794 lines
38 KiB
C#
Executable File
794 lines
38 KiB
C#
Executable File
using System;
|
|
using System.Collections;
|
|
using System.Collections.Generic;
|
|
using System.Diagnostics;
|
|
using System.Linq;
|
|
using System.Management;
|
|
using System.Runtime.InteropServices;
|
|
using System.Security.Principal;
|
|
using System.Text.RegularExpressions;
|
|
|
|
namespace winPEAS
|
|
{
|
|
class ProcessesInfo
|
|
{
|
|
public static Hashtable defensiveProcesses = new Hashtable()
|
|
{
|
|
{"mcshield.exe" , "McAfee AV"},
|
|
{"windefend.exe" , "Windows Defender AV"},
|
|
{"MSASCui.exe" , "Windows Defender AV"},
|
|
{"MSASCuiL.exe" , "Windows Defender AV"},
|
|
{"msmpeng.exe" , "Windows Defender AV"},
|
|
{"msmpsvc.exe" , "Windows Defender AV"},
|
|
{"WRSA.exe" , "WebRoot AV"},
|
|
{"savservice.exe" , "Sophos AV"},
|
|
{"TMCCSF.exe" , "Trend Micro AV"},
|
|
{"symantec antivirus.exe" , "Symantec AV"},
|
|
{"mbae.exe" , "MalwareBytes Anti-Exploit"},
|
|
{"parity.exe" , "Bit9 application whitelisting"},
|
|
{"cb.exe" , "Carbon Black behavioral analysis"},
|
|
{"bds-vision.exe" , "BDS Vision behavioral analysis"},
|
|
{"Triumfant.exe" , "Triumfant behavioral analysis"},
|
|
{"CSFalcon.exe" , "CrowdStrike Falcon EDR"},
|
|
{"ossec.exe" , "OSSEC intrusion detection"},
|
|
{"TmPfw.exe" , "Trend Micro firewall"},
|
|
{"dgagent.exe" , "Verdasys Digital Guardian DLP"},
|
|
{"kvoop.exe" , " DLP process" },
|
|
{"AAWTray.exe" , ""},
|
|
{"ackwin32.exe" , ""},
|
|
{"Ad-Aware.exe" , ""},
|
|
{"adaware.exe" , ""},
|
|
{"advxdwin.exe" , ""},
|
|
{"agentsvr.exe" , ""},
|
|
{"agentw.exe" , ""},
|
|
{"alertsvc.exe" , ""},
|
|
{"alevir.exe" , ""},
|
|
{"alogserv.exe" , ""},
|
|
{"amon9x.exe" , ""},
|
|
{"anti-trojan.exe" , ""},
|
|
{"antivirus.exe" , ""},
|
|
{"ants.exe" , ""},
|
|
{"apimonitor.exe" , ""},
|
|
{"aplica32.exe" , ""},
|
|
{"apvxdwin.exe" , ""},
|
|
{"arr.exe" , ""},
|
|
{"atcon.exe" , ""},
|
|
{"atguard.exe" , ""},
|
|
{"atro55en.exe" , ""},
|
|
{"atupdater.exe" , ""},
|
|
{"atwatch.exe" , ""},
|
|
{"au.exe" , ""},
|
|
{"aupdate.exe" , ""},
|
|
{"auto-protect.nav80try.exe", ""},
|
|
{"autodown.exe" , ""},
|
|
{"autoruns.exe" , ""},
|
|
{"autorunsc.exe" , ""},
|
|
{"autotrace.exe" , ""},
|
|
{"autoupdate.exe" , ""},
|
|
{"avconsol.exe" , ""},
|
|
{"ave32.exe" , ""},
|
|
{"avgcc32.exe" , ""},
|
|
{"avgctrl.exe" , ""},
|
|
{"avgemc.exe" , ""},
|
|
{"avgnt.exe" , ""},
|
|
{"avgrsx.exe" , ""},
|
|
{"avgserv.exe" , ""},
|
|
{"avgserv9.exe" , ""},
|
|
{"avguard.exe" , ""},
|
|
{"avgwdsvc.exe" , ""},
|
|
{"avgui.exe" , ""},
|
|
{"avgw.exe" , ""},
|
|
{"avkpop.exe" , ""},
|
|
{"avkserv.exe" , ""},
|
|
{"avkservice.exe" , ""},
