PE Net exception on Google drive files

[slaurel]

To reproduce: Install "Google Drive for Desktop". You should now have a virtual drive letter (e.g. G:) mapped to Google Drive.

Run: asa collect -a

Get the following error once it gets to scanning the virtual drive:

[10:16:01 INF] Scanning root G:
Fatal error. Fatal error. System.Runtime.InteropServices.SEHException (0x80004005): External component has thrown an exception.
System.Runtime.InteropServices.SEHException (0x80004005): External component has thrown an exception.
at System.IO.UnmanagedMemoryAccessor.ReadInt32(Int64)
at System.Buffer.Memmove(Byte*, Byte*, UIntPtr)
at PeNet.Header.Pe.WinCertificate.get_BCertificate()
at System.Runtime.InteropServices.SafeBuffer.ReadArray[[System.Byte, System.Private.CoreLib, Version=5.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]](UInt64, Byte[], Int32, Int32)
at PeNet.Header.Authenticode.AuthenticodeInfo..ctor(PeNet.PeFile)
at System.IO.UnmanagedMemoryAccessor.ReadArray[[System.Byte, System.Private.CoreLib, Version=5.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]](Int64, Byte[], Int32, Int32)
at PeNet.HeaderParser.Authenticode.AuthenticodeParser.ParseTarget()
at PeNet.FileParser.MMFile.ToArray()
at Microsoft.CST.AttackSurfaceAnalyzer.Collectors.WindowsFileSystemUtils.GetSignatureStatus(System.String)
at PeNet.Header.Authenticode.AuthenticodeInfo.ComputeAuthenticodeHashFromPeFile(System.Security.Cryptography.HashAlgorithm)
at Microsoft.CST.AttackSurfaceAnalyzer.Collectors.FileSystemCollector.FilePathToFileSystemObject(System.String)
at PeNet.Header.Authenticode.AuthenticodeInfo.VerifyHash()
at Microsoft.CST.AttackSurfaceAnalyzer.Collectors.FileSystemCollector.ParseFile(System.String)
at PeNet.Header.Authenticode.AuthenticodeInfo..ctor(PeNet.PeFile)
at System.Threading.Tasks.Parallel+<>c__DisplayClass44_02[[System.__Canon, System.Private.CoreLib, Version=5.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.__Canon, System.Private.CoreLib, Version=5.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].<PartitionerForEachWorker>b__1(System.Collections.IEnumerator ByRef, Int32, Boolean ByRef) at PeNet.HeaderParser.Authenticode.AuthenticodeParser.ParseTarget() at System.Threading.Tasks.TaskReplicator+Replica.Execute() at Microsoft.CST.AttackSurfaceAnalyzer.Collectors.WindowsFileSystemUtils.GetSignatureStatus(System.String) at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(System.Threading.Thread, System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object) at Microsoft.CST.AttackSurfaceAnalyzer.Collectors.FileSystemCollector.FilePathToFileSystemObject(System.String) at System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef, System.Threading.Thread) at Microsoft.CST.AttackSurfaceAnalyzer.Collectors.FileSystemCollector.ParseFile(System.String) at System.Threading.ThreadPoolWorkQueue.Dispatch() at System.Threading.Tasks.Parallel+<>c__DisplayClass44_02[[System.__Canon, System.Private.CoreLib, Version=5.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.__Canon, System.Private.CoreLib, Version=5.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].b__1(System.Collections.IEnumerator ByRef, Int32, Boolean ByRef)
at System.Threading.Tasks.TaskReplicator+Replica.Execute()
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(System.Threading.Thread, System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef, System.Threading.Thread)
at System.Threading.ThreadPoolWorkQueue.Dispatch()

A potential workaround would be to allow specifying a list of drive letters to exclude.

[gfs]

Thanks for the report. We did (attempt) to exclude "Cloud" files by default but the implementation may only work for OneDrive.

You can use --skip-directories to skip the Google Drive

For example: asa collect -a --skip-directories G:/

Use asa collect --help for a full list of options.