/// <summary>
///
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void contextCopyInfo_Click(object sender, EventArgs e)
{
AutoRunEntry entry = (AutoRunEntry)listEntries.SelectedObject;
string ret = Helper.CopyToClipboard(Global.Columns.Info, entry);
UpdateStatusBar(ret);
}
/// <summary>
///
/// </summary>
/// <param name="column"></param>
/// <param name="entry"></param>
/// <returns></returns>
public static string CopyToClipboard(Global.Columns column, AutoRunEntry entry)
{
switch (column)
{
case Global.Columns.Description:
Clipboard.SetText(entry.FileDescription);
return("Copied \"Description\" to clipboard");
case Global.Columns.FileDate:
Clipboard.SetText(entry.FileDateText);
return("Copied \"File Date\" to clipboard");
case Global.Columns.FileName:
Clipboard.SetText(entry.FileName);
return("Copied \"File Name\" to clipboard");
case Global.Columns.FilePath:
Clipboard.SetText(entry.FilePath);
return("Copied \"File Path\" to clipboard");
case Global.Columns.Info:
Clipboard.SetText(entry.Info);
return("Copied \"Info\" to clipboard");
case Global.Columns.Md5:
Clipboard.SetText(entry.Md5);
return("Copied \"MD5\" to clipboard");
case Global.Columns.Parameters:
Clipboard.SetText(entry.Parameters);
return("Copied \"Parameters\" to clipboard");
case Global.Columns.Path:
Clipboard.SetText(entry.Path);
return("Copied \"Path\" to clipboard");
case Global.Columns.Publisher:
Clipboard.SetText(entry.FilePublisher);
return("Copied \"Publisher\" to clipboard");
case Global.Columns.SigningDate:
Clipboard.SetText(entry.SigningDateText);
return("Copied \"SigningDate\" to clipboard");
case Global.Columns.Type:
Clipboard.SetText(entry.Type);
return("Copied \"Type\" to clipboard");
case Global.Columns.Version:
Clipboard.SetText(entry.Version);
return("Copied \"Version\" to clipboard");
default:
return(string.Empty);
}
}
/// <summary>
/// T
/// </summary>
/// <param name="driveMappings"></param>
/// <param name="autoRunEntry"></param>
/// <param name="path"></param>
/// <returns></returns>
private static AutoRunEntry GetFilePathWithNoParametersEdgeCases(List <DriveMapping> driveMappings,
AutoRunEntry autoRunEntry,
string path)
{
int indexOf = path.IndexOf("%SystemRoot%\\system32\\regsvr32.exe", StringComparison.InvariantCultureIgnoreCase);
if (indexOf == 0)
{
autoRunEntry.FilePath = "%SystemRoot%\\system32\\regsvr32.exe";
autoRunEntry.Parameters = path.Substring("%SystemRoot%\\system32\\regsvr32.exe".Length);
autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath);
return(autoRunEntry);
}
indexOf = path.IndexOf("Windows\\system32\\Rundll32.exe", StringComparison.InvariantCultureIgnoreCase);
if (indexOf > -1)
{
autoRunEntry.FilePath = path.Substring(0, indexOf + "Windows\\system32\\Rundll32.exe".Length);
autoRunEntry.Parameters = path.Substring(autoRunEntry.FilePath.Length);
autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath);
return(autoRunEntry);
}
indexOf = path.IndexOf("Windows\\SysWOW64\\Rundll32.exe", StringComparison.InvariantCultureIgnoreCase);
if (indexOf > -1)
{
autoRunEntry.FilePath = path.Substring(0, indexOf + "Windows\\SysWOW64\\Rundll32.exe".Length);
autoRunEntry.Parameters = path.Substring(autoRunEntry.FilePath.Length);
autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath);
return(autoRunEntry);
}
