public static List<BaseModel> GetDriversList()
{
List<BaseModel> modelList = new List<BaseModel>();
Dictionary<String, IFilter> dic = new Dictionary<string, IFilter>();
dic.Add("Type", new EqualFilter<int>(1));
dic.Add(IMAGE_PATH, new EndWithFileter(".sys"));
RegistryReader regReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(SYSTEM_SERVICES));
List<RegistryKey> regList = regReader.GetSubKeys(dic);
foreach (RegistryKey r in regList)
{
string name = r.GetValue(IMAGE_PATH).ToString();
if (name != null && !name.Equals(""))
{
name = StringUtils.GetLastSubString(name, "system32");
name = "C:\\Windows\\s" + name;
BaseModel model = new FileVersionHelper(name).GetFileInfoModel(StringUtils.GetLastSubString(r.Name, "\\"));
modelList.Add(model);
}
}
return modelList;
}
public static List<BaseModel> GetImageHijacks()
{
List<BaseModel> list = new List<BaseModel>();
RegistryReader rReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(IMAGE_FILE_KEY));
Dictionary<string, IFilter> dic = new Dictionary<string, IFilter>();
dic.Add("Debugger", new NotNullFilter());
List<RegistryKey> kList = rReader.GetSubKeys(dic);
foreach (RegistryKey k in kList)
{
string name = k.GetValue("Debugger").ToString();
BaseModel model = new FileVersionHelper(name).GetFileInfoModel(new RegistryReader(k).GetEntryName());
list.Add(model);
}
return list;
}
private static List<BaseModel> MakeListByKey(RegistryKey objKey)
{
List<BaseModel> modelList = new List<BaseModel>();
foreach (string value in objKey.GetSubKeyNames())
{
try
{
RegistryKey subKey = objKey.OpenSubKey(value);
Object exec = subKey.GetValue("Exec");
if (exec == null)
{
exec = subKey.GetValue("Script");
}
if (exec != null)
{
FileVersionHelper fHelper = new FileVersionHelper(exec.ToString());
RegistryReader regReader = new RegistryReader(subKey);
modelList.Add(fHelper.GetFileInfoModel(regReader.GetEntryName()));
}
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
}
}
return modelList;
}
private static List<BaseModel> GetModelListByKey(RegistryKey key)
{
RegistryReader regReader = new RegistryReader(key);
return regReader.GetModelListByValue();
}
public static List<BaseModel> GetWinsockProviderList()
{
List<BaseModel> list = new List<BaseModel>();
RegistryReader rReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(PROTOCOL_CATAOG));
List<RegistryKey> kl = rReader.GetSubKeys(null);
ContainFileter cf = new ContainFileter(".dll");
foreach (RegistryKey key in kl)
{
string value = System.Text.Encoding.Default.GetString((byte[])key.GetValue("PackedCatalogItem"));
value = StringUtils.RemoveTailByTag(value, "\0");
string name = key.GetValue("ProtocolName").ToString();
if (cf.Filter(name))
{
name = RegistryReader.GetPureValueName(name);
FileVersionInfo info = FileVersionInfo.GetVersionInfo("C:\\Windows\\" + name.Substring(14));
name = info.FileDescription;
}
BaseModel model = new FileVersionHelper(value.Replace("%SystemRoot%", "C:\\Windows")).GetFileInfoModel(name);
list.Add(model);
}
return list;
}
public static List<BaseModel> GetServicesList()
{
List<BaseModel> modelList = new List<BaseModel>();
Dictionary<string, IFilter> dic = new Dictionary<string, IFilter>();
dic.Add("Type", new EqualFilter<int>(16, 32));
dic.Add("Start", new EqualFilter<int>(2));
ContainFileter svhost = new ContainFileter("svchost");
RegistryReader regReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(SYSTEM_SERVICES));
List<RegistryKey> regList = regReader.GetSubKeys(dic);
foreach (RegistryKey r in regList)
{
RegistryKey paramKey = r.OpenSubKey("Parameters");
string name = "";
if (!svhost.Filter(r.GetValue(IMAGE_PATH).ToString()))
{
name = r.GetValue(IMAGE_PATH).ToString();
name = RegistryReader.GetPureValueName(name);
}
else if (paramKey != null)
{
name = paramKey.GetValue("ServiceDLL").ToString();
}
else
{
continue;
}
BaseModel model = new FileVersionHelper(name).GetFileInfoModel(StringUtils.GetLastSubString(r.Name, "\\"));
modelList.Add(model);
}
return modelList;
}
public static List<BaseModel> GetKnownDllsList()
{
List<BaseModel> list = new List<BaseModel>();
RegistryReader rReader = new RegistryReader(Registry.LocalMachine.OpenSubKey(KNOWN_DLLS));
List<string> ls = rReader.GetValues(new EndWithFileter(".dll"));
foreach (string s in ls)
{
BaseModel model = new FileVersionHelper("C:\\Windows\\System32\\" + s).GetFileInfoModel();
list.Add(model);
}
return list;
}
