├── .gitignore
├── AssemblyHunter
├── app.config
├── Properties
│ └── AssemblyInfo.cs
├── AssemblyHunter.csproj
└── Program.cs
├── AssemblyHunter.sln
├── LICENSE
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | .vs
2 | *.user
3 | [Dd]ebug/
4 | [Rr]elease/
5 | [Bb]in/
6 | [Oo]bj/
7 | [Oo]utput/
8 | .DS_Store
9 |
--------------------------------------------------------------------------------
/AssemblyHunter/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/AssemblyHunter.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31424.327
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AssemblyHunter", "AssemblyHunter\AssemblyHunter.csproj", "{967826DD-C228-453D-B3ED-A2159D923A43}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {967826DD-C228-453D-B3ED-A2159D923A43}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {967826DD-C228-453D-B3ED-A2159D923A43}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {967826DD-C228-453D-B3ED-A2159D923A43}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {967826DD-C228-453D-B3ED-A2159D923A43}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {E6781DDA-B46C-40BC-8AE5-E5F6F6BFE88D}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/AssemblyHunter/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("AssemblyHunter")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("AssemblyHunter")]
13 | [assembly: AssemblyCopyright("Copyright © 2022")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("967826dd-c228-453d-b3ed-a2159d923a43")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | BSD 3-Clause License
2 |
3 | Copyright (c) 2022, Steven F
4 | All rights reserved.
5 |
6 | Redistribution and use in source and binary forms, with or without
7 | modification, are permitted provided that the following conditions are met:
8 |
9 | 1. Redistributions of source code must retain the above copyright notice, this
10 | list of conditions and the following disclaimer.
11 |
12 | 2. Redistributions in binary form must reproduce the above copyright notice,
13 | this list of conditions and the following disclaimer in the documentation
14 | and/or other materials provided with the distribution.
15 |
16 | 3. Neither the name of the copyright holder nor the names of its
17 | contributors may be used to endorse or promote products derived from
18 | this software without specific prior written permission.
19 |
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 |
--------------------------------------------------------------------------------
/AssemblyHunter/AssemblyHunter.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {967826DD-C228-453D-B3ED-A2159D923A43}
8 | Exe
9 | AssemblyHunter
10 | AssemblyHunter
11 | v4.0
12 | 512
13 | true
14 |
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | none
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AssemblyHunter
2 | Tool released in combination with the [Less SmartScreen More Caffeine: ClickOnce (Ab)Use for Trusted Code Execution](https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20video%20and%20slides/DEF%20CON%2030%20-%20Nick%20Powers%2C%20Steven%20Flores%20-%20Less%20SmartScreen%20More%20Caffeine%20-%20ClickOnce%20AbUse%20for%20Trusted%20Code%20Execution.mp4) conference presentation by [zyn3rgy](https://twitter.com/zyn3rgy) and myself.
3 |
4 |
5 | Find assemblies on hosts that can be useful for payloads or post-exploitation. No pre-built assemblies will be provided: open the project, select Release and build. Build for .NET Framework 4.0+ (some assemblies are not identified correctly on versions below 4.0).
6 |
7 | ## Core Options:
8 | * path (ex: path=C:\Users) full path to search
9 | * file (ex: file=C:\file.exe) check if a specific file is an assembly
10 | * collection (ex: collection=C:\files.txt) check a list of assemblies from a file
11 | * services (ex: services=true) check all services binpaths for any assemblies
12 | * tasks (ex: tasks=true) check if any exec action tasks are assemblies
13 | * autoruns (ex: autoruns=true) enumerates common autorun locations for assemblies
14 |
15 | ## Optional
16 | * recurse (ex: recurse=true) recurse the path given
17 | * allpaths (ex: allpaths=true) recurses all directories; by default some directories with common Microsoft assemblies are skipped
18 | * exeonly (ex: exeonly=true) return exes only
19 | * getarch (ex: getarch=true) get assembly architecture
20 | * servicename (ex: servicename=<name>) check a specific service (requires services=true)
21 | * isservice (ex: isservice=true) checks if assembly is a service executable
22 | * getuac (ex: getuac=true) gets UAC settings of assembly
23 | * getrefs (ex: getrefs=true) gets references used by assembly
24 | * getasmid (ex: getasmid=true) gets internal assembly manifest identity
25 | * getappid (ex: getappid=true) gets internal application manifest identity
26 | * getappmanifest (ex: getappmanifest=true) gets internal application manifest
27 | * getasmmanifest (ex: getasmmanifest=true) gets internal assembly manifest
28 | * clickonce (ex: clickonce=true) returns assemblies that can be deployed via clickonce
29 | * electron (ex: electron=true) finds electron apps instead of assemblies
30 |
31 | path, file, collection, services, tasks, or autoruns should indicate the type of search performed, all other options narrow down the search
32 |
33 | #### Examples:
34 | ##### AssemblyHunter.exe path=C:\ recurse=true signed=true
35 | ##### AssemblyHunter.exe path=C:\Users\Admin\Downloads recurse=true clickonce=true
36 | ##### AssemblyHunter.exe services=true signed=true
37 | ##### AssemblyHunter.exe tasks=true signed=true getarch=true
38 | ##### AssemblyHunter.exe file=C:\Users\admin\elevate.exe getarch=true
39 |
40 | #### Credit
41 | GetPEFileManifest from Kerem Guemruekcue
42 |
43 |
--------------------------------------------------------------------------------
/AssemblyHunter/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.Xml.Linq;
4 | using System.Xml;
5 | using System.Reflection;
6 | using System.Management;
7 | using System.Collections.Generic;
8 | using System.Runtime.InteropServices;
9 | using System.ServiceProcess;
10 | using System.Security.Cryptography.X509Certificates;
11 | using Microsoft.Win32;
12 |
13 | namespace AssemblyHunter
14 | {
15 | class Program
16 | {
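// Hex dump (BitConverter format) of the first 16 bytes the tool matches to recognise an
// Electron executable: the "MZ" DOS signature (4D 5A) followed by the header fields the
// author fingerprinted.
const string ElectronHeader = "4D-5A-78-00-01-00-00-00-04-00-00-00-00-00-00-00";

/// <summary>
/// Entry point. Parses <c>key=value</c> arguments, selects one search type
/// (path, file, collection, autoruns, tasks or services) and hands every candidate
/// binary to AssemblyChecks or, when <c>electron=true</c>, to ElectronChecks.
/// Prints the usage text when no arguments (or <c>help</c>) are given.
/// </summary>
/// <param name="args">Raw command line; each element is expected to be <c>name=value</c>.</param>
static void Main(string[] args)
{
    if (args.Length < 1 || string.Equals(args[0], "help", StringComparison.OrdinalIgnoreCase))
    {
        Usage();
        return;
    }

    var watch = System.Diagnostics.Stopwatch.StartNew();
    Dictionary<string, string> arguments = ParseArguments(args);

    // TODO: Add write to file
    // TODO: Finish Autoruns

    bool electron = IsFlagSet(arguments, "electron");
    bool allpaths = IsFlagSet(arguments, "allpaths");
    bool quiet = IsFlagSet(arguments, "quiet");

    if (arguments.ContainsKey("path"))
    {
        RunPathSearch(arguments["path"], arguments, electron, allpaths, quiet);
    }
    else if (arguments.ContainsKey("file"))
    {
        string file = arguments["file"];
        if (!File.Exists(file))
        {
            Console.WriteLine("[-] File doesn't exist");
            return;
        }
        ProbeFile(file, arguments, electron);
    }
    else if (arguments.ContainsKey("collection"))
    {
        string listing = arguments["collection"];
        if (!File.Exists(listing))
        {
            Console.WriteLine("[-] File doesn't exist");
            return;
        }
        // One candidate path per line; blank and unreadable entries are skipped by ProbeFile.
        foreach (string line in File.ReadAllLines(listing))
        {
            ProbeFile(line.Trim(), arguments, electron);
        }
    }
    else if (arguments.ContainsKey("autoruns"))
    {
        // Autorun enumeration is unfinished: EnumerateAutorunValues (below) lists the
        // registry locations but is not wired in yet, so this option only reports TODO.
        Console.WriteLine("TODO");
        return;
    }
    else if (arguments.ContainsKey("tasks"))
    {
        RunTaskSearch(arguments, electron);
    }
    else if (arguments.ContainsKey("services"))
    {
        string servicename = arguments.ContainsKey("servicename") ? arguments["servicename"] : string.Empty;
        RunServiceSearch(servicename, arguments, electron);
    }
    else
    {
        // Previously an unrecognised run type exited silently.
        Console.WriteLine("[-] No search type given (path, file, collection, services, tasks or autoruns)");
        Usage();
        return;
    }

    // Reported for every search type; the file and collection runs used to omit it.
    watch.Stop();
    var ct = watch.ElapsedMilliseconds / 1000.0;
    Console.WriteLine("\n\n[+++] Completed in {0} seconds", ct);
}

/// <summary>
/// Splits <c>name=value</c> arguments into a dictionary. Elements without '=' (or with
/// an empty name) are ignored; a repeated name keeps the last value. Names are compared
/// case-insensitively so <c>Path=</c> and <c>path=</c> are equivalent.
/// </summary>
static Dictionary<string, string> ParseArguments(string[] args)
{
    var arguments = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
    foreach (string argument in args)
    {
        int idx = argument.IndexOf('=');
        if (idx > 0)
        {
            arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
        }
    }
    return arguments;
}

/// <summary>True when <paramref name="name"/> was given and its value is "true" (any casing).</summary>
static bool IsFlagSet(Dictionary<string, string> arguments, string name)
{
    string value;
    return arguments.TryGetValue(name, out value)
        && string.Equals(value, "true", StringComparison.OrdinalIgnoreCase);
}

/// <summary>
/// Handles <c>path=</c>: a single file is probed directly; a directory is listed
/// (recursively when <c>recurse=true</c>) and every file in it is probed.
/// </summary>
static void RunPathSearch(string path, Dictionary<string, string> arguments, bool electron, bool allpaths, bool quiet)
{
    if (File.Exists(path))
    {
        ProbeFile(path, arguments, electron);
        return;
    }
    if (!Directory.Exists(path))
    {
        // Directory.GetFiles used to throw an unhandled DirectoryNotFoundException here.
        Console.WriteLine("[-] Path doesn't exist");
        return;
    }

    List<string> candidates;
    if (IsFlagSet(arguments, "recurse"))
    {
        candidates = DirSearch(path, allpaths, quiet);
    }
    else
    {
        try
        {
            candidates = new List<string>(Directory.GetFiles(path));
        }
        catch (UnauthorizedAccessException)
        {
            Console.WriteLine("[-] Access denied: {0}", path);
            return;
        }
        catch (IOException ex)
        {
            Console.WriteLine("[-] Could not list {0}: {1}", path, ex.Message);
            return;
        }
    }

    foreach (string candidate in candidates)
    {
        ProbeFile(candidate, arguments, electron);
    }
}

/// <summary>
/// Runs the configured checks against one candidate binary. In assembly mode the file
/// must load as a managed assembly name; in electron mode its header must match
/// ElectronHeader. Files that cannot be opened or do not match are skipped silently,
/// which keeps bulk directory walks best-effort.
/// </summary>
/// <param name="candidate">Path of the file to examine; blank values are ignored.</param>
/// <param name="arguments">Parsed command-line options.</param>
/// <param name="electron">Look for Electron apps instead of managed assemblies.</param>
/// <param name="auxname">Service or scheduled task name to report with a hit, if any.</param>
/// <param name="runt">Search type that produced the candidate ("services" or "tasks"), else null.</param>
static void ProbeFile(string candidate, Dictionary<string, string> arguments, bool electron, string auxname = null, string runt = null)
{
    if (string.IsNullOrWhiteSpace(candidate))
    {
        return;
    }
    try
    {
        if (electron)
        {
            if (HasElectronHeader(candidate))
            {
                ElectronChecks(candidate, arguments, auxname, runt);
            }
        }
        else
        {
            // Throws BadImageFormatException for native images and non-PE files; that is
            // how "not an assembly" is detected. The returned name itself is not needed.
            AssemblyName.GetAssemblyName(candidate);
            AssemblyChecks(candidate, arguments, auxname, runt);
        }
    }
    catch (BadImageFormatException)
    {
        // Expected for most files on disk: not a managed assembly.
    }
    catch (Exception)
    {
        // Locked, unreadable or vanished file, or a check that failed part-way: skip it.
    }
}

/// <summary>Reads the first 16 bytes of <paramref name="candidate"/> and compares them with ElectronHeader.</summary>
/// <returns>True when the file holds at least 16 bytes and they match.</returns>
static bool HasElectronHeader(string candidate)
{
    byte[] head = new byte[16];
    int read;
    // Read-only, shared open: the bare FileMode.Open overload asks for write access and
    // fails on read-only or in-use files such as most of Program Files.
    using (FileStream stream = new FileStream(candidate, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
    {
        read = stream.Read(head, 0, head.Length);
    }
    return read == head.Length && BitConverter.ToString(head) == ElectronHeader;
}

/// <summary>
/// Handles <c>tasks=true</c>: enumerates scheduled tasks through the TaskScheduler WMI
/// namespace and probes the Execute target of every action that has one. The task name
/// is passed through so hits are labelled (the previous version passed the literal
/// "tasks" as the name, so it was never printed).
/// </summary>
static void RunTaskSearch(Dictionary<string, string> arguments, bool electron)
{
    try
    {
        // WMI Code taken and modified from Seatbelt
        using (var searcher = new ManagementObjectSearcher(@"Root\Microsoft\Windows\TaskScheduler", "SELECT * FROM MSFT_ScheduledTask"))
        using (ManagementObjectCollection tasks = searcher.Get())
        {
            foreach (ManagementObject task in tasks)
            {
                using (task)
                {
                    string taskname = Convert.ToString(task["TaskName"]);
                    var actions = task["Actions"] as ManagementBaseObject[];
                    if (actions == null)
                    {
                        continue;
                    }
                    foreach (ManagementBaseObject action in actions)
                    {
                        // Actions without an Execute property are not exec actions; skip them.
                        string execute = ReadStringProperty(action, "Execute");
                        if (string.IsNullOrEmpty(execute))
                        {
                            continue;
                        }
                        string fullpath = Environment.ExpandEnvironmentVariables(execute).Replace("\"", "");
                        ProbeFile(fullpath, arguments, electron, taskname, "tasks");
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine("[X] Exception {0}", ex.Message);
    }
}

/// <summary>Returns the named WMI property as a string, or null when absent or null.</summary>
static string ReadStringProperty(ManagementBaseObject obj, string name)
{
    foreach (PropertyData prop in obj.Properties)
    {
        if (prop.Name.Equals(name, StringComparison.Ordinal))
        {
            return prop.Value == null ? null : prop.Value.ToString();
        }
    }
    return null;
}

/// <summary>
/// Handles <c>services=true</c>: resolves each service's binary from its WMI PathName
/// and probes it. A <c>servicename=</c> value restricts the run to that one service.
/// </summary>
static void RunServiceSearch(string servicename, Dictionary<string, string> arguments, bool electron)
{
    if (!string.IsNullOrEmpty(servicename))
    {
        ProbeService(servicename, arguments, electron);
        return;
    }
    foreach (ServiceController service in ServiceController.GetServices())
    {
        using (service)
        {
            ProbeService(service.ServiceName, arguments, electron);
        }
    }
}

/// <summary>Looks up one service's PathName through WMI, extracts the executable and probes it.</summary>
static void ProbeService(string serviceName, Dictionary<string, string> arguments, bool electron)
{
    string pathName;
    try
    {
        // Escape the WQL string literal: a quote or backslash in the name would otherwise
        // break the object path.
        string escaped = serviceName.Replace("\\", "\\\\").Replace("'", "\\'");
        using (var wmiService = new ManagementObject("Win32_Service.Name='" + escaped + "'"))
        {
            wmiService.Get();
            pathName = wmiService["PathName"] as string;
        }
    }
    catch (ManagementException ex)
    {
        // A failed lookup (e.g. a service removed mid-enumeration) used to abort the whole run.
        Console.WriteLine("[-] Could not query service {0}: {1}", serviceName, ex.Message);
        return;
    }
    catch (COMException ex)
    {
        Console.WriteLine("[-] Could not query service {0}: {1}", serviceName, ex.Message);
        return;
    }

    string binary = ExtractServiceBinary(pathName);
    ProbeFile(binary, arguments, electron, serviceName, "services");
}

/// <summary>
/// Extracts the executable from a service PathName. A quoted path ends at the closing
/// quote (the previous version stripped the quotes but kept the arguments, so
/// <c>"C:\a b\x.exe" -k</c> became an invalid path); an unquoted path ends at the first
/// space, as before, so unquoted paths containing spaces are still truncated.
/// </summary>
/// <returns>The executable path, or null when <paramref name="pathName"/> is blank.</returns>
static string ExtractServiceBinary(string pathName)
{
    if (string.IsNullOrWhiteSpace(pathName))
    {
        return null;
    }
    string trimmed = pathName.Trim();
    if (trimmed[0] == '"')
    {
        int closing = trimmed.IndexOf('"', 1);
        return closing > 1 ? trimmed.Substring(1, closing - 1) : trimmed.Replace("\"", "");
    }
    return trimmed.Split(' ')[0];
}

// HKLM locations kept from the unfinished autoruns option; see EnumerateAutorunValues.
static readonly string[] LocalMachineAutorunKeys =
{
    //@"SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell",
    //@"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    //@"Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    //@"SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)",
    @"System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup",
    @"Software\Policies\Microsoft\Windows\System\Scripts\Startup",
    @"Software\Policies\Microsoft\Windows\System\Scripts\Logon",
    @"Environment\UserInitMprLogonScript",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet",
    @"Software\Policies\Microsoft\Windows\System\Scripts\Shutdown",
    @"Software\Policies\Microsoft\Windows\System\Scripts\Logoff",
    @"Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup",
    @"Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon",
    @"Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff",
    @"Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown",
    @"Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    @"SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman",
    @"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run",
    @"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram",
    @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    @"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    @"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    @"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx",
    @"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    @"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    @"SOFTWARE\Microsoft\Active Setup\Installed Components",
    @"SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components",
    @"Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib",
    @"SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect",
    @"SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect",
    @"SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect",
    @"SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect"
};

// HKCU locations kept from the unfinished autoruns option.
static readonly string[] CurrentUserAutorunKeys =
{
    @"Software\Policies\Microsoft\Windows\System\Scripts\Logon",
    @"Environment\UserInitMprLogonScript",
    @"Software\Policies\Microsoft\Windows\System\Scripts\Logoff",
    @"Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup",
    @"Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon",
    @"Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff",
    @"Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown",
    @"Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    @"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    @"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    @"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx",
    @"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    @"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    @"Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
    @"Software\Microsoft\Windows NT\CurrentVersion\Windows\Run",
    @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx",
    @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run"
};

// Shell-extension / browser-helper registrations. Listed by the original but never read.
static readonly string[] DllAutorunKeys =
{
    @"Software\Classes\*\ShellEx\ContextMenuHandlers",
    @"Software\Classes\Directory\ShellEx\ContextMenuHandlers",
    @"Software\Classes\Directory\Shellex\DragDropHandlers",
    @"Software\Classes\Directory\Shellex\CopyHookHandlers",
    @"Software\Classes\Folder\ShellEx\ContextMenuHandlers",
    @"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    @"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
};

/// <summary>
/// Prints every value stored under the autorun keys above. Not yet invoked: the
/// <c>autoruns</c> option reports TODO until these values are also run through the
/// assembly checks. The HKCU list is now opened under HKCU (it was opened under HKLM).
/// </summary>
static void EnumerateAutorunValues()
{
    PrintRegistryValues(Registry.LocalMachine, LocalMachineAutorunKeys);
    PrintRegistryValues(Registry.CurrentUser, CurrentUserAutorunKeys);
}

/// <summary>Prints the values of each sub key of <paramref name="hive"/>; a key that cannot be opened is reported and skipped.</summary>
static void PrintRegistryValues(RegistryKey hive, IEnumerable<string> subKeys)
{
    foreach (string subKey in subKeys)
    {
        Console.WriteLine("Current: {0}", subKey);
        try
        {
            using (RegistryKey key = hive.OpenSubKey(subKey))
            {
                if (key == null)
                {
                    continue;
                }
                foreach (string valueName in key.GetValueNames())
                {
                    object value = key.GetValue(valueName);
                    if (value != null)
                    {
                        Console.WriteLine("\t{0}", value);
                    }
                }
            }
        }
        catch (System.Security.SecurityException ex)
        {
            Console.WriteLine("\t[-] {0}", ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("\t[-] {0}", ex.Message);
        }
    }
}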
494 |
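/// <summary>
/// Prints the command-line help. Corrects the example keys shown for <c>collection</c>
/// and <c>servicename</c>, and lists <c>signed</c>, <c>quiet</c> and <c>clickonce</c>,
/// which the checks read but the help text omitted.
/// </summary>
static void Usage()
{
    string[] lines =
    {
        "\n AssemblyHunter.exe",
        "",
        " Run Type Options:",
        @" path (ex: path=C:\Users) full path to search",
        @" file (ex: file=C:\file.exe) check if a specific file is an assembly",
        @" collection (ex: collection=C:\files.txt) run checks against assemblies listed in a file",
        " services (ex: services=true) enumerates all services for assemblies",
        " tasks (ex: tasks=true) enumerates all scheduled tasks for assemblies",
        " autoruns (ex: autoruns=true) enumerates common autorun locations for assemblies",
        "\n Optional args:",
        " recurse (ex: recurse=true) recurse the path given",
        " allpaths (ex: allpaths=true) recurses all directories, by default some directories with common Microsoft assemblies are skipped",
        " quiet (ex: quiet=true) do not print skipped directories",
        " exeonly (ex: exeonly=true) look for exes only",
        " signed (ex: signed=true) only report binaries that pass the signature check and print the signer",
        " getarch (ex: getarch=true) get assembly architecture",
        " servicename (ex: servicename=<name>) check a specific service (needs services=true)",
        " isservice (ex: isservice=true) check if an exe is a service executable",
        " getuac (ex: getuac=true) gets UAC settings of assembly",
        " getrefs (ex: getrefs=true) gets references for target assembly",
        " getasmid (ex: getasmid=true) gets internal assembly manifest identity",
        " getappid (ex: getappid=true) gets internal application manifest identity",
        " getappmanifest (ex: getappmanifest=true) gets internal application manifest",
        " getasmmanifest (ex: getasmmanifest=true) gets internal assembly manifest",
        " clickonce (ex: clickonce=true) returns assemblies that can be deployed via clickonce",
        " electron (ex: electron=true) look for electron apps instead of assemblies",
        "\n* path, file, collection, services, tasks, or autoruns should indicate the type of search performed, all other options narrow down the search",
        @"Example: AssemblyHunter.exe path=C:\ recurse=true signed=true",
        @"Example: AssemblyHunter.exe services=true signed=true",
        @"Example: AssemblyHunter.exe tasks=true signed=true getarch=true",
        ""
    };
    foreach (string line in lines)
    {
        Console.WriteLine(line);
    }
}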
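// Directories not descended into unless allpaths=true: they hold large numbers of
// well-known Microsoft assemblies that only slow the walk down. Compared
// case-insensitively because Windows paths are.
static readonly HashSet<string> SkippedDirectories = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    @"C:\Windows\SxS",
    @"C:\Windows\CCM",
    @"C:\Windows\WinSxS",
    @"C:\Windows\SysWOW64\WinMetadata",
    @"C:\Windows\SysWOW64\WindowsPowerShell",
    @"C:\Windows\SysWOW64\wbem",
    @"C:\Windows\SysWOW64",
    @"C:\Windows\SystemApps",
    @"C:\Windows\System32\WinMetadata",
    @"C:\Windows\System32\WindowsPowerShell",
    @"C:\Windows\System32\wbem",
    @"C:\Windows\Microsoft.NET\Framework64",
    @"C:\Windows\Microsoft.NET\Framework",
    @"C:\Windows\Microsoft.NET\assembly",
    @"C:\Windows\Installer",
    @"C:\Windows\assembly",
    @"C:\Windows\servicing",
    @"C:\Program Files (x86)\dotnet",
    @"C:\Program Files (x86)\Microsoft Visual Studio 14.0",
    @"C:\Program Files (x86)\IIS",
    @"C:\Program Files (x86)\IIS Express",
    @"C:\Program Files (x86)\Microsoft Office",
    @"C:\Program Files (x86)\Microsoft\Microsoft Search in Bing",
    @"C:\Program Files (x86)\Microsoft Azure Information Protection",
    @"C:\Program Files (x86)\Microsoft Visual Studio",
    @"C:\Program Files (x86)\Microsoft Azure Storage Explorer",
    @"C:\Program Files (x86)\Microsoft Intune Management Extension",
    @"C:\Program Files (x86)\EventManagement",
    @"C:\Program Files (x86)\Windows Kits",
    @"C:\Program Files (x86)\Reference Assemblies",
    @"C:\Program Files (x86)\Microsoft SDKs",
    @"C:\Program Files (x86)\Microsoft Silverlight",
    @"C:\Program Files (x86)\Common Files\Microsoft Shared",
    @"C:\Program Files (x86)\MSBuild",
    @"C:\Program Files (x86)\Workflow Manager Tools",
    @"C:\Program Files\PowerShell",
    @"C:\Program Files\Microsoft Office",
    @"C:\Program Files\WindowsApps",
    @"C:\Program Files\IIS",
    @"C:\Program Files\IIS Express",
    @"C:\Program Files\Microsoft SQL Server",
    @"C:\Program Files\dotnet",
    @"C:\Program Files\Reference Assemblies\Microsoft",
    @"C:\Program Files\Common Files\microsoft shared\VS7DEBUG",
    @"C:\ProgramData\Microsoft\DefaultPackMSI",
    @"C:\ProgramData\Microsoft\VisualStudio",
    @"C:\Users\All Users\Microsoft\VisualStudio",
    @"C:\Users\All Users\Microsoft\DefaultPackMSI"
};

/// <summary>
/// Recursively collects every file under <paramref name="dir"/>.
/// </summary>
/// <param name="dir">Directory to walk.</param>
/// <param name="searchall">When false, directories in SkippedDirectories are reported and not descended into
/// (the previous version printed the skip message and then walked the tree anyway, discarding the result).</param>
/// <param name="quiet">Suppresses the "[-] Skipping directory" message.</param>
/// <returns>Full paths of the files found; empty, never null, when <paramref name="dir"/> is unreadable.</returns>
static List<string> DirSearch(string dir, bool searchall, bool quiet)
{
    var files = new List<string>();
    string[] subdirs;
    try
    {
        files.AddRange(Directory.GetFiles(dir));
        subdirs = Directory.GetDirectories(dir);
    }
    catch (UnauthorizedAccessException)
    {
        // Best effort, as before: unreadable directories are skipped silently.
        return files;
    }
    catch (IOException)
    {
        // Covers DirectoryNotFound and PathTooLong for entries that changed underneath us.
        return files;
    }

    foreach (string sub in subdirs)
    {
        if (!searchall && SkippedDirectories.Contains(sub))
        {
            if (!quiet)
            {
                Console.WriteLine("[-] Skipping directory: {0}", sub);
            }
            continue;
        }
        // Junctions and symlinks (e.g. the compatibility junctions inside user profiles)
        // can form cycles that end in a PathTooLongException or a stack overflow; do not follow them.
        if (IsReparsePoint(sub))
        {
            continue;
        }
        files.AddRange(DirSearch(sub, searchall, quiet));
    }
    return files;
}

/// <summary>True when the entry is a reparse point or its attributes cannot be read (treated as "do not follow").</summary>
static bool IsReparsePoint(string path)
{
    try
    {
        return (File.GetAttributes(path) & FileAttributes.ReparsePoint) != 0;
    }
    catch (UnauthorizedAccessException)
    {
        return true;
    }
    catch (IOException)
    {
        return true;
    }
}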
615 |
/// <summary>
/// Returns every directory below <paramref name="dir"/>, depth first: each child is
/// listed immediately before its own descendants. A directory that cannot be listed
/// contributes nothing (empty list, never null).
/// </summary>
static List<string> GetDirs(string dir)
{
    var found = new List<string>();
    string[] children;
    try
    {
        children = Directory.GetDirectories(dir);
    }
    catch (Exception)
    {
        // Unreadable or missing: nothing below this point is reported.
        return found;
    }
    foreach (string child in children)
    {
        found.Add(child);
        found.AddRange(GetDirs(child));
    }
    return found;
}
631 |
/// <summary>
/// Reports one Electron application after applying the optional <c>exeonly</c> and
/// <c>signed</c> filters. Prints the owning service or scheduled task name when known
/// and, when the signed filter is on, the issuer and subject of the signing certificate.
/// </summary>
/// <param name="path">Candidate executable that already matched the Electron header check.</param>
/// <param name="arguments">Parsed command-line options.</param>
/// <param name="auxname">Service or scheduled task name printed alongside the hit.</param>
/// <param name="runt">"services" or "tasks" when the candidate came from such a search; otherwise null.</param>
static void ElectronChecks(string path, Dictionary<string, string> arguments, string auxname = null, string runt = null)
{
    string option;
    bool wantSigned = arguments.TryGetValue("signed", out option) && option.ToLower() == "true";
    bool wantExeOnly = arguments.TryGetValue("exeonly", out option) && option.ToLower() == "true";

    // Filters first; CheckFile and CheckSigned are defined elsewhere in this file.
    if (wantExeOnly && !CheckFile(path))
    {
        return;
    }
    if (wantSigned && !CheckSigned(path))
    {
        return;
    }

    Console.WriteLine("[+] Found electron app: {0}", path);

    switch (runt)
    {
        case "services":
            Console.WriteLine(" [+] Service Name: {0}", auxname);
            break;
        case "tasks":
            Console.WriteLine(" [+] Scheduled Task Name: {0}", auxname);
            break;
    }

    if (wantSigned)
    {
        // CreateFromSignedFile only extracts the embedded signer certificate; whether the
        // signature is valid is decided by CheckSigned above, so these names are informational.
        X509Certificate2 signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        Console.WriteLine(" [+] Cert Issuer Name: {0}", signer.IssuerName.Name);
        Console.WriteLine(" [+] Cert Subject Name: {0}", signer.SubjectName.Name);
    }

    Console.WriteLine("");
}
686 |
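/// <summary>
/// Inspects one managed executable and prints the details selected by the command-line switches.
/// </summary>
/// <param name="path">Path of the file to inspect.</param>
/// <param name="arguments">Parsed command-line switches; a switch is on when its value is "true"
/// (case-insensitive). Recognised: signed, exeonly, getasmid, getappid, getappmanifest,
/// getasmmanifest, getarch, getuac, getrefs, isservice, clickonce.</param>
/// <param name="auxname">Service or scheduled-task name the file was found through; printed when
/// <paramref name="runt"/> is "services" or "tasks".</param>
/// <param name="runt">Discovery route: "services", "tasks" or anything else (no extra line).</param>
/// <remarks>
/// NOTE(review): the generic type arguments of <paramref name="arguments"/> were lost in extraction;
/// Dictionary&lt;string, string&gt; is assumed here — confirm against the argument parser.
///
/// "clickonce" is a preset: it forces exeonly, signed, getappid, getasmid and getuac, and drops
/// files whose manifest requests elevation or whose assemblyIdentity lacks processorArchitecture.
///
/// AssemblyName.GetAssemblyName throws for files that are not managed assemblies
/// (BadImageFormatException for native PEs); that exception is left to propagate before anything
/// is printed — presumably the caller filters non-.NET files by catching it (confirm).
///
/// The file comes from a directory walk and is untrusted. It is opened with
/// Assembly.ReflectionOnlyLoadFrom, which maps metadata only, instead of Assembly.LoadFrom, which
/// would execute the target's module initialiser inside this process. GetPEKind and
/// GetReferencedAssemblies only need metadata. ReflectionOnlyLoadFrom is .NET Framework only
/// (this project references System.Deployment, so that is its target).
///
/// "signed" only means an embedded certificate exists; the signature is not verified.
/// </remarks>
static void AssemblyChecks(string path, Dictionary<string, string> arguments, string auxname = null, string runt = null)
{
    string targetAssembly = path;

    Func<string, bool> flagOn = key =>
        arguments.ContainsKey(key)
        && string.Equals(Convert.ToString(arguments[key]), "true", StringComparison.OrdinalIgnoreCase);

    bool signed = flagOn("signed");
    bool exeonly = flagOn("exeonly");
    bool getasmid = flagOn("getasmid");
    bool getappid = flagOn("getappid");
    bool getappmanifest = flagOn("getappmanifest");
    bool getasmmanifest = flagOn("getasmmanifest");
    bool getarch = flagOn("getarch");
    bool getuac = flagOn("getuac");
    bool getrefs = flagOn("getrefs");
    bool issvc = flagOn("isservice");
    bool clickonce = flagOn("clickonce");

    if (clickonce)
    {
        // ClickOnce preset: signed .exe files, with the identity and UAC details that make them useful.
        exeonly = true;
        signed = true;
        getappid = true;
        getasmid = true;
        getuac = true;
    }

    if (exeonly && !CheckFile(targetAssembly))
    {
        return;
    }

    if (signed && !CheckSigned(targetAssembly))
    {
        return;
    }

    if (clickonce)
    {
        // Only binaries that run as the invoking user (or carry no UAC manifest) qualify.
        string uacinfo = GetUacInfo(targetAssembly);
        if (uacinfo != "asInvoker" && uacinfo != "No UAC settings")
        {
            return;
        }

        try
        {
            XmlDocument appxml = GetPEFileManifest(targetAssembly);
            XmlNodeList identities = appxml.GetElementsByTagName("assemblyIdentity");
            if (!identities[0].OuterXml.Contains("processorArchitecture"))
            {
                return;
            }
        }
        catch
        {
            // No readable manifest or identity: keep the file, the sections below report what is missing.
        }
    }

    // Throws for files that are not managed assemblies; see remarks.
    AssemblyName assemblyName = AssemblyName.GetAssemblyName(targetAssembly);
    Assembly tasm = null;
    if (getarch || getrefs)
    {
        try
        {
            // Metadata-only load: nothing from the scanned file runs in this process.
            tasm = Assembly.ReflectionOnlyLoadFrom(targetAssembly);
        }
        catch
        {
            // Unloadable image: architecture falls back to the AssemblyName view, references are skipped.
        }
    }

    Console.WriteLine("[+] Found assembly: {0}", targetAssembly);

    if (runt == "services")
    {
        Console.WriteLine(" [+] Service Name: {0}", auxname);
    }
    else if (runt == "tasks")
    {
        Console.WriteLine(" [+] Scheduled Task Name: {0}", auxname);
    }

    if (getarch)
    {
        ProcessorArchitecture procinfo = assemblyName.ProcessorArchitecture;
        try
        {
            PortableExecutableKinds peKind;
            ImageFileMachine machine;
            tasm.ManifestModule.GetPEKind(out peKind, out machine);
            Console.WriteLine(" [+] Assembly Architecture: {0} {1}", procinfo, peKind);
        }
        catch
        {
            // tasm is null or its module cannot be read: report what AssemblyName knows.
            Console.WriteLine(" [+] Assembly Architecture: {0}", procinfo);
        }
    }

    if (signed)
    {
        // CheckSigned already confirmed an embedded certificate exists; this only prints who it names.
        X509Certificate2 cert = new X509Certificate2(X509Certificate.CreateFromSignedFile(targetAssembly));
        Console.WriteLine(" [+] Cert Issuer Name: {0}", cert.IssuerName.Name);
        Console.WriteLine(" [+] Cert Subject Name: {0}", cert.SubjectName.Name);
    }

    if (issvc)
    {
        Console.WriteLine(" [+] Is a service exe: {0}", CheckIfService(targetAssembly));
    }

    if (getuac)
    {
        string uacout = GetUacInfo(targetAssembly);
        if (uacout != "No UAC settings")
        {
            Console.WriteLine(" [+] UAC settings: {0}", uacout);
        }
        else
        {
            Console.WriteLine(" [-] No UAC settings");
        }
    }

    if (getasmid)
    {
        try
        {
            // GetDefinitionIdentity returns null (no exception) when the lookup fails.
            string defid = GetDefinitionIdentity(targetAssembly);
            Console.WriteLine(" [+] Assembly Manifest Identity: {0}", defid);
        }
        catch (Exception)
        {
            Console.WriteLine(" [-] No Assembly Manifest Identity");
        }
    }

    if (getappid)
    {
        try
        {
            XmlDocument appxml = GetPEFileManifest(targetAssembly);
            XmlNodeList identities = appxml.GetElementsByTagName("assemblyIdentity");
            XmlNode first = identities[0];
            // An assemblyIdentity nested in dependentAssembly describes a dependency, not this file.
            if (first.ParentNode.Name != "dependentAssembly")
            {
                // Strip the default namespace declaration so the identity prints compactly.
                string appidentity = first.OuterXml.Replace("xmlns=\"urn:schemas-microsoft-com:asm.v1\"", "");
                Console.WriteLine(" [+] Application Manifest Identity : {0}", appidentity);
            }
            else
            {
                Console.WriteLine(" [-] No Application Manifest Identity");
            }
        }
        catch
        {
            Console.WriteLine(" [-] No Application Manifest Identity");
        }
    }

    if (getappmanifest)
    {
        try
        {
            XDocument doc = XDocument.Parse(GetPEFileManifest(targetAssembly).OuterXml);
            Console.WriteLine(" [+] Internal Application Manifest: {0}", doc);
        }
        catch (Exception)
        {
            Console.WriteLine(" [-] No Internal Application Manifest");
        }
    }

    if (getasmmanifest)
    {
        // Intentionally empty; the original notes this output "might not be needed/wanted".
    }

    if (getrefs)
    {
        try
        {
            Console.WriteLine(" [+] Application References");
            foreach (AssemblyName an in tasm.GetReferencedAssemblies())
            {
                // A reference without a strong name has no token; print it empty rather than abort the list.
                byte[] token = an.GetPublicKeyToken() ?? new byte[0];
                Console.WriteLine(" [+] Name={0}, Version={1}, PublicKey token={2}", an.Name, an.Version, BitConverter.ToString(token));
            }
        }
        catch
        {
            // tasm could not be loaded: nothing to list.
        }
    }
    Console.WriteLine("");
}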
938 |
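/// <summary>
/// Tests whether <paramref name="assemblyName"/> carries an embedded Authenticode signer certificate.
/// </summary>
/// <param name="assemblyName">Path of the PE file to inspect.</param>
/// <returns>true when a certificate could be extracted from the file; false when the file has no
/// signature block, is not a valid PE image, or cannot be opened.</returns>
/// <remarks>
/// This is a presence check only. X509Certificate.CreateFromSignedFile reads the certificate out
/// of the signature block but does not verify the signature (hash match, chain, revocation,
/// timestamp), so a tampered or self-signed binary still reports true. Use WinVerifyTrust or an
/// explicit chain build if "signed" must mean "validly signed".
/// The original compared the result with null, which never happens: CreateFromSignedFile throws
/// CryptographicException for unsigned input, so every unsigned file used to escape as an
/// exception instead of a false return.
/// </remarks>
public static bool CheckSigned(string assemblyName)
{
    try
    {
        X509Certificate signer = X509Certificate.CreateFromSignedFile(assemblyName);
        return signer != null;
    }
    catch (CryptographicException)
    {
        // Unsigned file, or not a PE image the crypto API can query.
        return false;
    }
    catch (IOException)
    {
        return false;
    }
    catch (UnauthorizedAccessException)
    {
        return false;
    }
}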
951 |
/// <summary>
/// True when <paramref name="assemblyName"/> has a ".exe" extension, in any letter case.
/// </summary>
/// <param name="assemblyName">File path or name; only its extension is examined.</param>
/// <returns>true for ".exe" / ".EXE" etc., false for any other or no extension.</returns>
public static bool CheckFile(string assemblyName)
{
    string extension = Path.GetExtension(assemblyName);
    return extension.Equals(".exe", StringComparison.OrdinalIgnoreCase);
}
962 |
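/// <summary>
/// Reports whether the application manifest embedded in <paramref name="assemblyName"/> is
/// readable and does not declare a requestedPrivileges block.
/// </summary>
/// <param name="assemblyName">Path of the PE file to inspect.</param>
/// <returns>true when a manifest was extracted and its XML contains no "requestedPrivileges";
/// false when there is no readable manifest or the manifest declares requestedPrivileges.</returns>
/// <remarks>
/// The test is a substring match on the serialized XML, not a schema-aware lookup.
/// The original re-parsed the manifest's OuterXml into a second XmlDocument whose result was
/// discarded; that pass proved nothing (OuterXml of a parsed document is always well-formed) and
/// was one more place an attacker-supplied manifest was handed to an XML parser, so it is gone.
/// </remarks>
public static bool CheckManifest(string assemblyName)
{
    XmlDocument manifest = GetPEFileManifest(assemblyName);
    if (manifest == null)
    {
        return false;
    }
    return !manifest.OuterXml.Contains("requestedPrivileges");
}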
983 |
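/// <summary>
/// Tests whether <paramref name="assemblyName"/> is a Windows service executable, i.e. it defines
/// a type deriving (directly or through intermediate bases) from System.ServiceProcess.ServiceBase.
/// </summary>
/// <param name="assemblyName">Path of the managed assembly to inspect.</param>
/// <returns>true when a ServiceBase-derived type is found; false when none is, or the file cannot
/// be loaded (missing, native, wrong format).</returns>
/// <remarks>
/// The file comes from a directory walk and is untrusted. The original used Assembly.LoadFrom,
/// which runs the target's module initialiser inside this process — scanning a directory that
/// contains a planted assembly meant executing it. ReflectionOnlyLoadFrom maps metadata only.
/// Reflection-only loading does not resolve dependencies by itself, so a resolver is attached for
/// the duration of the call that probes the target's own directory and then the GAC/framework.
/// Types whose base cannot be resolved are skipped instead of failing the whole file.
/// ReflectionOnlyLoadFrom exists on .NET Framework only (this project references System.Deployment,
/// so that is its target); elsewhere the load throws and the method returns false.
/// </remarks>
public static bool CheckIfService(string assemblyName)
{
    string baseDir = null;
    try
    {
        baseDir = Path.GetDirectoryName(Path.GetFullPath(assemblyName));
    }
    catch (Exception)
    {
        // Unusable path: the load below fails and reports false.
    }

    ResolveEventHandler resolver = (sender, args) =>
    {
        string simpleName = new AssemblyName(args.Name).Name;
        if (baseDir != null)
        {
            foreach (string ext in new[] { ".dll", ".exe" })
            {
                string candidate = Path.Combine(baseDir, simpleName + ext);
                if (File.Exists(candidate))
                {
                    return Assembly.ReflectionOnlyLoadFrom(candidate);
                }
            }
        }
        // Framework / GAC assemblies, System.ServiceProcess among them.
        return Assembly.ReflectionOnlyLoad(args.Name);
    };

    AppDomain.CurrentDomain.ReflectionOnlyAssemblyResolve += resolver;
    try
    {
        Assembly tasm = Assembly.ReflectionOnlyLoadFrom(assemblyName);

        Type[] types;
        try
        {
            types = tasm.GetTypes();
        }
        catch (ReflectionTypeLoadException ex)
        {
            // Keep the types that did load; the unresolved ones are null entries.
            types = ex.Types;
        }

        foreach (Type t in types)
        {
            try
            {
                for (Type b = t == null ? null : t.BaseType; b != null; b = b.BaseType)
                {
                    if (b.FullName == "System.ServiceProcess.ServiceBase")
                    {
                        return true;
                    }
                }
            }
            catch
            {
                // Base type lives in an assembly that could not be resolved: not a service, move on.
            }
        }
        return false;
    }
    catch
    {
        return false;
    }
    finally
    {
        AppDomain.CurrentDomain.ReflectionOnlyAssemblyResolve -= resolver;
    }
}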
1011 |
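/// <summary>
/// Reads the requestedExecutionLevel "level" value from the application manifest embedded in
/// <paramref name="assemblyName"/>.
/// </summary>
/// <param name="assemblyName">Path of the PE file to inspect.</param>
/// <returns>The level value (e.g. "asInvoker", "highestAvailable", "requireAdministrator"), or the
/// literal string "No UAC settings" when there is no readable manifest, no requestedExecutionLevel
/// element, or the element carries no level attribute.</returns>
/// <remarks>
/// The original returned Attributes[0], i.e. whichever attribute the manifest author wrote first.
/// Attribute order is not significant in XML, so a manifest written as
/// &lt;requestedExecutionLevel uiAccess="false" level="asInvoker"/&gt; yielded "false", and the
/// clickonce filter's "asInvoker" comparison silently rejected the file. The attribute is now
/// looked up by name. The redundant re-parse of the manifest's OuterXml is gone as well.
/// </remarks>
public static string GetUacInfo(string assemblyName)
{
    const string none = "No UAC settings";
    try
    {
        XmlDocument manifest = GetPEFileManifest(assemblyName);
        if (manifest == null)
        {
            return none;
        }
        XmlNodeList levels = manifest.GetElementsByTagName("requestedExecutionLevel");
        if (levels.Count == 0)
        {
            return none;
        }
        XmlAttribute level = levels[0].Attributes["level"];
        return level == null ? none : level.Value;
    }
    catch
    {
        // Any failure to read the manifest is reported the same as an absent one.
        return none;
    }
}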
1032 |
/// <summary>
/// Returns the processor architecture recorded in the manifest of the assembly at
/// <paramref name="assemblyName"/>.
/// </summary>
/// <param name="assemblyName">Path of the managed assembly.</param>
/// <returns>AssemblyName.GetAssemblyName(...).ProcessorArchitecture.</returns>
/// <remarks>
/// Propagates whatever AssemblyName.GetAssemblyName throws (FileNotFoundException for a missing
/// file, BadImageFormatException for a non-managed image, among others); nothing is caught here.
/// </remarks>
public static ProcessorArchitecture CheckArch(string assemblyName)
{
    return AssemblyName.GetAssemblyName(assemblyName).ProcessorArchitecture;
}
1039 |
/// <summary>
/// Convenience wrapper over GetDefinitionIdentity(string, out string, out Exception) that
/// discards the failure details.
/// </summary>
/// <param name="filename">Path of the managed assembly.</param>
/// <returns>The definition identity string produced by System.Deployment's SystemUtils, or null
/// when it could not be obtained.</returns>
public static string GetDefinitionIdentity(string filename)
{
    string identity;
    Exception ignored;
    return GetDefinitionIdentity(filename, out identity, out ignored) ? identity : null;
}
1047 |
/// <summary>
/// Obtains the definition identity of a managed assembly by invoking the internal
/// System.Deployment.Application.Win32InterOp.SystemUtils.GetDefinitionIdentityFromManagedAssembly
/// through reflection.
/// </summary>
/// <param name="filename">Path of the managed assembly, passed straight through to the internal method.</param>
/// <param name="identityinfo">On success the identity's ToString(); null on failure.</param>
/// <param name="err">null on success; on failure the exception that stopped the lookup
/// (System.Deployment not loadable, type or method not found, or the internal call itself failing).</param>
/// <returns>true on success, false on any failure. Never throws.</returns>
/// <remarks>
/// Depends on private .NET Framework internals pinned by strong name
/// ("System.Deployment, Version=2.0.0.0, PublicKeyToken=b03f5f7f11d50a3a"); any change to that
/// assembly surfaces here as a false return with <paramref name="err"/> set, never as an exception.
/// </remarks>
public static bool GetDefinitionIdentity(string filename, out string identityinfo, out Exception err)
{
    identityinfo = null;
    err = null;
    try
    {
        Assembly deployment = Assembly.Load("System.Deployment, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
        Type utilsType = deployment.GetType("System.Deployment.Application.Win32InterOp.SystemUtils");
        object utils = Activator.CreateInstance(utilsType);
        const BindingFlags invokeStatic = BindingFlags.InvokeMethod | BindingFlags.NonPublic | BindingFlags.Static;
        object identity = utilsType.InvokeMember(
            "GetDefinitionIdentityFromManagedAssembly",
            invokeStatic,
            null,
            utils,
            new object[] { filename });
        identityinfo = identity.ToString();
        return true;
    }
    catch (Exception e)
    {
        identityinfo = null;
        err = e;
        return false;
    }
}
1075 |
/// <summary>
/// Convenience wrapper over GetPEFileManifest(string, out XmlDocument, out Exception) that
/// discards the failure details.
/// </summary>
/// <param name="filename">Path of the PE file.</param>
/// <returns>The parsed embedded application manifest, or null when the file has none or it
/// could not be read.</returns>
public static XmlDocument GetPEFileManifest(string filename)
{
    XmlDocument manifest;
    Exception ignored;
    return GetPEFileManifest(filename, out manifest, out ignored) ? manifest : null;
}
1084 |
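/// <summary>
/// Extracts the application manifest embedded in the PE resources of <paramref name="filename"/>
/// and parses it into an XmlDocument.
/// </summary>
/// <param name="filename">Path of the PE file; must be non-empty and exist.</param>
/// <param name="applicationXmlManifest">The parsed manifest on success; null on failure.</param>
/// <param name="error">null on success; otherwise the exception that stopped extraction
/// (ArgumentException for an empty path, FileNotFoundException for a missing file,
/// InvalidOperationException when the file has no manifest resource, or whatever the
/// System.Deployment call or the XML parse threw).</param>
/// <returns>true when a manifest was extracted and parsed; false otherwise. Never throws.</returns>
/// <remarks>
/// The manifest bytes come from the internal
/// System.Deployment.Application.Win32InterOp.SystemUtils.GetManifestFromPEResources, invoked by
/// reflection against the strong-named .NET Framework assembly; that dependency is what makes this
/// .NET Framework only.
/// The manifest is read out of an untrusted file found by a directory walk, so the document is
/// parsed with XmlResolver = null: a DOCTYPE with an external entity in a planted binary must not
/// make this scanner fetch URLs or read local files (depending on the target framework the default
/// resolver would follow them). The original threw NullReferenceException for the empty-path check;
/// that is an argument error, so it is now ArgumentException.
/// </remarks>
public static bool GetPEFileManifest(string filename, out XmlDocument applicationXmlManifest, out Exception error)
{
    applicationXmlManifest = null;
    error = null;
    try
    {
        if (string.IsNullOrEmpty(filename))
        {
            throw new ArgumentException("Parameter \"fileName\" cant be null or empty", "filename");
        }

        if (!File.Exists(filename))
        {
            throw new FileNotFoundException("Parameter \"fileName\" does not point to a existing file", filename);
        }

        Assembly deployment = Assembly.Load("System.Deployment, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
        Type utilsType = deployment.GetType("System.Deployment.Application.Win32InterOp.SystemUtils");
        object utils = Activator.CreateInstance(utilsType);
        byte[] manifestBytes = utilsType.InvokeMember(
            "GetManifestFromPEResources",
            BindingFlags.InvokeMethod | BindingFlags.Public | BindingFlags.Static,
            null,
            utils,
            new object[] { filename }) as byte[];

        if (manifestBytes == null)
        {
            throw new InvalidOperationException("No manifest resource found in \"" + filename + "\"");
        }

        string manifestXml;
        using (MemoryStream stream = new MemoryStream(manifestBytes))
        using (StreamReader reader = new StreamReader(stream, true))
        {
            // BOM-detecting reader; a manifest without a BOM is read as UTF-8.
            manifestXml = reader.ReadToEnd().Trim();
        }

        XmlDocument document = new XmlDocument();
        document.XmlResolver = null; // never resolve external entities/DTDs from an untrusted manifest
        document.LoadXml(manifestXml);

        applicationXmlManifest = document;
        return true;
    }
    catch (Exception ex)
    {
        applicationXmlManifest = null;
        error = ex;
        return false;
    }
}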
1134 | }
1135 | }
1136 |
--------------------------------------------------------------------------------