зеркало из https://github.com/microsoft/msquic.git
Add Salted Hash Support To Etw Collection (#1734)
This commit is contained in:
Nick Banks
GitHub
Родитель
dce6d6f905
Коммит
7a5af86721
|
|
@ -31,6 +31,9 @@ This script invokes an ETW trace collection
|
|||
|
||||
.PARAMETER Sanitize
|
||||
If set, sanitizes IP addresses in the converted ETL file.
|
||||
|
||||
.PARAMETER UseSaltedHash
|
||||
If set, IP address sanitization uses a salted hash instead of REDACTED.
|
||||
#>
|
||||
|
||||
param (
|
||||
|
|
@ -59,23 +62,37 @@ param (
|
|||
[switch]$Convert,
|
||||
|
||||
[Parameter(Mandatory = $false)]
|
||||
[switch]$Sanitize
|
||||
[switch]$Sanitize,
|
||||
|
||||
[Parameter(Mandatory = $false)]
|
||||
[switch]$UseSaltedHash
|
||||
)
|
||||
|
||||
Set-StrictMode -Version 'Latest'
|
||||
$PSDefaultParameterValues['*:ErrorAction'] = 'Stop'
|
||||
|
||||
$IPv4Pattern = '(((25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))'
|
||||
|
||||
$IPv6Pattern = ":(?::[a-f\d]{1,4}){0,5}(?:(?::[a-f\d]{1,4}){1,2}|:(?:(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})))|[a-f\d]{1,4}:(?:[a-f\d]{1,4}:(?:[a-f\d]{1,4}:(?:[a-f\d]{1,4}:(?:[a-f\d]{1,4}:(?:[a-f\d]{1,4}:(?:[a-f\d]{1,4}:(?:[a-f\d]{1,4}|:)|(?::(?:[a-f\d]{1,4})?|(?:(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))))|:(?:(?:(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))|[a-f\d]{1,4}(?::[a-f\d]{1,4})?|))|(?::(?:(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))|:[a-f\d]{1,4}(?::(?:(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))|(?::[a-f\d]{1,4}){0,2})|:))|(?:(?::[a-f\d]{1,4}){0,2}(?::(?:(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))|(?::[a-f\d]{1,4}){1,2})|:))|(?:(?::[a-f\d]{1,4}){0,3}(?::(?:(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))|(?::[a-f\d]{1,4}){1,2})|:))|(?:(?::[a-f\d]{1,4}){0,4}(?::(?:(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})\.){3}(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))|(?::[a-f\d]{1,4}){1,2})|:))"
|
||||
|
||||
# Compile the regex for performance reasons, also ignore case
|
||||
$RegexOptions = [System.Text.RegularExpressions.RegexOptions]::Compiled
|
||||
$RegexOptions += [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
|
||||
$IPv6Regex = [Regex]::new($IPv6Pattern, $RegexOptions)
|
||||
|
||||
$IPv6Regex = [Regex]::new($IPv6Pattern, $RegexOptions)
|
||||
$IPv4Regex = [Regex]::new($IPv4Pattern, $RegexOptions)
|
||||
|
||||
# Create HMAC for salted hashing.
|
||||
$Secret = ""
|
||||
for ($i = 0; $i -lt 4; $i++) {
|
||||
$Secret+= $(Get-Random).ToString('x8')
|
||||
}
|
||||
$HmacSha = New-Object System.Security.Cryptography.HMACSHA256
|
||||
$HmacSha.key = [Text.Encoding]::ASCII.GetBytes($Secret)
|
||||
|
||||
function Perform-SaltedHash($Input) {
|
||||
return [Convert]::ToBase64String($HmacSha.ComputeHash([Text.Encoding]::ASCII.GetBytes($Input))).SubString(0,12)
|
||||
}
|
||||
|
||||
function Format-IPAddresses {
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
|
|
@ -100,14 +117,28 @@ function Format-IPAddresses {
|
|||
# Explicitly check IPv4, as the way IPv4 is printed by ETW
|
||||
# partially matches the IPv6 cases, which doesn't fully match
|
||||
# and then exits, leaving the address exposed.
|
||||
$IPv4Matches = $IPv4Regex.Matches($ShrunkLine)
|
||||
foreach ($Match in $IPv4Matches) {
|
||||
$Line = $Line.Replace($Match, "REDACTED");
|
||||
}
|
||||
if ($UseSaltedHash) {
|
||||
$IPv4Matches = $IPv4Regex.Matches($ShrunkLine)
|
||||
foreach ($Match in $IPv4Matches) {
|
||||
$HashedMatch = Perform-SaltedHash $Match
|
||||
$Line = $Line.Replace($Match, $HashedMatch);
|
||||
}
|
||||
|
||||
$IPv6Matches = $IPv6Regex.Matches($ShrunkLine)
|
||||
foreach ($Match in $IPv6Matches) {
|
||||
$Line = $Line.Replace($Match, "REDACTED");
|
||||
$IPv6Matches = $IPv6Regex.Matches($ShrunkLine)
|
||||
foreach ($Match in $IPv6Matches) {
|
||||
$HashedMatch = Perform-SaltedHash $Match
|
||||
$Line = $Line.Replace($Match, $HashedMatch);
|
||||
}
|
||||
} else {
|
||||
$IPv4Matches = $IPv4Regex.Matches($ShrunkLine)
|
||||
foreach ($Match in $IPv4Matches) {
|
||||
$Line = $Line.Replace($Match, "REDACTED");
|
||||
}
|
||||
|
||||
$IPv6Matches = $IPv6Regex.Matches($ShrunkLine)
|
||||
foreach ($Match in $IPv6Matches) {
|
||||
$Line = $Line.Replace($Match, "REDACTED");
|
||||
}
|
||||
}
|
||||
return $Line
|
||||
}
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче