 /// <summary>
 /// (Re)creates the shared <c>ProcessesInfo</c> instance and stores it in the
 /// static <c>_processesInfo</c> field. Calling it again simply replaces the
 /// previous instance; nothing else is touched here.
 /// </summary>
 internal static void Initialize() => _processesInfo = new ProcessesInfo();
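        /// <summary>
        /// Lists the running non-Microsoft processes returned by
        /// <c>ProcessesInfo.GetProcInfo()</c>: known defensive products are
        /// highlighted as "good", known interesting products as "bad", and for
        /// each process the current user's rights on the executable and on its
        /// folder are shown (writable binary / possible DLL hijacking).
        /// </summary>
        /// <remarks>
        /// Why this version differs from the previous one:
        /// <list type="bullet">
        /// <item>A single process used to be able to abort the whole listing:
        /// a null executable path reached <c>.Replace(...)</c> before the null
        /// check, <c>Path.GetDirectoryName</c> throws on paths with invalid
        /// characters, and a definitions entry with an empty value combined with
        /// a null product name indexed the colour dictionary with a null key.
        /// Any of those escaped to the outer catch and every remaining process
        /// was silently dropped. Each entry is now handled in its own
        /// try/catch.</item>
        /// <item>The colour keys handed to <c>Beaprint.AnsiPrint</c> are regex
        /// patterns (the existing <c>"Permissions:.*"</c> key and the fact that
        /// the path key was backslash-escaped show this). Two of those keys are
        /// built from strings the inspected process controls: its executable
        /// path and its product name (version resource). They now go through
        /// <c>Regex.Escape</c> instead of an incomplete hand-rolled escape list
        /// that missed <c>.</c>, <c>$</c>, <c>^</c>, <c>{</c> and <c>#</c>, and
        /// did not escape the product name at all; a crafted value can no
        /// longer mis-highlight the line or throw out of the printer.</item>
        /// <item>An empty executable path no longer registers the bare
        /// <c>[^"^']</c> pattern, which coloured every character of the
        /// entry.</item>
        /// </list>
        /// </remarks>
        void PrintInterestingProcesses()
        {
            try
            {
                Beaprint.MainPrint("Interesting Processes -non Microsoft-");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
                List<Dictionary<string, string>> processesInfo = ProcessesInfo.GetProcInfo() ?? new List<Dictionary<string, string>>();

                foreach (Dictionary<string, string> procInfo in processesInfo)
                {
                    try
                    {
                        PrintProcessEntry(procInfo);
                    }
                    catch (Exception ex)
                    {
                        // Best effort: report this entry and carry on with the next one
                        // instead of losing the rest of the listing.
                        Beaprint.GrayPrint("Error printing process " + ValueOrEmpty(procInfo, "Name") + ": " + ex.Message);
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(ex.Message);
            }
        }

        /// <summary>
        /// Formats and prints one record produced by
        /// <c>ProcessesInfo.GetProcInfo()</c>. Keys read: Name, ProcessID,
        /// ExecutablePath, Product, Owner, isDotNet, CommandLine; a missing or
        /// null value is treated as "".
        /// </summary>
        /// <param name="procInfo">One process record. As before, its "Product"
        /// entry is overwritten when a definitions table supplies a non-empty
        /// product name.</param>
        private static void PrintProcessEntry(Dictionary<string, string> procInfo)
        {
            string name = ValueOrEmpty(procInfo, "Name");
            string pid = ValueOrEmpty(procInfo, "ProcessID");
            string exePath = ValueOrEmpty(procInfo, "ExecutablePath");
            string product = ValueOrEmpty(procInfo, "Product");
            string owner = ValueOrEmpty(procInfo, "Owner");
            string isDotNet = ValueOrEmpty(procInfo, "isDotNet");
            string commandLine = ValueOrEmpty(procInfo, "CommandLine");

            Dictionary<string, string> colorsP = new Dictionary<string, string>()
            {
                { " " + Checks.CurrentUserName, Beaprint.ansi_current_user },
                { "Permissions:.*", Beaprint.ansi_color_bad },
                { "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
            };

            // Known defensive product -> highlighted as good; known interesting
            // product -> highlighted as bad. A non-empty table value replaces the
            // product name reported by the process itself.
            string definedProduct;
            bool isDefensive = DefensiveProcesses.Definitions.TryGetValue(name, out definedProduct);
            bool isInteresting = !isDefensive && InterestingProcesses.Definitions.TryGetValue(name, out definedProduct);
            if (isDefensive || isInteresting)
            {
                if (!string.IsNullOrEmpty(definedProduct))
                {
                    product = definedProduct;
                    procInfo["Product"] = product;
                }
                // The product string may come straight from the process's own
                // version resource, so it is escaped before it becomes a pattern key.
                if (product.Length > 0)
                {
                    colorsP[EscapePattern(product)] = isDefensive ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
                }
            }

            List<string> fileRights = new List<string>();
            List<string> dirRights = new List<string>();
            string exeDir = string.Empty;
            if (exePath.Length > 0)
            {
                fileRights = PermissionsHelper.GetPermissionsFile(exePath, Checks.CurrentUserSiDs) ?? new List<string>();

                // GetDirectoryName returns null for a root path; only then is the
                // folder check skipped.
                exeDir = Path.GetDirectoryName(exePath) ?? string.Empty;
                if (exeDir.Length > 0)
                {
                    dirRights = PermissionsHelper.GetPermissionsFolder(exeDir, Checks.CurrentUserSiDs) ?? new List<string>();
                }

                // Any right reported on the binary or on its folder marks the path
                // as bad (what exactly the helper reports is PermissionsHelper's
                // business; an empty list is the "nothing found" case).
                bool anyRight = fileRights.Count > 0 || dirRights.Count > 0;
                colorsP[EscapePattern(exePath) + "[^\"^']"] = anyRight ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good;
            }

            // The "> 1" thresholds are kept from the original: one-character
            // values were never shown.
            string entry = "    " + name + "(" + pid + ")[" + exePath + "]";
            if (product.Length > 1)
            {
                entry += ": " + product;
            }
            if (owner.Length > 1)
            {
                entry += " -- POwn: " + owner;
            }
            if (isDotNet.Length > 1)
            {
                entry += " -- " + isDotNet;
            }
            if (fileRights.Count > 0)
            {
                entry += "\n    Permissions: " + string.Join(", ", fileRights);
            }
            if (dirRights.Count > 0)
            {
                entry += "\n    Possible DLL Hijacking folder: " + exeDir + " (" + string.Join(", ", dirRights) + ")";
            }
            if (commandLine.Length > 1)
            {
                entry += "\n    " + Beaprint.ansi_color_gray + "Command Line: " + commandLine;
            }

            Beaprint.AnsiPrint(entry, colorsP);
            Beaprint.PrintLineSeparator();
        }

        /// <summary>
        /// Returns the value stored under <paramref name="key"/>, or "" when the
        /// record is null, the key is absent or its value is null, so callers can
        /// use <c>.Length</c> without null checks.
        /// </summary>
        private static string ValueOrEmpty(Dictionary<string, string> record, string key)
        {
            string value;
            if (record != null && record.TryGetValue(key, out value) && value != null)
            {
                return value;
            }
            return string.Empty;
        }

        /// <summary>
        /// Escapes a process-controlled string so that, used as a colour key,
        /// it matches itself literally rather than being parsed as a pattern.
        /// Fully qualified so the file needs no additional using directive.
        /// </summary>
        private static string EscapePattern(string value)
        {
            return System.Text.RegularExpressions.Regex.Escape(value ?? string.Empty);
        }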