Ejemplo n.º 1
        /// <summary>
        /// Enumerates filesystem autorun locations — the machine-wide Startup folder and the
        /// Startup folder of every profile under the Users root — and reports each file found
        /// there together with the rights the current user holds on the folder and the file,
        /// so a weakly-ACLed autorun (a persistence / privilege-escalation vector) stands out.
        /// </summary>
        /// <returns>
        /// One dictionary per discovered file, plus one per entry of taskAutorunLocations, with
        /// the keys Reg, RegKey, RegPermissions and isWritableReg (always empty for filesystem
        /// entries), Folder, File, interestingFolderRights, interestingFileRights and
        /// isUnquotedSpaced.
        /// </returns>
        /// <remarks>
        /// NOTE(review): this listing lost braces and several lines to extraction — the `try`
        /// openers in front of each `catch`, the close of the autorunLocations initializer (any
        /// further entries), the body of the Directory.Exists check, the contents of
        /// taskAutorunLocations and the final `return results;`. Restore from the upstream file
        /// before relying on it; comments below describe only what is visible.
        /// </remarks>
        private static IEnumerable <Dictionary <string, string> > GetAutoRunsFolder()
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            // systemDrive is assigned but not used in the visible lines — presumably consumed
            // by a dropped autorunLocations entry rooted at the system drive; verify upstream.
            var systemDrive      = Environment.GetEnvironmentVariable("SystemDrive");
            // Machine-wide Startup folder: anything placed here runs at logon for every user,
            // so current-user write access on it is a direct persistence / privesc finding.
            var autorunLocations = new List <string>
                Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"),

            // Single-argument Path.Combine is effectively a no-op here. If USERPROFILE is unset
            // the null argument would throw, and this line runs outside the try/catch below —
            // a string.IsNullOrEmpty guard would be safer (hedged: depends on how the caller
            // handles exceptions from this check).
            string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));

            // The parent of the current profile is taken as the Users root (e.g. C:\Users).
            // Directory.GetParent returns null for a root path, which would NRE on .FullName —
            // unlikely for a real profile path, but unguarded.
            usersPath = Directory.GetParent(usersPath).FullName;

                // Walk every profile directory, not just the caller's: another user's Startup
                // folder being writable by us is exactly the misconfiguration being hunted.
                // Enumerating foreign profiles unprivileged commonly raises access-denied.
                var userDirs = Directory.EnumerateDirectories(usersPath);

                foreach (var userDir in userDirs)
                    string startupPath = $@"{userDir}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";

                    // Body missing from the listing — presumably appends startupPath to
                    // autorunLocations; confirm against upstream.
                    if (Directory.Exists(startupPath))
            // Silent catch-all: expected UnauthorizedAccessException/IOException from foreign
            // profiles is swallowed, but so is any programming error. Narrowing the catch (or
            // at least recording the failure) would keep the scan honest about what it missed.
            catch (Exception)

            foreach (string path in autorunLocations)
                    // Top-level files only; a subfolder inside Startup is not itself an autorun.
                    var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);

                    foreach (string filepath in files)
                        string folder = Path.GetDirectoryName(filepath);
                        // Registry-related columns are left empty so this row shares the same
                        // schema as the registry autorun rows produced elsewhere in the file.
                        results.Add(new Dictionary <string, string>()
                            { "Reg", "" },
                            { "RegKey", "" },
                            { "RegPermissions", "" },
                            { "Folder", folder },
                            { "File", filepath },
                            { "isWritableReg", "" },
                            // CurrentUserSiDs is presumably the calling user's SID set (user +
                            // groups); the helpers report which of those hold interesting rights.
                            { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs)) },
                            { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs)) },
                            // Note this passes the *folder* (`path`), not `filepath`: an
                            // unquoted-spaced check on a directory is of doubtful meaning —
                            // likely intended to be filepath; confirm intent before changing.
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
                // Same silent catch-all as above: a missing or unreadable Startup folder is
                // dropped without trace.
                catch (Exception)

            // Initializer contents are missing from the listing; the loop below treats each
            // entry as a folder to check for writable rights, with no per-file inspection.
            var taskAutorunLocations = new HashSet <string>()

            foreach (string folder in taskAutorunLocations)
                    results.Add(new Dictionary <string, string>()
                        { "Reg", "" },
                        { "RegKey", "" },
                        { "RegPermissions", "" },
                        { "Folder", folder },
                        { "File", "" },
                        { "isWritableReg", "" },
                        { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs)) },
                        { "interestingFileRights", "" },
                        // Here the folder itself is the subject, so checking it is consistent.
                        { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() }
                // Silent catch-all; see the notes on the earlier catches.
                catch (Exception)