|
|
{"avkwctl9.exe" , ""},
|
|
{"avltmain.exe" , ""},
|
|
{"avnt.exe" , ""},
|
|
{"avp.exe" , ""},
|
|
{"avp32.exe" , ""},
|
|
{"avpcc.exe" , ""},
|
|
{"avpdos32.exe" , ""},
|
|
{"avpm.exe" , ""},
|
|
{"avptc32.exe" , ""},
|
|
{"avpupd.exe" , ""},
|
|
{"avsched32.exe" , ""},
|
|
{"avsynmgr.exe" , ""},
|
|
{"avwin.exe" , ""},
|
|
{"avwin95.exe" , ""},
|
|
{"avwinnt.exe" , ""},
|
|
{"avwupd.exe" , ""},
|
|
{"avwupd32.exe" , ""},
|
|
{"avwupsrv.exe" , ""},
|
|
{"avxmonitor9x.exe" , ""},
|
|
{"avxmonitornt.exe" , ""},
|
|
{"avxquar.exe" , ""},
|
|
{"backweb.exe" , ""},
|
|
{"bargains.exe" , ""},
|
|
{"bd_professional.exe" , ""},
|
|
{"beagle.exe" , ""},
|
|
{"belt.exe" , ""},
|
|
{"bidef.exe" , ""},
|
|
{"bidserver.exe" , ""},
|
|
{"bipcp.exe" , ""},
|
|
{"bipcpevalsetup.exe" , ""},
|
|
{"bisp.exe" , ""},
|
|
{"blackd.exe" , ""},
|
|
{"blackice.exe" , ""},
|
|
{"blink.exe" , ""},
|
|
{"blss.exe" , ""},
|
|
{"bootconf.exe" , ""},
|
|
{"bootwarn.exe" , ""},
|
|
{"borg2.exe" , ""},
|
|
{"bpc.exe" , ""},
|
|
{"brasil.exe" , ""},
|
|
{"bs120.exe" , ""},
|
|
{"bundle.exe" , ""},
|
|
{"bvt.exe" , ""},
|
|
{"ccapp.exe" , ""},
|
|
{"ccevtmgr.exe" , ""},
|
|
{"ccpxysvc.exe" , ""},
|
|
{"ccSvcHst.exe" , ""},
|
|
{"cdp.exe" , ""},
|
|
{"cfd.exe" , ""},
|
|
{"cfgwiz.exe" , ""},
|
|
{"cfiadmin.exe" , ""},
|
|
{"cfiaudit.exe" , ""},
|
|
{"cfinet.exe" , ""},
|
|
{"cfinet32.exe" , ""},
|
|
{"claw95.exe" , ""},
|
|
{"claw95cf.exe" , ""},
|
|
{"clean.exe" , ""},
|
|
{"cleaner.exe" , ""},
|
|
{"cleaner3.exe" , ""},
|
|
{"cleanpc.exe" , ""},
|
|
{"cleanup.exe" , ""},
|
|
{"click.exe" , ""},
|
|
{"cmdagent.exe" , ""},
|
|
{"cmesys.exe" , ""},
|
|
{"cmgrdian.exe" , ""},
|
|
{"cmon016.exe" , ""},
|
|
{"connectionmonitor.exe" , ""},
|
|
{"cpd.exe" , ""},
|
|
{"cpf9x206.exe" , ""},
|
|
{"cpfnt206.exe" , ""},
|
|
{"ctrl.exe" , ""},
|
|
{"cv.exe" , ""},
|
|
{"cwnb181.exe" , ""},
|
|
{"cwntdwmo.exe" , ""},
|
|
{"CylanceUI.exe" , ""},
|
|
{"CyProtect.exe" , ""},
|
|
{"CyUpdate.exe" , ""},
|
|
{"cyserver.exe" , ""},
|
|
{"cytray.exe" , ""},
|
|
{"CyveraService.exe" , ""},
|
|
{"datemanager.exe" , ""},
|
|
{"dcomx.exe" , ""},
|
|
{"defalert.exe" , ""},
|
|
{"defscangui.exe" , ""},
|
|
{"defwatch.exe" , ""},
|
|
{"deputy.exe" , ""},
|
|
{"divx.exe" , ""},
|
|
{"dgprompt.exe" , ""},
|
|
{"DgService.exe" , ""},
|
|
{"dllcache.exe" , ""},
|
|
{"dllreg.exe" , ""},
|
|
{"doors.exe" , ""},
|
|
{"dpf.exe" , ""},
|
|
{"dpfsetup.exe" , ""},
|
|
{"dpps2.exe" , ""},
|
|
{"drwatson.exe" , ""},
|
|
{"drweb32.exe" , ""},
|
|
{"drwebupw.exe" , ""},
|
|
{"dssagent.exe" , ""},
|
|
{"dumpcap.exe" , ""},
|
|
{"dvp95.exe" , ""},
|
|
{"dvp95_0.exe" , ""},
