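/// <summary>
/// Runs one full scan: clears the previous results, collects candidate objects from the
/// autostart folders, the Run/RunOnce and logon-script registry values, scheduled tasks,
/// the process list and the user's document folders, then inspects every candidate and
/// reports the suspicious ones through addObject().
/// The scan stops early as soon as Settings.working is cleared.
/// listView1/progressBar1 updates are marshalled with Invoke; log() and progress() are
/// assumed to do their own marshalling — TODO confirm.
/// </summary>
void scan()
{
    List<ScannedObject> list = new List<ScannedObject>();

    // Drop the results of the previous run on the UI thread.
    if (listView1.InvokeRequired)
    {
        listView1.Invoke(new MethodInvoker(delegate { listView1.Items.Clear(); }));
    }
    else
    {
        listView1.Items.Clear();
    }

    ////////////////////////////////////////////
    // search in autostart filesystem locations
    ////////////////////////////////////////////
    log("Searching in autostart filesystem locations...");
    // Resolve the per-user and all-users Startup folders through the shell instead of
    // hard-coding C:\ProgramData, so installs on another drive are scanned too.
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Startup), list);
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.CommonStartup), list);
    if (!Settings.working) { return; }

    /////////////////////////////////////
    // search in selected registry hives
    /////////////////////////////////////
    log("Searching in registry...");
    // First argument selects the hive(s) — see RegistryUtils.regSearch.
    RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", null, list);
    RegistryUtils.regSearch(true, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", null, list);
    // Per-user logon script executed by userinit at logon.
    RegistryUtils.regSearch(true, "Environment", "UserInitMprLogonScript", list);
    if (!Settings.working) { return; }

    //////////////////////////
    // search scheduled tasks
    //////////////////////////
    log("Searching in scheduled tasks...");
    tasksSearch(list);
    if (!Settings.working) { return; }

    //////////////////////////
    // search processes
    //////////////////////////
    log("Searching in process list...");
    ProcessUtils.listProcesses(list);
    if (!Settings.working) { return; }

    ////////////////////////////////////////////////////////
    // search for files in My Documents and Desktop folders
    ////////////////////////////////////////////////////////
    log("Searching for documents in user folders...");
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), list, Settings.dangerousDocumentExtensions);
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Desktop), list, Settings.dangerousDocumentExtensions);
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile) + "\\Downloads", list, Settings.dangerousDocumentExtensions);
    if (!Settings.working) { return; }

    ////////////////////////////////////////////////////////
    // Searching done
    // Check these files and objects
    ////////////////////////////////////////////////////////
    int progressValue = 0;
    if (progressBar1.InvokeRequired)
    {
        progressBar1.Invoke(new MethodInvoker(delegate { progressBar1.Maximum = list.Count; }));
    }
    else
    {
        progressBar1.Maximum = list.Count;
    }

    foreach (ScannedObject sobj in list)
    {
        if (!Settings.working) { return; }

        log($"Checking {sobj.path}...");
        progress(++progressValue);

        // Substring match: any path that merely contains the ignore folder name is skipped.
        // An empty ignore name would match every path, so it is not applied in that case.
        if (!string.IsNullOrEmpty(Settings.ignoreFolderName) && sobj.path.Contains(Settings.ignoreFolderName))
        {
            continue;
        }

        // Registry values are reported as-is; skip the file/process checks below so the
        // same entry cannot be reported a second time.
        if (sobj.type == "registry")
        {
            addObject(sobj);
            continue;
        }

        string path = sobj.path.ToLowerInvariant();
        try
        {
            if (Settings.dangerousDocumentExtensions.Any(e => path.EndsWith(e, StringComparison.Ordinal)))
            {
                log($"Checking if {path} contains macros... ");
                if (OfficeUtils.containsMacro(path))
                {
                    sobj.type = "macro";
                    addObject(sobj);
                }
            }

            if (sobj.type == "process" && path.Contains("powershell"))
            {
                addObject(sobj);
            }
            else if (path.Contains("regsvr") || path.Contains("cmd") || path.Contains("rundll32"))
            {
                // Script/loader hosts are only interesting when launched with something
                // under a user profile; compare case-insensitively and tolerate a missing command line.
                if (sobj.commandLine != null
                    && sobj.commandLine.IndexOf("\\Users\\", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    addObject(sobj);
                }
            }
            else if (isPathSuspected(path) && path.EndsWith(".exe", StringComparison.Ordinal))
            {
                checkSuspectedExecutable(sobj, path);
            }
        }
        catch (Exception ex)
        {
            // Keep scanning the remaining objects, but do not hide the failure.
            log($"Error while checking {path}: {ex.Message}");
        }
    }

    log("Scanning done");
}

/// <summary>
/// Reports an executable found in a suspected location. A signed binary whose certificate
/// subject matches Settings.certSubjectIgnore is skipped; everything else is sent to
/// SandboxUtils.checkFile (VirusTotal) and reported with the returned detections in info.
/// </summary>
/// <param name="sobj">The scanned object to report.</param>
/// <param name="path">Lower-cased path of the executable.</param>
private void checkSuspectedExecutable(ScannedObject sobj, string path)
{
    try
    {
        X509Certificate basicSigner = X509Certificate.CreateFromSignedFile(path);
        // NOTE(review): CreateFromSignedFile only extracts the signer certificate; it does not
        // validate the signature or the certificate chain, and the ignore list is a substring
        // match on the subject. A binary carrying an untrusted certificate whose subject contains
        // an ignored string would be skipped here — validate the chain before trusting the subject.
        if (Settings.certSubjectIgnore.Any(s => basicSigner.Subject.Contains(s)))
        {
            // cert subject is in our ignore list
            return;
        }
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        // executable file is not signed (or its signature block is unreadable): treat as unknown
    }

    log($"Checking {path} on VirusTotal... ");
    string detections = SandboxUtils.checkFile(path);
    sobj.info = detections;
    addObject(sobj);
}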
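/// <summary>
/// Runs one full scan: clears the previous results, collects candidate objects from the
/// autostart folders, the HKLM/HKCU Run and RunOnce keys, the per-user logon script value,
/// scheduled tasks, the process list and the user's document folders, then classifies every
/// candidate (registry, jar, script, macro document, suspicious process) and reports the
/// suspicious ones through addObject().
/// The scan stops early as soon as Settings.working is cleared.
/// listView1/progressBar1 updates are marshalled with Invoke; log() and progress() are
/// assumed to do their own marshalling — TODO confirm.
/// </summary>
void scan()
{
    List<ScannedObject> list = new List<ScannedObject>();

    // Drop the results of the previous run on the UI thread.
    if (listView1.InvokeRequired)
    {
        listView1.Invoke(new MethodInvoker(delegate { listView1.Items.Clear(); }));
    }
    else
    {
        listView1.Items.Clear();
    }

    ////////////////////////////////////////////
    // search in autostart filesystem locations
    ////////////////////////////////////////////
    log("Searching in autostart filesystem locations...");
    // Resolve the per-user and all-users Startup folders through the shell instead of
    // hard-coding C:\ProgramData, so installs on another drive are scanned too.
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Startup), list);
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.CommonStartup), list);
    if (!Settings.working) { return; }

    /////////////////////////////////////
    // search in selected registry hives
    /////////////////////////////////////
    log("Searching in registry...");
    const string runKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    const string runOnceKey = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce";
    RegistryUtils.regSearch(Registry.LocalMachine, runKey, null, list);
    RegistryUtils.regSearch(Registry.LocalMachine, runOnceKey, null, list);
    RegistryUtils.regSearch(Registry.CurrentUser, runKey, null, list);
    RegistryUtils.regSearch(Registry.CurrentUser, runOnceKey, null, list);
    // Per-user logon script executed by userinit at logon.
    RegistryUtils.regSearch(Registry.CurrentUser, "Environment", "UserInitMprLogonScript", list);
    if (!Settings.working) { return; }

    //////////////////////////
    // search scheduled tasks
    //////////////////////////
    log("Searching in scheduled tasks...");
    tasksSearch(list);
    if (!Settings.working) { return; }

    //////////////////////////
    // search processes
    //////////////////////////
    log("Searching in process list...");
    ProcessUtils.listProcesses(list);
    if (!Settings.working) { return; }

    ////////////////////////////////////////////////////////
    // search for files in My Documents and Desktop folders
    ////////////////////////////////////////////////////////
    log("Searching for documents in user folders...");
    // Macro-capable documents, script files and Java archives.
    string[] dangerousExt = Settings.dangerousDocumentExtensions
        .Concat(Settings.dangerousScriptExtensions)
        .Concat(new string[] { ".jar" })
        .ToArray();
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), list, dangerousExt);
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.Desktop), list, dangerousExt);
    FileUtils.fileSearch(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile) + "\\Downloads", list, dangerousExt);
    if (!Settings.working) { return; }

    ////////////////////////////////////////////////////////
    // Searching done
    // Check these files and objects
    ////////////////////////////////////////////////////////
    int progressValue = 0;
    if (progressBar1.InvokeRequired)
    {
        progressBar1.Invoke(new MethodInvoker(delegate { progressBar1.Maximum = list.Count; }));
    }
    else
    {
        progressBar1.Maximum = list.Count;
    }

    foreach (ScannedObject sobj in list)
    {
        if (!Settings.working) { return; }

        log($"Checking {sobj.path} ...");
        progress(++progressValue);

        // Substring match: any path that merely contains the ignore folder name is skipped.
        // An empty ignore name would match every path, so it is not applied in that case.
        if (!string.IsNullOrEmpty(Settings.ignoreFolderName) && sobj.path.Contains(Settings.ignoreFolderName))
        {
            continue;
        }

        // Normalise once: expand %VAR% references, lower-case for the ordinal substring checks
        // below, and strip the quotes that command-line style paths carry.
        string path = Environment.ExpandEnvironmentVariables(sobj.path).ToLowerInvariant().Trim('\"');
        // commandLine is only meaningful for process objects; tolerate a missing value.
        string cmdline = (sobj.commandLine ?? "").ToLowerInvariant();

        /////////////////////
        // registry object
        /////////////////////
        if (sobj.type == "registry")
        {
            addObject(sobj);
            continue;
        }

        ///////////////////////
        // file or lnk object
        ///////////////////////
        if (sobj.type == "file" || sobj.type == "lnk")
        {
            // One classification per file: a .jar that also matches a script or document
            // extension must not be reported twice with a mutated type.
            if (path.EndsWith(".jar", StringComparison.Ordinal))
            {
                sobj.type = "jar";
                sobj.info = "";
                addObject(sobj);
            }
            else if (Settings.dangerousScriptExtensions.Any(e => path.EndsWith(e, StringComparison.Ordinal)))
            {
                sobj.type = "script";
                sobj.info = "";
                addObject(sobj);
            }
            else if (Settings.dangerousDocumentExtensions.Any(e => path.EndsWith(e, StringComparison.Ordinal)))
            {
                log($"Checking if {path} contains macros... ");
                string macros = OfficeUtils.containsMacro(path);
                // containsMacro returns a description of the macros found, or "" when there are none.
                if (!string.IsNullOrEmpty(macros))
                {
                    sobj.type = "macro";
                    sobj.info = macros;
                    addObject(sobj);
                }
            }
            continue;
        }

        /////////////////////
        // process object
        /////////////////////
        if (sobj.type == "process")
        {
            if (path.Contains("powershell"))
            {
                addObject(sobj);
            }
            else if (path.Contains("script") || path.Contains("regsvr") || path.Contains("conhost")
                     || path.Contains("cmd") || path.Contains("rundll32") || path.Contains("javaw"))
            {
                // Script hosts and loaders are only interesting when they run something from a
                // user-writable location or spawn PowerShell.
                if (cmdline.Contains("\\users\\") || cmdline.Contains(@"\programdata\") || cmdline.Contains(@"powershell"))
                {
                    addObject(sobj);
                }
            }
            // Other processes are not inspected here; the earlier signature/sandbox check was removed.
            continue;
        }
    }

    log("Scanning done");
}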