示例#1
0
        private string?GetServiceDll(string serviceName)
        {
            // ServiceDll's can be at the following locations
            //  - HKLM\\SYSTEM\\CurrentControlSet\\Services\\ ! ServiceDll
            //    - Ex: DoSvc on Win10
            //  - HKLM\\SYSTEM\\CurrentControlSet\\Services\\Parameters ! ServiceDll
            //    - Ex: DnsCache on Win10

            string path = null;

            try
            {
                path = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, $"SYSTEM\\CurrentControlSet\\Services\\{serviceName}\\Parameters", "ServiceDll");
            }
            catch
            {
            }

            if (path == null)
            {
                try
                {
                    path = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, $"SYSTEM\\CurrentControlSet\\Services\\{serviceName}", "ServiceDll");
                }
                catch
                {
                }
            }

            return(path);
        }
示例#2
0
        public static void Reload()
        {
            RegistryKey server = RegistryUtil.HKLM.OpenSubKey("SOFTWARE\\Perspective Software\\Blue Iris\\server");

            if (server == null)
            {
                return;
            }
            enabled = RegistryUtil.GetStringValue(server, "enable") == "1";
            if (enabled)
            {
                try
                {
                    lanIp         = RegistryUtil.GetStringValue(server, "lanip");
                    bindLanIpOnly = RegistryUtil.GetStringValue(server, "bind") == "1";
                    port          = RegistryUtil.GetIntValue(server, "port", 80);
                    authenticate  = (AuthenticationMode)RegistryUtil.GetIntValue(server, "authenticate", 0);
                    secureonly    = RegistryUtil.GetStringValue(server, "secureonly") == "1";
                }
                catch
                {
                    enabled = false;
                }
            }
        }
        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            // ref - @_RastaMouse https://rastamouse.me/2018/09/enumerating-applocker-config/
            var    wmiData       = new ManagementObjectSearcher(@"root\cimv2", "SELECT Name, State FROM win32_service WHERE Name = 'AppIDSvc'");
            var    data          = wmiData.Get();
            string appIdSvcState = "Service not found";

            var rules = new List <string>();

            foreach (var o in data)
            {
                var result = (ManagementObject)o;
                appIdSvcState = result["State"].ToString();
            }

            var keys = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, "Software\\Policies\\Microsoft\\Windows\\SrpV2");

            if (keys != null && keys.Length != 0)
            {
                foreach (var key in keys)
                {
                    var keyName            = key;
                    var enforcementMode    = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, $"Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}", "EnforcementMode");
                    var enforcementModeStr = enforcementMode switch
                    {
                        null => "not configured",
                        0 => "Audit Mode",
                        1 => "Enforce Mode",
                        _ => $"Unknown value {enforcementMode}"
                    };

                    var ids = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, "Software\\Policies\\Microsoft\\Windows\\SrpV2\\" + key);

                    foreach (var id in ids)
                    {
                        var rule = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, $"Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}\\{id}", "Value");
                        rules.Add(rule);
                    }

                    yield return(new AppLockerDTO(
                                     configured: true,
                                     appIdSvcState,
                                     keyName,
                                     enforcementModeStr,
                                     rules
                                     ));
                }
            }
            else
            {
                yield return(new AppLockerDTO(
                                 configured: false,
                                 appIdSvcState,
                                 keyName: null,
                                 enforcementMode: null,
                                 rules: null
                                 ));
            }
        }
示例#4
0
        public string?GetStringValue(RegistryHive hive, string path, string value)
        {
            if (!string.IsNullOrEmpty(ComputerName))
            {
                return(RegistryUtil.GetStringValue(hive, path, value, wmiRegProv));
            }

            return(RegistryUtil.GetStringValue(hive, path, value));
        }
示例#5
0
 private string?GetServiceCommandFromRegistry(string serviceName)
 {
     try
     {
         return(RegistryUtil.GetStringValue(RegistryHive.LocalMachine, $"SYSTEM\\CurrentControlSet\\Services\\{serviceName}", "ImagePath"));
     }
     catch
     {
         return(null);
     }
 }
示例#6
0
 public UserInfo(RegistryKey key, string name)
 {
     this.name        = name;
     admin            = RegistryUtil.GetStringValue(key, "admin") == "1";
     password_encoded = RegistryUtil.GetStringValue(key, "password");
     selgroups        = RegistryUtil.GetStringValue(key, "selgroups");
     noalerts         = RegistryUtil.GetStringValue(key, "noalerts") == "1";
     lanonly          = RegistryUtil.GetStringValue(key, "lanonly") == "1";
     enabled          = RegistryUtil.GetStringValue(key, "enabled") == "1";
     usegroups        = RegistryUtil.GetStringValue(key, "usegroups") == "1";
 }
示例#7
0
        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            string chromeVersion = "";