|
|
{"ecengine.exe" , ""},
|
|
{"efpeadm.exe" , ""},
|
|
{"egui.exe" , ""},
|
|
{"ekrn.exe" , ""},
|
|
{"emet_agent.exe" , ""},
|
|
{"emet_service.exe" , ""},
|
|
{"emsw.exe" , ""},
|
|
{"engineserver.exe" , ""},
|
|
{"ent.exe" , ""},
|
|
{"esafe.exe" , ""},
|
|
{"escanhnt.exe" , ""},
|
|
{"escanv95.exe" , ""},
|
|
{"espwatch.exe" , ""},
|
|
{"ethereal.exe" , ""},
|
|
{"etrustcipe.exe" , ""},
|
|
{"evpn.exe" , ""},
|
|
{"exantivirus-cnet.exe" , ""},
|
|
{"exe.avxw.exe" , ""},
|
|
{"expert.exe" , ""},
|
|
{"explore.exe" , ""},
|
|
{"f-agnt95.exe" , ""},
|
|
{"f-prot.exe" , ""},
|
|
{"f-prot95.exe" , ""},
|
|
{"f-stopw.exe" , ""},
|
|
{"fameh32.exe" , ""},
|
|
{"fast.exe" , ""},
|
|
{"fch32.exe" , ""},
|
|
{"fcagswd.exe" , "McAfee DLP Agent"},
|
|
{"fcags.exe" , "McAfee DLP Agent"},
|
|
{"fih32.exe" , ""},
|
|
{"findviru.exe" , ""},
|
|
{"firesvc.exe" , "McAfee Host Intrusion Prevention"},
|
|
{"firetray.exe" , ""},
|
|
{"firewall.exe" , ""},
|
|
{"fnrb32.exe" , ""},
|
|
{"fp-win.exe" , ""},
|
|
{"fp-win_trial.exe" , ""},
|
|
{"fprot.exe" , ""},
|
|
{"frameworkservice.exe" , ""},
|
|
{"frminst.exe" , ""},
|
|
{"frw.exe" , ""},
|
|
{"fsaa.exe" , ""},
|
|
{"fsav.exe" , ""},
|
|
{"fsav32.exe" , ""},
|
|
{"fsav530stbyb.exe" , ""},
|
|
{"fsav530wtbyb.exe" , ""},
|
|
{"fsav95.exe" , ""},
|
|
{"fsgk32.exe" , ""},
|
|
{"fsm32.exe" , ""},
|
|
{"fsma32.exe" , ""},
|
|
{"fsmb32.exe" , ""},
|
|
{"gator.exe" , ""},
|
|
{"gbmenu.exe" , ""},
|
|
{"gbpoll.exe" , ""},
|
|
{"generics.exe" , ""},
|
|
{"gmt.exe" , ""},
|
|
{"guard.exe" , ""},
|
|
{"guarddog.exe" , ""},
|
|
{"hacktracersetup.exe" , ""},
|
|
{"hbinst.exe" , ""},
|
|
{"hbsrv.exe" , ""},
|
|
{"HijackThis.exe" , ""},
|
|
{"hipsvc.exe" , ""},
|
|
{"HipMgmt.exe" , "McAfee Host Intrusion Protection"},
|
|
{"hotactio.exe" , ""},
|
|
{"hotpatch.exe" , ""},
|
|
{"htlog.exe" , ""},
|
|
{"htpatch.exe" , ""},
|
|
{"hwpe.exe" , ""},
|
|
{"hxdl.exe" , ""},
|
|
{"hxiul.exe" , ""},
|
|
{"iamapp.exe" , ""},
|
|
{"iamserv.exe" , ""},
|
|
{"iamstats.exe" , ""},
|
|
{"ibmasn.exe" , ""},
|
|
{"ibmavsp.exe" , ""},
|
|
{"icload95.exe" , ""},
|
|
{"icloadnt.exe" , ""},
|
|
{"icmon.exe" , ""},
|
|
{"icsupp95.exe" , ""},
|
|
{"icsuppnt.exe" , ""},
|
|
{"idle.exe" , ""},
|
|
{"iedll.exe" , ""},
|
|
{"iedriver.exe" , ""},
|
|
{"iface.exe" , ""},
|
|
{"ifw2000.exe" , ""},
|
|
{"inetlnfo.exe" , ""},
|
|
{"infus.exe" , ""},
|
|
{"infwin.exe" , ""},
|
|
{"init.exe" , ""},
|
|
{"intdel.exe" , ""},
|
|
{"intren.exe" , ""},
|
|
{"iomon98.exe" , ""},
|
|
{"istsvc.exe" , ""},
|
|
{"jammer.exe" , ""},
|
|
{"jdbgmrg.exe" , ""},
|
|
{"jedi.exe" , ""},
|
|
{"kavlite40eng.exe" , ""},
|
|
