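/// <summary>
/// Entry point of the scanner. Collects paths from autostart locations
/// (Startup folders, selected registry values, scheduled tasks), reports the
/// ones flagged by <c>checkLolbas</c>, looks up the hash of the ones flagged by
/// <c>isPathSuspected</c> on VirusTotal, and finally scans the user's
/// Documents and Desktop folders for Office files that contain macros.
/// </summary>
/// <param name="args">Command-line arguments; not used.</param>
static void Main(string[] args)
{
    Console.ForegroundColor = ConsoleColor.White;

    // ---------------------------------------------------------------
    // Autostart filesystem locations
    // ---------------------------------------------------------------
    Console.WriteLine("Searching in autostart filesystem locations...");
    List<string> list = new List<string>();

    string appDataDir = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
    FileUtils.fileSearch(appDataDir + @"\Microsoft\Windows\Start Menu\Programs\Startup", list);

    // Resolve the all-users Startup folder through the OS instead of assuming
    // the system drive is C:. Fall back to the conventional path when the
    // lookup returns nothing, so the folder is never silently skipped.
    string commonStartupDir = Environment.GetFolderPath(Environment.SpecialFolder.CommonStartup);
    if (string.IsNullOrEmpty(commonStartupDir))
    {
        commonStartupDir = @"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp";
    }
    FileUtils.fileSearch(commonStartupDir, list);

    // ---------------------------------------------------------------
    // Selected registry locations
    // NOTE(review): the meaning of the first argument (true) is defined by
    // RegistryUtils.regSearch, which is not visible here - confirm which
    // hive(s) it selects, so that both per-user and machine-wide Run keys
    // are covered.
    // ---------------------------------------------------------------
    Console.WriteLine("Searching in registry...");
    RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", null, list);
    RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", null, list);
    RegistryUtils.regSearch(true, "Environment", "UserInitMprLogonScript", list);

    // ---------------------------------------------------------------
    // Scheduled tasks
    // ---------------------------------------------------------------
    Console.WriteLine("Searching in scheduled tasks...");
    tasksSearch(list);

    Console.ForegroundColor = ConsoleColor.Yellow;
    Console.WriteLine("\r\nChecking suspected objects");

    // ---------------------------------------------------------------
    // Flag LOLBAS objects; send hashes of other suspected files to VirusTotal
    // ---------------------------------------------------------------
    foreach (string path in list)
    {
        string lol = checkLolbas(path);
        if (lol != null)
        {
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine($"Suspicious object detected: {path}");
            continue;
        }

        if (!isPathSuspected(path))
        {
            continue;
        }

        try
        {
            if (!File.Exists(path))
            {
                // A suspected autostart entry that cannot be hashed must not
                // disappear from the report: say explicitly that it was skipped.
                Console.ForegroundColor = ConsoleColor.White;
                Console.WriteLine($"{path} - not found as a file, not checked; review this entry manually");
                continue;
            }

            Console.ForegroundColor = ConsoleColor.DarkGray;
            Console.WriteLine($"\r\nSending hash of {path} to VirusTotal...");

            string fileHash = FileUtils.getFileHash(path);
            if (fileHash == null)
            {
                Console.ForegroundColor = ConsoleColor.White;
                Console.WriteLine($"{path} - Error, can't access this file");
                continue;
            }

            // NOTE(review): a null result is reported as "no detections".
            // Confirm that vt() cannot also return null for a failed lookup
            // or for a hash VirusTotal has never seen; neither is evidence
            // that the file is clean.
            string detections = vt(fileHash);
            if (detections != null)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine($"{path} - {detections} detections");
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.White;
                Console.WriteLine($"{path} - no detections but you should check this file manually");
            }
        }
        catch (Exception e)
        {
            // Best effort: keep scanning the remaining entries, but show why
            // this one failed instead of a bare "Error".
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine($"{path} - Error: {e.Message}");
        }
    }

    // ---------------------------------------------------------------
    // Files in the user's Documents and Desktop folders
    // ---------------------------------------------------------------
    Console.ForegroundColor = ConsoleColor.White;
    Console.WriteLine("\r\nSearching in user folders...");
    List<string> userFiles = new List<string>();

    // Invariant lower-casing: culture-sensitive ToLower() can rewrite 'I'
    // under some UI cultures and produce a path that no longer matches.
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments).ToLowerInvariant(), userFiles);
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Desktop).ToLowerInvariant(), userFiles);

    // ---------------------------------------------------------------
    // Check whether any of these files contain macros
    // ---------------------------------------------------------------
    string[] macroExtensions = { ".doc", ".docm", ".xls", ".xlsm", ".xlsb" };

    foreach (string dfile in userFiles)
    {
        try
        {
            bool isOfficeCandidate = Array.Exists(
                macroExtensions,
                ext => dfile.EndsWith(ext, StringComparison.OrdinalIgnoreCase));
            if (!isOfficeCandidate)
            {
                continue;
            }

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.Write($"\r\nChecking if {dfile} contains macros... ");

            if (OfficeUtils.containsMacro(dfile))
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.Write(" YES");

                // NOTE(review): the loop that checks `list` has already
                // finished, so files appended here are never run through the
                // LOLBAS / VirusTotal checks in this method. If that was the
                // intent, this scan has to run before the check loop.
                list.Add(dfile);
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Green;
                Console.Write(" NO");
            }
        }
        catch (Exception ex)
        {
            // A document that cannot be parsed is still unverified: report it
            // rather than swallowing the failure, then continue with the rest.
            Console.ForegroundColor = ConsoleColor.White;
            Console.Write($" ERROR ({ex.Message})");
        }
    }

    Console.ForegroundColor = ConsoleColor.White;
    Console.WriteLine("\r\nDone. Press any key to exit");
    Console.Read();
}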