private JProperty ExtractCommandFromScheduledTask(JToken scheduledTask, ref int interestLevel, int number = 0)
{
string commandString = JUtil.GetSafeString(scheduledTask, "Command");
string argumentsString = JUtil.GetSafeString(scheduledTask, "Arguments");
JObject command = new JObject(new JProperty("Command", commandString));
JObject arguments = new JObject(new JProperty("Arguments", argumentsString));
command = FileSystem.InvestigatePath(commandString);
arguments = FileSystem.InvestigateString(argumentsString);
if ((arguments != null) && (arguments["InterestLevel"] != null))
{
int argumentInterest = (int)arguments["InterestLevel"];
interestLevel = interestLevel + argumentInterest;
}
if ((command != null) && (command["InterestLevel"] != null))
{
int commandInterest = (int)command["InterestLevel"];
interestLevel = interestLevel + commandInterest;
}
string caption = "Exec";
if (number > 0)
{
caption += " - " + number;
}
return(new JProperty(caption, new JObject(
new JProperty("Command", command),
new JProperty("Args", arguments)
)
));
}
private JObject GetAssessedGroupMember(JToken member)
{
List <JToken> memberProps = new List <JToken>
{
JUtil.GetSafeJProp("Name", member, "@name"),
JUtil.GetSafeJProp("Action", member, "@action"),
JUtil.GetSafeJProp("SID", member, "@sid")
};
string memberSid = JUtil.GetSafeString(member, "@sid");
if (!string.IsNullOrEmpty(memberSid))
{
string resolvedSID = LDAPstuff.GetUserFromSid(memberSid);
memberProps.Add(new JProperty("Display Name From SID", resolvedSID));
}
JObject assessedMember = new JObject();
foreach (JProperty memberProp in memberProps)
{
if (memberProp != null)
{
assessedMember.Add(memberProp);
}
}
if (assessedMember.HasValues)
{
return(assessedMember);
}
return(null);
}
private JToken GetAssessedRegistryCollection(JToken gppRegCollection)
{
// this method handles the 'collection' object, which contains a bunch of individual regkeys and these properties
/*
*
* Looks like the structure kind of goes like:
*
* You can have multiple collections in a collection JArray
*
* Collections have some top level properties like:
* @name
* @changed
* @uid
* @desc
* @bypassErrors
* Registry
* Contains a Settings JArray
*
*/
JObject assessedRegistryCollection = new JObject
{
// add collection-specific properties
{ "Name", JUtil.GetSafeString(gppRegCollection, "@name") },
{ "Changed", JUtil.GetSafeString(gppRegCollection, "@changed") },
{ "Description", JUtil.GetSafeString(gppRegCollection, "@desc") }
};
if ((gppRegCollection["Registry"] != null) && gppRegCollection.HasValues)
{
JToken registrySettingses = gppRegCollection["Registry"];
JToken assessedRegistrySettingses = GetAssessedRegistrySettingses(registrySettingses);
if ((assessedRegistrySettingses != null) && assessedRegistrySettingses.HasValues)
{
assessedRegistryCollection.Add("Registry Settings in Collection", assessedRegistrySettingses);
}
else
{
return(null);
}
}
else
{
return(null);
}
if ((assessedRegistryCollection != null) && assessedRegistryCollection.HasValues)
{
return(assessedRegistryCollection);
}
else
{
return(null);
}
}
static JProperty AssessGppEv(JToken gppEv)
{
JObject assessedGppEv = new JObject
{
{ "Name", JUtil.GetSafeString(gppEv, "@name") },
{ "Status", JUtil.GetSafeString(gppEv, "@status") },
{ "Changed", JUtil.GetSafeString(gppEv, "@changed") },
{ "Action", JUtil.GetActionString(gppEv["Properties"]["@action"].ToString()) }
};
return(new JProperty(JUtil.GetSafeString(gppEv, "@uid"), assessedGppEv));
}
static JProperty AssessGppDataSource(JToken gppDataSource)
{
int interestLevel = 1;
string gppDataSourceUid = JUtil.GetSafeString(gppDataSource, "@uid");
string gppDataSourceName = JUtil.GetSafeString(gppDataSource, "@name");
string gppDataSourceChanged = JUtil.GetSafeString(gppDataSource, "@changed");
JToken gppDataSourceProps = gppDataSource["Properties"];