{"kavpers40eng.exe" , ""},
|
|
{"kavpf.exe" , ""},
|
|
{"kazza.exe" , ""},
|
|
{"keenvalue.exe" , ""},
|
|
{"kerio-pf-213-en-win.exe" , ""},
|
|
{"kerio-wrl-421-en-win.exe" , ""},
|
|
{"kerio-wrp-421-en-win.exe" , ""},
|
|
{"kernel32.exe" , ""},
|
|
{"KeyPass.exe" , ""},
|
|
{"killprocesssetup161.exe" , ""},
|
|
{"launcher.exe" , ""},
|
|
{"ldnetmon.exe" , ""},
|
|
{"ldpro.exe" , ""},
|
|
{"ldpromenu.exe" , ""},
|
|
{"ldscan.exe" , ""},
|
|
{"lnetinfo.exe" , ""},
|
|
{"loader.exe" , ""},
|
|
{"localnet.exe" , ""},
|
|
{"lockdown.exe" , ""},
|
|
{"lockdown2000.exe" , ""},
|
|
{"lookout.exe" , ""},
|
|
{"lordpe.exe" , ""},
|
|
{"lsetup.exe" , ""},
|
|
{"luall.exe" , ""},
|
|
{"luau.exe" , ""},
|
|
{"lucomserver.exe" , ""},
|
|
{"luinit.exe" , ""},
|
|
{"luspt.exe" , ""},
|
|
{"mapisvc32.exe" , ""},
|
|
{"masvc.exe" , "McAfee Agent"},
|
|
{"mbamservice.exe" , ""},
|
|
{"mcafeefire.exe" , ""},
|
|
{"mcagent.exe" , ""},
|
|
{"mcmnhdlr.exe" , ""},
|
|
{"mcscript.exe" , ""},
|
|
{"mcscript_inuse.exe" , ""},
|
|
{"mctool.exe" , ""},
|
|
{"mctray.exe" , ""},
|
|
{"mcupdate.exe" , ""},
|
|
{"mcvsrte.exe" , ""},
|
|
{"mcvsshld.exe" , ""},
|
|
{"md.exe" , ""},
|
|
{"mfeann.exe" , "McAfee VirusScan Enterprise"},
|
|
{"mfemactl.exe" , "McAfee VirusScan Enterprise"},
|
|
{"mfevtps.exe" , ""},
|
|
{"mfin32.exe" , ""},
|
|
{"mfw2en.exe" , ""},
|
|
{"mfweng3.02d30.exe" , ""},
|
|
{"mgavrtcl.exe" , ""},
|
|
{"mgavrte.exe" , ""},
|
|
{"mghtml.exe" , ""},
|
|
{"mgui.exe" , ""},
|
|
{"minilog.exe" , ""},
|
|
{"minionhost.exe" , ""},
|
|
{"mmod.exe" , ""},
|
|
{"monitor.exe" , ""},
|
|
{"moolive.exe" , ""},
|
|
{"mostat.exe" , ""},
|
|
{"mpfagent.exe" , ""},
|
|
{"mpfservice.exe" , ""},
|
|
{"mpftray.exe" , ""},
|
|
{"mrflux.exe" , ""},
|
|
{"msapp.exe" , ""},
|
|
{"msbb.exe" , ""},
|
|
{"msblast.exe" , ""},
|
|
{"mscache.exe" , ""},
|
|
{"msccn32.exe" , ""},
|
|
{"mscman.exe" , ""},
|
|
{"msconfig.exe" , ""},
|
|
{"msdm.exe" , ""},
|
|
{"msdos.exe" , ""},
|
|
{"msiexec16.exe" , ""},
|
|
{"msinfo32.exe" , ""},
|
|
{"mslaugh.exe" , ""},
|
|
{"msmgt.exe" , ""},
|
|
{"msmsgri32.exe" , ""},
|
|
{"MsSense.exe" , "Microsoft Defender ATP"},
|
|
{"mssmmc32.exe" , ""},
|
|
{"mssys.exe" , ""},
|
|
{"msvxd.exe" , ""},
|
|
{"mu0311ad.exe" , ""},
|
|
{"mwatch.exe" , ""},
|
|
{"n32scanw.exe" , ""},
|
|
{"naprdmgr.exe" , ""},
|
|
{"nav.exe" , ""},
|
|
{"navap.navapsvc.exe" , ""},
|
|
{"navapsvc.exe" , ""},
|
|
{"navapw32.exe" , ""},
|
|
{"navdx.exe" , ""},
|
|
{"navlu32.exe" , ""},
|
|
{"navnt.exe" , ""},
|
|
{"navstub.exe" , ""},
|
|
{"navw32.exe" , ""},
|
|
{"navwnt.exe" , ""},
|
|
{"nc2000.exe" , ""},
|
|
{"ncinst4.exe" , ""},
|
|
{"ndd32.exe" , ""},
