Add Archive Crawling powered by OSS Gadget MultiExtractor (#471)

* Add Archive Crawling powered by OSS Gadget MultiExtractor

use --crawl-archives on file collector.

* Catch all exceptions

* Update FileSystemUtils.cs

Author: gfs

Lib/Collectors/FileSystemCollector.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 using AttackSurfaceAnalyzer.Objects;
+using AttackSurfaceAnalyzer.Types;
 using AttackSurfaceAnalyzer.Utils;
 using Microsoft.CodeAnalysis;
 using Mono.Unix;
@@ -11,15 +12,14 @@
 using System.ComponentModel;
 using System.IO;
 using System.Linq;
-using System.Management;
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Security.AccessControl;
 using System.Security.Cryptography.X509Certificates;
 using System.Security.Permissions;
 using System.Security.Principal;
-using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.CST.OpenSource.MultiExtractor;
 
 namespace AttackSurfaceAnalyzer.Collectors
 {
@@ -106,6 +106,16 @@ public override void ExecuteInternal()
                     {
                         HandleChange(obj);
 
+                        // If we know how to handle this as an archive, and crawling archives is enabled
+                        if (opts.CrawlArchives && MiniMagic.DetectFileType(file) != ArchiveFileType.UNKNOWN)
+                        {
+                            Extractor extractor = new Extractor(new ExtractorOptions() { ExtractSelfOnFail = false });
+                            foreach (var fso in extractor.ExtractFile(file, !opts.SingleThread).Select(fileEntry => FileEntryToFileSystemObject(fileEntry)))
+                            {
+                                HandleChange(fso);
+                            }
+                        }
+
                         // TODO: Also try parse .DER as a key
                         if (Path.EndsWith(".cer", StringComparison.CurrentCulture) ||
                             Path.EndsWith(".der", StringComparison.CurrentCulture) ||
@@ -165,14 +175,42 @@ public override void ExecuteInternal()
             }
         }
 
-        /// <summary>
-        /// Converts a FileSystemInfo into a FileSystemObject by reading in data about the file
-        /// </summary>
-        /// <param name="fileInfo">A reference to a file on disk.</param>
-        /// <param name="downloadCloud">If the file is hosted in the cloud, the user has the option to include cloud files or not.</param>
-        /// <param name="includeContentHash">If we should generate a hash of the file.</param>
-        /// <returns></returns>
-        public FileSystemObject FilePathToFileSystemObject(string path)
+        private FileSystemObject FileEntryToFileSystemObject(FileEntry fileEntry)
+        {
+            var fso = new FileSystemObject(Path: fileEntry.FullPath)
+            {
+                Size = (ulong)fileEntry.Content.Length
+            };
+
+            if (opts.GatherHashes == true)
+            {
+                fso.ContentHash = CryptoHelpers.CreateHash(fileEntry.Content);
+            }
+
+            var exeType = FileSystemUtils.GetExecutableType(fileEntry.FullPath, fileEntry.Content);
+
+            if (exeType != EXECUTABLE_TYPE.NONE && exeType != EXECUTABLE_TYPE.UNKNOWN)
+            {
+                fso.IsExecutable = true;
+            }
+
+            if (exeType == EXECUTABLE_TYPE.WINDOWS)
+            {
+                fso.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(fileEntry.FullPath, fileEntry.Content);
+                fso.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(fileEntry.FullPath, fileEntry.Content);
+            }
+
+            return fso;
+        }
+
+            /// <summary>
+            /// Converts a FileSystemInfo into a FileSystemObject by reading in data about the file
+            /// </summary>
+            /// <param name="fileInfo">A reference to a file on disk.</param>
+            /// <param name="downloadCloud">If the file is hosted in the cloud, the user has the option to include cloud files or not.</param>
+            /// <param name="includeContentHash">If we should generate a hash of the file.</param>
+            /// <returns></returns>
+            public FileSystemObject FilePathToFileSystemObject(string path)
         {
             FileSystemObject obj = new FileSystemObject(path);
 
@@ -318,14 +356,19 @@ e is ArgumentNullException
                                 obj.ContentHash = FileSystemUtils.GetFileHash(fileInfo);
                             }
 
-                            obj.IsExecutable = FileSystemUtils.IsExecutable(obj.Path, size);
+                            var exeType = FileSystemUtils.GetExecutableType(path);
+
+                            if (exeType != EXECUTABLE_TYPE.NONE && exeType != EXECUTABLE_TYPE.UNKNOWN)
+                            {
+                                obj.IsExecutable = true;
+                            }
 
