private static void AddFiles(List <Autorunpoints> xlselements, string location, DateTime registryMod)
{
string xlsfolder;
string owner;
using (RegistryKey reglocation = Registry.Users.OpenSubKey(location))
{
xlsfolder = reglocation.GetValue("Path").ToString();
owner = RegistryUtil.GetRegKeyOwner(reglocation);
}
if (Directory.Exists(xlsfolder) == true)
{
foreach (var file in Directory.GetFiles(xlsfolder))
{
Autorunpoints autopoint = new Autorunpoints();
autopoint.Type = "XLSStart";
autopoint.IsFile = true;
autopoint.FilePath = file;
autopoint.RegistryPath = location;
autopoint.RegistryValueName = "Path";
autopoint.RegistryValueString = xlsfolder;
autopoint.RegistryOwner = owner;
autopoint.RegistryModified = registryMod.ToString(DBManager.DateTimeFormat);
xlselements.Add(autopoint);
}
}
}
private static void ExtractFileInfo(Autorunpoints runPoint)
{
bool isFileExist = false;
if (string.IsNullOrEmpty(runPoint.FilePath))
{
return;
}
IntPtr wow64Value = IntPtr.Zero;
if (File.Exists(runPoint.FilePath))
{
isFileExist = true;
}
else
{
if (runPoint.FilePath.ToLower().StartsWith(@"c:\windows\system32"))
{
Forensics.Util.Wow64DisableWow64FsRedirection(ref wow64Value);
if (File.Exists(runPoint.FilePath))
{
isFileExist = true;
}
}
}
if (isFileExist)
{
try
{
FileInfo fi = new FileInfo(runPoint.FilePath);
runPoint.FileCreated = fi.CreationTimeUtc.ToString("yyyy-MM-dd HH:mm:ss.fff");
runPoint.FileModified = fi.LastWriteTimeUtc.ToString("yyyy-MM-dd HH:mm:ss.fff");
FileSecurity fileSecurity = File.GetAccessControl(runPoint.FilePath);
IdentityReference sid = fileSecurity.GetOwner(typeof(SecurityIdentifier));
NTAccount ntAccount = sid.Translate(typeof(NTAccount)) as NTAccount;
runPoint.FileOwner = ntAccount.Value;
}
catch (Exception)
{
}
}
if (wow64Value != IntPtr.Zero)
{
Forensics.Util.Wow64RevertWow64FsRedirection(wow64Value);
}
}
public static void GetCLSIDDetails(List <Autorunpoints> lstAutoRuns, string[] regdl, string owner, string type, string regModified)
{
if (regdl != null)
{
for (int i = 0; i < regdl.Length; i++)
{
Autorunpoints runPoint = new Autorunpoints();
runPoint.RegistryPath = "LocalMachine\\Software\\Classes\\CLSID\\" + regdl[i];
runPoint.RegistryValueName = "Default";
runPoint.RegistryValueString = RegistryUtil.GetStringSubValue("LocalMachine",
"Software\\Classes\\CLSID\\" + regdl[i], "", false);
runPoint.FilePath = RegistryUtil.GetStringSubValue("LocalMachine",
"Software\\Classes\\CLSID\\" + regdl[i] + "\\InprocServer32", "", false);
runPoint.IsRegistry = true;
runPoint.RegistryOwner = owner;
runPoint.RegistryModified = regModified;
runPoint.Type = type;
lstAutoRuns.Add(runPoint);
}
}
}
private static void ReadHiveValue(string hive, string key, string valname, char[] delim, bool is64, bool type, string runtype, List <Autorunpoints> lstAutoRuns)
{
try
{
RegistryKey basekey = null;
RegistryKey runkey = null;
if (hive == "LocalMachine")
{
basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 == true ? RegistryView.Registry64 : RegistryView.Registry32);
runkey = basekey.OpenSubKey(key);
}
else
{
RegistryKey runhive = Registry.Users.OpenSubKey(hive);
if (runhive != null)
{
runkey = runhive.OpenSubKey(key);
}
}
string owner = RegistryUtil.GetRegKeyOwner(runkey);
if (runkey != null)
{
try
{
string keyValue = Convert.ToString(runkey.GetValue(valname));
if (!string.IsNullOrEmpty(keyValue))
{
string[] vals = keyValue.Split(delim);
foreach (var valstring in vals)
{
Autorunpoints runPoint = new Autorunpoints();
runPoint.Type = "AppInit_Dlls";
if (hive == "LocalMachine")
{
runPoint.RegistryPath = "LocalMachine\\" + key;
}
else
{
runPoint.RegistryPath = hive + "\\" + key;
}
runPoint.RegistryValueName = valname;
runPoint.RegistryValueString = valstring;
runPoint.FilePath = valstring;
runPoint.RegistryOwner = owner;
lstAutoRuns.Add(runPoint);
}
}
}
catch (Exception)
{
}
}
if (basekey != null)
{
basekey.Close();
}
if (runkey != null)
{
runkey.Close();
}
}
catch (Exception)
{
}
}
private static void AuditHive(string hive, string run, bool is64, string runtype, List <Autorunpoints> regrunlist)
{
try
{
RegistryKey basekey = null;
RegistryKey runkey = null;
if (hive == "LocalMachine")
{
basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 == true ? RegistryView.Registry64 : RegistryView.Registry32);
runkey = basekey.OpenSubKey(run);
}
else
{
RegistryKey runhive = Registry.Users.OpenSubKey(hive);
if (runhive != null)
{
runkey = runhive.OpenSubKey(run);
}
}
string owner = string.Empty;
if (runkey != null)
{
DateTime regModified = RegistryModified.lastWriteTime(runkey);
owner = RegistryUtil.GetRegKeyOwner(runkey);
foreach (var value in runkey.GetValueNames())
{
Autorunpoints autoruns = new Autorunpoints();
try
{
string keyValue = Convert.ToString(runkey.GetValue(value));
if (hive == "LocalMachine")
{
autoruns.RegistryPath = "LocalMachine\\" + run;
}
else
{
autoruns.RegistryPath = hive + "\\" + run;
}
autoruns.RegistryValueString = keyValue;
autoruns.RegistryValueName = value;
if (!string.IsNullOrEmpty(autoruns.RegistryValueString))
{
string[] pathAndArgument = autoruns.RegistryValueString.Split(new string[] { " -", " /", " \"" }, 2, StringSplitOptions.RemoveEmptyEntries);
if (pathAndArgument.Length > 0)
{
autoruns.RegistryValueString = pathAndArgument[0].Replace("\"", string.Empty);
autoruns.FilePath = autoruns.RegistryValueString;
}
}
autoruns.IsRegistry = true;
autoruns.RegistryOwner = owner;
autoruns.RegistryModified = regModified.ToString(DBManager.DateTimeFormat);
autoruns.Type = runtype;
regrunlist.Add(autoruns);
}
catch (Exception)
{
}
}
if (basekey != null)
{
basekey.Close();
}
runkey.Close();
}
}
catch (Exception)
{
}
}