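//From Seatbelt
/// <summary>
/// Reads the Windows Event Forwarding subscription-manager policy values from
/// HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager.
/// </summary>
/// <returns>
/// Value name -> value text. REG_MULTI_SZ values are joined with ","; any other value type is
/// rendered with its default string form. Empty when the key is absent or unreadable.
/// </returns>
public static Dictionary<string, string> GetWEFSettings()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", "Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager");
        if (settings != null)
        {
            foreach (KeyValuePair<string, object> kvp in settings)
            {
                // Registry values are not guaranteed to be strings (a REG_DWORD comes back boxed as
                // an int); a hard (string) cast would throw and discard every value read so far.
                string[] multi = kvp.Value as string[];
                results[kvp.Key] = multi != null ? string.Join(",", multi) : String.Format("{0}", kvp.Value);
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}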
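//From https://stackoverflow.com/questions/1331887/detect-antivirus-on-windows-using-c-sharp
/// <summary>
/// Queries the antivirus products registered with the Security Center (WMI namespace
/// root\SecurityCenter2, class AntiVirusProduct) and the Windows Defender path exclusion list.
/// </summary>
/// <returns>
/// "Name", "ProductEXE" and "pathToSignedReportingExe" for the registered products (when more than
/// one product is registered the values are joined with ", "), plus "whitelistpaths" when Defender
/// path exclusions exist. Keys are absent when the corresponding source has nothing to report.
/// </returns>
public static Dictionary<string, string> GetAVInfo()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    string whitelistpaths = "";
    try
    {
        // GetRegValues may return null when the key is missing or access is denied; the original
        // dereferenced .Keys unconditionally and skipped the WMI query on that NullReferenceException.
        Dictionary<string, object> exclusions = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths");
        if (exclusions != null)
        {
            whitelistpaths = String.Join("\n ", exclusions.Keys);
        }

        List<string> names = new List<string>();
        List<string> productExes = new List<string>();
        List<string> reportingExes = new List<string>();
        using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct"))
        using (ManagementObjectCollection data = wmiData.Get())
        {
            foreach (ManagementObject virusChecker in data)
            {
                using (virusChecker)
                {
                    // The original overwrote the three entries on every iteration, so with several
                    // registered products only the last one was reported.
                    names.Add(String.Format("{0}", virusChecker["displayName"]));
                    productExes.Add(String.Format("{0}", virusChecker["pathToSignedProductExe"]));
                    reportingExes.Add(String.Format("{0}", virusChecker["pathToSignedReportingExe"]));
                }
            }
        }
        if (names.Count > 0)
        {
            results["Name"] = String.Join(", ", names);
            results["ProductEXE"] = String.Join(", ", productExes);
            results["pathToSignedReportingExe"] = String.Join(", ", reportingExes);
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    if (!String.IsNullOrEmpty(whitelistpaths))
    {
        results["whitelistpaths"] = " " + whitelistpaths; //Add this info the last
    }
    return results;
}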
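//From Seatbelt
/// <summary>
/// Collects the installed PowerShell engine versions and the machine-wide (HKLM) PowerShell
/// logging policies: transcription, module logging and script block logging.
/// </summary>
/// <returns>
/// "PowerShell v2 Version", "PowerShell v5 Version", "Transcription Settings",
/// "Module Logging Settings" and "Scriptblock Logging Settings". Each policy entry holds one
/// " name : value" line per registry value, or "" when the policy is not configured.
/// </returns>
public static Dictionary<string, string> GetPowerShellSettings()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        results["PowerShell v2 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
        results["PowerShell v5 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");
        // Initialised up front so the keys exist even if a later read throws.
        results["Transcription Settings"] = "";
        results["Module Logging Settings"] = "";
        results["Scriptblock Logging Settings"] = "";

        results["Transcription Settings"] = FormatPolicyValues(GetPolicyValuesWithWowFallback("Transcription"));
        results["Module Logging Settings"] = FormatPolicyValues(GetPolicyValuesWithWowFallback("ModuleLogging"));
        // The original assigned (=) instead of appending (+=) here, so only the last script block
        // logging value survived.
        results["Scriptblock Logging Settings"] = FormatPolicyValues(GetPolicyValuesWithWowFallback("ScriptBlockLogging"));
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}

// Reads HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\<policy>, falling back to the
// Wow6432Node view when the native view has no values. Returns null/empty when neither has any.
private static Dictionary<string, object> GetPolicyValuesWithWowFallback(string policy)
{
    Dictionary<string, object> values = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\" + policy);
    if (values == null || values.Count == 0)
    {
        // The original Transcription fallback carried a stray "HKLM\" prefix inside the subkey
        // path, so it could never resolve; all three policies now use the same path shape.
        values = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\" + policy);
    }
    return values;
}

// Formats one " name : value" line per registry value (same layout as the original output);
// "" when there are no values.
private static string FormatPolicyValues(Dictionary<string, object> values)
{
    string text = "";
    if (values == null)
    {
        return text;
    }
    foreach (KeyValuePair<string, object> kvp in values)
    {
        text += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
    }
    return text;
}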
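// From seatbelt
/// <summary>
/// Reads the audit policy values stored under
/// HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit.
/// </summary>
/// <returns>
/// Value name -> value text. REG_MULTI_SZ values are joined with ","; any other value type is
/// rendered with its default string form. Empty when the key is absent or unreadable.
/// </returns>
public static Dictionary<string, string> GetAuditSettings()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit");
        if (settings != null)
        {
            foreach (KeyValuePair<string, object> kvp in settings)
            {
                // A hard (string) cast throws for non-string value types (e.g. a boxed REG_DWORD)
                // and would discard every value read so far.
                string[] multi = kvp.Value as string[];
                results[kvp.Key] = multi != null ? string.Join(",", multi) : String.Format("{0}", kvp.Value);
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex);
    }
    return results;
}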
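//////////////////////////////////////
/////// Get Autorun Registry ////////
//////////////////////////////////////
/// <summary>
/// Enumerates the HKLM Run/RunOnce/RunService/RunOnceService autorun values (native and
/// Wow6432Node views) and reports, for each entry, the permissions on the registry key,
/// the target file and its folder.
/// </summary>
/// <param name="NtAccountNames">Account-name map handed to MyUtils.GetMyPermissionsR.</param>
/// <returns>
/// One dictionary per autorun value with "Reg", "Folder", "File", "RegPermissions",
/// "interestingFolderRights", "interestingFileRights" and "isUnquotedSpaced".
/// </returns>
public static List<Dictionary<string, string>> GetRegistryAutoRuns(Dictionary<string, string> NtAccountNames)
{
    List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
    try
    {
        string[] autorunLocations = new string[]
        {
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
        };

        foreach (string autorunLocation in autorunLocations)
        {
            Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
            if (settings == null || settings.Count == 0)
            {
                continue;
            }

            // Open the key once per location and release it afterwards; the original re-opened
            // it for every value and never disposed any of the handles.
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(autorunLocation))
            {
                foreach (KeyValuePair<string, object> kvp in settings)
                {
                    try
                    {
                        string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
                        string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));
                        results.Add(new Dictionary<string, string>()
                        {
                            { "Reg", "HKLM\\" + autorunLocation },
                            { "Folder", folder },
                            { "File", filepath },
                            { "RegPermissions", string.Join(", ", MyUtils.GetMyPermissionsR(key, NtAccountNames)) },
                            { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) },
                            { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs)) },
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
                        });
                    }
                    catch (Exception ex)
                    {
                        // One malformed value (e.g. invalid path characters rejected by
                        // GetDirectoryName) must not discard the entries already collected.
                        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}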
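/// <summary>
/// Enumerates the HKLM Run/RunOnce/RunService/RunOnceService autorun values (native and
/// Wow6432Node views) and reports, for each entry, whether the key is writable and which
/// interesting rights exist on the target file and its folder.
/// </summary>
/// <returns>
/// One dictionary per autorun value with "Reg", "Folder", "File", "isWritableReg",
/// "interestingFolderRights", "interestingFileRights" and "isUnquotedSpaced".
/// </returns>
public static List<Dictionary<string, string>> GetRegistryAutoRuns()
{
    List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
    try
    {
        string[] autorunLocations = new string[]
        {
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
        };

        foreach (string autorunLocation in autorunLocations)
        {
            Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
            if (settings == null || settings.Count == 0)
            {
                continue;
            }

            // Writability of the key does not depend on the value, so check it once per location.
            string isWritableReg = MyUtils.CheckWriteAccessReg("HKLM", autorunLocation).ToString();

            foreach (KeyValuePair<string, object> kvp in settings)
            {
                try
                {
                    string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
                    string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));
                    results.Add(new Dictionary<string, string>()
                    {
                        { "Reg", "HKLM\\" + autorunLocation },
                        { "Folder", folder },
                        { "File", filepath },
                        { "isWritableReg", isWritableReg },
                        { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups)) },
                        { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups)) },
                        { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
                    });
                }
                catch (Exception ex)
                {
                    // One malformed value (e.g. invalid path characters rejected by
                    // GetDirectoryName) must not discard the entries already collected.
                    Console.WriteLine(ex);
                }
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex);
    }
    return results;
}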
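//From Seatbelt
/// <summary>
/// Collects the installed PowerShell engine versions and the machine-wide (HKLM) PowerShell
/// logging policies: transcription, module logging and script block logging.
/// </summary>
/// <returns>
/// "PowerShell v2 Version", "PowerShell v5 Version", "Transcription Settings",
/// "Module Logging Settings" and "Scriptblock Logging Settings". Each policy entry holds one
/// " name : value" line per registry value, or "" when the policy is not configured.
/// </returns>
public static Dictionary<string, string> GetPowerShellSettings()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        results["PowerShell v2 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
        results["PowerShell v5 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");
        // Initialised up front so the keys exist even if a later read throws.
        results["Transcription Settings"] = "";
        results["Module Logging Settings"] = "";
        results["Scriptblock Logging Settings"] = "";

        results["Transcription Settings"] = FormatRegValuesBlock(MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription"));
        results["Module Logging Settings"] = FormatRegValuesBlock(MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging"));
        // The original assigned (=) instead of appending (+=) here, so only the last script block
        // logging value survived.
        results["Scriptblock Logging Settings"] = FormatRegValuesBlock(MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging"));
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex);
    }
    return results;
}

// Formats one " name : value" line per registry value (same layout as the original output);
// "" when the dictionary is null or empty.
private static string FormatRegValuesBlock(Dictionary<string, object> values)
{
    string text = "";
    if (values == null)
    {
        return text;
    }
    foreach (KeyValuePair<string, object> kvp in values)
    {
        text += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
    }
    return text;
}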
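//From Seatbelt
/// <summary>
/// Reads the system-wide environment variables from
/// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment.
/// </summary>
/// <returns>
/// Variable name -> value text. REG_MULTI_SZ values are joined with ","; any other value type is
/// rendered with its default string form. Empty when the key is absent or unreadable.
/// </returns>
public static Dictionary<string, string> GetSystemEnvVariables()
{
    Dictionary<string, string> result = new Dictionary<string, string>();
    try
    {
        Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment");
        if (settings != null)
        {
            foreach (KeyValuePair<string, object> kvp in settings)
            {
                // A hard (string) cast throws for non-string value types and would discard every
                // variable read so far.
                string[] multi = kvp.Value as string[];
                result[kvp.Key] = multi != null ? string.Join(",", multi) : String.Format("{0}", kvp.Value);
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return result;
}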
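//From Seatbelt
/// <summary>
/// Lists the Internet Settings values (proxy configuration among them) under
/// &lt;root_reg&gt;\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
/// </summary>
/// <param name="root_reg">Hive name understood by MyUtils.GetRegValues, e.g. "HKLM" or "HKCU".</param>
/// <returns>
/// Value name -> value text. REG_MULTI_SZ values are joined with ",", binary values are rendered
/// as hex bytes, null values as "". Empty when the key is absent or unreadable.
/// </returns>
public static Dictionary<string, string> GetInternetSettings(string root_reg)
{
    // lists user/system internet settings, including default proxy info
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        Dictionary<string, object> proxySettings = MyUtils.GetRegValues(root_reg, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings");
        if (proxySettings != null)
        {
            foreach (KeyValuePair<string, object> kvp in proxySettings)
            {
                results[kvp.Key] = FormatInternetSettingValue(kvp.Value);
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}

// Renders a registry value for display. The original called .ToString() on the raw object,
// which threw on a null value and printed "System.Byte[]" for binary values.
private static string FormatInternetSettingValue(object value)
{
    if (value == null)
    {
        return "";
    }
    string[] multi = value as string[];
    if (multi != null)
    {
        return string.Join(",", multi);
    }
    byte[] binary = value as byte[];
    if (binary != null)
    {
        return BitConverter.ToString(binary);
    }
    return value.ToString();
}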
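//From Seatbelt
/// <summary>
/// Collects the installed PowerShell engine versions, the PowerShell logging policies
/// (transcription, module logging, script block logging) from both HKLM and HKCU, and the
/// location and size of the current user's PSReadLine console history file.
/// </summary>
/// <returns>
/// "PowerShell v2 Version", "PowerShell v5 Version", the policy entries
/// ("Transcription Settings CU"/"LM", "Module Logging Settings" for HKLM, "Module Logging Settings CU",
/// "Scriptblock Logging Settings LM"/"CU") holding one " name : value" line per registry value,
/// and "PS history file"/"PS history size". Per-hive policy keys are only present when configured.
/// </returns>
public static Dictionary<string, string> GetPowerShellSettings()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        results["PowerShell v2 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
        results["PowerShell v5 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");
        // Same initial key set as before; the per-hive entries are created on first write.
        results["Transcription Settings"] = "";
        results["Module Logging Settings"] = "";
        results["Scriptblock Logging Settings"] = "";
        results["PS history file"] = "";
        results["PS history size"] = "";

        // The original used "+=" on keys that were never initialised ("... CU", "... LM"), which
        // throws KeyNotFoundException and aborted the whole collection as soon as such a policy
        // was configured. AppendPolicyLines creates the entry on first use instead.
        AppendPolicyLines(results, "Transcription Settings CU", ReadPowerShellPolicy("HKCU", "Transcription"));
        AppendPolicyLines(results, "Transcription Settings LM", ReadPowerShellPolicy("HKLM", "Transcription"));
        AppendPolicyLines(results, "Module Logging Settings", ReadPowerShellPolicy("HKLM", "ModuleLogging"));
        AppendPolicyLines(results, "Module Logging Settings CU", ReadPowerShellPolicy("HKCU", "ModuleLogging"));
        // Script block entries previously used "=" and so kept only the last value.
        AppendPolicyLines(results, "Scriptblock Logging Settings LM", ReadPowerShellPolicy("HKLM", "ScriptBlockLogging"));
        AppendPolicyLines(results, "Scriptblock Logging Settings CU", ReadPowerShellPolicy("HKCU", "ScriptBlockLogging"));

        string ps_history_path = Environment.ExpandEnvironmentVariables(@"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt");
        string ps_history_path2 = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
        // Prefer the %APPDATA% location; fall back to the path built from %USERPROFILE%.
        ps_history_path = File.Exists(ps_history_path) ? ps_history_path : ps_history_path2;
        if (File.Exists(ps_history_path))
        {
            FileInfo fi = new FileInfo(ps_history_path);
            results["PS history file"] = ps_history_path;
            results["PS history size"] = fi.Length.ToString() + "B";
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}

// Reads <hive>\SOFTWARE\Policies\Microsoft\Windows\PowerShell\<policy>, falling back to the
// Wow6432Node view when the native view has no values. Returns null/empty when neither has any.
private static Dictionary<string, object> ReadPowerShellPolicy(string hive, string policy)
{
    Dictionary<string, object> values = MyUtils.GetRegValues(hive, "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\" + policy);
    if (values == null || values.Count == 0)
    {
        // The original Transcription fallbacks embedded "HKLM\" inside the subkey path (for both
        // hives), which can never resolve; every policy now uses the plain Wow6432Node subkey.
        values = MyUtils.GetRegValues(hive, "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\" + policy);
    }
    return values;
}

// Appends one " name : value" line per registry value to results[key], creating the entry on
// first use. Does nothing when there are no values, so unconfigured policies add no key.
private static void AppendPolicyLines(Dictionary<string, string> results, string key, Dictionary<string, object> values)
{
    if (values == null || values.Count == 0)
    {
        return;
    }
    string text;
    if (!results.TryGetValue(key, out text) || text == null)
    {
        text = "";
    }
    foreach (KeyValuePair<string, object> kvp in values)
    {
        text += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
    }
    results[key] = text;
}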
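//////////////////////////////////////
/////// Get Autorun Registry ////////
//////////////////////////////////////
/// <summary>
/// Enumerates the registry autorun locations (Run/RunOnce/RunOnceEx/RunService* for HKLM and HKCU,
/// Terminal Server Install keys, startup folders, Winlogon Userinit/Shell, Explorer policy Run,
/// SafeBoot AlternateShell, font drivers, the htmlfile open command, Active Setup Installed
/// Components, Browser Helper Objects and Internet Explorer extensions) and reports, for each
/// configured value, the permissions on the registry key, the target binary and its folder.
/// </summary>
/// <param name="NtAccountNames">Not used by this version; permissions are resolved against Program.currentUserSIDs. Kept for signature compatibility.</param>
/// <returns>
/// One dictionary per entry with "Reg", "RegKey", "Folder", "File", "RegPermissions",
/// "interestingFolderRights", "interestingFileRights" and "isUnquotedSpaced".
/// </returns>
public static List<Dictionary<string, string>> GetRegistryAutoRuns(Dictionary<string, string> NtAccountNames)
{
    List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
    try
    {
        // Each entry is { hive, subkey } or { hive, subkey, valueName } when only one value matters.
        List<List<String>> autorunLocations = new List<List<string>>()
        {
            //Common Autoruns
            new List<String> { "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" },
            new List<String> { "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" },
            new List<String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" },
            new List<String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce" },
            new List<String> { "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" },
            new List<String> { "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" },
            new List<String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" },
            new List<String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce" },
            new List<String> { "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" },
            new List<String> { "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" },
            new List<String> { "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunEx" },

            //Service Autoruns
            new List<String> { "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService" },
            new List<String> { "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" },
            new List<String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService" },
            new List<String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" },
            new List<String> { "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService" },
            new List<String> { "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" },
            new List<String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService" },
            new List<String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" },

            //Special Autorun
            new List<String> { "HKLM", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" },
            new List<String> { "HKLM", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" },
            new List<String> { "HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" },
            new List<String> { "HKCU", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" },

            //Startup Path
            new List<String> { "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup" },
            new List<String> { "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup" },
            new List<String> { "HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup" },
            new List<String> { "HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup" },

            //Winlogon
            new List<String> { "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit" },
            new List<String> { "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell" },

            //Policy Settings
            new List<String> { "HKLM", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run" },
            new List<String> { "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run" },

            //AlternateShell in SafeBoot
            new List<String> { "HKLM", "SYSTEM\\CurrentControlSet\\Control\\SafeBoot", "AlternateShell" },

            //Font Drivers
            new List<String> { "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers" },
            new List<String> { "HKLM", @"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers" },

            //Open Command
            new List<String> { "HKLM", @"SOFTWARE\Classes\htmlfile\shell\open\command", "" }, //Get (Default) value with empty string
            new List<String> { "HKLM", @"SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command", "" }, //Get (Default) value with empty string
        };

        // Keys whose subkeys (one per component) each hold the value of interest.
        List<List<String>> autorunLocationsKeys = new List<List<String>>
        {
            //Installed Components
            new List<String> { "HKLM", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "StubPath" },
            new List<String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components", "StubPath" },
            new List<String> { "HKCU", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "StubPath" },
            new List<String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components", "StubPath" },
        };

        //This registry expect subkeys with the CLSID name
        List<List<String>> autorunLocationsKeysCLSIDs = new List<List<String>>
        {
            //Browser Helper Objects
            new List<String> { "HKLM", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" },
            new List<String> { "HKLM", @"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" },
            //Internet Explorer Extensions
            new List<String> { "HKLM", @"Software\Microsoft\Internet Explorer\Extensions" },
            new List<String> { "HKLM", @"Software\Wow6432Node\Microsoft\Internet Explorer\Extensions" },
        };

        //Add the keyvalues inside autorunLocationsKeys to autorunLocations
        foreach (List<String> autorunLocationKey in autorunLocationsKeys)
        {
            var rawSubkeys = MyUtils.GetRegSubkeys(autorunLocationKey[0], autorunLocationKey[1]);
            if (rawSubkeys == null)
            {
                continue; // key missing or unreadable; the original would have thrown on .ToList()
            }
            foreach (String keyname in rawSubkeys.ToList())
            {
                string clsid_name = keyname;
                //Sometime the CLSID is bad writting and this kind of fix common mistakes
                Match clsid = Regex.Match(keyname, @"^\W*(\{[\w\-]+\})\W*");
                if (clsid.Success)
                {
                    clsid_name = clsid.Groups[1].ToString();
                }
                if (autorunLocationKey.Count > 2)
                {
                    autorunLocations.Add(new List<string> { autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2] });
                }
                else
                {
                    autorunLocations.Add(new List<string> { autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name });
                }
            }
        }

        //Read registry and get values
        foreach (List<String> autorunLocation in autorunLocations)
        {
            Dictionary<string, object> settings = MyUtils.GetRegValues(autorunLocation[0], autorunLocation[1]);
            if (settings == null || settings.Count == 0)
            {
                continue;
            }

            // One handle per location, released when the location is done. The original opened a
            // new handle for every value (even the ones skipped below) and never closed any.
            using (RegistryKey key = OpenAutorunKey(autorunLocation[0], autorunLocation[1]))
            {
                foreach (KeyValuePair<string, object> kvp in settings)
                {
                    if (autorunLocation.Count > 2 && kvp.Key != autorunLocation[2])
                    {
                        continue; //Only one value of this key is of interest and this is not it
                    }

                    try
                    {
                        string orig_filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
                        string filepath = orig_filepath;
                        // The original called GetExecutableFromPath twice on the same input.
                        string executable = MyUtils.GetExecutableFromPath(orig_filepath);
                        if (!String.IsNullOrEmpty(executable))
                        {
                            filepath = executable;
                        }
                        string filepath_cleaned = filepath.Replace("'", "").Replace("\"", "");
                        string folder = System.IO.Path.GetDirectoryName(filepath_cleaned);
                        try
                        {
                            //If the path doesn't exist, pass
                            if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory))
                            {
                                //If the path is already a folder, change the values of the params
                                orig_filepath = "";
                                folder = filepath_cleaned;
                            }
                        }
                        catch
                        {
                            // Best effort: a missing or inaccessible path keeps the values derived above.
                        }

                        results.Add(new Dictionary<string, string>()
                        {
                            { "Reg", autorunLocation[0] + "\\" + autorunLocation[1] },
                            { "RegKey", kvp.Key },
                            { "Folder", folder },
                            { "File", orig_filepath },
                            { "RegPermissions", string.Join(", ", MyUtils.GetMyPermissionsR(key, Program.currentUserSIDs)) },
                            { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) },
                            { "interestingFileRights", orig_filepath.Length > 1 ? String.Join(", ", MyUtils.GetPermissionsFile(orig_filepath, Program.currentUserSIDs)) : "" },
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
                        });
                    }
                    catch (Exception ex)
                    {
                        // One malformed value (e.g. invalid path characters rejected by
                        // GetDirectoryName) must not discard the entries already collected.
                        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
                    }
                }
            }
        }

        //Check the autoruns that depends on CLSIDs
        foreach (List<String> autorunLocation in autorunLocationsKeysCLSIDs)
        {
            var rawCLSIDs = MyUtils.GetRegSubkeys(autorunLocation[0], autorunLocation[1]);
            if (rawCLSIDs == null)
            {
                continue;
            }
            foreach (String clsid in rawCLSIDs.ToList())
            {
                try
                {
                    string orig_filepath = MyUtils.GetCLSIDBinPath(clsid);
                    if (String.IsNullOrEmpty(orig_filepath))
                    {
                        continue; // checked before opening the key so nothing is leaked on skip
                    }
                    orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
                    string folder = System.IO.Path.GetDirectoryName(orig_filepath);
                    string reg = autorunLocation[1] + "\\" + clsid;

                    using (RegistryKey key = OpenAutorunKey(autorunLocation[0], reg))
                    {
                        results.Add(new Dictionary<string, string>()
                        {
                            { "Reg", autorunLocation[0] + "\\" + reg },
                            { "RegKey", "" },
                            { "Folder", folder },
                            { "File", orig_filepath },
                            { "RegPermissions", string.Join(", ", MyUtils.GetMyPermissionsR(key, Program.currentUserSIDs)) },
                            { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) },
                            { "interestingFileRights", orig_filepath.Length > 1 ? String.Join(", ", MyUtils.GetPermissionsFile(orig_filepath, Program.currentUserSIDs)) : "" },
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString() }
                        });
                    }
                }
                catch (Exception ex)
                {
                    Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
                }
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}

// Opens a subkey read-only in HKLM for hive "HKLM" and in HKCU otherwise (same hive selection as
// the original inline code). May return null when the key does not exist; callers dispose it.
private static RegistryKey OpenAutorunKey(string hive, string subkey)
{
    if ("HKLM" == hive)
    {
        return Registry.LocalMachine.OpenSubKey(subkey);
    }
    return Registry.CurrentUser.OpenSubKey(subkey);
}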
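/// <summary>
/// Walks HKLM\SYSTEM\CurrentControlSet\Services and returns the services whose binary is not
/// published by Microsoft (judged by the CompanyName in the file version info; services whose
/// binary cannot be resolved or read are included as well).
/// </summary>
/// <returns>
/// One dictionary per service with "Name" (service key name), "DisplayName", "CompanyName",
/// "State" (always ""), "StartMode", "PathName", "FilteredPath", "isDotNet" and "Description".
/// </returns>
public static List<Dictionary<string, string>> GetNonstandardServicesFromReg()
{
    List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
    try
    {
        var serviceKeys = MyUtils.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services");
        if (serviceKeys == null)
        {
            return results;
        }

        foreach (string key in serviceKeys)
        {
            try
            {
                Dictionary<string, object> key_values = MyUtils.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + key);
                // GetRegValues may return null for an unreadable key; the original dereferenced it
                // unconditionally and lost every service collected so far.
                if (key_values == null || !key_values.ContainsKey("DisplayName") || !key_values.ContainsKey("ImagePath"))
                {
                    continue;
                }

                string companyName = "";
                string isDotNet = "";
                string pathName = Environment.ExpandEnvironmentVariables(String.Format("{0}", key_values["ImagePath"]).Replace("\\SystemRoot\\", "%SystemRoot%\\"));
                string binaryPath = MyUtils.ReconstructExecPath(pathName);
                if (binaryPath != "")
                {
                    try
                    {
                        FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                        companyName = myFileVersionInfo.CompanyName;
                        isDotNet = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                    }
                    catch (Exception)
                    {
                        // Not enough privileges to read the binary: keep companyName empty so the
                        // service is still reported below.
                    }
                }

                string displayName = String.Format("{0}", key_values["DisplayName"]);
                string description = key_values.ContainsKey("Description") ? String.Format("{0}", key_values["Description"]) : "";
                string startMode = key_values.ContainsKey("Start") ? ServiceStartModeName(key_values["Start"].ToString()) : "";

                if (String.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
                {
                    Dictionary<string, string> toadd = new Dictionary<string, string>();
                    // "Name" is the service key name; the original copied the display name into both.
                    toadd["Name"] = key;
                    toadd["DisplayName"] = displayName;
                    toadd["CompanyName"] = companyName;
                    toadd["State"] = "";
                    toadd["StartMode"] = startMode;
                    toadd["PathName"] = pathName;
                    toadd["FilteredPath"] = binaryPath;
                    toadd["isDotNet"] = isDotNet;
                    toadd["Description"] = description;
                    results.Add(toadd);
                }
            }
            catch (Exception ex)
            {
                // One unreadable or malformed service key must not discard the rest.
                Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}

// Maps the "Start" REG_DWORD of a service key to a label. Values follow the SERVICE_*_START
// constants: 0 boot, 1 system, 2 automatic ("Autoload" keeps the label used before), 3 demand/manual,
// 4 disabled. The original was shifted by one from 3 upwards, reporting disabled services as "Manual".
private static string ServiceStartModeName(string start)
{
    switch (start)
    {
        case "0": return "Boot";
        case "1": return "System";
        case "2": return "Autoload";
        case "3": return "Manual";
        case "4": return "Disabled";
        default: return "";
    }
}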