-                            if (FileSystemUtils.IsWindowsExecutable(obj.Path, obj.Size))
+                            if (exeType == EXECUTABLE_TYPE.WINDOWS)
                             {
                                 obj.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(path);
                                 obj.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(path);
                             }
-                            else if (FileSystemUtils.IsMacExecutable(obj.Path, obj.Size))
+                            else if (exeType == EXECUTABLE_TYPE.MACOS)
                             {
                                 obj.MacSignatureStatus = FileSystemUtils.GetMacSignature(path);
                             }
@@ -368,13 +411,20 @@ e is ArgumentNullException
                                 {
                                     obj.ContentHash = FileSystemUtils.GetFileHash(path);
                                 }
-                                obj.IsExecutable = FileSystemUtils.IsExecutable(obj.Path, obj.Size);
-                                if (FileSystemUtils.IsWindowsExecutable(obj.Path, obj.Size))
+
+                                var exeType = FileSystemUtils.GetExecutableType(path);
+
+                                if (exeType != EXECUTABLE_TYPE.NONE && exeType != EXECUTABLE_TYPE.UNKNOWN)
+                                {
+                                    obj.IsExecutable = true;
+                                }
+
+                                if (exeType == EXECUTABLE_TYPE.WINDOWS)
                                 {
                                     obj.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(path);
                                     obj.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(path);
                                 }
-                                else if (FileSystemUtils.IsMacExecutable(obj.Path, obj.Size))
+                                else if (exeType == EXECUTABLE_TYPE.MACOS)
                                 {
                                     obj.MacSignatureStatus = FileSystemUtils.GetMacSignature(path);
                                 }

Lib/Collectors/FileSystemUtils.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 using AttackSurfaceAnalyzer.Objects;
+using AttackSurfaceAnalyzer.Types;
 using AttackSurfaceAnalyzer.Utils;
 using Mono.Unix;
 using Serilog;
@@ -179,124 +180,52 @@ e is ArgumentException
                     return signature;
                 }
             }
-            catch (Exception e) {
+            catch (Exception e)
+            {
                 Log.Verbose("Failed to get Mac CodeSign information for {0} ({1}:{2})", Path, e.GetType(), e.Message);
             }
             return null;
         }
 
-        public static bool? IsExecutable(string? Path, ulong? Size)
+        public static EXECUTABLE_TYPE GetExecutableType(string Path)
         {
-            if (Path is null || Size is null) { return null; }
-            if (Size < 4) { return false; }
-
-            // Shortcut to help with system files we can't read directly
-            if (Path.EndsWith(".dll") || Path.EndsWith(".exe"))
-            {
-                return true;
-            }
-
-            byte[] fourBytes = new byte[4];
-            try
-            {
-                using (var fileStream = File.OpenRead(Path))
-                {
-                    fileStream.Read(fourBytes, 0, 4);
-                }
-            }
-            catch (Exception e) when (
-                e is ArgumentException
-                || e is ArgumentNullException
-                || e is PathTooLongException
-                || e is DirectoryNotFoundException
-                || e is IOException
-                || e is UnauthorizedAccessException
-                || e is ArgumentOutOfRangeException
-                || e is FileNotFoundException
-                || e is NotSupportedException
-                || e is ObjectDisposedException)
-            {
-                Log.Verbose("Couldn't chomp 4 bytes of {0} ({1}:{2})", Path, e.GetType().ToString(), e.Message);
-                return false;
-            }
-
-            return fourBytes.SequenceEqual(ElfMagicNumber) || fourBytes.SequenceEqual(JavaMagicNumber) || MacMagicNumbers.Contains(fourBytes) || fourBytes[0..2].SequenceEqual(WindowsMagicNumber);
+            using var fs = new FileStream(Path, FileMode.Open);
+            return GetExecutableType(Path, fs);
         }
 
-        public static bool IsMacExecutable(string? Path, ulong? Size)
+        public static EXECUTABLE_TYPE GetExecutableType(string? Path, Stream input)
         {
-            if (Path is null) { return false; }
-            if (Size < 4) { return false; }
+            if (input == null) { return EXECUTABLE_TYPE.UNKNOWN; }
+            if (input.Length < 4) { return EXECUTABLE_TYPE.NONE; }
 
