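/// <summary>
/// Wires three <see cref="FileSystemWatcher"/>s over the locations this class monitors:
/// the system root (<c>sysroot</c>), the current user's temp directory (<c>usertemp</c>,
/// recursively) and the system temp directory (<c>sysroot\temp</c>), then keeps the
/// shared <c>Writer</c> in <c>w</c>.
/// </summary>
/// <remarks>
/// <c>w</c> is acquired before any watcher is enabled, so a <c>Changed</c> callback that
/// runs on the watcher's thread cannot observe it as null.
/// Only <see cref="FileSystemWatcher.Changed"/> is hooked; <see cref="NotifyFilters.FileName"/>
/// on its own does not deliver Created/Renamed/Deleted to that handler.
/// NOTE(review): confirm this is intended — a file that is dropped and never modified again
/// may not be reported. No <see cref="FileSystemWatcher.Error"/> handler is attached either,
/// so a buffer overflow drops notifications without a trace — worth wiring to the writer.
/// </remarks>
public FileWatchers()
{
    // Path.Combine yields the same result whether or not sysroot ends with a separator.
    systemp = Path.Combine(sysroot, "temp\\");

    // Output sink first: events may arrive as soon as a watcher is enabled.
    w = Writer.getInstance();

    //c:\Windows
    psexecWatcher = CreateWatcher(sysroot, false, psexecChanged);
    psexecWatcher.EnableRaisingEvents = true;

    //%temp%
    exploitWatcher = CreateWatcher(usertemp, true, exploitChanged);
    exploitWatcher.EnableRaisingEvents = true;

    //c:\windows\temp
    systempWatcher = CreateWatcher(systemp, false, systempChanged);
    systempWatcher.EnableRaisingEvents = true;
}

/// <summary>
/// Builds a watcher for <paramref name="path"/> that reports file-name and size changes to
/// <paramref name="onChanged"/>. The watcher is returned with events disabled so the caller
/// can store it in its field before switching it on.
/// </summary>
/// <param name="path">Directory to watch.</param>
/// <param name="recursive">Whether subdirectories are included.</param>
/// <param name="onChanged">Handler attached to <see cref="FileSystemWatcher.Changed"/>.</param>
/// <returns>A configured watcher with <see cref="FileSystemWatcher.EnableRaisingEvents"/> still false.</returns>
private static FileSystemWatcher CreateWatcher(string path, bool recursive, FileSystemEventHandler onChanged)
{
    FileSystemWatcher watcher = new FileSystemWatcher();
    watcher.Path = path;
    watcher.Filter = "*.*";
    watcher.NotifyFilter = NotifyFilters.FileName | NotifyFilters.Size;
    watcher.IncludeSubdirectories = recursive;
    watcher.Changed += onChanged;
    return watcher;
}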
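/// <summary>
/// Subscribes to new entries in the Windows "Security" event log and prepares the shared
/// <c>Writer</c> and the scratch <see cref="StringBuilder"/> the handler uses.
/// </summary>
/// <remarks>
/// <c>builder</c> and <c>w</c> are assigned before <see cref="EventLog.EnableRaisingEvents"/>
/// is set, so <c>entryWritten</c> cannot run against null fields.
/// NOTE(review): reading the Security log normally needs elevated rights; expect this
/// constructor to throw when the process lacks them — confirm the caller handles that.
/// NOTE(review): EntryWritten is documented to raise at most one notification per ~6 second
/// window, so bursts of audit events can be coalesced; treat this as a sampling source.
/// NOTE(review): the EventLog instance is a local; it appears to be kept alive by the
/// log listener while raising events, but storing it in a field would make that explicit.
/// </remarks>
public EventLogWatchers()
{
    builder = new StringBuilder();
    w = Writer.getInstance();

    EventLog securityLog = new EventLog("Security");
    securityLog.EntryWritten += entryWritten;
    securityLog.EnableRaisingEvents = true;
}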
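/// <summary>
/// Starts a WMI subscription to <c>Win32_ProcessStartTrace</c> so every process start is
/// delivered to <c>watcher_EventArrived</c>, and prepares the shared <c>Writer</c> and the
/// scratch <see cref="StringBuilder"/> that handler uses.
/// </summary>
/// <remarks>
/// <c>builder</c> and <c>w</c> are assigned before <see cref="ManagementEventWatcher.Start"/>,
/// because events are raised on a WMI thread and could otherwise arrive while those fields
/// are still null.
/// NOTE(review): Win32_ProcessStartTrace is an ETW-backed event class that generally needs
/// administrative rights; Start() may throw a ManagementException when they are missing.
/// </remarks>
public ProcWatchers()
{
    builder = new StringBuilder();
    w = Writer.getInstance();

    //Hook WMI because its awesome
    watcher = new ManagementEventWatcher();
    WqlEventQuery query = new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace");
    watcher.Query = query;
    watcher.EventArrived += watcher_EventArrived;
    watcher.Start();
}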
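/// <summary>
/// Starts three WMI <c>RegistryTreeChangeEvent</c> subscriptions — the boot and service
/// queries (<c>bootSql</c>, <c>serviceSql</c>, defined elsewhere) and the current user's
/// <c>Run</c> key under <c>HKEY_USERS</c> — then runs <c>initialize()</c>.
/// </summary>
/// <remarks>
/// <c>w</c> is assigned first so a WMI callback raised right after <c>Start()</c> cannot
/// observe it as null. The user's hive is addressed as <c>HKEY_USERS\&lt;SID&gt;</c>
/// because the WMI registry provider does not expose <c>HKEY_CURRENT_USER</c>.
/// <c>userWatch</c>, <c>bootWatch</c> and <c>serviceWatch</c> are presumably fields
/// initialised at their declaration — they are only configured here, never created.
/// </remarks>
/// <exception cref="InvalidOperationException">The SID of the current user could not be determined.</exception>
public RegistryWatchers()
{
    w = Writer.getInstance();

    WqlEventQuery bootQuery = new WqlEventQuery(bootSql);
    WqlEventQuery serviceQuery = new WqlEventQuery(serviceSql);

    // WindowsIdentity wraps a token handle; dispose it once the SID has been read.
    string userSid;
    using (WindowsIdentity currentUser = WindowsIdentity.GetCurrent())
    {
        if (currentUser.User == null)
        {
            throw new InvalidOperationException("Could not determine the SID of the current user.");
        }
        userSid = currentUser.User.Value;
    }

    // WQL string literals need doubled backslashes; the verbatim string spells them out.
    WqlEventQuery userQuery = new WqlEventQuery(
        "SELECT * FROM RegistryTreeChangeEvent WHERE Hive = 'HKEY_USERS' AND RootPath = '"
        + userSid
        + @"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'");

    userWatch.Query = userQuery;
    bootWatch.Query = bootQuery;
    serviceWatch.Query = serviceQuery;

    userWatch.EventArrived += currentUserEvent;
    userWatch.Start();
    bootWatch.EventArrived += localMachineEvent;
    bootWatch.Start();
    serviceWatch.EventArrived += serviceEvent;
    serviceWatch.Start();

    initialize();
}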