            var chromePath = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, @"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "");

            if (chromePath != null)
            {
                chromeVersion = FileVersionInfo.GetVersionInfo(chromePath).ProductVersion;
            }

            var userFolder = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\Users\\";
            var dirs       = Directory.GetDirectories(userFolder);

            foreach (var dir in dirs)
            {
                if (dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") ||
                    dir.EndsWith("All Users"))
                {
                    continue;
                }

                var chromeBasePath = $"{dir}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\";
                if (!Directory.Exists(chromeBasePath))
                {
                    continue;
                }

                var history   = new DateTime();
                var cookies   = new DateTime();
                var loginData = new DateTime();

                var userChromeHistoryPath = $"{dir}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History";
                if (File.Exists(userChromeHistoryPath))
                {
                    history = File.GetLastWriteTime(userChromeHistoryPath);
                }

                var userChromeCookiesPath = $"{dir}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies";
                if (File.Exists(userChromeCookiesPath))
                {
                    cookies = File.GetLastWriteTime(userChromeCookiesPath);
                }

                var userChromeLoginDataPath = $"{dir}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data";
                if (File.Exists(userChromeLoginDataPath))
                {
                    loginData = File.GetLastWriteTime(userChromeLoginDataPath);
                }

                if (history != DateTime.MinValue || cookies != DateTime.MinValue || loginData != DateTime.MinValue)
                {
                    yield return(new ChromePresenceDTO(
                                     $"{dir}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\",
                                     history,
                                     cookies,
                                     loginData,
                                     chromeVersion
                                     ));
                }
            }
        }
示例#8
0
        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            var ProductName = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
            var EditionID   = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "EditionID");
            var ReleaseId   = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "ReleaseId");
            var BuildBranch = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "BuildBranch");
            var CurrentMajorVersionNumber = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentMajorVersionNumber");
            var CurrentVersion            = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion");

            var BuildNumber = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuildNumber");
            var UBR         = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "UBR");

            if (!string.IsNullOrEmpty(UBR))  // UBR is not on Win < 10
            {
                BuildNumber += ("." + UBR);
            }

            var isHighIntegrity = SecurityUtil.IsHighIntegrity();
            var isLocalAdmin    = SecurityUtil.IsLocalAdmin();

            var arch           = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
            var ProcessorCount = Environment.ProcessorCount.ToString();
            var isVM           = IsVirtualMachine();

            var now      = DateTime.UtcNow;
            var boot     = now - TimeSpan.FromMilliseconds(Environment.TickCount);
            var BootTime = boot + TimeSpan.FromMilliseconds(Environment.TickCount);

            var strHostName = Dns.GetHostName();
            var properties  = IPGlobalProperties.GetIPGlobalProperties();
            var dnsDomain   = properties.DomainName;

            var timeZone    = TimeZone.CurrentTimeZone;
            var cultureInfo = CultureInfo.InstalledUICulture;

            var machineGuid = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");

            yield return(new OSInfoDTO()
            {
                Hostname = strHostName,
                Domain = dnsDomain,
                Username = WindowsIdentity.GetCurrent().Name,
                ProductName = ProductName,
                EditionId = EditionID,
                ReleaseId = ReleaseId,
                Build = BuildNumber,
                BuildBranch = BuildBranch,
                CurrentMajorVersionNumber = CurrentMajorVersionNumber,
                CurrentVersion = CurrentVersion,
                Architecture = arch,
                ProcessorCount = ProcessorCount,
                IsVirtualMachine = isVM,
                BootTime = BootTime,
                IsHighIntegrity = isHighIntegrity,
                IsLocalAdmin = isLocalAdmin,
                Time = DateTime.Now,
                TimeZone = timeZone.StandardName,
                TimeZoneUtcOffset = timeZone.GetUtcOffset(DateTime.Now).ToString(),
                Locale = cultureInfo.ToString(),
                MachineGuid = machineGuid
            });
        }
示例#9
0
        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            string chromeVersion = "";

