Improved globalization

HotCakeX · Aug 20, 2024 · bb1c1ab · bb1c1ab
1 parent 9c755d8
commit bb1c1ab
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 33 deletions.
diff --git a/WDACConfig/WDACConfig Module Files/C#/Functions/DirectorySelector.cs b/WDACConfig/WDACConfig Module Files/C#/Functions/DirectorySelector.cs
@@ -53,7 +53,7 @@ public static class DirectorySelector
             return programsPaths.Count > 0 ? programsPaths.ToArray() : null;
         }
 
-        // Comparer for DirectoryInfo to ensure uniqueness and do it in a case-insensitive way        
+        // Comparer for DirectoryInfo to ensure uniqueness and do it in a case-insensitive way
         private class DirectoryInfoComparer : IEqualityComparer<DirectoryInfo>
         {
             public bool Equals(DirectoryInfo? x, DirectoryInfo? y)

diff --git a/WDACConfig/WDACConfig Module Files/C#/Functions/MoveUserModeToKernelMode.cs b/WDACConfig/WDACConfig Module Files/C#/Functions/MoveUserModeToKernelMode.cs
@@ -3,6 +3,7 @@
 using System.Xml;
 using static System.Formats.Asn1.AsnWriter;
 using System.Xml.Linq;
+using System.Globalization;
 
 #nullable enable
 
@@ -49,12 +50,13 @@ public static void Move(string filePath)
                 // Find SigningScenario nodes with Value 12 and 131
                 foreach (XmlNode signingScenario in signingScenarios)
                 {
-                    string valueAttr = signingScenario.Attributes["Value"].Value;
-                    if (valueAttr == "12")
+                    string? valueAttr = signingScenario.Attributes?["Value"]?.Value;
+
+                    if (string.Equals(valueAttr, "12", StringComparison.OrdinalIgnoreCase))
                     {
                         signingScenario12 = signingScenario;
                     }
-                    else if (valueAttr == "131")
+                    else if (string.Equals(valueAttr, "131", StringComparison.OrdinalIgnoreCase))
                     {
                         signingScenario131 = signingScenario;
                     }
@@ -107,7 +109,10 @@ public static void Move(string filePath)
                         }
 
                         // Remove SigningScenario with Value 12 completely after moving all of its AllowedSigners to SigningScenario with the value of 131
-                        signingScenario12.ParentNode.RemoveChild(signingScenario12);
+                        if (signingScenario12 != null)
+                        {
+                            signingScenario12.ParentNode?.RemoveChild(signingScenario12);
+                        }
                     }
                 }
 

diff --git a/WDACConfig/WDACConfig Module Files/C#/XMLOps/SignerAndHashBuilder.cs b/WDACConfig/WDACConfig Module Files/C#/XMLOps/SignerAndHashBuilder.cs
@@ -355,7 +355,7 @@ public static FileBasedInfoPackage BuildSignerAndHashObjects(Hashtable[] data, s
                 currentPublisherSigner.AuthenticodeSHA256 = string.Equals(incomingDataType, "MDEAH", StringComparison.OrdinalIgnoreCase) ? signedData["SHA256"].ToString() : signedData["SHA256 Hash"].ToString();
                 currentPublisherSigner.AuthenticodeSHA1 = string.Equals(incomingDataType, "MDEAH", StringComparison.OrdinalIgnoreCase) ? signedData["SHA1"].ToString() : signedData["SHA1 Hash"].ToString();
                 currentPublisherSigner.SiSigningScenario = string.Equals(incomingDataType, "MDEAH", StringComparison.OrdinalIgnoreCase) ? int.Parse(signedData["SiSigningScenario"].ToString(), CultureInfo.InvariantCulture) : (string.Equals(signedData["SI Signing Scenario"].ToString(), "Kernel-Mode", StringComparison.OrdinalIgnoreCase) ? 0 : 1);
-#nullable restore
+#nullable enable
 
