// TODO: check out https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna#L10
/// <summary>
/// Enumerates the running processes and pairs each one, via a WMI join on the
/// process id, with its executable path, command line and owner (GetProcU).
/// </summary>
/// <returns>
/// One dictionary per process whose WMI ExecutablePath is non-null, with the keys
/// Name, ProcessID, ExecutablePath, Product, Owner, isDotNet and CommandLine.
/// Product is currently always "" because the CompanyName lookup is commented out,
/// so the Microsoft-vendor filter below admits every process. If the WMI query or
/// the process enumeration fails the error is printed and whatever was collected
/// so far (normally an empty list) is returned.
/// </returns>
public static List<Dictionary<string, string>> GetProcInfo()
{
    var processInfo = new List<Dictionary<string, string>>();
    try
    {
        const string query = "SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process";
        using (var searcher = new ManagementObjectSearcher(query))
        using (var wmiProcesses = searcher.Get())
        {
            // Match every Process to its WMI row by id. WMI hands ProcessId back
            // as a uint, hence the double cast before comparing with Process.Id.
            var joined = Process.GetProcesses().Join(
                wmiProcesses.Cast<ManagementObject>(),
                proc => proc.Id,
                row => (int)(uint)row["ProcessId"],
                (proc, row) => new
                {
                    Process = proc,
                    ExecutablePath = (string)row["ExecutablePath"],
                    CommandLine = (string)row["CommandLine"],
                    // Resolved in the projection so it is available in the loop below.
                    Owner = GetProcU(proc),
                });

            foreach (var entry in joined)
            {
                if (entry.ExecutablePath == null)
                {
                    continue;
                }

                string companyName = "";
                string isDotNet = "";
                try
                {
                    // The CompanyName assignment is commented out; the version-info call is
                    // still made so that an unreadable binary skips the .NET check as well.
                    FileVersionInfo.GetVersionInfo(entry.ExecutablePath);
                    //compName = myFileVerInfo.CompanyName;
                    isDotNet = MyUtils.CheckIfDotNet(entry.ExecutablePath) ? "isDotNet" : "";
                }
                catch
                {
                    // Not enough privileges to read the binary
                }

                // Vendor filter: keep everything that is not identified as Microsoft.
                // With companyName always "" this condition is always true today.
                bool nonMicrosoft = string.IsNullOrEmpty(companyName)
                    || !Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase);
                if (!nonMicrosoft)
                {
                    continue;
                }

                processInfo.Add(new Dictionary<string, string>
                {
                    ["Name"] = entry.Process.ProcessName,
                    ["ProcessID"] = entry.Process.Id.ToString(),
                    ["ExecutablePath"] = entry.ExecutablePath,
                    ["Product"] = companyName,
                    ["Owner"] = entry.Owner ?? "",
                    ["isDotNet"] = isDotNet,
                    ["CommandLine"] = entry.CommandLine,
                });
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
    return processInfo;
}
///////////////////////////////////////////////
//// Non Standard Services (Non Microsoft) ////
///////////////////////////////////////////////
/// <summary>
/// Lists the services known to WMI (win32_service) whose binary's CompanyName,
/// read from the file version info, does not start with "Microsoft".
/// </summary>
/// <returns>
/// One dictionary per matching service with the keys Name, DisplayName, CompanyName,
/// State, StartMode, PathName, FilteredPath, isDotNet and Description. Services
/// without a PathName are skipped. When the version info cannot be read (for
/// example for lack of privileges) CompanyName stays "" and the service is kept.
/// If the WMI query itself fails the error is printed and the list collected so
/// far (normally empty) is returned.
/// </returns>
public static List<Dictionary<string, string>> GetNonstandardServices()
{
    var services = new List<Dictionary<string, string>>();
    try
    {
        using (var searcher = new ManagementObjectSearcher(@"root\cimv2", "SELECT * FROM win32_service"))
        using (var serviceRows = searcher.Get())
        {
            foreach (ManagementObject service in serviceRows)
            {
                object rawPath = service["PathName"];
                if (rawPath == null)
                {
                    continue;
                }

                // Presumably reduces the raw PathName to the executable alone; see MyUtils.GetExecutableFromPath.
                string binaryPath = MyUtils.GetExecutableFromPath(rawPath.ToString());
                string companyName = "";
                string isDotNet = "";
                try
                {
                    FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                    companyName = versionInfo.CompanyName;
                    isDotNet = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                }
                catch (Exception)
                {
                    // Not enough privileges to read the binary; keep the service with an empty CompanyName.
                }

                // Vendor filter: drop only services that identify themselves as Microsoft.
                bool isMicrosoft = !string.IsNullOrEmpty(companyName)
                    && Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase);
                if (isMicrosoft)
                {
                    continue;
                }

                services.Add(new Dictionary<string, string>
                {
                    ["Name"] = GetStringOrEmpty(service["Name"]),
                    ["DisplayName"] = GetStringOrEmpty(service["DisplayName"]),
                    ["CompanyName"] = companyName,
                    ["State"] = GetStringOrEmpty(service["State"]),
                    ["StartMode"] = GetStringOrEmpty(service["StartMode"]),
                    ["PathName"] = GetStringOrEmpty(rawPath),
                    ["FilteredPath"] = binaryPath,
                    ["isDotNet"] = isDotNet,
                    ["Description"] = GetStringOrEmpty(service["Description"]),
                });
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
    return services;
}
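/// <summary>
/// Lists non-Microsoft services by reading HKLM\SYSTEM\CurrentControlSet\Services,
/// as a registry-based counterpart to <see cref="GetNonstandardServices"/>.
/// </summary>
/// <returns>
/// One dictionary per service key that has both DisplayName and ImagePath, with the
/// same keys as <see cref="GetNonstandardServices"/> (Name, DisplayName, CompanyName,
/// State, StartMode, PathName, FilteredPath, isDotNet, Description). State is always
/// "" because the registry does not record the running state. A service whose
/// CompanyName starts with "Microsoft" is omitted; when the version info cannot be
/// read, CompanyName stays "" and the service is kept. Errors are printed and never
/// thrown; whatever was collected is returned.
/// </returns>
/// <remarks>
/// Changes relative to the previous version: the Start value mapping now follows the
/// documented service start constants (0 Boot, 1 System, 2 Auto, 3 Manual, 4 Disabled,
/// using the same labels as Win32_Service.StartMode) instead of being shifted by one
/// from value 3 on; Name holds the service key name (the service's short name, as in
/// the WMI variant) instead of repeating DisplayName; and a failure on one service key
/// (for example a null Start value) is reported and the remaining keys are still
/// processed rather than aborting the whole enumeration.
/// </remarks>
public static List<Dictionary<string, string>> GetNonstandardServicesFromReg()
{
    var results = new List<Dictionary<string, string>>();
    try
    {
        foreach (string serviceName in RegistryHelper.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services"))
        {
            try
            {
                Dictionary<string, string> service = ReadServiceFromReg(serviceName);
                if (service != null)
                {
                    results.Add(service);
                }
            }
            catch (Exception ex)
            {
                // One unreadable or malformed key must not hide the rest of the services.
                Beaprint.PrintException(ex.Message);
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
    return results;
}

/// <summary>
/// Builds the result entry for one service key under HKLM\SYSTEM\CurrentControlSet\Services.
/// </summary>
/// <param name="serviceName">The service key name (the service's short name).</param>
/// <returns>
/// The populated entry, or null when the key cannot be read, lacks DisplayName or
/// ImagePath, or belongs to a binary whose CompanyName starts with "Microsoft".
/// </returns>
private static Dictionary<string, string> ReadServiceFromReg(string serviceName)
{
    Dictionary<string, object> values = RegistryHelper.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + serviceName);
    if (values == null)
    {
        return null;
    }

    object displayNameValue;
    object imagePathValue;
    if (!values.TryGetValue("DisplayName", out displayNameValue) || !values.TryGetValue("ImagePath", out imagePathValue))
    {
        return null;
    }

    // ImagePath may start with the kernel-style \SystemRoot\ prefix, which
    // ExpandEnvironmentVariables does not know; rewrite it to %SystemRoot%\ first.
    string pathName = Environment.ExpandEnvironmentVariables(
        string.Format("{0}", imagePathValue).Replace("\\SystemRoot\\", "%SystemRoot%\\"));
    string binaryPath = MyUtils.ReconstructExecPath(pathName);

    string companyName = "";
    string isDotNet = "";
    if (binaryPath != "")
    {
        try
        {
            FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
            companyName = versionInfo.CompanyName;
            isDotNet = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
        }
        catch (Exception)
        {
            // Not enough privileges to read the binary; keep the service with an empty CompanyName.
        }
    }

    // Vendor filter: only services that identify themselves as Microsoft are dropped.
    bool isMicrosoft = !string.IsNullOrEmpty(companyName)
        && Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase);
    if (isMicrosoft)
    {
        return null;
    }

    object descriptionValue;
    string description = values.TryGetValue("Description", out descriptionValue)
        ? string.Format("{0}", descriptionValue)
        : "";

    return new Dictionary<string, string>
    {
        // The registry key name is the service's short name, matching WMI's Name.
        ["Name"] = serviceName,
        ["DisplayName"] = string.Format("{0}", displayNameValue),
        ["CompanyName"] = companyName,
        // The registry does not record the running state.
        ["State"] = "",
        ["StartMode"] = StartModeFromReg(values),
        ["PathName"] = pathName,
        ["FilteredPath"] = binaryPath,
        ["isDotNet"] = isDotNet,
        ["Description"] = description,
    };
}

/// <summary>
/// Translates the Start value of a service key into the labels used by
/// Win32_Service.StartMode.
/// </summary>
/// <param name="values">The service key's values, as returned by RegistryHelper.GetRegValues.</param>
/// <returns>"Boot", "System", "Auto", "Manual" or "Disabled"; "" when Start is absent, null or unrecognized.</returns>
private static string StartModeFromReg(Dictionary<string, object> values)
{
    object startValue;
    if (!values.TryGetValue("Start", out startValue) || startValue == null)
    {
        return "";
    }

    // SERVICE_BOOT_START = 0, SERVICE_SYSTEM_START = 1, SERVICE_AUTO_START = 2,
    // SERVICE_DEMAND_START = 3, SERVICE_DISABLED = 4; there is no value 5.
    switch (startValue.ToString())
    {
        case "0": return "Boot";
        case "1": return "System";
        case "2": return "Auto";
        case "3": return "Manual";
        case "4": return "Disabled";
        default: return "";
    }
}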