/// <summary> /// /// </summary> /// <param name="sender"></param> /// <param name="e"></param> private void contextCopyInfo_Click(object sender, EventArgs e) { AutoRunEntry entry = (AutoRunEntry)listEntries.SelectedObject; string ret = Helper.CopyToClipboard(Global.Columns.Info, entry); UpdateStatusBar(ret); }
/// <summary> /// /// </summary> /// <param name="column"></param> /// <param name="entry"></param> /// <returns></returns> public static string CopyToClipboard(Global.Columns column, AutoRunEntry entry) { switch (column) { case Global.Columns.Description: Clipboard.SetText(entry.FileDescription); return("Copied \"Description\" to clipboard"); case Global.Columns.FileDate: Clipboard.SetText(entry.FileDateText); return("Copied \"File Date\" to clipboard"); case Global.Columns.FileName: Clipboard.SetText(entry.FileName); return("Copied \"File Name\" to clipboard"); case Global.Columns.FilePath: Clipboard.SetText(entry.FilePath); return("Copied \"File Path\" to clipboard"); case Global.Columns.Info: Clipboard.SetText(entry.Info); return("Copied \"Info\" to clipboard"); case Global.Columns.Md5: Clipboard.SetText(entry.Md5); return("Copied \"MD5\" to clipboard"); case Global.Columns.Parameters: Clipboard.SetText(entry.Parameters); return("Copied \"Parameters\" to clipboard"); case Global.Columns.Path: Clipboard.SetText(entry.Path); return("Copied \"Path\" to clipboard"); case Global.Columns.Publisher: Clipboard.SetText(entry.FilePublisher); return("Copied \"Publisher\" to clipboard"); case Global.Columns.SigningDate: Clipboard.SetText(entry.SigningDateText); return("Copied \"SigningDate\" to clipboard"); case Global.Columns.Type: Clipboard.SetText(entry.Type); return("Copied \"Type\" to clipboard"); case Global.Columns.Version: Clipboard.SetText(entry.Version); return("Copied \"Version\" to clipboard"); default: return(string.Empty); } }
/// <summary> /// T /// </summary> /// <param name="driveMappings"></param> /// <param name="autoRunEntry"></param> /// <param name="path"></param> /// <returns></returns> private static AutoRunEntry GetFilePathWithNoParametersEdgeCases(List <DriveMapping> driveMappings, AutoRunEntry autoRunEntry, string path) { int indexOf = path.IndexOf("%SystemRoot%\\system32\\regsvr32.exe", StringComparison.InvariantCultureIgnoreCase); if (indexOf == 0) { autoRunEntry.FilePath = "%SystemRoot%\\system32\\regsvr32.exe"; autoRunEntry.Parameters = path.Substring("%SystemRoot%\\system32\\regsvr32.exe".Length); autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath); return(autoRunEntry); } indexOf = path.IndexOf("Windows\\system32\\Rundll32.exe", StringComparison.InvariantCultureIgnoreCase); if (indexOf > -1) { autoRunEntry.FilePath = path.Substring(0, indexOf + "Windows\\system32\\Rundll32.exe".Length); autoRunEntry.Parameters = path.Substring(autoRunEntry.FilePath.Length); autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath); return(autoRunEntry); } indexOf = path.IndexOf("Windows\\SysWOW64\\Rundll32.exe", StringComparison.InvariantCultureIgnoreCase); if (indexOf > -1) { autoRunEntry.FilePath = path.Substring(0, indexOf + "Windows\\SysWOW64\\Rundll32.exe".Length); autoRunEntry.Parameters = path.Substring(autoRunEntry.FilePath.Length); autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath); return(autoRunEntry); } indexOf = path.IndexOf("regsvr32.exe", StringComparison.InvariantCultureIgnoreCase); if (indexOf == 0) { autoRunEntry.FilePath = "%SystemRoot%\\system32\\regsvr32.exe"; autoRunEntry.Parameters = path.Substring("regsvr32.exe".Length); autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath); return(autoRunEntry); } indexOf = path.IndexOf("bin/pg_ctl.exe", StringComparison.InvariantCultureIgnoreCase); if (indexOf > 0) { autoRunEntry.FilePath = path.Substring(0, indexOf + "bin/pg_ctl.exe".Length); autoRunEntry.Parameters = path.Substring(indexOf + "bin/pg_ctl.exe".Length); autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath); return(autoRunEntry); } autoRunEntry.FilePath = ""; return(autoRunEntry); }