                 // Add the completed PublisherSigner to the list
                 publisherSigners.Add(currentPublisherSigner);

diff --git a/WDACConfig/WDACConfig Module Files/Core/ConvertTo-WDACPolicy.psm1 b/WDACConfig/WDACConfig Module Files/Core/ConvertTo-WDACPolicy.psm1
@@ -397,7 +397,13 @@ Function ConvertTo-WDACPolicy {
                     $CurrentStep++
                     Write-Progress -Id 30 -Activity "Collecting $LogType events" -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100)
 
-                    [PSCustomObject[]]$EventsToDisplay = Receive-CodeIntegrityLogs -PostProcessing OnlyExisting -PolicyName:$FilterByPolicyNames -Date:$StartTime -Type:$LogType
+                    if ($null -ne $StartTime -and $StartTime -is [System.DateTime]) {
+                        [PSCustomObject[]]$EventsToDisplay = Receive-CodeIntegrityLogs -PostProcessing OnlyExisting -PolicyName:$FilterByPolicyNames -Date $StartTime -Type:$LogType
+                    }
+                    else {
+                        [PSCustomObject[]]$EventsToDisplay = Receive-CodeIntegrityLogs -PostProcessing OnlyExisting -PolicyName:$FilterByPolicyNames -Type:$LogType
+                    }
+
                     [PSCustomObject[]]$EventsToDisplay = Select-LogProperties -Logs $EventsToDisplay
 
                     # If the KernelModeOnly switch is used, then filter the events by the 'Requested Signing Level' property
@@ -866,7 +872,13 @@ Function ConvertTo-WDACPolicy {
                     $CurrentStep++
                     Write-Progress -Id 32 -Activity 'Processing the selected Evtx files' -Status "Step $CurrentStep/$TotalSteps" -PercentComplete ($CurrentStep / $TotalSteps * 100)
 
-                    [PSCustomObject[]]$EventsToDisplay = Receive-CodeIntegrityLogs -PolicyName:$FilterByPolicyNames -Date:$StartTime -Type:$LogType -LogSource EVTXFiles -EVTXFilePaths $EVTXLogs
+                    if ($null -ne $StartTime -and $StartTime -is [System.DateTime]) {
+                        [PSCustomObject[]]$EventsToDisplay = Receive-CodeIntegrityLogs -PolicyName:$FilterByPolicyNames -Date $StartTime -Type:$LogType -LogSource EVTXFiles -EVTXFilePaths $EVTXLogs
+                    }
+                    else {
+                        [PSCustomObject[]]$EventsToDisplay = Receive-CodeIntegrityLogs -PolicyName:$FilterByPolicyNames -Type:$LogType -LogSource EVTXFiles -EVTXFilePaths $EVTXLogs
+                    }
+
                     [PSCustomObject[]]$EventsToDisplay = Select-LogProperties -Logs $EventsToDisplay
 
                     # If the KernelModeOnly switch is used, then filter the events by the 'Requested Signing Level' property

diff --git a/WDACConfig/WDACConfig Module Files/Shared/Receive-CodeIntegrityLogs.psm1 b/WDACConfig/WDACConfig Module Files/Shared/Receive-CodeIntegrityLogs.psm1
@@ -13,7 +13,6 @@ Function Receive-CodeIntegrityLogs {
         Then processes the output based on different criteria
     .PARAMETER Date
         The date from which the logs should be collected. If not specified, all logs will be collected.
-        It accepts empty strings, nulls, and whitespace and they are treated as not specified.
     .PARAMETER Type
         The type of logs to be collected. Audit, Blocked, All. The default value is 'All'
     .PARAMETER PostProcessing
@@ -29,6 +28,7 @@ Function Receive-CodeIntegrityLogs {
         The file paths of the EVTX files to collect the logs from. It accepts an array of FileInfo objects
     .INPUTS
         System.String
+        System.DateTime
         System.String[]
         System.IO.FileInfo[]
     .OUTPUTS
@@ -40,10 +40,8 @@ Function Receive-CodeIntegrityLogs {
     [CmdletBinding()]
     [OutputType([System.Collections.Hashtable])]
     param(
-        [AllowEmptyString()]
-        [AllowNull()]
         [Parameter(Mandatory = $false)]
-        [System.String]$Date,
+        [System.DateTime]$Date,
 
