Пример #1
0
        private static RegType GetValueType(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName)
        {
            ManagementBaseObject inParams = mc.GetMethodParameters("EnumValues");

            inParams["hDefKey"]     = hDefKey;
            inParams["sSubKeyName"] = sSubKeyName;

            ManagementNamedValueCollection objCtx = new ManagementNamedValueCollection();

            objCtx.Add("__ProviderArchitecture", 64);
            objCtx.Add("__RequiredArchitecture", true);
            InvokeMethodOptions invokeOptions = new InvokeMethodOptions();

            invokeOptions.Context = objCtx;

            ManagementBaseObject outParams = mc.InvokeMethod("EnumValues", inParams, invokeOptions);

            if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
            {
                string[] sNames = outParams["sNames"] as String[];
                int[]    iTypes = outParams["Types"] as int[];

                for (int i = 0; i < sNames.Length; i++)
                {
                    if (sNames[i] == sValueName)
                    {
                        return((RegType)iTypes[i]);
                    }
                }

                return(0);
            }
            else
            {
                return(0);
            }

            return(0);
        }
Пример #2
0
        public string GetFilthyStdOut(string strKey)
        {
            StringBuilder strOut = new StringBuilder();
            bool          bSeenFinishedMarker = false;

            Console.WriteLine("[i] Getting stdout from registry from " + strKey);

            ManagementClass registry = new ManagementClass(this.Scope, new ManagementPath("StdRegProv"), null);

            // Enumerate the values
            ManagementBaseObject inParams = registry.GetMethodParameters("EnumValues");

            inParams["sSubKeyName"] = strKey;
            inParams["hDefKey"]     = RegHive.HKEY_LOCAL_MACHINE;
            ManagementNamedValueCollection objCtx = new ManagementNamedValueCollection();

            objCtx.Add("__ProviderArchitecture", 64);
            objCtx.Add("__RequiredArchitecture", true);
            InvokeMethodOptions invokeOptions = new InvokeMethodOptions();

            invokeOptions.Context = objCtx;
            ManagementBaseObject outParams = registry.InvokeMethod("EnumValues", inParams, invokeOptions);

            string[] strValues = outParams["sNames"] as string[];

            try
            {
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                }
                else
                {
                    Console.WriteLine("[!] Failed to get values " + outParams["ReturnValue"].ToString());
                    return(null);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("[!] Failed to get values - command likely not valid i.e. generated no stdout output - " + ex.Message.ToString());
                return(null);
            }

            try
            {
                foreach (string value in strValues)
                {
                    try
                    {
                        RegType rType = GetValueType(registry, RegHive.HKEY_LOCAL_MACHINE, strKey, value);

                        switch (rType)
                        {
                        case RegType.REG_SZ:
                            inParams = registry.GetMethodParameters("GetStringValue");
                            inParams["sSubKeyName"] = strKey;
                            inParams["sValueName"]  = value;
                            inParams["hDefKey"]     = RegHive.HKEY_LOCAL_MACHINE;

                            ManagementBaseObject outParams2 = registry.InvokeMethod("GetStringValue", inParams, invokeOptions);

                            if (outParams2.Properties["sValue"].Value != null)
                            {
                                if (outParams2.Properties["sValue"].Value.ToString().Contains("CDOFINISHED"))
                                {
                                    bSeenFinishedMarker = true;
                                }
                                else
                                {
                                    strOut.AppendLine(outParams2.Properties["sValue"].Value.ToString());
                                }
                            }
                            else
                            {
                            }



                            // One of ours
                            int  intMy;
                            bool isNumeric = int.TryParse("123", out intMy);
                            if (isNumeric && intMy > 0)
                            {
                                inParams = registry.GetMethodParameters("DeleteValue");
                                inParams["sSubKeyName"] = strKey;
                                inParams["sValueName"]  = value;
                                inParams["hDefKey"]     = RegHive.HKEY_LOCAL_MACHINE;
                                registry.InvokeMethod("DeleteValue", inParams, invokeOptions);
                            }

                            break;

                        default:
                            break;
                        }
                    }
                    catch
                    {
                        continue;
                    }
                }

                if (bSeenFinishedMarker == false)
                {
                    Console.WriteLine("[!] WARNING: Didn't see stdout output finished marker - output may be truncated");
                }
                else
                {
                    Console.WriteLine("[i] Full command output received");
                }
                return(strOut.ToString());
            }
            catch
            {
                Console.WriteLine("[i] No registry keys indicating no output");
                return("");
            }
        }