none
peterm30 committed Jan 28, 2019
1 parent 9427ca7 commit 8e1c23c
Showing 7 changed files with 146 additions and 124 deletions.
6 changes: 3 additions & 3 deletions .gitignore
Expand Up @@ -13,12 +13,12 @@
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
#[Rr]elease/
#[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
#[Bb]in/
[Oo]bj/
[Ll]og/

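Review bot: Commenting out `[Rr]elease/`, `[Rr]eleases/` and `[Bb]in/` un-ignores build output, and this same commit then adds EventFinder/bin/Release/EventFinder.exe and its .config to the repository. A compiled binary checked into source control cannot be reviewed against the source it claims to come from and will drift from it on every local rebuild, so anyone pulling the repo runs an artifact nobody can audit. Keep these three patterns active and distribute the built .exe through a tagged release or CI artifact instead.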
10 changes: 6 additions & 4 deletions EventFinder/EventFinder.csproj
Expand Up @@ -14,6 +14,9 @@
<FileAlignment>512</FileAlignment>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
<Deterministic>true</Deterministic>
<IsWebBootstrapper>false</IsWebBootstrapper>
<NuGetPackageImportStamp>
</NuGetPackageImportStamp>
<PublishUrl>publish\</PublishUrl>
<Install>true</Install>
<InstallFrom>Disk</InstallFrom>
Expand All @@ -26,11 +29,8 @@
<MapFileExtensions>true</MapFileExtensions>
<ApplicationRevision>0</ApplicationRevision>
<ApplicationVersion>1.0.0.%2a</ApplicationVersion>
<IsWebBootstrapper>false</IsWebBootstrapper>
<UseApplicationTrust>false</UseApplicationTrust>
<BootstrapperEnabled>true</BootstrapperEnabled>
<NuGetPackageImportStamp>
</NuGetPackageImportStamp>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
Expand Down Expand Up @@ -71,7 +71,9 @@
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Form1.cs" />
<Compile Include="Form1.cs">
<SubType>Form</SubType>
</Compile>
<Compile Include="Form1.Designer.cs">
<DependentUpon>Form1.cs</DependentUpon>
</Compile>
2 changes: 1 addition & 1 deletion EventFinder/Form1.Designer.cs


236 changes: 120 additions & 116 deletions EventFinder/Form1.cs
Expand Up @@ -6,45 +6,15 @@
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics.Eventing.Reader; // I think this will be needed?
using System.Diagnostics.Eventing.Reader;
using System.Diagnostics;
using System.Xml;
using System.Xml.Linq;
using System.Text.RegularExpressions;
using System.Windows.Forms;
using System.IO;
using CsvHelper;

public class Record
{
public string Message { get; set; }
public string SystemTime { get; set; }
public string Id { get; set; }
public string Version { get; set; }
public string Qualifiers { get; set; }
public string Level { get; set; }
public string Task { get; set; }
public string Opcode { get; set; }
public string Keywords { get; set; }
public string RecordId { get; set; }
public string ProviderName { get; set; }
public string ProviderID { get; set; }
public string LogName { get; set; }
public string ProcessId { get; set; }
public string ThreadId { get; set; }
public string MachineName { get; set; }
public string UserID { get; set; }
public string TimeCreated { get; set; }
public string ActivityId { get; set; }
public string RelatedActivityId { get; set; }
public string Hashcode { get; set; }
public string MatchedQueryIds { get; set; }
public string LevelDisplayName { get; set; }
public string OpcodeDisplayName { get; set; }
public string TaskDisplayName { get; set; }

}

using System.Security.Principal;

namespace EventFinder
{
Expand All @@ -54,128 +24,162 @@ public FindEvents()
{
InitializeComponent();



EventLogSession session = new EventLogSession();
var providers = session.GetProviderNames().ToList();
Regex rgx = new Regex(@"^Security$");
bool AdminFlag = false;

foreach (string provider in providers)
// Check if the User is running as Administrator. Display appropriate text.
bool isElevated;
using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
{
if (rgx.IsMatch(provider))
{
AdminFlag = true;
}
WindowsPrincipal principal = new WindowsPrincipal(identity);
isElevated = principal.IsInRole(WindowsBuiltInRole.Administrator);
}

if (AdminFlag)
if (isElevated)
{
StatusOutput.Text = "Security log found!\nYou are likely administrator";
StatusOutput.Text = "Running as Administrator.\nRestricted logs will be enumerated.";
StatusOutput.ForeColor = System.Drawing.Color.Green;
} else
{
StatusOutput.Text = "Unable to read Security log.\nAre you administrator?";
StatusOutput.Text = "Not running as Administrator!\nYou will not be able to read Security, etc.";
StatusOutput.ForeColor = System.Drawing.Color.Red;
}
}

// Get a start time for our filter
private void StartButton_Click(object sender, EventArgs e)
{
string CurrentTime = DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss");
StartInput.Text = CurrentTime;
}

// Get an end time for our filter
private void EndButton_Click(object sender, EventArgs e)
{
string CurrentTime = DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss");
EndInput.Text = CurrentTime;
}

// Our Find Events button, this is where the magic happens
private void FindEventsButton_Click(object sender, EventArgs e)
{
FindEventsButton.Enabled = false;

if (StartInput.Text == "" || EndInput.Text == "") // Check to make sure times are populated
{
StatusOutput.Text = "Missing Start or End Time!";
StatusOutput.ForeColor = System.Drawing.Color.Red;
} else if (!DateTime.TryParse(StartInput.Text, out DateTime temp)) // And that the start time is valid
{
StatusOutput.Text = "Invalid Start Time";
StatusOutput.ForeColor = System.Drawing.Color.Red;
} else if (!DateTime.TryParse(EndInput.Text, out DateTime temp2)) // And that the end time is valid
{
StatusOutput.Text = "Invalid End Time";
StatusOutput.ForeColor = System.Drawing.Color.Red;
} else // If everything is valid, run!
{




// Variables we will need
DateTime StartTime = DateTime.ParseExact(StartInput.Text, "MM/dd/yyyy HH:mm:ss", null);
DateTime EndTime = DateTime.ParseExact(EndInput.Text, "MM/dd/yyyy HH:mm:ss", null);
string RunTime = DateTime.Now.ToString("yyyyMMdd_HHmmss");
string DesktopPath = Environment.GetFolderPath(Environment.SpecialFolder.Desktop);
EventLogSession Session = new EventLogSession();
var Providers = Session.GetProviderNames().ToList();

var query = string.Format(@"*[System[TimeCreated[@SystemTime >= '{0}']]] and *[System[TimeCreated[@SystemTime <= '{1}']]]", StartTime.ToString("o"), EndTime.ToString("o"));

List<Record> records = new List<Record> { };
// Variables we will need
DateTime StartTime = DateTime.ParseExact(StartInput.Text, "MM/dd/yyyy HH:mm:ss", null); // Needed for filter query
DateTime EndTime = DateTime.ParseExact(EndInput.Text, "MM/dd/yyyy HH:mm:ss", null); // Needed for filter query
string DesktopPath = Environment.GetFolderPath(Environment.SpecialFolder.Desktop); // Needed for file name
string RunTime = DateTime.Now.ToString("yyyyMMdd_HHmmss"); // Needed for file name
EventLogSession Session = new EventLogSession();
var Logs = Session.GetLogNames().ToList();
var query = string.Format(@"*[System[TimeCreated[@SystemTime >= '{0}']]] and *[System[TimeCreated[@SystemTime <= '{1}']]]", StartTime.ToUniversalTime().ToString("o"), EndTime.ToUniversalTime().ToString("o"));
List<Record> records = new List<Record> { }; // Start a list for all those sweet sweet logs we're going to get

foreach (var Provider in Providers)
{
try
foreach (var Log in Logs)
{
EventLogQuery eventlogQuery = new EventLogQuery(Provider, PathType.LogName, query);
EventLogReader eventlogReader = new EventLogReader(eventlogQuery);

for (EventRecord eventRecord = eventlogReader.ReadEvent(); null != eventRecord; eventRecord = eventlogReader.ReadEvent())
try
{
// Get the SystemTime from the event record XML
var xml = XDocument.Parse(eventRecord.ToXml());
XNamespace ns = xml.Root.GetDefaultNamespace();

// Collect ALL THE THINGS!
string Message = eventRecord.FormatDescription();
string SystemTime = xml.Root.Element(ns + "System").Element(ns + "TimeCreated").Attribute("SystemTime").Value;
string Id = eventRecord.Id.ToString();
string Version = eventRecord.Version.ToString();
string Qualifiers = eventRecord.Qualifiers.ToString();
string Level = eventRecord.Level.ToString();
string Task = eventRecord.Task.ToString();
string Opcode = eventRecord.Opcode.ToString();
string Keywords = eventRecord.Keywords.ToString();
string RecordId = eventRecord.RecordId.ToString();
string ProviderName = eventRecord.ProviderName;
string ProviderID = eventRecord.ProviderId.ToString();
string LogName = eventRecord.LogName;
string ProcessId = eventRecord.ProcessId.ToString();
string ThreadId = eventRecord.ThreadId.ToString();
string MachineName = eventRecord.MachineName;
string UserID = eventRecord.UserId?.ToString();
string TimeCreated = eventRecord.TimeCreated.ToString();
string ActivityId = eventRecord.ActivityId.ToString();
string RelatedActivityId = eventRecord.RelatedActivityId.ToString();
string Hashcode = eventRecord.GetHashCode().ToString();
string LevelDisplayName = eventRecord.LevelDisplayName;
string OpcodeDisplayName = eventRecord.OpcodeDisplayName;
string TaskDisplayName = eventRecord.TaskDisplayName;

// Add them to the record. The things equal the things.
records.Add(new Record() { Message = Message, SystemTime = SystemTime, Id = Id, Version = Version, Qualifiers = Qualifiers, Level = Level, Task = Task, Opcode = Opcode, Keywords = Keywords, RecordId = RecordId, ProviderName = ProviderName, ProviderID = ProviderID, LogName = LogName, ProcessId = ProcessId, ThreadId = ThreadId, MachineName = MachineName, UserID = UserID, TimeCreated = TimeCreated, ActivityId = ActivityId, RelatedActivityId = RelatedActivityId, Hashcode = Hashcode, LevelDisplayName = LevelDisplayName, OpcodeDisplayName = OpcodeDisplayName, TaskDisplayName = TaskDisplayName });
EventLogQuery eventlogQuery = new EventLogQuery(Log, PathType.LogName, query);
EventLogReader eventlogReader = new EventLogReader(eventlogQuery);

for (EventRecord eventRecord = eventlogReader.ReadEvent(); null != eventRecord; eventRecord = eventlogReader.ReadEvent())
{
// Get the SystemTime from the event record XML
var xml = XDocument.Parse(eventRecord.ToXml());
XNamespace ns = xml.Root.GetDefaultNamespace();

// Collect ALL THE THINGS!
string Message = eventRecord.FormatDescription();
string SystemTime = xml.Root.Element(ns + "System").Element(ns + "TimeCreated").Attribute("SystemTime").Value;
string Id = eventRecord.Id.ToString();
string Version = eventRecord.Version.ToString();
string Qualifiers = eventRecord.Qualifiers.ToString();
string Level = eventRecord.Level.ToString();
string Task = eventRecord.Task.ToString();
string Opcode = eventRecord.Opcode.ToString();
string Keywords = eventRecord.Keywords.ToString();
string RecordId = eventRecord.RecordId.ToString();
string ProviderName = eventRecord.ProviderName;
string ProviderID = eventRecord.ProviderId.ToString();
string LogName = eventRecord.LogName;
string ProcessId = eventRecord.ProcessId.ToString();
string ThreadId = eventRecord.ThreadId.ToString();
string MachineName = eventRecord.MachineName;
string UserID = eventRecord.UserId?.ToString();
string TimeCreated = eventRecord.TimeCreated.ToString();
string ActivityId = eventRecord.ActivityId.ToString();
string RelatedActivityId = eventRecord.RelatedActivityId.ToString();
string Hashcode = eventRecord.GetHashCode().ToString();
string LevelDisplayName = eventRecord.LevelDisplayName;
string OpcodeDisplayName = eventRecord.OpcodeDisplayName;
string TaskDisplayName = eventRecord.TaskDisplayName;

// Add them to the record. The things equal the things.
records.Add(new Record() { Message = Message, SystemTime = SystemTime, Id = Id, Version = Version, Qualifiers = Qualifiers, Level = Level, Task = Task, Opcode = Opcode, Keywords = Keywords, RecordId = RecordId, ProviderName = ProviderName, ProviderID = ProviderID, LogName = LogName, ProcessId = ProcessId, ThreadId = ThreadId, MachineName = MachineName, UserID = UserID, TimeCreated = TimeCreated, ActivityId = ActivityId, RelatedActivityId = RelatedActivityId, Hashcode = Hashcode, LevelDisplayName = LevelDisplayName, OpcodeDisplayName = OpcodeDisplayName, TaskDisplayName = TaskDisplayName });
}
}
catch (UnauthorizedAccessException)
{
// If you are running as admin, you will get unauthorized for some logs. Hey, I warned you! Nothing to do here.
}

} catch (EventLogNotFoundException)
{
// No events found - Nothing to be done
} catch (EventLogException)
{
// Error Reading Provider - Nothing to be done
}


}

records.OrderBy(x => x.SystemTime);
}

using (var writer = new StreamWriter(DesktopPath + "\\Logs_Runtime_" + RunTime + ".csv", append: true))
using (var csv = new CsvWriter(writer))
{
csv.Configuration.ShouldQuote = (field, context) => true;
csv.WriteRecords(records);
records.OrderBy(x => x.SystemTime); // Sort our records in chronological order
// and write them to a CSV
using (var writer = new StreamWriter(DesktopPath + "\\Logs_Runtime_" + RunTime + ".csv", append: true))
using (var csv = new CsvWriter(writer))
{
csv.Configuration.ShouldQuote = (field, context) => true;
csv.WriteRecords(records);
}
StatusOutput.Text = "Run Complete";
StatusOutput.ForeColor = System.Drawing.Color.Blue;
}

FindEventsButton.Enabled = true;
}
}
}

public class Record // All the things that will be used in our CSV later.
{
public string Message { get; set; }
public string SystemTime { get; set; }
public string Id { get; set; }
public string Version { get; set; }
public string Qualifiers { get; set; }
public string Level { get; set; }
public string Task { get; set; }
public string Opcode { get; set; }
public string Keywords { get; set; }
public string RecordId { get; set; }
public string ProviderName { get; set; }
public string ProviderID { get; set; }
public string LogName { get; set; }
public string ProcessId { get; set; }
public string ThreadId { get; set; }
public string MachineName { get; set; }
public string UserID { get; set; }
public string TimeCreated { get; set; }
public string ActivityId { get; set; }
public string RelatedActivityId { get; set; }
public string Hashcode { get; set; }
public string MatchedQueryIds { get; set; }
public string LevelDisplayName { get; set; }
public string OpcodeDisplayName { get; set; }
public string TaskDisplayName { get; set; }
}
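Review bot: `records.OrderBy(x => x.SystemTime);` near the end of FindEventsButton_Click discards its result, so the list handed to csv.WriteRecords is never sorted even though the new comment says it is; use `records = records.OrderBy(x => x.SystemTime, StringComparer.Ordinal).ToList();` (ordinal is the right comparison for the fixed-format SystemTime strings). The new empty `catch (UnauthorizedAccessException)` and the outer EventLogNotFoundException/EventLogException handlers skip a log with no trace, so a non-elevated run still ends with "Run Complete" while Security and other restricted logs are silently absent from the CSV; collecting the skipped log names into a list and appending them to StatusOutput would make the export's coverage visible to the analyst. Because Message and the other fields are taken verbatim from event data that can be influenced by whatever wrote the event, a cell beginning with `=`, `+`, `-` or `@` will be evaluated as a formula when the CSV is opened in a spreadsheet; prefixing such values with a single quote before adding them to the Record mitigates that, and quoting every field via ShouldQuote does not. `Path.Combine(DesktopPath, $"Logs_Runtime_{RunTime}.csv")` is also preferable to the manual `"\\"` concatenation.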
Binary file added EventFinder/bin/Release/EventFinder.exe
Binary file not shown.
14 changes: 14 additions & 0 deletions EventFinder/bin/Release/EventFinder.exe.config
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>
2 changes: 2 additions & 0 deletions README.md
@@ -0,0 +1,2 @@
# EventFinder2
Finds event logs between two time points. Useful for helpdesk/support/malware analysis.