            if (!ThisRunTime.ISRemote())
            {
                // TODO: translate the chrome path to a UNC path
                var chromePath = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, @"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "");

                if (chromePath != null)
                {
                    chromeVersion = FileVersionInfo.GetVersionInfo(chromePath).ProductVersion;
                }
            }

            var dirs = ThisRunTime.GetDirectories("\\Users\\");

            foreach (var dir in dirs)
            {
                if (dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") ||
                    dir.EndsWith("All Users"))
                {
                    continue;
                }

                string[] paths =
                {
                    "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\",
                    "\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\",
                    "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\",
                    "\\AppData\\Roaming\\Opera Software\\Opera Stable\\"
                };

                foreach (string path in paths)
                {
                    var chromeBasePath = $"{dir}{path}";

                    if (!Directory.Exists(chromeBasePath))
                    {
                        continue;
                    }

                    var history   = new DateTime();
                    var cookies   = new DateTime();
                    var loginData = new DateTime();

                    var userChromeHistoryPath = $"{chromeBasePath}History";
                    if (File.Exists(userChromeHistoryPath))
                    {
                        history = File.GetLastWriteTime(userChromeHistoryPath);
                    }

                    var userChromeCookiesPath = $"{chromeBasePath}Cookies";
                    if (File.Exists(userChromeCookiesPath))
                    {
                        cookies = File.GetLastWriteTime(userChromeCookiesPath);
                    }

                    var userChromeLoginDataPath = $"{chromeBasePath}LoginData";
                    if (File.Exists(userChromeLoginDataPath))
                    {
                        loginData = File.GetLastWriteTime(userChromeLoginDataPath);
                    }

                    if (history != DateTime.MinValue || cookies != DateTime.MinValue || loginData != DateTime.MinValue)
                    {
                        yield return(new ChromiumPresenceDTO(
                                         $"{chromeBasePath}",
                                         history,
                                         cookies,
                                         loginData,
                                         chromeVersion
                                         ));
                    }
                }
            }
        }
        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            var ProductName = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
            var EditionID   = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "EditionID");
            var ReleaseId   = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "ReleaseId");
            var BuildBranch = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "BuildBranch");
            var CurrentMajorVersionNumber = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentMajorVersionNumber");
            var CurrentVersion            = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion");

            var BuildNumber = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuildNumber");
            var UBR         = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "UBR");

            if (!string.IsNullOrEmpty(UBR))  // UBR is not on Win < 10
            {
                BuildNumber += ("." + UBR);
            }

            var isHighIntegrity = SecurityUtil.IsHighIntegrity();
            var isLocalAdmin    = SecurityUtil.IsLocalAdmin();

            var arch           = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
            var ProcessorCount = Environment.ProcessorCount.ToString();
            var isVM           = IsVirtualMachine();

            var now         = DateTime.UtcNow;
            var bootTimeUtc = now - TimeSpan.FromMilliseconds(Environment.TickCount);

            var strHostName = Dns.GetHostName();
            var properties  = IPGlobalProperties.GetIPGlobalProperties();
            var dnsDomain   = properties.DomainName;

            var timeZone      = TimeZone.CurrentTimeZone;
            var cultureInfo   = CultureInfo.InstalledUICulture;
            var inputLanguage = InputLanguage.CurrentInputLanguage.LayoutName;

            var installedInputLanguages = new List <string>();

            foreach (InputLanguage l in InputLanguage.InstalledInputLanguages)
            {
                installedInputLanguages.Add(l.LayoutName);
            }

            var machineGuid = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");


