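        /// <summary>
        /// Handles a WMI change event for HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
        /// Every value name not yet tracked in <c>localMachineReg</c> is logged, classified and
        /// reported through <c>addRegistry</c>; tracked names that have vanished from the key
        /// are dropped and reported through <c>removedEntry</c>.
        /// </summary>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="e">WMI event data; not used, the key is re-read in full.</param>
        private void localMachineEvent(object sender, EventArrivedEventArgs e)
        {
            Console.WriteLine("Event");

            // Dispose the key handle when done; the original never closed it.
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run"))
            {
                // OpenSubKey returns null when the key is missing or not readable. The original
                // dereferenced it unconditionally; bail out without touching the tracked set so
                // a transient open failure is not reported as a mass removal of entries.
                if (key == null)
                {
                    return;
                }

                // Enumerate once; the original re-read the value names for every tracked entry.
                string[] names = key.GetValueNames();

                foreach (string v in names)
                {
                    if (localMachineReg.ContainsKey(v))
                    {
                        continue;
                    }

                    Console.WriteLine("New Entry");
                    // Convert.ToString maps a null value to "" so a vanished value is harmless.
                    string value = Convert.ToString(key.GetValue(v));

                    builder.Clear();
                    // Trailing separator added so the logged path reads "...Run\<name>" like the
                    // HKCU handler and evt.Path below, instead of "...Run<name>".
                    builder.Append("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\");
                    builder.Append(v);
                    builder.Append(" - ");
                    builder.Append(value);

                    // Windows paths are case-insensitive, so ".VBS" must match as well as ".vbs".
                    string detect = value.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0
                        ? "System Persistence"
                        : "New Startup Item";

                    RegistryKeyObject evt = new RegistryKeyObject();
                    evt.Key       = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                    evt.KeyName   = v;
                    evt.Detection = "Persistence";
                    evt.KeyType   = "System Startup";
                    evt.Path      = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + v;
                    addRegistry(this, evt);

                    // Read the clock once so date and time cannot straddle midnight.
                    DateTime now = DateTime.Now;
                    string date = now.ToShortDateString() + " " + now.ToShortTimeString();
                    w.write(date, builder.ToString(), detect);

                    localMachineReg.Add(v, value);
                }

                // Names we track that no longer exist under the key; a set makes the check O(1).
                HashSet<string> present = new HashSet<string>(names);
                List<string> toremove = new List<string>();

                foreach (string val in localMachineReg.Keys)
                {
                    if (!present.Contains(val))
                    {
                        toremove.Add(val);
                    }
                }

                foreach (string val in toremove)
                {
                    localMachineReg.Remove(val);
                    removedEntry(this, val);
                }
            }
        }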
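        /// <summary>
        /// Handles a WMI change event for HKLM\System\CurrentControlSet\services. Each service
        /// not yet tracked in <c>serviceReg</c> is recorded; if its ImagePath looks like a
        /// cscript-launched .vbs or references metsvc it is logged and reported through
        /// <c>addRegistry</c>. Tracked services that have vanished are dropped and reported
        /// through <c>removedEntry</c>.
        /// </summary>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="e">WMI event data; not used, the services key is re-read in full.</param>
        private void serviceEvent(object sender, EventArrivedEventArgs e)
        {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services"))
            {
                // Null when the key cannot be opened; the original dereferenced it blindly.
                if (key == null)
                {
                    return;
                }

                string[] names = key.GetSubKeyNames();

                foreach (string s in names)
                {
                    if (serviceReg.ContainsKey(s))
                    {
                        continue;
                    }

                    // ImagePath is absent on some services, and the subkey itself may be
                    // unreadable or already deleted, so path may legitimately be null here.
                    string path = null;
                    using (RegistryKey temp = key.OpenSubKey(s))
                    {
                        if (temp != null)
                        {
                            path = temp.GetValue("ImagePath") as string;
                        }
                    }

                    // Track the service even without an ImagePath so its removal is still noticed.
                    serviceReg.Add(s, path);

                    if (path == null)
                    {
                        continue; // the original threw NullReferenceException on path.Contains
                    }

                    // Ordinal, case-insensitive: the registry and Windows paths are case-insensitive.
                    bool scriptLoader = path.IndexOf("cscript", StringComparison.OrdinalIgnoreCase) >= 0
                                     && path.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0;
                    bool metsvc       = path.IndexOf("metsvc", StringComparison.OrdinalIgnoreCase) >= 0;

                    string logLabel;
                    string detection;
                    if (scriptLoader)
                    {
                        logLabel  = "Meterpreter Persistence Service";
                        detection = "Persistence";
                    }
                    else if (metsvc)
                    {
                        logLabel  = "Metsvc Registry Entry";
                        detection = "Metsvc";
                    }
                    else
                    {
                        continue;
                    }

                    builder.Clear();
                    builder.Append("HKLM\\System\\CurrentControlSet\\services\\");
                    builder.Append(s);
                    builder.Append(" - ");
                    builder.Append(path);

                    DateTime now = DateTime.Now;
                    string date = now.ToShortDateString() + " " + now.ToShortTimeString();
                    w.write(date, builder.ToString(), logLabel);

                    RegistryKeyObject evt = new RegistryKeyObject();
                    evt.Key       = "HKLM\\System\\CurrentControlSet\\services";
                    evt.KeyName   = s;
                    evt.Detection = detection;
                    evt.KeyType   = "Service";
                    evt.Path      = "HKLM\\System\\CurrentControlSet\\services\\" + s;
                    addRegistry(this, evt);
                }

                // A set makes the "still present" check O(1) instead of a List scan per entry.
                HashSet<string> present = new HashSet<string>(names);
                List<string> toremove = new List<string>();

                foreach (string s in serviceReg.Keys)
                {
                    if (!present.Contains(s))
                    {
                        toremove.Add(s);
                    }
                }

                foreach (string s in toremove)
                {
                    serviceReg.Remove(s);
                    removedEntry(this, s);
                }
            }
        }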
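        /// <summary>
        /// Handles a WMI change event for HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
        /// Value names not yet tracked in <c>currentUserReg</c> are logged, classified and
        /// reported through <c>addRegistry</c>; tracked names that have disappeared are dropped
        /// and reported through <c>removedEntry</c>.
        /// </summary>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="e">WMI event data; not used, the key is re-read in full.</param>
        private void currentUserEvent(object sender, EventArrivedEventArgs e)
        {
            // The handle is released on exit; the original left it open.
            using (RegistryKey key = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run"))
            {
                // A missing or unreadable key yields null. Return without modifying the
                // tracked set so nothing is falsely reported as removed.
                if (key == null)
                {
                    return;
                }

                // Single enumeration, reused for the removal pass below.
                string[] names = key.GetValueNames();

                foreach (string v in names)
                {
                    if (currentUserReg.ContainsKey(v))
                    {
                        continue;
                    }

                    // Null value data becomes "" via Convert.ToString.
                    string value = Convert.ToString(key.GetValue(v));

                    builder.Clear();
                    builder.Append("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\");
                    builder.Append(v);
                    builder.Append(" - ");
                    builder.Append(value);

                    // Case-insensitive so a ".VBS" extension is classified the same as ".vbs".
                    string detect = value.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0
                        ? "User Persistence"
                        : "New Startup Item";

                    RegistryKeyObject evt = new RegistryKeyObject();
                    evt.Key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
                    evt.KeyName = v;
                    evt.Detection = "Persistence";
                    evt.KeyType = "User Startup";
                    evt.Path = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + v;
                    addRegistry(this, evt);

                    DateTime now = DateTime.Now;
                    string date = now.ToShortDateString() + " " + now.ToShortTimeString();
                    w.write(date, builder.ToString(), detect);

                    currentUserReg.Add(v, value);
                }

                // Tracked names no longer present under the key.
                HashSet<string> present = new HashSet<string>(names);
                List<string> toremove = new List<string>();

                foreach (string val in currentUserReg.Keys)
                {
                    if (!present.Contains(val))
                    {
                        toremove.Add(val);
                    }
                }

                foreach (string val in toremove)
                {
                    currentUserReg.Remove(val);
                    removedEntry(this, val);
                }
            }
        }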
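        /// <summary>
        /// Handles a WMI change event for HKLM\System\CurrentControlSet\services. Newly seen
        /// services are added to <c>serviceReg</c>; those whose ImagePath names a cscript-run
        /// .vbs or metsvc are logged and reported through <c>addRegistry</c>. Services that
        /// have disappeared are dropped from <c>serviceReg</c> and reported via <c>removedEntry</c>.
        /// </summary>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="e">WMI event data; not used, the services key is re-read in full.</param>
        private void serviceEvent(object sender, EventArrivedEventArgs e)
        {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services"))
            {
                // OpenSubKey returns null when the key cannot be opened; guard before use.
                if (key == null)
                {
                    return;
                }

                string[] serviceNames = key.GetSubKeyNames();

                foreach (string s in serviceNames)
                {
                    if (serviceReg.ContainsKey(s))
                    {
                        continue;
                    }

                    // ImagePath may be missing, non-string, or the subkey may be unreadable
                    // or deleted between enumeration and open; all of those leave path null.
                    string path = null;
                    using (RegistryKey temp = key.OpenSubKey(s))
                    {
                        if (temp != null)
                        {
                            path = temp.GetValue("ImagePath") as string;
                        }
                    }

                    // Record the service regardless so a later removal is still reported.
                    serviceReg.Add(s, path);

                    if (path == null)
                    {
                        continue; // original called path.Contains here and crashed on null
                    }

                    // Case-insensitive matching: the registry and Windows paths ignore case.
                    bool scriptLoader = path.IndexOf("cscript", StringComparison.OrdinalIgnoreCase) >= 0
                                     && path.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0;
                    bool metsvc       = path.IndexOf("metsvc", StringComparison.OrdinalIgnoreCase) >= 0;

                    string logLabel;
                    string detection;
                    if (scriptLoader)
                    {
                        logLabel = "Meterpreter Persistence Service";
                        detection = "Persistence";
                    }
                    else if (metsvc)
                    {
                        logLabel = "Metsvc Registry Entry";
                        detection = "Metsvc";
                    }
                    else
                    {
                        continue;
                    }

                    builder.Clear();
                    builder.Append("HKLM\\System\\CurrentControlSet\\services\\");
                    builder.Append(s);
                    builder.Append(" - ");
                    builder.Append(path);

                    DateTime now = DateTime.Now;
                    string date = now.ToShortDateString() + " " + now.ToShortTimeString();
                    w.write(date, builder.ToString(), logLabel);

                    RegistryKeyObject evt = new RegistryKeyObject();
                    evt.Key = "HKLM\\System\\CurrentControlSet\\services";
                    evt.KeyName = s;
                    evt.Detection = detection;
                    evt.KeyType = "Service";
                    evt.Path = "HKLM\\System\\CurrentControlSet\\services\\" + s;
                    addRegistry(this, evt);
                }

                // O(1) membership instead of List.Contains inside the loop.
                HashSet<string> present = new HashSet<string>(serviceNames);
                List<string> toremove = new List<string>();

                foreach (string s in serviceReg.Keys)
                {
                    if (!present.Contains(s))
                    {
                        toremove.Add(s);
                    }
                }

                foreach (string s in toremove)
                {
                    serviceReg.Remove(s);
                    removedEntry(this, s);
                }
            }
        }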
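        /// <summary>
        /// Initializes various important parts of the GUI for first view: wires up the process
        /// tree and refresh timer, reloads the persisted event log into <c>evtLogList</c>, and
        /// seeds <c>registryListView</c> with the Run-key values and services that look like
        /// script-based persistence.
        /// </summary>
        private void initializeGui()
        {
            processTreeView.CanExpandGetter = delegate(object x)
            {
                // Only process rows that carry a connection list can be expanded.
                ProcessListObject t = x as ProcessListObject;
                return t != null && t.Connections != null;
            };

            processTreeView.ChildrenGetter = delegate(object x)
            {
                ProcessListObject t = (ProcessListObject)x;
                return t.Connections;
            };

            timer = new Timer();
            timer.Interval = 1000;
            timer.Tick += t_Tick;

            processTreeView.FullRowSelect = true;
            processTreeView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
            processTreeView.Expanded += processTreeView_Expanded;

            //Read our current output file in so we have our previous events in our event log
            string path = Path.Combine(Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location), "output.txt");
            eventLogEntries = loadEventLogEntries(path);

            evtLogList.ShowGroups = false;
            evtLogList.EmptyListMsg = "No Events Found";
            evtLogList.FullRowSelect = true;
            evtLogList.SetObjects(eventLogEntries);
            if (eventLogEntries.Count > 0)
            {
                evtLogList.EnsureVisible(evtLogList.Items.Count - 1);
                evtLogList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
            }
            else
            {
                evtLogList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
            }

            //Open our registry keys and enumerate entries that we are fairly positive are persistence entries.
            // Each key is disposed after its scan; a key that cannot be opened (null) is skipped.
            List<RegistryKeyObject> objects = new List<RegistryKeyObject>();

            using (RegistryKey key = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run"))
            {
                collectRunKeyPersistence(key, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "User Startup", objects);
            }

            using (RegistryKey key = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run"))
            {
                collectRunKeyPersistence(key, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "System Startup", objects);
            }

            //Open services and look for persistence
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services"))
            {
                collectServicePersistence(key, objects);
            }

            registryListView.FullRowSelect = true;
            registryListView.EmptyListMsg = "No Registry Keys Found";
            registryListView.ShowGroups = false;
            registryListView.SetObjects(objects);
            if (objects.Count == 0)
                registryListView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
            else
                registryListView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
        }

        /// <summary>
        /// Reads the event log file back into memory. Each line is expected in the
        /// "(group1) group2 [group3]" shape the regex describes; lines that do not match
        /// (blank or truncated) are skipped, where the original produced an entry with three
        /// empty fields for each of them.
        /// </summary>
        /// <param name="path">Full path of the output file; a missing file yields an empty list.</param>
        /// <returns>Parsed entries in file order, never null.</returns>
        private static List<APEventLogEntry> loadEventLogEntries(string path)
        {
            List<APEventLogEntry> entries = new List<APEventLogEntry>();
            if (!File.Exists(path))
            {
                return entries;
            }

            // Built once instead of re-parsed per line.
            Regex lineFormat = new Regex("\\((.*)\\) (.*) \\[(.*)\\]");
            foreach (string line in File.ReadAllLines(path))
            {
                Match m = lineFormat.Match(line);
                if (!m.Success)
                {
                    continue;
                }
                entries.Add(new APEventLogEntry(m.Groups[1].Value, m.Groups[2].Value, m.Groups[3].Value));
            }
            return entries;
        }

        /// <summary>
        /// Adds one <c>RegistryKeyObject</c> per value under a Run key whose string data mentions
        /// a .vbs script. Matching is case-insensitive because Windows paths are.
        /// </summary>
        /// <param name="key">Opened Run key, or null if it could not be opened (nothing is added).</param>
        /// <param name="keyPath">Display path of the key, including the trailing separator.</param>
        /// <param name="keyType">KeyType label, e.g. "User Startup".</param>
        /// <param name="into">List that receives the matches.</param>
        private static void collectRunKeyPersistence(RegistryKey key, string keyPath, string keyType, List<RegistryKeyObject> into)
        {
            if (key == null)
            {
                return;
            }

            foreach (string s in key.GetValueNames())
            {
                // Non-string data (REG_BINARY, REG_DWORD, REG_MULTI_SZ) or a value deleted
                // mid-scan gives null; the original HKCU loop dereferenced it unconditionally.
                string val = key.GetValue(s) as string;
                if (val == null || val.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) < 0)
                {
                    continue;
                }

                RegistryKeyObject temp = new RegistryKeyObject();
                temp.Detection = "Persistence";
                temp.KeyName = s;
                temp.KeyType = keyType;
                temp.Path = keyPath + s;
                temp.Key = keyPath;
                into.Add(temp);
            }
        }

        /// <summary>
        /// Adds one <c>RegistryKeyObject</c> per service whose ImagePath names a cscript-launched
        /// .vbs (Detection "Persistence") or references metsvc (Detection "MetSvc").
        /// </summary>
        /// <param name="servicesKey">Opened services key, or null if it could not be opened (nothing is added).</param>
        /// <param name="into">List that receives the matches.</param>
        private static void collectServicePersistence(RegistryKey servicesKey, List<RegistryKeyObject> into)
        {
            if (servicesKey == null)
            {
                return;
            }

            foreach (string s in servicesKey.GetSubKeyNames())
            {
                // The subkey may be unreadable or gone by the time we open it, and ImagePath
                // is absent on some services; either way p stays null and the entry is skipped.
                string p = null;
                using (RegistryKey t = servicesKey.OpenSubKey(s))
                {
                    if (t != null)
                    {
                        p = t.GetValue("ImagePath") as string;
                    }
                }
                if (p == null)
                {
                    continue;
                }

                string detection;
                if (p.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0
                    && p.IndexOf("cscript", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    detection = "Persistence";
                }
                else if (p.IndexOf("metsvc", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    detection = "MetSvc";
                }
                else
                {
                    continue;
                }

                RegistryKeyObject temp = new RegistryKeyObject();
                temp.Detection = detection;
                temp.KeyName = s;
                temp.KeyType = "Service";
                temp.Path = "HKLM\\System\\CurrentControlSet\\services\\" + s;
                temp.Key = "HKLM\\System\\CurrentControlSet\\services\\";
                into.Add(temp);
            }
        }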
 /// <summary>
 /// Adds a registry entry to the registry list, marshalling the call onto the list
 /// view's UI thread first when raised from the watcher thread.
 /// </summary>
 /// <param name="sender">The sending object</param>
 /// <param name="e">Encapsulating Object to store our data</param>
 void regwatch_addRegistry(object sender, RegistryKeyObject e)
 {
     // Cross-thread call: re-enter this method on the control's thread and stop here.
     if (registryListView.InvokeRequired)
     {
         UpdateRegistryCallback callback = new UpdateRegistryCallback(regwatch_addRegistry);
         registryListView.Invoke(callback, new object[] { sender, e });
         return;
     }

     registryListView.AddObject(e);
     registryListView.AutoResizeColumns();
 }