Exemplo n.º 1
0
        private static IEnumerable <Dictionary <string, string> > GetAutoRunsFolder()
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            var systemDrive      = Environment.GetEnvironmentVariable("SystemDrive");
            var autorunLocations = new List <string>
            {
                Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"),
            };

            string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));

            usersPath = Directory.GetParent(usersPath).FullName;

            try
            {
                var userDirs = Directory.EnumerateDirectories(usersPath);

                foreach (var userDir in userDirs)
                {
                    string startupPath = $@"{userDir}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";

                    if (Directory.Exists(startupPath))
                    {
                        autorunLocations.Add(startupPath);
                    }
                }
            }
            catch (Exception)
            {
            }

            foreach (string path in autorunLocations)
            {
                try
                {
                    var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);

                    foreach (string filepath in files)
                    {
                        string folder = Path.GetDirectoryName(filepath);
                        results.Add(new Dictionary <string, string>()
                        {
                            { "Reg", "" },
                            { "RegKey", "" },
                            { "RegPermissions", "" },
                            { "Folder", folder },
                            { "File", filepath },
                            { "isWritableReg", "" },
                            { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs)) },
                            { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs)) },
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
                        });
                    }
                }
                catch (Exception)
                {
                }
            }

            var taskAutorunLocations = new HashSet <string>()
            {
                $"{systemDrive}\\windows\\tasks",
                $"{systemDrive}\\windows\\system32\\tasks",
            };

            foreach (string folder in taskAutorunLocations)
            {
                try
                {
                    results.Add(new Dictionary <string, string>()
                    {
                        { "Reg", "" },
                        { "RegKey", "" },
                        { "RegPermissions", "" },
                        { "Folder", folder },
                        { "File", "" },
                        { "isWritableReg", "" },
                        { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs)) },
                        { "interestingFileRights", "" },
                        { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() }
                    });
                }
                catch (Exception)
                {
                }
            }

            return(results);
        }
Exemplo n.º 2
0
        //////////////////////////////////////
        ///////  Get Autorun Registry ////////
        //////////////////////////////////////
        /// Find Autorun registry where you have write or equivalent access
        private static IEnumerable <Dictionary <string, string> > GetRegistryAutoRuns(Dictionary <string, string> NtAccountNames)
        {
            List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();

            try
            {
                //Add the keyvalues inside autorunLocationsKeys to autorunLocations
                foreach (List <string> autorunLocationKey in autorunLocationsKeys)
                {
                    List <string> subkeys = RegistryHelper.GetRegSubkeys(autorunLocationKey[0], autorunLocationKey[1]).ToList();
                    foreach (string keyname in subkeys)
                    {
                        string clsid_name = keyname;
                        Match  clsid      = Regex.Match(keyname, @"^\W*(\{[\w\-]+\})\W*");
                        if (clsid.Groups.Count > 1) //Sometime the CLSID is bad writting and this kind of fix common mistakes
                        {
                            clsid_name = clsid.Groups[1].ToString();
                        }

                        autorunLocations.Add(autorunLocationKey.Count > 2
                            ? new List <string>
                        {
                            autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2]
                        }
                            : new List <string> {
                            autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name
                        });
                    }
                }

                //Read registry and get values
                foreach (List <string> autorunLocation in autorunLocations)
                {
                    Dictionary <string, object> settings = RegistryHelper.GetRegValues(autorunLocation[0], autorunLocation[1]);
                    if ((settings != null) && (settings.Count != 0))
                    {
                        foreach (KeyValuePair <string, object> kvp in settings)
                        {
                            RegistryKey key = null;
                            if ("HKLM" == autorunLocation[0])
                            {
                                key = Registry.LocalMachine.OpenSubKey(autorunLocation[1]);
                            }
                            else
                            {
                                key = Registry.CurrentUser.OpenSubKey(autorunLocation[1]);
                            }

                            if (autorunLocation.Count > 2 && kvp.Key != autorunLocation[2])
                            {
                                continue; //If only interested on 1 key of the registry and it's that one, continue
                            }

                            string orig_filepath = Environment.ExpandEnvironmentVariables(string.Format("{0}", kvp.Value));
                            string filepath      = orig_filepath;

                            if (MyUtils.GetExecutableFromPath(Environment.ExpandEnvironmentVariables(string.Format("{0}", kvp.Value))).Length > 0)
                            {
                                filepath = MyUtils.GetExecutableFromPath(filepath);
                            }

                            string filepath_cleaned = filepath.Replace("'", "").Replace("\"", "");
                            string folder           = Path.GetDirectoryName(filepath_cleaned);

                            try
                            {
                                //If the path doesn't exist, pass
                                if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory))
                                {
                                    //If the path is already a folder, change the values of the params
                                    orig_filepath = "";
                                    folder        = filepath_cleaned;
                                }
                            }
                            catch
                            {
                            }

                            results.Add(new Dictionary <string, string>()
                            {
                                { "Reg", autorunLocation[0] + "\\" + autorunLocation[1] },
                                { "RegKey", kvp.Key },
                                { "Folder", folder },
                                { "File", orig_filepath },
                                {
                                    "RegPermissions",
                                    string.Join(", ", PermissionsHelper.GetMyPermissionsR(key, Checks.Checks.CurrentUserSiDs))
                                },
                                {
                                    "interestingFolderRights",
                                    string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))
                                },
                                {
                                    "interestingFileRights",
                                    orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
                                },
                                { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
                            });
                        }
                    }
                }

                //Check the autoruns that depends on CLSIDs
                foreach (List <string> autorunLocation in autorunLocationsKeysCLSIDs)
                {
                    List <string> CLSIDs = RegistryHelper.GetRegSubkeys(autorunLocation[0], autorunLocation[1]).ToList();
                    foreach (string clsid in CLSIDs)
                    {
                        string      reg = autorunLocation[1] + "\\" + clsid;
                        RegistryKey key = null;
                        if ("HKLM" == autorunLocation[0])
                        {
                            key = Registry.LocalMachine.OpenSubKey(reg);
                        }
                        else
                        {
                            key = Registry.CurrentUser.OpenSubKey(reg);
                        }

                        string orig_filepath = MyUtils.GetCLSIDBinPath(clsid);
                        if (string.IsNullOrEmpty(orig_filepath))
                        {
                            continue;
                        }
                        orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
                        string folder = Path.GetDirectoryName(orig_filepath);

                        results.Add(new Dictionary <string, string>()
                        {
                            { "Reg", autorunLocation[0] + "\\" + reg },
                            { "RegKey", "" },
                            { "Folder", folder },
                            { "File", orig_filepath },
                            {
                                "RegPermissions",
                                string.Join(", ", PermissionsHelper.GetMyPermissionsR(key, Checks.Checks.CurrentUserSiDs))
                            },
                            {
                                "interestingFolderRights",
                                string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))
                            },
                            {
                                "interestingFileRights",
                                orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
                            },
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString() }
                        });
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
            return(results);
        }