string gppDataSourceAction = JUtil.GetActionString(gppDataSourceProps["@action"].ToString());
string gppDataSourceUserName = JUtil.GetSafeString(gppDataSourceProps, "@username");
string gppDataSourcecPassword = JUtil.GetSafeString(gppDataSourceProps, "@cpassword");
string gppDataSourcePassword = "";
if (gppDataSourcecPassword.Length > 0)
{
gppDataSourcePassword = Util.DecryptCpassword(gppDataSourcecPassword);
interestLevel = 10;
}
string gppDataSourceDsn = JUtil.GetSafeString(gppDataSourceProps, "@dsn");
string gppDataSourceDriver = JUtil.GetSafeString(gppDataSourceProps, "@driver");
string gppDataSourceDescription = JUtil.GetSafeString(gppDataSourceProps, "@description");
JToken gppDataSourceAttributes = gppDataSourceProps["Attributes"];
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppDataSource = new JObject
{
{ "Name", gppDataSourceName },
{ "Changed", gppDataSourceChanged },
{ "Action", gppDataSourceAction },
{ "Username", gppDataSourceUserName }
};
if (gppDataSourcecPassword.Length > 0)
{
assessedGppDataSource.Add("cPassword", gppDataSourcecPassword);
assessedGppDataSource.Add("Decrypted Password", gppDataSourcePassword);
}
assessedGppDataSource.Add("DSN", gppDataSourceDsn);
assessedGppDataSource.Add("Driver", gppDataSourceDriver);
assessedGppDataSource.Add("Description", gppDataSourceDescription);
if ((gppDataSourceAttributes != null) && (gppDataSourceAttributes.HasValues))
{
assessedGppDataSource.Add("Attributes", gppDataSourceAttributes);
}
return(new JProperty(gppDataSourceUid, assessedGppDataSource));
}
return(null);
}
static JProperty AssessGppIni(JToken gppIni)
{
int interestLevel = 1;
string gppIniUid = JUtil.GetSafeString(gppIni, "@uid");
string gppIniName = JUtil.GetSafeString(gppIni, "@name");
string gppIniChanged = JUtil.GetSafeString(gppIni, "@changed");
string gppIniStatus = JUtil.GetSafeString(gppIni, "@status");
JToken gppIniProps = gppIni["Properties"];
string gppIniAction = JUtil.GetActionString(gppIniProps["@action"].ToString());
JToken gppIniPath = FileSystem.InvestigatePath(JUtil.GetSafeString(gppIniProps, "@path"));
JToken gppIniSection = FileSystem.InvestigateString(JUtil.GetSafeString(gppIniProps, "@section"));
JToken gppIniValue = FileSystem.InvestigateString(JUtil.GetSafeString(gppIniProps, "@value"));
JToken gppIniProperty = FileSystem.InvestigateString(JUtil.GetSafeString(gppIniProps, "@property"));
// check each of our potentially interesting values to see if it raises our overall interest level
JToken[] valuesWithInterest = { gppIniPath, gppIniSection, gppIniValue, gppIniProperty };
foreach (JToken val in valuesWithInterest)
{
if ((val != null) && (val["InterestLevel"] != null))
{
int valInterestLevel = int.Parse(val["InterestLevel"].ToString());
if (valInterestLevel > interestLevel)
{
interestLevel = valInterestLevel;
}
}
}
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppIni = new JObject
{
{ "Name", gppIniName },
{ "Changed", gppIniChanged },
{ "Path", gppIniPath },
{ "Action", gppIniAction },
{ "Status", gppIniStatus },
{ "Section", gppIniSection },
{ "Value", gppIniValue },
{ "Property", gppIniProperty }
};
return(new JProperty(gppIniUid, assessedGppIni));
}
return(null);
}
private JProperty GetAssessedNetworkShare(JToken netShare)
{
int interestLevel = 2;
JObject assessedGppNetShare = new JObject
{
{ "Name", JUtil.GetSafeString(netShare, "@name") },
{ "Changed", JUtil.GetSafeString(netShare, "@changed") },
{ "Action", JUtil.GetActionString(netShare["Properties"]["@action"].ToString()) }
};
assessedGppNetShare.Add("Path", JUtil.GetSafeString(netShare["Properties"], "@path"));
assessedGppNetShare.Add("Comment", JUtil.GetSafeString(netShare["Properties"], "@comment"));
// removed InvestigatePath because it's a network share, it's literally always going to be local and therefore not super interesting.
