        // TODO: check out https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna#L10
        public static List <Dictionary <string, string> > GetProcInfo()
        {
            // Joins the live process list with the WMI Win32_Process rows (matched on process id)
            // so that each entry also carries the executable path, the command line and the owner.
            // NOTE: the CompanyName lookup is disabled in this method, so "Product" is always ""
            // and the "not Microsoft" filter below never excludes anything: every process for
            // which WMI reports an ExecutablePath is returned.
            var results = new List <Dictionary <string, string> >();

            try
            {
                const string wmiQuery = "SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process";
                using (var searcher = new ManagementObjectSearcher(wmiQuery))
                using (var wmiRows = searcher.Get())
                {
                    // Inner join: a process only shows up when WMI returned a row for its id.
                    // GetProcU() runs inside the projection, i.e. once per matched process.
                    var joined = Process.GetProcesses().Join(
                        wmiRows.Cast <ManagementObject>(),
                        p => p.Id,
                        mo => (int)(uint)mo["ProcessId"],
                        (p, mo) => new
                        {
                            Proc     = p,
                            Pth      = (string)mo["ExecutablePath"],
                            CommLine = (string)mo["CommandLine"],
                            Owner    = GetProcU(p),
                        });

                    foreach (var entry in joined)
                    {
                        // No executable path reported for this process: nothing to inspect.
                        if (entry.Pth == null)
                        {
                            continue;
                        }

                        string companyName = "";
                        string isDotNet    = "";
                        try
                        {
                            // The version info itself is not used (CompanyName lookup is disabled);
                            // the call still runs so that an unreadable binary also skips the .NET check.
                            FileVersionInfo.GetVersionInfo(entry.Pth);
                            isDotNet = MyUtils.CheckIfDotNet(entry.Pth) ? "isDotNet" : "";
                        }
                        catch
                        {
                            // Not enough privileges to read the binary
                        }

                        // Always true while companyName stays "", kept for parity with the service listings.
                        if (string.IsNullOrEmpty(companyName) || !Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))
                        {
                            results.Add(new Dictionary <string, string>
                            {
                                ["Name"]           = entry.Proc.ProcessName,
                                ["ProcessID"]      = entry.Proc.Id.ToString(),
                                ["ExecutablePath"] = entry.Pth,
                                ["Product"]        = companyName,
                                ["Owner"]          = entry.Owner ?? "",
                                ["isDotNet"]       = isDotNet,
                                ["CommandLine"]    = entry.CommLine,
                            });
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
            return results;
        }
        ///////////////////////////////////////////////
        //// Non Standard Services (Non Microsoft) ////
        ///////////////////////////////////////////////
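        public static List <Dictionary <string, string> > GetNonstandardServices()
        {
            // Lists every Win32_Service whose binary's version-info CompanyName does not start with
            // "Microsoft", plus every service whose CompanyName could not be read (no version resource,
            // missing file, insufficient privileges). CompanyName is self-declared metadata inside the
            // binary, so this is a triage filter, not a proof of origin.
            var results = new List <Dictionary <string, string> >();

            try
            {
                using (var searcher = new ManagementObjectSearcher(@"root\cimv2", "SELECT * FROM win32_service"))
                using (var services = searcher.Get())
                {
                    foreach (ManagementObject service in services)
                    {
                        object rawPath = service["PathName"];
                        if (rawPath == null)
                        {
                            continue;
                        }

                        // GetExecutableFromPath is expected to reduce the raw PathName to the
                        // executable only (quotes/arguments removed) - verify against MyUtils.
                        string binaryPath  = MyUtils.GetExecutableFromPath(rawPath.ToString());
                        string companyName = "";
                        string isDotNet    = "";
                        try
                        {
                            FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                            // CompanyName is null when the file carries no version resource;
                            // normalise to "" so the result dictionary never holds a null value.
                            companyName = versionInfo.CompanyName ?? "";
                            isDotNet    = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                        }
                        catch (Exception)
                        {
                            // Not enough privileges (or file not found): both fields stay empty
                        }

                        if (string.IsNullOrEmpty(companyName) || !Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))
                        {
                            results.Add(new Dictionary <string, string>
                            {
                                ["Name"]         = GetStringOrEmpty(service["Name"]),
                                ["DisplayName"]  = GetStringOrEmpty(service["DisplayName"]),
                                ["CompanyName"]  = companyName,
                                ["State"]        = GetStringOrEmpty(service["State"]),
                                ["StartMode"]    = GetStringOrEmpty(service["StartMode"]),
                                ["PathName"]     = GetStringOrEmpty(service["PathName"]),
                                ["FilteredPath"] = binaryPath,
                                ["isDotNet"]     = isDotNet,
                                ["Description"]  = GetStringOrEmpty(service["Description"])
                            });
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }

            return results;
        }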
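        public static List <Dictionary <string, string> > GetNonstandardServicesFromReg()
        {
            // Same "not Microsoft" filter as GetNonstandardServices(), but sourced from
            // HKLM\SYSTEM\CurrentControlSet\Services instead of WMI, so it also works when WMI
            // is unavailable. Keys without both DisplayName and ImagePath are skipped.
            // "Name" is the registry key (the real service name, what sc/net reference);
            // "State" cannot be read from the registry and is always "".
            var results = new List <Dictionary <string, string> >();

            try
            {
                foreach (string serviceKey in RegistryHelper.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services"))
                {
                    Dictionary <string, object> values = RegistryHelper.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + serviceKey);

                    if (!values.ContainsKey("DisplayName") || !values.ContainsKey("ImagePath"))
                    {
                        continue;
                    }

                    string displayName = string.Format("{0}", values["DisplayName"]);
                    string imagePath   = string.Format("{0}", values["ImagePath"]);
                    // Kernel-style "\SystemRoot\" prefixes are rewritten so that environment
                    // expansion yields a path the file APIs can open.
                    string pathName    = Environment.ExpandEnvironmentVariables(imagePath.Replace("\\SystemRoot\\", "%SystemRoot%\\"));
                    string binaryPath  = MyUtils.ReconstructExecPath(pathName);

                    string companyName = "";
                    string isDotNet    = "";
                    if (!string.IsNullOrEmpty(binaryPath))
                    {
                        try
                        {
                            FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                            // CompanyName is null when the file carries no version resource;
                            // normalise to "" so the result dictionary never holds a null value.
                            companyName = versionInfo.CompanyName ?? "";
                            isDotNet    = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                        }
                        catch (Exception)
                        {
                            // Not enough privileges (or file not found): both fields stay empty
                        }
                    }

                    string description = values.ContainsKey("Description") ? string.Format("{0}", values["Description"]) : "";
                    // string.Format tolerates a null "Start" value (-> "" -> no match) instead of throwing.
                    string startMode   = values.ContainsKey("Start") ? StartValueToMode(string.Format("{0}", values["Start"])) : "";

                    if (string.IsNullOrEmpty(companyName) || !Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))
                    {
                        results.Add(new Dictionary <string, string>
                        {
                            ["Name"]         = serviceKey,
                            ["DisplayName"]  = displayName,
                            ["CompanyName"]  = companyName,
                            ["State"]        = "",
                            ["StartMode"]    = startMode,
                            ["PathName"]     = pathName,
                            ["FilteredPath"] = binaryPath ?? "",
                            ["isDotNet"]     = isDotNet,
                            ["Description"]  = description
                        });
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
            return results;
        }

        // Maps a service key's REG_DWORD "Start" value (SERVICE_*_START constants) to the wording
        // Win32_Service.StartMode uses, so both service listings report start modes the same way.
        // Unknown values map to "".
        private static string StartValueToMode(string startValue)
        {
            switch (startValue)
            {
                case "0": return "Boot";      // SERVICE_BOOT_START
                case "1": return "System";    // SERVICE_SYSTEM_START
                case "2": return "Auto";      // SERVICE_AUTO_START
                case "3": return "Manual";    // SERVICE_DEMAND_START
                case "4": return "Disabled";  // SERVICE_DISABLED
                default:  return "";
            }
        }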