indexOf = path.IndexOf("regsvr32.exe", StringComparison.InvariantCultureIgnoreCase);
if (indexOf == 0)
{
autoRunEntry.FilePath = "%SystemRoot%\\system32\\regsvr32.exe";
autoRunEntry.Parameters = path.Substring("regsvr32.exe".Length);
autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath);
return(autoRunEntry);
}
indexOf = path.IndexOf("bin/pg_ctl.exe", StringComparison.InvariantCultureIgnoreCase);
if (indexOf > 0)
{
autoRunEntry.FilePath = path.Substring(0, indexOf + "bin/pg_ctl.exe".Length);
autoRunEntry.Parameters = path.Substring(indexOf + "bin/pg_ctl.exe".Length);
autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath);
return(autoRunEntry);
}
autoRunEntry.FilePath = "";
return(autoRunEntry);
}
/// <summary>
///
/// </summary>
public FormMain()
{
InitializeComponent();
_importer = new Importer();
_importer.EntryFound += OnImporter_EntryFound;
_importer.Complete += OnImporter_Complete;
// This is a delegate that allows us to set a custom backcolour
// depending on the entries properties e.g. exists on disk/signed
listEntries.RowFormatter = delegate(OLVListItem olvi)
{
AutoRunEntry autoRunEntry = (AutoRunEntry)olvi.RowObject;
if (autoRunEntry.Exists == false)
{
olvi.BackColor = Color.FromArgb(255, 255, 153); // Yellow
}
else
{
if (autoRunEntry.Verified.ToLower() != "true")
{
olvi.BackColor = Color.FromArgb(255, 83, 83); // Red
}
else
{
olvi.BackColor = Color.FromArgb(66, 244, 140); // Red
}
}
};
SysImageListHelper helper = new SysImageListHelper(this.listEntries);
this.olvcType.ImageGetter = delegate(object x)
{
AutoRunEntry autoRunEntry = (AutoRunEntry)x;
return(helper.GetImageIndex(autoRunEntry.FilePath));
};
}
/// <summary>
///
/// </summary>
/// <param name="are"></param>
/// <returns></returns>
public static AutoRunEntry GetFileInformation(Dictionary <string, bool> hashes, string sigCheckPath, AutoRunEntry are)
{
try
{
if (are.FilePath.ToLower().Contains("googleupdate.exe"))
{
}
string sha256 = wincatalogdotnet.WinCatalog.CalculateFileHash(are.FilePath, "SHA256");
if (hashes.ContainsKey(sha256) == true)
{
are.Verified = "True";
}
else
{
string sha1 = wincatalogdotnet.WinCatalog.CalculateFileHash(are.FilePath, "SHA1");
if (hashes.ContainsKey(sha1) == true)
{
are.Verified = "True";
}
else
{
string output = Misc.ShellProcessWithOutput(sigCheckPath, Global.SIGCHECK_FLAGS + "\"" + are.FilePath + "\"");
are = Helper.ParseSigCheckOutput(are, output);
if (are.Verified.ToLower() == "signed")
{
are.Verified = "True";
}
else
{
are.Verified = "False";
}
}
}
}
catch (Exception ex)
{
Helper.WriteErrorToLog(ex.Message, string.Empty, string.Empty, are.FilePath);
are.Verified = "Error";
}
try
{
FileInfo fi = new System.IO.FileInfo(are.FilePath);
are.FileDate = fi.CreationTime;
FileVersionInfo fvi = FileVersionInfo.GetVersionInfo(are.FilePath);
are.FilePublisher = fvi.CompanyName;
are.FileDescription = fvi.FileDescription;
are.Version = fvi.ProductVersion;
are.FileVersion = fvi.FileVersion;
are.InternalName = fvi.InternalName;
}
catch (Exception ex)
{
Helper.WriteErrorToLog(ex.Message, string.Empty, string.Empty, are.FilePath);
}
return(are);
}
/// <summary>
/// Extracts information from the sigcheck output
/// </summary>
/// <param name="autoRunEntry"></param>
/// <param name="output"></param>
/// <returns></returns>
