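/// <summary>
/// Resolves the ServiceDll value of a service. The value can live at either of
/// two locations, which are probed in this order:
///  - HKLM\SYSTEM\CurrentControlSet\Services\{serviceName}\Parameters ! ServiceDll  (e.g. DnsCache on Win10)
///  - HKLM\SYSTEM\CurrentControlSet\Services\{serviceName} ! ServiceDll             (e.g. DoSvc on Win10)
/// </summary>
/// <param name="serviceName">Name of the service key under Services.</param>
/// <returns>The ServiceDll string, or null when neither location yields a value.</returns>
private string? GetServiceDll(string serviceName)
{
    // Fix: the original declared the local as non-nullable `string` and assigned null
    // (nullable-context warning); the method contract is `string?`.
    string[] candidatePaths =
    {
        $"SYSTEM\\CurrentControlSet\\Services\\{serviceName}\\Parameters",
        $"SYSTEM\\CurrentControlSet\\Services\\{serviceName}",
    };

    foreach (var path in candidatePaths)
    {
        string? serviceDll = null;
        try
        {
            serviceDll = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, path, "ServiceDll");
        }
        catch
        {
            // Best-effort probe: a missing key or access error simply means
            // "no value here", and the next location is tried.
        }

        if (serviceDll != null)
        {
            return serviceDll;
        }
    }

    return null;
}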
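/// <summary>
/// Re-reads the Blue Iris "server" settings from
/// HKLM\SOFTWARE\Perspective Software\Blue Iris\server into the static fields.
/// If the key is absent nothing is changed. If the server is flagged enabled but
/// any of its values cannot be read, <c>enabled</c> is reset to false.
/// </summary>
public static void Reload()
{
    // Fix: RegistryKey is IDisposable; the original never closed the handle.
    using (RegistryKey server = RegistryUtil.HKLM.OpenSubKey("SOFTWARE\\Perspective Software\\Blue Iris\\server"))
    {
        if (server == null)
        {
            return;
        }

        // Blue Iris stores booleans as the string "1".
        enabled = RegistryUtil.GetStringValue(server, "enable") == "1";
        if (!enabled)
        {
            return;
        }

        try
        {
            lanIp = RegistryUtil.GetStringValue(server, "lanip");
            bindLanIpOnly = RegistryUtil.GetStringValue(server, "bind") == "1";
            port = RegistryUtil.GetIntValue(server, "port", 80);
            authenticate = (AuthenticationMode)RegistryUtil.GetIntValue(server, "authenticate", 0);
            secureonly = RegistryUtil.GetStringValue(server, "secureonly") == "1";
        }
        catch
        {
            // An unreadable value leaves the server reported as disabled rather
            // than half-configured (same policy as the original).
            enabled = false;
        }
    }
}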
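/// <summary>
/// Enumerates the local AppLocker configuration: the state of the AppIDSvc service
/// and, for each rule-collection key under HKLM\Software\Policies\Microsoft\Windows\SrpV2,
/// its EnforcementMode and the "Value" string of every rule subkey.
/// ref - @_RastaMouse https://rastamouse.me/2018/09/enumerating-applocker-config/
/// </summary>
/// <param name="args">Unused.</param>
/// <returns>
/// One <see cref="AppLockerDTO"/> per rule-collection key, or a single
/// "configured: false" DTO when the SrpV2 key is missing or has no subkeys.
/// </returns>
public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    const string srpV2Path = "Software\\Policies\\Microsoft\\Windows\\SrpV2";

    string appIdSvcState = "Service not found";
    using (var wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT Name, State FROM win32_service WHERE Name = 'AppIDSvc'"))
    {
        foreach (var o in wmiData.Get())
        {
            var result = (ManagementObject)o;
            // Keep the sentinel instead of throwing if State comes back null.
            appIdSvcState = result["State"]?.ToString() ?? appIdSvcState;
        }
    }

    var keys = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, srpV2Path);
    if (keys == null || keys.Length == 0)
    {
        yield return new AppLockerDTO(
            configured: false,
            appIdSvcState,
            keyName: null,
            enforcementMode: null,
            rules: null
        );
        yield break;
    }

    foreach (var key in keys)
    {
        var collectionPath = $"{srpV2Path}\\{key}";

        var enforcementMode = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, collectionPath, "EnforcementMode");
        var enforcementModeStr = enforcementMode switch
        {
            null => "not configured",
            0 => "Audit Mode",
            1 => "Enforce Mode",
            _ => $"Unknown value {enforcementMode}"
        };

        // Fix: the original allocated one list before the loop and passed the same
        // instance to every DTO, so each collection's DTO carried (and kept
        // accumulating) the rules of the collections enumerated before it.
        var rules = new List<string>();

        // Fix: GetSubkeyNames can return null (the original already guards the
        // parent key the same way) - the inner foreach would have thrown.
        var ids = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, collectionPath) ?? new string[0];
        foreach (var id in ids)
        {
            var rule = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, $"{collectionPath}\\{id}", "Value");
            // A rule subkey without a "Value" contributes nothing.
            if (rule != null)
            {
                rules.Add(rule);
            }
        }

        yield return new AppLockerDTO(
            configured: true,
            appIdSvcState,
            key,
            enforcementModeStr,
            rules
        );
    }
}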
/// <summary>
/// Reads a registry string value for this runtime. When <c>ComputerName</c> is set,
/// the read goes through <c>wmiRegProv</c> (presumably the remote registry provider -
/// its type is not visible here); otherwise it is a direct local read.
/// </summary>
/// <param name="hive">Hive to read from.</param>
/// <param name="path">Subkey path below the hive.</param>
/// <param name="value">Name of the value to read.</param>
/// <returns>Whatever <c>RegistryUtil.GetStringValue</c> returns (nullable).</returns>
public string? GetStringValue(RegistryHive hive, string path, string value)
{
    bool targetsRemoteHost = !string.IsNullOrEmpty(ComputerName);

    return targetsRemoteHost
        ? RegistryUtil.GetStringValue(hive, path, value, wmiRegProv)
        : RegistryUtil.GetStringValue(hive, path, value);
}
/// <summary>
/// Reads the ImagePath value (the service's command line) from
/// HKLM\SYSTEM\CurrentControlSet\Services\{serviceName}.
/// </summary>
/// <param name="serviceName">Name of the service key under Services.</param>
/// <returns>The ImagePath string, or null when the registry read throws.</returns>
private string? GetServiceCommandFromRegistry(string serviceName)
{
    var serviceKeyPath = $"SYSTEM\\CurrentControlSet\\Services\\{serviceName}";
    string? imagePath;

    try
    {
        imagePath = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, serviceKeyPath, "ImagePath");
    }
    catch
    {
        // Best-effort probe: any registry error is reported as "no command".
        imagePath = null;
    }

    return imagePath;
}
/// <summary>
/// Loads one Blue Iris user record from its registry key.
/// </summary>
/// <param name="key">The user's registry key.</param>
/// <param name="name">The user name, as supplied by the caller.</param>
public UserInfo(RegistryKey key, string name)
{
    // Blue Iris stores booleans as the string "1".
    bool Flag(string valueName) => RegistryUtil.GetStringValue(key, valueName) == "1";

    this.name = name;
    admin = Flag("admin");
    // The stored credential is kept verbatim; nothing in this constructor decodes it.
    password_encoded = RegistryUtil.GetStringValue(key, "password");
    selgroups = RegistryUtil.GetStringValue(key, "selgroups");
    noalerts = Flag("noalerts");
    lanonly = Flag("lanonly");
    enabled = Flag("enabled");
    usegroups = Flag("usegroups");
}
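/// <summary>
/// For every user profile under %SystemDrive%\Users, reports whether a Chrome
/// "Default" profile directory exists and the last-write times of its History,
/// Cookies and "Login Data" files, plus the installed Chrome version taken from
/// the App Paths\chrome.exe registry entry.
/// </summary>
/// <param name="args">Unused.</param>
/// <returns>One <see cref="ChromePresenceDTO"/> per profile that has at least one of the three files.</returns>
public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    var chromeVersion = GetChromeVersion();

    var userFolder = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\Users\\";
    foreach (var dir in Directory.GetDirectories(userFolder))
    {
        if (IsBuiltInProfileDir(dir))
        {
            continue;
        }

        var chromeBasePath = $"{dir}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\";
        if (!Directory.Exists(chromeBasePath))
        {
            continue;
        }

        var history = LastWriteTimeOrMin(chromeBasePath + "History");
        var cookies = LastWriteTimeOrMin(chromeBasePath + "Cookies");
        var loginData = LastWriteTimeOrMin(chromeBasePath + "Login Data");

        if (history != DateTime.MinValue || cookies != DateTime.MinValue || loginData != DateTime.MinValue)
        {
            yield return new ChromePresenceDTO(chromeBasePath, history, cookies, loginData, chromeVersion);
        }
    }

    // Reads the chrome.exe path from App Paths and returns its ProductVersion, or ""
    // when the entry is absent, the file is gone, or the version cannot be read.
    // Fix: the original called GetVersionInfo on an unverified path (throws when the
    // file does not exist) and assigned a possibly-null ProductVersion.
    static string GetChromeVersion()
    {
        var chromePath = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, @"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "");
        if (string.IsNullOrEmpty(chromePath) || !File.Exists(chromePath))
        {
            return "";
        }

        try
        {
            return FileVersionInfo.GetVersionInfo(chromePath).ProductVersion ?? "";
        }
        catch (IOException)
        {
            return "";
        }
    }

    // Fix: the original used culture-sensitive EndsWith, which also skipped any
    // user whose folder merely ends with e.g. "Public"; compare the folder name
    // itself, case-insensitively, since NTFS names are case-insensitive.
    static bool IsBuiltInProfileDir(string dir)
    {
        var folderName = Path.GetFileName(dir.TrimEnd('\\'));
        return folderName.Equals("Public", StringComparison.OrdinalIgnoreCase)
            || folderName.Equals("Default", StringComparison.OrdinalIgnoreCase)
            || folderName.Equals("Default User", StringComparison.OrdinalIgnoreCase)
            || folderName.Equals("All Users", StringComparison.OrdinalIgnoreCase);
    }

    // DateTime.MinValue doubles as "file not present" in the DTO.
    static DateTime LastWriteTimeOrMin(string filePath) =>
        File.Exists(filePath) ? File.GetLastWriteTime(filePath) : DateTime.MinValue;
}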
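/// <summary>
/// Collects basic host/OS information - version values from
/// HKLM\Software\Microsoft\Windows NT\CurrentVersion, integrity and local-admin
/// state, architecture, processor count, VM detection, boot time, host and DNS
/// domain names, time zone, locale and the MachineGuid - into one <see cref="OSInfoDTO"/>.
/// </summary>
/// <param name="args">Unused.</param>
/// <returns>Exactly one <see cref="OSInfoDTO"/>.</returns>
public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    const string currentVersionPath = "Software\\Microsoft\\Windows NT\\CurrentVersion";

    var productName = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "ProductName");
    var editionId = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "EditionID");
    var releaseId = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "ReleaseId");
    var buildBranch = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "BuildBranch");
    var currentMajorVersionNumber = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentMajorVersionNumber");
    var currentVersion = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentVersion");
    var buildNumber = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentBuildNumber");
    var ubr = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "UBR");
    if (!string.IsNullOrEmpty(ubr)) // UBR is not on Win < 10
    {
        buildNumber += "." + ubr;
    }

    var isHighIntegrity = SecurityUtil.IsHighIntegrity();
    var isLocalAdmin = SecurityUtil.IsLocalAdmin();
    var arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
    var processorCount = Environment.ProcessorCount.ToString();
    var isVM = IsVirtualMachine();

    // Environment.TickCount is the low 32 bits of the uptime in milliseconds; reading it
    // as unsigned keeps it positive past ~24.9 days of uptime (it still wraps at ~49.7 days).
    var uptime = TimeSpan.FromMilliseconds(unchecked((uint)Environment.TickCount));
    // Fix: the original computed now - uptime and then added the uptime straight back,
    // so the reported BootTime was simply "now".
    var bootTime = DateTime.UtcNow - uptime;

    var hostName = Dns.GetHostName();
    var dnsDomain = IPGlobalProperties.GetIPGlobalProperties().DomainName;
    var timeZone = TimeZone.CurrentTimeZone;
    var cultureInfo = CultureInfo.InstalledUICulture;
    var machineGuid = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");

    yield return new OSInfoDTO()
    {
        Hostname = hostName,
        Domain = dnsDomain,
        Username = WindowsIdentity.GetCurrent().Name,
        ProductName = productName,
        EditionId = editionId,
        ReleaseId = releaseId,
        Build = buildNumber,
        BuildBranch = buildBranch,
        CurrentMajorVersionNumber = currentMajorVersionNumber,
        CurrentVersion = currentVersion,
        Architecture = arch,
        ProcessorCount = processorCount,
        IsVirtualMachine = isVM,
        BootTime = bootTime,
        IsHighIntegrity = isHighIntegrity,
        IsLocalAdmin = isLocalAdmin,
        Time = DateTime.Now,
        TimeZone = timeZone.StandardName,
        TimeZoneUtcOffset = timeZone.GetUtcOffset(DateTime.Now).ToString(),
        Locale = cultureInfo.ToString(),
        MachineGuid = machineGuid
    };
}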
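/// <summary>
/// For every user profile under \Users (resolved through <c>ThisRunTime</c>, so it
/// also works against a remote host), checks the Chromium-family profile directories
/// (Chrome, Edge, Brave, Opera) and reports the last-write times of their History,
/// Cookies and "Login Data" files. The Chrome version from App Paths\chrome.exe is
/// only resolved when running locally.
/// </summary>
/// <param name="args">Unused.</param>
/// <returns>One <see cref="ChromiumPresenceDTO"/> per profile directory with at least one of the three files.</returns>
public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    var chromeVersion = "";
    if (!ThisRunTime.ISRemote())
    {
        // TODO: translate the chrome path to a UNC path
        chromeVersion = GetLocalChromeVersion();
    }

    string[] profileSuffixes =
    {
        "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\",
        "\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\",
        "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\",
        "\\AppData\\Roaming\\Opera Software\\Opera Stable\\"
    };

    foreach (var dir in ThisRunTime.GetDirectories("\\Users\\"))
    {
        if (IsBuiltInProfileDir(dir))
        {
            continue;
        }

        foreach (var suffix in profileSuffixes)
        {
            var basePath = $"{dir}{suffix}";
            if (!Directory.Exists(basePath))
            {
                continue;
            }

            var history = LastWriteTimeOrMin(basePath + "History");
            var cookies = LastWriteTimeOrMin(basePath + "Cookies");
            // Fix: the file is named "Login Data" (with a space); the original probed
            // "LoginData", which never exists, so loginData was always MinValue.
            var loginData = LastWriteTimeOrMin(basePath + "Login Data");

            if (history != DateTime.MinValue || cookies != DateTime.MinValue || loginData != DateTime.MinValue)
            {
                yield return new ChromiumPresenceDTO(basePath, history, cookies, loginData, chromeVersion);
            }
        }
    }

    // Reads the chrome.exe path from App Paths and returns its ProductVersion, or ""
    // when the entry is absent, the file is gone, or the version cannot be read.
    // Fix: the original called GetVersionInfo on an unverified path (throws when the
    // file does not exist) and assigned a possibly-null ProductVersion.
    static string GetLocalChromeVersion()
    {
        var chromePath = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, @"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "");
        if (string.IsNullOrEmpty(chromePath) || !File.Exists(chromePath))
        {
            return "";
        }

        try
        {
            return FileVersionInfo.GetVersionInfo(chromePath).ProductVersion ?? "";
        }
        catch (IOException)
        {
            return "";
        }
    }

    // Fix: the original used culture-sensitive EndsWith, which also skipped any
    // user whose folder merely ends with e.g. "Public"; compare the folder name
    // itself, case-insensitively, since NTFS names are case-insensitive.
    static bool IsBuiltInProfileDir(string dir)
    {
        var folderName = Path.GetFileName(dir.TrimEnd('\\'));
        return folderName.Equals("Public", StringComparison.OrdinalIgnoreCase)
            || folderName.Equals("Default", StringComparison.OrdinalIgnoreCase)
            || folderName.Equals("Default User", StringComparison.OrdinalIgnoreCase)
            || folderName.Equals("All Users", StringComparison.OrdinalIgnoreCase);
    }

    // DateTime.MinValue doubles as "file not present" in the DTO.
    static DateTime LastWriteTimeOrMin(string filePath) =>
        File.Exists(filePath) ? File.GetLastWriteTime(filePath) : DateTime.MinValue;
}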
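/// <summary>
/// Collects basic host/OS information - version values from
/// HKLM\Software\Microsoft\Windows NT\CurrentVersion, integrity and local-admin
/// state, architecture, processor count, VM detection, boot time (UTC), host and
/// DNS domain names, time zone, locale, current and installed input-language layouts
/// and the MachineGuid - into one <see cref="OSInfoDTO"/>.
/// </summary>
/// <param name="args">Unused.</param>
/// <returns>Exactly one <see cref="OSInfoDTO"/>.</returns>
public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    const string currentVersionPath = "Software\\Microsoft\\Windows NT\\CurrentVersion";

    var productName = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "ProductName");
    var editionId = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "EditionID");
    var releaseId = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "ReleaseId");
    var buildBranch = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "BuildBranch");
    var currentMajorVersionNumber = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentMajorVersionNumber");
    var currentVersion = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentVersion");
    var buildNumber = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentBuildNumber");
    var ubr = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "UBR");
    if (!string.IsNullOrEmpty(ubr)) // UBR is not on Win < 10
    {
        buildNumber += "." + ubr;
    }

    var isHighIntegrity = SecurityUtil.IsHighIntegrity();
    var isLocalAdmin = SecurityUtil.IsLocalAdmin();
    var arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
    var processorCount = Environment.ProcessorCount.ToString();
    var isVM = IsVirtualMachine();

    // Environment.TickCount is the low 32 bits of the uptime in milliseconds; reading it
    // as unsigned keeps it positive past ~24.9 days of uptime (it still wraps at ~49.7 days).
    // Fix: the original subtracted the signed value, which goes negative after ~24.9 days
    // and then yields a boot time in the future.
    var uptime = TimeSpan.FromMilliseconds(unchecked((uint)Environment.TickCount));
    var bootTimeUtc = DateTime.UtcNow - uptime;

    var hostName = Dns.GetHostName();
    var dnsDomain = IPGlobalProperties.GetIPGlobalProperties().DomainName;
    var timeZone = TimeZone.CurrentTimeZone;
    var cultureInfo = CultureInfo.InstalledUICulture;

    var inputLanguage = InputLanguage.CurrentInputLanguage.LayoutName;
    var installedInputLanguages = new List<string>();
    foreach (InputLanguage l in InputLanguage.InstalledInputLanguages)
    {
        installedInputLanguages.Add(l.LayoutName);
    }

    var machineGuid = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");

    // Positional constructor: argument order must match OSInfoDTO's declaration.
    yield return new OSInfoDTO(
        hostName,
        dnsDomain,
        WindowsIdentity.GetCurrent().Name,
        productName,
        editionId,
        releaseId,
        buildNumber,
        buildBranch,
        currentMajorVersionNumber,
        currentVersion,
        arch,
        processorCount,
        isVM,
        bootTimeUtc,
        isHighIntegrity,
        isLocalAdmin,
        DateTime.UtcNow,
        timeZone.StandardName,
        timeZone.GetUtcOffset(DateTime.Now).ToString(),
        cultureInfo.ToString(),
        inputLanguage,
        installedInputLanguages.ToArray(),
        machineGuid
    );
}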
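/// <summary>
/// Collects basic host/OS information into one <see cref="OSInfoDTO"/>. Version values
/// come from HKLM\Software\Microsoft\Windows NT\CurrentVersion via <c>ThisRunTime</c>.
/// Against a remote host the remaining fields are limited to what the runtime exposes
/// (environment variables, the WMI Win32_ComputerSystem domain, MachineGuid); locally
/// the integrity/admin state, boot time, DNS names, time zone, locale and input
/// languages are collected as well.
/// </summary>
/// <param name="args">Unused.</param>
/// <returns>Exactly one <see cref="OSInfoDTO"/>.</returns>
public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    const string currentVersionPath = "Software\\Microsoft\\Windows NT\\CurrentVersion";

    var productName = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "ProductName");
    var editionId = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "EditionID");
    var releaseId = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "ReleaseId");
    var buildBranch = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "BuildBranch");
    // DWORD, not string, on this path; ToString() below gives "" when the value is absent.
    var currentMajorVersionNumber = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentMajorVersionNumber");
    var currentVersion = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentVersion");
    var buildNumber = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "CurrentBuildNumber");
    var ubr = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, currentVersionPath, "UBR");
    if (!string.IsNullOrEmpty(ubr)) // UBR is not on Win < 10
    {
        buildNumber += "." + ubr;
    }

    if (ThisRunTime.ISRemote())
    {
        // Not measured on the remote side; the original reports both as true.
        var isHighIntegrity = true;
        var isLocalAdmin = true;
        var arch = ThisRunTime.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
        var processorCount = ThisRunTime.GetEnvironmentVariable("NUMBER_OF_PROCESSORS");
        var isVM = IsVirtualMachine();
        // Boot time is not collected remotely; MinValue stands for "unknown".
        var bootTimeUtc = new DateTime();
        var hostName = ThisRunTime.ComputerName;

        var domain = "";
        var wmiData = ThisRunTime.GetManagementObjectSearcher(@"root\cimv2", "Select Domain from Win32_ComputerSystem");
        foreach (var o in wmiData.Get())
        {
            var result = (ManagementObject)o;
            // Fix: a null Domain property would have thrown in the original.
            domain = result["Domain"]?.ToString() ?? domain;
        }

        var machineGuid = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");
        var noInputLanguages = new string[0];

        // Positional constructor: argument order must match OSInfoDTO's declaration.
        yield return new OSInfoDTO(
            hostName,
            domain,
            "",
            productName,
            editionId,
            releaseId,
            buildNumber,
            buildBranch,
            currentMajorVersionNumber.ToString(),
            currentVersion,
            arch,
            processorCount,
            isVM,
            bootTimeUtc,
            isHighIntegrity,
            isLocalAdmin,
            DateTime.UtcNow,
            null,
            null,
            null,
            null,
            noInputLanguages,
            machineGuid
        );
    }
    else
    {
        var isHighIntegrity = SecurityUtil.IsHighIntegrity();
        var isLocalAdmin = SecurityUtil.IsLocalAdmin();
        var arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
        var processorCount = Environment.ProcessorCount.ToString();
        var isVM = IsVirtualMachine();

        // Environment.TickCount is the low 32 bits of the uptime in milliseconds; reading it
        // as unsigned keeps it positive past ~24.9 days of uptime (it still wraps at ~49.7 days).
        // Fix: the original subtracted the signed value, which goes negative after ~24.9 days
        // and then yields a boot time in the future.
        var uptime = TimeSpan.FromMilliseconds(unchecked((uint)Environment.TickCount));
        var bootTimeUtc = DateTime.UtcNow - uptime;

        var hostName = Dns.GetHostName();
        var dnsDomain = IPGlobalProperties.GetIPGlobalProperties().DomainName;
        var timeZone = TimeZone.CurrentTimeZone;
        var cultureInfo = CultureInfo.InstalledUICulture;

        var inputLanguage = InputLanguage.CurrentInputLanguage.LayoutName;
        var installedInputLanguages = new List<string>();
        foreach (InputLanguage l in InputLanguage.InstalledInputLanguages)
        {
            installedInputLanguages.Add(l.LayoutName);
        }

        var machineGuid = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");

        // Positional constructor: argument order must match OSInfoDTO's declaration.
        yield return new OSInfoDTO(
            hostName,
            dnsDomain,
            WindowsIdentity.GetCurrent().Name,
            productName,
            editionId,
            releaseId,
            buildNumber,
            buildBranch,
            currentMajorVersionNumber.ToString(),
            currentVersion,
            arch,
            processorCount,
            isVM,
            bootTimeUtc,
            isHighIntegrity,
            isLocalAdmin,
            DateTime.UtcNow,
            timeZone.StandardName,
            timeZone.GetUtcOffset(DateTime.Now).ToString(),
            cultureInfo.ToString(),
            inputLanguage,
            installedInputLanguages.ToArray(),
            machineGuid
        );
    }
}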