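// TODO: check out https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna#L10
/// <summary>
/// Lists running processes whose executable is not published by Microsoft, joining
/// <see cref="Process.GetProcesses"/> with the Win32_Process WMI class to obtain the
/// executable path and command line of each process.
/// </summary>
/// <returns>
/// One dictionary per reported process with the keys Name, ProcessID, ExecutablePath,
/// Product, Owner, isDotNet and CommandLine. Processes whose ExecutablePath is not
/// available from WMI are skipped. Never null; empty when enumeration fails.
/// </returns>
public static List<Dictionary<string, string>> GetProcessInfo()
{
    List<Dictionary<string, string>> final_results = new List<Dictionary<string, string>>();
    try
    {
        var wmiQueryString = "SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process";
        // Process objects own native handles; keep the array so every one is disposed afterwards.
        Process[] processes = Process.GetProcesses();
        try
        {
            using (var searcher = new ManagementObjectSearcher(wmiQueryString))
            using (var results = searcher.Get())
            {
                var query = from p in processes
                            join mo in results.Cast<ManagementObject>()
                                on p.Id equals (int)(uint)mo["ProcessId"]
                            select new
                            {
                                Process = p,
                                Path = (string)mo["ExecutablePath"],
                                CommandLine = (string)mo["CommandLine"],
                                Owner = GetProcessUser(p), // Needed inside the next foreach
                            };

                foreach (var item in query)
                {
                    // Without a path there is nothing to inspect, so the process is not reported.
                    if (item.Path == null)
                    {
                        continue;
                    }

                    string companyName = "";
                    string isDotNet = "";
                    try
                    {
                        FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(item.Path);
                        companyName = myFileVersionInfo.CompanyName;
                        isDotNet = MyUtils.CheckIfDotNet(item.Path) ? "isDotNet" : "";
                    }
                    catch (Exception)
                    {
                        // Not enough privileges (or the image is no longer on disk): report with an empty vendor.
                    }

                    // CompanyName is unauthenticated PE version-resource metadata, so this filter only
                    // reduces noise from Microsoft binaries; it is not a trust or signature check.
                    if (String.IsNullOrEmpty(companyName) || !Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))
                    {
                        Dictionary<string, string> toadd = new Dictionary<string, string>();
                        toadd["Name"] = item.Process.ProcessName;
                        toadd["ProcessID"] = item.Process.Id.ToString();
                        toadd["ExecutablePath"] = item.Path;
                        toadd["Product"] = companyName;
                        toadd["Owner"] = item.Owner ?? "";
                        toadd["isDotNet"] = isDotNet;
                        toadd["CommandLine"] = item.CommandLine;
                        final_results.Add(toadd);
                    }
                }
            }
        }
        finally
        {
            foreach (Process p in processes)
            {
                p.Dispose();
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return final_results;
}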
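/// <summary>
/// Lists installed services (Win32_Service via WMI) whose binary is not published by
/// Microsoft according to the CompanyName in the binary's version resource.
/// </summary>
/// <returns>
/// One dictionary per reported service with the keys Name, DisplayName, CompanyName,
/// State, StartMode, PathName, FilteredPath, isDotNet and Description. Services without
/// a PathName are skipped. Never null; empty when enumeration fails.
/// </returns>
public static List<Dictionary<string, string>> GetNonstandardServices()
{
    List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
    try
    {
        // WMI searcher, collection and each object are disposable; match GetProcessInfo's handling.
        using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT * FROM win32_service"))
        using (ManagementObjectCollection data = wmiData.Get())
        {
            foreach (ManagementObject result in data)
            {
                using (result)
                {
                    if (result["PathName"] == null)
                    {
                        continue;
                    }

                    // PathName may be quoted and carry arguments; keep only the executable/driver path.
                    Match path = Regex.Match(result["PathName"].ToString(), @"^\W*([a-z]:\\.+?(\.exe|\.dll|\.sys))\W*", RegexOptions.IgnoreCase);
                    string binaryPath = path.Groups[1].Value;

                    string companyName = "";
                    string isDotNet = "";
                    // An unmatched PathName yields "", for which GetVersionInfo can only throw.
                    if (binaryPath != "")
                    {
                        try
                        {
                            FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                            companyName = myFileVersionInfo.CompanyName;
                            isDotNet = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                        }
                        catch (Exception)
                        {
                            // Not enough privileges (or the file is missing): report with an empty vendor.
                        }
                    }

                    // CompanyName is unauthenticated version-resource metadata: a noise filter, not a trust check.
                    if (String.IsNullOrEmpty(companyName) || !Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))
                    {
                        Dictionary<string, string> toadd = new Dictionary<string, string>();
                        toadd["Name"] = String.Format("{0}", result["Name"]);
                        toadd["DisplayName"] = String.Format("{0}", result["DisplayName"]);
                        toadd["CompanyName"] = companyName;
                        toadd["State"] = String.Format("{0}", result["State"]);
                        toadd["StartMode"] = String.Format("{0}", result["StartMode"]);
                        toadd["PathName"] = String.Format("{0}", result["PathName"]);
                        toadd["FilteredPath"] = binaryPath;
                        toadd["isDotNet"] = isDotNet;
                        toadd["Description"] = String.Format("{0}", result["Description"]);
                        results.Add(toadd);
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Same reporting channel as the sibling enumerators instead of a bare Console.WriteLine.
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}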
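/// <summary>
/// Lists services registered under HKLM\SYSTEM\CurrentControlSet\Services whose binary is
/// not published by Microsoft, using the registry instead of WMI.
/// </summary>
/// <returns>
/// One dictionary per reported service with the same keys as GetNonstandardServices
/// (Name, DisplayName, CompanyName, State, StartMode, PathName, FilteredPath, isDotNet,
/// Description). State is always "" because the registry does not expose it. Keys without
/// both DisplayName and ImagePath are skipped. Never null; empty when enumeration fails.
/// </returns>
public static List<Dictionary<string, string>> GetNonstandardServicesFromReg()
{
    List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
    try
    {
        foreach (string key in MyUtils.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services"))
        {
            Dictionary<string, object> key_values = MyUtils.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + key);
            if (!key_values.ContainsKey("DisplayName") || !key_values.ContainsKey("ImagePath"))
            {
                continue;
            }

            string companyName = "";
            string isDotNet = "";
            // Kernel-style "\SystemRoot\" prefixes are turned into the environment form so they expand.
            string pathName = Environment.ExpandEnvironmentVariables(String.Format("{0}", key_values["ImagePath"]).Replace("\\SystemRoot\\", "%SystemRoot%\\"));
            string binaryPath = MyUtils.ReconstructExecPath(pathName);
            if (!String.IsNullOrEmpty(binaryPath))
            {
                try
                {
                    FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(binaryPath);
                    companyName = myFileVersionInfo.CompanyName;
                    isDotNet = MyUtils.CheckIfDotNet(binaryPath) ? "isDotNet" : "";
                }
                catch (Exception)
                {
                    // Not enough privileges (or the file is missing): report with an empty vendor.
                }
            }

            string displayName = String.Format("{0}", key_values["DisplayName"]);
            string description = key_values.ContainsKey("Description") ? String.Format("{0}", key_values["Description"]) : "";

            // Service "Start" values: 0 Boot, 1 System, 2 Auto, 3 Demand (Manual), 4 Disabled.
            // The previous mapping was shifted by one (3 -> System, 4 -> Manual, 5 -> Disabled).
            // String.Format tolerates a null registry value where ToString() would throw.
            string startMode = "";
            if (key_values.ContainsKey("Start"))
            {
                switch (String.Format("{0}", key_values["Start"]))
                {
                    case "0": startMode = "Boot"; break;
                    case "1": startMode = "System"; break;
                    case "2": startMode = "Autoload"; break;
                    case "3": startMode = "Manual"; break;
                    case "4": startMode = "Disabled"; break;
                }
            }

            // CompanyName is unauthenticated version-resource metadata: a noise filter, not a trust check.
            if (String.IsNullOrEmpty(companyName) || !Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))
            {
                Dictionary<string, string> toadd = new Dictionary<string, string>();
                // The subkey name is the service name, matching the "Name" column of GetNonstandardServices.
                toadd["Name"] = key;
                toadd["DisplayName"] = displayName;
                toadd["CompanyName"] = companyName;
                toadd["State"] = "";
                toadd["StartMode"] = startMode;
                toadd["PathName"] = pathName;
                toadd["FilteredPath"] = binaryPath;
                toadd["isDotNet"] = isDotNet;
                toadd["Description"] = description;
                results.Add(toadd);
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}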