Gfs/#15 (#148)

gfs · web-flow · commit d061d8cd97b3 · 2019-04-23T15:10:00.000-07:00
* More filters. Some minor fixes to registry filter load behavior.

* Remove extraneous log statement.
diff --git a/Cli/Properties/Resources.resx b/Cli/Properties/Resources.resx
@@ -364,7 +364,7 @@
     <value>Collectors</value>
   </data>
   <data name="Err_AccessControl" xml:space="preserve">
-    <value>Could not get file permissions</value>
+    <value>Could not get file permissions for: {0}</value>
   </data>
   <data name="Err_FiltersFile" xml:space="preserve">
     <value>Json error parsing your filters.json file.</value>
diff --git a/Lib/Collectors/Certificates/CertificateCollector.cs b/Lib/Collectors/Certificates/CertificateCollector.cs
@@ -31,7 +31,6 @@ public class CertificateCollector : BaseCollector
 
         public CertificateCollector(string runId)
         {
-            Log.Debug("Initializing a new {0} object.", this.GetType().Name);
             this.runId = runId;
         }
 
diff --git a/Lib/Collectors/FileSystem/FileSystemCollector.cs b/Lib/Collectors/FileSystem/FileSystemCollector.cs
@@ -130,7 +130,6 @@ public void Write(FileSystemObject obj)
 
         public FileSystemCollector(string runId, bool enableHashing = false, string directories = "")
         {
-            Log.Debug("Initializing a new {0} object.", this.GetType().Name);
             this.runId = runId;
             this.roots = new HashSet<string>();
             INCLUDE_CONTENT_HASH = enableHashing;
diff --git a/Lib/Collectors/FileSystem/WindowsFileSystemUtils.cs b/Lib/Collectors/FileSystem/WindowsFileSystemUtils.cs
@@ -25,9 +25,9 @@ protected internal static string GetFilePermissions(FileSystemInfo fileInfo)
                 {
                     fileSecurity = new FileSecurity(filename, AccessControlSections.All);
                 }
-                catch (Exception ex)
+                catch (UnauthorizedAccessException)
                 {
-                    Log.Debug("{0} {1}: {2}", Strings.Get("Err_AccessControl"),fileInfo.FullName, ex.Message);
+                    Log.Verbose(Strings.Get("Err_AccessControl"), fileInfo.FullName);
                     //Log.Debug(ex.StackTrace);
                 }
             }
@@ -37,9 +37,9 @@ protected internal static string GetFilePermissions(FileSystemInfo fileInfo)
                 {
                     fileSecurity = new DirectorySecurity(filename, AccessControlSections.All);
                 }
-                catch (Exception ex)
+                catch (UnauthorizedAccessException)
                 {
-                    Log.Debug("{0} {1}: {2}", Strings.Get("Err_AccessControl"), fileInfo.FullName, ex.Message);
+                    Log.Verbose(Strings.Get("Err_AccessControl"), fileInfo.FullName);
                     //Log.Debug(ex.StackTrace);
 
                 }
@@ -51,7 +51,7 @@ protected internal static string GetFilePermissions(FileSystemInfo fileInfo)
             if (fileSecurity != null)
                 return fileSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
             else
-                return null;
+                return "";
         }
     }
 }
diff --git a/Lib/Collectors/Registry/RegistryCollector.cs b/Lib/Collectors/Registry/RegistryCollector.cs
@@ -111,8 +111,6 @@ public override void Execute()
         {
             Start();
 
-            Log.Information(JsonConvert.SerializeObject(DefaultHives));
-
             if (!this.CanRunOnPlatform())
             {
                 return;
@@ -133,6 +131,7 @@ public override void Execute()
                         return;
                     }
 
