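using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text.RegularExpressions;

namespace winPEAS
{
    /// <summary>
    /// Process enumeration for winPEAS: lookup tables of executable names that the
    /// report highlights (security/monitoring products, and remote-access, shell or
    /// credential tools), plus a WMI-backed listing of the running processes.
    /// </summary>
    class ProcessesInfo
    {
        /// <summary>
        /// Executable names of antivirus, EDR, DLP, firewall, logging and analysis
        /// tools, mapped to a short product description ("" when none is recorded).
        /// Keys keep the casing the vendor ships the binary with; <see cref="Hashtable"/>
        /// key lookup is case-sensitive, so callers presumably normalise the process
        /// name before matching — verify against the call sites.
        /// </summary>
        public static Hashtable defensiveProcesses = new Hashtable()
        {
            { "mcshield.exe", "McAfee AV" },
            { "windefend.exe", "Windows Defender AV" },
            { "MSASCui.exe", "Windows Defender AV" },
            { "MSASCuiL.exe", "Windows Defender AV" },
            { "msmpeng.exe", "Windows Defender AV" },
            { "msmpsvc.exe", "Windows Defender AV" },
            { "WRSA.exe", "WebRoot AV" },
            { "savservice.exe", "Sophos AV" },
            { "TMCCSF.exe", "Trend Micro AV" },
            { "symantec antivirus.exe", "Symantec AV" },
            { "mbae.exe", "MalwareBytes Anti-Exploit" },
            { "parity.exe", "Bit9 application whitelisting" },
            { "cb.exe", "Carbon Black behavioral analysis" },
            { "bds-vision.exe", "BDS Vision behavioral analysis" },
            { "Triumfant.exe", "Triumfant behavioral analysis" },
            { "CSFalcon.exe", "CrowdStrike Falcon EDR" },
            { "ossec.exe", "OSSEC intrusion detection" },
            { "TmPfw.exe", "Trend Micro firewall" },
            { "dgagent.exe", "Verdasys Digital Guardian DLP" },
            { "kvoop.exe", " DLP process" },
            { "AAWTray.exe", "" }, { "ackwin32.exe", "" }, { "Ad-Aware.exe", "" }, { "adaware.exe", "" },
            { "advxdwin.exe", "" }, { "agentsvr.exe", "" }, { "agentw.exe", "" }, { "alertsvc.exe", "" },
            { "alevir.exe", "" }, { "alogserv.exe", "" }, { "amon9x.exe", "" }, { "anti-trojan.exe", "" },
            { "antivirus.exe", "" }, { "ants.exe", "" }, { "apimonitor.exe", "" }, { "aplica32.exe", "" },
            { "apvxdwin.exe", "" }, { "arr.exe", "" }, { "atcon.exe", "" }, { "atguard.exe", "" },
            { "atro55en.exe", "" }, { "atupdater.exe", "" }, { "atwatch.exe", "" }, { "au.exe", "" },
            { "aupdate.exe", "" }, { "auto-protect.nav80try.exe", "" }, { "autodown.exe", "" }, { "autoruns.exe", "" },
            { "autorunsc.exe", "" }, { "autotrace.exe", "" }, { "autoupdate.exe", "" }, { "avconsol.exe", "" },
            { "ave32.exe", "" }, { "avgcc32.exe", "" }, { "avgctrl.exe", "" },
            { "avgemc.exe", "" }, { "avgnt.exe", "" }, { "avgrsx.exe", "" }, { "avgserv.exe", "" },
            { "avgserv9.exe", "" }, { "avguard.exe", "" }, { "avgwdsvc.exe", "" }, { "avgui.exe", "" },
            { "avgw.exe", "" }, { "avkpop.exe", "" }, { "avkserv.exe", "" }, { "avkservice.exe", "" },
            { "avkwctl9.exe", "" }, { "avltmain.exe", "" }, { "avnt.exe", "" }, { "avp.exe", "" },
            { "avp32.exe", "" }, { "avpcc.exe", "" }, { "avpdos32.exe", "" }, { "avpm.exe", "" },
            { "avptc32.exe", "" }, { "avpupd.exe", "" }, { "avsched32.exe", "" }, { "avsynmgr.exe", "" },
            { "avwin.exe", "" }, { "avwin95.exe", "" }, { "avwinnt.exe", "" }, { "avwupd.exe", "" },
            { "avwupd32.exe", "" }, { "avwupsrv.exe", "" }, { "avxmonitor9x.exe", "" }, { "avxmonitornt.exe", "" },
            { "avxquar.exe", "" }, { "backweb.exe", "" }, { "bargains.exe", "" }, { "bd_professional.exe", "" },
            { "beagle.exe", "" }, { "belt.exe", "" }, { "bidef.exe", "" }, { "bidserver.exe", "" },
            { "bipcp.exe", "" }, { "bipcpevalsetup.exe", "" }, { "bisp.exe", "" }, { "blackd.exe", "" },
            { "blackice.exe", "" }, { "blink.exe", "" }, { "blss.exe", "" }, { "bootconf.exe", "" },
            { "bootwarn.exe", "" }, { "borg2.exe", "" }, { "bpc.exe", "" }, { "brasil.exe", "" },
            { "bs120.exe", "" }, { "bundle.exe", "" }, { "bvt.exe", "" }, { "ccapp.exe", "" },
            { "ccevtmgr.exe", "" }, { "ccpxysvc.exe", "" }, { "ccSvcHst.exe", "" }, { "cdp.exe", "" },
            { "cfd.exe", "" }, { "cfgwiz.exe", "" }, { "cfiadmin.exe", "" }, { "cfiaudit.exe", "" },
            { "cfinet.exe", "" }, { "cfinet32.exe", "" }, { "claw95.exe", "" }, { "claw95cf.exe", "" },
            { "clean.exe", "" }, { "cleaner.exe", "" }, { "cleaner3.exe", "" }, { "cleanpc.exe", "" },
            { "cleanup.exe", "" }, { "click.exe", "" }, { "cmdagent.exe", "" }, { "cmesys.exe", "" },
            { "cmgrdian.exe", "" }, { "cmon016.exe", "" }, { "connectionmonitor.exe", "" }, { "cpd.exe", "" },
            { "cpf9x206.exe", "" }, { "cpfnt206.exe", "" }, { "ctrl.exe", "" }, { "cv.exe", "" },
            { "cwnb181.exe", "" }, { "cwntdwmo.exe", "" }, { "CylanceUI.exe", "" }, { "CyProtect.exe", "" },
            { "CyUpdate.exe", "" }, { "cyserver.exe", "" }, { "cytray.exe", "" },
            { "CyveraService.exe", "" }, { "datemanager.exe", "" }, { "dcomx.exe", "" }, { "defalert.exe", "" },
            { "defscangui.exe", "" }, { "defwatch.exe", "" }, { "deputy.exe", "" }, { "divx.exe", "" },
            { "dgprompt.exe", "" }, { "DgService.exe", "" }, { "dllcache.exe", "" }, { "dllreg.exe", "" },
            { "doors.exe", "" }, { "dpf.exe", "" }, { "dpfsetup.exe", "" }, { "dpps2.exe", "" },
            { "drwatson.exe", "" }, { "drweb32.exe", "" }, { "drwebupw.exe", "" }, { "dssagent.exe", "" },
            { "dumpcap.exe", "" }, { "dvp95.exe", "" }, { "dvp95_0.exe", "" }, { "ecengine.exe", "" },
            { "efpeadm.exe", "" }, { "egui.exe", "" }, { "ekrn.exe", "" }, { "emet_agent.exe", "" },
            { "emet_service.exe", "" }, { "emsw.exe", "" }, { "engineserver.exe", "" }, { "ent.exe", "" },
            { "esafe.exe", "" }, { "escanhnt.exe", "" }, { "escanv95.exe", "" }, { "espwatch.exe", "" },
            { "ethereal.exe", "" }, { "etrustcipe.exe", "" }, { "evpn.exe", "" }, { "exantivirus-cnet.exe", "" },
            { "exe.avxw.exe", "" }, { "expert.exe", "" }, { "explore.exe", "" }, { "f-agnt95.exe", "" },
            { "f-prot.exe", "" }, { "f-prot95.exe", "" }, { "f-stopw.exe", "" }, { "fameh32.exe", "" },
            { "fast.exe", "" }, { "fch32.exe", "" },
            { "fcagswd.exe", "McAfee DLP Agent" },
            { "fcags.exe", "McAfee DLP Agent" },
            { "fih32.exe", "" }, { "findviru.exe", "" },
            { "firesvc.exe", "McAfee Host Intrusion Prevention" },
            { "firetray.exe", "" }, { "firewall.exe", "" }, { "fnrb32.exe", "" }, { "fp-win.exe", "" },
            { "fp-win_trial.exe", "" }, { "fprot.exe", "" }, { "frameworkservice.exe", "" }, { "frminst.exe", "" },
            { "frw.exe", "" }, { "fsaa.exe", "" }, { "fsav.exe", "" }, { "fsav32.exe", "" },
            { "fsav530stbyb.exe", "" }, { "fsav530wtbyb.exe", "" }, { "fsav95.exe", "" }, { "fsgk32.exe", "" },
            { "fsm32.exe", "" }, { "fsma32.exe", "" }, { "fsmb32.exe", "" }, { "gator.exe", "" },
            { "gbmenu.exe", "" }, { "gbpoll.exe", "" }, { "generics.exe", "" }, { "gmt.exe", "" },
            { "guard.exe", "" }, { "guarddog.exe", "" }, { "hacktracersetup.exe", "" }, { "hbinst.exe", "" },
            { "hbsrv.exe", "" }, { "HijackThis.exe", "" }, { "hipsvc.exe", "" },
            { "HipMgmt.exe", "McAfee Host Intrusion Protection" },
            { "hotactio.exe", "" }, { "hotpatch.exe", "" }, { "htlog.exe", "" }, { "htpatch.exe", "" },
            { "hwpe.exe", "" }, { "hxdl.exe", "" }, { "hxiul.exe", "" }, { "iamapp.exe", "" },
            { "iamserv.exe", "" }, { "iamstats.exe", "" }, { "ibmasn.exe", "" }, { "ibmavsp.exe", "" },
            { "icload95.exe", "" }, { "icloadnt.exe", "" }, { "icmon.exe", "" }, { "icsupp95.exe", "" },
            { "icsuppnt.exe", "" }, { "idle.exe", "" }, { "iedll.exe", "" }, { "iedriver.exe", "" },
            { "iface.exe", "" }, { "ifw2000.exe", "" }, { "inetlnfo.exe", "" }, { "infus.exe", "" },
            { "infwin.exe", "" }, { "init.exe", "" }, { "intdel.exe", "" }, { "intren.exe", "" },
            { "iomon98.exe", "" }, { "istsvc.exe", "" }, { "jammer.exe", "" }, { "jdbgmrg.exe", "" },
            { "jedi.exe", "" }, { "kavlite40eng.exe", "" }, { "kavpers40eng.exe", "" }, { "kavpf.exe", "" },
            { "kazza.exe", "" }, { "keenvalue.exe", "" }, { "kerio-pf-213-en-win.exe", "" }, { "kerio-wrl-421-en-win.exe", "" },
            { "kerio-wrp-421-en-win.exe", "" }, { "kernel32.exe", "" }, { "KeyPass.exe", "" }, { "killprocesssetup161.exe", "" },
            { "launcher.exe", "" }, { "ldnetmon.exe", "" }, { "ldpro.exe", "" }, { "ldpromenu.exe", "" },
            { "ldscan.exe", "" }, { "lnetinfo.exe", "" }, { "loader.exe", "" }, { "localnet.exe", "" },
            { "lockdown.exe", "" }, { "lockdown2000.exe", "" }, { "lookout.exe", "" }, { "lordpe.exe", "" },
            { "lsetup.exe", "" }, { "luall.exe", "" }, { "luau.exe", "" }, { "lucomserver.exe", "" },
            { "luinit.exe", "" }, { "luspt.exe", "" }, { "mapisvc32.exe", "" },
            { "masvc.exe", "McAfee Agent" },
            { "mbamservice.exe", "" }, { "mcafeefire.exe", "" }, { "mcagent.exe", "" }, { "mcmnhdlr.exe", "" },
            { "mcscript.exe", "" }, { "mcscript_inuse.exe", "" }, { "mctool.exe", "" }, { "mctray.exe", "" },
            { "mcupdate.exe", "" }, { "mcvsrte.exe", "" }, { "mcvsshld.exe", "" }, { "md.exe", "" },
            { "mfeann.exe", "McAfee VirusScan Enterprise" },
            { "mfemactl.exe", "McAfee VirusScan Enterprise" },
            { "mfevtps.exe", "" }, { "mfin32.exe", "" }, { "mfw2en.exe", "" }, { "mfweng3.02d30.exe", "" },
            { "mgavrtcl.exe", "" }, { "mgavrte.exe", "" },
            { "mghtml.exe", "" }, { "mgui.exe", "" }, { "minilog.exe", "" }, { "minionhost.exe", "" },
            { "mmod.exe", "" }, { "monitor.exe", "" }, { "moolive.exe", "" }, { "mostat.exe", "" },
            { "mpfagent.exe", "" }, { "mpfservice.exe", "" }, { "mpftray.exe", "" }, { "mrflux.exe", "" },
            { "msapp.exe", "" }, { "msbb.exe", "" }, { "msblast.exe", "" }, { "mscache.exe", "" },
            { "msccn32.exe", "" }, { "mscman.exe", "" }, { "msconfig.exe", "" }, { "msdm.exe", "" },
            { "msdos.exe", "" }, { "msiexec16.exe", "" }, { "msinfo32.exe", "" }, { "mslaugh.exe", "" },
            { "msmgt.exe", "" }, { "msmsgri32.exe", "" },
            { "MsSense.exe", "Microsoft Defender ATP" },
            { "mssmmc32.exe", "" }, { "mssys.exe", "" }, { "msvxd.exe", "" }, { "mu0311ad.exe", "" },
            { "mwatch.exe", "" }, { "n32scanw.exe", "" }, { "naprdmgr.exe", "" }, { "nav.exe", "" },
            { "navap.navapsvc.exe", "" }, { "navapsvc.exe", "" }, { "navapw32.exe", "" }, { "navdx.exe", "" },
            { "navlu32.exe", "" }, { "navnt.exe", "" }, { "navstub.exe", "" }, { "navw32.exe", "" },
            { "navwnt.exe", "" }, { "nc2000.exe", "" }, { "ncinst4.exe", "" }, { "ndd32.exe", "" },
            { "neomonitor.exe", "" }, { "neowatchlog.exe", "" }, { "netarmor.exe", "" }, { "netd32.exe", "" },
            { "netinfo.exe", "" }, { "netmon.exe", "" }, { "netscanpro.exe", "" }, { "netspyhunter-1.2.exe", "" },
            { "netstat.exe", "" }, { "netutils.exe", "" }, { "nisserv.exe", "" }, { "nisum.exe", "" },
            { "nmain.exe", "" }, { "nod32.exe", "" }, { "normist.exe", "" }, { "norton_internet_secu_3.0_407.exe", "" },
            { "notstart.exe", "" }, { "npf40_tw_98_nt_me_2k.exe", "" }, { "npfmessenger.exe", "" }, { "nprotect.exe", "" },
            { "npscheck.exe", "" }, { "npssvc.exe", "" }, { "nsched32.exe", "" }, { "nssys32.exe", "" },
            { "nstask32.exe", "" }, { "nsupdate.exe", "" }, { "nt.exe", "" }, { "ntrtscan.exe", "" },
            { "ntvdm.exe", "" }, { "ntxconfig.exe", "" }, { "nui.exe", "" }, { "nupgrade.exe", "" },
            { "nvarch16.exe", "" }, { "nvc95.exe", "" }, { "nvsvc32.exe", "" }, { "nwinst4.exe", "" },
            { "nwservice.exe", "" }, { "nwtool16.exe", "" }, { "nxlog.exe", "" }, { "ollydbg.exe", "" },
            { "onsrvr.exe", "" },
            { "optimize.exe", "" }, { "ostronet.exe", "" }, { "osqueryd.exe", "" }, { "otfix.exe", "" },
            { "outpost.exe", "" }, { "outpostinstall.exe", "" }, { "outpostproinstall.exe", "" }, { "padmin.exe", "" },
            { "panixk.exe", "" }, { "patch.exe", "" }, { "pavcl.exe", "" }, { "pavproxy.exe", "" },
            { "pavsched.exe", "" }, { "pavw.exe", "" }, { "pccwin98.exe", "" }, { "pcfwallicon.exe", "" },
            { "pcip10117_0.exe", "" }, { "pcscan.exe", "" }, { "pdsetup.exe", "" }, { "periscope.exe", "" },
            { "persfw.exe", "" }, { "perswf.exe", "" }, { "pf2.exe", "" }, { "pfwadmin.exe", "" },
            { "pgmonitr.exe", "" }, { "pingscan.exe", "" }, { "platin.exe", "" }, { "pop3trap.exe", "" },
            { "poproxy.exe", "" }, { "popscan.exe", "" }, { "portdetective.exe", "" }, { "portmonitor.exe", "" },
            { "powerscan.exe", "" }, { "ppinupdt.exe", "" }, { "pptbc.exe", "" }, { "ppvstop.exe", "" },
            { "prizesurfer.exe", "" }, { "prmt.exe", "" }, { "prmvr.exe", "" }, { "procdump.exe", "" },
            { "processmonitor.exe", "" }, { "procexp.exe", "" }, { "procexp64.exe", "" }, { "procexplorerv1.0.exe", "" },
            { "procmon.exe", "" }, { "programauditor.exe", "" }, { "proport.exe", "" }, { "protectx.exe", "" },
            { "pspf.exe", "" }, { "purge.exe", "" }, { "qconsole.exe", "" }, { "qserver.exe", "" },
            { "rapapp.exe", "" }, { "rav7.exe", "" }, { "rav7win.exe", "" }, { "rav8win32eng.exe", "" },
            { "ray.exe", "" }, { "rb32.exe", "" }, { "rcsync.exe", "" }, { "realmon.exe", "" },
            { "reged.exe", "" }, { "regedit.exe", "" }, { "regedt32.exe", "" }, { "rescue.exe", "" },
            { "rescue32.exe", "" }, { "rrguard.exe", "" }, { "rtvscan.exe", "" }, { "rtvscn95.exe", "" },
            { "rulaunch.exe", "" }, { "run32dll.exe", "" }, { "rundll.exe", "" }, { "rundll16.exe", "" },
            { "ruxdll32.exe", "" }, { "safeweb.exe", "" }, { "sahagent.exescan32.exe", "" }, { "save.exe", "" },
            { "savenow.exe", "" }, { "sbserv.exe", "" }, { "scam32.exe", "" }, { "scan32.exe", "" },
            { "scan95.exe", "" }, { "scanpm.exe", "" }, { "scrscan.exe", "" }, { "SentinelOne.exe", "" },
            { "serv95.exe", "" }, { "setupvameeval.exe", "" }, { "setup_flowprotector_us.exe", "" }, { "sfc.exe", "" },
            { "sgssfw32.exe", "" }, { "sh.exe", "" }, { "shellspyinstall.exe", "" }, { "shn.exe", "" },
            { "showbehind.exe", "" },
            { "shstat.exe", "McAfee VirusScan Enterprise" },
            { "SISIDSService.exe", "" }, { "SISIPSUtil.exe", "" }, { "smc.exe", "" }, { "sms.exe", "" },
            { "smss32.exe", "" }, { "soap.exe", "" }, { "sofi.exe", "" }, { "sperm.exe", "" },
            { "splunk.exe", "Splunk" },
            { "splunkd.exe", "Splunk" },
            { "splunk-admon.exe", "Splunk" },
            { "splunk-powershell.exe", "Splunk" },
            { "splunk-winevtlog.exe", "Splunk" },
            { "spf.exe", "" }, { "sphinx.exe", "" }, { "spoler.exe", "" }, { "spoolcv.exe", "" },
            { "spoolsv32.exe", "" }, { "spyxx.exe", "" }, { "srexe.exe", "" }, { "srng.exe", "" },
            { "ss3edit.exe", "" }, { "ssgrate.exe", "" }, { "ssg_4104.exe", "" }, { "st2.exe", "" },
            { "start.exe", "" }, { "stcloader.exe", "" }, { "supftrl.exe", "" }, { "support.exe", "" },
            { "supporter5.exe", "" }, { "svchostc.exe", "" }, { "svchosts.exe", "" }, { "sweep95.exe", "" },
            { "sweepnet.sweepsrv.sys.swnetsup.exe", "" }, { "symproxysvc.exe", "" }, { "symtray.exe", "" }, { "sysedit.exe", "" },
            { "sysmon.exe", "Sysinternals Sysmon" },
            { "sysupd.exe", "" },
            { "TaniumClient.exe", "Tanium" },
            { "taskmg.exe", "" }, { "taskmo.exe", "" }, { "taumon.exe", "" }, { "tbmon.exe", "" },
            { "tbscan.exe", "" }, { "tc.exe", "" }, { "tca.exe", "" }, { "tcm.exe", "" },
            { "tcpview.exe", "" }, { "tds-3.exe", "" }, { "tds2-98.exe", "" }, { "tds2-nt.exe", "" },
            { "teekids.exe", "" }, { "tfak.exe", "" }, { "tfak5.exe", "" }, { "tgbob.exe", "" },
            { "titanin.exe", "" }, { "titaninxp.exe", "" }, { "tlaservice.exe", "" }, { "tlaworker.exe", "" },
            { "tracert.exe", "" }, { "trickler.exe", "" }, { "trjscan.exe", "" }, { "trjsetup.exe", "" },
            { "trojantrap3.exe", "" }, { "tsadbot.exe", "" }, { "tshark.exe", "" }, { "tvmd.exe", "" },
            { "tvtmd.exe", "" }, { "udaterui.exe", "" }, { "undoboot.exe", "" }, { "updat.exe", "" },
            { "update.exe", "" }, { "updaterui.exe", "" }, { "upgrad.exe", "" }, { "utpost.exe", "" },
            { "vbcmserv.exe", "" }, { "vbcons.exe", "" }, { "vbust.exe", "" }, { "vbwin9x.exe", "" },
            { "vbwinntw.exe", "" }, { "vcsetup.exe", "" }, { "vet32.exe", "" }, { "vet95.exe", "" },
            { "vettray.exe", "" }, { "vfsetup.exe", "" }, { "vir-help.exe", "" }, { "virusmdpersonalfirewall.exe", "" },
            { "vnlan300.exe", "" }, { "vnpc3000.exe", "" }, { "vpc32.exe", "" }, { "vpc42.exe", "" },
            { "vpfw30s.exe", "" }, { "vptray.exe", "" }, { "vscan40.exe", "" }, { "vscenu6.02d30.exe", "" },
            { "vsched.exe", "" }, { "vsecomr.exe", "" }, { "vshwin32.exe", "" }, { "vsisetup.exe", "" },
            { "vsmain.exe", "" }, { "vsmon.exe", "" }, { "vsstat.exe", "" },
            { "vstskmgr.exe", "McAfee VirusScan Enterprise" },
            { "vswin9xe.exe", "" }, { "vswinntse.exe", "" }, { "vswinperse.exe", "" }, { "w32dsm89.exe", "" },
            { "w9x.exe", "" }, { "watchdog.exe", "" }, { "webdav.exe", "" }, { "webscanx.exe", "" },
            { "webtrap.exe", "" }, { "wfindv32.exe", "" }, { "whoswatchingme.exe", "" }, { "wimmun32.exe", "" },
            { "win-bugsfix.exe", "" }, { "win32.exe", "" }, { "win32us.exe", "" }, { "winactive.exe", "" },
            { "window.exe", "" }, { "windows.exe", "" }, { "wininetd.exe", "" }, { "wininitx.exe", "" },
            { "winlogin.exe", "" }, { "winmain.exe", "" }, { "winnet.exe", "" }, { "winppr32.exe", "" },
            { "winrecon.exe", "" }, { "winservn.exe", "" }, { "winssk32.exe", "" }, { "winstart.exe", "" },
            { "winstart001.exe", "" }, { "wintsk32.exe", "" }, { "winupdate.exe", "" }, { "wireshark.exe", "" },
            { "wkufind.exe", "" }, { "wnad.exe", "" }, { "wnt.exe", "" }, { "wradmin.exe", "" },
            { "wrctrl.exe", "" }, { "wsbgate.exe", "" }, { "wupdater.exe", "" }, { "wupdt.exe", "" },
            { "wyvernworksfirewall.exe", "" }, { "xagt.exe", "" }, { "xpf202en.exe", "" }, { "zapro.exe", "" },
            { "zapsetup3001.exe", "" }, { "zatutor.exe", "" },
            /* Left out on purpose: these names (ending in .exe) are detected by AVs.
             * {"zonalm2601" , ""}, {"zonealarm" , ""}, {"_avp32" , ""}, {"_avpcc" , ""},
             * {"rshell" , ""}, {"_avpms" , ""}
             */
        };

        // TODO: cyberark? other password managers?

        /// <summary>
        /// Executable names of remote-access, shell, management and credential tools
        /// that are worth pointing out in the report, mapped to a short description.
        /// Same casing/lookup caveat as <see cref="defensiveProcesses"/>.
        /// </summary>
        public static Hashtable interestingProcesses = new Hashtable()
        {
            { "CmRcService.exe", "Configuration Manager Remote Control Service" },
            { "ftp.exe", "Misc. FTP client" },
            { "LMIGuardian.exe", "LogMeIn Reporter" },
            { "LogMeInSystray.exe", "LogMeIn System Tray" },
            { "RaMaint.exe", "LogMeIn maintenance sevice" },
            { "mmc.exe", "Microsoft Management Console" },
            { "putty.exe", "Putty SSH client" },
            { "pscp.exe", "Putty SCP client" },
            { "psftp.exe", "Putty SFTP client" },
            { "puttytel.exe", "Putty Telnet client" },
            { "plink.exe", "Putty CLI client" },
            { "pageant.exe", "Putty SSH auth agent" },
            { "kitty.exe", "Kitty SSH client" },
            { "telnet.exe", "Misc. Telnet client" },
            { "SecureCRT.exe", "SecureCRT SSH/Telnet client" },
            { "TeamViewer.exe", "TeamViewer" },
            { "tv_x64.exe", "TeamViewer x64 remote control" },
            { "tv_w32.exe", "TeamViewer x86 remote control" },
            { "keepass.exe", "KeePass password vault" },
            { "mstsc.exe", "Microsoft RDP client" },
            { "vnc.exe", "Possible VNC client" },
            { "powershell.exe", "PowerShell host process" },
            { "cmd.exe", "Command Prompt" },
        };

        [DllImport("advapi32.dll", SetLastError = true)]
        private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle(IntPtr hObject);

        // Win32 TOKEN_QUERY access right: the least privilege needed to read the
        // token's user SID (the original passed the bare literal 8).
        private const uint TOKEN_QUERY = 0x0008;

        /// <summary>
        /// Resolves the account that owns <paramref name="p"/> from its primary token.
        /// </summary>
        /// <param name="p">Process to inspect; its handle is opened on first use.</param>
        /// <returns>
        /// The user name with any "DOMAIN\" prefix stripped, or null when the token
        /// cannot be opened or read (typically because the caller lacks access to the
        /// target process or it has already exited).
        /// </returns>
        private static string GetProcU(Process p)
        {
            IntPtr tokenHandle = IntPtr.Zero;
            try
            {
                // p.Handle itself throws (Win32Exception / InvalidOperationException) when
                // the process is not accessible; that is handled by the catch below.
                if (!OpenProcessToken(p.Handle, TOKEN_QUERY, out tokenHandle))
                {
                    return null;
                }

                // WindowsIdentity duplicates the token, so our handle can be closed in finally.
                using (var identity = new WindowsIdentity(tokenHandle))
                {
                    string user = identity.Name;
                    int separator = user.IndexOf('\\');
                    return separator >= 0 ? user.Substring(separator + 1) : user;
                }
            }
            catch
            {
                // Best effort: owner lookup failures are reported as "unknown" (null),
                // never allowed to abort the enumeration.
                return null;
            }
            finally
            {
                if (tokenHandle != IntPtr.Zero)
                {
                    CloseHandle(tokenHandle);
                }
            }
        }

        // TODO: check out https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna#L10

        /// <summary>
        /// Lists running processes by joining the .NET process snapshot with the WMI
        /// Win32_Process table on PID, so that executable path and command line are
        /// available even for processes the caller does not own.
        /// </summary>
        /// <returns>
        /// One dictionary per process with the keys Name, ProcessID, ExecutablePath,
        /// Product, Owner, isDotNet and CommandLine (insertion order preserved).
        /// Processes for which WMI reports no ExecutablePath are skipped. On any
        /// failure the exception is printed and whatever was collected so far is
        /// returned. CommandLine is reported verbatim and may contain credentials
        /// passed as arguments, so the result should be handled as sensitive data.
        /// </returns>
        public static List<Dictionary<string, string>> GetProcInfo()
        {
            var results = new List<Dictionary<string, string>>();
            Process[] processes = null;
            try
            {
                const string wmiQuery = "SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process";
                processes = Process.GetProcesses();

                using (var searcher = new ManagementObjectSearcher(wmiQuery))
                using (var wmiRows = searcher.Get())
                {
                    // WMI returns ProcessId as UInt32; Process.Id is Int32, hence the double cast.
                    var joined = from p in processes
                                 join row in wmiRows.Cast<ManagementObject>()
                                     on p.Id equals (int)(uint)row["ProcessId"]
                                 select new
                                 {
                                     Proc = p,
                                     Path = (string)row["ExecutablePath"],
                                     CommandLine = (string)row["CommandLine"],
                                     Owner = GetProcU(p), // resolved once here, consumed in the loop
                                 };

                    foreach (var item in joined)
                    {
                        // WMI leaves ExecutablePath null when it cannot resolve the image
                        // (typically protected or system processes); nothing useful to report.
                        if (item.Path == null)
                        {
                            continue;
                        }

                        string isDotNet = "";
                        try
                        {
                            // GetVersionInfo throws when the image cannot be read, which also
                            // skips the .NET probe below; the version info itself is unused.
                            FileVersionInfo.GetVersionInfo(item.Path);
                            isDotNet = MyUtils.CheckIfDotNet(item.Path) ? "isDotNet" : "";
                        }
                        catch
                        {
                            // Not enough privileges to read the image; leave isDotNet empty.
                        }

                        // Vendor lookup via FileVersionInfo.CompanyName is disabled, so
                        // Product is always empty and no process is filtered out by vendor.
                        results.Add(new Dictionary<string, string>
                        {
                            { "Name", item.Proc.ProcessName },
                            { "ProcessID", item.Proc.Id.ToString() },
                            { "ExecutablePath", item.Path },
                            { "Product", "" },
                            { "Owner", item.Owner ?? "" },
                            { "isDotNet", isDotNet },
                            { "CommandLine", item.CommandLine },
                        });
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
            }
            finally
            {
                // Each Process caches the handle opened in GetProcU; release them now
                // instead of leaving hundreds of handles to the finalizer.
                if (processes != null)
                {
                    foreach (Process p in processes)
                    {
                        p.Dispose();
                    }
                }
            }
            return results;
        }
    }
}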