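/// <summary>
/// Starts the three <see cref="FileSystemWatcher"/>s this tool keeps over
/// the Windows directory (<c>sysroot</c>), the current user's temp directory
/// (<c>usertemp</c>) and the system temp directory (<c>sysroot</c> + <c>temp\</c>).
/// </summary>
/// <remarks>
/// Only the <see cref="FileSystemWatcher.Changed"/> event is subscribed even though the
/// notify filter includes <see cref="NotifyFilters.FileName"/>; creations, deletions and
/// renames raise separate events and are not observed here (presumably a newly written file
/// is still caught through its size change — confirm against the handlers). Watcher
/// callbacks run on thread-pool threads, so the shared writer is acquired before any watcher
/// is enabled; the original ordering fetched it last, leaving a window in which a handler
/// could observe a null <c>w</c>. Each <c>Path</c> assignment throws
/// <see cref="ArgumentException"/> if the directory does not exist.
/// </remarks>
public FileWatchers()
{
    // Acquire the shared writer first: events may fire as soon as EnableRaisingEvents is set.
    w = Writer.getInstance();

    // Intentionally string concatenation (not Path.Combine) to keep the trailing backslash
    // that the rest of the class appears to rely on.
    systemp = sysroot + "temp\\";

    //c:\Windows
    psexecWatcher = CreateWatcher(sysroot, false, psexecChanged);
    //%temp%
    exploitWatcher = CreateWatcher(usertemp, true, exploitChanged);
    //c:\windows\temp
    systempWatcher = CreateWatcher(systemp, false, systempChanged);
}

/// <summary>
/// Builds and enables a watcher over <paramref name="path"/> that reports file-name and
/// size notifications through <paramref name="onChanged"/>.
/// </summary>
/// <param name="path">Directory to watch; must exist or <see cref="FileSystemWatcher.Path"/> throws.</param>
/// <param name="includeSubdirectories">Whether nested directories are watched as well.</param>
/// <param name="onChanged">Handler wired to the <see cref="FileSystemWatcher.Changed"/> event.</param>
/// <returns>The enabled watcher; the caller owns it and is responsible for disposing it.</returns>
private static FileSystemWatcher CreateWatcher(string path, bool includeSubdirectories, FileSystemEventHandler onChanged)
{
    FileSystemWatcher watcher = new FileSystemWatcher();
    watcher.Path = path;
    watcher.Filter = "*.*";
    watcher.NotifyFilter = NotifyFilters.FileName | NotifyFilters.Size;
    watcher.IncludeSubdirectories = includeSubdirectories;
    watcher.Changed += onChanged;
    watcher.EnableRaisingEvents = true;
    return watcher;
}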
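// The Security log this instance listens to. Kept as a field so the subscription can be
// torn down later; as a constructor local it could not be reached again after construction.
private readonly EventLog securityLog;

/// <summary>
/// Subscribes to new entries in the Windows Security event log and forwards them to
/// <c>entryWritten</c>.
/// </summary>
/// <remarks>
/// Reading the Security log requires elevated rights; without them enabling the
/// subscription typically fails with a <see cref="System.Security.SecurityException"/>,
/// which this constructor does not catch. <see cref="EventLog.EntryWritten"/> is only raised
/// for entries written on the local machine and the framework coalesces writes that occur
/// within about five seconds of each other, so bursts arrive as a single notification.
/// The handler runs on a thread-pool thread, so the state it uses (<c>w</c>, <c>builder</c>)
/// is initialised before events are enabled; the original ordering did this afterwards.
/// </remarks>
public EventLogWatchers()
{
    // Shared state must exist before the first callback can arrive.
    w = Writer.getInstance();
    builder = new StringBuilder();

    securityLog = new EventLog("Security");
    securityLog.EntryWritten += new EntryWrittenEventHandler(entryWritten);
    securityLog.EnableRaisingEvents = true;
}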
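/// <summary>
/// Subscribes to WMI process-start events (<c>Win32_ProcessStartTrace</c>) and routes
/// them to <c>watcher_EventArrived</c>.
/// </summary>
/// <remarks>
/// <c>Win32_ProcessStartTrace</c> is an ETW-backed extrinsic event class that normally
/// requires administrative rights to subscribe; <see cref="ManagementEventWatcher.Start"/>
/// throws a <see cref="ManagementException"/> otherwise, and this constructor does not
/// catch it. Events are delivered on a thread-pool thread, so <c>w</c> and <c>builder</c>
/// (presumably used by the handler) are assigned before the watcher starts. The original
/// ordering started the watcher first, leaving a window in which a process start could
/// reach the handler with null fields.
/// </remarks>
public ProcWatchers()
{
    w = Writer.getInstance();
    builder = new StringBuilder();

    // WMI provides a process-creation feed without installing a driver or hooking APIs.
    watcher = new ManagementEventWatcher();
    watcher.Query = new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace");
    watcher.EventArrived += new EventArrivedEventHandler(watcher_EventArrived);
    watcher.Start();
}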
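// Guards lazy creation of the singleton. getInstance is called from the constructors of
// the watcher classes and potentially from their event handlers, which run on thread-pool
// threads; an unsynchronised null check could create two writers.
private static readonly object instanceLock = new object();

/// <summary>
/// Returns the process-wide <see cref="Writer"/>, creating it on first use.
/// </summary>
/// <returns>The single shared instance; never null.</returns>
public static Writer getInstance()
{
    lock (instanceLock)
    {
        if (instance == null)
        {
            instance = new Writer();
        }
        return instance;
    }
}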
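/// <summary>
/// Subscribes to WMI registry-change events for the autostart locations this tool guards:
/// the current user's <c>Run</c> key under <c>HKEY_USERS\{SID}</c>, the machine-wide query
/// in <c>bootSql</c> and the services query in <c>serviceSql</c>.
/// </summary>
/// <remarks>
/// <c>userWatch</c>, <c>bootWatch</c> and <c>serviceWatch</c> are expected to be constructed
/// at their declaration (not visible here). The user query embeds the caller's own SID,
/// which comes from the process token rather than from untrusted input, so no WQL escaping
/// is applied beyond the doubled backslashes the provider requires.
/// <c>RegistryTreeChangeEvent</c> only reports that something under the root changed, not
/// what; the handlers presumably rescan the key. <see cref="WindowsIdentity.User"/> is null
/// for an anonymous identity, in which case this throws as the original did. The shared
/// writer is obtained before any watcher starts so neither the handlers nor
/// <c>initialize()</c> can observe a null <c>w</c>.
/// </remarks>
public RegistryWatchers()
{
    // Obtain the writer before any watcher can deliver an event.
    w = Writer.getInstance();

    string userSid;
    // WindowsIdentity wraps a token handle; release it once the SID has been read.
    using (WindowsIdentity currentUser = WindowsIdentity.GetCurrent())
    {
        userSid = currentUser.User.Value;
    }

    WqlEventQuery bootQuery = new WqlEventQuery(bootSql);
    WqlEventQuery serviceQuery = new WqlEventQuery(serviceSql);
    WqlEventQuery userQuery = new WqlEventQuery(
        "SELECT * FROM RegistryTreeChangeEvent WHERE "
        + "Hive = 'HKEY_USERS' "
        + @"AND RootPath = '" + userSid + @"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'");

    userWatch.Query = userQuery;
    bootWatch.Query = bootQuery;
    serviceWatch.Query = serviceQuery;

    userWatch.EventArrived += new EventArrivedEventHandler(currentUserEvent);
    userWatch.Start();
    bootWatch.EventArrived += new EventArrivedEventHandler(localMachineEvent);
    bootWatch.Start();
    serviceWatch.EventArrived += new EventArrivedEventHandler(serviceEvent);
    serviceWatch.Start();

    initialize();
}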
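// Monitors are retained for the lifetime of the form so they can be stopped on shutdown;
// as constructor locals they could not be reached again after construction.
private FileWatchers fileWatch;
private EventLogWatchers eventLogWatch;

/// <summary>
/// Builds the tray icon and main window, wires the shared <c>Writer</c> log into the GUI,
/// and starts every monitor (file system, registry, Security event log, process starts).
/// </summary>
/// <remarks>
/// The monitors subscribe to OS event sources that require administrative rights (the
/// Security log, <c>Win32_ProcessStartTrace</c>, watchers under the Windows directory);
/// their constructors throw when those rights are missing and nothing here catches that.
/// The log path <c>output.txt</c> is relative and therefore resolves against the process
/// working directory, which for an auto-started process may not be the install directory
/// (TODO confirm whether <c>setPath</c> makes it absolute). If the embedded icon resource is
/// missing, <c>GetManifestResourceStream</c> returns null and the <c>Icon</c> constructor
/// throws <see cref="ArgumentException"/>, as it did originally.
/// </remarks>
public AntiPwny()
{
    icon = new NotifyIcon();
    icon.Text = "Antipwny";
    // Icon(Stream) copies the image data, so the resource stream can be released at once;
    // the original never disposed it.
    using (System.IO.Stream iconStream = System.Reflection.Assembly.GetExecutingAssembly()
        .GetManifestResourceStream("AnalysisEngine.Resources.icon.ico"))
    {
        icon.Icon = new System.Drawing.Icon(iconStream);
    }
    icon.ContextMenu = new ContextMenu();
    icon.ContextMenu.MenuItems.Add("Exit", OnExit);
    icon.DoubleClick += new EventHandler(ShowGui);
    icon.Visible = true;

    InitializeComponent();
    initializeGui();

    // Attach the GUI to the log before any monitor starts so early entries are not missed.
    w = Writer.getInstance();
    w.LogAdded += HandleItemAdded;
    builder = new StringBuilder();
    w.setPath("output.txt");

    fileWatch = new FileWatchers();
    regwatch = new RegistryWatchers();
    regwatch.addRegistry += regwatch_addRegistry;
    regwatch.removedEntry += regwatch_removedEntry;
    eventLogWatch = new EventLogWatchers();
    proc = new ProcWatchers();

    rescanButton.Enabled = false;
    procListUpdater.RunWorkerAsync();
}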