/// <summary> /// /// </summary> public FormMain() { InitializeComponent(); _importer = new Importer(); _importer.EntryFound += OnImporter_EntryFound; _importer.Complete += OnImporter_Complete; // This is a delegate that allows us to set a custom backcolour // depending on the entries properties e.g. exists on disk/signed listEntries.RowFormatter = delegate(OLVListItem olvi) { AutoRunEntry autoRunEntry = (AutoRunEntry)olvi.RowObject; if (autoRunEntry.Exists == false) { olvi.BackColor = Color.FromArgb(255, 255, 153); // Yellow } else { if (autoRunEntry.Verified.ToLower() != "true") { olvi.BackColor = Color.FromArgb(255, 83, 83); // Red } else { olvi.BackColor = Color.FromArgb(66, 244, 140); // Red } } }; SysImageListHelper helper = new SysImageListHelper(this.listEntries); this.olvcType.ImageGetter = delegate(object x) { AutoRunEntry autoRunEntry = (AutoRunEntry)x; return(helper.GetImageIndex(autoRunEntry.FilePath)); }; }
/// <summary> /// /// </summary> /// <param name="are"></param> /// <returns></returns> public static AutoRunEntry GetFileInformation(Dictionary <string, bool> hashes, string sigCheckPath, AutoRunEntry are) { try { if (are.FilePath.ToLower().Contains("googleupdate.exe")) { } string sha256 = wincatalogdotnet.WinCatalog.CalculateFileHash(are.FilePath, "SHA256"); if (hashes.ContainsKey(sha256) == true) { are.Verified = "True"; } else { string sha1 = wincatalogdotnet.WinCatalog.CalculateFileHash(are.FilePath, "SHA1"); if (hashes.ContainsKey(sha1) == true) { are.Verified = "True"; } else { string output = Misc.ShellProcessWithOutput(sigCheckPath, Global.SIGCHECK_FLAGS + "\"" + are.FilePath + "\""); are = Helper.ParseSigCheckOutput(are, output); if (are.Verified.ToLower() == "signed") { are.Verified = "True"; } else { are.Verified = "False"; } } } } catch (Exception ex) { Helper.WriteErrorToLog(ex.Message, string.Empty, string.Empty, are.FilePath); are.Verified = "Error"; } try { FileInfo fi = new System.IO.FileInfo(are.FilePath); are.FileDate = fi.CreationTime; FileVersionInfo fvi = FileVersionInfo.GetVersionInfo(are.FilePath); are.FilePublisher = fvi.CompanyName; are.FileDescription = fvi.FileDescription; are.Version = fvi.ProductVersion; are.FileVersion = fvi.FileVersion; are.InternalName = fvi.InternalName; } catch (Exception ex) { Helper.WriteErrorToLog(ex.Message, string.Empty, string.Empty, are.FilePath); } return(are); }
/// <summary> /// Extracts information from the sigcheck output /// </summary> /// <param name="autoRunEntry"></param> /// <param name="output"></param> /// <returns></returns> public static AutoRunEntry ParseSigCheckOutput(AutoRunEntry autoRunEntry, string output) { Regex regex = new Regex(@"\s+Verified:\s+?(.*)", RegexOptions.IgnoreCase); Match match = regex.Match(output); if (match.Success == true) { autoRunEntry.Verified = CultureInfo.InvariantCulture.TextInfo.ToTitleCase(match.Groups[1].Value.Trim()); } //regex = new Regex(@"\s+Publisher:\s+?(.*)", RegexOptions.IgnoreCase); //match = regex.Match(output); //if (match.Success == true) //{ // autoRunEntry.FilePublisher = match.Groups[1].Value.Trim(); //} //regex = new Regex(@"\s+Description:\s+?(.*)", RegexOptions.IgnoreCase); //match = regex.Match(output); //if (match.Success == true) //{ // autoRunEntry.FileDescription = match.Groups[1].Value.Trim(); //} //regex = new Regex(@"\s+Strong Name:\s+?(.*)", RegexOptions.IgnoreCase); //match = regex.Match(output); //if (match.Success == true) //{ // autoRunEntry.StrongName = match.Groups[1].Value.Trim(); //} //regex = new Regex(@"\s+Version:\s+?(.*)", RegexOptions.IgnoreCase); //match = regex.Match(output); //if (match.Success == true) //{ // autoRunEntry.Version = match.Groups[1].Value.Trim(); //} //regex = new Regex(@"\s+File version:\s+?(.*)", RegexOptions.IgnoreCase); //match = regex.Match(output); //if (match.Success == true) //{ // autoRunEntry.FileVersion = match.Groups[1].Value.Trim(); //} //regex = new Regex(@"\s+File date:\s+?(.*)", RegexOptions.IgnoreCase); //match = regex.Match(output); //if (match.Success == true) //{ // autoRunEntry.FileDate = DateTime.Parse(match.Groups[1].Value.Trim()); //} //regex = new Regex(@"\s+Signing date:\s+?(.*)", RegexOptions.IgnoreCase); //match = regex.Match(output); //if (match.Success == true) //{ // autoRunEntry.SigningDate = DateTime.Parse(match.Groups[1].Value.Trim()); //} return(autoRunEntry); }
