public KillEmAll(bool debugMode = false)
{
if (debugMode)
{
_debugMode = true;
// get new settings that are only used in debug mode anyway
getSettingsFromINI();
}
else
{
_debugMode = false;
}
_allowList.Clear();
_internalFileNames.Clear();
_internalWindowsFileNames.Clear();
_internalWindowsFiles.Clear();
_terminatedProcesses.Clear();
_skippedProcesses.Clear();
sbLog.Clear();
// this is reliable even when Environment.OSVersion is lying, because we only care if it is XP/2003 for this variable...
_isWinXP = Environment.OSVersion.Version.ToString().Substring(0, 1).Equals("5");
_winDir = Directory.GetParent(Environment.GetFolderPath(Environment.SpecialFolder.System)).ToString().ToLower() + "\\";
_sys32 = _winDir + "system32\\";
_sys64 = _winDir + "syswow64\\";
// get my process ID for skipping in the Start() loop
_myPID = Process.GetCurrentProcess().Id;
// get parent process for the same reason as above...
// it's ok for _myParentPID to stay at 0 as initialized if parent process isn't running.
var parentProcess = ParentProcessUtilities.GetParentProcess(_myPID);
if (parentProcess != null)
{
_myParentPID = parentProcess.Id;
}
// these are Windows processes that should not be terminated, or that it's pointless to try and terminate, full paths.
// of course add 3rd party processes (full paths) as desired, like the last two added for VirtualBox.
string[] filePathsArr = { _winDir + "explorer.exe", _sys32 + "services.exe", _sys32 + "winlogon.exe", _sys32 + "lsass.exe", _sys32 + "logonui.exe", _sys32 + "spoolsv.exe",
_sys32 + "alg.exe", _sys32 + "lsm.exe", _sys32 + "audiodg.exe", _sys32 + "dllhost.exe", _sys32 + "msdtc.exe", _sys32 + "wscntfy.exe", _sys32 + "wudfhost.exe",
_sys32 + "wininit.exe", _sys32 + "mdm.exe", _sys32 + "rdpclip.exe", _sys32 + "taskmgr.exe", _sys32 + "dwm.exe", _sys32 + "taskhost.exe", _sys32 + "taskeng.exe",
_sys32 + "sppsvc.exe", _sys32 + "conhost.exe", _sys32 + "wisptis.exe", _sys32 + "tabtip.exe", _sys32 + "inputpersonalization.exe", _sys32 + "wbem\\wmiprvse.exe",
_sys64 + "wbem\\wmiprvse.exe", _sys32 + "ui0detect.exe", _sys32 + "sihost.exe", _sys32 + "ctfmon.exe", _sys32 + "wlms\\wlms.exe", _sys32 + "smss.exe",
_sys32 + "csrss.exe", _sys32 + "svchost.exe", _sys64 + "svchost.exe", _sys32 + "dashost.exe", _sys32 + "runtimebroker.exe", _sys32 + "taskhostw.exe",
_sys32 + "sppsvc.exe", _sys32 + "fontdrvhost.exe", _sys32 + "systemsettingsbroker.exe", _sys32 + "securityhealthservice.exe", _sys32 + "sgrmbroker.exe",
_sys32 + "vboxtray.exe", _sys32 + "vboxservice.exe" };
foreach (string fullPath in filePathsArr)
{
try
{
// add to full path dictionary
_internalWindowsFiles.Add(fullPath.ToLower(), "");
// now strip path for the filename only dictionary
string theFileOnly = StripString(fullPath, "\\", StripStringReturnType.ReturnAfterLastDelimiter);
_internalWindowsFileNames.Add(theFileOnly.ToLower(), "");
}
catch
{
}
}
// add any whole filenames to this dictionary - these will be whitelisted regardless of path!
// the first three are Windows Defender files where the path may not be as predictable and I didn't feel like tracking down everywhere on every OS/version...
// the second two are for Teamviewer, and they could be in any %programfiles(x86)% or %appdata%...
// the last is related to our d7x tech tool.
string[] fileNamesArr = { "msmpeng.exe", "msmpengcp.exe", "nissrv.exe", "tv_w32.exe", "tv_x64.exe", "d7xsvcwait.exe" };
foreach (string fileName in fileNamesArr)
{
try
{
_internalFileNames.Add(fileName.ToLower(), "");
}
catch
{
}
}
// add partial filenames for a 'contains' search - this also ignores path. this was implemented for remote support software or other 3rd party apps.
// keep it short and sweet since this is a slow search method, but NOT too generic! this is whitelisting every file with the exact string
// included in the filename, regardless of what path it is in!
_internalPartialFileNameArray = new string[] { "d7x v", "cryptoprevent", "teamviewer", "screenconnect", "lmiguardian", "lmi_", "logmein",
"callingcard", "unattended" };
// we need to determine if we have the d7x EXE before creating an allow list dictionary
_file_d7xEXE = Program.RegReadValueHKLM("Software\\d7xTech\\d7x\\Session\\Paths", "AppEXE");
if (_file_d7xEXE.Length > 0)
{
if (!File.Exists(_file_d7xEXE))
{
_file_d7xEXE = ""; // empty string if file doesn't exist; we'll just test for this string later
}
}
_path_d7x3pt = Program.RegReadValueHKLM("Software\\d7xTech\\d7x\\Session\\Paths", "3ptDir");
if (_path_d7x3pt.Length > 0)
{
if (!Directory.Exists(_path_d7x3pt))
{
_path_d7x3pt = "";
}
}
// finally, create our dictionary for any external allow list present
createAllowListDictionary();
}
private static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref ParentProcessUtilities processInformation, int processInformationLength, out int returnLength);
