- added check PrintExecutablesInNonDefaultFoldersWithWritePermissions()

2021-01-25 22:46:14 +01:00 · 2021-01-25 22:46:14 +01:00 · 23d3e1cd22
commit 23d3e1cd22
parent 2a0ab7bf77
2 changed files with 43 additions and 0 deletions
--- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
@ -244,6 +244,7 @@ namespace winPEAS.Checks
                    Dictionary<string, string> colorsD = new Dictionary<string, string>()
                        {
                            { "Permissions.*", Beaprint.ansi_color_bad },
+                            { "Capcom.sys", Beaprint.ansi_color_bad },
                            { pathDriver.Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+"), (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
                        };

--- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
@ -127,6 +127,7 @@ namespace winPEAS.Checks
                PrintRecycleBin,
                PrintHiddenFilesAndFolders,
                PrintOtherUsersInterestingFiles
+                PrintExecutablesInNonDefaultFoldersWithWritePermissions,
            }.ForEach(action => CheckRunner.Run(action, isDebug));
        }

@ -643,5 +644,46 @@ namespace winPEAS.Checks
                }
            }
        }
+
+        private void PrintExecutablesInNonDefaultFoldersWithWritePermissions()
+        {
+            Beaprint.MainPrint($"Searching executable files in non-default folders with write (equivalent) permissions (can be slow)");
+
+            var systemDrive = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\";
+
+            var excludedDirs = new HashSet<string>()
+            {
+                @"c:\esupport",
+                @"c:\perflogs",
+                @"c:\programdata",
+                @"c:\program files(x86)",
+                @"c:\program files",
+                @"c:\windows",
+                @"c:\windows.old",
+            };
+
+            var allowedExtensions = new HashSet<string>()
+            {
+                ".bat",
+                ".exe",
+                ".ps1"
+            };
+
+            var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);
+
+            foreach (var file in files)
+            {
+                if (file.Extension != null && allowedExtensions.Contains(file.Extension.ToLower()))
+                {
+                    // check the file permissions
+                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true);
+
+                    if (fileRights.Count > 0)
+                    {
+                        Beaprint.BadPrint($"     File Permissions \"{file.FullPath}\": " + string.Join(",", fileRights));
+                    }
+                }
+            }
+        }
    }
 }