        //From Seatbelt
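        /// <summary>
        /// Reads the Windows Event Forwarding policy values under
        /// HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager.
        /// A string[] value (multi-string) is joined with commas; a byte[] value is rendered as hex
        /// bytes; anything else gets its default string conversion. The original hard (string) cast
        /// threw InvalidCastException on a non-string value and dropped every remaining value.
        /// </summary>
        /// <returns>Value name -> value text; empty when the key is absent, empty or unreadable.</returns>
        public static Dictionary <string, string> GetWEFSettings()
        {
            Dictionary <string, string> results = new Dictionary <string, string>();

            try
            {
                Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", "Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager");
                if ((settings != null) && (settings.Count != 0))
                {
                    foreach (KeyValuePair <string, object> kvp in settings)
                    {
                        string[] multiString = kvp.Value as string[];
                        byte[]   binary      = kvp.Value as byte[];
                        string   text;
                        if (multiString != null)
                        {
                            text = string.Join(",", multiString);
                        }
                        else if (binary != null)
                        {
                            text = BitConverter.ToString(binary);
                        }
                        else
                        {
                            // Convert.ToString copes with DWORD/QWORD values and yields "" for null.
                            text = Convert.ToString(kvp.Value);
                        }
                        // Indexer instead of Add: a repeated value name can never throw here.
                        results[kvp.Key] = text;
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }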
        //From https://stackoverflow.com/questions/1331887/detect-antivirus-on-windows-using-c-sharp
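        /// <summary>
        /// Enumerates the antivirus products registered in WMI (root\SecurityCenter2, AntiVirusProduct)
        /// and the Defender path exclusions configured in the registry.
        /// </summary>
        /// <returns>
        /// "Name", "ProductEXE" and "pathToSignedReportingExe" for the first product; further products
        /// get the same keys suffixed with " (2)", " (3)", ... instead of overwriting the first one.
        /// "whitelistpaths" (the Defender exclusion paths, one per line) is added last when present.
        /// </returns>
        public static Dictionary <string, string> GetAVInfo()
        {
            Dictionary <string, string> results = new Dictionary <string, string>();
            string whitelistpaths = "";

            try
            {
                // The exclusions key may be absent or unreadable; a null result here must not
                // skip the WMI query below (the original dereferenced .Keys unconditionally).
                Dictionary <string, object> exclusions = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths");
                if (exclusions != null)
                {
                    whitelistpaths = String.Join("\n    ", exclusions.Keys);
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }

            try
            {
                // Searcher, result collection and each object hold COM resources: dispose them.
                using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct"))
                using (ManagementObjectCollection data = wmiData.Get())
                {
                    int index = 0;
                    foreach (ManagementObject virusChecker in data)
                    {
                        index++;
                        // First product keeps the historical key names; others are numbered so that
                        // several installed products no longer overwrite each other.
                        string suffix = (index == 1) ? "" : String.Format(" ({0})", index);
                        results["Name" + suffix]       = (string)virusChecker["displayName"];
                        results["ProductEXE" + suffix] = (string)virusChecker["pathToSignedProductExe"];
                        results["pathToSignedReportingExe" + suffix] = (string)virusChecker["pathToSignedReportingExe"];
                        virusChecker.Dispose();
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }

            if (!String.IsNullOrEmpty(whitelistpaths))
            {
                results["whitelistpaths"] = "    " + whitelistpaths; //Add this info the last
            }
            return(results);
        }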
        //From Seatbelt
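        /// <summary>
        /// Collects the installed PowerShell engine versions and the machine-wide PowerShell
        /// logging policies (Transcription, Module Logging, ScriptBlock Logging), falling back to
        /// the Wow6432Node policy key when the native one is missing or empty.
        /// </summary>
        /// <returns>
        /// "PowerShell v2 Version", "PowerShell v5 Version", "Transcription Settings",
        /// "Module Logging Settings" and "Scriptblock Logging Settings"; each settings entry holds
        /// one "name : value" line per registry value, or "" when the policy is not configured.
        /// </returns>
        public static Dictionary <string, string> GetPowerShellSettings()
        {
            Dictionary <string, string> results = new Dictionary <string, string>();

            try
            {
                results["PowerShell v2 Version"]        = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
                results["PowerShell v5 Version"]        = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");
                results["Transcription Settings"]       = "";
                results["Module Logging Settings"]      = "";
                results["Scriptblock Logging Settings"] = "";

                // Result key -> policy subkey under SOFTWARE\Policies\Microsoft\Windows\PowerShell.
                string[][] policies = new string[][] {
                    new string[] { "Transcription Settings",       "Transcription" },
                    new string[] { "Module Logging Settings",      "ModuleLogging" },
                    new string[] { "Scriptblock Logging Settings", "ScriptBlockLogging" },
                };

                foreach (string[] policy in policies)
                {
                    string resultKey = policy[0];
                    string subkey    = policy[1];

                    Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\" + subkey);
                    if ((settings == null) || (settings.Count == 0))
                    {
                        // The path is relative to the hive given as first argument; it must not
                        // repeat "HKLM\" (the Transcription fallback did, so it could never match).
                        settings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\" + subkey);
                    }

                    if ((settings != null) && (settings.Count != 0))
                    {
                        foreach (KeyValuePair <string, object> kvp in settings)
                        {
                            // Append (not assign): with "=" only the last ScriptBlockLogging value survived.
                            results[resultKey] += String.Format("  {0,30} : {1}\r\n", kvp.Key, kvp.Value);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }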
        // From seatbelt
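        /// <summary>
        /// Reads the audit policy values under
        /// HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit and returns them as text.
        /// Not every value there is a string (ProcessCreationIncludeCmdLine_Enabled is a REG_DWORD),
        /// so the original hard (string) cast threw InvalidCastException and the method returned an
        /// empty dictionary; each value is converted according to its runtime type instead.
        /// </summary>
        /// <returns>Value name -> value text; empty when the key is absent, empty or unreadable.</returns>
        public static Dictionary <string, string> GetAuditSettings()
        {
            Dictionary <string, string> results = new Dictionary <string, string>();

            try
            {
                Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit");
                if ((settings != null) && (settings.Count != 0))
                {
                    foreach (KeyValuePair <string, object> kvp in settings)
                    {
                        string[] multiString = kvp.Value as string[];
                        byte[]   binary      = kvp.Value as byte[];
                        string   text;
                        if (multiString != null)
                        {
                            text = string.Join(",", multiString);
                        }
                        else if (binary != null)
                        {
                            text = BitConverter.ToString(binary);
                        }
                        else
                        {
                            // Convert.ToString copes with DWORD/QWORD values and yields "" for null.
                            text = Convert.ToString(kvp.Value);
                        }
                        // Indexer instead of Add: a repeated value name can never throw here.
                        results[kvp.Key] = text;
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
            return(results);
        }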
        //////////////////////////////////////
        ///////  Get Autorun Registry ////////
        //////////////////////////////////////
        /// Find Autorun registry entries where you have write or equivalent access
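        /// <summary>
        /// Lists the HKLM Run/RunOnce/RunService/RunOnceService autorun entries (native and Wow6432Node
        /// views) together with the permissions the current user holds on the registry key, on the
        /// target file and on its folder, so that autoruns with loose permissions can be reviewed.
        /// </summary>
        /// <param name="NtAccountNames">SID -> account name map handed through to MyUtils.GetMyPermissionsR.</param>
        /// <returns>
        /// One dictionary per autorun value with the keys "Reg", "Folder", "File", "RegPermissions",
        /// "interestingFolderRights", "interestingFileRights" and "isUnquotedSpaced".
        /// </returns>
        public static List <Dictionary <string, string> > GetRegistryAutoRuns(Dictionary <string, string> NtAccountNames)
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            try
            {
                string[] autorunLocations = new string[] {
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
                    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
                    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
                    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
                    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
                };

                foreach (string autorunLocation in autorunLocations)
                {
                    Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
                    if ((settings == null) || (settings.Count == 0))
                    {
                        continue;
                    }

                    // The key ACL is the same for every value below it: open the key once per location
                    // and release the handle afterwards (the original opened one RegistryKey per value
                    // and never disposed any of them).
                    using (RegistryKey key = Registry.LocalMachine.OpenSubKey(autorunLocation))
                    {
                        string regPermissions = string.Join(", ", MyUtils.GetMyPermissionsR(key, NtAccountNames));

                        foreach (KeyValuePair <string, object> kvp in settings)
                        {
                            string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
                            // Strip quotes before taking the directory so quoted paths resolve to their folder.
                            string folder   = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));
                            results.Add(new Dictionary <string, string>()
                            {
                                { "Reg", "HKLM\\" + autorunLocation },
                                { "Folder", folder },
                                { "File", filepath },
                                { "RegPermissions", regPermissions },
                                { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) },
                                { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs)) },
                                { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
                            });
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }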
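        /// <summary>
        /// Lists the HKLM Run/RunOnce/RunService/RunOnceService autorun entries (native and Wow6432Node
        /// views) with whether the current user can write the key, and the rights that the
        /// interesting users/groups (Program.interestingUsersGroups) hold on the target file and folder.
        /// </summary>
        /// <returns>
        /// One dictionary per autorun value with the keys "Reg", "Folder", "File", "isWritableReg",
        /// "interestingFolderRights", "interestingFileRights" and "isUnquotedSpaced".
        /// </returns>
        public static List <Dictionary <string, string> > GetRegistryAutoRuns()
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            try
            {
                string[] autorunLocations = new string[] {
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
                    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
                    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
                    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
                    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
                };

                foreach (string autorunLocation in autorunLocations)
                {
                    Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
                    if ((settings == null) || (settings.Count == 0))
                    {
                        continue;
                    }

                    // Write access depends on the key, not on the value: check it once per location
                    // instead of once per value.
                    string isWritableReg = MyUtils.CheckWriteAccessReg("HKLM", autorunLocation).ToString();

                    foreach (KeyValuePair <string, object> kvp in settings)
                    {
                        string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
                        // Strip quotes before taking the directory so quoted paths resolve to their folder.
                        string folder   = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));
                        results.Add(new Dictionary <string, string>()
                        {
                            { "Reg", "HKLM\\" + autorunLocation },
                            { "Folder", folder },
                            { "File", filepath },
                            { "isWritableReg", isWritableReg },
                            { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups)) },
                            { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups)) },
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
                        });
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
            return(results);
        }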
        //From Seatbelt
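        /// <summary>
        /// Collects the installed PowerShell engine versions and the machine-wide (HKLM) PowerShell
        /// logging policies: Transcription, Module Logging and ScriptBlock Logging.
        /// </summary>
        /// <returns>
        /// "PowerShell v2 Version", "PowerShell v5 Version", "Transcription Settings",
        /// "Module Logging Settings" and "Scriptblock Logging Settings"; each settings entry holds
        /// one "name : value" line per registry value, or "" when the policy is not configured.
        /// </returns>
        public static Dictionary <string, string> GetPowerShellSettings()
        {
            Dictionary <string, string> results = new Dictionary <string, string>();

            try
            {
                results["PowerShell v2 Version"]        = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
                results["PowerShell v5 Version"]        = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");
                results["Transcription Settings"]       = "";
                results["Module Logging Settings"]      = "";
                results["Scriptblock Logging Settings"] = "";

                // Result key -> policy key (relative to HKLM).
                string[][] policies = new string[][] {
                    new string[] { "Transcription Settings",       "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription" },
                    new string[] { "Module Logging Settings",      "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging" },
                    new string[] { "Scriptblock Logging Settings", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" },
                };

                foreach (string[] policy in policies)
                {
                    Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", policy[1]);
                    if ((settings == null) || (settings.Count == 0))
                    {
                        continue;
                    }

                    foreach (KeyValuePair <string, object> kvp in settings)
                    {
                        // Append (not assign): with "=" only the last ScriptBlockLogging value survived.
                        results[policy[0]] += String.Format("  {0,30} : {1}\r\n", kvp.Key, kvp.Value);
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
            return(results);
        }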
        //From Seatbelt
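        /// <summary>
        /// Returns the machine-wide environment variables as stored under
        /// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, in the form
        /// MyUtils.GetRegValues hands them back. A string[] value is joined with commas and any
        /// other non-string value gets its default string conversion, so one unexpected value
        /// type no longer throws and drops the remaining variables.
        /// </summary>
        /// <returns>Variable name -> value text; empty when the key is absent, empty or unreadable.</returns>
        public static Dictionary <string, string> GetSystemEnvVariables()
        {
            Dictionary <string, string> result = new Dictionary <string, string>();

            try
            {
                Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment");
                if ((settings != null) && (settings.Count != 0))
                {
                    foreach (KeyValuePair <string, object> kvp in settings)
                    {
                        string[] multiString = kvp.Value as string[];
                        // Convert.ToString returns the string itself for string values and "" for null.
                        result[kvp.Key] = (multiString != null) ? string.Join(",", multiString) : Convert.ToString(kvp.Value);
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(result);
        }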
        //From Seatbelt
        /// <summary>
        /// Dumps every value under "Software\Microsoft\Windows\CurrentVersion\Internet Settings" of
        /// the given hive (user or machine), which includes the default proxy configuration.
        /// </summary>
        /// <param name="root_reg">Hive name passed straight to MyUtils.GetRegValues (e.g. "HKLM" or "HKCU").</param>
        /// <returns>Value name -> value.ToString(); empty when the key is absent, empty or unreadable.</returns>
        public static Dictionary <string, string> GetInternetSettings(string root_reg)
        {
            Dictionary <string, string> results = new Dictionary <string, string>();

            try
            {
                Dictionary <string, object> proxySettings = MyUtils.GetRegValues(root_reg, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings");
                bool hasValues = (proxySettings != null) && (proxySettings.Count > 0);
                if (hasValues)
                {
                    foreach (string valueName in proxySettings.Keys)
                    {
                        results[valueName] = proxySettings[valueName].ToString();
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }
        //From Seatbelt
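        /// <summary>
        /// Collects the installed PowerShell engine versions, the PowerShell logging policies
        /// (Transcription, Module Logging, ScriptBlock Logging) from both HKCU and HKLM — falling
        /// back to the Wow6432Node policy key of the same hive when the native one is empty — and
        /// the location and size of the current user's PSReadLine console history file.
        /// </summary>
        /// <returns>
        /// "PowerShell v2 Version", "PowerShell v5 Version", one "... Settings CU"/"... Settings LM"
        /// entry per policy and hive (one "name : value" line per registry value, "" when not set),
        /// "PS history file" and "PS history size". The keys "Transcription Settings" and
        /// "Scriptblock Logging Settings" are kept (always "") so existing consumers still find them.
        /// </returns>
        public static Dictionary <string, string> GetPowerShellSettings()
        {
            Dictionary <string, string> results = new Dictionary <string, string>();

            try
            {
                results["PowerShell v2 Version"]        = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
                results["PowerShell v5 Version"]        = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");
                results["Transcription Settings"]       = "";
                results["Module Logging Settings"]      = "";
                results["Scriptblock Logging Settings"] = "";
                results["PS history file"] = "";
                results["PS history size"] = "";

                // Result key, hive, policy subkey under SOFTWARE\Policies\Microsoft\Windows\PowerShell.
                // Each result key is set to "" before it is appended to: "+=" on a missing dictionary
                // key throws KeyNotFoundException, which is what aborted the original at the first
                // "... Settings CU" entry.
                string[][] policies = new string[][] {
                    new string[] { "Transcription Settings CU",       "HKCU", "Transcription" },
                    new string[] { "Transcription Settings LM",       "HKLM", "Transcription" },
                    new string[] { "Module Logging Settings",         "HKLM", "ModuleLogging" },
                    new string[] { "Module Logging Settings CU",      "HKCU", "ModuleLogging" },
                    new string[] { "Scriptblock Logging Settings LM", "HKLM", "ScriptBlockLogging" },
                    new string[] { "Scriptblock Logging Settings CU", "HKCU", "ScriptBlockLogging" },
                };

                foreach (string[] policy in policies)
                {
                    string resultKey = policy[0];
                    string hive      = policy[1];
                    string subkey    = policy[2];
                    results[resultKey] = "";

                    Dictionary <string, object> settings = MyUtils.GetRegValues(hive, "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\" + subkey);
                    if ((settings == null) || (settings.Count == 0))
                    {
                        // Same hive, Wow6432Node view. The path is relative to the hive and must not
                        // start with "HKLM\" (the Transcription fallbacks did, so they never matched).
                        settings = MyUtils.GetRegValues(hive, "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\" + subkey);
                    }

                    if ((settings != null) && (settings.Count != 0))
                    {
                        foreach (KeyValuePair <string, object> kvp in settings)
                        {
                            // Append (not assign) so every value of the policy is reported, not only the last one.
                            results[resultKey] += String.Format("  {0,30} : {1}\r\n", kvp.Key, kvp.Value);
                        }
                    }
                }

                string ps_history_path  = Environment.ExpandEnvironmentVariables(@"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt");
                string ps_history_path2 = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
                // Prefer the %APPDATA%-based path; fall back to the one built from %USERPROFILE%.
                ps_history_path = File.Exists(ps_history_path) ? ps_history_path : ps_history_path2;
                if (File.Exists(ps_history_path))
                {
                    FileInfo fi   = new FileInfo(ps_history_path);
                    long     size = fi.Length;
                    results["PS history file"] = ps_history_path;
                    results["PS history size"] = size.ToString() + "B";
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }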
        //////////////////////////////////////
        ///////  Get Autorun Registry ////////
        //////////////////////////////////////
        /// Find Autorun registry where you have write or equivalent access
        public static List <Dictionary <string, string> > GetRegistryAutoRuns(Dictionary <string, string> NtAccountNames)
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            try
            {
                List <List <String> > autorunLocations = new List <List <string> >()
                {
                    //Common Autoruns
                    new List <String> {
                        "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
                    },
                    new List <String> {
                        "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
                    },
                    new List <String> {
                        "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
                    },
                    new List <String> {
                        "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
                    },
                    new List <String> {
                        "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run"
                    },
                    new List <String> {
                        "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce"
                    },
                    new List <String> {
                        "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunEx"
                    },

                    //Service Autoruns
                    new List <String> {
                        "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService"
                    },
                    new List <String> {
                        "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
                    },
                    new List <String> {
                        "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService"
                    },
                    new List <String> {
                        "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
                    },

                    //Special Autorun
                    new List <String> {
                        "HKLM", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"
                    },
                    new List <String> {
                        "HKLM", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"
                    },
                    new List <String> {
                        "HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"
                    },
                    new List <String> {
                        "HKCU", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"
                    },

                    //Startup Path
                    new List <String> {
                        "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"
                    },
                    new List <String> {
                        "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"
                    },
                    new List <String> {
                        "HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"
                    },
                    new List <String> {
                        "HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"
                    },

                    //Winlogon
                    new List <String> {
                        "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"
                    },
                    new List <String> {
                        "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"
                    },

                    //Policy Settings
                    new List <String> {
                        "HKLM", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"
                    },
                    new List <String> {
                        "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"
                    },

                    //AlternateShell in SafeBoot
                    new List <String> {
                        "HKLM", "SYSTEM\\CurrentControlSet\\Control\\SafeBoot", "AlternateShell"
                    },

                    //Font Drivers
                    new List <String> {
                        "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
                    },
                    new List <String> {
                        "HKLM", @"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
                    },

                    //Open Command
                    new List <String> {
                        "HKLM", @"SOFTWARE\Classes\htmlfile\shell\open\command", ""
                    },                                                                              //Get (Default) value with empty string
                    new List <String> {
                        "HKLM", @"SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command", ""
                    },                                                                                          //Get (Default) value with empty string
                };

                List <List <String> > autorunLocationsKeys = new List <List <String> >
                {
                    //Installed Components
                    new List <String> {
                        "HKLM", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "StubPath"
                    },
                    new List <String> {
                        "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components", "StubPath"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "StubPath"
                    },
                    new List <String> {
                        "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components", "StubPath"
                    },
                };


                //This registry expect subkeys with the CLSID name
                List <List <String> > autorunLocationsKeysCLSIDs = new List <List <String> >
                {
                    //Browser Helper Objects
                    new List <String> {
                        "HKLM", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
                    },
                    new List <String> {
                        "HKLM", @"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
                    },

                    //Internet Explorer Extensions
                    new List <String> {
                        "HKLM", @"Software\Microsoft\Internet Explorer\Extensions"
                    },
                    new List <String> {
                        "HKLM", @"Software\Wow6432Node\Microsoft\Internet Explorer\Extensions"
                    },
                };

                //Add the keyvalues inside autorunLocationsKeys to autorunLocations
                foreach (List <String> autorunLocationKey in autorunLocationsKeys)
                {
                    List <String> subkeys = MyUtils.GetRegSubkeys(autorunLocationKey[0], autorunLocationKey[1]).ToList();
                    foreach (String keyname in subkeys)
                    {
                        string clsid_name = keyname;
                        Match  clsid      = Regex.Match(keyname, @"^\W*(\{[\w\-]+\})\W*");
                        if (clsid.Groups.Count > 1) //Sometime the CLSID is bad writting and this kind of fix common mistakes
                        {
                            clsid_name = clsid.Groups[1].ToString();
                        }

                        if (autorunLocationKey.Count > 2)
                        {
                            autorunLocations.Add(new List <string> {
                                autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2]
                            });
                        }
                        else
                        {
                            autorunLocations.Add(new List <string> {
                                autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name
                            });
                        }
                    }
                }

                //Read registry and get values
                foreach (List <String> autorunLocation in autorunLocations)
                {
                    Dictionary <string, object> settings = MyUtils.GetRegValues(autorunLocation[0], autorunLocation[1]);
                    if ((settings != null) && (settings.Count != 0))
                    {
                        foreach (KeyValuePair <string, object> kvp in settings)
                        {
                            RegistryKey key = null;
                            if ("HKLM" == autorunLocation[0])
                            {
                                key = Registry.LocalMachine.OpenSubKey(autorunLocation[1]);
                            }
                            else
                            {
                                key = Registry.CurrentUser.OpenSubKey(autorunLocation[1]);
                            }


                            if (autorunLocation.Count > 2 && kvp.Key != autorunLocation[2])
                            {
                                continue; //If only interested on 1 key of the registry and it's that one, continue
                            }
                            string orig_filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
                            string filepath      = orig_filepath;
                            if (MyUtils.GetExecutableFromPath(Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value))).Length > 0)
                            {
                                filepath = MyUtils.GetExecutableFromPath(filepath);
                            }
                            string filepath_cleaned = filepath.Replace("'", "").Replace("\"", "");

                            string folder = System.IO.Path.GetDirectoryName(filepath_cleaned);
                            try
                            {     //If the path doesn't exist, pass
                                if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory))
                                { //If the path is already a folder, change the values of the params
                                    orig_filepath = "";
                                    folder        = filepath_cleaned;
                                }
                            }
                            catch
                            {
                            }

                            results.Add(new Dictionary <string, string>()
                            {
                                { "Reg", autorunLocation[0] + "\\" + autorunLocation[1] },
                                { "RegKey", kvp.Key },
                                { "Folder", folder },
                                { "File", orig_filepath },
                                {
                                    "RegPermissions",
                                    string.Join(", ", MyUtils.GetMyPermissionsR(key, Program.currentUserSIDs))
                                },
                                {
                                    "interestingFolderRights",
                                    String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs))
                                },
                                {
                                    "interestingFileRights",
                                    orig_filepath.Length > 1 ? String.Join(", ", MyUtils.GetPermissionsFile(orig_filepath, Program.currentUserSIDs)) : ""
                                },
                                { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
                            });
                        }
                    }
                }

                //Check the autoruns that depends on CLSIDs
                foreach (List <String> autorunLocation in autorunLocationsKeysCLSIDs)
                {
                    List <String> CLSIDs = MyUtils.GetRegSubkeys(autorunLocation[0], autorunLocation[1]).ToList();
                    foreach (String clsid in CLSIDs)
                    {
                        string      reg = autorunLocation[1] + "\\" + clsid;
                        RegistryKey key = null;
                        if ("HKLM" == autorunLocation[0])
                        {
                            key = Registry.LocalMachine.OpenSubKey(reg);
                        }
                        else
                        {
                            key = Registry.CurrentUser.OpenSubKey(reg);
                        }

                        string orig_filepath = MyUtils.GetCLSIDBinPath(clsid);
                        if (String.IsNullOrEmpty(orig_filepath))
                        {
                            continue;
                        }
                        orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
                        string folder = System.IO.Path.GetDirectoryName(orig_filepath);

                        results.Add(new Dictionary <string, string>()
                        {
                            { "Reg", autorunLocation[0] + "\\" + reg },
                            { "RegKey", "" },
                            { "Folder", folder },
                            { "File", orig_filepath },
                            {
                                "RegPermissions",
                                string.Join(", ", MyUtils.GetMyPermissionsR(key, Program.currentUserSIDs))
                            },
                            {
                                "interestingFolderRights",
                                String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs))
                            },
                            {
                                "interestingFileRights",
                                orig_filepath.Length > 1 ? String.Join(", ", MyUtils.GetPermissionsFile(orig_filepath, Program.currentUserSIDs)) : ""
                            },
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString() }
                        });
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }
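        /// <summary>
        /// Reads every service key under HKLM\SYSTEM\CurrentControlSet\Services and returns the ones that
        /// do not look like Microsoft services: the executable's CompanyName version-info field is empty,
        /// unreadable, or does not start with "Microsoft".
        /// </summary>
        /// <returns>
        /// One dictionary per matching service with the keys Name, DisplayName, CompanyName, State (always
        /// empty - the registry carries no runtime state), StartMode, PathName, FilteredPath, isDotNet and
        /// Description. Never null; empty when nothing matches or when the registry walk fails.
        /// </returns>
        public static List <Dictionary <string, string> > GetNonstandardServicesFromReg()
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            try
            {
                foreach (string key in MyUtils.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services"))
                {
                    Dictionary <string, object> key_values = MyUtils.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + key);

                    // GetRegValues may yield null (the autorun enumeration above guards for it); without this
                    // check one unreadable key would throw and abort the whole service listing.
                    if (key_values == null || !key_values.ContainsKey("DisplayName") || !key_values.ContainsKey("ImagePath"))
                    {
                        continue;
                    }

                    string companyName = "";
                    string isDotNet    = "";
                    // Kernel drivers use the NT-native "\SystemRoot\..." prefix, which ExpandEnvironmentVariables
                    // does not understand; rewrite it to the equivalent environment variable first.
                    string pathName   = Environment.ExpandEnvironmentVariables(String.Format("{0}", key_values["ImagePath"]).Replace("\\SystemRoot\\", "%SystemRoot%\\"));
                    string binaryPath = MyUtils.ReconstructExecPath(pathName);
                    if (!String.IsNullOrEmpty(binaryPath))
                    {
                        try
                        {
                            FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                            companyName = myFileVersionInfo.CompanyName;
                            isDotNet    = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                        }
                        catch (Exception)
                        {
                            // Typically not enough privileges to open the binary; leave companyName empty so
                            // the service is still reported below.
                        }
                    }

                    string displayName = String.Format("{0}", key_values["DisplayName"]);
                    string description = key_values.ContainsKey("Description") ? String.Format("{0}", key_values["Description"]) : "";
                    string startMode   = key_values.ContainsKey("Start") ? StartModeFromRegValue(key_values["Start"]) : "";

                    // An empty or unreadable CompanyName is reported too: it is exactly the case that needs
                    // a human look, and hiding it would let binaries without version info drop out of the list.
                    if (String.IsNullOrEmpty(companyName) || !Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))
                    {
                        Dictionary <string, string> toadd = new Dictionary <string, string>();
                        // NOTE(review): Name mirrors DisplayName, while the registry key name ("key") is the
                        // service's short name - confirm which one consumers of "Name" expect.
                        toadd["Name"]         = displayName;
                        toadd["DisplayName"]  = displayName;
                        toadd["CompanyName"]  = companyName;
                        toadd["State"]        = "";
                        toadd["StartMode"]    = startMode;
                        toadd["PathName"]     = pathName;
                        toadd["FilteredPath"] = binaryPath;
                        toadd["isDotNet"]     = isDotNet;
                        toadd["Description"]  = description;
                        results.Add(toadd);
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }

        /// <summary>
        /// Translates a service's numeric "Start" registry value into its start type name.
        /// The values follow the SERVICE_*_START constants: 0 Boot, 1 System, 2 Automatic (kept under the
        /// legacy "Autoload" label), 3 Manual (demand start), 4 Disabled. Anything else maps to "".
        /// </summary>
        /// <param name="startValue">The raw registry value object; formatted with "{0}" like the other fields, so null becomes "".</param>
        /// <returns>The start type label, or "" when the value is missing or not one of 0..4.</returns>
        private static string StartModeFromRegValue(object startValue)
        {
            switch (String.Format("{0}", startValue))
            {
            case "0":
                return "Boot";

            case "1":
                return "System";

            case "2":
                return "Autoload";

            // The previous table labelled 3 as "System" and 4 as "Manual" and listed a non-existent 5;
            // SERVICE_DEMAND_START is 3 and SERVICE_DISABLED is 4, so manual services were being reported
            // as system-start and disabled ones as manual.
            case "3":
                return "Manual";

            case "4":
                return "Disabled";

            default:
                return "";
            }
        }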