public static AutoRunEntry ParseSigCheckOutput(AutoRunEntry autoRunEntry,
string output)
{
Regex regex = new Regex(@"\s+Verified:\s+?(.*)", RegexOptions.IgnoreCase);
Match match = regex.Match(output);
if (match.Success == true)
{
autoRunEntry.Verified = CultureInfo.InvariantCulture.TextInfo.ToTitleCase(match.Groups[1].Value.Trim());
}
//regex = new Regex(@"\s+Publisher:\s+?(.*)", RegexOptions.IgnoreCase);
//match = regex.Match(output);
//if (match.Success == true)
//{
// autoRunEntry.FilePublisher = match.Groups[1].Value.Trim();
//}
//regex = new Regex(@"\s+Description:\s+?(.*)", RegexOptions.IgnoreCase);
//match = regex.Match(output);
//if (match.Success == true)
//{
// autoRunEntry.FileDescription = match.Groups[1].Value.Trim();
//}
//regex = new Regex(@"\s+Strong Name:\s+?(.*)", RegexOptions.IgnoreCase);
//match = regex.Match(output);
//if (match.Success == true)
//{
// autoRunEntry.StrongName = match.Groups[1].Value.Trim();
//}
//regex = new Regex(@"\s+Version:\s+?(.*)", RegexOptions.IgnoreCase);
//match = regex.Match(output);
//if (match.Success == true)
//{
// autoRunEntry.Version = match.Groups[1].Value.Trim();
//}
//regex = new Regex(@"\s+File version:\s+?(.*)", RegexOptions.IgnoreCase);
//match = regex.Match(output);
//if (match.Success == true)
//{
// autoRunEntry.FileVersion = match.Groups[1].Value.Trim();
//}
//regex = new Regex(@"\s+File date:\s+?(.*)", RegexOptions.IgnoreCase);
//match = regex.Match(output);
//if (match.Success == true)
//{
// autoRunEntry.FileDate = DateTime.Parse(match.Groups[1].Value.Trim());
//}
//regex = new Regex(@"\s+Signing date:\s+?(.*)", RegexOptions.IgnoreCase);
//match = regex.Match(output);
//if (match.Success == true)
//{
// autoRunEntry.SigningDate = DateTime.Parse(match.Groups[1].Value.Trim());
//}
return(autoRunEntry);
}
/// <summary>
/// Attempts to strip the binary (and full path) from the parameters. It also replaces
/// the path to the binary with the user selected one e.g. the image is mounted
/// at J:\ so C:\someprog.exe becomes J:\someprog.exe
/// </summary>
/// <param name="driveMappings"></param>
/// <param name="autoRunEntry"></param>
/// <param name="path"></param>
/// <returns></returns>
public static AutoRunEntry GetFilePathWithNoParameters(List <DriveMapping> driveMappings,
AutoRunEntry autoRunEntry,
string path)
{
if (path.Trim().Length == 0)
{
return(null);
}
//string parameters = string.Empty;
if (path.StartsWith("\"") == true)
{
// We appear to be quoted, so the file path should be between the quotes
string temp = path.Substring(1);
int index = temp.IndexOf('"');
if (index > -1)
{
autoRunEntry.Parameters = temp.Substring(index + 1, temp.Length - (index + 1));
autoRunEntry.FilePath = temp.Substring(0, index);
}
autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath);
}
else
{
autoRunEntry = GetFilePathWithNoParametersEdgeCases(driveMappings, autoRunEntry, path);
if (autoRunEntry.FilePath.Length > 0)
{
return(autoRunEntry);
}
string[] parts = path.Split(new string[] { "\\" }, StringSplitOptions.RemoveEmptyEntries);
int firstPartWithSpace = 0;
for (int index = 0; index < parts.Length; index++)
{
int indexOf = parts[index].IndexOf(" ");
if (indexOf > -1)
{
firstPartWithSpace = index;
break;
}
}
if (firstPartWithSpace != 0)
{
string tempFileEx = parts[firstPartWithSpace].Substring(0, parts[firstPartWithSpace].IndexOf(" "));
