mirror of https://github.com/carlospolop/PEASS-ng synced 2024-11-24 01:26:22 +01:00

- added search for hidden files in c:\users

makikvues 2021-01-25 21:39:20 +01:00
parent f5155d5eb4
commit 2a0ab7bf77
4 changed files with 114 additions and 22 deletions


@ -125,6 +125,7 @@ namespace winPEAS.Checks
PrintUsersDocsKeys,
PrintRecentFiles,
PrintRecycleBin,
PrintHiddenFilesAndFolders,
PrintOtherUsersInterestingFiles
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
@ -541,5 +542,106 @@ namespace winPEAS.Checks
Beaprint.PrintException(ex.Message);
}
}
void PrintHiddenFilesAndFolders()
{
HashSet<string> excludedFilenames = new HashSet<string>()
{
"cache.bin",
"container.dat",
"desktop.ini",
"iconcache.db",
"ntuser.ini",
"ntuser.dat",
"ntuser.dat.log1",
"ntuser.dat.log2",
"pof.dat.log1",
"pof.dat.log2",
"privateregistry.bin.log1",
"privateregistry.bin.log2",
"settings.dat.log1",
"settings.dat.log2",
"thumbs.db",
"user.dat.log1",
"user.dat.log2",
"userclasses.dat",
"userclasses.dat.log1",
"userclasses.dat.log2",
"usrclass.dat",
"usrclass.dat.log1",
"usrclass.dat.log2",
};
HashSet<string> excludedExtensions = new HashSet<string>()
{
".blf",
".igpi",
".regtrans-ms",
".search-ms",
".suo",
};
HashSet<string> excludedKnownFolders = new HashSet<string>()
{
"accountpictures",
"appdata",
"application data",
"cookies",
"desktop",
"documents",
"intelgraphicsprofiles",
"libraries",
"local settings",
"my documents",
"nethood",
"printhood",
"recent",
"recent",
"sendto",
"start menu",
"templates",
};
var systemDrive = Environment.GetEnvironmentVariable("SystemDrive");
Beaprint.MainPrint($"Searching hidden files or folders in {systemDrive}\\Users home (can be slow)\n");
foreach (var file in SearchHelper.RootDirUsers)
{
try
{
if (File.GetAttributes(file.FullPath).HasFlag(FileAttributes.Hidden))
{
if (file.Extension != null && excludedExtensions.Contains(file.Extension.ToLower()))
{
continue;
}
if (file.Filename != null && excludedFilenames.Contains(file.Filename.ToLower()))
{
continue;
}
// skip well known folders
if (excludedKnownFolders.Contains(Path.GetFileName(file.FullPath).ToLower()))
{
continue;
}
if (file.FullPath.ToLower().Contains("microsoft"))
{
continue;
}
Beaprint.BadPrint($" {file.FullPath}");
}
}
catch (PathTooLongException ex) { }
catch (Exception ex)
{
// & other exceptions
}
}
}
}
}
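Review bot: The two empty catch blocks at the end of the loop in PrintHiddenFilesAndFolders swallow every exception, so a path whose attributes could not be read is indistinguishable in the output from one that is simply not hidden. Reporting the failure the way the preceding method does, `catch (Exception ex) { Beaprint.PrintException(ex.Message); }`, would keep that visible and make the separate `PathTooLongException` handler unnecessary. The filter `file.FullPath.ToLower().Contains("microsoft")` matches anywhere in the path, so hidden files under any user or folder whose name merely contains that string are dropped from the report; comparing individual path segments would be tighter. The exclusion sets also rely on culture-sensitive `ToLower()`; building them with `new HashSet<string>(StringComparer.OrdinalIgnoreCase)` and dropping the `ToLower()` calls avoids locale-dependent misses, and the duplicate "recent" entry can go.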


@ -6,18 +6,17 @@ namespace winPEAS.Helpers
internal static class CheckRunner
{
public static void Run(Action action, bool isDebug, string description = null)
{
if (!isDebug)
{
action();
}
else
{
var timer = new Stopwatch();
if (isDebug)
{
timer.Start();
}
action();
if (isDebug)
{
timer.Stop();
TimeSpan timeTaken = timer.Elapsed;


@ -10,14 +10,12 @@ namespace winPEAS.Helpers.Search
{
static class SearchHelper
{
private static List<CustomFileInfo> RootDirUsers;
public static List<CustomFileInfo> RootDirUsers;
private static List<CustomFileInfo> RootDirCurrentUser;
private static List<CustomFileInfo> ProgramFiles;
private static List<CustomFileInfo> ProgramFilesX86;
private static List<CustomFileInfo> DocumentsAndSettings;
private static List<CustomFileInfo> GroupPolicyHistory;
// private static List<CustomFileInfo> GroupPolicyHistoryLegacy;
public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null, bool isFoldersIncluded = false)
{
@ -32,14 +30,7 @@ namespace winPEAS.Helpers.Search
bool shouldAdd = true;
string startDirLower = startDir.FullName.ToLower();
foreach (var excludedDirPattern in excludedDirs)
{
if (Regex.IsMatch(startDirLower, excludedDirPattern, RegexOptions.IgnoreCase))
{
shouldAdd = false;
break;
}
}
shouldAdd = !excludedDirs.Contains(startDirLower);
if (shouldAdd)
{
@ -171,7 +162,7 @@ namespace winPEAS.Helpers.Search
// c:\users
string rootUsersSearchPath = $"{systemDrive}\\Users\\";
SearchHelper.RootDirUsers = SearchHelper.GetFilesFast(rootUsersSearchPath, globalPattern);
SearchHelper.RootDirUsers = SearchHelper.GetFilesFast(rootUsersSearchPath, globalPattern, isFoldersIncluded: true);
// c:\users\current_user
string rootCurrentUserSearchPath = Environment.GetEnvironmentVariable("USERPROFILE");
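Review bot: The new line `shouldAdd = !excludedDirs.Contains(startDirLower);` in GetFilesFast changes excludedDirs from a set of regex patterns to a set of exact, lower-cased full paths, so any caller that still passes a pattern or a mixed-case path will silently exclude nothing and the scan will walk directories it used to skip. The callers and the rest of GetFilesFast are outside this hunk, so this needs checking; a comment on the parameter such as `// excludedDirs: exact full directory paths, compared case-insensitively` together with a set built on `StringComparer.OrdinalIgnoreCase` would make the contract explicit. Separately, the first hunk turns RootDirUsers into a public mutable static field; if the assignment in the last hunk sits inside SearchHelper, `public static List<CustomFileInfo> RootDirUsers { get; private set; }` would let other classes read the list without being able to replace it.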


@ -8,7 +8,7 @@
<StartArguments>applicationsinfo</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
<StartArguments>cmd fast</StartArguments>
<StartArguments>debug</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x64'">
<StartArguments>fast</StartArguments>