public static Dictionary <string, string> GetModifiableServices(Dictionary <string, string> SIDs)
{
Dictionary <string, string> results = new Dictionary <string, string>();
ServiceController[] scServices;
scServices = ServiceController.GetServices();
var GetServiceHandle = typeof(System.ServiceProcess.ServiceController).GetMethod("GetServiceHandle", BindingFlags.Instance | BindingFlags.NonPublic);
object[] readRights = { 0x00020000 };
foreach (ServiceController sc in scServices)
{
try
{
IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights);
ServiceControllerStatus status = sc.Status;
byte[] psd = new byte[0];
uint bufSizeNeeded;
bool ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122 || err == 0)
{ // ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + _name + ": error code=" + err);
continue;
}
}
if (!ok)
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + _name + ": error code=" + Marshal.GetLastWin32Error());
continue;
}
// get security descriptor via raw into DACL form so ACE ordering checks are done for us.
RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
List <string> permissions = new List <string>();
foreach (System.Security.AccessControl.CommonAce ace in dacl)
{
if (SIDs.ContainsKey(ace.SecurityIdentifier.ToString()))
{
int serviceRights = ace.AccessMask;
string current_perm_str = MyUtils.PermInt2Str(serviceRights, true, true);
if (!String.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str))
{
permissions.Add(current_perm_str);
}
}
}
if (permissions.Count > 0)
{
string perms = String.Join(", ", permissions);
if (perms.Replace("Start", "").Replace("Stop", "").Length > 3) //Check if any other permissions appart from Start and Stop
{
results.Add(sc.ServiceName, perms);
}
}
}
catch (Exception ex)
{
//Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
}
return(results);
}
public static List <Dictionary <string, string> > GetNonstandardServicesFromReg()
{
List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();
try
{
foreach (string key in MyUtils.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services"))
{
Dictionary <string, object> key_values = MyUtils.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + key);
if (key_values.ContainsKey("DisplayName") && key_values.ContainsKey("ImagePath"))
{
string companyName = "";
string isDotNet = "";
string pathName = Environment.ExpandEnvironmentVariables(String.Format("{0}", key_values["ImagePath"]).Replace("\\SystemRoot\\", "%SystemRoot%\\"));
string binaryPath = MyUtils.ReconstructExecPath(pathName);
if (binaryPath != "")
{
try
{
FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
companyName = myFileVersionInfo.CompanyName;
isDotNet = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
}
catch (Exception ex)
{
// Not enough privileges
}
}
string displayName = String.Format("{0}", key_values["DisplayName"]);
string imagePath = String.Format("{0}", key_values["ImagePath"]);
string description = key_values.ContainsKey("Description") ? String.Format("{0}", key_values["Description"]) : "";
string startMode = "";
if (key_values.ContainsKey("Start"))
{
switch (key_values["Start"].ToString())
{
case "0":
startMode = "Boot";
break;
case "1":
startMode = "System";
break;
case "2":
startMode = "Autoload";
break;
case "3":
startMode = "System";
break;
case "4":
startMode = "Manual";
break;
case "5":
startMode = "Disabled";
break;
}
}
if (String.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
{
Dictionary <string, string> toadd = new Dictionary <string, string>();
toadd["Name"] = String.Format("{0}", displayName);
toadd["DisplayName"] = String.Format("{0}", displayName);
toadd["CompanyName"] = companyName;
toadd["State"] = "";
toadd["StartMode"] = startMode;
toadd["PathName"] = pathName;
toadd["FilteredPath"] = binaryPath;
toadd["isDotNet"] = isDotNet;
toadd["Description"] = description;
results.Add(toadd);
}
}
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return(results);
}
public static List <string> GetUsersFolders()
{
return(MyUtils.ListFolder("Users"));
}
public static SortedDictionary <string, Dictionary <string, string> > GetInstalledAppsPerms()
{
//Get from Program Files
SortedDictionary <string, Dictionary <string, string> > results = GetInstalledAppsPermsPath(@Path.GetPathRoot(Environment.SystemDirectory) + "Program Files");
SortedDictionary <string, Dictionary <string, string> > results2 = GetInstalledAppsPermsPath(@Path.GetPathRoot(Environment.SystemDirectory) + "Program Files (x86)");
results.Concat(results2).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
//Get from Uninstall
string[] subkeys = MyUtils.GetRegSubkeys("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall");
if (subkeys != null)
{
foreach (string app in subkeys)
{
string installLocation = MyUtils.GetRegValue("HKLM", String.Format(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0}", app), "InstallLocation");
if (String.IsNullOrEmpty(installLocation))
{
continue;
}
installLocation = installLocation.Replace("\"", "");
if (installLocation.EndsWith(@"\"))
{
installLocation = installLocation.Substring(0, installLocation.Length - 1);
}
if (!results.ContainsKey(installLocation) && Directory.Exists(installLocation))
{
bool already = false;
foreach (string path in results.Keys)
{
if (installLocation.IndexOf(path) != -1) //Check for subfoldres of already found folders
{
already = true;