|
|
{"neomonitor.exe" , ""},
|
|
{"neowatchlog.exe" , ""},
|
|
{"netarmor.exe" , ""},
|
|
{"netd32.exe" , ""},
|
|
{"netinfo.exe" , ""},
|
|
{"netmon.exe" , ""},
|
|
{"netscanpro.exe" , ""},
|
|
{"netspyhunter-1.2.exe" , ""},
|
|
{"netstat.exe" , ""},
|
|
{"netutils.exe" , ""},
|
|
{"nisserv.exe" , ""},
|
|
{"nisum.exe" , ""},
|
|
{"nmain.exe" , ""},
|
|
{"nod32.exe" , ""},
|
|
{"normist.exe" , ""},
|
|
{"norton_internet_secu_3.0_407.exe" , ""},
|
|
{"notstart.exe" , ""},
|
|
{"npf40_tw_98_nt_me_2k.exe" , ""},
|
|
{"npfmessenger.exe" , ""},
|
|
{"nprotect.exe" , ""},
|
|
{"npscheck.exe" , ""},
|
|
{"npssvc.exe" , ""},
|
|
{"nsched32.exe" , ""},
|
|
{"nssys32.exe" , ""},
|
|
{"nstask32.exe" , ""},
|
|
{"nsupdate.exe" , ""},
|
|
{"nt.exe" , ""},
|
|
{"ntrtscan.exe" , ""},
|
|
{"ntvdm.exe" , ""},
|
|
{"ntxconfig.exe" , ""},
|
|
{"nui.exe" , ""},
|
|
{"nupgrade.exe" , ""},
|
|
{"nvarch16.exe" , ""},
|
|
{"nvc95.exe" , ""},
|
|
{"nvsvc32.exe" , ""},
|
|
{"nwinst4.exe" , ""},
|
|
{"nwservice.exe" , ""},
|
|
{"nwtool16.exe" , ""},
|
|
{"nxlog.exe" , ""},
|
|
{"ollydbg.exe" , ""},
|
|
{"onsrvr.exe" , ""},
|
|
{"optimize.exe" , ""},
|
|
{"ostronet.exe" , ""},
|
|
{"osqueryd.exe" , ""},
|
|
{"otfix.exe" , ""},
|
|
{"outpost.exe" , ""},
|
|
{"outpostinstall.exe" , ""},
|
|
{"outpostproinstall.exe" , ""},
|
|
{"padmin.exe" , ""},
|
|
{"panixk.exe" , ""},
|
|
{"patch.exe" , ""},
|
|
{"pavcl.exe" , ""},
|
|
{"pavproxy.exe" , ""},
|
|
{"pavsched.exe" , ""},
|
|
{"pavw.exe" , ""},
|
|
{"pccwin98.exe" , ""},
|
|
{"pcfwallicon.exe" , ""},
|
|
{"pcip10117_0.exe" , ""},
|
|
{"pcscan.exe" , ""},
|
|
{"pdsetup.exe" , ""},
|
|
{"periscope.exe" , ""},
|
|
{"persfw.exe" , ""},
|
|
{"perswf.exe" , ""},
|
|
{"pf2.exe" , ""},
|
|
{"pfwadmin.exe" , ""},
|
|
{"pgmonitr.exe" , ""},
|
|
{"pingscan.exe" , ""},
|
|
{"platin.exe" , ""},
|
|
{"pop3trap.exe" , ""},
|
|
{"poproxy.exe" , ""},
|
|
{"popscan.exe" , ""},
|
|
{"portdetective.exe" , ""},
|
|
{"portmonitor.exe" , ""},
|
|
{"powerscan.exe" , ""},
|
|
{"ppinupdt.exe" , ""},
|
|
{"pptbc.exe" , ""},
|
|
{"ppvstop.exe" , ""},
|
|
{"prizesurfer.exe" , ""},
|
|
{"prmt.exe" , ""},
|
|
{"prmvr.exe" , ""},
|
|
{"procdump.exe" , ""},
|
|
{"processmonitor.exe" , ""},
|
|
{"procexp.exe" , ""},
|
|
{"procexp64.exe" , ""},
|
|
{"procexplorerv1.0.exe" , ""},
|
|
{"procmon.exe" , ""},
|
|
{"programauditor.exe" , ""},
|
|
{"proport.exe" , ""},
|
|
{"protectx.exe" , ""},
|
|
{"pspf.exe" , ""},
|
|
{"purge.exe" , ""},
|
|
{"qconsole.exe" , ""},
|
|
{"qserver.exe" , ""},
|
|
{"rapapp.exe" , ""},
|
|
{"rav7.exe" , ""},
|
|
{"rav7win.exe" , ""},
|
|
{"rav8win32eng.exe" , ""},
|
|
{"ray.exe" , ""},
