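/// <summary>
/// One-time setup of the main form: wires the process tree's expand/children callbacks,
/// creates the refresh timer, reloads previously logged events from "output.txt" next to
/// the executable, and scans the HKCU/HKLM Run keys plus the services list for entries
/// matching this tool's persistence heuristics (substring matches on ".vbs", "cscript",
/// "metsvc").
/// </summary>
/// <remarks>
/// Registry scanning is best-effort: a Run or services key that is absent, or a service
/// key the current user cannot read, is skipped instead of aborting form initialization
/// (the previous implementation dereferenced the <c>OpenSubKey</c> result unconditionally).
/// Substring matching is case-insensitive so that ".VBS" or "CScript" spellings are not missed.
/// NOTE(review): a 32-bit process on 64-bit Windows is redirected to the WOW6432Node view of
/// HKLM\Software, so the native 64-bit Run key might not be what is enumerated here —
/// confirm the target platform, or open the hive via RegistryView.Registry64 if that matters.
/// </remarks>
private void initializeGui()
{
    // A process node is expandable only when it actually carries a connection list.
    processTreeView.CanExpandGetter = delegate(object x)
    {
        ProcessListObject node = x as ProcessListObject;
        return node != null && node.Connections != null;
    };
    processTreeView.ChildrenGetter = delegate(object x)
    {
        return ((ProcessListObject)x).Connections;
    };

    // One-second refresh tick. The timer is only created and wired here; Start() is not
    // called in this method (presumably done elsewhere in the form).
    timer = new Timer();
    timer.Interval = 1000;
    timer.Tick += t_Tick;

    processTreeView.FullRowSelect = true;
    processTreeView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
    processTreeView.Expanded += processTreeView_Expanded;

    // Read our current output file in so we have our previous events in our event log.
    // The file lives alongside the executable; it is written elsewhere (not visible here).
    string exeDirectory = Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location);
    string logPath = Path.Combine(exeDirectory, "output.txt");
    eventLogEntries = loadPreviousEvents(logPath);

    evtLogList.ShowGroups = false;
    evtLogList.EmptyListMsg = "No Events Found";
    evtLogList.FullRowSelect = true;
    evtLogList.SetObjects(eventLogEntries);
    if (eventLogEntries.Count > 0)
    {
        // Scroll to the newest entry so the latest event is visible on startup.
        evtLogList.EnsureVisible(evtLogList.Items.Count - 1);
    }
    if (eventLogEntries.Count == 0)
    {
        evtLogList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
    }
    else
    {
        evtLogList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
    }

    // Open our registry keys and enumerate entries that we are fairly positive are persistence entries.
    List<RegistryKeyObject> objects = new List<RegistryKeyObject>();
    scanRunKey(Registry.CurrentUser, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "User Startup", objects);
    scanRunKey(Registry.LocalMachine, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "System Startup", objects);
    // Open services and look for persistence.
    scanServices(objects);

    registryListView.FullRowSelect = true;
    registryListView.EmptyListMsg = "No Registry Keys Found";
    registryListView.ShowGroups = false;
    registryListView.SetObjects(objects);
    if (objects.Count == 0)
    {
        registryListView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
    }
    else
    {
        registryListView.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
    }
}

// Shape of one persisted event-log line: "(group1) group2 [group3]". The pattern is
// unanchored and greedy, exactly as originally written, so the split between the three
// groups is whatever Regex.Match chooses for lines containing extra parentheses/brackets.
private static readonly Regex eventLineRegex = new Regex("\\((.*)\\) (.*) \\[(.*)\\]");

/// <summary>
/// Parses previously written event-log lines back into entries.
/// </summary>
/// <param name="path">Full path of the log file; a missing file yields an empty list.</param>
/// <returns>The parsed entries, in file order. Lines that do not match the expected
/// "(a) b [c]" layout are skipped instead of becoming entries with empty fields.</returns>
private static List<APEventLogEntry> loadPreviousEvents(string path)
{
    List<APEventLogEntry> entries = new List<APEventLogEntry>();
    if (!File.Exists(path))
    {
        return entries;
    }
    foreach (string line in File.ReadAllLines(path))
    {
        Match m = eventLineRegex.Match(line);
        if (!m.Success)
        {
            // A blank or malformed line would otherwise produce an entry with three empty strings.
            continue;
        }
        entries.Add(new APEventLogEntry(m.Groups[1].Value, m.Groups[2].Value, m.Groups[3].Value));
    }
    return entries;
}

/// <summary>
/// Enumerates the values of a hive's "Software\Microsoft\Windows\CurrentVersion\Run" key
/// and flags every string value whose data mentions ".vbs" as a persistence entry.
/// </summary>
/// <param name="hive">Root hive to look under (HKCU or HKLM).</param>
/// <param name="displayPrefix">Human-readable key path for the Path/Key columns, ending in a backslash.</param>
/// <param name="keyType">Text for the KeyType column ("User Startup" / "System Startup").</param>
/// <param name="results">Collector the matches are appended to.</param>
private static void scanRunKey(RegistryKey hive, string displayPrefix, string keyType, List<RegistryKeyObject> results)
{
    using (RegistryKey runKey = hive.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run"))
    {
        // OpenSubKey returns null when the key does not exist.
        if (runKey == null)
        {
            return;
        }
        foreach (string valueName in runKey.GetValueNames())
        {
            // Only string-typed data is inspected; non-string values (e.g. binary/DWORD)
            // cannot hold a script path and the original ToString() match never hit them either.
            string data = runKey.GetValue(valueName) as string;
            if (data != null && containsIgnoreCase(data, ".vbs"))
            {
                results.Add(makeEntry("Persistence", valueName, keyType, displayPrefix));
            }
        }
    }
}

/// <summary>
/// Walks every service under HKLM\System\CurrentControlSet\services and flags an
/// ImagePath that runs a .vbs via cscript ("Persistence"), or that mentions "metsvc" ("MetSvc").
/// The two checks are ordered as originally written: the cscript/.vbs rule wins over the metsvc rule.
/// </summary>
/// <param name="results">Collector the matches are appended to.</param>
private static void scanServices(List<RegistryKeyObject> results)
{
    const string displayPrefix = "HKLM\\System\\CurrentControlSet\\services\\";
    using (RegistryKey servicesKey = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services"))
    {
        if (servicesKey == null)
        {
            return;
        }
        foreach (string serviceName in servicesKey.GetSubKeyNames())
        {
            string imagePath = readImagePath(servicesKey, serviceName);
            if (imagePath == null)
            {
                continue;
            }
            if (containsIgnoreCase(imagePath, ".vbs") && containsIgnoreCase(imagePath, "cscript"))
            {
                results.Add(makeEntry("Persistence", serviceName, "Service", displayPrefix));
            }
            else if (containsIgnoreCase(imagePath, "metsvc"))
            {
                results.Add(makeEntry("MetSvc", serviceName, "Service", displayPrefix));
            }
        }
    }
}

/// <summary>
/// Reads the string ImagePath of one service subkey.
/// </summary>
/// <param name="servicesKey">The opened services parent key.</param>
/// <param name="serviceName">Subkey name of the service.</param>
/// <returns>The ImagePath string, or null when the subkey is missing, unreadable, or the value is not a string.</returns>
private static string readImagePath(RegistryKey servicesKey, string serviceName)
{
    try
    {
        using (RegistryKey serviceKey = servicesKey.OpenSubKey(serviceName))
        {
            return serviceKey == null ? null : serviceKey.GetValue("ImagePath") as string;
        }
    }
    catch (System.Security.SecurityException)
    {
        // OpenSubKey throws (rather than returning null) when the caller lacks read access to
        // this particular service key; treat it as unreadable so one locked key does not abort the scan.
        return null;
    }
}

/// <summary>
/// Builds one row for the registry list view.
/// </summary>
/// <param name="detection">Text for the Detection column.</param>
/// <param name="keyName">Value or subkey name that matched.</param>
/// <param name="keyType">Text for the KeyType column.</param>
/// <param name="keyPrefix">Display path of the parent key, ending in a backslash.</param>
/// <returns>A populated <see cref="RegistryKeyObject"/> whose Path is keyPrefix + keyName.</returns>
private static RegistryKeyObject makeEntry(string detection, string keyName, string keyType, string keyPrefix)
{
    RegistryKeyObject entry = new RegistryKeyObject();
    entry.Detection = detection;
    entry.KeyName = keyName;
    entry.KeyType = keyType;
    entry.Path = keyPrefix + keyName;
    entry.Key = keyPrefix;
    return entry;
}

/// <summary>
/// Ordinal, case-insensitive substring test (string.Contains has no comparison overload on .NET Framework).
/// </summary>
private static bool containsIgnoreCase(string haystack, string needle)
{
    return haystack.IndexOf(needle, System.StringComparison.OrdinalIgnoreCase) >= 0;
}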