            yield return(new OSInfoDTO(
                             strHostName,
                             dnsDomain,
                             WindowsIdentity.GetCurrent().Name,
                             ProductName,
                             EditionID,
                             ReleaseId,
                             BuildNumber,
                             BuildBranch,
                             CurrentMajorVersionNumber,
                             CurrentVersion,
                             arch,
                             ProcessorCount,
                             isVM,
                             bootTimeUtc,
                             isHighIntegrity,
                             isLocalAdmin,
                             DateTime.UtcNow,
                             timeZone.StandardName,
                             timeZone.GetUtcOffset(DateTime.Now).ToString(),
                             cultureInfo.ToString(),
                             inputLanguage,
                             installedInputLanguages.ToArray(),
                             machineGuid
                             ));
        }
示例#11
0
        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            var ProductName = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
            var EditionID   = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "EditionID");
            var ReleaseId   = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "ReleaseId");
            var BuildBranch = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "BuildBranch");
            var CurrentMajorVersionNumber = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentMajorVersionNumber");
            var CurrentVersion            = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion");

            var BuildNumber = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuildNumber");
            var UBR         = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "Software\\Microsoft\\Windows NT\\CurrentVersion", "UBR");

            if (!string.IsNullOrEmpty(UBR))  // UBR is not on Win < 10
            {
                BuildNumber += ("." + UBR);
            }

            if (ThisRunTime.ISRemote())
            {
                var isHighIntegrity = true;
                var isLocalAdmin    = true;

                var arch           = ThisRunTime.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
                var ProcessorCount = ThisRunTime.GetEnvironmentVariable("NUMBER_OF_PROCESSORS");
                var isVM           = IsVirtualMachine();

                var bootTimeUtc = new DateTime();

                var strHostName = ThisRunTime.ComputerName;

                var domain  = "";
                var wmiData = ThisRunTime.GetManagementObjectSearcher(@"root\cimv2", "Select Domain from Win32_ComputerSystem");
                var data    = wmiData.Get();
                foreach (var o in data)
                {
                    var result = (ManagementObject)o;
                    domain = result["Domain"].ToString();
                }

                var machineGuid = ThisRunTime.GetStringValue(RegistryHive.LocalMachine, "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");
                var temp        = new string[0];

                yield return(new OSInfoDTO(
                                 strHostName,
                                 domain,
                                 "",
                                 ProductName,
                                 EditionID,
                                 ReleaseId,
                                 BuildNumber,
                                 BuildBranch,
                                 CurrentMajorVersionNumber.ToString(),
                                 CurrentVersion,
                                 arch,
                                 ProcessorCount,
                                 isVM,
                                 bootTimeUtc,
                                 isHighIntegrity,
                                 isLocalAdmin,
                                 DateTime.UtcNow,
                                 null,
                                 null,
                                 null,
                                 null,
                                 temp,
                                 machineGuid
                                 ));
            }
            else
            {
                var isHighIntegrity = SecurityUtil.IsHighIntegrity();
                var isLocalAdmin    = SecurityUtil.IsLocalAdmin();

                var arch           = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
                var ProcessorCount = Environment.ProcessorCount.ToString();
                var isVM           = IsVirtualMachine();

                var now         = DateTime.UtcNow;
                var bootTimeUtc = now - TimeSpan.FromMilliseconds(Environment.TickCount);

                var strHostName = Dns.GetHostName();
                var properties  = IPGlobalProperties.GetIPGlobalProperties();
                var dnsDomain   = properties.DomainName;

                var timeZone      = TimeZone.CurrentTimeZone;
                var cultureInfo   = CultureInfo.InstalledUICulture;
                var inputLanguage = InputLanguage.CurrentInputLanguage.LayoutName;

                var installedInputLanguages = new List <string>();
                foreach (InputLanguage l in InputLanguage.InstalledInputLanguages)
                {
                    installedInputLanguages.Add(l.LayoutName);
                }

                var machineGuid = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");


                yield return(new OSInfoDTO(
                                 strHostName,
                                 dnsDomain,
                                 WindowsIdentity.GetCurrent().Name,
                                 ProductName,
                                 EditionID,
                                 ReleaseId,
                                 BuildNumber,
                                 BuildBranch,
                                 CurrentMajorVersionNumber.ToString(),
                                 CurrentVersion,
                                 arch,
                                 ProcessorCount,
                                 isVM,
                                 bootTimeUtc,
                                 isHighIntegrity,
                                 isLocalAdmin,
                                 DateTime.UtcNow,
                                 timeZone.StandardName,
                                 timeZone.GetUtcOffset(DateTime.Now).ToString(),
                                 cultureInfo.ToString(),
                                 inputLanguage,
                                 installedInputLanguages.ToArray(),
                                 machineGuid
                                 ));
            }
        }