private static IEnumerable <Dictionary <string, string> > GetAutoRunsFolder()
{
List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();
var systemDrive = Environment.GetEnvironmentVariable("SystemDrive");
var autorunLocations = new List <string>
{
Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"),
};
string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));
usersPath = Directory.GetParent(usersPath).FullName;
try
{
var userDirs = Directory.EnumerateDirectories(usersPath);
foreach (var userDir in userDirs)
{
string startupPath = $@"{userDir}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";
if (Directory.Exists(startupPath))
{
autorunLocations.Add(startupPath);
}
}
}
catch (Exception)
{
}
foreach (string path in autorunLocations)
{
try
{
var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
foreach (string filepath in files)
{
string folder = Path.GetDirectoryName(filepath);
results.Add(new Dictionary <string, string>()
{
{ "Reg", "" },
{ "RegKey", "" },
{ "RegPermissions", "" },
{ "Folder", folder },
{ "File", filepath },
{ "isWritableReg", "" },
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs)) },
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs)) },
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
});
}
}
catch (Exception)
{
}
}
var taskAutorunLocations = new HashSet <string>()
{
$"{systemDrive}\\windows\\tasks",
$"{systemDrive}\\windows\\system32\\tasks",
};
foreach (string folder in taskAutorunLocations)
{
try
{
results.Add(new Dictionary <string, string>()
{
{ "Reg", "" },
{ "RegKey", "" },
{ "RegPermissions", "" },
{ "Folder", folder },
{ "File", "" },
{ "isWritableReg", "" },
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs)) },
{ "interestingFileRights", "" },
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() }
});
}
catch (Exception)
{
}
}
return(results);
}
//////////////////////////////////////
/////// Get Autorun Registry ////////
//////////////////////////////////////
/// Find Autorun registry where you have write or equivalent access
private static IEnumerable <Dictionary <string, string> > GetRegistryAutoRuns(Dictionary <string, string> NtAccountNames)
{
List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();
try
{
//Add the keyvalues inside autorunLocationsKeys to autorunLocations
foreach (List <string> autorunLocationKey in autorunLocationsKeys)
{
List <string> subkeys = RegistryHelper.GetRegSubkeys(autorunLocationKey[0], autorunLocationKey[1]).ToList();
foreach (string keyname in subkeys)
{
string clsid_name = keyname;
Match clsid = Regex.Match(keyname, @"^\W*(\{[\w\-]+\})\W*");
if (clsid.Groups.Count > 1) //Sometime the CLSID is bad writting and this kind of fix common mistakes
{
clsid_name = clsid.Groups[1].ToString();
}
autorunLocations.Add(autorunLocationKey.Count > 2
? new List <string>
{
autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2]
}
: new List <string> {
autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name
});
}
}
//Read registry and get values
foreach (List <string> autorunLocation in autorunLocations)
{
Dictionary <string, object> settings = RegistryHelper.GetRegValues(autorunLocation[0], autorunLocation[1]);
if ((settings != null) && (settings.Count != 0))
{
foreach (KeyValuePair <string, object> kvp in settings)
{
RegistryKey key = null;
if ("HKLM" == autorunLocation[0])
{
key = Registry.LocalMachine.OpenSubKey(autorunLocation[1]);
}
else
{
key = Registry.CurrentUser.OpenSubKey(autorunLocation[1]);
}
if (autorunLocation.Count > 2 && kvp.Key != autorunLocation[2])
{
continue; //If only interested on 1 key of the registry and it's that one, continue
}
string orig_filepath = Environment.ExpandEnvironmentVariables(string.Format("{0}", kvp.Value));
string filepath = orig_filepath;
if (MyUtils.GetExecutableFromPath(Environment.ExpandEnvironmentVariables(string.Format("{0}", kvp.Value))).Length > 0)
{
filepath = MyUtils.GetExecutableFromPath(filepath);
}
string filepath_cleaned = filepath.Replace("'", "").Replace("\"", "");
string folder = Path.GetDirectoryName(filepath_cleaned);
try
{
//If the path doesn't exist, pass
if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory))
{
//If the path is already a folder, change the values of the params
orig_filepath = "";
folder = filepath_cleaned;
}
}
catch
{
}
results.Add(new Dictionary <string, string>()
{
{ "Reg", autorunLocation[0] + "\\" + autorunLocation[1] },
{ "RegKey", kvp.Key },
{ "Folder", folder },
{ "File", orig_filepath },
{
"RegPermissions",
string.Join(", ", PermissionsHelper.GetMyPermissionsR(key, Checks.Checks.CurrentUserSiDs))
},
{
"interestingFolderRights",
string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))
},
{
"interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
});
}
}
}
//Check the autoruns that depends on CLSIDs
foreach (List <string> autorunLocation in autorunLocationsKeysCLSIDs)
{
List <string> CLSIDs = RegistryHelper.GetRegSubkeys(autorunLocation[0], autorunLocation[1]).ToList();
foreach (string clsid in CLSIDs)
{
string reg = autorunLocation[1] + "\\" + clsid;
RegistryKey key = null;
if ("HKLM" == autorunLocation[0])
{
key = Registry.LocalMachine.OpenSubKey(reg);
}
else
{
key = Registry.CurrentUser.OpenSubKey(reg);
}
string orig_filepath = MyUtils.GetCLSIDBinPath(clsid);
if (string.IsNullOrEmpty(orig_filepath))
{
continue;
}
orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
string folder = Path.GetDirectoryName(orig_filepath);
results.Add(new Dictionary <string, string>()
{
{ "Reg", autorunLocation[0] + "\\" + reg },
{ "RegKey", "" },
{ "Folder", folder },
{ "File", orig_filepath },
{
"RegPermissions",
string.Join(", ", PermissionsHelper.GetMyPermissionsR(key, Checks.Checks.CurrentUserSiDs))
},
{
"interestingFolderRights",
string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))
},
{
"interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString() }
});
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
return(results);
}