|
|
{"rb32.exe" , ""},
|
|
{"rcsync.exe" , ""},
|
|
{"realmon.exe" , ""},
|
|
{"reged.exe" , ""},
|
|
{"regedit.exe" , ""},
|
|
{"regedt32.exe" , ""},
|
|
{"rescue.exe" , ""},
|
|
{"rescue32.exe" , ""},
|
|
{"rrguard.exe" , ""},
|
|
{"rtvscan.exe" , ""},
|
|
{"rtvscn95.exe" , ""},
|
|
{"rulaunch.exe" , ""},
|
|
{"run32dll.exe" , ""},
|
|
{"rundll.exe" , ""},
|
|
{"rundll16.exe" , ""},
|
|
{"ruxdll32.exe" , ""},
|
|
{"safeweb.exe" , ""},
|
|
{"sahagent.exescan32.exe" , ""},
|
|
{"save.exe" , ""},
|
|
{"savenow.exe" , ""},
|
|
{"sbserv.exe" , ""},
|
|
{"scam32.exe" , ""},
|
|
{"scan32.exe" , ""},
|
|
{"scan95.exe" , ""},
|
|
{"scanpm.exe" , ""},
|
|
{"scrscan.exe" , ""},
|
|
{"SentinelOne.exe" , ""},
|
|
{"serv95.exe" , ""},
|
|
{"setupvameeval.exe" , ""},
|
|
{"setup_flowprotector_us.exe", ""},
|
|
{"sfc.exe" , ""},
|
|
{"sgssfw32.exe" , ""},
|
|
{"sh.exe" , ""},
|
|
{"shellspyinstall.exe" , ""},
|
|
{"shn.exe" , ""},
|
|
{"showbehind.exe" , ""},
|
|
{"shstat.exe" , "McAfee VirusScan Enterprise"},
|
|
{"SISIDSService.exe" , ""},
|
|
{"SISIPSUtil.exe" , ""},
|
|
{"smc.exe" , ""},
|
|
{"sms.exe" , ""},
|
|
{"smss32.exe" , ""},
|
|
{"soap.exe" , ""},
|
|
{"sofi.exe" , ""},
|
|
{"sperm.exe" , ""},
|
|
{"splunk.exe" , "Splunk"},
|
|
{"splunkd.exe" , "Splunk"},
|
|
{"splunk-admon.exe" , "Splunk"},
|
|
{"splunk-powershell.exe" , "Splunk"},
|
|
{"splunk-winevtlog.exe" , "Splunk"},
|
|
{"spf.exe" , ""},
|
|
{"sphinx.exe" , ""},
|
|
{"spoler.exe" , ""},
|
|
{"spoolcv.exe" , ""},
|
|
{"spoolsv32.exe" , ""},
|
|
{"spyxx.exe" , ""},
|
|
{"srexe.exe" , ""},
|
|
{"srng.exe" , ""},
|
|
{"ss3edit.exe" , ""},
|
|
{"ssgrate.exe" , ""},
|
|
{"ssg_4104.exe" , ""},
|
|
{"st2.exe" , ""},
|
|
{"start.exe" , ""},
|
|
{"stcloader.exe" , ""},
|
|
{"supftrl.exe" , ""},
|
|
{"support.exe" , ""},
|
|
{"supporter5.exe" , ""},
|
|
{"svchostc.exe" , ""},
|
|
{"svchosts.exe" , ""},
|
|
{"sweep95.exe" , ""},
|
|
{"sweepnet.sweepsrv.sys.swnetsup.exe", ""},
|
|
{"symproxysvc.exe" , ""},
|
|
{"symtray.exe" , ""},
|
|
{"sysedit.exe" , ""},
|
|
{"sysmon.exe" , "Sysinternals Sysmon"},
|
|
{"sysupd.exe" , ""},
|
|
{"TaniumClient.exe" , "Tanium"},
|
|
{"taskmg.exe" , ""},
|
|
{"taskmo.exe" , ""},
|
|
{"taumon.exe" , ""},
|
|
{"tbmon.exe" , ""},
|
|
{"tbscan.exe" , ""},
|
|
{"tc.exe" , ""},
|
|
{"tca.exe" , ""},
|
|
{"tcm.exe" , ""},
|
|
{"tcpview.exe" , ""},
|
|
{"tds-3.exe" , ""},
|
|
{"tds2-98.exe" , ""},
|
|
{"tds2-nt.exe" , ""},
|
|
{"teekids.exe" , ""},
|
|
{"tfak.exe" , ""},
|
|
{"tfak5.exe" , ""},
|
|
{"tgbob.exe" , ""},
|
|
{"titanin.exe" , ""},
|
|
{"titaninxp.exe" , ""},
|
|
{"tlaservice.exe" , ""},
|
|
{"tlaworker.exe" , ""},
|
|