if (interestLevel >= GlobalVar.IntLevelToShow)
{
return(new JProperty(netShare["@uid"].ToString(), assessedGppNetShare));
}
return(null);
}
static JProperty AssessGppPrinter(JToken gppPrinter)
{
int interestLevel = 1;
string gppPrinterUid = JUtil.GetSafeString(gppPrinter, "@uid");
string gppPrinterName = JUtil.GetSafeString(gppPrinter, "@name");
string gppPrinterChanged = JUtil.GetSafeString(gppPrinter, "@changed");
JToken gppPrinterProps = gppPrinter["Properties"];
string gppPrinterAction = JUtil.GetActionString(gppPrinterProps["@action"].ToString());
string gppPrinterUsername = JUtil.GetSafeString(gppPrinterProps, "@username");
string gppPrintercPassword = JUtil.GetSafeString(gppPrinterProps, "@cpassword");
string gppPrinterPassword = "";
if (gppPrintercPassword.Length > 0)
{
gppPrinterPassword = Util.DecryptCpassword(gppPrintercPassword);
interestLevel = 10;
}
string gppPrinterAddress = JUtil.GetSafeString(gppPrinterProps, "@ipAddress");
string gppPrinterLocalName = JUtil.GetSafeString(gppPrinterProps, "@localName");
string gppPrinterSnmpCommString = JUtil.GetSafeString(gppPrinterProps, "@snmpCommunity");
if (gppPrinterSnmpCommString.Length > 1)
{
interestLevel = 7;
}
JToken gppPrinterPath = FileSystem.InvestigatePath(JUtil.GetSafeString(gppPrinterProps, "@path"));
JToken gppPrinterComment = FileSystem.InvestigateString(JUtil.GetSafeString(gppPrinterProps, "@comment"));
JToken gppPrinterLocation = FileSystem.InvestigateString(JUtil.GetSafeString(gppPrinterProps, "@location"));
// check each of our potentially interesting values to see if it raises our overall interest level
JToken[] valuesWithInterest = { gppPrinterPath, gppPrinterComment, gppPrinterLocation, };
foreach (JToken val in valuesWithInterest)
{
if ((val != null) && (val["InterestLevel"] != null))
{
int valInterestLevel = int.Parse(val["InterestLevel"].ToString());
if (valInterestLevel > interestLevel)
{
interestLevel = valInterestLevel;
}
}
}
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppPrinter = new JObject
{
{ "Name", gppPrinterName },
{ "Changed", gppPrinterChanged },
{ "Action", gppPrinterAction }
};
if (gppPrintercPassword.Length > 0)
{
assessedGppPrinter.Add("Username", gppPrinterUsername);
assessedGppPrinter.Add("cPassword", gppPrintercPassword);
assessedGppPrinter.Add("Decrypted Password", gppPrinterPassword);
}
assessedGppPrinter.Add("Local Name", gppPrinterLocalName);
assessedGppPrinter.Add("Address", gppPrinterAddress);
assessedGppPrinter.Add("Path", gppPrinterPath);
assessedGppPrinter.Add("SNMP Community String", gppPrinterSnmpCommString);
assessedGppPrinter.Add("Comment", gppPrinterComment);
assessedGppPrinter.Add("Location", gppPrinterLocation);
return(new JProperty(gppPrinterUid, assessedGppPrinter));
}
return(null);
}
static JProperty AssessGppNTService(JToken gppNtService)
{
int interestLevel = 1;
string gppNtServiceUid = JUtil.GetSafeString(gppNtService, "@uid");
string gppNtServiceChanged = JUtil.GetSafeString(gppNtService, "@changed");
string gppNtServiceName = JUtil.GetSafeString(gppNtService, "@name");
string gppNtServiceUserName = JUtil.GetSafeString(gppNtService["Properties"], "@accountName");
