Example #1
        /// <summary>
        /// Hashes the file at <paramref name="path"/> and passes that hash to <c>vt</c>,
        /// returning a one-line, human-readable result.
        /// </summary>
        /// <param name="path">Path of the file to hash.</param>
        /// <returns>
        /// "File access error" when <c>FileUtils.getFileHash</c> yields null;
        /// "VirusTotal detections = ..." when <c>vt</c> yields a non-null value;
        /// otherwise "File hash not found".
        /// </returns>
        /// <remarks>
        /// Only the hash string is handed to <c>vt</c>; the file itself is not passed on by this method.
        /// NOTE(review): a null from <c>vt</c> is reported as "File hash not found". Whether <c>vt</c>
        /// also returns null when the lookup itself fails is not visible here, so callers should not
        /// read that message as a clean verdict until this is confirmed.
        /// </remarks>
        public static string checkFile(string path)
        {
            string digest = FileUtils.getFileHash(path);
            if (digest == null)
            {
                // No hash could be produced, so there is nothing to look up.
                return "File access error";
            }

            string hits = vt(digest);
            return hits != null
                ? "VirusTotal detections = " + hits
                : "File hash not found";
        }
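        /// <summary>
        /// Console entry point of the triage scan. Collects candidate paths from the Startup
        /// folders, selected registry locations and scheduled tasks, flags candidates that
        /// <c>checkLolbas</c> recognises, passes the hashes of candidates that
        /// <c>isPathSuspected</c> selects to <c>vt</c>, and finally checks Office documents in
        /// the user's Documents and Desktop folders for macros.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        /// <remarks>
        /// Only file hashes (from <c>FileUtils.getFileHash</c>) are passed to <c>vt</c>. File paths
        /// are printed to the local console only.
        /// </remarks>
        static void Main(string[] args)
        {
            Console.ForegroundColor = ConsoleColor.White;

            // Stage 1: autostart locations on disk (per-user and all-users Startup folders).
            Console.WriteLine("Searching in autostart filesystem locations...");
            List<string> list = new List<string>();
            string appDataDir = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);

            FileUtils.fileSearch(appDataDir + @"\Microsoft\Windows\Start Menu\Programs\Startup", list);
            // NOTE(review): this path is hard-coded to drive C:. On a host whose ProgramData lives
            // elsewhere the all-users Startup folder would not be covered.
            FileUtils.fileSearch(@"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp", list);

            // Stage 2: registry autostart locations (Run, RunOnce, and the UserInitMprLogonScript
            // value under Environment). The meaning of the first regSearch argument and the hive(s)
            // it selects are defined in RegistryUtils and not visible here.
            Console.WriteLine("Searching in registry...");
            RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", null, list);
            RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", null, list);
            RegistryUtils.regSearch(true, "Environment", "UserInitMprLogonScript", list);

            // Stage 3: scheduled tasks.
            Console.WriteLine("Searching in scheduled tasks...");
            tasksSearch(list);

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine($"\r\nChecking  suspected objects");

            // Stage 4: classify every collected candidate. A checkLolbas match is reported
            // directly. Otherwise, if isPathSuspected selects the path, its hash goes to vt.
            foreach (string path in list)
            {
                string lol = checkLolbas(path);
                if (lol != null)
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine($"Suspicious object detected: {path}");
                }
                else if (isPathSuspected(path))
                {
                    try
                    {
                        if (File.Exists(path))
                        {
                            Console.ForegroundColor = ConsoleColor.DarkGray;
                            Console.WriteLine($"\r\nSending hash of {path} to VirusTotal...");
                            string fileHash = FileUtils.getFileHash(path);
                            if (fileHash == null)
                            {
                                Console.ForegroundColor = ConsoleColor.White;
                                Console.WriteLine($"{path} - Error, can't access this file");
                                continue;
                            }

                            string detections = vt(fileHash);
                            if (detections != null)
                            {
                                Console.ForegroundColor = ConsoleColor.Red;
                                Console.WriteLine($"{path} - {detections} detections");
                            }
                            else
                            {
                                // A null result is not a clean verdict, so the operator is told
                                // to review the file manually.
                                Console.ForegroundColor = ConsoleColor.White;
                                Console.WriteLine($"{path} - no detections but you should check this file manually");
                            }
                        }
                    }
                    catch (Exception e)
                    {
                        // Report the cause so that a candidate that could not be checked is
                        // distinguishable from one that was checked.
                        Console.ForegroundColor = ConsoleColor.White;
                        Console.WriteLine($"{path} - Error: {e.Message}");
                    }
                }
            }

            // Stage 5: enumerate the user's Documents and Desktop folders.
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("\r\nSearching in user folders...");
            List<string> userFiles = new List<string>();

            // ToLowerInvariant, not ToLower: culture-sensitive lower-casing can rewrite letters in
            // a path (for example 'I' under a Turkish UI culture) so that it no longer matches the
            // real directory.
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments).ToLowerInvariant(), userFiles);
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Desktop).ToLowerInvariant(), userFiles);

            // Stage 6: check Office documents for macros. Extensions are compared ordinally and
            // case-insensitively so the match does not depend on the current culture.
            string[] macroExtensions = { ".doc", ".docm", ".xls", ".xlsm", ".xlsb" };
            foreach (string dfile in userFiles)
            {
                try
                {
                    bool isOfficeCandidate = Array.Exists(
                        macroExtensions,
                        ext => dfile.EndsWith(ext, StringComparison.OrdinalIgnoreCase));

                    if (isOfficeCandidate)
                    {
                        Console.ForegroundColor = ConsoleColor.Yellow;
                        Console.Write($"\r\nChecking if {dfile} contains macros... ");

                        if (OfficeUtils.containsMacro(dfile))
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.Write(" YES");

                            // NOTE(review): the candidate loop above has already finished, so
                            // nothing in this method reads `list` after this point. Macro-bearing
                            // documents are reported here but never hashed or looked up.
                            list.Add(dfile);
                        }
                        else
                        {
                            Console.ForegroundColor = ConsoleColor.Green;
                            Console.Write(" NO");
                        }
                    }
                }
                catch (Exception ex)
                {
                    // Previously swallowed silently. A document that cannot be inspected is a
                    // coverage gap the operator needs to see, so report it and carry on.
                    Console.ForegroundColor = ConsoleColor.White;
                    Console.Write($"\r\n{dfile} - Error while checking for macros: {ex.Message}");
                }
            }

            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("\r\nDone. Press any key to exit");
            Console.Read();
        }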