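/// <summary>
/// WMI registry-change callback for HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
/// Diffs the key's current value names against <c>localMachineReg</c>: every value not seen
/// before is logged via <c>w.write</c>, surfaced to the registry list via <c>addRegistry</c>
/// and remembered; every remembered value that has disappeared is forgotten and announced
/// via <c>removedEntry</c>.
/// </summary>
/// <param name="sender">Ignored; the WMI watcher that raised the event.</param>
/// <param name="e">Ignored; the key is re-enumerated rather than read from the event payload.</param>
private void localMachineEvent(object sender, EventArrivedEventArgs e)
{
    Console.WriteLine("Event");
    const string runKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    const string runKeyDisplay = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";

    // OpenSubKey returns null when the key does not exist (the original dereferenced it
    // unguarded), and RegistryKey is IDisposable, so scope the handle with using.
    using (RegistryKey key = Registry.LocalMachine.OpenSubKey(runKey))
    {
        if (key == null)
        {
            return;
        }

        // Snapshot the value names once; the original re-read the key for every tracked
        // entry in the removal pass below.
        string[] valueNames = key.GetValueNames();
        foreach (string v in valueNames)
        {
            if (localMachineReg.ContainsKey(v))
            {
                continue;
            }
            Console.WriteLine("New Entry");
            string value = Convert.ToString(key.GetValue(v));

            builder.Clear();
            // The original omitted the trailing '\' here, unlike the HKCU handler and evt.Path.
            builder.Append(runKeyDisplay);
            builder.Append(v);
            builder.Append(" - ");
            builder.Append(value);

            // Windows paths and extensions are case-insensitive, so a case-sensitive ".vbs"
            // match was trivially bypassed by ".VBS". Still only a heuristic for script-based
            // persistence; other script hosts are not classified here.
            string detect = value.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0
                ? "System Persistence"
                : "New Startup Item";

            // NOTE(review): every new value is surfaced to the registry list as "Persistence",
            // even when the log line says "New Startup Item" (the first-view scan in
            // initializeGui only lists .vbs values). Kept as in the original; confirm intended.
            RegistryKeyObject evt = new RegistryKeyObject();
            evt.Key = runKeyDisplay;
            evt.KeyName = v;
            evt.Detection = "Persistence";
            evt.KeyType = "System Startup";
            evt.Path = runKeyDisplay + v;
            addRegistry(this, evt);

            string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();
            w.write(date, builder.ToString(), detect);
            // Recorded last, as in the original: if logging throws the value is reported again next event.
            localMachineReg.Add(v, value);
        }

        // Values we track that are no longer present under the key.
        HashSet<string> present = new HashSet<string>(valueNames, StringComparer.Ordinal);
        List<string> toremove = new List<string>();
        foreach (string val in localMachineReg.Keys)
        {
            if (!present.Contains(val))
            {
                toremove.Add(val);
            }
        }
        foreach (string val in toremove)
        {
            localMachineReg.Remove(val);
            removedEntry(this, val);
        }
    }
}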
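/// <summary>
/// WMI registry-change callback for HKLM\System\CurrentControlSet\services. Every subkey is
/// recorded in <c>serviceReg</c> (name -> ImagePath, which may be null); subkeys not seen before
/// are logged and surfaced when their ImagePath matches one of the two shapes this tool knows:
/// a cscript-launched .vbs, or anything mentioning "metsvc". Subkeys that have vanished are
/// dropped from <c>serviceReg</c> and announced via <c>removedEntry</c>.
/// </summary>
/// <param name="sender">Ignored; the WMI watcher that raised the event.</param>
/// <param name="e">Ignored; the services key is re-enumerated rather than read from the event payload.</param>
private void serviceEvent(object sender, EventArrivedEventArgs e)
{
    const string servicesKey = "System\\CurrentControlSet\\services";
    const string servicesDisplay = "HKLM\\System\\CurrentControlSet\\services";

    // OpenSubKey returns null when the key is absent; RegistryKey is IDisposable.
    using (RegistryKey key = Registry.LocalMachine.OpenSubKey(servicesKey))
    {
        if (key == null)
        {
            return;
        }

        // Ordinal set rather than List.Contains: the removal pass below was O(n^2) over
        // several hundred service subkeys.
        HashSet<string> keys = new HashSet<string>(StringComparer.Ordinal);
        foreach (string s in key.GetSubKeyNames())
        {
            // Mark the subkey as present before trying to open it, so a subkey we cannot
            // read is not mistaken for a removed one.
            keys.Add(s);

            string path;
            try
            {
                using (RegistryKey temp = key.OpenSubKey(s))
                {
                    // Null if the subkey vanished between enumeration and open.
                    path = temp == null ? null : temp.GetValue("ImagePath") as string;
                }
            }
            catch (System.Security.SecurityException)
            {
                // ACL-protected service keys can refuse reads; skip rather than abort the scan.
                continue;
            }

            if (serviceReg.ContainsKey(s))
            {
                continue;
            }
            serviceReg.Add(s, path);

            // Many service subkeys (performance-counter and driver-group entries) carry no
            // ImagePath; the original called path.Contains on null and threw. The entry is
            // still recorded above so removal tracking stays consistent.
            if (path == null)
            {
                continue;
            }

            // Registry data and Windows paths are case-insensitive; a case-sensitive match was
            // bypassed by "CSCRIPT", ".VBS" or "MetSvc". The cscript+.vbs shape wins when both match.
            bool scriptService = path.IndexOf("cscript", StringComparison.OrdinalIgnoreCase) >= 0
                && path.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0;
            bool metsvc = path.IndexOf("metsvc", StringComparison.OrdinalIgnoreCase) >= 0;
            if (!scriptService && !metsvc)
            {
                continue;
            }

            builder.Clear();
            builder.Append(servicesDisplay);
            builder.Append("\\");
            builder.Append(s);
            builder.Append(" - ");
            builder.Append(path);
            string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();
            w.write(date, builder.ToString(), scriptService ? "Meterpreter Persistence Service" : "Metsvc Registry Entry");

            RegistryKeyObject evt = new RegistryKeyObject();
            evt.Key = servicesDisplay;
            evt.KeyName = s;
            evt.Detection = scriptService ? "Persistence" : "Metsvc";
            evt.KeyType = "Service";
            evt.Path = servicesDisplay + "\\" + s;
            addRegistry(this, evt);
        }

        // Entries we track that no longer exist under the services key.
        List<string> toremove = new List<string>();
        foreach (string s in serviceReg.Keys)
        {
            if (!keys.Contains(s))
            {
                toremove.Add(s);
            }
        }
        foreach (string s in toremove)
        {
            serviceReg.Remove(s);
            removedEntry(this, s);
        }
    }
}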
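/// <summary>
/// WMI registry-change callback for HKCU\Software\Microsoft\Windows\CurrentVersion\Run, the
/// per-user twin of localMachineEvent. Values not yet in <c>currentUserReg</c> are logged via
/// <c>w.write</c>, surfaced via <c>addRegistry</c> and remembered; remembered values that have
/// disappeared are forgotten and announced via <c>removedEntry</c>.
/// </summary>
/// <param name="sender">Ignored; the WMI watcher that raised the event.</param>
/// <param name="e">Ignored; the key is re-enumerated rather than read from the event payload.</param>
private void currentUserEvent(object sender, EventArrivedEventArgs e)
{
    const string runKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    const string runKeyDisplay = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";

    // OpenSubKey returns null when the key does not exist (the original dereferenced it
    // unguarded), and RegistryKey is IDisposable, so scope the handle with using.
    using (RegistryKey key = Registry.CurrentUser.OpenSubKey(runKey))
    {
        if (key == null)
        {
            return;
        }

        // Snapshot the value names once; the original re-read the key for every tracked
        // entry in the removal pass below.
        string[] valueNames = key.GetValueNames();
        foreach (string v in valueNames)
        {
            if (currentUserReg.ContainsKey(v))
            {
                continue;
            }
            string value = Convert.ToString(key.GetValue(v));

            builder.Clear();
            builder.Append(runKeyDisplay);
            builder.Append(v);
            builder.Append(" - ");
            builder.Append(value);

            // Windows paths and extensions are case-insensitive, so a case-sensitive ".vbs"
            // match was trivially bypassed by ".VBS". Still only a heuristic for script-based
            // persistence; other script hosts are not classified here.
            string detect = value.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0
                ? "User Persistence"
                : "New Startup Item";

            // NOTE(review): every new value is surfaced to the registry list as "Persistence",
            // even when the log line says "New Startup Item". Kept as in the original; confirm intended.
            RegistryKeyObject evt = new RegistryKeyObject();
            evt.Key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
            evt.KeyName = v;
            evt.Detection = "Persistence";
            evt.KeyType = "User Startup";
            evt.Path = runKeyDisplay + v;
            addRegistry(this, evt);

            string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();
            w.write(date, builder.ToString(), detect);
            // Recorded last, as in the original: if logging throws the value is reported again next event.
            currentUserReg.Add(v, value);
        }

        // Values we track that are no longer present under the key.
        HashSet<string> present = new HashSet<string>(valueNames, StringComparer.Ordinal);
        List<string> toremove = new List<string>();
        foreach (string val in currentUserReg.Keys)
        {
            if (!present.Contains(val))
            {
                toremove.Add(val);
            }
        }
        foreach (string val in toremove)
        {
            currentUserReg.Remove(val);
            removedEntry(this, val);
        }
    }
}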
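/// <summary>
/// WMI registry-change callback for HKLM\System\CurrentControlSet\services. Every subkey is
/// recorded in <c>serviceReg</c> (name -> ImagePath, which may be null); subkeys not seen before
/// are logged and surfaced when their ImagePath matches one of the two shapes this tool knows:
/// a cscript-launched .vbs, or anything mentioning "metsvc". Subkeys that have vanished are
/// dropped from <c>serviceReg</c> and announced via <c>removedEntry</c>.
/// </summary>
/// <param name="sender">Ignored; the WMI watcher that raised the event.</param>
/// <param name="e">Ignored; the services key is re-enumerated rather than read from the event payload.</param>
private void serviceEvent(object sender, EventArrivedEventArgs e)
{
    const string servicesKey = "System\\CurrentControlSet\\services";
    const string servicesDisplay = "HKLM\\System\\CurrentControlSet\\services";

    // OpenSubKey returns null when the key is absent; RegistryKey is IDisposable.
    using (RegistryKey key = Registry.LocalMachine.OpenSubKey(servicesKey))
    {
        if (key == null)
        {
            return;
        }

        // Ordinal set rather than List.Contains: the removal pass below was O(n^2) over
        // several hundred service subkeys.
        HashSet<string> keys = new HashSet<string>(StringComparer.Ordinal);
        foreach (string s in key.GetSubKeyNames())
        {
            // Mark the subkey as present before trying to open it, so a subkey we cannot
            // read is not mistaken for a removed one.
            keys.Add(s);

            string path;
            try
            {
                using (RegistryKey temp = key.OpenSubKey(s))
                {
                    // Null if the subkey vanished between enumeration and open.
                    path = temp == null ? null : temp.GetValue("ImagePath") as string;
                }
            }
            catch (System.Security.SecurityException)
            {
                // ACL-protected service keys can refuse reads; skip rather than abort the scan.
                continue;
            }

            if (serviceReg.ContainsKey(s))
            {
                continue;
            }
            serviceReg.Add(s, path);

            // Many service subkeys (performance-counter and driver-group entries) carry no
            // ImagePath; the original called path.Contains on null and threw. The entry is
            // still recorded above so removal tracking stays consistent.
            if (path == null)
            {
                continue;
            }

            // Registry data and Windows paths are case-insensitive; a case-sensitive match was
            // bypassed by "CSCRIPT", ".VBS" or "MetSvc". The cscript+.vbs shape wins when both match.
            bool scriptService = path.IndexOf("cscript", StringComparison.OrdinalIgnoreCase) >= 0
                && path.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0;
            bool metsvc = path.IndexOf("metsvc", StringComparison.OrdinalIgnoreCase) >= 0;
            if (!scriptService && !metsvc)
            {
                continue;
            }

            builder.Clear();
            builder.Append(servicesDisplay);
            builder.Append("\\");
            builder.Append(s);
            builder.Append(" - ");
            builder.Append(path);
            string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();
            w.write(date, builder.ToString(), scriptService ? "Meterpreter Persistence Service" : "Metsvc Registry Entry");

            RegistryKeyObject evt = new RegistryKeyObject();
            evt.Key = servicesDisplay;
            evt.KeyName = s;
            evt.Detection = scriptService ? "Persistence" : "Metsvc";
            evt.KeyType = "Service";
            evt.Path = servicesDisplay + "\\" + s;
            addRegistry(this, evt);
        }

        // Entries we track that no longer exist under the services key.
        List<string> toremove = new List<string>();
        foreach (string s in serviceReg.Keys)
        {
            if (!keys.Contains(s))
            {
                toremove.Add(s);
            }
        }
        foreach (string s in toremove)
        {
            serviceReg.Remove(s);
            removedEntry(this, s);
        }
    }
}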
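/// <summary>
/// Initializes various important parts of the GUI for first view: wires the process tree's
/// expand/children callbacks, prepares (but does not start) the 1 s refresh timer, reloads the
/// on-disk event log (output.txt beside the executable) into the event list, and seeds the
/// registry list with the Run-key values and services this tool treats as likely persistence.
/// </summary>
private void initializeGui()
{
    // A process row can expand only when it is a ProcessListObject that carries connections.
    processTreeView.CanExpandGetter = delegate(object x)
    {
        ProcessListObject t = x as ProcessListObject;
        return t != null && t.Connections != null;
    };
    processTreeView.ChildrenGetter = delegate(object x)
    {
        return ((ProcessListObject)x).Connections;
    };

    timer = new Timer();
    timer.Interval = 1000;
    timer.Tick += t_Tick;

    processTreeView.FullRowSelect = true;
    processTreeView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
    processTreeView.Expanded += processTreeView_Expanded;

    // Read our current output file in so we have our previous events in our event log.
    string path = Path.Combine(
        Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location),
        "output.txt");
    eventLogEntries = readPersistedEventLog(path);

    evtLogList.ShowGroups = false;
    evtLogList.EmptyListMsg = "No Events Found";
    evtLogList.FullRowSelect = true;
    evtLogList.SetObjects(eventLogEntries);
    if (eventLogEntries.Count > 0)
    {
        evtLogList.EnsureVisible(evtLogList.Items.Count - 1);
        evtLogList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
    }
    else
    {
        evtLogList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
    }

    // Open our registry keys and enumerate entries that we are fairly positive are persistence entries.
    List<RegistryKeyObject> objects = new List<RegistryKeyObject>();
    collectRunKeyEntries(Registry.CurrentUser, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "User Startup", objects);
    collectRunKeyEntries(Registry.LocalMachine, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "System Startup", objects);
    collectServiceEntries(objects);

    registryListView.FullRowSelect = true;
    registryListView.EmptyListMsg = "No Registry Keys Found";
    registryListView.ShowGroups = false;
    registryListView.SetObjects(objects);
    registryListView.AutoResizeColumns(objects.Count == 0
        ? ColumnHeaderAutoResizeStyle.HeaderSize
        : ColumnHeaderAutoResizeStyle.ColumnContent);
}

/// <summary>
/// Parses the event log the watcher persists to disk into entries for the event list.
/// Each line is expected as "(date) message [detection]"; lines that do not match are
/// skipped (the original produced a row of three empty strings for them).
/// </summary>
/// <param name="path">Full path of output.txt; a missing file yields an empty list.</param>
/// <returns>One entry per parseable line, in file order.</returns>
private static List<APEventLogEntry> readPersistedEventLog(string path)
{
    List<APEventLogEntry> entries = new List<APEventLogEntry>();
    if (!File.Exists(path))
    {
        return entries;
    }
    // NOTE(review): the message field carries registry data written by whatever created the
    // Run value / service (i.e. possibly by the malware being watched), and this pattern is
    // greedy and unanchored, so a value containing ") " or " [" can shift what lands in each
    // column. Kept as-is to stay compatible with existing files; a stricter format would need
    // a matching change in the writer.
    Regex lineFormat = new Regex("\\((.*)\\) (.*) \\[(.*)\\]");
    foreach (string line in File.ReadAllLines(path))
    {
        Match m = lineFormat.Match(line);
        if (!m.Success)
        {
            continue;
        }
        entries.Add(new APEventLogEntry(m.Groups[1].Value, m.Groups[2].Value, m.Groups[3].Value));
    }
    return entries;
}

/// <summary>
/// Appends one RegistryKeyObject (Detection "Persistence") per value under
/// <paramref name="hive"/>\Software\Microsoft\Windows\CurrentVersion\Run whose string data
/// mentions ".vbs". The check is case-insensitive: Windows paths are, so the original
/// case-sensitive Contains missed ".VBS".
/// </summary>
/// <param name="hive">Registry.CurrentUser or Registry.LocalMachine.</param>
/// <param name="displayKey">Display form of the key with trailing backslash, e.g. "HKCU\...\Run\".</param>
/// <param name="keyType">Stored in RegistryKeyObject.KeyType ("User Startup" / "System Startup").</param>
/// <param name="objects">Collector list that matches are appended to.</param>
private static void collectRunKeyEntries(RegistryKey hive, string displayKey, string keyType, List<RegistryKeyObject> objects)
{
    // The key can be absent (fresh profile, hardened image); the original dereferenced null.
    using (RegistryKey key = hive.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run"))
    {
        if (key == null)
        {
            return;
        }
        foreach (string s in key.GetValueNames())
        {
            // Non-string data (REG_BINARY etc.) cannot be a script path. The HKCU branch of the
            // original called .ToString() on a possibly-null value; the HKLM branch already used "as string".
            string val = key.GetValue(s) as string;
            if (val == null || val.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) < 0)
            {
                continue;
            }
            RegistryKeyObject temp = new RegistryKeyObject();
            temp.Detection = "Persistence";
            temp.KeyName = s;
            temp.KeyType = keyType;
            temp.Path = displayKey + s;
            temp.Key = displayKey;
            objects.Add(temp);
        }
    }
}

/// <summary>
/// Appends a RegistryKeyObject for each service whose ImagePath looks like a cscript-launched
/// .vbs (Detection "Persistence") or mentions "metsvc" (Detection "MetSvc"), matched
/// case-insensitively. Services without a readable string ImagePath are ignored.
/// </summary>
/// <param name="objects">Collector list that matches are appended to.</param>
private static void collectServiceEntries(List<RegistryKeyObject> objects)
{
    const string display = "HKLM\\System\\CurrentControlSet\\services\\";
    using (RegistryKey key = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services"))
    {
        if (key == null)
        {
            return;
        }
        foreach (string s in key.GetSubKeyNames())
        {
            string p;
            try
            {
                using (RegistryKey t = key.OpenSubKey(s))
                {
                    // Null if the subkey vanished between enumeration and open.
                    p = t == null ? null : t.GetValue("ImagePath") as string;
                }
            }
            catch (System.Security.SecurityException)
            {
                // ACL-protected service keys can refuse reads; skip rather than abort the scan.
                continue;
            }
            if (p == null)
            {
                continue;
            }

            string detection;
            if (p.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0
                && p.IndexOf("cscript", StringComparison.OrdinalIgnoreCase) >= 0)
            {
                detection = "Persistence";
            }
            else if (p.IndexOf("metsvc", StringComparison.OrdinalIgnoreCase) >= 0)
            {
                // NOTE(review): the live watcher (serviceEvent) spells this "Metsvc"; the two
                // labels are kept as they were so existing filters keep working.
                detection = "MetSvc";
            }
            else
            {
                continue;
            }

            RegistryKeyObject temp = new RegistryKeyObject();
            temp.Detection = detection;
            temp.KeyName = s;
            temp.KeyType = "Service";
            temp.Path = display + s;
            temp.Key = display;
            objects.Add(temp);
        }
    }
}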
/// <summary>
/// Adds a registry entry to the registry list, hopping onto the UI thread first when the
/// call arrives from the watcher thread.
/// </summary>
/// <param name="sender">The sending object</param>
/// <param name="e">Encapsulating Object to store our data</param>
void regwatch_addRegistry(object sender, RegistryKeyObject e)
{
    if (!registryListView.InvokeRequired)
    {
        // Already on the thread that owns the control: update it directly.
        registryListView.AddObject(e);
        registryListView.AutoResizeColumns();
        return;
    }
    // Off the UI thread: re-enter this same method through Invoke so the list is only
    // touched from its owning thread.
    UpdateRegistryCallback marshal = new UpdateRegistryCallback(regwatch_addRegistry);
    registryListView.Invoke(marshal, sender, e);
}