{"tracert.exe" , ""},
|
|
{"trickler.exe" , ""},
|
|
{"trjscan.exe" , ""},
|
|
{"trjsetup.exe" , ""},
|
|
{"trojantrap3.exe" , ""},
|
|
{"tsadbot.exe" , ""},
|
|
{"tshark.exe" , ""},
|
|
{"tvmd.exe" , ""},
|
|
{"tvtmd.exe" , ""},
|
|
{"udaterui.exe" , ""},
|
|
{"undoboot.exe" , ""},
|
|
{"updat.exe" , ""},
|
|
{"update.exe" , ""},
|
|
{"updaterui.exe" , ""},
|
|
{"upgrad.exe" , ""},
|
|
{"utpost.exe" , ""},
|
|
{"vbcmserv.exe" , ""},
|
|
{"vbcons.exe" , ""},
|
|
{"vbust.exe" , ""},
|
|
{"vbwin9x.exe" , ""},
|
|
{"vbwinntw.exe" , ""},
|
|
{"vcsetup.exe" , ""},
|
|
{"vet32.exe" , ""},
|
|
{"vet95.exe" , ""},
|
|
{"vettray.exe" , ""},
|
|
{"vfsetup.exe" , ""},
|
|
{"vir-help.exe" , ""},
|
|
{"virusmdpersonalfirewall.exe", ""},
|
|
{"vnlan300.exe" , ""},
|
|
{"vnpc3000.exe" , ""},
|
|
{"vpc32.exe" , ""},
|
|
{"vpc42.exe" , ""},
|
|
{"vpfw30s.exe" , ""},
|
|
{"vptray.exe" , ""},
|
|
{"vscan40.exe" , ""},
|
|
{"vscenu6.02d30.exe" , ""},
|
|
{"vsched.exe" , ""},
|
|
{"vsecomr.exe" , ""},
|
|
{"vshwin32.exe" , ""},
|
|
{"vsisetup.exe" , ""},
|
|
{"vsmain.exe" , ""},
|
|
{"vsmon.exe" , ""},
|
|
{"vsstat.exe" , ""},
|
|
{"vstskmgr.exe" , "McAfee VirusScan Enterprise"},
|
|
{"vswin9xe.exe" , ""},
|
|
{"vswinntse.exe" , ""},
|
|
{"vswinperse.exe" , ""},
|
|
{"w32dsm89.exe" , ""},
|
|
{"w9x.exe" , ""},
|
|
{"watchdog.exe" , ""},
|
|
{"webdav.exe" , ""},
|
|
{"webscanx.exe" , ""},
|
|
{"webtrap.exe" , ""},
|
|
{"wfindv32.exe" , ""},
|
|
{"whoswatchingme.exe" , ""},
|
|
{"wimmun32.exe" , ""},
|
|
{"win-bugsfix.exe" , ""},
|
|
{"win32.exe" , ""},
|
|
{"win32us.exe" , ""},
|
|
{"winactive.exe" , ""},
|
|
{"window.exe" , ""},
|
|
{"windows.exe" , ""},
|
|
{"wininetd.exe" , ""},
|
|
{"wininitx.exe" , ""},
|
|
{"winlogin.exe" , ""},
|
|
{"winmain.exe" , ""},
|
|
{"winnet.exe" , ""},
|
|
{"winppr32.exe" , ""},
|
|
{"winrecon.exe" , ""},
|
|
{"winservn.exe" , ""},
|
|
{"winssk32.exe" , ""},
|
|
{"winstart.exe" , ""},
|
|
{"winstart001.exe" , ""},
|
|
{"wintsk32.exe" , ""},
|
|
{"winupdate.exe" , ""},
|
|
{"wireshark.exe" , ""},
|
|
{"wkufind.exe" , ""},
|
|
{"wnad.exe" , ""},
|
|
{"wnt.exe" , ""},
|
|
{"wradmin.exe" , ""},
|
|
{"wrctrl.exe" , ""},
|
|
{"wsbgate.exe" , ""},
|
|
{"wupdater.exe" , ""},
|
|
{"wupdt.exe" , ""},
|
|
{"wyvernworksfirewall.exe" , ""},
|
|
{"xagt.exe" , ""},
|
|
{"xpf202en.exe" , ""},
|
|
{"zapro.exe" , ""},
|
|
{"zapsetup3001.exe" , ""},
|
|
{"zatutor.exe" , ""},
|
|
/*{"zonalm2601" , ""}, These names (ending in .exe) are detected by AVs
|
|
{"zonealarm" , ""},
|
|
{"_avp32" , ""},
|
|
{"_avpcc" , ""},
|
|
{"rshell" , ""},
|
|
{"_avpms" , ""}*/
|
|
};
|
|
|
|
// TODO: cyberark? other password managers?
