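/// <summary>
/// Builds the entries reported for the <c>BootExecute</c> value stored under the
/// <c>BOOT_EXECUTE</c> key of HKEY_LOCAL_MACHINE.
/// </summary>
/// <returns>
/// A list holding a single model for <c>autochk.exe</c> when the value exists and its string
/// form differs from <c>AUTOCHECK</c>; an empty list otherwise, including when the key cannot
/// be opened.
/// </returns>
public static List<BaseModel> GetBootExecuteList()
 {
     List<BaseModel> list = new List<BaseModel>();
     // OpenSubKey returns null for a missing key; return the empty list instead of
     // dereferencing null. The using block releases the registry handle after the read.
     using (RegistryKey key = Registry.LocalMachine.OpenSubKey(BOOT_EXECUTE))
     {
         if (key == null)
         {
             return list;
         }
         object value = key.GetValue("BootExecute");
         // NOTE(review): BootExecute is normally a REG_MULTI_SZ value, for which GetValue
         // returns a string[]; ToString() on an array yields the type name rather than the
         // contents, so this comparison may never match AUTOCHECK. The model added below also
         // describes the fixed autochk.exe path, not the program(s) the value actually names,
         // so a modified BootExecute entry is not itself surfaced. Confirm the intended check.
         if (value != null && !value.ToString().Equals(AUTOCHECK))
         {
             BaseModel model = new FileVersionHelper("C:\\Windows\\System32\\autochk.exe").GetFileInfoModel(AUTOCHECK);
             list.Add(model);
         }
     }
     return list;
 }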
 /// <summary>
 /// Produces one model per value stored under <c>mKey</c>, using each value's data as the
 /// file to describe.
 /// </summary>
 /// <returns>
 /// Models in the order returned by <c>GetValueNames</c>; each model's <c>Name</c> is the
 /// registry value name it came from.
 /// </returns>
 public List<BaseModel> GetModelListByValue()
 {
     var models = new List<BaseModel>();
     string[] valueNames = mKey.GetValueNames();
     for (int i = 0; i < valueNames.Length; i++)
     {
         string entryName = valueNames[i];
         // The raw value data is passed through GetPureValueName (defined elsewhere) before
         // FileVersionHelper sees it.
         string target = GetPureValueName(mKey.GetValue(entryName).ToString());
         BaseModel entry = new FileVersionHelper(target).GetFileInfoModel();
         entry.Name = entryName;
         models.Add(entry);
     }
     return models;
 }
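 /// <summary>
 /// Lists the subkeys of <c>SYSTEM_SERVICES</c> (HKEY_LOCAL_MACHINE) selected by the filters
 /// <c>Type == 1</c> and an <c>IMAGE_PATH</c> value ending in <c>.sys</c>, and builds a file
 /// model for each one.
 /// </summary>
 /// <returns>
 /// One model per selected subkey that has a non-empty image path; the model is labelled with
 /// the last segment of the registry key name.
 /// </returns>
 public static List<BaseModel> GetDriversList()
 {
     List<BaseModel> modelList = new List<BaseModel>();
     Dictionary<String, IFilter> dic = new Dictionary<string, IFilter>();
     dic.Add("Type", new EqualFilter<int>(1));
     dic.Add(IMAGE_PATH, new EndWithFileter(".sys"));
     RegistryReader regReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(SYSTEM_SERVICES));
     List<RegistryKey> regList = regReader.GetSubKeys(dic);
     foreach (RegistryKey r in regList)
     {
         // Check for a missing value before calling ToString(): one service key without an
         // image path must not abort the whole enumeration with a NullReferenceException.
         object imagePath = r.GetValue(IMAGE_PATH);
         if (imagePath == null)
         {
             continue;
         }
         string name = imagePath.ToString();
         if (string.IsNullOrEmpty(name))
         {
             continue;
         }
         // NOTE(review): the on-disk path is rebuilt as "C:\Windows\s" + the part returned by
         // GetLastSubString(name, "system32"). What that yields for a driver whose image path
         // does not contain "system32", or on a system whose Windows directory is not
         // C:\Windows, depends on a helper not visible here; drivers loaded from unusual
         // locations are the ones this listing most needs to report accurately. Confirm.
         name = StringUtils.GetLastSubString(name, "system32");
         name = "C:\\Windows\\s" + name;
         BaseModel model = new FileVersionHelper(name).GetFileInfoModel(StringUtils.GetLastSubString(r.Name, "\\"));
         modelList.Add(model);
     }
     return modelList;
 }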
 /// <summary>
 /// Collects the subkeys of <c>IMAGE_FILE_KEY</c> (HKEY_LOCAL_MACHINE) that pass a
 /// <c>NotNullFilter</c> on their <c>Debugger</c> value and describes the program each
 /// <c>Debugger</c> value points to.
 /// </summary>
 /// <returns>
 /// One model per selected subkey, labelled with the entry name reported by
 /// <c>RegistryReader.GetEntryName</c>.
 /// </returns>
 public static List<BaseModel> GetImageHijacks()
 {
     var criteria = new Dictionary<string, IFilter>();
     criteria.Add("Debugger", new NotNullFilter());

     var imageOptions = new RegistryReader(Registry.LocalMachine.OpenSubKey(IMAGE_FILE_KEY));
     List<RegistryKey> hijackedKeys = imageOptions.GetSubKeys(criteria);

     var findings = new List<BaseModel>();
     for (int i = 0; i < hijackedKeys.Count; i++)
     {
         RegistryKey imageKey = hijackedKeys[i];
         // The Debugger data is handed to FileVersionHelper exactly as stored.
         // NOTE(review): such values can carry arguments after the executable path; whether
         // FileVersionHelper copes with that is not visible here - confirm.
         var debuggerInfo = new FileVersionHelper(imageKey.GetValue("Debugger").ToString());
         string entryName = new RegistryReader(imageKey).GetEntryName();
         findings.Add(debuggerInfo.GetFileInfoModel(entryName));
     }
     return findings;
 }
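 /// <summary>
 /// Builds a model for every subkey of <paramref name="objKey"/> that has an <c>Exec</c>
 /// value or, failing that, a <c>Script</c> value.
 /// </summary>
 /// <param name="objKey">Open registry key whose direct subkeys are inspected.</param>
 /// <returns>
 /// One model per subkey with a usable value, labelled with the entry name reported by
 /// <c>RegistryReader.GetEntryName</c>. Subkeys that raise an exception are written to the
 /// console and skipped.
 /// </returns>
 private static List<BaseModel> MakeListByKey(RegistryKey objKey)
 {
     List<BaseModel> modelList = new List<BaseModel>();
     foreach (string value in objKey.GetSubKeyNames())
     {
         try
         {
             // Each subkey handle is released at the end of its iteration; the RegistryReader
             // wrapping it is only used inside this scope.
             using (RegistryKey subKey = objKey.OpenSubKey(value))
             {
                 // "Exec" takes precedence; "Script" is only consulted when "Exec" is absent.
                 Object exec = subKey.GetValue("Exec") ?? subKey.GetValue("Script");
                 if (exec != null)
                 {
                     FileVersionHelper fHelper = new FileVersionHelper(exec.ToString());
                     RegistryReader regReader = new RegistryReader(subKey);
                     modelList.Add(fHelper.GetFileInfoModel(regReader.GetEntryName()));
                 }
             }
         }
         catch (Exception e)
         {
             // Best effort: one unreadable or vanished subkey must not stop the listing.
             Console.WriteLine(e.ToString());
         }
     }
     return modelList;
 }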
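 /// <summary>
 /// For every subkey name of <paramref name="objKey"/>, looks up the subkey of the same name
 /// under <paramref name="dataKey"/> and describes the file named by the default value of its
 /// <c>INPROCSERVER</c> subkey.
 /// </summary>
 /// <param name="objKey">Key whose subkey names are the identifiers to resolve.</param>
 /// <param name="dataKey">Key under which each identifier is looked up.</param>
 /// <returns>
 /// One model per identifier that resolves, labelled with the default value of the resolved
 /// key. Identifiers that raise an exception (for example a missing <c>INPROCSERVER</c>
 /// subkey) are written to the console and skipped.
 /// </returns>
 private static List<BaseModel> MakeListByKey(RegistryKey objKey, RegistryKey dataKey)
 {
     List<BaseModel> modelList = new List<BaseModel>();
     string[] valueList = objKey.GetSubKeyNames();
     foreach (string value in valueList)
     {
         try
         {
             // Both handles opened per identifier are released when the iteration ends.
             using (RegistryKey rightKey = dataKey.OpenSubKey(value))
             {
                 if (rightKey != null)
                 {
                     using (RegistryKey subKey = rightKey.OpenSubKey(INPROCSERVER))
                     {
                         // GetValue("") reads the key's default (unnamed) value.
                         FileVersionHelper vHelper = new FileVersionHelper(subKey.GetValue("").ToString());
                         modelList.Add(vHelper.GetFileInfoModel(rightKey.GetValue("").ToString()));
                     }
                 }
             }
         }
         catch (Exception e)
         {
             // Best effort: a malformed entry is logged and the remaining ones still listed.
             Console.WriteLine(e.ToString());
         }
     }
     return modelList;
 }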
 /// <summary>
 /// Describes the provider library recorded in each subkey of <c>PROTOCOL_CATAOG</c>
 /// (HKEY_LOCAL_MACHINE).
 /// </summary>
 /// <returns>
 /// One model per catalog subkey. The library path comes from the <c>PackedCatalogItem</c>
 /// bytes; the label is the <c>ProtocolName</c> value, or the file description of the
 /// referenced DLL when <c>ProtocolName</c> contains ".dll".
 /// </returns>
 public static List<BaseModel> GetWinsockProviderList()
 {
     var providers = new List<BaseModel>();
     var catalogReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(PROTOCOL_CATAOG));
     List<RegistryKey> catalogEntries = catalogReader.GetSubKeys(null);
     var dllReference = new ContainFileter(".dll");
     for (int i = 0; i < catalogEntries.Count; i++)
     {
         RegistryKey entry = catalogEntries[i];

         // The binary blob is decoded with the system default code page and passed through
         // RemoveTailByTag with a NUL tag.
         byte[] packed = (byte[])entry.GetValue("PackedCatalogItem");
         string libraryPath = StringUtils.RemoveTailByTag(System.Text.Encoding.Default.GetString(packed), "\0");

         string label = entry.GetValue("ProtocolName").ToString();
         if (dllReference.Filter(label))
         {
             // NOTE(review): Substring(14) presumably drops a fixed "@%SystemRoot%\" prefix
             // from the resource reference - confirm against real catalog data.
             string resource = RegistryReader.GetPureValueName(label);
             label = FileVersionInfo.GetVersionInfo("C:\\Windows\\" + resource.Substring(14)).FileDescription;
         }

         string resolvedPath = libraryPath.Replace("%SystemRoot%", "C:\\Windows");
         providers.Add(new FileVersionHelper(resolvedPath).GetFileInfoModel(label));
     }
     return providers;
 }
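 /// <summary>
 /// Lists the subkeys of <c>SYSTEM_SERVICES</c> (HKEY_LOCAL_MACHINE) selected by the filters
 /// <c>Type</c> (16, 32) and <c>Start</c> (2), and describes the binary behind each one.
 /// </summary>
 /// <returns>
 /// One model per selected service, labelled with the last segment of the registry key name.
 /// When the image path contains "svchost" the model describes the <c>ServiceDLL</c> value of
 /// the <c>Parameters</c> subkey; otherwise it describes the image path itself. Services for
 /// which neither can be read are skipped.
 /// </returns>
 public static List<BaseModel> GetServicesList()
 {
     List<BaseModel> modelList = new List<BaseModel>();
     Dictionary<string, IFilter> dic = new Dictionary<string, IFilter>();
     dic.Add("Type", new EqualFilter<int>(16, 32));
     dic.Add("Start", new EqualFilter<int>(2));
     ContainFileter svhost = new ContainFileter("svchost");
     RegistryReader regReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(SYSTEM_SERVICES));
     List<RegistryKey> regList = regReader.GetSubKeys(dic);
     foreach (RegistryKey r in regList)
     {
         // Read the image path once and skip the key when it is absent, so a single
         // incomplete service entry cannot abort the whole listing.
         object imagePath = r.GetValue(IMAGE_PATH);
         if (imagePath == null)
         {
             continue;
         }
         string image = imagePath.ToString();
         string name;
         if (!svhost.Filter(image))
         {
             name = RegistryReader.GetPureValueName(image);
         }
         else
         {
             // For a svchost-hosted service the code that runs is the DLL named under
             // Parameters, not svchost itself. The subkey handle is released after the read.
             using (RegistryKey paramKey = r.OpenSubKey("Parameters"))
             {
                 object serviceDll = paramKey == null ? null : paramKey.GetValue("ServiceDLL");
                 if (serviceDll == null)
                 {
                     continue;
                 }
                 name = serviceDll.ToString();
             }
         }
         BaseModel model = new FileVersionHelper(name).GetFileInfoModel(StringUtils.GetLastSubString(r.Name, "\\"));
         modelList.Add(model);
     }
     return modelList;
 }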
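 /// <summary>
 /// Reads every file in <c>WINDOWS_TASKS</c> whose name plus ".job" is found in
 /// <c>SYSTEM_TASKS</c>, extracts the text between <c>COMMADN_TAG</c> and
 /// <c>_COMMADN_TAG</c> from the first line containing the opening tag, and describes that
 /// command.
 /// </summary>
 /// <returns>
 /// One model per matching task file, labelled "&lt;file name&gt;.job", with
 /// <c>ImagePath</c> set to the extracted command (empty when no opening tag was found).
 /// </returns>
 public static List<BaseModel> GetSchedulerTaskList()
 {
     List<BaseModel> modelList = new List<BaseModel>();
     DirectoryInfo dir = new DirectoryInfo(WINDOWS_TASKS);
     DirectoryInfo taskDir = new DirectoryInfo(SYSTEM_TASKS);
     foreach (FileInfo file in dir.GetFiles())
     {
         if (!FileUtils.DirContainFile(taskDir, file.Name + ".job"))
         {
             continue;
         }
         string realName = "";
         // The reader is disposed per file so task definitions are not left open.
         using (StreamReader sReader = new StreamReader(file.FullName))
         {
             string line;
             while ((line = sReader.ReadLine()) != null)
             {
                 // Ordinal search: the tags are markup, not linguistic text.
                 int start = line.IndexOf(COMMADN_TAG, StringComparison.Ordinal);
                 if (start == -1)
                 {
                     continue;
                 }
                 int commandStart = start + COMMADN_TAG.Length;
                 // Look for the closing tag only after the opening one. When it is not on this
                 // line, keep the rest of the line instead of failing on a negative length,
                 // which would stop the listing for every remaining task.
                 int commandEnd = line.IndexOf(_COMMADN_TAG, commandStart, StringComparison.Ordinal);
                 realName = commandEnd == -1
                     ? line.Substring(commandStart)
                     : line.Substring(commandStart, commandEnd - commandStart);
                 break;
             }
         }
         BaseModel model = new FileVersionHelper(realName).GetFileInfoModel(file.Name + ".job");
         model.ImagePath = realName;
         modelList.Add(model);
     }
     return modelList;
 }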
 /// <summary>
 /// Describes each ".dll" value read from <c>KNOWN_DLLS</c> (HKEY_LOCAL_MACHINE), resolving
 /// every name against the fixed directory <c>C:\Windows\System32\</c>.
 /// </summary>
 /// <returns>One model per value returned by the reader, in the reader's order.</returns>
 public static List<BaseModel> GetKnownDllsList()
 {
     var knownDllsReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(KNOWN_DLLS));
     List<string> dllNames = knownDllsReader.GetValues(new EndWithFileter(".dll"));

     var models = new List<BaseModel>();
     for (int i = 0; i < dllNames.Count; i++)
     {
         // Values are bare file names; the directory is prepended here.
         string fullPath = "C:\\Windows\\System32\\" + dllNames[i];
         models.Add(new FileVersionHelper(fullPath).GetFileInfoModel());
     }
     return models;
 }