string gppNtServicecPassword = JUtil.GetSafeString(gppNtService["Properties"], "@cpassword");
string gppNtServicePassword = "";
if (gppNtServicecPassword.Length > 0)
{
gppNtServicePassword = Util.DecryptCpassword(gppNtServicecPassword);
interestLevel = 10;
}
string gppNtServiceTimeout = JUtil.GetSafeString(gppNtService["Properties"], "@timeout");
string gppNtServiceStartup = JUtil.GetSafeString(gppNtService["Properties"], "@startupType");
string gppNtServiceAction = JUtil.GetSafeString(gppNtService["Properties"], "@serviceAction");
string gppNtServiceServiceName = JUtil.GetSafeString(gppNtService["Properties"], "@serviceName");
string gppNtServiceFirstFailure = JUtil.GetSafeString(gppNtService["Properties"], "@firstFailure");
string gppNtServiceSecondFailure = JUtil.GetSafeString(gppNtService["Properties"], "@secondFailure");
string gppNtServiceThirdFailure = JUtil.GetSafeString(gppNtService["Properties"], "@thirdFailure");
JObject gppNtServiceProgram =
FileSystem.InvestigatePath(JUtil.GetSafeString(gppNtService["Properties"], "@program"));
JObject gppNtServiceArgs =
FileSystem.InvestigateString(JUtil.GetSafeString(gppNtService["Properties"], "@args"));
if ((gppNtServiceProgram != null) && (gppNtServiceProgram["InterestLevel"] != null))
{
int progInterestLevelInt = int.Parse(gppNtServiceProgram["InterestLevel"].ToString());
if (progInterestLevelInt > interestLevel)
{
interestLevel = progInterestLevelInt;
}
}
if (gppNtServiceArgs["InterestLevel"] != null)
{
int argsInterestLevelInt = int.Parse(gppNtServiceArgs["InterestLevel"].ToString());
if (argsInterestLevelInt > interestLevel)
{
interestLevel = argsInterestLevelInt;
}
}
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppNtService = new JObject
{
{ "Name", gppNtServiceName }, { "Changed", gppNtServiceChanged }
};
if (gppNtServiceServiceName.Length > 0)
{
assessedGppNtService.Add("Service Name", gppNtServiceName);
}
if (gppNtServicecPassword.Length > 0)
{
assessedGppNtService.Add("Username", gppNtServiceUserName);
assessedGppNtService.Add("cPassword", gppNtServicecPassword);
assessedGppNtService.Add("Decrypted Password", gppNtServicePassword);
}
if (gppNtServiceTimeout.Length > 0)
{
assessedGppNtService.Add("Timeout", gppNtServiceTimeout);
}
if (gppNtServiceStartup.Length > 0)
{
assessedGppNtService.Add("Startup Type", gppNtServiceStartup);
}
if (gppNtServiceAction.Length > 0)
{
assessedGppNtService.Add("Action", gppNtServiceAction);
}
if (gppNtServiceFirstFailure.Length > 0)
{
assessedGppNtService.Add("Action on first failure", gppNtServiceFirstFailure);
}
if (gppNtServiceSecondFailure.Length > 0)
{
assessedGppNtService.Add("Action on second failure", gppNtServiceSecondFailure);
}
if (gppNtServiceThirdFailure.Length > 0)
{
assessedGppNtService.Add("Action on third failure", gppNtServiceThirdFailure);
}
if (gppNtServiceProgram.HasValues)
{
assessedGppNtService.Add("Program", gppNtServiceProgram);
}
if (gppNtServiceArgs.HasValues)
{
assessedGppNtService.Add("Args", gppNtServiceArgs);
}
return(new JProperty(gppNtServiceUid, assessedGppNtService));
}
return(null);
}
static JProperty AssessGppDrive(JToken gppDrive)
{
int interestLevel = 1;
string gppDriveUid = JUtil.GetSafeString(gppDrive, "@uid");
