public int GetCount(string username, string password, string nameSpace, string filter)
{
var context = new ManagementNamedValueCollection();
ManagementScope scope = new ManagementScope(GetScopeString("localhost", nameSpace), new ConnectionOptions("en-US", username, password, "", ImpersonationLevel.Default, AuthenticationLevel.Default, true, context, TimeSpan.FromSeconds(60)));
{
ObjectQuery query = new ObjectQuery(filter);
using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query, new EnumerationOptions(context, TimeSpan.FromSeconds(60), 4096, true, true, true, false, false, true, true)))
{
return(searcher.Get().Count);
}
}
}
public IEnumerable <object> Get(string username, string password, string nameSpace, string filter)
{
var context = new ManagementNamedValueCollection();
ManagementScope scope = new ManagementScope(GetScopeString("localhost", nameSpace), new ConnectionOptions("en-US", username, password, "", ImpersonationLevel.Default, AuthenticationLevel.Default, true, context, TimeSpan.FromSeconds(60)));
{
ObjectQuery query = new ObjectQuery(filter);
using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query, new EnumerationOptions(context, TimeSpan.FromSeconds(60), 4096, true, true, true, false, false, true, true)))
{
foreach (ManagementBaseObject obj in searcher.Get())
{
yield return(ToEndointAddress(obj, _isLocal));
}
}
}
}
private static RegType GetValueType(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName)
{
ManagementBaseObject inParams = mc.GetMethodParameters("EnumValues");
inParams["hDefKey"] = hDefKey;
inParams["sSubKeyName"] = sSubKeyName;
ManagementNamedValueCollection objCtx = new ManagementNamedValueCollection();
objCtx.Add("__ProviderArchitecture", 64);
objCtx.Add("__RequiredArchitecture", true);
InvokeMethodOptions invokeOptions = new InvokeMethodOptions();
invokeOptions.Context = objCtx;
ManagementBaseObject outParams = mc.InvokeMethod("EnumValues", inParams, invokeOptions);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
string[] sNames = outParams["sNames"] as String[];
int[] iTypes = outParams["Types"] as int[];
for (int i = 0; i < sNames.Length; i++)
{
if (sNames[i] == sValueName)
{
return((RegType)iTypes[i]);
}
}
return(0);
}
else
{
return(0);
}
return(0);
}
public string GetFilthyStdOut(string strKey)
{
StringBuilder strOut = new StringBuilder();
bool bSeenFinishedMarker = false;
Console.WriteLine("[i] Getting stdout from registry from " + strKey);
ManagementClass registry = new ManagementClass(this.Scope, new ManagementPath("StdRegProv"), null);
// Enumerate the values
ManagementBaseObject inParams = registry.GetMethodParameters("EnumValues");
inParams["sSubKeyName"] = strKey;
inParams["hDefKey"] = RegHive.HKEY_LOCAL_MACHINE;
ManagementNamedValueCollection objCtx = new ManagementNamedValueCollection();
objCtx.Add("__ProviderArchitecture", 64);
objCtx.Add("__RequiredArchitecture", true);
InvokeMethodOptions invokeOptions = new InvokeMethodOptions();
invokeOptions.Context = objCtx;
ManagementBaseObject outParams = registry.InvokeMethod("EnumValues", inParams, invokeOptions);
string[] strValues = outParams["sNames"] as string[];
try
{
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
}
else
{
Console.WriteLine("[!] Failed to get values " + outParams["ReturnValue"].ToString());
return(null);
}
}
catch (Exception ex)
{
Console.WriteLine("[!] Failed to get values - command likely not valid i.e. generated no stdout output - " + ex.Message.ToString());
return(null);
}
try
{
foreach (string value in strValues)
{
try
{
RegType rType = GetValueType(registry, RegHive.HKEY_LOCAL_MACHINE, strKey, value);
switch (rType)
{
case RegType.REG_SZ:
inParams = registry.GetMethodParameters("GetStringValue");
inParams["sSubKeyName"] = strKey;
inParams["sValueName"] = value;
inParams["hDefKey"] = RegHive.HKEY_LOCAL_MACHINE;
ManagementBaseObject outParams2 = registry.InvokeMethod("GetStringValue", inParams, invokeOptions);
if (outParams2.Properties["sValue"].Value != null)
{
if (outParams2.Properties["sValue"].Value.ToString().Contains("CDOFINISHED"))
{
bSeenFinishedMarker = true;
}
else
{
strOut.AppendLine(outParams2.Properties["sValue"].Value.ToString());
}
}
else
{
}
// One of ours
int intMy;
bool isNumeric = int.TryParse("123", out intMy);
if (isNumeric && intMy > 0)