+                    Filter.IsFiltered(Helpers.RuntimeString(), "Scan", "Registry", "Key", "Exclude", hive.ToString());
                     var registryInfoEnumerable = RegistryWalker.WalkHive(hive);
                     try
                     {
diff --git a/Lib/Utils/DirectoryWalker.cs b/Lib/Utils/DirectoryWalker.cs
@@ -122,7 +122,7 @@ public static IEnumerable<FileSystemInfo> WalkDirectory(string root)
                         // Future improvement: log it as a symlink in the data
                         if (fileInfo.Attributes.HasFlag(FileAttributes.ReparsePoint))
                         {
-                            Log.Debug("Skipping symlink {0}", str);
+                            Log.Verbose("Skipping symlink {0}", str);
                             continue;
                         }
                     }
diff --git a/Lib/Utils/Filter.cs b/Lib/Utils/Filter.cs
@@ -51,10 +51,8 @@ public static bool IsFiltered(string Platform, string ScanType, string ItemType,
                     try
                     {
                         JArray jFilters = (JArray)config[Platform][ScanType][ItemType][Property][FilterType];
-                        Log.Debug(jFilters.ToString());
                         foreach (var filter in jFilters)
                         {
-                            Log.Debug(filter.ToString());
                             try
                             {
                                 filters.Add(new Regex(filter.ToString()));
@@ -120,7 +118,7 @@ public static bool IsFiltered(string Platform, string ScanType, string ItemType,
                         if (filter.IsMatch(Target))
                         {
                             regex = filter;
-                            Log.Debug("{0} caught {1}", filter, Target);
+                            Log.Verbose("{0} caught {1}", filter, Target);
                             return true;
                         }
                     }
diff --git a/filters.json b/filters.json
@@ -28,7 +28,17 @@
             "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\mpssvc\\\\Parameterss",
             "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\PolicyAgent\\\\Parameters",
             "^HKEY_CURRENT_USER\\\\System\\\\CurrentControlSet\\\\Control\\\\DeviceContainers\\\\",
-            "^HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\EAPSIMMethods"
+            "^HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\EAPSIMMethods",
+            "^HKEY_LOCAL_MACHINE\\\\SECURITY",
+            "^HKEY_LOCAL_MACHINE\\\\SAM",
+            "^HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\EAPSIMMethods",
+            "^HKEY_USERS\\\\S-[0-9-]*\\\\System\\\\CurrentControlSet\\\\Control\\\\DeviceContainers",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\ADOVMPPackage",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\BTHPORT\\\\Parameters",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\mpssvc\\\\Parameters",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\ADOVMPPackage",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\BTHPORT\\\\Parameters",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PolicyAgent\\\\Parameters"
           ]
         },
         "Hive": {
@@ -67,7 +77,9 @@
             "^[A-Z]:\\\\Windows\\\\Temp\\\\MpCmdRun.log$",
             "^[A-Z]:\\\\Windows\\\\Temp\\\\MpSigStub.log$",
             "^[A-Z]:\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\LwtNetLog.etl$",
-            "^[A-Z]:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Support\\\\MpWppTracing$"
+            "^[A-Z]:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Support\\\\MpWppTracing$",
+            "^[A-Z]:\\\\Windows\\\\CCM\\\\ScriptStore",
+            "^[A-Z]:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\.*?\\\\Files\\\\System Volume Information"
           ]
         }
       }