         [ValidateSet('Audit', 'Blocked', 'All')]
         [Parameter(Mandatory = $false)]
@@ -87,13 +85,6 @@ Function Receive-CodeIntegrityLogs {
             }
         }
 
-        # Validate the date provided if it's not null or empty or whitespace
-        if (-NOT ([System.String]::IsNullOrWhiteSpace($Date))) {
-            if (-NOT ([System.DateTime]::TryParse($Date, [ref]$Date))) {
-                Throw 'The date provided is not in a valid DateTime type.'
-            }
-        }
-
         #Region Global Root Drive Fix
         Try {
             # Set a flag indicating that the alternative drive letter mapping method is not necessary unless the primary method fails
@@ -184,10 +175,8 @@ Function Receive-CodeIntegrityLogs {
                 [System.Diagnostics.Eventing.Reader.EventLogRecord]$AuditTemp = $RawLogGroup.Group.Where({ $_.Id -in '3076', '8028' }) | Select-Object -First 1
 
                 # If the main event is older than the specified date, skip it
-                if (-NOT ([System.String]::IsNullOrWhiteSpace($Date))) {
-                    if ($AuditTemp.TimeCreated -lt $Date) {
-                        continue
-                    }
+                if ($null -ne $Date -and $AuditTemp.TimeCreated -lt $Date) {
+                    continue
                 }
 
                 # Create a local hashtable to store the main event and the correlated events
@@ -208,10 +197,8 @@ Function Receive-CodeIntegrityLogs {
                 [System.Diagnostics.Eventing.Reader.EventLogRecord]$BlockedTemp = $RawLogGroup.Group.Where({ $_.Id -in '3077', '8029' }) | Select-Object -First 1
 
                 # If the main event is older than the specified date, skip it
-                if (-NOT ([System.String]::IsNullOrWhiteSpace($Date))) {
-                    if ($BlockedTemp.TimeCreated -lt $Date) {
-                        continue
-                    }
+                if ($null -ne $Date -and $BlockedTemp.TimeCreated -lt $Date) {
+                    continue
                 }
 
                 # Create a local hashtable to store the main event and the correlated events

diff --git a/WDACConfig/WDACConfig Module Files/WDACConfig.psm1 b/WDACConfig/WDACConfig Module Files/WDACConfig.psm1
@@ -29,6 +29,15 @@ if (!$IsWindows) {
 # Specifies that the WDACConfig module requires Administrator privileges
 #Requires -RunAsAdministrator
 
+# Unimportant actions that don't need to be terminating if they fail
+try {
+    # Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
+    Set-PSReadLineKeyHandler -Key 'Tab' -Function 'MenuComplete'
+    # Enables additional progress indicators for Windows Terminal and Windows
+    $PSStyle.Progress.UseOSCIndicator = $true
+}
+catch {}
+
 # This is required for the EKUs to work.
 # Load all the DLLs in the PowerShell folder, providing .NET types for the module
 # These types are required for the folder picker with multiple select options. Also the module manifest no longer handles assembly as it's not necessary anymore.
@@ -47,12 +56,6 @@ Add-Type -Path ([System.IO.Directory]::GetFiles("$PSScriptRoot\C#", '*.*', [Syst
 # Assign the value of the automatic variable $PSScriptRoot to the [WDACConfig.GlobalVars]::ModuleRootPath
 [WDACConfig.GlobalVars]::ModuleRootPath = $PSScriptRoot
 
-# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
-Set-PSReadLineKeyHandler -Key 'Tab' -Function 'MenuComplete'
-
-# Enables additional progress indicators for Windows Terminal and Windows
-$PSStyle.Progress.UseOSCIndicator = $true
-
 # Import the public global module
 Import-Module -FullyQualifiedName ([System.IO.Directory]::GetFiles("$PSScriptRoot\Public", '*.*', [System.IO.SearchOption]::AllDirectories)) -Force -Global