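static void Main(string[] args)
        {
            // Console scanner entry point.
            // 1. collect autostart entries (Startup folders, Run/RunOnce keys, the UserInitMprLogonScript
            //    value, scheduled tasks) into `list`;
            // 2. report LOLBAS matches outright and look up the file hash of other suspect files on VirusTotal;
            // 3. scan Documents/Desktop for Office files and report which ones carry macros.
            // Output is colour-coded on the console; the method blocks on Console.Read() before exiting.
            Console.ForegroundColor = ConsoleColor.White;

            ////////////////////////////////////////////
            // search in autostart filesystem locations
            ////////////////////////////////////////////
            Console.WriteLine("Searching in autostart filesystem locations...");
            List<string> list = new List<string>();

            // Resolve both Startup folders through the shell instead of hard-coding "C:\ProgramData";
            // the system drive is not guaranteed to be C:.
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Startup), list);
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.CommonStartup), list);

            /////////////////////////////////////
            // search in selected registry hives
            /////////////////////////////////////
            Console.WriteLine("Searching in registry...");
            RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", null, list);
            RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", null, list);
            RegistryUtils.regSearch(true, "Environment", "UserInitMprLogonScript", list);

            //////////////////////////
            // search scheduled tasks
            //////////////////////////
            Console.WriteLine("Searching in scheduled tasks...");
            tasksSearch(list);

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine($"\r\nChecking  suspected objects");

            ///////////////////////////////////////
            // search for lolbas objects
            // send suspected hashes to VirusTotal
            ///////////////////////////////////////
            foreach (string path in list)
            {
                // A known living-off-the-land binary is reported as-is; no online lookup is needed.
                if (checkLolbas(path) != null)
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine($"Suspicious object detected: {path}");
                    continue;
                }

                // Only entries that isPathSuspected() flags AND that exist on disk are hashed;
                // registry values and dangling paths are skipped silently, as before.
                if (!isPathSuspected(path) || !File.Exists(path))
                {
                    continue;
                }

                try
                {
                    Console.ForegroundColor = ConsoleColor.DarkGray;
                    Console.WriteLine($"\r\nSending hash of {path} to VirusTotal...");

                    // As far as this method is concerned only the hash is handed to vt(); a null hash
                    // means the file could not be read (locked, access denied).
                    string fileHash = FileUtils.getFileHash(path);
                    if (fileHash == null)
                    {
                        Console.ForegroundColor = ConsoleColor.White;
                        Console.WriteLine($"{path} - Error, can't access this file");
                        continue;
                    }

                    // null from vt() is treated as "no detections" — a lookup failure is not
                    // distinguishable from a clean verdict here, hence the manual-check hint.
                    string detections = vt(fileHash);
                    if (detections != null)
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine($"{path} - {detections} detections");
                    }
                    else
                    {
                        Console.ForegroundColor = ConsoleColor.White;
                        Console.WriteLine($"{path} - no detections but you should check this file manually");
                    }
                }
                catch (Exception)
                {
                    // hashing or the lookup failed; report and move on to the next entry
                    Console.ForegroundColor = ConsoleColor.White;
                    Console.WriteLine($"{path} - Error");
                }
            }

            ////////////////////////////////////////////////////////
            // search for files in My Documents and Desktop folders
            ////////////////////////////////////////////////////////
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("\r\nSearching in user folders...");
            List<string> userFiles = new List<string>();

            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments).ToLower(), userFiles);
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Desktop).ToLower(), userFiles);

            //////////////////////////////////////////////
            // check if any of these files contain macros
            //////////////////////////////////////////////
            // Office formats checked for VBA. Matching is ordinal and case-insensitive so the
            // console session's culture cannot affect which files are inspected.
            string[] macroExtensions = { ".doc", ".docm", ".xls", ".xlsm", ".xlsb" };

            foreach (string dfile in userFiles)
            {
                if (!macroExtensions.Any(e => dfile.EndsWith(e, StringComparison.OrdinalIgnoreCase)))
                {
                    continue;
                }

                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.Write($"\r\nChecking if {dfile} contains macros... ");

                try
                {
                    if (OfficeUtils.containsMacro(dfile))
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.Write(" YES");

                        //if there is a macro add this file to the list of suspected files
                        list.Add(dfile);
                    }
                    else
                    {
                        Console.ForegroundColor = ConsoleColor.Green;
                        Console.Write(" NO");
                    }
                }
                catch (Exception)
                {
                    // A corrupt or locked document must not stop the scan, but the "Checking ..."
                    // line should not be left without a verdict either.
                    Console.ForegroundColor = ConsoleColor.White;
                    Console.Write(" ERROR");
                }
            }

            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("\r\nDone. Press any key to exit");
            Console.Read();
        }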
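        void scan()
        {
            // GUI scan: collects autostart entries, scheduled tasks, running processes and user
            // documents into one list, then classifies each entry and hands the suspicious ones to
            // addObject(). Settings.working is polled between stages and per entry so the UI can
            // cancel a running scan; the method is expected to run off the UI thread (see Invoke).
            List<ScannedObject> list = new List<ScannedObject>();

            if (listView1.InvokeRequired)
            {
                listView1.Invoke(new MethodInvoker(delegate
                {
                    listView1.Items.Clear();
                }));
            }
            else
            {
                listView1.Items.Clear();
            }

            ////////////////////////////////////////////
            // search in autostart filesystem locations
            ////////////////////////////////////////////
            log("Searching in autostart filesystem locations...");
            string appDataDir = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);

            FileUtils.fileSearch(appDataDir + @"\Microsoft\Windows\Start Menu\Programs\Startup", list);
            FileUtils.fileSearch(@"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp", list);
            if (!Settings.working)
            {
                return;
            }

            /////////////////////////////////////
            // search in selected registry hives
            /////////////////////////////////////
            log("Searching in registry...");
            RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", null, list);
            RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", null, list);
            RegistryUtils.regSearch(true, "Environment", "UserInitMprLogonScript", list);
            if (!Settings.working)
            {
                return;
            }

            //////////////////////////
            // search scheduled tasks
            //////////////////////////
            log("Searching in scheduled tasks...");
            tasksSearch(list);
            if (!Settings.working)
            {
                return;
            }

            //////////////////////////
            // search processes
            //////////////////////////
            log("Searching in process list...");
            ProcessUtils.listProcesses(list);
            if (!Settings.working)
            {
                return;
            }

            ////////////////////////////////////////////////////////
            // search for files in My Documents and Desktop folders
            ////////////////////////////////////////////////////////
            log("Searching for documents in user folders...");

            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), list, Settings.dangerousDocumentExtensions);
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Desktop), list, Settings.dangerousDocumentExtensions);
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile) + "\\Downloads", list, Settings.dangerousDocumentExtensions);
            if (!Settings.working)
            {
                return;
            }

            ////////////////////////////////////////////////////////
            // Searching done
            // Check these files and objects
            ////////////////////////////////////////////////////////

            int progressValue = 0;

            // Marshal onto the control that is actually being modified (the original invoked
            // through listView1 while checking progressBar1.InvokeRequired).
            if (progressBar1.InvokeRequired)
            {
                progressBar1.Invoke(new MethodInvoker(delegate
                {
                    progressBar1.Maximum = list.Count;
                }));
            }
            else
            {
                progressBar1.Maximum = list.Count;
            }

            foreach (ScannedObject sobj in list)
            {
                if (!Settings.working)
                {
                    return;
                }

                log($"Checking {sobj.path}...");

                progress(++progressValue);

                // Entries under the tool's own folder are never reported.
                if (sobj.path.Contains(Settings.ignoreFolderName))
                {
                    continue;
                }

                // Registry autostart values are always listed; they still run through the checks
                // below (no `continue` here), which is how the original flow behaved.
                if (sobj.type.Equals("registry"))
                {
                    addObject(sobj);
                }

                string path = sobj.path.ToLower();

                try
                {
                    if (Settings.dangerousDocumentExtensions.Any(e => path.EndsWith(e)))
                    {
                        log($"Checking if {path} contains macros... ");

                        if (OfficeUtils.containsMacro(path))
                        {
                            sobj.type = "macro";
                            addObject(sobj);
                        }
                    }

                    if (sobj.type.Equals("process") && sobj.path.Contains("powershell"))
                    {
                        addObject(sobj);
                    }
                    else if (sobj.path.Contains("regsvr") || sobj.path.Contains("cmd") ||
                             sobj.path.Contains("rundll32"))
                    {
                        // Script hosts are only interesting when their command line points into a
                        // user-writable location. commandLine is presumably only set for process
                        // entries — TODO confirm; guarded here so a missing value is not an error.
                        if (sobj.commandLine != null && sobj.commandLine.Contains("\\Users\\"))
                        {
                            addObject(sobj);
                        }
                    }
                    else if (isPathSuspected(path) && path.EndsWith(".exe"))
                    {
                        bool signerIgnored = false;
                        try
                        {
                            // NOTE(review): CreateFromSignedFile only reads the embedded signer
                            // certificate; it does not verify the Authenticode signature or the
                            // certificate chain, and Subject.Contains is a substring match. The
                            // ignore list therefore only reduces VirusTotal traffic for files that
                            // *claim* a trusted publisher — it is not a trust decision.
                            X509Certificate basicSigner = X509Certificate.CreateFromSignedFile(path);
                            signerIgnored = Settings.certSubjectIgnore.Any(s => basicSigner.Subject.Contains(s));
                        }
                        catch (Exception)
                        {
                            // executable file is not signed (or the signature could not be read):
                            // treat it like any other suspect file
                            signerIgnored = false;
                        }

                        // Single lookup path; the original duplicated this call in both the try and
                        // the catch branch, which also retried the lookup if checkFile() itself threw.
                        if (!signerIgnored)
                        {
                            log($"Checking {path} on VirusTotal... ");

                            string detections = SandboxUtils.checkFile(path);
                            sobj.info = detections;
                            addObject(sobj);
                        }
                    }
                }
                catch (Exception ex)
                {
                    // one unreadable entry must not abort the whole scan, but do not hide it either
                    log($"Error while checking {sobj.path}: {ex.Message}");
                }
            }

            log("Scanning done");
        }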
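        void scan()
        {
            // GUI scan (HKLM + HKCU variant): collects autostart entries, scheduled tasks, running
            // processes and user documents/scripts/jars into one list, then classifies each entry
            // by sobj.type and hands the suspicious ones to addObject(). Settings.working is polled
            // between stages and per entry so the UI can cancel; the method is expected to run off
            // the UI thread (see Invoke).
            List<ScannedObject> list = new List<ScannedObject>();

            if (listView1.InvokeRequired)
            {
                listView1.Invoke(new MethodInvoker(delegate
                {
                    listView1.Items.Clear();
                }));
            }
            else
            {
                listView1.Items.Clear();
            }

            ////////////////////////////////////////////
            // search in autostart filesystem locations
            ////////////////////////////////////////////
            log("Searching in autostart filesystem locations...");
            string appDataDir = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);

            FileUtils.fileSearch(appDataDir + @"\Microsoft\Windows\Start Menu\Programs\Startup", list);
            FileUtils.fileSearch(@"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp", list);
            if (!Settings.working)
            {
                return;
            }

            /////////////////////////////////////
            // search in selected registry hives
            /////////////////////////////////////
            log("Searching in registry...");
            RegistryUtils.regSearch(Registry.LocalMachine, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", null, list);
            RegistryUtils.regSearch(Registry.LocalMachine, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", null, list);

            RegistryUtils.regSearch(Registry.CurrentUser, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", null, list);
            RegistryUtils.regSearch(Registry.CurrentUser, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", null, list);
            RegistryUtils.regSearch(Registry.CurrentUser, "Environment", "UserInitMprLogonScript", list);
            if (!Settings.working)
            {
                return;
            }

            //////////////////////////
            // search scheduled tasks
            //////////////////////////
            log("Searching in scheduled tasks...");
            tasksSearch(list);
            if (!Settings.working)
            {
                return;
            }

            //////////////////////////
            // search processes
            //////////////////////////
            log("Searching in process list...");
            ProcessUtils.listProcesses(list);
            if (!Settings.working)
            {
                return;
            }

            ////////////////////////////////////////////////////////
            // search for files in My Documents and Desktop folders
            ////////////////////////////////////////////////////////
            log("Searching for documents in user folders...");

            // Documents, scripts and Java archives are all collected; they are told apart again
            // by extension in the classification loop below.
            string[] dangerousExt = Settings.dangerousDocumentExtensions
                .Concat(Settings.dangerousScriptExtensions)
                .Concat(new string[] { ".jar" })
                .ToArray();

            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), list, dangerousExt);
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Desktop), list, dangerousExt);
            FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile) + "\\Downloads", list, dangerousExt);
            if (!Settings.working)
            {
                return;
            }

            ////////////////////////////////////////////////////////
            // Searching done
            // Check these files and objects
            ////////////////////////////////////////////////////////

            int progressValue = 0;

            // Marshal onto the control that is actually being modified (the original invoked
            // through listView1 while checking progressBar1.InvokeRequired).
            if (progressBar1.InvokeRequired)
            {
                progressBar1.Invoke(new MethodInvoker(delegate
                {
                    progressBar1.Maximum = list.Count;
                }));
            }
            else
            {
                progressBar1.Maximum = list.Count;
            }

            foreach (ScannedObject sobj in list)
            {
                if (!Settings.working)
                {
                    return;
                }

                log($"Checking {sobj.path} ...");

                progress(++progressValue);

                // Entries under the tool's own folder are never reported.
                if (sobj.path.Contains(Settings.ignoreFolderName))
                {
                    continue;
                }

                // Normalise once: expand %VAR% references, lower-case, strip surrounding quotes.
                string path = Environment.ExpandEnvironmentVariables(sobj.path).ToLower().Trim('\"');
                // commandLine is presumably only populated for process entries — TODO confirm;
                // the null guard keeps file/registry entries from throwing here.
                string cmdline = (sobj.commandLine ?? "").ToLower();

                /////////////////////
                // registry object
                /////////////////////

                if (sobj.type.Equals("registry"))
                {
                    addObject(sobj);
                    continue;
                }

                ///////////////////////
                // file or lnk object
                ///////////////////////

                if (sobj.type.Equals("file") || sobj.type.Equals("lnk"))
                {
                    // Note: the .jar check is independent of the script/document chain below,
                    // so a path can in principle be added twice if ".jar" is also listed in
                    // Settings.dangerousScriptExtensions.
                    if (path.EndsWith(".jar"))
                    {
                        sobj.type = "jar";
                        sobj.info = "";
                        addObject(sobj);
                    }
                    if (Settings.dangerousScriptExtensions.Any(e => path.EndsWith(e)))
                    {
                        sobj.type = "script";
                        sobj.info = "";
                        addObject(sobj);
                    }
                    else if (Settings.dangerousDocumentExtensions.Any(e => path.EndsWith(e)))
                    {
                        log($"Checking if {path} contains macros... ");

                        try
                        {
                            // containsMacro returns a description of the macros found, or "" when none.
                            string macros = OfficeUtils.containsMacro(path);
                            if (!string.IsNullOrEmpty(macros))
                            {
                                sobj.type = "macro";
                                sobj.info = macros;
                                addObject(sobj);
                            }
                        }
                        catch (Exception ex)
                        {
                            // a corrupt or locked document must not abort the whole scan
                            log($"Could not inspect {path}: {ex.Message}");
                        }
                    }

                    continue;
                }

                /////////////////////
                // process object
                /////////////////////

                if (sobj.type.Equals("process"))
                {
                    if (path.Contains("powershell"))
                    {
                        addObject(sobj);
                    }
                    else if (path.Contains("script") || path.Contains("regsvr") || path.Contains("conhost") || path.Contains("cmd") || path.Contains("rundll32") || path.Contains("javaw"))
                    {
                        // Script hosts are only reported when their command line points into a
                        // user-writable location or launches powershell.
                        if (cmdline.Contains("\\users\\") || cmdline.Contains(@"\programdata\") || cmdline.Contains(@"powershell"))
                        {
                            addObject(sobj);
                        }
                    }
                    // Other processes are not checked in this version: the signer-based
                    // VirusTotal lookup of .exe files is disabled.
                    continue;
                }
            }

            log("Scanning done");
        }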