// TODO: check out https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna#L10
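        /// <summary>
        /// Lists running processes, joined with WMI Win32_Process for the executable path and
        /// command line, and keeps only those whose binary is not tagged as a Microsoft product.
        /// </summary>
        /// <returns>
        /// One dictionary per retained process with the keys Name, ProcessID, ExecutablePath,
        /// Product, Owner, isDotNet and CommandLine. Values are never null (empty string instead).
        /// Processes whose ExecutablePath WMI reports as null are skipped. On any failure the
        /// error is printed and the entries collected so far are returned.
        /// </returns>
        public static List <Dictionary <string, string> > GetProcessInfo()
        {
            List <Dictionary <string, string> > final_results = new List <Dictionary <string, string> >();

            try
            {
                var wmiQueryString = "SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process";
                using (var searcher = new ManagementObjectSearcher(wmiQueryString))
                using (var results = searcher.Get())
                {
                    // ProcessId is a uint32 in WMI; Process.Id is an int, hence the double cast.
                    var query = from p in Process.GetProcesses()
                                join mo in results.Cast <ManagementObject>()
                                on p.Id equals (int)(uint) mo["ProcessId"]
                                select new
                                {
                                    Process     = p,
                                    Path        = (string)mo["ExecutablePath"],
                                    CommandLine = (string)mo["CommandLine"],
                                    Owner       = GetProcessUser(p),   // Needed inside the next foreach
                                };

                    foreach (var item in query)
                    {
                        if (item.Path == null)
                        {
                            continue;
                        }

                        string companyName = "";
                        string isDotNet    = "";
                        try
                        {
                            FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(item.Path);
                            // CompanyName is null when the image carries no version resource.
                            companyName = myFileVersionInfo.CompanyName ?? "";
                            isDotNet    = MyUtils.CheckIfDotNet(item.Path) ? "isDotNet" : "";
                        }
                        catch (Exception)
                        {
                            // Not enough privileges to read the image; keep the process with an empty Product.
                        }

                        // NOTE: CompanyName is free text from the PE version resource, not an integrity
                        // check, so "starts with Microsoft" is only a noise filter, not a trust decision.
                        // Ordinal comparison replaces the former culture-sensitive Regex match.
                        if (String.IsNullOrEmpty(companyName) || !companyName.StartsWith("Microsoft", StringComparison.OrdinalIgnoreCase))
                        {
                            Dictionary <string, string> toadd = new Dictionary <string, string>();
                            toadd["Name"]           = item.Process.ProcessName;
                            toadd["ProcessID"]      = item.Process.Id.ToString();
                            toadd["ExecutablePath"] = item.Path;
                            toadd["Product"]        = companyName;
                            toadd["Owner"]          = item.Owner ?? "";
                            toadd["isDotNet"]       = isDotNet;
                            toadd["CommandLine"]    = item.CommandLine ?? "";
                            final_results.Add(toadd);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(final_results);
        }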
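        /// <summary>
        /// Lists services from WMI win32_service and keeps those whose binary is not tagged as a
        /// Microsoft product.
        /// </summary>
        /// <returns>
        /// One dictionary per retained service with the keys Name, DisplayName, CompanyName, State,
        /// StartMode, PathName, FilteredPath, isDotNet and Description. FilteredPath is the first
        /// drive-rooted .exe/.dll/.sys path extracted from PathName, or "" when none is recognised.
        /// Services with a null PathName are skipped. On failure the error is printed and the
        /// entries collected so far are returned.
        /// </returns>
        public static List <Dictionary <string, string> > GetNonstandardServices()
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            try
            {
                // Both the searcher and the collection are IDisposable (WMI handles); dispose them.
                using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT * FROM win32_service"))
                using (ManagementObjectCollection data = wmiData.Get())
                {
                    foreach (ManagementObject result in data)
                    {
                        if (result["PathName"] == null)
                        {
                            continue;
                        }

                        // Strip quotes/arguments: keep the first drive-rooted path ending in .exe/.dll/.sys.
                        Match  path        = Regex.Match(result["PathName"].ToString(), @"^\W*([a-z]:\\.+?(\.exe|\.dll|\.sys))\W*", RegexOptions.IgnoreCase);
                        string binaryPath  = path.Success ? path.Groups[1].Value : "";
                        string companyName = "";
                        string isDotNet    = "";
                        if (binaryPath.Length > 0)
                        {
                            try
                            {
                                FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                                // CompanyName is null when the image carries no version resource.
                                companyName = myFileVersionInfo.CompanyName ?? "";
                                isDotNet    = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                            }
                            catch (Exception)
                            {
                                // Not enough privileges to read the image; keep the service with an empty CompanyName.
                            }
                        }

                        // NOTE: CompanyName is free text from the PE version resource, not an integrity
                        // check, so "starts with Microsoft" is only a noise filter, not a trust decision.
                        if (String.IsNullOrEmpty(companyName) || !companyName.StartsWith("Microsoft", StringComparison.OrdinalIgnoreCase))
                        {
                            Dictionary <string, string> toadd = new Dictionary <string, string>();
                            toadd["Name"]         = String.Format("{0}", result["Name"]);
                            toadd["DisplayName"]  = String.Format("{0}", result["DisplayName"]);
                            toadd["CompanyName"]  = companyName;
                            toadd["State"]        = String.Format("{0}", result["State"]);
                            toadd["StartMode"]    = String.Format("{0}", result["StartMode"]);
                            toadd["PathName"]     = String.Format("{0}", result["PathName"]);
                            toadd["FilteredPath"] = binaryPath;
                            toadd["isDotNet"]     = isDotNet;
                            toadd["Description"]  = String.Format("{0}", result["Description"]);
                            results.Add(toadd);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                // Same reporting channel as the sibling collectors.
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }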
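        /// <summary>
        /// Lists services from HKLM\SYSTEM\CurrentControlSet\Services (registry fallback when WMI is
        /// unavailable) and keeps those whose binary is not tagged as a Microsoft product.
        /// </summary>
        /// <returns>
        /// One dictionary per retained service with the same keys as GetNonstandardServices: Name
        /// (the service key name), DisplayName, CompanyName, State (always "" — the registry has no
        /// runtime state), StartMode, PathName (ImagePath with environment variables expanded),
        /// FilteredPath, isDotNet and Description. Keys lacking DisplayName or ImagePath are skipped.
        /// On failure the error is printed and the entries collected so far are returned.
        /// </returns>
        public static List <Dictionary <string, string> > GetNonstandardServicesFromReg()
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            try
            {
                foreach (string key in MyUtils.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services"))
                {
                    Dictionary <string, object> key_values = MyUtils.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + key);

                    object displayNameValue;
                    object imagePathValue;
                    if (!key_values.TryGetValue("DisplayName", out displayNameValue) || !key_values.TryGetValue("ImagePath", out imagePathValue))
                    {
                        continue;
                    }

                    string companyName = "";
                    string isDotNet    = "";
                    string imagePath   = String.Format("{0}", imagePathValue);
                    // Kernel-style "\SystemRoot\..." paths are rewritten (case-insensitively) to an
                    // environment form so ExpandEnvironmentVariables can resolve them.
                    string pathName    = Environment.ExpandEnvironmentVariables(Regex.Replace(imagePath, @"\\SystemRoot\\", @"%SystemRoot%\", RegexOptions.IgnoreCase));
                    string binaryPath  = MyUtils.ReconstructExecPath(pathName);
                    if (binaryPath != "")
                    {
                        try
                        {
                            FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                            // CompanyName is null when the image carries no version resource.
                            companyName = myFileVersionInfo.CompanyName ?? "";
                            isDotNet    = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                        }
                        catch (Exception)
                        {
                            // Not enough privileges to read the image; keep the service with an empty CompanyName.
                        }
                    }

                    string displayName = String.Format("{0}", displayNameValue);
                    object descriptionValue;
                    string description = key_values.TryGetValue("Description", out descriptionValue) ? String.Format("{0}", descriptionValue) : "";

                    // "Start" holds the SERVICE_*_START type: 0 boot, 1 system, 2 auto, 3 demand (manual),
                    // 4 disabled. The previous mapping shifted 3/4 and invented a value 5.
                    string startMode = "";
                    object startValue;
                    if (key_values.TryGetValue("Start", out startValue))
                    {
                        switch (String.Format("{0}", startValue))
                        {
                        case "0":
                            startMode = "Boot";
                            break;

                        case "1":
                            startMode = "System";
                            break;

                        case "2":
                            startMode = "Autoload";
                            break;

                        case "3":
                            startMode = "Manual";
                            break;

                        case "4":
                            startMode = "Disabled";
                            break;
                        }
                    }

                    // NOTE: CompanyName is free text from the PE version resource, not an integrity
                    // check, so "starts with Microsoft" is only a noise filter, not a trust decision.
                    if (String.IsNullOrEmpty(companyName) || !companyName.StartsWith("Microsoft", StringComparison.OrdinalIgnoreCase))
                    {
                        Dictionary <string, string> toadd = new Dictionary <string, string>();
                        // Name is the service (registry key) name, matching the WMI collector's "Name".
                        toadd["Name"]         = key;
                        toadd["DisplayName"]  = displayName;
                        toadd["CompanyName"]  = companyName;
                        toadd["State"]        = "";
                        toadd["StartMode"]    = startMode;
                        toadd["PathName"]     = pathName;
                        toadd["FilteredPath"] = binaryPath;
                        toadd["isDotNet"]     = isDotNet;
                        toadd["Description"]  = description;
                        results.Add(toadd);
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("  [X] Exception: {0}", ex.Message));
            }
            return(results);
        }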