string gppDriveName = JUtil.GetSafeString(gppDrive, "@name");
string gppDriveChanged = JUtil.GetSafeString(gppDrive, "@changed");
string gppDriveAction = JUtil.GetActionString(gppDrive["Properties"]["@action"].ToString());
string gppDriveUserName = JUtil.GetSafeString(gppDrive["Properties"], "@userName");
string gppDrivecPassword = JUtil.GetSafeString(gppDrive["Properties"], "@cpassword");
string gppDrivePassword = "";
if (gppDrivecPassword.Length > 0)
{
gppDrivePassword = Util.DecryptCpassword(gppDrivecPassword);
interestLevel = 10;
}
string gppDriveLetter = "";
if (gppDrive["Properties"]["@useLetter"] != null)
{
if (gppDrive["Properties"]["@useLetter"].ToString() == "1")
{
gppDriveLetter = JUtil.GetSafeString(gppDrive["Properties"], "@letter");
}
else if (gppDrive["Properties"]["@useLetter"].ToString() == "0")
{
gppDriveLetter = "First letter available, starting at " +
JUtil.GetSafeString(gppDrive["Properties"], "@letter");
}
}
string gppDriveLabel = JUtil.GetSafeString(gppDrive["Properties"], "@label");
JObject gppDrivePath = FileSystem.InvestigatePath(gppDrive["Properties"]["@path"].ToString());
if (gppDrivePath != null)
{
if (gppDrivePath["InterestLevel"] != null)
{
int pathInterestLevel = int.Parse(gppDrivePath["InterestLevel"].ToString());
if (pathInterestLevel > interestLevel)
{
interestLevel = pathInterestLevel;
}
}
}
if (interestLevel >= GlobalVar.IntLevelToShow)
{
JObject assessedGppDrive = new JObject
{
{ "Name", gppDriveName },
{ "Action", gppDriveAction },
{ "Changed", gppDriveChanged },
{ "Drive Letter", gppDriveLetter },
{ "Label", gppDriveLabel }
};
if (gppDrivecPassword.Length > 0)
{
assessedGppDrive.Add("Username", gppDriveUserName);
assessedGppDrive.Add("cPassword", gppDrivecPassword);
assessedGppDrive.Add("Decrypted Password", gppDrivePassword);
}
if (gppDrivePath != null)
{
assessedGppDrive.Add("Path", gppDrivePath);
}
return(new JProperty(gppDriveUid, assessedGppDrive));
}
return(null);
}
private JObject GetAssessedShortcut(JObject gppShortcut)
{
int interestLevel = 3;
JObject assessedShortcut = new JObject();
JToken gppShortcutProps = gppShortcut["Properties"];
assessedShortcut.Add("Name", JUtil.GetSafeString(gppShortcut, "@name"));
assessedShortcut.Add("Status", JUtil.GetSafeString(gppShortcut, "@status"));
assessedShortcut.Add("Changed", JUtil.GetSafeString(gppShortcut, "@changed"));
string gppShortcutAction = JUtil.GetActionString(gppShortcutProps["@action"].ToString());
assessedShortcut.Add("Action", gppShortcutAction);
assessedShortcut.Add("Target Type", JUtil.GetSafeString(gppShortcutProps, "@targetType"));
string arguments = JUtil.GetSafeString(gppShortcutProps, "@arguments");
if (arguments != null)
{
JToken investigatedArguments = FileSystem.InvestigateString(arguments);
assessedShortcut.Add("Arguments", arguments);
if (investigatedArguments["InterestLevel"] != null)
{
if ((int)investigatedArguments["InterestLevel"] > interestLevel)
{
interestLevel = (int)investigatedArguments["InterestLevel"];
}
}
}
string iconPath = JUtil.GetSafeString(gppShortcutProps, "@iconPath");
JObject investigatedIconPath = FileSystem.InvestigatePath(iconPath);
if ((investigatedIconPath != null) && (investigatedIconPath["InterestLevel"] != null))