if (tempFileEx.EndsWith(".exe") || tempFileEx.EndsWith(".dll"))
{
//C:\windows\system32\cmd.exe /D /C start C:\windows\system32\ie4uinit.exe -ClearIconCache
string tempFile = string.Join("\\", parts.Slice(0, firstPartWithSpace));
tempFile += @"\" + parts[firstPartWithSpace].Substring(0, parts[firstPartWithSpace].IndexOf(" "));
tempFile = woanware.Path.ReplaceIllegalPathChars(tempFile, string.Empty);
autoRunEntry.FilePath = tempFile;
autoRunEntry.Parameters = parts[firstPartWithSpace].Substring(parts[firstPartWithSpace].IndexOf(" ")) + string.Join("\\", parts.Slice(firstPartWithSpace, parts.Length));
}
else
{
if (parts[parts.Length - 1].IndexOf(' ') > -1)
{
//c:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
string tempFile2 = parts[parts.Length - 1].Substring(0, parts[parts.Length - 1].IndexOf(" "));
autoRunEntry.Parameters = parts[parts.Length - 1].Substring(parts[parts.Length - 1].IndexOf(" "));
path = string.Join("\\", parts.Slice(0, parts.Length - 1));
if (path.StartsWith("\"") == true)
{
path = path.Substring(1);
}
tempFile2 = woanware.Path.ReplaceIllegalPathChars(tempFile2, string.Empty);
autoRunEntry.FilePath = System.IO.Path.Combine(path, tempFile2);
}
else
{
if (path.StartsWith("\"") == true)
{
path = path.Substring(1);
}
if (path.EndsWith("\"") == true)
{
path = path.Substring(0, path.Length - 1);
}
autoRunEntry.FilePath = path;
}
}
}
else
{
if (path.StartsWith("\"") == true)
{
path = path.Substring(1);
}
if (path.EndsWith("\"") == true)
{
path = path.Substring(0, path.Length - 1);
}
autoRunEntry.FilePath = path;
}
//if (parts[parts.Length - 1].IndexOf(' ') > -1)
// if (path.IndexOf(" ") > -1)
// {
// int index = path.IndexOf(" ");
// if (index > -1)
// {
// autoRunEntry.Parameters = path.Substring(index + 1, path.Length - (index + 1));
// autoRunEntry.FilePath = path.Substring(0, index);
// }
// else
// {
// autoRunEntry.FilePath = woanware.Path.ReplaceIllegalPathChars(path, string.Empty);
// }
// string tempFile = parts[parts.Length - 1].Substring(0, parts[parts.Length - 1].IndexOf(" "));
// autoRunEntry.Parameters = parts[parts.Length - 1].Substring(parts[parts.Length - 1].IndexOf(" "));
// path = string.Join("\\", parts.Slice(0, parts.Length - 1));
// if (path.StartsWith("\"") == true)
// {
// path = path.Substring(1);
// }
// tempFile = woanware.Path.ReplaceIllegalPathChars(tempFile, string.Empty);
// autoRunEntry.FilePath = System.IO.Path.Combine(path, tempFile);
// }
// else
// {
// if (path.StartsWith("\"") == true)
// {
// path = path.Substring(1);
// }
// if (path.EndsWith("\"") == true)
// {
// path = path.Substring(0, path.Length - 1);
// }
// autoRunEntry.FilePath = path;
// }
autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath);
}
return(autoRunEntry);
}
/// <summary>
///
/// </summary>
/// <param name="message"></param>
private void OnEntryFound(AutoRunEntry autoRunEntry)
{
EntryFound?.Invoke(autoRunEntry);
}
/// <summary>
///
/// </summary>
/// <param name="filePath"></param>
/// <param name="path"></param>
/// <param name="type"></param>
/// <param name="info"></param>
/// <param name="sourceFile">The registry file the entry was identified from</param>
/// <param name="regModified"></param>
private void ProcessEntry(string filePath,
string path,
string type,
string info,