/// <summary> /// Attempts to strip the binary (and full path) from the parameters. It also replaces /// the path to the binary with the user selected one e.g. the image is mounted /// at J:\ so C:\someprog.exe becomes J:\someprog.exe /// </summary> /// <param name="driveMappings"></param> /// <param name="autoRunEntry"></param> /// <param name="path"></param> /// <returns></returns> public static AutoRunEntry GetFilePathWithNoParameters(List <DriveMapping> driveMappings, AutoRunEntry autoRunEntry, string path) { if (path.Trim().Length == 0) { return(null); } //string parameters = string.Empty; if (path.StartsWith("\"") == true) { // We appear to be quoted, so the file path should be between the quotes string temp = path.Substring(1); int index = temp.IndexOf('"'); if (index > -1) { autoRunEntry.Parameters = temp.Substring(index + 1, temp.Length - (index + 1)); autoRunEntry.FilePath = temp.Substring(0, index); } autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath); } else { autoRunEntry = GetFilePathWithNoParametersEdgeCases(driveMappings, autoRunEntry, path); if (autoRunEntry.FilePath.Length > 0) { return(autoRunEntry); } string[] parts = path.Split(new string[] { "\\" }, StringSplitOptions.RemoveEmptyEntries); int firstPartWithSpace = 0; for (int index = 0; index < parts.Length; index++) { int indexOf = parts[index].IndexOf(" "); if (indexOf > -1) { firstPartWithSpace = index; break; } } if (firstPartWithSpace != 0) { string tempFileEx = parts[firstPartWithSpace].Substring(0, parts[firstPartWithSpace].IndexOf(" ")); if (tempFileEx.EndsWith(".exe") || tempFileEx.EndsWith(".dll")) { //C:\windows\system32\cmd.exe /D /C start C:\windows\system32\ie4uinit.exe -ClearIconCache string tempFile = string.Join("\\", parts.Slice(0, firstPartWithSpace)); tempFile += @"\" + parts[firstPartWithSpace].Substring(0, parts[firstPartWithSpace].IndexOf(" ")); tempFile = woanware.Path.ReplaceIllegalPathChars(tempFile, string.Empty); autoRunEntry.FilePath = tempFile; autoRunEntry.Parameters = parts[firstPartWithSpace].Substring(parts[firstPartWithSpace].IndexOf(" ")) + string.Join("\\", parts.Slice(firstPartWithSpace, parts.Length)); } else { if (parts[parts.Length - 1].IndexOf(' ') > -1) { //c:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll string tempFile2 = parts[parts.Length - 1].Substring(0, parts[parts.Length - 1].IndexOf(" ")); autoRunEntry.Parameters = parts[parts.Length - 1].Substring(parts[parts.Length - 1].IndexOf(" ")); path = string.Join("\\", parts.Slice(0, parts.Length - 1)); if (path.StartsWith("\"") == true) { path = path.Substring(1); } tempFile2 = woanware.Path.ReplaceIllegalPathChars(tempFile2, string.Empty); autoRunEntry.FilePath = System.IO.Path.Combine(path, tempFile2); } else { if (path.StartsWith("\"") == true) { path = path.Substring(1); } if (path.EndsWith("\"") == true) { path = path.Substring(0, path.Length - 1); } autoRunEntry.FilePath = path; } } } else { if (path.StartsWith("\"") == true) { path = path.Substring(1); } if (path.EndsWith("\"") == true) { path = path.Substring(0, path.Length - 1); } autoRunEntry.FilePath = path; } //if (parts[parts.Length - 1].IndexOf(' ') > -1) // if (path.IndexOf(" ") > -1) // { // int index = path.IndexOf(" "); // if (index > -1) // { // autoRunEntry.Parameters = path.Substring(index + 1, path.Length - (index + 1)); // autoRunEntry.FilePath = path.Substring(0, index); // } // else // { // autoRunEntry.FilePath = woanware.Path.ReplaceIllegalPathChars(path, string.Empty); // } // string tempFile = parts[parts.Length - 1].Substring(0, parts[parts.Length - 1].IndexOf(" ")); // autoRunEntry.Parameters = parts[parts.Length - 1].Substring(parts[parts.Length - 1].IndexOf(" ")); // path = string.Join("\\", parts.Slice(0, parts.Length - 1)); // if (path.StartsWith("\"") == true) // { // path = path.Substring(1); // } // tempFile = woanware.Path.ReplaceIllegalPathChars(tempFile, string.Empty); // autoRunEntry.FilePath = System.IO.Path.Combine(path, tempFile); // } // else // { // if (path.StartsWith("\"") == true) // { // path = path.Substring(1); // } // if (path.EndsWith("\"") == true) // { // path = path.Substring(0, path.Length - 1); // } // autoRunEntry.FilePath = path; // } autoRunEntry.FilePath = Helper.NormalisePath(driveMappings, autoRunEntry.FilePath); } return(autoRunEntry); }