{
if ((int)investigatedIconPath["InterestLevel"] > interestLevel)
{
interestLevel = (int)investigatedIconPath["InterestLevel"];
}
}
assessedShortcut.Add("Icon Path", investigatedIconPath);
assessedShortcut.Add("Icon Index", JUtil.GetSafeString(gppShortcutProps, "@iconIndex"));
string workingDir = JUtil.GetSafeString(gppShortcutProps, "@startIn");
if (workingDir != null)
{
JToken assessedWorkingDir = FileSystem.InvestigatePath(workingDir);
if (assessedWorkingDir != null)
{
assessedShortcut.Add("Working Directory", assessedWorkingDir);
}
}
assessedShortcut.Add("Comment", JUtil.GetSafeString(gppShortcutProps, "@comment"));
string shortcutPath = JUtil.GetSafeString(gppShortcutProps, "@shortcutPath");
JObject investigatedShortcutPath = FileSystem.InvestigatePath(shortcutPath);
if (investigatedShortcutPath["InterestLevel"] != null)
{
if ((int)investigatedShortcutPath["InterestLevel"] > interestLevel)
{
interestLevel = (int)investigatedShortcutPath["InterestLevel"];
}
}
string targetPath = JUtil.GetSafeString(gppShortcutProps, "@targetPath");
JObject investigatedTargetPath = FileSystem.InvestigatePath(targetPath);
if ((investigatedTargetPath != null) && (investigatedTargetPath["InterestLevel"] != null))
{
if ((int)investigatedTargetPath["InterestLevel"] > interestLevel)
{
interestLevel = (int)investigatedTargetPath["InterestLevel"];
}
}
assessedShortcut.Add("Shortcut Path", investigatedShortcutPath);
assessedShortcut.Add("Target Path", investigatedTargetPath);
// if it's too boring to be worth showing, return an empty jobj.
if (interestLevel < GlobalVar.IntLevelToShow)
{
return(null);
}
return(assessedShortcut);
}
private JObject GetAssessedScheduledTask(JToken scheduledTask, string schedTaskType)
{
int interestLevel = 4;
JObject assessedScheduledTask = new JObject
{
{ "Name", scheduledTask["@name"].ToString() },
{ "UID", scheduledTask["@uid"].ToString() },
{ "Type", schedTaskType },
{ "Changed", scheduledTask["@changed"].ToString() }
};
if (scheduledTask["Properties"]["@runAs"] != null)
{
assessedScheduledTask.Add("Run As", JUtil.GetSafeString(scheduledTask["Properties"], "@runAs"));
}
string cPassword = JUtil.GetSafeString(scheduledTask["Properties"], "@cpassword");
if (cPassword.Length > 1)
{
assessedScheduledTask.Add("Encrypted Password",
JUtil.GetSafeString(scheduledTask["Properties"], "@cpassword"));
assessedScheduledTask.Add("Decrypted Password", Util.DecryptCpassword(cPassword));
interestLevel = 10;
}
if (scheduledTask["Properties"]["@logonType"] != null)
{
assessedScheduledTask.Add("Logon Type",
JUtil.GetSafeString(scheduledTask["Properties"], "@logonType"));
}
// handle the entries that are specific to some task types but not others
// both taskv2 and immediatetaskv2 have the same rough structure
if (schedTaskType.EndsWith("V2"))
{
assessedScheduledTask.Add("Action",
JUtil.GetActionString(scheduledTask["Properties"]["@action"].ToString()));
assessedScheduledTask.Add("Description", JUtil.GetSafeString(scheduledTask, "@desc"));
assessedScheduledTask.Add("Enabled",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Settings"], "Enabled"));
// just adding the Triggers info raw, there are way too many options.