break;
}
}
if (!already)
{
results[installLocation] = MyUtils.GetRecursivePrivs(installLocation);
}
}
}
}
subkeys = MyUtils.GetRegSubkeys("HKLM", @"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall");
if (subkeys != null)
{
foreach (string app in subkeys)
{
string installLocation = MyUtils.GetRegValue("HKLM", String.Format(@"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0}", app), "InstallLocation");
if (String.IsNullOrEmpty(installLocation))
{
continue;
}
installLocation = installLocation.Replace("\"", "");
if (installLocation.EndsWith(@"\"))
{
installLocation = installLocation.Substring(0, installLocation.Length - 1);
}
if (!results.ContainsKey(installLocation) && Directory.Exists(installLocation))
{
bool already = false;
foreach (string path in results.Keys)
{
if (installLocation.IndexOf(path) != -1) //Check for subfoldres of already found folders
{
already = true;
break;
}
}
if (!already)
{
results[installLocation] = MyUtils.GetRecursivePrivs(installLocation);
}
}
}
}
return(results);
}
public static Dictionary <string, Dictionary <string, string> > GetCachedGPPPassword()
{ //From SharpUP
Dictionary <string, Dictionary <string, string> > results = new Dictionary <string, Dictionary <string, string> >();
try
{
string allUsers = System.Environment.GetEnvironmentVariable("ALLUSERSPROFILE");
if (!allUsers.Contains("ProgramData"))
{
// Before Windows Vista, the default value of AllUsersProfile was "C:\Documents and Settings\All Users"
// And after, "C:\ProgramData"
allUsers += "\\Application Data";
}
allUsers += "\\Microsoft\\Group Policy\\History"; // look only in the GPO cache folder
List <String> files = MyUtils.FindFiles(allUsers, "*.xml");
// files will contain all XML files
foreach (string file in files)
{
if (!(file.Contains("Groups.xml") || file.Contains("Services.xml") ||
file.Contains("Scheduledtasks.xml") || file.Contains("DataSources.xml") ||
file.Contains("Printers.xml") || file.Contains("Drives.xml")))
{
continue; // uninteresting XML files, move to next
}
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(file);
if (!xmlDoc.InnerXml.Contains("cpassword"))
{
continue; // no "cpassword" => no interesting content, move to next
}
Console.WriteLine("\r\n{0}", file);
string cPassword = "";
string UserName = "";
string NewName = "";
string Changed = "";
if (file.Contains("Groups.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/Groups/User/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/Groups/User");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("userName"))
{
UserName = attr.Value;
}
if (attr.Name.Equals("newName"))
{
NewName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
//Console.WriteLine("\r\nA{0}", a.Attributes[0].Value);
}
else if (file.Contains("Services.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/NTServices/NTService/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/NTServices/NTService");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("accountName"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
else if (file.Contains("Scheduledtasks.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/ScheduledTasks/Task/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/ScheduledTasks/Task");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("runAs"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
else if (file.Contains("DataSources.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/DataSources/DataSource/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/DataSources/DataSource");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("username"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
else if (file.Contains("Printers.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/Printers/SharedPrinter/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/Printers/SharedPrinter");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("username"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
else
{
// Drives.xml
XmlNode a = xmlDoc.SelectSingleNode("/Drives/Drive/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/Drives/Drive");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("username"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
if (UserName.Equals(""))
{
UserName = "******";
}
if (NewName.Equals(""))
{
NewName = "[BLANK]";
}
if (cPassword.Equals(""))
{
cPassword = "******";
}
else
{
cPassword = DecryptGPP(cPassword);
}
if (Changed.Equals(""))
{
Changed = "[BLANK]";
}
results[file] = new Dictionary <string, string>();
results[file]["UserName"] = UserName;
results[file]["NewName"] = NewName;
results[file]["cPassword"] = cPassword;
results[file]["Changed"] = Changed;
}
}
catch (Exception ex)
{
Console.WriteLine(String.Format(" [X] Exception: {0}", ex.Message));
}
return(results);
}
//////////////////////////////////////
/////// Get Autorun Registry ////////
//////////////////////////////////////
/// Find Autorun registry where you have write or equivalent access
public static List <Dictionary <string, string> > GetRegistryAutoRuns(Dictionary <string, string> NtAccountNames)
{
List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();
try
{
List <List <String> > autorunLocations = new List <List <string> >()
{
//Common Autoruns
new List <String> {
"HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
},
new List <String> {
"HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