{
inParams = registry.GetMethodParameters("DeleteValue");
inParams["sSubKeyName"] = strKey;
inParams["sValueName"] = value;
inParams["hDefKey"] = RegHive.HKEY_LOCAL_MACHINE;
registry.InvokeMethod("DeleteValue", inParams, invokeOptions);
}
break;
default:
break;
}
}
catch
{
continue;
}
}
if (bSeenFinishedMarker == false)
{
Console.WriteLine("[!] WARNING: Didn't see stdout output finished marker - output may be truncated");
}
else
{
Console.WriteLine("[i] Full command output received");
}
return(strOut.ToString());
}
catch
{
Console.WriteLine("[i] No registry keys indicating no output");
return("");
}
}
public InvokeMethodOptions(ManagementNamedValueCollection context, System.TimeSpan timeout)
{
}
public DeleteOptions(ManagementNamedValueCollection context, System.TimeSpan timeout) {}
public PutOptions(ManagementNamedValueCollection context, System.TimeSpan timeout, bool useAmendedQualifiers, PutType putType)
{
}
public DeleteOptions(ManagementNamedValueCollection context, System.TimeSpan timeout)
{
}
public ObjectGetOptions(ManagementNamedValueCollection context, System.TimeSpan timeout, bool useAmendedQualifiers) {}
public ObjectGetOptions(ManagementNamedValueCollection context, System.TimeSpan timeout, bool useAmendedQualifiers)
{
}
public ObjectGetOptions(ManagementNamedValueCollection context)
{
}
public EventWatcherOptions(ManagementNamedValueCollection context, TimeSpan timeout, int blockSize)
{
throw new NotImplementedException();
}
public EventWatcherOptions(ManagementNamedValueCollection context, System.TimeSpan timeout, int blockSize)
{
}
public ConnectionOptions(string locale, string username, string password, string authority, ImpersonationLevel impersonation, AuthenticationLevel authentication, bool enablePrivileges, ManagementNamedValueCollection context, System.TimeSpan timeout)
{
}
public ConnectionOptions(string locale, string username, System.Security.SecureString password, string authority, ImpersonationLevel impersonation, AuthenticationLevel authentication, bool enablePrivileges, ManagementNamedValueCollection context, System.TimeSpan timeout) {}
public EnumerationOptions(ManagementNamedValueCollection context, System.TimeSpan timeout, int blockSize, bool rewindable, bool returnImmediatley, bool useAmendedQualifiers, bool ensureLocatable, bool prototypeOnly, bool directRead, bool enumerateDeep) {}
public ObjectGetOptions(ManagementNamedValueCollection context) {}
public PutOptions(ManagementNamedValueCollection context, System.TimeSpan timeout, bool useAmendedQualifiers, PutType putType)
{
}
public InvokeMethodOptions(ManagementNamedValueCollection context, System.TimeSpan timeout) {}
public PutOptions(ManagementNamedValueCollection context)
{
}
public EventWatcherOptions (ManagementNamedValueCollection context, TimeSpan timeout, int blockSize)
{
throw new NotImplementedException ();
}
//WMI Query Registry for software details
public int ReadRegistryForSoftwareWMI()
{
ComputerSoftware computerSoftwares = new ComputerSoftware();
int rtn = -1;
try
{
using (var db = new DatabaseContext())
{
const int REG_SZ = 1;
const int REG_EXPAND_SZ = 2;
const int REG_BINARY = 3;
const int REG_DWORD = 4;
const int REG_MULTI_SZ = 7;
const int REG_QWORD = 11;
var queryDBSoftware = db.ComputerSoftwares.Select(x => x.Name);
List <int> softwareBits = new List <int> {
32, 64
};
foreach (int bit in softwareBits)
{
ManagementNamedValueCollection mContext = new ManagementNamedValueCollection
{
{ "__ProviderArchitecture", bit },
{ "__RequiredArchitecture", true }
};
ConnectionOptions connectionOptions = new ConnectionOptions
{
Impersonation = ImpersonationLevel.Impersonate,
Context = mContext
};
ManagementScope scope = new ManagementScope("\\\\" + Environment.MachineName + "\\root\\CIMV2", connectionOptions);
scope.Connect();
string softwareRegLoc = @"Software\Microsoft\Windows\CurrentVersion\Uninstall";
ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);
ManagementBaseObject inParams = registry.GetMethodParameters("EnumKey");
inParams["hDefKey"] = 0x80000002;//HKEY_LOCAL_MACHINE
inParams["sSubKeyName"] = softwareRegLoc;
// Read Registry Key Names
ManagementBaseObject outParams = registry.InvokeMethod("EnumKey", inParams, null);
string[] softwareGuids = outParams["sNames"] as string[];