assessedScheduledTask.Add("Triggers", scheduledTask["Properties"]["Task"]["Triggers"]);
if (scheduledTask["Properties"]["Task"]["Actions"]["ShowMessage"] != null)
{
assessedScheduledTask.Add(
new JProperty("Action - Show Message", new JObject(
new JProperty("Title",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["ShowMessage"],
"Title")),
new JProperty("Body",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["ShowMessage"],
"Body"))
)
)
);
}
if (scheduledTask["Properties"]["Task"]["Actions"]["Exec"] != null)
{
// do we have an array of Command?
if (scheduledTask["Properties"]["Task"]["Actions"]["Exec"].Type == JTokenType.Array)
{
int i = 1;
foreach (JToken item in scheduledTask["Properties"]["Task"]["Actions"]["Exec"])
{
assessedScheduledTask.Add(ExtractCommandFromScheduledTask(item, ref interestLevel, i));
i++;
}
}
else
{
// or just one?
assessedScheduledTask.Add(ExtractCommandFromScheduledTask(scheduledTask["Properties"]["Task"]["Actions"]["Exec"], ref interestLevel));
}
}
if (scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"] != null)
{
string attachmentString =
JUtil.GetSafeString(
scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"]["Attachments"], "File");
JObject attachment = new JObject(new JProperty("Attachment", attachmentString));
if (GlobalVar.OnlineChecks)
{
attachment = FileSystem.InvestigateString(attachmentString);
if (attachment["InterestLevel"] != null)
{
int attachmentInterest = (int)attachment["InterestLevel"];
interestLevel = interestLevel + attachmentInterest;
}
}
assessedScheduledTask.Add(
new JProperty("Action - Send Email", new JObject(
new JProperty("From",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"From")),
new JProperty("To",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"To")),
new JProperty("Subject",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"Subject")),
new JProperty("Body",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"Body")),
new JProperty("Header Fields",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"HeaderFields")),
new JProperty("Attachment", attachment),
new JProperty("Server",
JUtil.GetSafeString(scheduledTask["Properties"]["Task"]["Actions"]["SendEmail"],
"Server"))
)
)
);
}
}
if (schedTaskType == "Task")
{
string commandString = JUtil.GetSafeString(scheduledTask["Properties"], "@appname");
string argumentsString = JUtil.GetSafeString(scheduledTask["Properties"], "@args");
JObject command = new JObject(new JProperty("Command", commandString));
JObject arguments = new JObject(new JProperty("Arguments", argumentsString));
command = FileSystem.InvestigatePath(commandString);
arguments = FileSystem.InvestigateString(argumentsString);
if ((arguments != null) && (arguments["InterestLevel"] != null))
{
int argumentInterest = (int)arguments["InterestLevel"];
interestLevel = interestLevel + argumentInterest;
}
if ((command != null) && (command["InterestLevel"] != null))
{
int commandInterest = (int)command["InterestLevel"];
interestLevel = interestLevel + commandInterest;
}
assessedScheduledTask.Add("Action",
JUtil.GetActionString(scheduledTask["Properties"]["@action"].ToString()));
assessedScheduledTask.Add("Command", command);
assessedScheduledTask.Add("Args", arguments);
JObject assessedWorkingDir =
FileSystem.InvestigatePath(JUtil.GetSafeString(scheduledTask["Properties"], "@startIn"));
if ((assessedWorkingDir != null) && assessedWorkingDir.HasValues)
{
assessedScheduledTask.Add("Working Dir", assessedWorkingDir);
}
if (scheduledTask["Properties"]["Triggers"] != null)
{
assessedScheduledTask.Add("Triggers", scheduledTask["Properties"]["Triggers"]);
}
}
if (schedTaskType == "ImmediateTask")
{
string argumentsString = JUtil.GetSafeString(scheduledTask["Properties"], "@args");