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,6 @@ public class CertificateCollector : BaseCollector`
`31`	`31`
`32`	`32`	`public CertificateCollector(string runId)`
`33`	`33`	`{`
`34`		`- Log.Debug("Initializing a new {0} object.", this.GetType().Name);`
`35`	`34`	`this.runId = runId;`
`36`	`35`	`}`
`37`	`36`
Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,6 @@ public void Write(FileSystemObject obj)`
`130`	`130`
`131`	`131`	`public FileSystemCollector(string runId, bool enableHashing = false, string directories = "")`
`132`	`132`	`{`
`133`		`- Log.Debug("Initializing a new {0} object.", this.GetType().Name);`
`134`	`133`	`this.runId = runId;`
`135`	`134`	`this.roots = new HashSet<string>();`
`136`	`135`	`INCLUDE_CONTENT_HASH = enableHashing;`
Original file line number	Diff line number	Diff line change
`@@ -25,9 +25,9 @@ protected internal static string GetFilePermissions(FileSystemInfo fileInfo)`
`25`	`25`	`{`
`26`	`26`	`fileSecurity = new FileSecurity(filename, AccessControlSections.All);`
`27`	`27`	`}`
`28`		`- catch (Exception ex)`
	`28`	`+ catch (UnauthorizedAccessException)`
`29`	`29`	`{`
`30`		`- Log.Debug("{0} {1}: {2}", Strings.Get("Err_AccessControl"),fileInfo.FullName, ex.Message);`
	`30`	`+ Log.Verbose(Strings.Get("Err_AccessControl"), fileInfo.FullName);`
`31`	`31`	`//Log.Debug(ex.StackTrace);`
`32`	`32`	`}`
`33`	`33`	`}`
`@@ -37,9 +37,9 @@ protected internal static string GetFilePermissions(FileSystemInfo fileInfo)`
`37`	`37`	`{`
`38`	`38`	`fileSecurity = new DirectorySecurity(filename, AccessControlSections.All);`
`39`	`39`	`}`
`40`		`- catch (Exception ex)`
	`40`	`+ catch (UnauthorizedAccessException)`
`41`	`41`	`{`
`42`		`- Log.Debug("{0} {1}: {2}", Strings.Get("Err_AccessControl"), fileInfo.FullName, ex.Message);`
	`42`	`+ Log.Verbose(Strings.Get("Err_AccessControl"), fileInfo.FullName);`
`43`	`43`	`//Log.Debug(ex.StackTrace);`
`44`	`44`
`45`	`45`	`}`
`@@ -51,7 +51,7 @@ protected internal static string GetFilePermissions(FileSystemInfo fileInfo)`
`51`	`51`	`if (fileSecurity != null)`
`52`	`52`	`return fileSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);`
`53`	`53`	`else`
`54`		`- return null;`
	`54`	`+ return "";`
`55`	`55`	`}`
`56`	`56`	`}`
`57`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -111,8 +111,6 @@ public override void Execute()`
`111`	`111`	`{`
`112`	`112`	`Start();`
`113`	`113`
`114`		`- Log.Information(JsonConvert.SerializeObject(DefaultHives));`
`115`		`-`
`116`	`114`	`if (!this.CanRunOnPlatform())`
`117`	`115`	`{`
`118`	`116`	`return;`
`@@ -133,6 +131,7 @@ public override void Execute()`
`133`	`131`	`return;`
`134`	`132`	`}`
`135`	`133`
	`134`	`+ Filter.IsFiltered(Helpers.RuntimeString(), "Scan", "Registry", "Key", "Exclude", hive.ToString());`
`136`	`135`	`var registryInfoEnumerable = RegistryWalker.WalkHive(hive);`
`137`	`136`	`try`
`138`	`137`	`{`
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ public static IEnumerable<FileSystemInfo> WalkDirectory(string root)`
`122`	`122`	`// Future improvement: log it as a symlink in the data`
`123`	`123`	`if (fileInfo.Attributes.HasFlag(FileAttributes.ReparsePoint))`
`124`	`124`	`{`
`125`		`- Log.Debug("Skipping symlink {0}", str);`
	`125`	`+ Log.Verbose("Skipping symlink {0}", str);`
`126`	`126`	`continue;`
`127`	`127`	`}`
`128`	`128`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,10 +51,8 @@ public static bool IsFiltered(string Platform, string ScanType, string ItemType,`
`51`	`51`	`try`
`52`	`52`	`{`
`53`	`53`	`JArray jFilters = (JArray)config[Platform][ScanType][ItemType][Property][FilterType];`
`54`		`- Log.Debug(jFilters.ToString());`
`55`	`54`	`foreach (var filter in jFilters)`
`56`	`55`	`{`
`57`		`- Log.Debug(filter.ToString());`
`58`	`56`	`try`
`59`	`57`	`{`
`60`	`58`	`filters.Add(new Regex(filter.ToString()));`
`@@ -120,7 +118,7 @@ public static bool IsFiltered(string Platform, string ScanType, string ItemType,`
`120`	`118`	`if (filter.IsMatch(Target))`
`121`	`119`	`{`
`122`	`120`	`regex = filter;`
`123`		`- Log.Debug("{0} caught {1}", filter, Target);`
	`121`	`+ Log.Verbose("{0} caught {1}", filter, Target);`
`124`	`122`	`return true;`
`125`	`123`	`}`
`126`	`124`	`}`