = "", bool downloadCloud = false, bool examineCertificates = false)
public FileSystemCollector(string runId, bool enableHashing = false, string directories = "", bool downloadCloud = false, bool examineCertificates = false, bool parallel = true)
{
this.RunId = runId;
this.downloadCloud = downloadCloud;
this.examineCertificates = examineCertificates;
this.parallel = parallel;

roots = new HashSet<string>();
INCLUDE_CONTENT_HASH = enableHashing;
Expand Down Expand Up @@ -86,45 +88,69 @@ public override void ExecuteInternal()
}
}

foreach (var root in roots)
Action<FileSystemInfo> IterateOn = fileInfo =>
{
Log.Information("{0} root {1}", Strings.Get("Scanning"), root);
var fileInfoEnumerable = DirectoryWalker.WalkDirectory(root);
Parallel.ForEach(fileInfoEnumerable,
(fileInfo =>
if (fileInfo is DirectoryInfo)
{
FileSystemObject obj = FileSystemInfoToFileSystemObject(fileInfo, downloadCloud, INCLUDE_CONTENT_HASH);

if (obj != null)
Log.Verbose("Starting Directory {0}", fileInfo.FullName);
}
else
{
Log.Verbose("Started parsing {0}", fileInfo.FullName);
}
FileSystemObject obj = FileSystemInfoToFileSystemObject(fileInfo, downloadCloud, INCLUDE_CONTENT_HASH);
if (obj != null)
{
DatabaseManager.Write(obj, RunId);
if (examineCertificates &&
fileInfo.FullName.EndsWith(".cer", StringComparison.CurrentCulture) ||
fileInfo.FullName.EndsWith(".der", StringComparison.CurrentCulture) ||
fileInfo.FullName.EndsWith(".p7b", StringComparison.CurrentCulture))
{
DatabaseManager.Write(obj, RunId);
if (examineCertificates &&
fileInfo.FullName.EndsWith(".cer", StringComparison.CurrentCulture) ||
fileInfo.FullName.EndsWith(".der", StringComparison.CurrentCulture) ||
fileInfo.FullName.EndsWith(".p7b", StringComparison.CurrentCulture))
try
{
try
{
var certificate = X509Certificate.CreateFromCertFile(fileInfo.FullName);
var certObj = new CertificateObject()
{
StoreLocation = fileInfo.FullName,
StoreName = "Disk",
CertificateHashString = certificate.GetCertHashString(),
Subject = certificate.Subject,
Pkcs7 = certificate.Export(X509ContentType.Cert).ToString()
};
DatabaseManager.Write(certObj, RunId);
}
catch (Exception e) when (
e is System.Security.Cryptography.CryptographicException
|| e is ArgumentException)
var certificate = X509Certificate.CreateFromCertFile(fileInfo.FullName);
var certObj = new CertificateObject()
{
Log.Verbose($"Could not parse certificate from file: {fileInfo.FullName}");
}
StoreLocation = fileInfo.FullName,
StoreName = "Disk",
CertificateHashString = certificate.GetCertHashString(),
Subject = certificate.Subject,
Pkcs7 = certificate.Export(X509ContentType.Cert).ToString()
};
DatabaseManager.Write(certObj, RunId);
}
catch (Exception e) when (
e is System.Security.Cryptography.CryptographicException
|| e is ArgumentException)
{
Log.Verbose($"Could not parse certificate from file: {fileInfo.FullName}");
}
}
}));
}
Log.Verbose("Finished parsing {0}", fileInfo.FullName);
};

foreach (var root in roots)
{
Log.Information("{0} root {1}", Strings.Get("Scanning"), root);
var fileInfoEnumerable = DirectoryWalker.WalkDirectory(root);

if (parallel)
{
Parallel.ForEach(fileInfoEnumerable,
(fileInfo =>
{
IterateOn(fileInfo);
}));
}
else
{
foreach (var fileInfo in fileInfoEnumerable)
{
IterateOn(fileInfo);
}
}
}
}

Expand All @@ -143,7 +169,6 @@ public static FileSystemObject FileSystemInfoToFileSystemObject(FileSystemInfo f
Path = fileInfo.FullName,
PermissionsString = FileSystemUtils.GetFilePermissions(fileInfo),
};

// Get Owner/Group
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
Expand Down Expand Up @@ -218,11 +243,13 @@ e is ArgumentException
{
try
{
Log.Verbose("Before UnixFileInfo {0}", fileInfo.FullName);
var file = new UnixFileInfo(fileInfo.FullName);
obj.Owner = file.OwnerUser.UserName;
obj.Group = file.OwnerGroup.GroupName;
obj.SetGid = file.IsSetGroup;
obj.SetUid = file.IsSetUser;
Log.Verbose("After UnixFileInfo {0}", fileInfo.FullName);

if (file.FileAccessPermissions.ToString().Equals("AllPermissions", StringComparison.InvariantCulture))
{
Expand Down Expand Up @@ -288,16 +315,18 @@ e is ArgumentNullException
}
}

try

if (fileInfo is DirectoryInfo)
{
if (fileInfo is DirectoryInfo)
{
obj.IsDirectory = true;
}
else if (fileInfo is FileInfo)
obj.IsDirectory = true;
}
else if (fileInfo is FileInfo)
{
obj.IsDirectory = false;
try
{
// This can throw if access is denied. That's fine as everything below also wouldn't work when access is denied.
obj.Size = (ulong)(fileInfo as FileInfo).Length;
obj.IsDirectory = false;

if (INCLUDE_CONTENT_HASH)
{
Expand All @@ -311,30 +340,34 @@ e is ArgumentNullException
if (WindowsFileSystemUtils.IsLocal(obj.Path) || downloadCloud)
{

if (WindowsFileSystemUtils.NeedsSignature(obj.Path))
if (WindowsFileSystemUtils.NeedsSignature(obj))
{
obj.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(fileInfo.FullName);
obj.Characteristics.AddRange(WindowsFileSystemUtils.GetDllCharacteristics(fileInfo.FullName));
obj.IsExecutable = FileSystemUtils.IsExecutable(obj.Path);
obj.IsExecutable = FileSystemUtils.IsExecutable(obj.Path, obj.Size);
}
}

}
else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux) || RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
{
obj.IsExecutable = FileSystemUtils.IsExecutable(obj.Path);
obj.IsExecutable = FileSystemUtils.IsExecutable(obj.Path, obj.Size);
}
}
}
catch(Exception e) when (
e is FileNotFoundException ||
e is IOException)
{
catch (Exception e) when (
e is FileNotFoundException ||
e is IOException ||
e is UnauthorizedAccessException)
{

}
catch (Exception e)
{
Log.Debug("Should be catching in FileSystemInfoToFileSystemObject {0}", e.GetType().ToString());
}
}

return obj;
}

}
}
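Review bot: The certificate test carried into the new `IterateOn` lambda (second hunk) mixes `&&` and `||` without parentheses, so it parses as `(examineCertificates && EndsWith(".cer")) || EndsWith(".der") || EndsWith(".p7b")` and `.der`/`.p7b` files are parsed and written as CertificateObjects even when `examineCertificates` is false; the bug predates this commit, but the lambda is new code and the right place to fix it: `if (examineCertificates && (fileInfo.FullName.EndsWith(".cer", StringComparison.OrdinalIgnoreCase) || fileInfo.FullName.EndsWith(".der", StringComparison.OrdinalIgnoreCase) || fileInfo.FullName.EndsWith(".p7b", StringComparison.OrdinalIgnoreCase)))`, where the ordinal comparison also stops the extension check depending on the current culture and matches upper-case extensions. In the same block `Pkcs7 = certificate.Export(X509ContentType.Cert).ToString()` stores the literal string "System.Byte[]" rather than the certificate, so if the field is meant to hold the DER data it should be `Convert.ToBase64String(certificate.Export(X509ContentType.Cert))`. As a point of style, `Parallel.ForEach(fileInfoEnumerable, (fileInfo => { IterateOn(fileInfo); }))` can simply be `Parallel.ForEach(fileInfoEnumerable, IterateOn);`. ExecuteInternal begins before the hunk.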
