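/// <summary>
/// Reads the HKLM BootExecute value (native programs the session manager runs at boot)
/// and reports it when it differs from the stock autochk entry.
/// </summary>
/// <returns>
/// An empty list when the key or value is missing or holds only the default entry;
/// otherwise a single model built from autochk.exe in the system directory.
/// </returns>
public static List<BaseModel> GetBootExecuteList()
{
    List<BaseModel> list = new List<BaseModel>();
    // OpenSubKey returns null when the key does not exist; the using block releases the handle.
    using (RegistryKey key = Registry.LocalMachine.OpenSubKey(BOOT_EXECUTE))
    {
        if (key == null)
        {
            return list;
        }
        object value = key.GetValue("BootExecute");
        if (value == null || IsDefaultBootExecute(value))
        {
            return list;
        }
        // Resolve autochk.exe under the real system directory instead of assuming C:\Windows\System32.
        string autochkPath = System.IO.Path.Combine(Environment.SystemDirectory, "autochk.exe");
        list.Add(new FileVersionHelper(autochkPath).GetFileInfoModel(AUTOCHECK));
    }
    return list;
}

/// <summary>
/// True when the BootExecute data is the stock entry. BootExecute is normally REG_MULTI_SZ,
/// which GetValue returns as string[]; ToString() on that array yields the CLR type name
/// (never equal to AUTOCHECK), so the array case is compared entry by entry instead.
/// </summary>
/// <param name="value">Non-null data read from the BootExecute value.</param>
/// <returns>True only if every entry equals AUTOCHECK (or the scalar data does).</returns>
private static bool IsDefaultBootExecute(object value)
{
    string[] entries = value as string[];
    if (entries == null)
    {
        return value.ToString().Equals(AUTOCHECK);
    }
    // NOTE(review): assumes AUTOCHECK holds the single default entry text - confirm against its definition.
    if (entries.Length == 0)
    {
        return false;
    }
    foreach (string entry in entries)
    {
        if (!entry.Equals(AUTOCHECK))
        {
            return false;
        }
    }
    return true;
}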
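/// <summary>
/// Builds one model per named value under mKey, treating each value's data as an image path.
/// </summary>
/// <returns>
/// Models for every value whose data is non-null; the registry value name becomes the model name.
/// </returns>
public List<BaseModel> GetModelListByValue()
{
    List<BaseModel> list = new List<BaseModel>();
    foreach (string valueName in mKey.GetValueNames())
    {
        object data = mKey.GetValue(valueName);
        // GetValue can return null (e.g. REG_NONE data); ToString() on it would throw.
        if (data == null)
        {
            continue;
        }
        // NOTE(review): non-string data (REG_MULTI_SZ, REG_BINARY) stringifies to the CLR type name -
        // confirm this is only used on keys whose values are strings (Run-style keys).
        string imagePath = GetPureValueName(data.ToString());
        BaseModel model = new FileVersionHelper(imagePath).GetFileInfoModel();
        model.Name = valueName;
        list.Add(model);
    }
    return list;
}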
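/// <summary>
/// Lists kernel-mode drivers registered under HKLM\...\Services: entries with
/// Type == 1 (SERVICE_KERNEL_DRIVER) whose ImagePath ends in ".sys".
/// </summary>
/// <returns>
/// One model per matching service, named after its service key; empty when the Services key is missing.
/// </returns>
public static List<BaseModel> GetDriversList()
{
    List<BaseModel> modelList = new List<BaseModel>();
    RegistryKey servicesKey = Registry.LocalMachine.OpenSubKey(SYSTEM_SERVICES);
    if (servicesKey == null)
    {
        return modelList;
    }
    Dictionary<string, IFilter> filters = new Dictionary<string, IFilter>();
    filters.Add("Type", new EqualFilter<int>(1));
    filters.Add(IMAGE_PATH, new EndWithFileter(".sys"));
    RegistryReader regReader = new RegistryReader(servicesKey);
    foreach (RegistryKey serviceKey in regReader.GetSubKeys(filters))
    {
        // Each enumerated key is a separate handle; release it once read.
        using (serviceKey)
        {
            object rawImagePath = serviceKey.GetValue(IMAGE_PATH);
            string imagePath = rawImagePath == null ? null : rawImagePath.ToString();
            if (string.IsNullOrEmpty(imagePath))
            {
                continue;
            }
            // Rebase the stored path (typically \SystemRoot\System32\drivers\x.sys) onto C:\Windows.
            // NOTE(review): GetLastSubString appears to return the text after the first character of the
            // last "system32" match, hence the trailing "s" in the prefix; confirm it matches "System32"
            // case-insensitively, otherwise such paths come back unchanged and the prefix corrupts them.
            imagePath = "C:\\Windows\\s" + StringUtils.GetLastSubString(imagePath, "system32");
            string serviceName = StringUtils.GetLastSubString(serviceKey.Name, "\\");
            modelList.Add(new FileVersionHelper(imagePath).GetFileInfoModel(serviceName));
        }
    }
    return modelList;
}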
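/// <summary>
/// Lists Image File Execution Options entries that carry a Debugger value. A Debugger value
/// makes Windows launch the listed program in place of the named executable, so each hit is a
/// potential hijack worth surfacing.
/// </summary>
/// <returns>
/// One model per entry with a Debugger value, named by the entry key; empty when the IFEO key is missing.
/// </returns>
public static List<BaseModel> GetImageHijacks()
{
    List<BaseModel> list = new List<BaseModel>();
    RegistryKey ifeoKey = Registry.LocalMachine.OpenSubKey(IMAGE_FILE_KEY);
    if (ifeoKey == null)
    {
        return list;
    }
    Dictionary<string, IFilter> filters = new Dictionary<string, IFilter>();
    filters.Add("Debugger", new NotNullFilter());
    RegistryReader reader = new RegistryReader(ifeoKey);
    foreach (RegistryKey entryKey in reader.GetSubKeys(filters))
    {
        using (entryKey)
        {
            object debugger = entryKey.GetValue("Debugger");
            // The filter already required a value, but it can be removed between enumeration and read.
            if (debugger == null)
            {
                continue;
            }
            // NOTE(review): Debugger is a command line and may carry arguments - confirm FileVersionHelper
            // tolerates that rather than expecting a bare path.
            string entryName = new RegistryReader(entryKey).GetEntryName();
            list.Add(new FileVersionHelper(debugger.ToString()).GetFileInfoModel(entryName));
        }
    }
    return list;
}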
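/// <summary>
/// Builds one model per subkey of <paramref name="objKey"/> that has an "Exec" value,
/// falling back to "Script" when "Exec" is absent.
/// </summary>
/// <param name="objKey">Open key whose immediate subkeys are scanned.</param>
/// <returns>Models for every subkey that yielded a command; subkeys that fail to read are logged and skipped.</returns>
private static List<BaseModel> MakeListByKey(RegistryKey objKey)
{
    List<BaseModel> modelList = new List<BaseModel>();
    foreach (string subKeyName in objKey.GetSubKeyNames())
    {
        try
        {
            using (RegistryKey subKey = objKey.OpenSubKey(subKeyName))
            {
                // A subkey can disappear or deny access between enumeration and open.
                if (subKey == null)
                {
                    continue;
                }
                object exec = subKey.GetValue("Exec") ?? subKey.GetValue("Script");
                if (exec == null)
                {
                    continue;
                }
                string entryName = new RegistryReader(subKey).GetEntryName();
                modelList.Add(new FileVersionHelper(exec.ToString()).GetFileInfoModel(entryName));
            }
        }
        catch (Exception e)
        {
            // Best-effort enumeration: one unreadable subkey must not abort the whole list.
            Console.WriteLine(e.ToString());
        }
    }
    return modelList;
}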
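/// <summary>
/// For each subkey name of <paramref name="objKey"/>, looks the same name up under
/// <paramref name="dataKey"/> and builds a model from that entry's INPROCSERVER default value.
/// </summary>
/// <param name="objKey">Key whose subkey names are the identifiers to resolve.</param>
/// <param name="dataKey">Key under which each identifier is resolved (presumably a CLSID table - confirm at the call site).</param>
/// <returns>
/// Models for every identifier that resolves to an in-process server path; unresolved identifiers are
/// skipped and read failures are logged.
/// </returns>
private static List<BaseModel> MakeListByKey(RegistryKey objKey, RegistryKey dataKey)
{
    List<BaseModel> modelList = new List<BaseModel>();
    foreach (string identifier in objKey.GetSubKeyNames())
    {
        try
        {
            using (RegistryKey rightKey = dataKey.OpenSubKey(identifier))
            {
                if (rightKey == null)
                {
                    continue;
                }
                using (RegistryKey serverKey = rightKey.OpenSubKey(INPROCSERVER))
                {
                    // Entries without an in-process server (or without a default value) carry no image path.
                    if (serverKey == null)
                    {
                        continue;
                    }
                    object serverPath = serverKey.GetValue("");
                    if (serverPath == null)
                    {
                        continue;
                    }
                    // Fall back to the identifier when the entry has no friendly default name.
                    object displayName = rightKey.GetValue("");
                    string name = displayName == null ? identifier : displayName.ToString();
                    modelList.Add(new FileVersionHelper(serverPath.ToString()).GetFileInfoModel(name));
                }
            }
        }
        catch (Exception e)
        {
            // Best-effort enumeration: one unreadable entry must not abort the whole list.
            Console.WriteLine(e.ToString());
        }
    }
    return modelList;
}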
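/// <summary>
/// Lists Winsock protocol catalog providers: the provider DLL is taken from the start of
/// each entry's PackedCatalogItem blob, the display name from ProtocolName.
/// </summary>
/// <returns>
/// One model per catalog entry with a readable PackedCatalogItem; empty when the catalog key is missing.
/// </returns>
public static List<BaseModel> GetWinsockProviderList()
{
    List<BaseModel> list = new List<BaseModel>();
    RegistryKey catalogKey = Registry.LocalMachine.OpenSubKey(PROTOCOL_CATAOG);
    if (catalogKey == null)
    {
        return list;
    }
    RegistryReader reader = new RegistryReader(catalogKey);
    ContainFileter dllFilter = new ContainFileter(".dll");
    foreach (RegistryKey entryKey in reader.GetSubKeys(null))
    {
        using (entryKey)
        {
            byte[] packed = entryKey.GetValue("PackedCatalogItem") as byte[];
            // Entries without the binary blob carry no provider path.
            if (packed == null)
            {
                continue;
            }
            // The provider path is a NUL-terminated string at the start of the packed structure.
            // NOTE(review): Encoding.Default is the ANSI code page on .NET Framework but UTF-8 on
            // .NET Core and later - confirm the target runtime.
            string providerPath = System.Text.Encoding.Default.GetString(packed);
            providerPath = StringUtils.RemoveTailByTag(providerPath, "\0");
            object protocolName = entryKey.GetValue("ProtocolName");
            string name = protocolName == null ? "" : protocolName.ToString();
            if (dllFilter.Filter(name))
            {
                // ProtocolName refers to a string resource in a DLL; resolve it to that DLL's description.
                name = RegistryReader.GetPureValueName(name);
                // NOTE(review): Substring(14) presumably skips a leading "@%SystemRoot%\" - confirm that
                // GetPureValueName keeps the "@"; names that short are left as-is instead of throwing.
                if (name.Length > 14)
                {
                    string resourceDll = "C:\\Windows\\" + name.Substring(14);
                    // A missing DLL would make GetVersionInfo throw and abort the whole enumeration.
                    if (System.IO.File.Exists(resourceDll))
                    {
                        FileVersionInfo info = FileVersionInfo.GetVersionInfo(resourceDll);
                        name = info.FileDescription;
                    }
                }
            }
            // Expand %SystemRoot% (and any other variable) against the running system.
            providerPath = Environment.ExpandEnvironmentVariables(providerPath);
            list.Add(new FileVersionHelper(providerPath).GetFileInfoModel(name));
        }
    }
    return list;
}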
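/// <summary>
/// Lists auto-start Win32 services from HKLM\...\Services. Services hosted in svchost are
/// reported by their Parameters\ServiceDLL instead of the shared svchost.exe image.
/// </summary>
/// <returns>
/// One model per service that resolves to an image, named after its service key; services with no
/// ImagePath, or svchost services with no ServiceDLL, are skipped. Empty when the Services key is missing.
/// </returns>
public static List<BaseModel> GetServicesList()
{
    List<BaseModel> modelList = new List<BaseModel>();
    RegistryKey servicesKey = Registry.LocalMachine.OpenSubKey(SYSTEM_SERVICES);
    if (servicesKey == null)
    {
        return modelList;
    }
    Dictionary<string, IFilter> filters = new Dictionary<string, IFilter>();
    // 16 = SERVICE_WIN32_OWN_PROCESS, 32 = SERVICE_WIN32_SHARE_PROCESS.
    filters.Add("Type", new EqualFilter<int>(16, 32));
    // 2 = SERVICE_AUTO_START.
    filters.Add("Start", new EqualFilter<int>(2));
    ContainFileter svchostFilter = new ContainFileter("svchost");
    RegistryReader reader = new RegistryReader(servicesKey);
    foreach (RegistryKey serviceKey in reader.GetSubKeys(filters))
    {
        using (serviceKey)
        {
            object rawImagePath = serviceKey.GetValue(IMAGE_PATH);
            if (rawImagePath == null)
            {
                continue;
            }
            string imagePath = rawImagePath.ToString();
            string image;
            if (!svchostFilter.Filter(imagePath))
            {
                image = RegistryReader.GetPureValueName(imagePath);
            }
            else
            {
                using (RegistryKey paramKey = serviceKey.OpenSubKey("Parameters"))
                {
                    object serviceDll = paramKey == null ? null : paramKey.GetValue("ServiceDLL");
                    if (serviceDll == null)
                    {
                        continue;
                    }
                    image = serviceDll.ToString();
                }
            }
            string serviceName = StringUtils.GetLastSubString(serviceKey.Name, "\\");
            modelList.Add(new FileVersionHelper(image).GetFileInfoModel(serviceName));
        }
    }
    return modelList;
}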
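/// <summary>
/// Lists scheduled tasks that have both a task definition file under WINDOWS_TASKS and a
/// matching ".job" file under SYSTEM_TASKS, using the command found between
/// COMMADN_TAG and _COMMADN_TAG in the definition file as the image path.
/// </summary>
/// <returns>
/// One model per task with a matching job file, named "&lt;file&gt;.job"; the command is empty when
/// no tag pair is found. Empty when the task directory does not exist.
/// </returns>
public static List<BaseModel> GetSchedulerTaskList()
{
    List<BaseModel> modelList = new List<BaseModel>();
    DirectoryInfo taskDir = new DirectoryInfo(WINDOWS_TASKS);
    DirectoryInfo jobDir = new DirectoryInfo(SYSTEM_TASKS);
    if (!taskDir.Exists)
    {
        return modelList;
    }
    foreach (FileInfo file in taskDir.GetFiles())
    {
        string jobName = file.Name + ".job";
        if (!FileUtils.DirContainFile(jobDir, jobName))
        {
            continue;
        }
        string command = ExtractTaskCommand(file.FullName);
        BaseModel model = new FileVersionHelper(command).GetFileInfoModel(jobName);
        model.ImagePath = command;
        modelList.Add(model);
    }
    return modelList;
}

/// <summary>
/// Returns the text between the first COMMADN_TAG and the following _COMMADN_TAG on the
/// same line of the file, or "" when no such pair exists.
/// </summary>
/// <param name="path">Full path of the task definition file.</param>
private static string ExtractTaskCommand(string path)
{
    // The using block closes the file even when the caller's enumeration continues or throws.
    using (StreamReader reader = new StreamReader(path))
    {
        string line;
        while ((line = reader.ReadLine()) != null)
        {
            int start = line.IndexOf(COMMADN_TAG);
            if (start == -1)
            {
                continue;
            }
            int contentStart = start + COMMADN_TAG.Length;
            int end = line.IndexOf(_COMMADN_TAG, contentStart);
            // A closing tag on a later line is treated as "no command" instead of a negative-length Substring.
            if (end == -1)
            {
                return "";
            }
            return line.Substring(contentStart, end - contentStart);
        }
    }
    return "";
}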
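/// <summary>
/// Lists the KnownDLLs entries ending in ".dll", resolving each bare file name under the
/// system directory.
/// </summary>
/// <returns>One model per matching entry; empty when the KnownDLLs key is missing.</returns>
public static List<BaseModel> GetKnownDllsList()
{
    List<BaseModel> list = new List<BaseModel>();
    RegistryKey knownDllsKey = Registry.LocalMachine.OpenSubKey(KNOWN_DLLS);
    if (knownDllsKey == null)
    {
        return list;
    }
    RegistryReader reader = new RegistryReader(knownDllsKey);
    // NOTE(review): assumes GetValues returns the value data (file names), not the value names - confirm.
    List<string> dllNames = reader.GetValues(new EndWithFileter(".dll"));
    foreach (string dllName in dllNames)
    {
        // Use the real system directory rather than a hard-coded C:\Windows\System32.
        string dllPath = Environment.SystemDirectory + "\\" + dllName;
        list.Add(new FileVersionHelper(dllPath).GetFileInfoModel());
    }
    return list;
}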