},
new List <String> {
"HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
},
new List <String> {
"HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
},
new List <String> {
"HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
},
new List <String> {
"HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
},
new List <String> {
"HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
},
new List <String> {
"HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
},
new List <String> {
"HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run"
},
new List <String> {
"HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce"
},
new List <String> {
"HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunEx"
},
//Service Autoruns
new List <String> {
"HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService"
},
new List <String> {
"HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
},
new List <String> {
"HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService"
},
new List <String> {
"HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
},
new List <String> {
"HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService"
},
new List <String> {
"HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
},
new List <String> {
"HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService"
},
new List <String> {
"HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
},
//Special Autorun
new List <String> {
"HKLM", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"
},
new List <String> {
"HKLM", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"
},
new List <String> {
"HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"
},
new List <String> {
"HKCU", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"
},
//Startup Path
new List <String> {
"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"
},
new List <String> {
"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"
},
new List <String> {
"HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"
},
new List <String> {
"HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"
},
//Winlogon
new List <String> {
"HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"
},
new List <String> {
"HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"
},
//Policy Settings
new List <String> {
"HKLM", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"
},
new List <String> {
"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"
},
//AlternateShell in SafeBoot
new List <String> {
"HKLM", "SYSTEM\\CurrentControlSet\\Control\\SafeBoot", "AlternateShell"
},
//Font Drivers
new List <String> {
"HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
},
new List <String> {
"HKLM", @"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
},
//Open Command
new List <String> {
"HKLM", @"SOFTWARE\Classes\htmlfile\shell\open\command", ""
}, //Get (Default) value with empty string
new List <String> {
"HKLM", @"SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command", ""
}, //Get (Default) value with empty string
};
List <List <String> > autorunLocationsKeys = new List <List <String> >
{
//Installed Components
new List <String> {
"HKLM", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "StubPath"
},
new List <String> {
"HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components", "StubPath"
},
new List <String> {
"HKCU", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "StubPath"
},
new List <String> {
"HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components", "StubPath"
},
};
//This registry expect subkeys with the CLSID name
List <List <String> > autorunLocationsKeysCLSIDs = new List <List <String> >
{
//Browser Helper Objects
new List <String> {
"HKLM", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
},
new List <String> {
"HKLM", @"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
},
//Internet Explorer Extensions
new List <String> {
"HKLM", @"Software\Microsoft\Internet Explorer\Extensions"
},
new List <String> {
"HKLM", @"Software\Wow6432Node\Microsoft\Internet Explorer\Extensions"
},
};
//Add the keyvalues inside autorunLocationsKeys to autorunLocations
foreach (List <String> autorunLocationKey in autorunLocationsKeys)
{
List <String> subkeys = MyUtils.GetRegSubkeys(autorunLocationKey[0], autorunLocationKey[1]).ToList();
foreach (String keyname in subkeys)
{
string clsid_name = keyname;
Match clsid = Regex.Match(keyname, @"^\W*(\{[\w\-]+\})\W*");
if (clsid.Groups.Count > 1) //Sometime the CLSID is bad writting and this kind of fix common mistakes
{
clsid_name = clsid.Groups[1].ToString();
}
if (autorunLocationKey.Count > 2)
{
autorunLocations.Add(new List <string> {
autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2]
});
}
else
{
autorunLocations.Add(new List <string> {
autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name
});
}
}
}
//Read registry and get values
foreach (List <String> autorunLocation in autorunLocations)
{
Dictionary <string, object> settings = MyUtils.GetRegValues(autorunLocation[0], autorunLocation[1]);
if ((settings != null) && (settings.Count != 0))
{
foreach (KeyValuePair <string, object> kvp in settings)
{
RegistryKey key = null;
if ("HKLM" == autorunLocation[0])
{
key = Registry.LocalMachine.OpenSubKey(autorunLocation[1]);
}
else
{
key = Registry.CurrentUser.OpenSubKey(autorunLocation[1]);
}