|
|
public static Hashtable interestingProcesses = new Hashtable()
|
|
{
|
|
{"CmRcService.exe" , "Configuration Manager Remote Control Service"},
|
|
{"ftp.exe" , "Misc. FTP client"},
|
|
{"LMIGuardian.exe" , "LogMeIn Reporter"},
|
|
{"LogMeInSystray.exe" , "LogMeIn System Tray"},
|
|
{"RaMaint.exe" , "LogMeIn maintenance sevice"},
|
|
{"mmc.exe" , "Microsoft Management Console"},
|
|
{"putty.exe" , "Putty SSH client"},
|
|
{"pscp.exe" , "Putty SCP client"},
|
|
{"psftp.exe" , "Putty SFTP client"},
|
|
{"puttytel.exe" , "Putty Telnet client"},
|
|
{"plink.exe" , "Putty CLI client"},
|
|
{"pageant.exe" , "Putty SSH auth agent"},
|
|
{"kitty.exe" , "Kitty SSH client"},
|
|
{"telnet.exe" , "Misc. Telnet client"},
|
|
{"SecureCRT.exe" , "SecureCRT SSH/Telnet client"},
|
|
{"TeamViewer.exe" , "TeamViewer"},
|
|
{"tv_x64.exe" , "TeamViewer x64 remote control"},
|
|
{"tv_w32.exe" , "TeamViewer x86 remote control"},
|
|
{"keepass.exe" , "KeePass password vault"},
|
|
{"mstsc.exe" , "Microsoft RDP client"},
|
|
{"vnc.exe" , "Possible VNC client"},
|
|
{"powershell.exe" , "PowerShell host process"},
|
|
{"cmd.exe" , "Command Prompt"},
|
|
};
|
|
|
|
[DllImport("advapi32.dll", SetLastError = true)]
|
|
private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
|
|
[DllImport("kernel32.dll", SetLastError = true)]
|
|
[return: MarshalAs(UnmanagedType.Bool)]
|
|
private static extern bool CloseHandle(IntPtr hObject);
|
|
private static string GetProcU(Process p)
|
|
{
|
|
IntPtr pHandle = IntPtr.Zero;
|
|
try
|
|
{
|
|
OpenProcessToken(p.Handle, 8, out pHandle);
|
|
WindowsIdentity WI = new WindowsIdentity(pHandle);
|
|
String uSEr = WI.Name;
|
|
return uSEr.Contains(@"\") ? uSEr.Substring(uSEr.IndexOf(@"\") + 1) : uSEr;
|
|
}
|
|
catch
|
|
{
|
|
return null;
|
|
}
|
|
finally
|
|
{
|
|
if (pHandle != IntPtr.Zero)
|
|
{
|
|
CloseHandle(pHandle);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
|
|
// TODO: check out https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna#L10
|
|
public static List<Dictionary<string, string>> GetProcInfo()
|
|
{
|
|
List<Dictionary<string, string>> f_results = new List<Dictionary<string, string>>();
|
|
try
|
|
{
|
|
var wmiQueRyStr = "SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process";
|
|
using (var srcher = new ManagementObjectSearcher(wmiQueRyStr))
|
|
using (var reslts = srcher.Get())
|
|
{
|
|
var queRy = from p in Process.GetProcesses()
|
|
join mo in reslts.Cast<ManagementObject>()
|
|
on p.Id equals (int)(uint)mo["ProcessId"]
|
|
select new
|
|
{
|
|
Proc = p,
|
|
Pth = (string)mo["ExecutablePath"],
|
|
CommLine = (string)mo["CommandLine"],
|
|
Owner = GetProcU(p), //Needed inside the next foreach
|
|
};
|
|
|
|
foreach (var itm in queRy)
|
|
{
|
|
if (itm.Pth != null)
|
|
{
|
|
string companyName = "";
|
|
string isDotNet = "";
|
|
try
|
|
{
|
|
FileVersionInfo myFileVerInfo = FileVersionInfo.GetVersionInfo(itm.Pth);
|
|
//compName = myFileVerInfo.CompanyName;
|
|
isDotNet = MyUtils.CheckIfDotNet(itm.Pth) ? "isDotNet" : "";
|
|
}
|
|
catch
|
|
{
|
|
// Not enough privileges
|
|
}
|
|
if ((String.IsNullOrEmpty(companyName)) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
|
|
{
|
|
Dictionary<string, string> to_add = new Dictionary<string, string>();
|
|
to_add["Name"] = itm.Proc.ProcessName;
|
|
to_add["ProcessID"] = itm.Proc.Id.ToString();
|
|
to_add["ExecutablePath"] = itm.Pth;
|
|
to_add["Product"] = companyName;
|
|
to_add["Owner"] = itm.Owner == null ? "" : itm.Owner;
|
|
to_add["isDotNet"] = isDotNet;
|
|
to_add["CommandLine"] = itm.CommLine;
|
|
f_results.Add(to_add);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
|
}
|
|
return f_results;
|
|
}
|
|
}
|
|
}
|