Пример #1
0
        private static void AddFiles(List <Autorunpoints> xlselements, string location, DateTime registryMod)
        {
            string xlsfolder;
            string owner;

            using (RegistryKey reglocation = Registry.Users.OpenSubKey(location))
            {
                xlsfolder = reglocation.GetValue("Path").ToString();
                owner     = RegistryUtil.GetRegKeyOwner(reglocation);
            }

            if (Directory.Exists(xlsfolder) == true)
            {
                foreach (var file in Directory.GetFiles(xlsfolder))
                {
                    Autorunpoints autopoint = new Autorunpoints();
                    autopoint.Type                = "XLSStart";
                    autopoint.IsFile              = true;
                    autopoint.FilePath            = file;
                    autopoint.RegistryPath        = location;
                    autopoint.RegistryValueName   = "Path";
                    autopoint.RegistryValueString = xlsfolder;
                    autopoint.RegistryOwner       = owner;
                    autopoint.RegistryModified    = registryMod.ToString(DBManager.DateTimeFormat);
                    xlselements.Add(autopoint);
                }
            }
        }
Пример #2
0
        private static void ReadHiveValue(string hive, string key, string valname, char[] delim, bool is64, bool type, string runtype, List <Autorunpoints> lstAutoRuns)
        {
            try
            {
                RegistryKey basekey = null;
                RegistryKey runkey  = null;

                if (hive == "LocalMachine")
                {
                    basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 == true ? RegistryView.Registry64 : RegistryView.Registry32);
                    runkey  = basekey.OpenSubKey(key);
                }
                else
                {
                    RegistryKey runhive = Registry.Users.OpenSubKey(hive);
                    if (runhive != null)
                    {
                        runkey = runhive.OpenSubKey(key);
                    }
                }
                string owner = RegistryUtil.GetRegKeyOwner(runkey);
                if (runkey != null)
                {
                    try
                    {
                        string keyValue = Convert.ToString(runkey.GetValue(valname));
                        if (!string.IsNullOrEmpty(keyValue))
                        {
                            string[] vals = keyValue.Split(delim);

                            foreach (var valstring in vals)
                            {
                                Autorunpoints runPoint = new Autorunpoints();
                                runPoint.Type = "AppInit_Dlls";
                                if (hive == "LocalMachine")
                                {
                                    runPoint.RegistryPath = "LocalMachine\\" + key;
                                }
                                else
                                {
                                    runPoint.RegistryPath = hive + "\\" + key;
                                }

                                runPoint.RegistryValueName   = valname;
                                runPoint.RegistryValueString = valstring;
                                runPoint.FilePath            = valstring;
                                runPoint.RegistryOwner       = owner;
                                lstAutoRuns.Add(runPoint);
                            }
                        }
                    }
                    catch (Exception)
                    {
                    }
                }
                if (basekey != null)
                {
                    basekey.Close();
                }

                if (runkey != null)
                {
                    runkey.Close();
                }
            }
            catch (Exception)
            {
            }
        }
Пример #3
0
        private static void AuditHive(string hive, string run, bool is64, string runtype, List <Autorunpoints> regrunlist)
        {
            try
            {
                RegistryKey basekey = null;
                RegistryKey runkey  = null;

                if (hive == "LocalMachine")
                {
                    basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 == true ? RegistryView.Registry64 : RegistryView.Registry32);
                    runkey  = basekey.OpenSubKey(run);
                }
                else
                {
                    RegistryKey runhive = Registry.Users.OpenSubKey(hive);
                    if (runhive != null)
                    {
                        runkey = runhive.OpenSubKey(run);
                    }
                }
                string owner = string.Empty;
                if (runkey != null)
                {
                    DateTime regModified = RegistryModified.lastWriteTime(runkey);
                    owner = RegistryUtil.GetRegKeyOwner(runkey);
                    foreach (var value in runkey.GetValueNames())
                    {
                        Autorunpoints autoruns = new Autorunpoints();
                        try
                        {
                            string keyValue = Convert.ToString(runkey.GetValue(value));

                            if (hive == "LocalMachine")
                            {
                                autoruns.RegistryPath = "LocalMachine\\" + run;
                            }
                            else
                            {
                                autoruns.RegistryPath = hive + "\\" + run;
                            }
                            autoruns.RegistryValueString = keyValue;
                            autoruns.RegistryValueName   = value;

                            if (!string.IsNullOrEmpty(autoruns.RegistryValueString))
                            {
                                string[] pathAndArgument = autoruns.RegistryValueString.Split(new string[] { " -", " /", " \"" }, 2, StringSplitOptions.RemoveEmptyEntries);
                                if (pathAndArgument.Length > 0)
                                {
                                    autoruns.RegistryValueString = pathAndArgument[0].Replace("\"", string.Empty);
                                    autoruns.FilePath            = autoruns.RegistryValueString;
                                }
                            }
                            autoruns.IsRegistry       = true;
                            autoruns.RegistryOwner    = owner;
                            autoruns.RegistryModified = regModified.ToString(DBManager.DateTimeFormat);
                            autoruns.Type             = runtype;
                            regrunlist.Add(autoruns);
                        }
                        catch (Exception)
                        {
                        }
                    }
                    if (basekey != null)
                    {
                        basekey.Close();
                    }
                    runkey.Close();
                }
            }
            catch (Exception)
            {
            }
        }