/// <summary> /// /// </summary> /// <param name="message"></param> private void OnEntryFound(AutoRunEntry autoRunEntry) { EntryFound?.Invoke(autoRunEntry); }
/// <summary> /// /// </summary> /// <param name="filePath"></param> /// <param name="path"></param> /// <param name="type"></param> /// <param name="info"></param> /// <param name="sourceFile">The registry file the entry was identified from</param> /// <param name="regModified"></param> private void ProcessEntry(string filePath, string path, string type, string info, string sourceFile, string serviceDisplayName, string serviceDescription, DateTimeOffset?regModified) { try { filePath = Text.ReplaceNulls(filePath); AutoRunEntry autoRunEntry = new AutoRunEntry { Type = type, Info = info, Path = path, ServiceDisplayName = serviceDisplayName, ServiceDescription = serviceDescription, SourceFile = sourceFile }; autoRunEntry = Helper.GetFilePathWithNoParameters(_driveMappings, autoRunEntry, filePath); if (autoRunEntry == null) { return; } if (autoRunEntry.FilePath.Length == 0) { return; } autoRunEntry.FileName = System.IO.Path.GetFileName(autoRunEntry.FilePath.Replace("\"", string.Empty)); if (System.IO.Path.GetExtension(autoRunEntry.FileName) == ".lnk") { try { ShellLinkFile shellLinkFile = ShellLinkFile.Load(autoRunEntry.FilePath); autoRunEntry = new AutoRunEntry { Type = type, Info = info }; autoRunEntry.Info = filePath; autoRunEntry = Helper.GetFilePathWithNoParameters(_driveMappings, autoRunEntry, System.IO.Path.Combine(shellLinkFile.LinkInfo.LocalBasePath, shellLinkFile.LinkInfo.CommonPathSuffix) + " " + shellLinkFile.Arguments); autoRunEntry.Path = System.IO.Path.Combine(shellLinkFile.LinkInfo.LocalBasePath, shellLinkFile.LinkInfo.CommonPathSuffix) + " " + shellLinkFile.Arguments; autoRunEntry.FileName = System.IO.Path.GetFileName(autoRunEntry.FilePath.Replace("\"", string.Empty)); } catch (Exception ex) { _hasErrors = true; Helper.WriteErrorToLog(ex.ToString(), filePath, autoRunEntry.FilePath, path); } } if (autoRunEntry.FilePath.Length == 0) { Helper.WriteErrorToLog("FilePath is zero length", filePath, autoRunEntry.FilePath, path); return; } Console.WriteLine(autoRunEntry.FilePath); _entries.Add(autoRunEntry); try { using (new PrivilegeEnabler(System.Diagnostics.Process.GetCurrentProcess(), Privilege.TakeOwnership)) { FileInfo fileInfo = new FileInfo(autoRunEntry.FilePath); FileSecurity fileSecurity = fileInfo.GetAccessControl(); fileSecurity.SetOwner(WindowsIdentity.GetCurrent().User); File.SetAccessControl(autoRunEntry.FilePath, fileSecurity); if (File.Exists(autoRunEntry.FilePath) == false) { autoRunEntry.Error = "Does Not Exist"; OnEntryFound(autoRunEntry); return; } autoRunEntry.Exists = true; autoRunEntry.FileSystemAccessed = fileInfo.LastAccessTime; autoRunEntry.FileSystemCreated = fileInfo.CreationTime; autoRunEntry.FileSystemModified = fileInfo.LastWriteTime; autoRunEntry.RegistryModified = regModified; //string output = Misc.ShellProcessWithOutput(_sigCheckPath, Global.SIGCHECK_FLAGS + "\"" + autoRunEntry.FilePath + "\""); //autoRunEntry = Helper.ParseSigCheckOutput(autoRunEntry, output); autoRunEntry = Helper.GetFileInformation(hashes, _sigCheckPath, autoRunEntry); autoRunEntry.Md5 = Security.GenerateMd5HashStream(autoRunEntry.FilePath); autoRunEntry.Sha256 = Helper.GetFileSha256Hash(autoRunEntry.FilePath); OnEntryFound(autoRunEntry); } } catch (Exception ex) { Helper.WriteErrorToLog(ex.ToString(), filePath, autoRunEntry.FilePath, path); autoRunEntry.Error = "Error: " + ex.Message; OnEntryFound(autoRunEntry); } } catch (Exception ex) { _hasErrors = true; Helper.WriteErrorToLog(ex.ToString(), filePath, filePath, path); } }
/// <summary> /// /// </summary> /// <param name="autoRunEntry"></param> private void OnImporter_EntryFound(AutoRunEntry autoRunEntry) { listEntries.AddObject(autoRunEntry); }