PEASS-ng/winPEAS/winPEASexe/winPEAS/ProcessesInfo.cs
2020-01-17 19:00:00 -05:00


using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text.RegularExpressions;
namespace winPEAS
{
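/// <summary>
/// Process enumeration for the host-recon phase.
/// Holds three name-keyed lookup tables (processes that indicate defensive tooling, processes
/// that are interesting to an attacker, browsers) and <see cref="GetProcessInfo"/>, which lists
/// the running processes whose image does not claim a Microsoft company name.
/// All tables are keyed by process image name; Windows file names are case-insensitive and
/// several keys are mixed case (e.g. "MSASCui.exe"), so every table uses an ordinal
/// case-insensitive comparer and callers do not need to normalise case before a lookup.
/// </summary>
class ProcessesInfo
{
    /// <summary>
    /// Image names (with ".exe") of AV / EDR / DLP / HIPS / monitoring and analysis tools, mapped
    /// to a product description, or "UNKNOWN" where no description is recorded.
    /// A hit only means a process with that image name is running: it says nothing about the
    /// product's version or state, and a process can be renamed either way.
    /// </summary>
    public static Hashtable defensiveProcesses = new Hashtable(StringComparer.OrdinalIgnoreCase)
    {
        {"mcshield.exe", "McAfee AV"},
        {"windefend.exe", "Windows Defender AV"},
        {"MSASCui.exe", "Windows Defender AV"},
        {"MSASCuiL.exe", "Windows Defender AV"},
        {"msmpeng.exe", "Windows Defender AV"},
        {"msmpsvc.exe", "Windows Defender AV"},
        {"WRSA.exe", "WebRoot AV"},
        {"savservice.exe", "Sophos AV"},
        {"TMCCSF.exe", "Trend Micro AV"},
        {"symantec antivirus.exe", "Symantec AV"},
        {"mbae.exe", "MalwareBytes Anti-Exploit"},
        {"parity.exe", "Bit9 application whitelisting"},
        {"cb.exe", "Carbon Black behavioral analysis"},
        {"bds-vision.exe", "BDS Vision behavioral analysis"},
        {"Triumfant.exe", "Triumfant behavioral analysis"},
        {"CSFalcon.exe", "CrowdStrike Falcon EDR"},
        {"ossec.exe", "OSSEC intrusion detection"},
        {"TmPfw.exe", "Trend Micro firewall"},
        {"dgagent.exe", "Verdasys Digital Guardian DLP"},
        {"kvoop.exe", "Unknown DLP process"},
        {"AAWTray.exe", "UNKNOWN"},
        {"ackwin32.exe", "UNKNOWN"},
        {"Ad-Aware.exe", "UNKNOWN"},
        {"adaware.exe", "UNKNOWN"},
        {"advxdwin.exe", "UNKNOWN"},
        {"agentsvr.exe", "UNKNOWN"},
        {"agentw.exe", "UNKNOWN"},
        {"alertsvc.exe", "UNKNOWN"},
        {"alevir.exe", "UNKNOWN"},
        {"alogserv.exe", "UNKNOWN"},
        {"amon9x.exe", "UNKNOWN"},
        {"anti-trojan.exe", "UNKNOWN"},
        {"antivirus.exe", "UNKNOWN"},
        {"ants.exe", "UNKNOWN"},
        {"apimonitor.exe", "UNKNOWN"},
        {"aplica32.exe", "UNKNOWN"},
        {"apvxdwin.exe", "UNKNOWN"},
        {"arr.exe", "UNKNOWN"},
        {"atcon.exe", "UNKNOWN"},
        {"atguard.exe", "UNKNOWN"},
        {"atro55en.exe", "UNKNOWN"},
        {"atupdater.exe", "UNKNOWN"},
        {"atwatch.exe", "UNKNOWN"},
        {"au.exe", "UNKNOWN"},
        {"aupdate.exe", "UNKNOWN"},
        {"auto-protect.nav80try.exe", "UNKNOWN"},
        {"autodown.exe", "UNKNOWN"},
        {"autoruns.exe", "UNKNOWN"},
        {"autorunsc.exe", "UNKNOWN"},
        {"autotrace.exe", "UNKNOWN"},
        {"autoupdate.exe", "UNKNOWN"},
        {"avconsol.exe", "UNKNOWN"},
        {"ave32.exe", "UNKNOWN"},
        {"avgcc32.exe", "UNKNOWN"},
        {"avgctrl.exe", "UNKNOWN"},
        {"avgemc.exe", "UNKNOWN"},
        {"avgnt.exe", "UNKNOWN"},
        {"avgrsx.exe", "UNKNOWN"},
        {"avgserv.exe", "UNKNOWN"},
        {"avgserv9.exe", "UNKNOWN"},
        {"avguard.exe", "UNKNOWN"},
        {"avgwdsvc.exe", "UNKNOWN"},
        {"avgui.exe", "UNKNOWN"},
        {"avgw.exe", "UNKNOWN"},
        {"avkpop.exe", "UNKNOWN"},
        {"avkserv.exe", "UNKNOWN"},
        {"avkservice.exe", "UNKNOWN"},
        {"avkwctl9.exe", "UNKNOWN"},
        {"avltmain.exe", "UNKNOWN"},
        {"avnt.exe", "UNKNOWN"},
        {"avp.exe", "UNKNOWN"},
        {"avp32.exe", "UNKNOWN"},
        {"avpcc.exe", "UNKNOWN"},
        {"avpdos32.exe", "UNKNOWN"},
        {"avpm.exe", "UNKNOWN"},
        {"avptc32.exe", "UNKNOWN"},
        {"avpupd.exe", "UNKNOWN"},
        {"avsched32.exe", "UNKNOWN"},
        {"avsynmgr.exe", "UNKNOWN"},
        {"avwin.exe", "UNKNOWN"},
        {"avwin95.exe", "UNKNOWN"},
        {"avwinnt.exe", "UNKNOWN"},
        {"avwupd.exe", "UNKNOWN"},
        {"avwupd32.exe", "UNKNOWN"},
        {"avwupsrv.exe", "UNKNOWN"},
        {"avxmonitor9x.exe", "UNKNOWN"},
        {"avxmonitornt.exe", "UNKNOWN"},
        {"avxquar.exe", "UNKNOWN"},
        {"backweb.exe", "UNKNOWN"},
        {"bargains.exe", "UNKNOWN"},
        {"bd_professional.exe", "UNKNOWN"},
        {"beagle.exe", "UNKNOWN"},
        {"belt.exe", "UNKNOWN"},
        {"bidef.exe", "UNKNOWN"},
        {"bidserver.exe", "UNKNOWN"},
        {"bipcp.exe", "UNKNOWN"},
        {"bipcpevalsetup.exe", "UNKNOWN"},
        {"bisp.exe", "UNKNOWN"},
        {"blackd.exe", "UNKNOWN"},
        {"blackice.exe", "UNKNOWN"},
        {"blink.exe", "UNKNOWN"},
        {"blss.exe", "UNKNOWN"},
        {"bootconf.exe", "UNKNOWN"},
        {"bootwarn.exe", "UNKNOWN"},
        {"borg2.exe", "UNKNOWN"},
        {"bpc.exe", "UNKNOWN"},
        {"brasil.exe", "UNKNOWN"},
        {"bs120.exe", "UNKNOWN"},
        {"bundle.exe", "UNKNOWN"},
        {"bvt.exe", "UNKNOWN"},
        {"ccapp.exe", "UNKNOWN"},
        {"ccevtmgr.exe", "UNKNOWN"},
        {"ccpxysvc.exe", "UNKNOWN"},
        {"ccSvcHst.exe", "UNKNOWN"},
        {"cdp.exe", "UNKNOWN"},
        {"cfd.exe", "UNKNOWN"},
        {"cfgwiz.exe", "UNKNOWN"},
        {"cfiadmin.exe", "UNKNOWN"},
        {"cfiaudit.exe", "UNKNOWN"},
        {"cfinet.exe", "UNKNOWN"},
        {"cfinet32.exe", "UNKNOWN"},
        {"claw95.exe", "UNKNOWN"},
        {"claw95cf.exe", "UNKNOWN"},
        {"clean.exe", "UNKNOWN"},
        {"cleaner.exe", "UNKNOWN"},
        {"cleaner3.exe", "UNKNOWN"},
        {"cleanpc.exe", "UNKNOWN"},
        {"cleanup.exe", "UNKNOWN"},
        {"click.exe", "UNKNOWN"},
        {"cmdagent.exe", "UNKNOWN"},
        {"cmesys.exe", "UNKNOWN"},
        {"cmgrdian.exe", "UNKNOWN"},
        {"cmon016.exe", "UNKNOWN"},
        {"connectionmonitor.exe", "UNKNOWN"},
        {"cpd.exe", "UNKNOWN"},
        {"cpf9x206.exe", "UNKNOWN"},
        {"cpfnt206.exe", "UNKNOWN"},
        {"ctrl.exe", "UNKNOWN"},
        {"cv.exe", "UNKNOWN"},
        {"cwnb181.exe", "UNKNOWN"},
        {"cwntdwmo.exe", "UNKNOWN"},
        {"CylanceUI.exe", "UNKNOWN"},
        {"CyProtect.exe", "UNKNOWN"},
        {"CyUpdate.exe", "UNKNOWN"},
        {"cyserver.exe", "UNKNOWN"},
        {"cytray.exe", "UNKNOWN"},
        {"CyveraService.exe", "UNKNOWN"},
        {"datemanager.exe", "UNKNOWN"},
        {"dcomx.exe", "UNKNOWN"},
        {"defalert.exe", "UNKNOWN"},
        {"defscangui.exe", "UNKNOWN"},
        {"defwatch.exe", "UNKNOWN"},
        {"deputy.exe", "UNKNOWN"},
        {"divx.exe", "UNKNOWN"},
        {"dgprompt.exe", "UNKNOWN"},
        {"DgService.exe", "UNKNOWN"},
        {"dllcache.exe", "UNKNOWN"},
        {"dllreg.exe", "UNKNOWN"},
        {"doors.exe", "UNKNOWN"},
        {"dpf.exe", "UNKNOWN"},
        {"dpfsetup.exe", "UNKNOWN"},
        {"dpps2.exe", "UNKNOWN"},
        {"drwatson.exe", "UNKNOWN"},
        {"drweb32.exe", "UNKNOWN"},
        {"drwebupw.exe", "UNKNOWN"},
        {"dssagent.exe", "UNKNOWN"},
        {"dumpcap.exe", "UNKNOWN"},
        {"dvp95.exe", "UNKNOWN"},
        {"dvp95_0.exe", "UNKNOWN"},
        {"ecengine.exe", "UNKNOWN"},
        {"efpeadm.exe", "UNKNOWN"},
        {"egui.exe", "UNKNOWN"},
        {"ekrn.exe", "UNKNOWN"},
        {"emet_agent.exe", "UNKNOWN"},
        {"emet_service.exe", "UNKNOWN"},
        {"emsw.exe", "UNKNOWN"},
        {"engineserver.exe", "UNKNOWN"},
        {"ent.exe", "UNKNOWN"},
        {"esafe.exe", "UNKNOWN"},
        {"escanhnt.exe", "UNKNOWN"},
        {"escanv95.exe", "UNKNOWN"},
        {"espwatch.exe", "UNKNOWN"},
        {"ethereal.exe", "UNKNOWN"},
        {"etrustcipe.exe", "UNKNOWN"},
        {"evpn.exe", "UNKNOWN"},
        {"exantivirus-cnet.exe", "UNKNOWN"},
        {"exe.avxw.exe", "UNKNOWN"},
        {"expert.exe", "UNKNOWN"},
        {"explore.exe", "UNKNOWN"},
        {"f-agnt95.exe", "UNKNOWN"},
        {"f-prot.exe", "UNKNOWN"},
        {"f-prot95.exe", "UNKNOWN"},
        {"f-stopw.exe", "UNKNOWN"},
        {"fameh32.exe", "UNKNOWN"},
        {"fast.exe", "UNKNOWN"},
        {"fch32.exe", "UNKNOWN"},
        {"fcagswd.exe", "McAfee DLP Agent"},
        {"fcags.exe", "McAfee DLP Agent"},
        {"fih32.exe", "UNKNOWN"},
        {"findviru.exe", "UNKNOWN"},
        {"firesvc.exe", "McAfee Host Intrusion Prevention"},
        {"firetray.exe", "UNKNOWN"},
        {"firewall.exe", "UNKNOWN"},
        {"fnrb32.exe", "UNKNOWN"},
        {"fp-win.exe", "UNKNOWN"},
        {"fp-win_trial.exe", "UNKNOWN"},
        {"fprot.exe", "UNKNOWN"},
        {"frameworkservice.exe", "UNKNOWN"},
        {"frminst.exe", "UNKNOWN"},
        {"frw.exe", "UNKNOWN"},
        {"fsaa.exe", "UNKNOWN"},
        {"fsav.exe", "UNKNOWN"},
        {"fsav32.exe", "UNKNOWN"},
        {"fsav530stbyb.exe", "UNKNOWN"},
        {"fsav530wtbyb.exe", "UNKNOWN"},
        {"fsav95.exe", "UNKNOWN"},
        {"fsgk32.exe", "UNKNOWN"},
        {"fsm32.exe", "UNKNOWN"},
        {"fsma32.exe", "UNKNOWN"},
        {"fsmb32.exe", "UNKNOWN"},
        {"gator.exe", "UNKNOWN"},
        {"gbmenu.exe", "UNKNOWN"},
        {"gbpoll.exe", "UNKNOWN"},
        {"generics.exe", "UNKNOWN"},
        {"gmt.exe", "UNKNOWN"},
        {"guard.exe", "UNKNOWN"},
        {"guarddog.exe", "UNKNOWN"},
        {"hacktracersetup.exe", "UNKNOWN"},
        {"hbinst.exe", "UNKNOWN"},
        {"hbsrv.exe", "UNKNOWN"},
        {"HijackThis.exe", "UNKNOWN"},
        {"hipsvc.exe", "UNKNOWN"},
        {"HipMgmt.exe", "McAfee Host Intrusion Protection"},
        {"hotactio.exe", "UNKNOWN"},
        {"hotpatch.exe", "UNKNOWN"},
        {"htlog.exe", "UNKNOWN"},
        {"htpatch.exe", "UNKNOWN"},
        {"hwpe.exe", "UNKNOWN"},
        {"hxdl.exe", "UNKNOWN"},
        {"hxiul.exe", "UNKNOWN"},
        {"iamapp.exe", "UNKNOWN"},
        {"iamserv.exe", "UNKNOWN"},
        {"iamstats.exe", "UNKNOWN"},
        {"ibmasn.exe", "UNKNOWN"},
        {"ibmavsp.exe", "UNKNOWN"},
        {"icload95.exe", "UNKNOWN"},
        {"icloadnt.exe", "UNKNOWN"},
        {"icmon.exe", "UNKNOWN"},
        {"icsupp95.exe", "UNKNOWN"},
        {"icsuppnt.exe", "UNKNOWN"},
        {"idle.exe", "UNKNOWN"},
        {"iedll.exe", "UNKNOWN"},
        {"iedriver.exe", "UNKNOWN"},
        {"iface.exe", "UNKNOWN"},
        {"ifw2000.exe", "UNKNOWN"},
        {"inetlnfo.exe", "UNKNOWN"},
        {"infus.exe", "UNKNOWN"},
        {"infwin.exe", "UNKNOWN"},
        {"init.exe", "UNKNOWN"},
        {"intdel.exe", "UNKNOWN"},
        {"intren.exe", "UNKNOWN"},
        {"iomon98.exe", "UNKNOWN"},
        {"istsvc.exe", "UNKNOWN"},
        {"jammer.exe", "UNKNOWN"},
        {"jdbgmrg.exe", "UNKNOWN"},
        {"jedi.exe", "UNKNOWN"},
        {"kavlite40eng.exe", "UNKNOWN"},
        {"kavpers40eng.exe", "UNKNOWN"},
        {"kavpf.exe", "UNKNOWN"},
        {"kazza.exe", "UNKNOWN"},
        {"keenvalue.exe", "UNKNOWN"},
        {"kerio-pf-213-en-win.exe", "UNKNOWN"},
        {"kerio-wrl-421-en-win.exe", "UNKNOWN"},
        {"kerio-wrp-421-en-win.exe", "UNKNOWN"},
        {"kernel32.exe", "UNKNOWN"},
        {"KeyPass.exe", "UNKNOWN"},
        {"killprocesssetup161.exe", "UNKNOWN"},
        {"launcher.exe", "UNKNOWN"},
        {"ldnetmon.exe", "UNKNOWN"},
        {"ldpro.exe", "UNKNOWN"},
        {"ldpromenu.exe", "UNKNOWN"},
        {"ldscan.exe", "UNKNOWN"},
        {"lnetinfo.exe", "UNKNOWN"},
        {"loader.exe", "UNKNOWN"},
        {"localnet.exe", "UNKNOWN"},
        {"lockdown.exe", "UNKNOWN"},
        {"lockdown2000.exe", "UNKNOWN"},
        {"lookout.exe", "UNKNOWN"},
        {"lordpe.exe", "UNKNOWN"},
        {"lsetup.exe", "UNKNOWN"},
        {"luall.exe", "UNKNOWN"},
        {"luau.exe", "UNKNOWN"},
        {"lucomserver.exe", "UNKNOWN"},
        {"luinit.exe", "UNKNOWN"},
        {"luspt.exe", "UNKNOWN"},
        {"mapisvc32.exe", "UNKNOWN"},
        {"masvc.exe", "McAfee Agent"},
        {"mbamservice.exe", "UNKNOWN"},
        {"mcafeefire.exe", "UNKNOWN"},
        {"mcagent.exe", "UNKNOWN"},
        {"mcmnhdlr.exe", "UNKNOWN"},
        {"mcscript.exe", "UNKNOWN"},
        {"mcscript_inuse.exe", "UNKNOWN"},
        {"mctool.exe", "UNKNOWN"},
        {"mctray.exe", "UNKNOWN"},
        {"mcupdate.exe", "UNKNOWN"},
        {"mcvsrte.exe", "UNKNOWN"},
        {"mcvsshld.exe", "UNKNOWN"},
        {"md.exe", "UNKNOWN"},
        {"mfeann.exe", "McAfee VirusScan Enterprise"},
        {"mfemactl.exe", "McAfee VirusScan Enterprise"},
        {"mfevtps.exe", "UNKNOWN"},
        {"mfin32.exe", "UNKNOWN"},
        {"mfw2en.exe", "UNKNOWN"},
        {"mfweng3.02d30.exe", "UNKNOWN"},
        {"mgavrtcl.exe", "UNKNOWN"},
        {"mgavrte.exe", "UNKNOWN"},
        {"mghtml.exe", "UNKNOWN"},
        {"mgui.exe", "UNKNOWN"},
        {"minilog.exe", "UNKNOWN"},
        {"minionhost.exe", "UNKNOWN"},
        {"mmod.exe", "UNKNOWN"},
        {"monitor.exe", "UNKNOWN"},
        {"moolive.exe", "UNKNOWN"},
        {"mostat.exe", "UNKNOWN"},
        {"mpfagent.exe", "UNKNOWN"},
        {"mpfservice.exe", "UNKNOWN"},
        {"mpftray.exe", "UNKNOWN"},
        {"mrflux.exe", "UNKNOWN"},
        {"msapp.exe", "UNKNOWN"},
        {"msbb.exe", "UNKNOWN"},
        {"msblast.exe", "UNKNOWN"},
        {"mscache.exe", "UNKNOWN"},
        {"msccn32.exe", "UNKNOWN"},
        {"mscman.exe", "UNKNOWN"},
        {"msconfig.exe", "UNKNOWN"},
        {"msdm.exe", "UNKNOWN"},
        {"msdos.exe", "UNKNOWN"},
        {"msiexec16.exe", "UNKNOWN"},
        {"msinfo32.exe", "UNKNOWN"},
        {"mslaugh.exe", "UNKNOWN"},
        {"msmgt.exe", "UNKNOWN"},
        {"msmsgri32.exe", "UNKNOWN"},
        {"MsSense.exe", "Microsoft Defender ATP"},
        {"mssmmc32.exe", "UNKNOWN"},
        {"mssys.exe", "UNKNOWN"},
        {"msvxd.exe", "UNKNOWN"},
        {"mu0311ad.exe", "UNKNOWN"},
        {"mwatch.exe", "UNKNOWN"},
        {"n32scanw.exe", "UNKNOWN"},
        {"naprdmgr.exe", "UNKNOWN"},
        {"nav.exe", "UNKNOWN"},
        {"navap.navapsvc.exe", "UNKNOWN"},
        {"navapsvc.exe", "UNKNOWN"},
        {"navapw32.exe", "UNKNOWN"},
        {"navdx.exe", "UNKNOWN"},
        {"navlu32.exe", "UNKNOWN"},
        {"navnt.exe", "UNKNOWN"},
        {"navstub.exe", "UNKNOWN"},
        {"navw32.exe", "UNKNOWN"},
        {"navwnt.exe", "UNKNOWN"},
        {"nc2000.exe", "UNKNOWN"},
        {"ncinst4.exe", "UNKNOWN"},
        {"ndd32.exe", "UNKNOWN"},
        {"neomonitor.exe", "UNKNOWN"},
        {"neowatchlog.exe", "UNKNOWN"},
        {"netarmor.exe", "UNKNOWN"},
        {"netd32.exe", "UNKNOWN"},
        {"netinfo.exe", "UNKNOWN"},
        {"netmon.exe", "UNKNOWN"},
        {"netscanpro.exe", "UNKNOWN"},
        {"netspyhunter-1.2.exe", "UNKNOWN"},
        {"netstat.exe", "UNKNOWN"},
        {"netutils.exe", "UNKNOWN"},
        {"nisserv.exe", "UNKNOWN"},
        {"nisum.exe", "UNKNOWN"},
        {"nmain.exe", "UNKNOWN"},
        {"nod32.exe", "UNKNOWN"},
        {"normist.exe", "UNKNOWN"},
        {"norton_internet_secu_3.0_407.exe", "UNKNOWN"},
        {"notstart.exe", "UNKNOWN"},
        {"npf40_tw_98_nt_me_2k.exe", "UNKNOWN"},
        {"npfmessenger.exe", "UNKNOWN"},
        {"nprotect.exe", "UNKNOWN"},
        {"npscheck.exe", "UNKNOWN"},
        {"npssvc.exe", "UNKNOWN"},
        {"nsched32.exe", "UNKNOWN"},
        {"nssys32.exe", "UNKNOWN"},
        {"nstask32.exe", "UNKNOWN"},
        {"nsupdate.exe", "UNKNOWN"},
        {"nt.exe", "UNKNOWN"},
        {"ntrtscan.exe", "UNKNOWN"},
        {"ntvdm.exe", "UNKNOWN"},
        {"ntxconfig.exe", "UNKNOWN"},
        {"nui.exe", "UNKNOWN"},
        {"nupgrade.exe", "UNKNOWN"},
        {"nvarch16.exe", "UNKNOWN"},
        {"nvc95.exe", "UNKNOWN"},
        {"nvsvc32.exe", "UNKNOWN"},
        {"nwinst4.exe", "UNKNOWN"},
        {"nwservice.exe", "UNKNOWN"},
        {"nwtool16.exe", "UNKNOWN"},
        {"nxlog.exe", "UNKNOWN"},
        {"ollydbg.exe", "UNKNOWN"},
        {"onsrvr.exe", "UNKNOWN"},
        {"optimize.exe", "UNKNOWN"},
        {"ostronet.exe", "UNKNOWN"},
        {"osqueryd.exe", "UNKNOWN"},
        {"otfix.exe", "UNKNOWN"},
        {"outpost.exe", "UNKNOWN"},
        {"outpostinstall.exe", "UNKNOWN"},
        {"outpostproinstall.exe", "UNKNOWN"},
        {"padmin.exe", "UNKNOWN"},
        {"panixk.exe", "UNKNOWN"},
        {"patch.exe", "UNKNOWN"},
        {"pavcl.exe", "UNKNOWN"},
        {"pavproxy.exe", "UNKNOWN"},
        {"pavsched.exe", "UNKNOWN"},
        {"pavw.exe", "UNKNOWN"},
        {"pccwin98.exe", "UNKNOWN"},
        {"pcfwallicon.exe", "UNKNOWN"},
        {"pcip10117_0.exe", "UNKNOWN"},
        {"pcscan.exe", "UNKNOWN"},
        {"pdsetup.exe", "UNKNOWN"},
        {"periscope.exe", "UNKNOWN"},
        {"persfw.exe", "UNKNOWN"},
        {"perswf.exe", "UNKNOWN"},
        {"pf2.exe", "UNKNOWN"},
        {"pfwadmin.exe", "UNKNOWN"},
        {"pgmonitr.exe", "UNKNOWN"},
        {"pingscan.exe", "UNKNOWN"},
        {"platin.exe", "UNKNOWN"},
        {"pop3trap.exe", "UNKNOWN"},
        {"poproxy.exe", "UNKNOWN"},
        {"popscan.exe", "UNKNOWN"},
        {"portdetective.exe", "UNKNOWN"},
        {"portmonitor.exe", "UNKNOWN"},
        {"powerscan.exe", "UNKNOWN"},
        {"ppinupdt.exe", "UNKNOWN"},
        {"pptbc.exe", "UNKNOWN"},
        {"ppvstop.exe", "UNKNOWN"},
        {"prizesurfer.exe", "UNKNOWN"},
        {"prmt.exe", "UNKNOWN"},
        {"prmvr.exe", "UNKNOWN"},
        {"procdump.exe", "UNKNOWN"},
        {"processmonitor.exe", "UNKNOWN"},
        {"procexp.exe", "UNKNOWN"},
        {"procexp64.exe", "UNKNOWN"},
        {"procexplorerv1.0.exe", "UNKNOWN"},
        {"procmon.exe", "UNKNOWN"},
        {"programauditor.exe", "UNKNOWN"},
        {"proport.exe", "UNKNOWN"},
        {"protectx.exe", "UNKNOWN"},
        {"pspf.exe", "UNKNOWN"},
        {"purge.exe", "UNKNOWN"},
        {"qconsole.exe", "UNKNOWN"},
        {"qserver.exe", "UNKNOWN"},
        {"rapapp.exe", "UNKNOWN"},
        {"rav7.exe", "UNKNOWN"},
        {"rav7win.exe", "UNKNOWN"},
        {"rav8win32eng.exe", "UNKNOWN"},
        {"ray.exe", "UNKNOWN"},
        {"rb32.exe", "UNKNOWN"},
        {"rcsync.exe", "UNKNOWN"},
        {"realmon.exe", "UNKNOWN"},
        {"reged.exe", "UNKNOWN"},
        {"regedit.exe", "UNKNOWN"},
        {"regedt32.exe", "UNKNOWN"},
        {"rescue.exe", "UNKNOWN"},
        {"rescue32.exe", "UNKNOWN"},
        {"rrguard.exe", "UNKNOWN"},
        {"rtvscan.exe", "UNKNOWN"},
        {"rtvscn95.exe", "UNKNOWN"},
        {"rulaunch.exe", "UNKNOWN"},
        {"run32dll.exe", "UNKNOWN"},
        {"rundll.exe", "UNKNOWN"},
        {"rundll16.exe", "UNKNOWN"},
        {"ruxdll32.exe", "UNKNOWN"},
        {"safeweb.exe", "UNKNOWN"},
        {"sahagent.exescan32.exe", "UNKNOWN"},
        {"save.exe", "UNKNOWN"},
        {"savenow.exe", "UNKNOWN"},
        {"sbserv.exe", "UNKNOWN"},
        {"scam32.exe", "UNKNOWN"},
        {"scan32.exe", "UNKNOWN"},
        {"scan95.exe", "UNKNOWN"},
        {"scanpm.exe", "UNKNOWN"},
        {"scrscan.exe", "UNKNOWN"},
        {"SentinelOne.exe", "UNKNOWN"},
        {"serv95.exe", "UNKNOWN"},
        {"setupvameeval.exe", "UNKNOWN"},
        {"setup_flowprotector_us.exe", "UNKNOWN"},
        {"sfc.exe", "UNKNOWN"},
        {"sgssfw32.exe", "UNKNOWN"},
        {"sh.exe", "UNKNOWN"},
        {"shellspyinstall.exe", "UNKNOWN"},
        {"shn.exe", "UNKNOWN"},
        {"showbehind.exe", "UNKNOWN"},
        {"shstat.exe", "McAfee VirusScan Enterprise"},
        {"SISIDSService.exe", "UNKNOWN"},
        {"SISIPSUtil.exe", "UNKNOWN"},
        {"smc.exe", "UNKNOWN"},
        {"sms.exe", "UNKNOWN"},
        {"smss32.exe", "UNKNOWN"},
        {"soap.exe", "UNKNOWN"},
        {"sofi.exe", "UNKNOWN"},
        {"sperm.exe", "UNKNOWN"},
        {"splunk.exe", "Splunk"},
        {"splunkd.exe", "Splunk"},
        {"splunk-admon.exe", "Splunk"},
        {"splunk-powershell.exe", "Splunk"},
        {"splunk-winevtlog.exe", "Splunk"},
        {"spf.exe", "UNKNOWN"},
        {"sphinx.exe", "UNKNOWN"},
        {"spoler.exe", "UNKNOWN"},
        {"spoolcv.exe", "UNKNOWN"},
        {"spoolsv32.exe", "UNKNOWN"},
        {"spyxx.exe", "UNKNOWN"},
        {"srexe.exe", "UNKNOWN"},
        {"srng.exe", "UNKNOWN"},
        {"ss3edit.exe", "UNKNOWN"},
        {"ssgrate.exe", "UNKNOWN"},
        {"ssg_4104.exe", "UNKNOWN"},
        {"st2.exe", "UNKNOWN"},
        {"start.exe", "UNKNOWN"},
        {"stcloader.exe", "UNKNOWN"},
        {"supftrl.exe", "UNKNOWN"},
        {"support.exe", "UNKNOWN"},
        {"supporter5.exe", "UNKNOWN"},
        {"svchostc.exe", "UNKNOWN"},
        {"svchosts.exe", "UNKNOWN"},
        {"sweep95.exe", "UNKNOWN"},
        {"sweepnet.sweepsrv.sys.swnetsup.exe", "UNKNOWN"},
        {"symproxysvc.exe", "UNKNOWN"},
        {"symtray.exe", "UNKNOWN"},
        {"sysedit.exe", "UNKNOWN"},
        {"sysmon.exe", "Sysinternals Sysmon"},
        {"sysupd.exe", "UNKNOWN"},
        {"TaniumClient.exe", "Tanium"},
        {"taskmg.exe", "UNKNOWN"},
        {"taskmo.exe", "UNKNOWN"},
        {"taumon.exe", "UNKNOWN"},
        {"tbmon.exe", "UNKNOWN"},
        {"tbscan.exe", "UNKNOWN"},
        {"tc.exe", "UNKNOWN"},
        {"tca.exe", "UNKNOWN"},
        {"tcm.exe", "UNKNOWN"},
        {"tcpview.exe", "UNKNOWN"},
        {"tds-3.exe", "UNKNOWN"},
        {"tds2-98.exe", "UNKNOWN"},
        {"tds2-nt.exe", "UNKNOWN"},
        {"teekids.exe", "UNKNOWN"},
        {"tfak.exe", "UNKNOWN"},
        {"tfak5.exe", "UNKNOWN"},
        {"tgbob.exe", "UNKNOWN"},
        {"titanin.exe", "UNKNOWN"},
        {"titaninxp.exe", "UNKNOWN"},
        {"tlaservice.exe", "UNKNOWN"},
        {"tlaworker.exe", "UNKNOWN"},
        {"tracert.exe", "UNKNOWN"},
        {"trickler.exe", "UNKNOWN"},
        {"trjscan.exe", "UNKNOWN"},
        {"trjsetup.exe", "UNKNOWN"},
        {"trojantrap3.exe", "UNKNOWN"},
        {"tsadbot.exe", "UNKNOWN"},
        {"tshark.exe", "UNKNOWN"},
        {"tvmd.exe", "UNKNOWN"},
        {"tvtmd.exe", "UNKNOWN"},
        {"udaterui.exe", "UNKNOWN"},
        {"undoboot.exe", "UNKNOWN"},
        {"updat.exe", "UNKNOWN"},
        {"update.exe", "UNKNOWN"},
        {"updaterui.exe", "UNKNOWN"},
        {"upgrad.exe", "UNKNOWN"},
        {"utpost.exe", "UNKNOWN"},
        {"vbcmserv.exe", "UNKNOWN"},
        {"vbcons.exe", "UNKNOWN"},
        {"vbust.exe", "UNKNOWN"},
        {"vbwin9x.exe", "UNKNOWN"},
        {"vbwinntw.exe", "UNKNOWN"},
        {"vcsetup.exe", "UNKNOWN"},
        {"vet32.exe", "UNKNOWN"},
        {"vet95.exe", "UNKNOWN"},
        {"vettray.exe", "UNKNOWN"},
        {"vfsetup.exe", "UNKNOWN"},
        {"vir-help.exe", "UNKNOWN"},
        {"virusmdpersonalfirewall.exe", "UNKNOWN"},
        {"vnlan300.exe", "UNKNOWN"},
        {"vnpc3000.exe", "UNKNOWN"},
        {"vpc32.exe", "UNKNOWN"},
        {"vpc42.exe", "UNKNOWN"},
        {"vpfw30s.exe", "UNKNOWN"},
        {"vptray.exe", "UNKNOWN"},
        {"vscan40.exe", "UNKNOWN"},
        {"vscenu6.02d30.exe", "UNKNOWN"},
        {"vsched.exe", "UNKNOWN"},
        {"vsecomr.exe", "UNKNOWN"},
        {"vshwin32.exe", "UNKNOWN"},
        {"vsisetup.exe", "UNKNOWN"},
        {"vsmain.exe", "UNKNOWN"},
        {"vsmon.exe", "UNKNOWN"},
        {"vsstat.exe", "UNKNOWN"},
        {"vstskmgr.exe", "McAfee VirusScan Enterprise"},
        {"vswin9xe.exe", "UNKNOWN"},
        {"vswinntse.exe", "UNKNOWN"},
        {"vswinperse.exe", "UNKNOWN"},
        {"w32dsm89.exe", "UNKNOWN"},
        {"w9x.exe", "UNKNOWN"},
        {"watchdog.exe", "UNKNOWN"},
        {"webdav.exe", "UNKNOWN"},
        {"webscanx.exe", "UNKNOWN"},
        {"webtrap.exe", "UNKNOWN"},
        {"wfindv32.exe", "UNKNOWN"},
        {"whoswatchingme.exe", "UNKNOWN"},
        {"wimmun32.exe", "UNKNOWN"},
        {"win-bugsfix.exe", "UNKNOWN"},
        {"win32.exe", "UNKNOWN"},
        {"win32us.exe", "UNKNOWN"},
        {"winactive.exe", "UNKNOWN"},
        {"window.exe", "UNKNOWN"},
        {"windows.exe", "UNKNOWN"},
        {"wininetd.exe", "UNKNOWN"},
        {"wininitx.exe", "UNKNOWN"},
        {"winlogin.exe", "UNKNOWN"},
        {"winmain.exe", "UNKNOWN"},
        {"winnet.exe", "UNKNOWN"},
        {"winppr32.exe", "UNKNOWN"},
        {"winrecon.exe", "UNKNOWN"},
        {"winservn.exe", "UNKNOWN"},
        {"winssk32.exe", "UNKNOWN"},
        {"winstart.exe", "UNKNOWN"},
        {"winstart001.exe", "UNKNOWN"},
        {"wintsk32.exe", "UNKNOWN"},
        {"winupdate.exe", "UNKNOWN"},
        {"wireshark.exe", "UNKNOWN"},
        {"wkufind.exe", "UNKNOWN"},
        {"wnad.exe", "UNKNOWN"},
        {"wnt.exe", "UNKNOWN"},
        {"wradmin.exe", "UNKNOWN"},
        {"wrctrl.exe", "UNKNOWN"},
        {"wsbgate.exe", "UNKNOWN"},
        {"wupdater.exe", "UNKNOWN"},
        {"wupdt.exe", "UNKNOWN"},
        {"wyvernworksfirewall.exe", "UNKNOWN"},
        {"xagt.exe", "UNKNOWN"},
        {"xpf202en.exe", "UNKNOWN"},
        {"zapro.exe", "UNKNOWN"},
        {"zapsetup3001.exe", "UNKNOWN"},
        {"zatutor.exe", "UNKNOWN"},
        {"zonalm2601.exe", "UNKNOWN"},
        {"zonealarm.exe", "UNKNOWN"},
        {"_avp32.exe", "UNKNOWN"},
        {"_avpcc.exe", "UNKNOWN"},
        {"rshell.exe", "UNKNOWN"},
        {"_avpm.exe", "UNKNOWN"}
    };

    // TODO: cyberark? other password managers?
    /// <summary>
    /// Processes worth a second look from an attacker's point of view (remote-admin tools,
    /// SSH/RDP/Telnet clients, password vaults, shells), mapped to a short description.
    /// Unlike <see cref="defensiveProcesses"/> these keys carry no ".exe" suffix, i.e. they look
    /// like <c>Process.ProcessName</c> values; keep that in mind when choosing what to look up.
    /// </summary>
    public static Hashtable interestingProcesses = new Hashtable(StringComparer.OrdinalIgnoreCase)
    {
        {"CmRcService", "Configuration Manager Remote Control Service"},
        {"ftp", "Misc. FTP client"},
        {"LMIGuardian", "LogMeIn Reporter"},
        {"LogMeInSystray", "LogMeIn System Tray"},
        {"RaMaint", "LogMeIn maintenance sevice"},
        {"mmc", "Microsoft Management Console"},
        {"putty", "Putty SSH client"},
        {"pscp", "Putty SCP client"},
        {"psftp", "Putty SFTP client"},
        {"puttytel", "Putty Telnet client"},
        {"plink", "Putty CLI client"},
        {"pageant", "Putty SSH auth agent"},
        {"kitty", "Kitty SSH client"},
        {"telnet", "Misc. Telnet client"},
        {"SecureCRT", "SecureCRT SSH/Telnet client"},
        {"TeamViewer", "TeamViewer"},
        {"tv_x64", "TeamViewer x64 remote control"},
        {"tv_w32", "TeamViewer x86 remote control"},
        {"keepass", "KeePass password vault"},
        {"mstsc", "Microsoft RDP client"},
        {"vnc", "Possible VNC client"},
        {"powershell", "PowerShell host process"},
        {"cmd", "Command Prompt"},
    };

    /// <summary>
    /// Browser process names (no ".exe" suffix, as in <see cref="interestingProcesses"/>),
    /// mapped to the browser's display name.
    /// </summary>
    public static Hashtable browserProcesses = new Hashtable(StringComparer.OrdinalIgnoreCase)
    {
        {"chrome", "Google Chrome"},
        {"iexplore", "Microsoft Internet Explorer"},
        {"MicrosoftEdge", "Microsoft Edge"},
        {"firefox", "Mozilla Firefox"}
    };

    /// <summary>TOKEN_QUERY access right: the minimum needed to read a token's user SID.</summary>
    private const uint TOKEN_QUERY = 0x0008;

    /// <summary>
    /// Returns the account name (domain part stripped) that owns <paramref name="process"/>,
    /// or null when the token cannot be read.
    /// </summary>
    /// <param name="process">Process to inspect; its own handle is borrowed, not closed here.</param>
    /// <returns>
    /// The user name after the last "DOMAIN\" prefix, or null on any failure. Stripping the
    /// domain loses the distinction between a local and a domain account of the same name.
    /// </returns>
    private static string GetProcessUser(Process process)
    {
        IntPtr tokenHandle = IntPtr.Zero;
        try
        {
            // process.Handle opens the target process with a broad access mask, so this fails
            // (access denied) for other users' and protected processes unless the caller holds
            // SeDebugPrivilege -- which is why Owner is usually empty when running unelevated.
            // NOTE(review): OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION) would succeed on more
            // processes; left as-is to keep the P/Invoke surface unchanged.
            if (!OpenProcessToken(process.Handle, TOKEN_QUERY, out tokenHandle))
            {
                return null;
            }

            // WindowsIdentity duplicates the token, so our handle can be closed in finally.
            using (WindowsIdentity identity = new WindowsIdentity(tokenHandle))
            {
                string user = identity.Name;
                int separator = user.IndexOf('\\');
                return separator >= 0 ? user.Substring(separator + 1) : user;
            }
        }
        catch (Exception)
        {
            // Best effort: access denied, process already exited, invalid token, etc.
            return null;
        }
        finally
        {
            if (tokenHandle != IntPtr.Zero)
            {
                CloseHandle(tokenHandle);
            }
        }
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr hObject);

    // TODO: check out https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna#L10
    /// <summary>
    /// Lists running processes whose executable could be read and whose version resource does
    /// not claim a Microsoft company name.
    /// </summary>
    /// <returns>
    /// One dictionary per process with the keys "Name", "ProcessID", "ExecutablePath",
    /// "Product", "Owner", "isDotNet" ("isDotNet" or "") and "CommandLine". Values are never
    /// null; unknown fields are "". On a failure of the enumeration itself the error is printed
    /// and whatever was collected so far is returned.
    /// </returns>
    /// <remarks>
    /// Win32_Process is queried because it exposes the image path and command line; it runs in
    /// the caller's security context, so both come back null for processes the caller may not
    /// inspect (typically SYSTEM / protected processes when unelevated). Such processes are
    /// skipped here entirely, so this list under-reports exactly the privileged processes that
    /// security products tend to run as.
    /// CompanyName is an unsigned string from the PE version resource; any binary can set it to
    /// "Microsoft ...", so the filter below is a noise reducer, not an authenticity check.
    /// </remarks>
    public static List<Dictionary<string, string>> GetProcessInfo()
    {
        List<Dictionary<string, string>> processRecords = new List<Dictionary<string, string>>();
        Process[] processes = new Process[0];
        try
        {
            processes = Process.GetProcesses();
            string wmiQuery = "SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process";
            using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmiQuery))
            using (ManagementObjectCollection wmiProcesses = searcher.Get())
            {
                // Win32_Process.ProcessId is a boxed UInt32; Process.Id is an int.
                var matched = from p in processes
                              join mo in wmiProcesses.Cast<ManagementObject>()
                                  on p.Id equals (int)(uint)mo["ProcessId"]
                              select new
                              {
                                  Process = p,
                                  Path = mo["ExecutablePath"] as string,
                                  CommandLine = mo["CommandLine"] as string,
                              };

                foreach (var proc in matched)
                {
                    // No readable image path: nothing to fingerprint (see remarks).
                    if (proc.Path == null)
                    {
                        continue;
                    }

                    string companyName = "";
                    string isDotNet = "";
                    try
                    {
                        FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(proc.Path);
                        companyName = versionInfo.CompanyName;
                        isDotNet = MyUtils.CheckIfDotNet(proc.Path) ? "isDotNet" : "";
                    }
                    catch (Exception)
                    {
                        // The image may be unreadable (ACL) or already deleted; report it without metadata.
                    }

                    // Ordinal comparison on purpose: a culture-aware match breaks on "i"/"I"
                    // under Turkish locales, and the value is a machine string anyway.
                    bool claimsMicrosoft = !string.IsNullOrEmpty(companyName)
                        && companyName.StartsWith("Microsoft", StringComparison.OrdinalIgnoreCase);
                    if (claimsMicrosoft)
                    {
                        continue;
                    }

                    // Opening a handle to every process is noisy (one OpenProcess per PID), so the
                    // owner is only resolved for processes that are actually reported.
                    string owner = GetProcessUser(proc.Process) ?? "";

                    Dictionary<string, string> record = new Dictionary<string, string>
                    {
                        {"Name", proc.Process.ProcessName},
                        {"ProcessID", proc.Process.Id.ToString()},
                        {"ExecutablePath", proc.Path},
                        {"Product", companyName ?? ""},
                        {"Owner", owner},
                        {"isDotNet", isDotNet},
                        {"CommandLine", proc.CommandLine ?? ""},
                    };
                    processRecords.Add(record);
                }
            }
        }
        catch (Exception ex)
        {
            Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
        }
        finally
        {
            // Each Process owns an OS handle once .Handle has been touched; release them.
            foreach (Process p in processes)
            {
                p.Dispose();
            }
        }
        return processRecords;
    }
}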
}