-            // Shortcut to help with system files we can't read directly
-            if (Path.EndsWith(".app"))
-            {
-                return true;
-            }
+            var fourBytes = new byte[4];
+            var initialPosition = input.Position;
 
-            byte[] fourBytes = new byte[4];
             try
             {
-                using (var fileStream = File.Open(Path, FileMode.Open))
-                {
-                    fileStream.Read(fourBytes, 0, 4);
-                }
+                input.Read(fourBytes);
+                input.Position = initialPosition;
             }
-            catch (Exception e) when (
-                e is ArgumentException
-                || e is ArgumentNullException
-                || e is PathTooLongException
-                || e is DirectoryNotFoundException
-                || e is IOException
-                || e is UnauthorizedAccessException
-                || e is ArgumentOutOfRangeException
-                || e is FileNotFoundException
-                || e is NotSupportedException
-                || e is ObjectDisposedException)
+            catch (Exception e)
             {
                 Log.Verbose("Couldn't chomp 4 bytes of {0} ({1}:{2})", Path, e.GetType().ToString(), e.Message);
-                return false;
+                return EXECUTABLE_TYPE.UNKNOWN;
             }
 
-            return MacMagicNumbers.Contains(fourBytes);
-        }
-
-        public static bool IsWindowsExecutable(string? Path, ulong? Size)
-        {
-            if (Path is null) { return false; }
-            if (Size < 4) { return false; }
-
-            // Shortcut to help with system files we can't read directly
-            if (Path.EndsWith(".dll") || Path.EndsWith(".exe"))
+            switch (fourBytes)
             {
-                return true;
-            }
+                case var span when span.SequenceEqual(ElfMagicNumber):
+                    return EXECUTABLE_TYPE.LINUX;
+                case var span when span.SequenceEqual(JavaMagicNumber):
+                    return EXECUTABLE_TYPE.JAVA;
+                case var span when MacMagicNumbers.Contains(span):
+                    return EXECUTABLE_TYPE.MACOS;
+                case var span when span[0..2].SequenceEqual(WindowsMagicNumber):
+                    return EXECUTABLE_TYPE.WINDOWS;
+                default:
+                    return EXECUTABLE_TYPE.NONE;
 
-            byte[] fourBytes = new byte[4];
-            try
-            {
-                using (var fileStream = File.OpenRead(Path))
-                {
-                    fileStream.Read(fourBytes, 0, 4);
-                }
-            }
-            catch (Exception e) when (
-                e is ArgumentException
-                || e is ArgumentNullException
-                || e is PathTooLongException
-                || e is DirectoryNotFoundException
-                || e is IOException
-                || e is UnauthorizedAccessException
-                || e is ArgumentOutOfRangeException
-                || e is FileNotFoundException
-                || e is NotSupportedException
-                || e is ObjectDisposedException)
-            {
-                Log.Verbose("Couldn't chomp 4 bytes of {0} ({1}:{2})", Path, e.GetType().ToString(), e.Message);
-                return false;
             }
-
-            return fourBytes[0..2].SequenceEqual(WindowsMagicNumber);
         }
 
         public static string GetFileHash(string path)
@@ -313,35 +242,25 @@ public static string GetFileHash(string path)
 
         public static string? GetFileHash(FileSystemInfo fileInfo)
         {
+            string? hashValue = null;
+
             if (fileInfo != null)
             {
                 Log.Debug("{0} {1}", Strings.Get("FileHash"), fileInfo.FullName);
 
-                string? hashValue = null;
                 try
                 {
                     using (var stream = File.OpenRead(fileInfo.FullName))
                     {
                         hashValue = CryptoHelpers.CreateHash(stream);
                     }
                 }
-                catch (Exception e) when (
-                    e is ArgumentNullException
-                    || e is ArgumentException
-                    || e is NotSupportedException
-                    || e is FileNotFoundException
-                    || e is IOException
-                    || e is System.Security.SecurityException
-                    || e is DirectoryNotFoundException
-                    || e is UnauthorizedAccessException
-                    || e is PathTooLongException
-                    || e is ArgumentOutOfRangeException)
+                catch (Exception e)
                 {
                     Log.Verbose("{0}: {1} {2}", Strings.Get("Err_UnableToHash"), fileInfo.FullName, e.GetType().ToString());
                 }
-                return hashValue;
             }
-            return null;
+            return hashValue;
         }
     }
 }