Ejemplo n.º 2
        ///////  Get Autorun Registry ////////
        /// Find autorun registry keys/values on which the current user has write or equivalent access
        private static IEnumerable <Dictionary <string, string> > GetRegistryAutoRuns(Dictionary <string, string> NtAccountNames)
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

                //Add the keyvalues inside autorunLocationsKeys to autorunLocations
                foreach (List <string> autorunLocationKey in autorunLocationsKeys)
                    List <string> subkeys = RegistryHelper.GetRegSubkeys(autorunLocationKey[0], autorunLocationKey[1]).ToList();
                    foreach (string keyname in subkeys)
                        string clsid_name = keyname;
                        Match  clsid      = Regex.Match(keyname, @"^\W*(\{[\w\-]+\})\W*");
                        if (clsid.Groups.Count > 1) //Sometime the CLSID is bad writting and this kind of fix common mistakes
                            clsid_name = clsid.Groups[1].ToString();

                        autorunLocations.Add(autorunLocationKey.Count > 2
                            ? new List <string>
                            autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2]
                            : new List <string> {
                            autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name

                //Read registry and get values
                foreach (List <string> autorunLocation in autorunLocations)
                    Dictionary <string, object> settings = RegistryHelper.GetRegValues(autorunLocation[0], autorunLocation[1]);
                    if ((settings != null) && (settings.Count != 0))
                        foreach (KeyValuePair <string, object> kvp in settings)
                            RegistryKey key = null;
                            if ("HKLM" == autorunLocation[0])
                                key = Registry.LocalMachine.OpenSubKey(autorunLocation[1]);
                                key = Registry.CurrentUser.OpenSubKey(autorunLocation[1]);

                            if (autorunLocation.Count > 2 && kvp.Key != autorunLocation[2])
                                continue; //If only interested on 1 key of the registry and it's that one, continue

                            string orig_filepath = Environment.ExpandEnvironmentVariables(string.Format("{0}", kvp.Value));
                            string filepath      = orig_filepath;

                            if (MyUtils.GetExecutableFromPath(Environment.ExpandEnvironmentVariables(string.Format("{0}", kvp.Value))).Length > 0)
                                filepath = MyUtils.GetExecutableFromPath(filepath);

                            string filepath_cleaned = filepath.Replace("'", "").Replace("\"", "");
                            string folder           = Path.GetDirectoryName(filepath_cleaned);

                                //If the path doesn't exist, pass
                                if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory))
                                    //If the path is already a folder, change the values of the params
                                    orig_filepath = "";
                                    folder        = filepath_cleaned;

                            results.Add(new Dictionary <string, string>()
                                { "Reg", autorunLocation[0] + "\\" + autorunLocation[1] },
                                { "RegKey", kvp.Key },
                                { "Folder", folder },
                                { "File", orig_filepath },
                                    string.Join(", ", PermissionsHelper.GetMyPermissionsR(key, Checks.Checks.CurrentUserSiDs))
                                    string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))
                                    orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
                                { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }

                //Check the autoruns that depends on CLSIDs
                foreach (List <string> autorunLocation in autorunLocationsKeysCLSIDs)
                    List <string> CLSIDs = RegistryHelper.GetRegSubkeys(autorunLocation[0], autorunLocation[1]).ToList();
                    foreach (string clsid in CLSIDs)
                        string      reg = autorunLocation[1] + "\\" + clsid;
                        RegistryKey key = null;
                        if ("HKLM" == autorunLocation[0])
                            key = Registry.LocalMachine.OpenSubKey(reg);
                            key = Registry.CurrentUser.OpenSubKey(reg);

                        string orig_filepath = MyUtils.GetCLSIDBinPath(clsid);
                        if (string.IsNullOrEmpty(orig_filepath))
                        orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
                        string folder = Path.GetDirectoryName(orig_filepath);

                        results.Add(new Dictionary <string, string>()
                            { "Reg", autorunLocation[0] + "\\" + reg },
                            { "RegKey", "" },
                            { "Folder", folder },
                            { "File", orig_filepath },
                                string.Join(", ", PermissionsHelper.GetMyPermissionsR(key, Checks.Checks.CurrentUserSiDs))
                                string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))
                                orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString() }
            catch (Exception ex)