string commandString = JUtil.GetSafeString(scheduledTask["Properties"], "@appName");
JObject command = new JObject(new JProperty("Command", commandString));
JObject arguments = new JObject(new JProperty("Arguments", argumentsString));
command = FileSystem.InvestigatePath(commandString);
arguments = FileSystem.InvestigateString(argumentsString);
if ((arguments != null) && (arguments["InterestLevel"] != null))
{
int argumentInterest = (int)arguments["InterestLevel"];
interestLevel = interestLevel + argumentInterest;
}
if ((command != null) && (command["InterestLevel"] != null))
{
int commandInterest = (int)command["InterestLevel"];
interestLevel = interestLevel + commandInterest;
}
assessedScheduledTask.Add("Command", command);
assessedScheduledTask.Add("Arguments", arguments);
JObject assessedWorkingDir =
FileSystem.InvestigatePath(JUtil.GetSafeString(scheduledTask["Properties"], "@startIn"));
if ((assessedWorkingDir != null) && assessedWorkingDir.HasValues)
{
assessedScheduledTask.Add("Working Dir", assessedWorkingDir);
}
assessedScheduledTask.Add("Comment", JUtil.GetSafeString(scheduledTask["Properties"], "@comment"));
}
if (interestLevel < GlobalVar.IntLevelToShow)
{
return(null);
}
return(assessedScheduledTask);
}
private JObject GetAssessedRegistrySetting(JToken gppRegSetting)
{
JObject jankyDb = JankyDb.Instance;
// get our data about what regkeys are interesting
JArray intRegKeysData = (JArray)jankyDb["regKeys"];
JObject assessedRegistrySetting = new JObject();
assessedRegistrySetting.Add("Display Name", JUtil.GetSafeString(gppRegSetting, "@name"));
assessedRegistrySetting.Add("Status", JUtil.GetSafeString(gppRegSetting, "@status"));
assessedRegistrySetting.Add("Changed", JUtil.GetSafeString(gppRegSetting, "@changed"));
assessedRegistrySetting.Add("Action", JUtil.GetActionString(gppRegSetting["Properties"]["@action"].ToString()));
assessedRegistrySetting.Add("Default", JUtil.GetSafeString(gppRegSetting["Properties"], "@default"));
assessedRegistrySetting.Add("Hive", JUtil.GetSafeString(gppRegSetting["Properties"], "@hive"));
string key = JUtil.GetSafeString(gppRegSetting["Properties"], "@key");
int interestLevel = 1;
foreach (JToken intRegKey in intRegKeysData)
{
if (key.ToLower().Contains(intRegKey["regKey"].ToString().ToLower()))
{
// get the name
string interestLevelString = intRegKey["intLevel"].ToString();
// if it matches at all it's a 1.
// if we can get the interest level from it, do so, otherwise throw an error that we need to fix something.
if (!int.TryParse(interestLevelString, out interestLevel))
{
Utility.Output.DebugWrite(intRegKey["regKey"].ToString() +
" in jankydb doesn't have an interest level assigned.");
}
}
}
JObject investigatedKey = FileSystem.InvestigateString(key);
if ((int)investigatedKey["InterestLevel"] >= interestLevel)
{
interestLevel = (int)investigatedKey["InterestLevel"];
}
assessedRegistrySetting.Add("Key", investigatedKey);
string name = JUtil.GetSafeString(gppRegSetting["Properties"], "@name");
JObject investigatedName = FileSystem.InvestigateString(name);
if ((int)investigatedName["InterestLevel"] >= interestLevel)
{
interestLevel = (int)investigatedKey["InterestLevel"];
}
assessedRegistrySetting.Add("Name", investigatedName);
assessedRegistrySetting.Add("Type", JUtil.GetSafeString(gppRegSetting["Properties"], "@type"));
string value = JUtil.GetSafeString(gppRegSetting["Properties"], "@value");
JObject investigatedValue = FileSystem.InvestigateString(value);
if ((int)investigatedValue["InterestLevel"] >= interestLevel)
{
interestLevel = (int)investigatedKey["InterestLevel"];
}
assessedRegistrySetting.Add("Value", investigatedValue);
if (interestLevel >= GlobalVar.IntLevelToShow)
{
return(new JObject(assessedRegistrySetting));
}
else
{
return(null);
}
}