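/// <summary>
/// Re-scans HKLM\System\CurrentControlSet\services when a service-related WMI
/// event arrives. Subkeys not yet in <c>serviceReg</c> are recorded, and their
/// ImagePath is checked against the two Meterpreter-style patterns this tool
/// flags (a cscript-launched .vbs, or a metsvc binary). Subkeys that have
/// disappeared since the last scan are dropped from <c>serviceReg</c> and
/// reported through <c>removedEntry</c>.
/// </summary>
/// <param name="sender">Event source; unused.</param>
/// <param name="e">WMI event arguments; unused — the whole services key is re-read instead.</param>
private void serviceEvent(object sender, EventArrivedEventArgs e)
{
    // Names seen in this scan; HashSet keeps the removal diff below O(n) instead of O(n^2).
    // Default (ordinal) comparer matches the List.Contains semantics this replaces.
    HashSet<string> currentNames = new HashSet<string>();

    // One timestamp per scan so all detections from the same event agree.
    string date = DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString();

    // RegistryKey is IDisposable; the using block also covers the early return.
    using (RegistryKey key = Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\services"))
    {
        // OpenSubKey returns null when the key is missing or not readable. Bail out rather than
        // treating that as "no services", which would wrongly raise removedEntry for everything.
        if (key == null)
        {
            return;
        }

        foreach (string s in key.GetSubKeyNames())
        {
            currentNames.Add(s);
            if (serviceReg.ContainsKey(s))
            {
                continue;
            }

            // ImagePath is only needed for newly seen services, so read it after the membership check.
            string path = readImagePath(key, s);
            // Tracked even when path is null so the service still takes part in the removal diff
            // (serviceReg is assumed to accept a null value — TODO confirm its declared type).
            serviceReg.Add(s, path);
            if (path == null)
            {
                // No string ImagePath (missing value or a non-REG_SZ type): nothing to match on.
                continue;
            }

            // Windows paths are case-insensitive, so the match must be too; a case-sensitive
            // Contains would miss "CScript.exe" or "Payload.VBS".
            if (containsIgnoreCase(path, "cscript") && containsIgnoreCase(path, ".vbs"))
            {
                reportServiceDetection(s, path, date, "Meterpreter Persistence Service", "Persistence");
            }
            else if (containsIgnoreCase(path, "metsvc"))
            {
                reportServiceDetection(s, path, date, "Metsvc Registry Entry", "Metsvc");
            }
        }
    }

    // Collect first, then remove: a Dictionary cannot be modified while its Keys are enumerated.
    List<string> toremove = new List<string>();
    foreach (string s in serviceReg.Keys)
    {
        if (!currentNames.Contains(s))
        {
            toremove.Add(s);
        }
    }
    foreach (string s in toremove)
    {
        serviceReg.Remove(s);
        removedEntry(this, s);
    }
}

/// <summary>
/// Reads the ImagePath value of one service subkey.
/// </summary>
/// <param name="servicesKey">Open handle to HKLM\System\CurrentControlSet\services.</param>
/// <param name="serviceName">Subkey (service) name.</param>
/// <returns>The ImagePath string, or null when the subkey cannot be opened,
/// the value is absent, or it is not a string type.</returns>
private static string readImagePath(RegistryKey servicesKey, string serviceName)
{
    using (RegistryKey sub = servicesKey.OpenSubKey(serviceName))
    {
        if (sub == null)
        {
            return null;
        }
        // "as string" yields null for non-string kinds (e.g. REG_MULTI_SZ) instead of throwing.
        return sub.GetValue("ImagePath") as string;
    }
}

/// <summary>
/// Ordinal, case-insensitive substring test (IndexOf form keeps .NET Framework compatibility).
/// </summary>
private static bool containsIgnoreCase(string haystack, string needle)
{
    return haystack.IndexOf(needle, StringComparison.OrdinalIgnoreCase) >= 0;
}

/// <summary>
/// Logs one flagged service and raises it as a <c>RegistryKeyObject</c> via <c>addRegistry</c>.
/// Shared by both detection branches so the log line and event are built identically.
/// </summary>
/// <param name="serviceName">Subkey name under the services key.</param>
/// <param name="path">The service's ImagePath value.</param>
/// <param name="date">Timestamp string for the log line.</param>
/// <param name="logMessage">Human-readable label passed to the log writer.</param>
/// <param name="detection">Value stored in <c>RegistryKeyObject.Detection</c>.</param>
private void reportServiceDetection(string serviceName, string path, string date, string logMessage, string detection)
{
    const string servicesKeyPath = "HKLM\\System\\CurrentControlSet\\services";
    string fullPath = servicesKeyPath + "\\" + serviceName;

    // builder is a shared StringBuilder field; cleared before each use as the original did.
    builder.Clear();
    builder.Append(fullPath);
    builder.Append(" - ");
    builder.Append(path);
    w.write(date, builder.ToString(), logMessage);

    RegistryKeyObject evt = new RegistryKeyObject();
    evt.Key = servicesKeyPath;
    evt.KeyName = serviceName;
    evt.Detection = detection;
    evt.KeyType = "Service";
    evt.Path = fullPath;
    addRegistry(this, evt);
}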