getInstance() public static method

public static getInstance ( ) : Writer
return Writer
Beispiel #1
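        /// <summary>
        /// Creates and arms three <see cref="FileSystemWatcher"/> instances: one on
        /// <c>sysroot</c> (top level only), one on <c>usertemp</c> (recursive) and one on
        /// <c>sysroot + "temp\"</c> (top level only).
        /// </summary>
        /// <remarks>
        /// Coverage caveats for anyone relying on this as a detection source:
        /// only the <c>Changed</c> event is subscribed in this constructor, so with
        /// <c>NotifyFilters.FileName | NotifyFilters.Size</c> a notification arrives when a
        /// file's size changes; creations, deletions and renames are reported through
        /// <c>Created</c>/<c>Deleted</c>/<c>Renamed</c>, which are not hooked here (verify
        /// whether they are hooked elsewhere). No <c>Error</c> handler is attached either,
        /// so an internal-buffer overflow during a burst of file activity would drop
        /// notifications without any trace.
        /// </remarks>
        public FileWatchers()
        {
            // Fetch the shared writer BEFORE any watcher is armed. The original assigned it
            // last, after EnableRaisingEvents = true; notifications are delivered on other
            // threads, so a handler (presumably using w - the handlers are not visible here)
            // could run while w was still null.
            w = Writer.getInstance();

            systemp = sysroot + "temp\\";

            // c:\Windows (per the original comment; sysroot is defined outside this block)
            psexecWatcher = new FileSystemWatcher();
            psexecWatcher.Path = sysroot;
            psexecWatcher.Filter = "*.*";
            psexecWatcher.NotifyFilter = NotifyFilters.FileName | NotifyFilters.Size;
            psexecWatcher.IncludeSubdirectories = false;
            psexecWatcher.Changed += psexecChanged;
            psexecWatcher.EnableRaisingEvents = true;   // armed last, once fully configured

            // %temp% - the only watcher that recurses into subdirectories
            exploitWatcher = new FileSystemWatcher();
            exploitWatcher.Path = usertemp;
            exploitWatcher.Filter = "*.*";
            exploitWatcher.NotifyFilter = NotifyFilters.FileName | NotifyFilters.Size;
            exploitWatcher.IncludeSubdirectories = true;
            exploitWatcher.Changed += exploitChanged;
            exploitWatcher.EnableRaisingEvents = true;

            // c:\windows\temp
            systempWatcher = new FileSystemWatcher();
            systempWatcher.Path = systemp;
            systempWatcher.Filter = "*.*";
            systempWatcher.NotifyFilter = NotifyFilters.FileName | NotifyFilters.Size;
            systempWatcher.IncludeSubdirectories = false;
            systempWatcher.Changed += systempChanged;
            systempWatcher.EnableRaisingEvents = true;
        }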
Beispiel #2
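        /// <summary>
        /// Subscribes to new entries in the Windows "Security" event log and prepares the
        /// state (<c>builder</c>, <c>w</c>) that this class keeps alongside the subscription.
        /// </summary>
        /// <remarks>
        /// Operational notes: reading the Security log normally requires elevated rights,
        /// so construction is expected to throw when the process lacks them (confirm how
        /// callers handle that). <c>EntryWritten</c> is a change notification, not a
        /// guaranteed per-record feed; the .NET documentation states that notifications are
        /// rate-limited, so bursts of entries can be under-reported. If completeness
        /// matters, re-read the log from the last seen record rather than trusting the
        /// event alone.
        /// </remarks>
        public EventLogWatchers()
        {
            // Initialise handler-side state first. The original enabled event delivery and
            // only then assigned builder and w, leaving a window in which entryWritten
            // (presumably the consumer of both - not visible here) could see nulls.
            builder = new StringBuilder();
            w = Writer.getInstance();

            // NOTE(review): the EventLog is held only in this local, so nothing in this
            // constructor keeps a handle for disabling or disposing it later.
            EventLog securityLog = new EventLog("Security");
            securityLog.EntryWritten += entryWritten;
            securityLog.EnableRaisingEvents = true;
        }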
Beispiel #3
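        /// <summary>
        /// Starts a WMI event subscription on <c>Win32_ProcessStartTrace</c> so that
        /// <c>watcher_EventArrived</c> is invoked for process-start events.
        /// </summary>
        /// <remarks>
        /// NOTE(review): this WMI class generally needs an elevated caller, and its events
        /// carry process name and ids but, as far as the class definition goes, no command
        /// line. If the handler needs arguments it has to look them up separately, which
        /// can miss short-lived processes. Confirm against the handler.
        /// </remarks>
        public ProcWatchers()
        {
            // State used when events arrive is set up before Start(). In the original,
            // Start() came first and w/builder were assigned afterwards, so an event
            // delivered in between would have found them null.
            w = Writer.getInstance();
            builder = new StringBuilder();

            watcher = new ManagementEventWatcher();
            watcher.Query = new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace");
            watcher.EventArrived += watcher_EventArrived;
            watcher.Start();
        }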
Beispiel #4
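        /// <summary>
        /// Wires up three WMI registry watchers (<c>userWatch</c>, <c>bootWatch</c>,
        /// <c>serviceWatch</c>), starts them, then calls <c>initialize()</c>.
        /// </summary>
        /// <remarks>
        /// The user query watches only
        /// <c>HKEY_USERS\&lt;SID&gt;\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</c> for the
        /// SID of the account this process runs as. When the monitor runs under a service
        /// account, that is not the interactive user's hive, so other users' Run keys are
        /// outside this query. The scope of <c>bootSql</c> and <c>serviceSql</c> is defined
        /// outside this block.
        /// </remarks>
        public RegistryWatchers()
        {
            // Obtain the writer before any watcher is started; the original assigned it on
            // the last line, after all three Start() calls, so an early event could reach a
            // handler (presumably using w - not visible here) while it was still null.
            w = Writer.getInstance();

            // WindowsIdentity is IDisposable; copy the SID string out and release the
            // token handle instead of leaving it to the finalizer.
            string currentSid;
            using (WindowsIdentity currentUser = WindowsIdentity.GetCurrent())
            {
                currentSid = currentUser.User.Value;
            }

            // The SID comes from the process token, not from external input. Backslashes
            // are doubled inside the verbatim strings because WQL needs them escaped.
            userWatch.Query = new WqlEventQuery("SELECT * FROM RegistryTreeChangeEvent WHERE " +
                                                "Hive = 'HKEY_USERS' " +
                                                @"AND RootPath = '" + currentSid + @"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'");
            bootWatch.Query = new WqlEventQuery(bootSql);
            serviceWatch.Query = new WqlEventQuery(serviceSql);

            userWatch.EventArrived += currentUserEvent;
            userWatch.Start();

            bootWatch.EventArrived += localMachineEvent;
            bootWatch.Start();

            serviceWatch.EventArrived += serviceEvent;
            serviceWatch.Start();

            // Kept after the Start() calls as in the original; what initialize() does is
            // not visible here, so its position relative to the watchers is left unchanged.
            initialize();
        }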