string sourceFile,
string serviceDisplayName,
string serviceDescription,
DateTimeOffset?regModified)
{
try
{
filePath = Text.ReplaceNulls(filePath);
AutoRunEntry autoRunEntry = new AutoRunEntry
{
Type = type,
Info = info,
Path = path,
ServiceDisplayName = serviceDisplayName,
ServiceDescription = serviceDescription,
SourceFile = sourceFile
};
autoRunEntry = Helper.GetFilePathWithNoParameters(_driveMappings, autoRunEntry, filePath);
if (autoRunEntry == null)
{
return;
}
if (autoRunEntry.FilePath.Length == 0)
{
return;
}
autoRunEntry.FileName = System.IO.Path.GetFileName(autoRunEntry.FilePath.Replace("\"", string.Empty));
if (System.IO.Path.GetExtension(autoRunEntry.FileName) == ".lnk")
{
try
{
ShellLinkFile shellLinkFile = ShellLinkFile.Load(autoRunEntry.FilePath);
autoRunEntry = new AutoRunEntry
{
Type = type,
Info = info
};
autoRunEntry.Info = filePath;
autoRunEntry = Helper.GetFilePathWithNoParameters(_driveMappings, autoRunEntry, System.IO.Path.Combine(shellLinkFile.LinkInfo.LocalBasePath, shellLinkFile.LinkInfo.CommonPathSuffix) + " " + shellLinkFile.Arguments);
autoRunEntry.Path = System.IO.Path.Combine(shellLinkFile.LinkInfo.LocalBasePath, shellLinkFile.LinkInfo.CommonPathSuffix) + " " + shellLinkFile.Arguments;
autoRunEntry.FileName = System.IO.Path.GetFileName(autoRunEntry.FilePath.Replace("\"", string.Empty));
}
catch (Exception ex)
{
_hasErrors = true;
Helper.WriteErrorToLog(ex.ToString(), filePath, autoRunEntry.FilePath, path);
}
}
if (autoRunEntry.FilePath.Length == 0)
{
Helper.WriteErrorToLog("FilePath is zero length", filePath, autoRunEntry.FilePath, path);
return;
}
Console.WriteLine(autoRunEntry.FilePath);
_entries.Add(autoRunEntry);
try
{
using (new PrivilegeEnabler(System.Diagnostics.Process.GetCurrentProcess(), Privilege.TakeOwnership))
{
FileInfo fileInfo = new FileInfo(autoRunEntry.FilePath);
FileSecurity fileSecurity = fileInfo.GetAccessControl();
fileSecurity.SetOwner(WindowsIdentity.GetCurrent().User);
File.SetAccessControl(autoRunEntry.FilePath, fileSecurity);
if (File.Exists(autoRunEntry.FilePath) == false)
{
autoRunEntry.Error = "Does Not Exist";
OnEntryFound(autoRunEntry);
return;
}
autoRunEntry.Exists = true;
autoRunEntry.FileSystemAccessed = fileInfo.LastAccessTime;
autoRunEntry.FileSystemCreated = fileInfo.CreationTime;
autoRunEntry.FileSystemModified = fileInfo.LastWriteTime;
autoRunEntry.RegistryModified = regModified;
//string output = Misc.ShellProcessWithOutput(_sigCheckPath, Global.SIGCHECK_FLAGS + "\"" + autoRunEntry.FilePath + "\"");
//autoRunEntry = Helper.ParseSigCheckOutput(autoRunEntry, output);
autoRunEntry = Helper.GetFileInformation(hashes, _sigCheckPath, autoRunEntry);
autoRunEntry.Md5 = Security.GenerateMd5HashStream(autoRunEntry.FilePath);
autoRunEntry.Sha256 = Helper.GetFileSha256Hash(autoRunEntry.FilePath);
OnEntryFound(autoRunEntry);
}
}
catch (Exception ex)
{
Helper.WriteErrorToLog(ex.ToString(), filePath, autoRunEntry.FilePath, path);
autoRunEntry.Error = "Error: " + ex.Message;
OnEntryFound(autoRunEntry);
}
}
catch (Exception ex)
{
_hasErrors = true;
Helper.WriteErrorToLog(ex.ToString(), filePath, filePath, path);
}
}
/// <summary>
///
/// </summary>
/// <param name="autoRunEntry"></param>
private void OnImporter_EntryFound(AutoRunEntry autoRunEntry)
{
listEntries.AddObject(autoRunEntry);
}