foreach (string subKeyName in softwareGuids)
{
inParams = registry.GetMethodParameters("EnumValues");
inParams["hDefKey"] = 0x80000002;//HKEY_LOCAL_MACHINE
inParams["sSubKeyName"] = softwareRegLoc + @"\" + subKeyName;
// Read Registry Value
outParams = registry.InvokeMethod("EnumValues", inParams, null);
if (outParams.Properties["sNames"].Value != null &&
outParams.Properties["Types"].Value != null)
{
//For Names
string[] softwareValueNames = (outParams.Properties["sNames"].Value) as string[];
int[] softwareValueTypes = (outParams.Properties["Types"].Value) as int[];
//For Types
for (int i = 0; i < softwareValueTypes.Count(); i++)
{
int valueTypes = softwareValueTypes[i];
string valueNames = softwareValueNames[i];
string executionMethod;
switch (valueTypes)
{
case REG_SZ:
{
executionMethod = "GetStringValue";
//inParams = registry.GetMethodParameters("GetStringValue");
break;
}
case REG_EXPAND_SZ:
{
executionMethod = "GetExpandedStringValue";
break;
}
case REG_BINARY:
{
executionMethod = "GetBinaryValue";
break;
}
case REG_DWORD:
{
executionMethod = "GetDWORDValue";
break;
}
case REG_MULTI_SZ:
{
executionMethod = "GetMultiStringValue";
break;
}
case REG_QWORD:
{
executionMethod = "GetQWORDValue";
break;
}
default:
{
executionMethod = "Close";
break;
}
}
if (executionMethod != "Close")
{
inParams = registry.GetMethodParameters(executionMethod);
inParams["hDefKey"] = 0x80000002;//HKEY_LOCAL_MACHINE
inParams["sSubKeyName"] = softwareRegLoc + @"\" + subKeyName;
inParams["sValueName"] = valueNames;
outParams = registry.InvokeMethod(executionMethod, inParams, null);
int softwareSystemComponent;
//Get values
switch (valueNames)
{
case "DisplayName":
{
computerSoftwares.Name = outParams.Properties["sValue"].Value.ToString();
break;
}
case "InstallLocation":
{
computerSoftwares.InstalledLocation = outParams.Properties["sValue"].Value.ToString();
break;
}
case "DisplayVersion":
{
computerSoftwares.Version = outParams.Properties["sValue"].Value.ToString();
break;
}
case "Publisher":
{
computerSoftwares.Publisher = outParams.Properties["sValue"].Value.ToString();
break;
}
case "InstallDate":
{
DateTime dt;
if (outParams.Properties["sValue"].Value.ToString() == null)
{
computerSoftwares.InstalledOn = Convert.ToDateTime("19900903");
}
else
{
try
{
if (DateTime.TryParseExact(outParams.Properties["sValue"].Value.ToString(), "yyyyMMdd", CultureInfo.InvariantCulture, DateTimeStyles.None, out dt))
{
computerSoftwares.InstalledOn = dt;
}
else if (DateTime.TryParseExact(outParams.Properties["sValue"].Value.ToString(), "yyyy-MM-dd", CultureInfo.InvariantCulture, DateTimeStyles.None, out dt))
{
computerSoftwares.InstalledOn = dt;
}
else if (DateTime.TryParseExact(outParams.Properties["sValue"].Value.ToString(), "yyyy/MM/dd", CultureInfo.InvariantCulture, DateTimeStyles.None, out dt))
{
computerSoftwares.InstalledOn = dt;
}
}
catch (Exception ex)
{
throw ex;
}
}
break;
}
case "EstimatedSize":
{
computerSoftwares.Size = Convert.ToInt32(outParams.Properties["uValue"].Value);
break;
}
case "SystemComponent":
{
softwareSystemComponent = Convert.ToInt32(outParams.Properties["uValue"].Value);
if (softwareSystemComponent.Equals(""))
{
softwareSystemComponent = 1;
}
computerSoftwares.SystemComponent = softwareSystemComponent;
break;
}
default:
break;
}
}
}
//Filter unwanted softwares
if (softwareValueNames.Contains("WindowsInstaller") &&
!softwareValueNames.Contains("ParentDisplayName") &&
!softwareValueNames.Contains("ParentDisplayName") &&
softwareValueNames.Contains("UninstallString"))
{
var currentRegistryScan = computerSoftwares.Name.ToString();
if (!string.IsNullOrEmpty(currentRegistryScan) &&
char.IsUpper(currentRegistryScan[0]) &&
!currentRegistryScan.Contains("-") &&
!currentRegistryScan.ToLower().Contains("pack") &&
!currentRegistryScan.ToLower().Contains("kb") &&
!currentRegistryScan.ToLower().Contains("update") &&
!queryDBSoftware.Contains(currentRegistryScan) &&
computerSoftwares.SystemComponent == 1)
{
computerSoftwares.Status = "Active";
db.ComputerSoftwares.Add(computerSoftwares);
db.SaveChanges();
}
}
}
}
}
rtn = 1;
}
}
catch (Exception ex)
{
throw ex;
}
return(rtn);
}
public PutOptions(ManagementNamedValueCollection context)
{
}
public EventWatcherOptions(ManagementNamedValueCollection context, System.TimeSpan timeout, int blockSize) {}
