Improved reliability of binary checking

Updated documents Changed service code to aid debugging
bsi-group · Sep 15, 2016 · 7369e9c · 7369e9c
1 parent f088de6
commit 7369e9c
Show file tree

Hide file tree

Showing 8 changed files with 68 additions and 31 deletions.
diff --git a/documents/readme.md → documents/information.md b/documents/readme.md → documents/information.md
diff --git a/documents/readme.pdf → documents/information.pdf b/documents/readme.pdf → documents/information.pdf
diff --git a/documents/installation.md b/documents/installation.md
@@ -2,7 +2,7 @@
 
 The client is implemented as a Windows service. The service uses the SysInternals [Autoruns](https://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx) tool to extract the autorun data. The Autoruns tool is provided in two forms, GUI and console.
 
-The console version of the Autoruns tool (autorunsc.exe) must be downloaded separately and put into the same directory as the rest of the AutoRuns client files.
+The console version of the Autoruns tool (autorunsc.exe) must be downloaded separately and put into the same directory as the rest of the AutoRuns client files. Note that this service has been tested with **Autoruns v13.62**. Autoruns comes with x64 versions within the zip file, these must **not** be used as the results appear to be unreliable.
 
 The service uses the configuration details within the **AutoRunLogger.xml** file. The file contains two settings:
 

diff --git a/documents/installation.pdf b/documents/installation.pdf
diff --git a/source/Program.cs b/source/Program.cs
@@ -33,6 +33,10 @@ static void Main(string[] args)
                         StopService();
                         UninstallService();
                         break;
+                    case "-run":
+                        var s = new AutoRunLogger();
+                        s.StartService();
+                        break;
                     default:
                         throw new NotImplementedException();
                 }

diff --git a/source/Properties/AssemblyInfo.cs b/source/Properties/AssemblyInfo.cs
@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.1")]
-[assembly: AssemblyFileVersion("1.0.1")]
+[assembly: AssemblyVersion("1.0.2")]
+[assembly: AssemblyFileVersion("1.0.2")]
diff --git a/source/Service.cs b/source/Service.cs
@@ -51,6 +51,24 @@ public AutoRunLogger()
         /// </summary>
         /// <param name="args"></param>
         protected override void OnStart(string[] args)
+        {
+            StartService();
+        }
+
+        /// <summary>
+        /// 
+        /// </summary>
+        protected override void OnStop()
+        {
+            EventLog.WriteEntry(Global.DISPLAY_NAME, "Service stopping", EventLogEntryType.Information);
+            this.timer.Enabled = false;            
+        }
+
+        /// <summary>
+        /// Method to start service functions. This provides a public interface so 
+        /// that the functionality can be run without initialising a service e.g. debug
+        /// </summary>
+        public void StartService()
         {
             // To debug, load VS2015 as an admin user, and then uncomment the following line
             //Debugger.Launch();
@@ -89,15 +107,6 @@ protected override void OnStart(string[] args)
 
             Task.Run(() => { ProcessAutorunData(); });
         }
-
-        /// <summary>
-        /// 
-        /// </summary>
-        protected override void OnStop()
-        {
-            EventLog.WriteEntry(Global.DISPLAY_NAME, "Service stopping", EventLogEntryType.Information);
-            this.timer.Enabled = false;            
-        }
         #endregion
 
         /// <summary>
@@ -138,8 +147,7 @@ private void Timer_Elapsed(object sender, ElapsedEventArgs e)
         private void ProcessAutorunData()
         {
             if (IsValidAutoRunsBinary() == false)
-            {
-                EventLog.WriteEntry(Global.DISPLAY_NAME, "Autorun binary is invalid", EventLogEntryType.Error);
+            {               
                 return;
             }
 
@@ -158,28 +166,53 @@ private void ProcessAutorunData()
         /// <returns></returns>
         private bool IsValidAutoRunsBinary()
         {
-            FileVersionInfo fvi = FileVersionInfo.GetVersionInfo(this.autorunsPath);
-            if (fvi.InternalName.ToLower() != "sysinternals autoruns")
+            try
             {
-                return false;
-            }
+                FileVersionInfo fvi = FileVersionInfo.GetVersionInfo(this.autorunsPath);
+                if (fvi.InternalName.ToLower() != "sysinternals autoruns")
+                {
+                    EventLog.WriteEntry(Global.DISPLAY_NAME, "Error validating Autorun binary: Invalid internal name (" + fvi.InternalName + ")", EventLogEntryType.Error);
+                    return false;
+                }
 
-            var cert = X509Certificate.CreateFromSignedFile(this.autorunsPath);
-            var cert2 = new X509Certificate2(cert.Handle);
-            if (cert2.Verify() == false)
-            {
-                return false;
-            }
+                var cert = X509Certificate.CreateFromSignedFile(this.autorunsPath);
+                if (cert == null)
+                {
+                    EventLog.WriteEntry(Global.DISPLAY_NAME, "Error validating Autorun binary: Unable to check certificate from signed file", EventLogEntryType.Error);
+                    return false;
+                }
 
-            if (cert2.Issuer.ToLower() != "cn=microsoft code signing pca, o=microsoft corporation, l=redmond, s=washington, c=us")
-            {
-                return false;
-            }
+                var cert2 = new X509Certificate2(cert.Handle);
+                if (cert2 == null)
+                {
+                    EventLog.WriteEntry(Global.DISPLAY_NAME, "Error validating Autorun binary: Unable to create X509Certificate2 object", EventLogEntryType.Error);
+                    return false;
+                }
+
+                // This method appears to be unreliable and therefore has been commented out
+                //if (cert2.Verify() == false)
+                //{
+                //    EventLog.WriteEntry(Global.DISPLAY_NAME, "Error validating Autorun binary: Unable to verify file signature", EventLogEntryType.Error);
+                //    return false;
+                //}
 
-            if (AuthenticodeTools.IsTrusted(this.autorunsPath) == false)
+                if (cert2.Issuer.ToLower() != "cn=microsoft code signing pca, o=microsoft corporation, l=redmond, s=washington, c=us")
+                {
+                    EventLog.WriteEntry(Global.DISPLAY_NAME, "Error validating Autorun binary: Invalid issuer (" + cert2.Issuer + ")", EventLogEntryType.Error);
+                    return false;
+                }
+
+                if (AuthenticodeTools.IsTrusted(this.autorunsPath) == false)
+                {
+                    EventLog.WriteEntry(Global.DISPLAY_NAME, "Error validating Autorun binary: Untrusted binary", EventLogEntryType.Error);
+                    return false;
+                }
+            }
+            catch (Exception ex)
             {
+                EventLog.WriteEntry(Global.DISPLAY_NAME, "Error validating Autorun binary: " + ex.Message, EventLogEntryType.Error);
                 return false;
-            }
+            }            
 
             return true;
         }

diff --git a/source/autorun-logger-client.csproj b/source/autorun-logger-client.csproj
@@ -40,7 +40,7 @@
     <WarningLevel>4</WarningLevel>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
-    <PlatformTarget>AnyCPU</PlatformTarget>
+    <PlatformTarget>x64</PlatformTarget>
     <DebugType>pdbonly</DebugType>
     <Optimize>true</Optimize>
     <OutputPath>bin\Release\</OutputPath>