if (autorunLocation.Count > 2 && kvp.Key != autorunLocation[2])
{
continue; //If only interested on 1 key of the registry and it's that one, continue
}
string orig_filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
string filepath = orig_filepath;
if (MyUtils.GetExecutableFromPath(Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value))).Length > 0)
{
filepath = MyUtils.GetExecutableFromPath(filepath);
}
string filepath_cleaned = filepath.Replace("'", "").Replace("\"", "");
string folder = System.IO.Path.GetDirectoryName(filepath_cleaned);
try
{ //If the path doesn't exist, pass
if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory))
{ //If the path is already a folder, change the values of the params
orig_filepath = "";
folder = filepath_cleaned;
}
}
catch
{
}
results.Add(new Dictionary <string, string>()
{
{ "Reg", autorunLocation[0] + "\\" + autorunLocation[1] },
{ "RegKey", kvp.Key },
{ "Folder", folder },
{ "File", orig_filepath },
{
"RegPermissions",
string.Join(", ", MyUtils.GetMyPermissionsR(key, Program.currentUserSIDs))
},
{
"interestingFolderRights",
String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs))
},
{
"interestingFileRights",
orig_filepath.Length > 1 ? String.Join(", ", MyUtils.GetPermissionsFile(orig_filepath, Program.currentUserSIDs)) : ""
},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
});
}
}
}
//Check the autoruns that depends on CLSIDs
foreach (List <String> autorunLocation in autorunLocationsKeysCLSIDs)
{
List <String> CLSIDs = MyUtils.GetRegSubkeys(autorunLocation[0], autorunLocation[1]).ToList();
foreach (String clsid in CLSIDs)
{
string reg = autorunLocation[1] + "\\" + clsid;
RegistryKey key = null;
if ("HKLM" == autorunLocation[0])
{
key = Registry.LocalMachine.OpenSubKey(reg);
}
else
{
key = Registry.CurrentUser.OpenSubKey(reg);
}
string orig_filepath = MyUtils.GetCLSIDBinPath(clsid);
if (String.IsNullOrEmpty(orig_filepath))
{
continue;
}
orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
string folder = System.IO.Path.GetDirectoryName(orig_filepath);
results.Add(new Dictionary <string, string>()
{
{ "Reg", autorunLocation[0] + "\\" + reg },
{ "RegKey", "" },
{ "Folder", folder },
{ "File", orig_filepath },
{
"RegPermissions",
string.Join(", ", MyUtils.GetMyPermissionsR(key, Program.currentUserSIDs))
},
{
"interestingFolderRights",
String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs))
},
{
"interestingFileRights",
orig_filepath.Length > 1 ? String.Join(", ", MyUtils.GetPermissionsFile(orig_filepath, Program.currentUserSIDs)) : ""
},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString() }
});
}
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return(results);
}
//From Seatbelt
public static Dictionary <string, string> GetBasicOSInfo()
{
Dictionary <string, string> results = new Dictionary <string, string>();
try
{
string ProductName = MyUtils.GetRegValue("HKLM", "Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
string EditionID = MyUtils.GetRegValue("HKLM", "Software\\Microsoft\\Windows NT\\CurrentVersion", "EditionID");
string ReleaseId = MyUtils.GetRegValue("HKLM", "Software\\Microsoft\\Windows NT\\CurrentVersion", "ReleaseId");
string BuildBranch = MyUtils.GetRegValue("HKLM", "Software\\Microsoft\\Windows NT\\CurrentVersion", "BuildBranch");
string CurrentMajorVersionNumber = MyUtils.GetRegValue("HKLM", "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentMajorVersionNumber");
string CurrentVersion = MyUtils.GetRegValue("HKLM", "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion");
bool isHighIntegrity = MyUtils.IsHighIntegrity();
CultureInfo ci = CultureInfo.InstalledUICulture;
string systemLang = ci.Name;
var timeZone = TimeZoneInfo.Local;
InputLanguage myCurrentLanguage = InputLanguage.CurrentInputLanguage;
string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
string userName = Environment.GetEnvironmentVariable("USERNAME");
string ProcessorCount = Environment.ProcessorCount.ToString();
bool isVM = IsVirtualMachine();
DateTime now = DateTime.Now;
String strHostName = Dns.GetHostName();
IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
string dnsDomain = properties.DomainName;
const string query = "SELECT HotFixID FROM Win32_QuickFixEngineering";
var search = new ManagementObjectSearcher(query);
var collection = search.Get();
string hotfixes = "";
foreach (ManagementObject quickFix in collection)
{
hotfixes += quickFix["HotFixID"].ToString() + ", ";
}
results.Add("Hostname", strHostName);
if (dnsDomain.Length > 1)
{
results.Add("Domain Name", dnsDomain);
}
results.Add("ProductName", ProductName);
results.Add("EditionID", EditionID);
results.Add("ReleaseId", ReleaseId);
results.Add("BuildBranch", BuildBranch);
results.Add("CurrentMajorVersionNumber", CurrentMajorVersionNumber);
results.Add("CurrentVersion", CurrentVersion);
results.Add("Architecture", arch);
results.Add("ProcessorCount", ProcessorCount);
results.Add("SystemLang", systemLang);
results.Add("KeyboardLang", myCurrentLanguage.Culture.EnglishName);
results.Add("TimeZone", timeZone.DisplayName);
results.Add("IsVirtualMachine", isVM.ToString());
results.Add("Current Time", now.ToString());
results.Add("HighIntegrity", isHighIntegrity.ToString());
results.Add("PartOfDomain", Program.partofdomain.ToString());
results.Add("Hotfixes", hotfixes);
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return(results);
}
