Fix Download of Executables in OneDrive (#221)
Adds option to restore previous behavior.
gfs authored and gfs committed May 31, 2019
1 parent a08808e commit 3a8f867
Showing 3 changed files with 59 additions and 6 deletions.
9 changes: 6 additions & 3 deletions Cli/Program.cs
@@ -126,6 +126,9 @@ public class CollectCommandOptions
[Option("directories", Required = false, HelpText = "Comma separated list of paths to scan with FileSystemCollector")]
public string SelectedDirectories { get; set; }

[Option(HelpText = "Download files from thin Cloud Folders (like OneDrive) to check them.", Default = false)]
public bool DownloadCloud { get; set; }

[Option(HelpText ="If the specified runid already exists delete all data from that run before proceeding.")]
public bool Overwrite { get; set; }

@@ -1162,12 +1165,12 @@ public static void AdminOrQuit()

public static int RunCollectCommand(CollectCommandOptions opts)
{
AdminOrQuit();
#if DEBUG
Logger.Setup(true, opts.Verbose);
#else
Logger.Setup(false, opts.Verbose);
#endif
AdminOrQuit();
DatabaseManager.SqliteFilename = opts.DatabaseFilename;
DatabaseManager.Setup();
Telemetry.Setup(Gui: false);
@@ -1193,11 +1196,11 @@ public static int RunCollectCommand(CollectCommandOptions opts)
{
if (String.IsNullOrEmpty(opts.SelectedDirectories))
{
collectors.Add(new FileSystemCollector(opts.RunId, enableHashing: opts.GatherHashes));
collectors.Add(new FileSystemCollector(opts.RunId, enableHashing: opts.GatherHashes, downloadCloud: opts.DownloadCloud));
}
else
{
collectors.Add(new FileSystemCollector(opts.RunId, enableHashing: opts.GatherHashes, directories: opts.SelectedDirectories));
collectors.Add(new FileSystemCollector(opts.RunId, enableHashing: opts.GatherHashes, directories: opts.SelectedDirectories, downloadCloud: opts.DownloadCloud));
}
}
if (opts.EnableNetworkPortCollector || opts.EnableAllCollectors)
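Review bot: The `HelpText` on the new `DownloadCloud` option in the first hunk does not say what the default of `false` leaves out, which is what an operator reading `--help` needs to know. Going by the FileSystemCollector change in this same commit, cloud-only executables are then recorded with signature status "Cloud" and their signature and DLL characteristics are not read, so a run without the flag has a coverage gap over synced folders. I would extend the text to something like `HelpText = "Download files from thin Cloud Folders (like OneDrive) to check them. When not set, cloud-only files are listed with signature status 'Cloud' and are not inspected."`.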
15 changes: 12 additions & 3 deletions Lib/Collectors/FileSystem/FileSystemCollector.cs
@@ -104,6 +104,7 @@ public class FileSystemCollector : BaseCollector


private WriteBuffer wb;
bool downloadCloud;

public void Write(FileSystemObject obj)
{
@@ -128,10 +129,11 @@ public void Write(FileSystemObject obj)
}
}

public FileSystemCollector(string runId, bool enableHashing = false, string directories = "")
public FileSystemCollector(string runId, bool enableHashing = false, string directories = "", bool downloadCloud = false)
{
this.runId = runId;
this.roots = new HashSet<string>();
this.downloadCloud = downloadCloud;
INCLUDE_CONTENT_HASH = enableHashing;
if (directories.Equals(""))
{
@@ -235,8 +237,15 @@ public override void Execute()
};
if (WindowsFileSystemUtils.NeedsSignature(obj.Path))
{
obj.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(fileInfo.FullName);
obj.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(fileInfo.FullName);
if (WindowsFileSystemUtils.IsLocal(obj.Path) || downloadCloud)
{
obj.SignatureStatus = WindowsFileSystemUtils.GetSignatureStatus(fileInfo.FullName);
obj.Characteristics = WindowsFileSystemUtils.GetDllCharacteristics(fileInfo.FullName);
}
else
{
obj.SignatureStatus = "Cloud";
}
}
if (INCLUDE_CONTENT_HASH)
{
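Review bot: The new `IsLocal(obj.Path) || downloadCloud` guard in `Execute` covers only the signature and characteristics reads; the `if (INCLUDE_CONTENT_HASH)` branch that follows is unchanged, and its body lies outside the visible lines. If that branch opens the file to hash it, a cloud-only file would presumably still be recalled whenever hashing is enabled, whatever `downloadCloud` says; the same test could be applied there, e.g. `if (INCLUDE_CONTENT_HASH && (downloadCloud || WindowsFileSystemUtils.IsLocal(obj.Path)))`. In the `else` branch `obj.Characteristics` is left unassigned and `"Cloud"` is written into a field that otherwise carries a verification result, so a comment such as `// "Cloud" means the signature was not checked, not that it is valid or invalid` at that assignment would help whoever compares runs later.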
41 changes: 41 additions & 0 deletions Lib/Collectors/FileSystem/WindowsFileSystemUtils.cs
@@ -16,6 +16,35 @@ public class WindowsFileSystemUtils
{
public static List<string> SIGNED_EXTENSIONS = new List<string> { "dll", "exe", "cab", "ocx" };


[StructLayout(LayoutKind.Sequential)]
public struct WIN32_FILE_ATTRIBUTE_DATA
{
public uint dwFileAttributes;
public System.Runtime.InteropServices.ComTypes.FILETIME ftCreationTime;
public System.Runtime.InteropServices.ComTypes.FILETIME ftLastAccessTime;
public System.Runtime.InteropServices.ComTypes.FILETIME ftLastWriteTime;
public uint nFileSizeHigh;
public uint nFileSizeLow;
}

public enum GET_FILEEX_INFO_LEVELS
{
GetFileExInfoStandard,
GetFileExMaxInfoLevel
}

[StructLayout(LayoutKind.Sequential)]
public class FILETIME
{
public uint dwLowDateTime;
public uint dwHighDateTime;
}

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool GetFileAttributesEx(string lpFileName, GET_FILEEX_INFO_LEVELS fInfoLevelId, out WIN32_FILE_ATTRIBUTE_DATA fileData);

protected internal static string GetSignatureStatus(string Path)
{
if (!WindowsFileSystemUtils.NeedsSignature(Path))
@@ -47,6 +76,18 @@ protected internal static bool NeedsSignature(string Path)
}
}

protected internal static bool IsLocal(string path)
{
WIN32_FILE_ATTRIBUTE_DATA fileData;
GetFileAttributesEx(path, GET_FILEEX_INFO_LEVELS.GetFileExInfoStandard, out fileData);

if ((fileData.dwFileAttributes & (0x00100000 + 0x00040000 + 0x00400000)) == 0)
{
return false;
}
return true;
}

protected internal static List<DLLCHARACTERISTICS> GetDllCharacteristics(string Path)
{
if (NeedsSignature(Path))
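Review bot: `IsLocal` returns the opposite of what its name says: when none of the masked bits is set it returns `false`, and when any is set it returns `true`. By their Windows SDK values the three bits are FILE_ATTRIBUTE_UNPINNED (0x00100000), FILE_ATTRIBUTE_RECALL_ON_OPEN (0x00040000) and FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS (0x00400000), so an ordinary on-disk file carries none of them. With the caller in FileSystemCollector.Execute and the default `downloadCloud = false`, local executables would be labelled "Cloud" and skip the signature check, while placeholders are opened. The return value of `GetFileAttributesEx` is also ignored, so a failed call leaves `dwFileAttributes` at zero and cannot be told apart from a file with no flags. The added `FILETIME` class looks unused in the visible lines, since the struct refers to `System.Runtime.InteropServices.ComTypes.FILETIME`.

```csharp
// Cloud-placeholder attribute bits, named after the Windows SDK constants.
const uint FILE_ATTRIBUTE_RECALL_ON_OPEN = 0x00040000;
const uint FILE_ATTRIBUTE_UNPINNED = 0x00100000;
const uint FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000;

protected internal static bool IsLocal(string path)
{
    WIN32_FILE_ATTRIBUTE_DATA fileData;
    if (!GetFileAttributesEx(path, GET_FILEEX_INFO_LEVELS.GetFileExInfoStandard, out fileData))
    {
        // Attributes unavailable: report "not local" so the file is not opened.
        // NOTE(review): a distinct status for this case would be clearer than "Cloud".
        return false;
    }

    const uint cloudMask = FILE_ATTRIBUTE_RECALL_ON_OPEN
                         | FILE_ATTRIBUTE_UNPINNED
                         | FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS;
    // Local means none of the placeholder/recall bits is set.
    return (fileData.dwFileAttributes & cloudMask) == 0;
}
```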
