////////////////////////////////////// //////// PATH DLL Hijacking ///////// ////////////////////////////////////// /// Look for write or equivalent permissions on ay folder in PATH public static Dictionary <string, string> GetPathDLLHijacking() { Dictionary <string, string> results = new Dictionary <string, string>(); try { // grabbed from the registry instead of System.Environment.GetEnvironmentVariable to prevent false positives string path = MyUtils.GetRegValue("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "Path"); if (String.IsNullOrEmpty(path)) { path = Environment.GetEnvironmentVariable("PATH"); } List <string> folders = path.Split(';').ToList(); foreach (string folder in folders) { results[folder] = String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)); } } catch (Exception ex) { Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message)); } return(results); }
public static List <Dictionary <string, string> > GetAutoRunsFolder() { List <Dictionary <string, string> > results = new List <Dictionary <string, string> >(); List <string> autorunLocations = new List <string>(); autorunLocations.Add(Environment.ExpandEnvironmentVariables(@"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup")); autorunLocations.Add(Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup")); foreach (string path in autorunLocations) { foreach (string filepath in Directory.GetFiles(path, "*", SearchOption.TopDirectoryOnly)) { string folder = Path.GetDirectoryName(filepath); results.Add(new Dictionary <string, string>() { { "Reg", "" }, { "Folder", folder }, { "File", filepath }, { "isWritableReg", "" }, { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) }, { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs)) }, { "isUnquotedSpaced", "" } }); } } return(results); }
////////////////////////////////////// /////// Get Autorun Registry //////// ////////////////////////////////////// /// Find Autoru registry where you have write or equivalent access public static List <Dictionary <string, string> > GetRegistryAutoRuns(Dictionary <string, string> NtAccountNames) { List <Dictionary <string, string> > results = new List <Dictionary <string, string> >(); try { string[] autorunLocations = new string[] { "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" }; foreach (string autorunLocation in autorunLocations) { Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation); if ((settings != null) && (settings.Count != 0)) { foreach (KeyValuePair <string, object> kvp in settings) { RegistryKey key = Registry.LocalMachine.OpenSubKey(autorunLocation); string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value)); string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", "")); results.Add(new Dictionary <string, string>() { { "Reg", "HKLM\\" + autorunLocation }, { "Folder", folder }, { "File", filepath }, { "RegPermissions", string.Join(", ", MyUtils.GetMyPermissionsR(key, NtAccountNames)) }, { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) }, { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs)) }, { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() } }); } } } } catch (Exception ex) { Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message)); } return(results); }
public static List <Dictionary <string, string> > GetRegistryAutoRuns() { List <Dictionary <string, string> > results = new List <Dictionary <string, string> >(); try { string[] autorunLocations = new string[] { "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" }; foreach (string autorunLocation in autorunLocations) { Dictionary <string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation); if ((settings != null) && (settings.Count != 0)) { foreach (KeyValuePair <string, object> kvp in settings) { string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value)); string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", "")); results.Add(new Dictionary <string, string>() { { "Reg", "HKLM\\" + autorunLocation }, { "Folder", folder }, { "File", filepath }, { "isWritableReg", MyUtils.CheckWriteAccessReg("HKLM", autorunLocation).ToString() }, { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups)) }, { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups)) }, { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() } }); } } } } catch (Exception ex) { Console.WriteLine(ex); } return(results); }
public static Dictionary <string, string> GetPathDLLHijacking() { Dictionary <string, string> results = new Dictionary <string, string>(); try { var path_env = Environment.GetEnvironmentVariable("PATH"); List <string> folders = path_env.Split(';').ToList(); foreach (string folder in folders) { results[folder] = String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups)); } } catch (Exception ex) { Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message)); } return(results); }
public static List <Dictionary <string, string> > GetAutoRunsWMIC() { List <Dictionary <string, string> > results = new List <Dictionary <string, string> >(); try { SelectQuery query = new SelectQuery("Win32_StartupCommand"); ManagementObjectSearcher searcher = new ManagementObjectSearcher(query); ManagementObjectCollection win32_startup = searcher.Get(); foreach (ManagementObject startup in win32_startup) { string command = startup["command"].ToString(); command = Environment.ExpandEnvironmentVariables(String.Format("{0}", command)); string filepath = MyUtils.GetExecutableFromPath(command); string filepath_cleaned = filepath.Replace("'", "").Replace("\"", ""); string folder = System.IO.Path.GetDirectoryName(filepath_cleaned); results.Add(new Dictionary <string, string>() { { "Reg", "" }, { "RegKey", "From WMIC" }, { "RegPermissions", "" }, { "Folder", folder }, { "File", command }, { "isWritableReg", "" }, { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) }, { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs)) }, { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(command).ToString() } }); } } catch (Exception e) { Beaprint.GrayPrint("Error getting autoruns from WMIC: " + e); } return(results); }
////////////////////////////////////// /////// Get Autorun Registry //////// ////////////////////////////////////// /// Find Autorun registry where you have write or equivalent access public static List <Dictionary <string, string> > GetRegistryAutoRuns(Dictionary <string, string> NtAccountNames) { List <Dictionary <string, string> > results = new List <Dictionary <string, string> >(); try { List <List <String> > autorunLocations = new List <List <string> >() { //Common Autoruns new List <String> { "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" }, new List <String> { "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" }, new List <String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" }, new List <String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce" }, new List <String> { "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" }, new List <String> { "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" }, new List <String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" }, new List <String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce" }, new List <String> { "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" }, new List <String> { "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" }, new List <String> { "HKLM", @"Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunEx" }, //Service Autoruns new List <String> { "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService" }, new List <String> { "HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" }, new List <String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService" }, new List <String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" }, new List <String> { "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService" }, new List <String> { "HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" }, new List <String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService" }, new List <String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" }, //Special Autorun new List <String> { "HKLM", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" }, new List <String> { "HKLM", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" }, new List <String> { "HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" }, new List <String> { "HKCU", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" }, //Startup Path new List <String> { "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup" }, new List <String> { "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup" }, new List <String> { "HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup" }, new List <String> { "HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup" }, //Winlogon new List <String> { "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit" }, new List <String> { "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell" }, //Policy Settings new List <String> { "HKLM", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run" }, new List <String> { "HKCU", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run" }, //AlternateShell in SafeBoot new List <String> { "HKLM", "SYSTEM\\CurrentControlSet\\Control\\SafeBoot", "AlternateShell" }, //Font Drivers new List <String> { "HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers" }, new List <String> { "HKLM", @"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers" }, //Open Command new List <String> { "HKLM", @"SOFTWARE\Classes\htmlfile\shell\open\command", "" }, //Get (Default) value with empty string new List <String> { "HKLM", @"SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command", "" }, //Get (Default) value with empty string }; List <List <String> > autorunLocationsKeys = new List <List <String> > { //Installed Components new List <String> { "HKLM", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "StubPath" }, new List <String> { "HKLM", "SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components", "StubPath" }, new List <String> { "HKCU", "SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "StubPath" }, new List <String> { "HKCU", "SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components", "StubPath" }, }; //This registry expect subkeys with the CLSID name List <List <String> > autorunLocationsKeysCLSIDs = new List <List <String> > { //Browser Helper Objects new List <String> { "HKLM", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" }, new List <String> { "HKLM", @"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" }, //Internet Explorer Extensions new List <String> { "HKLM", @"Software\Microsoft\Internet Explorer\Extensions" }, new List <String> { "HKLM", @"Software\Wow6432Node\Microsoft\Internet Explorer\Extensions" }, }; //Add the keyvalues inside autorunLocationsKeys to autorunLocations foreach (List <String> autorunLocationKey in autorunLocationsKeys) { List <String> subkeys = MyUtils.GetRegSubkeys(autorunLocationKey[0], autorunLocationKey[1]).ToList(); foreach (String keyname in subkeys) { string clsid_name = keyname; Match clsid = Regex.Match(keyname, @"^\W*(\{[\w\-]+\})\W*"); if (clsid.Groups.Count > 1) //Sometime the CLSID is bad writting and this kind of fix common mistakes { clsid_name = clsid.Groups[1].ToString(); } if (autorunLocationKey.Count > 2) { autorunLocations.Add(new List <string> { autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2] }); } else { autorunLocations.Add(new List <string> { autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name }); } } } //Read registry and get values foreach (List <String> autorunLocation in autorunLocations) { Dictionary <string, object> settings = MyUtils.GetRegValues(autorunLocation[0], autorunLocation[1]); if ((settings != null) && (settings.Count != 0)) { foreach (KeyValuePair <string, object> kvp in settings) { RegistryKey key = null; if ("HKLM" == autorunLocation[0]) { key = Registry.LocalMachine.OpenSubKey(autorunLocation[1]); } else { key = Registry.CurrentUser.OpenSubKey(autorunLocation[1]); } if (autorunLocation.Count > 2 && kvp.Key != autorunLocation[2]) { continue; //If only interested on 1 key of the registry and it's that one, continue } string orig_filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value)); string filepath = orig_filepath; if (MyUtils.GetExecutableFromPath(Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value))).Length > 0) { filepath = MyUtils.GetExecutableFromPath(filepath); } string filepath_cleaned = filepath.Replace("'", "").Replace("\"", ""); string folder = System.IO.Path.GetDirectoryName(filepath_cleaned); try { //If the path doesn't exist, pass if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory)) { //If the path is already a folder, change the values of the params orig_filepath = ""; folder = filepath_cleaned; } } catch { } results.Add(new Dictionary <string, string>() { { "Reg", autorunLocation[0] + "\\" + autorunLocation[1] }, { "RegKey", kvp.Key }, { "Folder", folder }, { "File", orig_filepath }, { "RegPermissions", string.Join(", ", MyUtils.GetMyPermissionsR(key, Program.currentUserSIDs)) }, { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) }, { "interestingFileRights", orig_filepath.Length > 1 ? String.Join(", ", MyUtils.GetPermissionsFile(orig_filepath, Program.currentUserSIDs)) : "" }, { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() } }); } } } //Check the autoruns that depends on CLSIDs foreach (List <String> autorunLocation in autorunLocationsKeysCLSIDs) { List <String> CLSIDs = MyUtils.GetRegSubkeys(autorunLocation[0], autorunLocation[1]).ToList(); foreach (String clsid in CLSIDs) { string reg = autorunLocation[1] + "\\" + clsid; RegistryKey key = null; if ("HKLM" == autorunLocation[0]) { key = Registry.LocalMachine.OpenSubKey(reg); } else { key = Registry.CurrentUser.OpenSubKey(reg); } string orig_filepath = MyUtils.GetCLSIDBinPath(clsid); if (String.IsNullOrEmpty(orig_filepath)) { continue; } orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", ""); string folder = System.IO.Path.GetDirectoryName(orig_filepath); results.Add(new Dictionary <string, string>() { { "Reg", autorunLocation[0] + "\\" + reg }, { "RegKey", "" }, { "Folder", folder }, { "File", orig_filepath }, { "RegPermissions", string.Join(", ", MyUtils.GetMyPermissionsR(key, Program.currentUserSIDs)) }, { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs)) }, { "interestingFileRights", orig_filepath.Length > 1 ? String.Join(", ", MyUtils.GetPermissionsFile(orig_filepath, Program.currentUserSIDs)) : "" }, { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString() } }); } } } catch (Exception ex) { Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message)); } return(results); }