public void write(string time, string eventstring, string detectstring)
{
APEventLogEntry temp = new APEventLogEntry(time, eventstring, detectstring);
RaiseLogAdded(new AddLogEventArgs(temp));
//Format will be: (timestamp) Event [what is it],
builder.Clear();
builder.Append("(");
builder.Append(time);
builder.Append(") ");
builder.Append(eventstring);
builder.Append(" [");
builder.Append(detectstring);
builder.Append("]");
builder.Append(",");
builder.Append(Environment.NewLine);
using (StreamWriter w = File.AppendText(path))
{
w.Write(builder.ToString());
}
}
public void write(string time, string eventstring, string detectstring)
{
APEventLogEntry temp = new APEventLogEntry(time, eventstring, detectstring);
RaiseLogAdded(new AddLogEventArgs(temp));
//Format will be: (timestamp) Event [what is it],
builder.Clear();
builder.Append("(");
builder.Append(time);
builder.Append(") ");
builder.Append(eventstring);
builder.Append(" [");
builder.Append(detectstring);
builder.Append("]");
builder.Append(",");
builder.Append(Environment.NewLine);
using (StreamWriter w = File.AppendText(path))
{
w.Write(builder.ToString());
}
}
public AddLogEventArgs(APEventLogEntry e)
{
this.entry = e;
}
public AddLogEventArgs(APEventLogEntry e)
{
this.entry = e;
}
public void write(string input)
{
APEventLogEntry temp = new APEventLogEntry(DateTime.Now.ToLongDateString(), input, "test");
RaiseLogAdded(new AddLogEventArgs(temp));
}
public void write(string input)
{
APEventLogEntry temp = new APEventLogEntry(DateTime.Now.ToLongDateString(), input, "test");
RaiseLogAdded(new AddLogEventArgs(temp));
}
/// <summary>
/// Initializes various important parts of the GUI for first view
/// </summary>
private void initializeGui()
{
processTreeView.CanExpandGetter = delegate(object x)
{
if (x is ProcessListObject)
{
ProcessListObject t = (ProcessListObject)x;
if (t.Connections != null)
{
return true;
}
else
{
return false;
}
}
else
{
return false;
}
};
processTreeView.ChildrenGetter = delegate(object x)
{
ProcessListObject t = (ProcessListObject)x;
return t.Connections;
};
timer = new Timer();
timer.Interval = 1000;
timer.Tick += t_Tick;
processTreeView.FullRowSelect = true;
processTreeView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
processTreeView.Expanded += processTreeView_Expanded;
//Read our current output file in so we have our previous events in our event log
string path = Path.Combine(System.IO.Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location), "output.txt");
eventLogEntries = new List<APEventLogEntry>();
if (File.Exists(path))
{
string[] lines = File.ReadAllLines(path);
foreach (string line in lines)
{
Match m = Regex.Match(line, "\\((.*)\\) (.*) \\[(.*)\\]");
APEventLogEntry entry = new APEventLogEntry(m.Groups[1].Value, m.Groups[2].Value, m.Groups[3].Value);
eventLogEntries.Add(entry);
}
}
evtLogList.ShowGroups = false;
evtLogList.EmptyListMsg = "No Events Found";
evtLogList.FullRowSelect = true;
evtLogList.SetObjects(eventLogEntries);
if (eventLogEntries.Count > 0)
evtLogList.EnsureVisible(evtLogList.Items.Count - 1);
if (eventLogEntries.Count == 0)
evtLogList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
else
evtLogList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
List<RegistryKeyObject> objects = new List<RegistryKeyObject>();
//Open our registry keys and enumerate entries that we are fairly positive are persistence entries
RegistryKey key = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
foreach (string s in key.GetValueNames())
{
if (key.GetValue(s).ToString().Contains(".vbs"))
{
RegistryKeyObject temp = new RegistryKeyObject();
temp.Detection = "Persistence";
temp.KeyName = s;
temp.KeyType = "User Startup";
temp.Path = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + s;
temp.Key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
objects.Add(temp);
}
}
key = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
foreach (string s in key.GetValueNames())
{
string val = key.GetValue(s) as string;
if (val != null)
{
if (val.ToString().Contains(".vbs"))
{
RegistryKeyObject temp = new RegistryKeyObject();
temp.Detection = "Persistence";
temp.KeyName = s;
temp.KeyType = "System Startup";
temp.Path = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + s;
temp.Key = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
objects.Add(temp);
}
}
}
//Open services and look for persistence
key = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services");
foreach (string s in key.GetSubKeyNames())
{
RegistryKey t = key.OpenSubKey(s);
string p = t.GetValue("ImagePath") as string;
if (p != null)
{
if (p.Contains(".vbs") && p.Contains("cscript"))
{
RegistryKeyObject temp = new RegistryKeyObject();
temp.Detection = "Persistence";
temp.KeyName = s;
temp.KeyType = "Service";
temp.Path = "HKLM\\System\\CurrentControlSet\\services\\" + s;
temp.Key = "HKLM\\System\\CurrentControlSet\\services\\";
objects.Add(temp);
}
else if (p.Contains("metsvc"))
{
RegistryKeyObject temp = new RegistryKeyObject();
temp.Detection = "MetSvc";
temp.KeyName = s;
temp.KeyType = "Service";
temp.Path = "HKLM\\System\\CurrentControlSet\\services\\" + s;
temp.Key = "HKLM\\System\\CurrentControlSet\\services\\";
objects.Add(temp);
}
}
}
registryListView.FullRowSelect = true;
registryListView.EmptyListMsg = "No Registry Keys Found";
registryListView.ShowGroups = false;
registryListView.SetObjects(objects);
if (objects.Count == 0)
registryListView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
else
registryListView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
}
