From ae20982f7da227f519f9505071fc4c0dc4948dd2 Mon Sep 17 00:00:00 2001
From: Eric Zimmerman
Date: Wed, 4 Sep 2024 09:31:59 -0400
Subject: [PATCH] fixes for case sensitive linux log names, fix for finding profile name in compressed output names
---
 rla/Program.cs | 41 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/rla/Program.cs b/rla/Program.cs
index ecfe013..1ea06a1 100644
--- a/rla/Program.cs
+++ b/rla/Program.cs
@@ -7,6 +7,7 @@
 using System.IO;
 using System.Linq;
 using System.Reflection;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using Exceptionless;
 using Exceptionless.Extensions;
@@ -211,6 +212,7 @@ private static void DoWork(string f, string d, string @out, bool ca, bool cn, bo
 okFileParts.Add("SYSCACHE");
 okFileParts.Add("SECURITY");
 okFileParts.Add("DRIVERS");
+ okFileParts.Add("DEFAULT");
 okFileParts.Add("COMPONENTS");
 var directoryEnumerationFilters = new DirectoryEnumerationFilters();
 directoryEnumerationFilters.InclusionFilter = fsei =>
@@ -357,6 +359,7 @@ private static void DoWork(string f, string d, string @out, bool ca, bool cn, bo
 "SYSCACHE.hve",
 "SECURITY",
 "DRIVERS",
+ "DEFAULT",
 "COMPONENTS"
 };
 var ignoreExt = new HashSet(StringComparer.OrdinalIgnoreCase)
@@ -484,7 +487,25 @@ private static void DoWork(string f, string d, string @out, bool ca, bool cn, bo
 dirname = ".";
 }
- var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");
+
+#if NET462
+ var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");
+#elif NET6_0
+ var en = new EnumerationOptions
+ {
+ // IgnoreInaccessible = true,
+ MatchCasing = MatchCasing.CaseInsensitive,
+ // RecurseSubdirectories = true,
+ AttributesToSkip = 0
+ };
+
+ var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?",en);
+#endif
+
+
+
+
+ // var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?",en);
 if (logFiles.Length == 0)
 {
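Review bot: In the `#if NET462` / `#elif NET6_0` block added ahead of `if (logFiles.Length == 0)`, `logFiles` is declared in neither branch for any other target framework, so a later move to net7.0 or net8.0 fails to compile at that `if`; writing `#else` (or `#elif NET6_0_OR_GREATER`) in place of `#elif NET6_0` keeps the case-insensitive enumeration for every modern target. `AttributesToSkip = 0` overrides the EnumerationOptions default of skipping Hidden and System entries, which is presumably deliberate for transaction logs but deserves a comment such as `// AttributesToSkip = 0: the default (Hidden|System) would hide LOG files carrying those attributes`. The four blank lines and the commented-out `// var logFiles = ...` call after `#endif` are leftovers from development and should go. DoWork continues outside the hunk.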
@@ -558,13 +579,23 @@ private static void DoWork(string f, string d, string @out, bool ca, bool cn, bo
 {
 Log.Verbose("In cn && ntuser|usrclass",outFileAll);
- var dl = hiveToProcess[0].ToString();
- var segs = hiveToProcess.Split(Path.PathSeparator);
+ var profileName = "Undetermined";
+ var dl = "Undetermined";
+ try {
+ profileName = Regex.Match(hiveToProcess, @"(.)\\\b(.sers|.indows)\b\\(.+?)\\", RegexOptions.IgnoreCase | RegexOptions.IgnorePatternWhitespace).Groups[3].Value;
+ dl = Regex.Match(hiveToProcess, @"(.)\\\b(.sers|.indows)\b\\(.+?)\\", RegexOptions.IgnoreCase | RegexOptions.IgnorePatternWhitespace).Groups[1].Value;
+ } catch (ArgumentException ) {
+ // Syntax error in the regular expression
+ }
+
+
+ // var dl = hiveToProcess[0].ToString();
+ // var segs = hiveToProcess.Split(Path.DirectorySeparatorChar);
- var profile = segs[2];
+ var filename = Path.GetFileName(hiveToProcess);
- var outFile2 = $"{dl}_{profile}_(unknown)";
+ var outFile2 = $"{dl}_{profileName}_(unknown)";
 outFileAll = Path.Combine(@out, outFile2);
 }
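Review bot: `Regex.Match` does not throw when the input does not match, so for a hiveToProcess path without `\Users\` or `\Windows\` (including any forward-slash path on Linux, which the commit title targets) `Groups[3].Value` and `Groups[1].Value` are the empty string and `profileName`/`dl` silently end up as "" instead of the intended "Undetermined"; the `catch (ArgumentException)` only covers a malformed pattern, which a constant pattern cannot produce. Group 1 is also just the character before the separator, so for `C:\Users\name\...` `dl` becomes `:` rather than the drive letter the removed `hiveToProcess[0]` produced. Matching once, testing `Success`, and accepting either separator addresses both; `filename` is not used anywhere in the hunk and can be dropped if nothing further down reads it. DoWork continues outside the hunk.

```csharp
var profileName = "Undetermined";
var dl = "Undetermined";
// One match, either separator, so both C:\Users\x\... and /mnt/c/Users/x/... resolve;
// a non-match leaves the "Undetermined" defaults in place instead of empty strings.
var pathMatch = Regex.Match(hiveToProcess, @"(\w):?[\\/](?:users|windows)[\\/]([^\\/]+)[\\/]", RegexOptions.IgnoreCase);
if (pathMatch.Success)
{
    dl = pathMatch.Groups[1].Value;
    profileName = pathMatch.Groups[2].Value;
}
// … unchanged: outFile2 / outFileAll …
```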