STRLCPY/PEASS-ng

update
carlospolop committed 2 years ago

bbc22b3a

1 parent 56d71ae8

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

■ ■ ■ ■ ■ ■

winPEAS/README.md

		skipped 13 lines
14	14		- [Link to WinPEAS C# project (.exe)](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) (.Net >= 4.5.2 required)
15	15		- Please, read the Readme of that folder to learn how to execute winpeas from memory or how make colors work among other tricks
16	16
17		-	## Please, if this tool has been useful for you consider to donate
18		-
19		-	[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.patreon.com/peass)
20		-
21	17		## PEASS Style
22	18
23	19		Are you a PEASS fan? Get now our merch at [PEASS Shop](https://teespring.com/stores/peass) and show your love for our favorite peas
		skipped 7 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASbat/README.md

		skipped 128 lines
129	129
130	130		[More info about icacls here](https://ss64.com/nt/icacls.html)
131	131
132		-	## Please, if this tool has been useful for you consider to donate
133		-
134		-	[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.patreon.com/peass)
135		-
136	132		## Advisory
137	133
138	134		All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
		skipped 4 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/README.md

		skipped 65 lines
66	66
67	67		## Help
68	68		```
69		-	quiet Do not print banner
70		-	notcolor Don't use ansi colors (all white)
	69	+	domain Enumerate domain information
71	70		systeminfo Search system information
72	71		userinfo Search user information
73	72		processinfo Search processes information
		skipped 2 lines
76	75		networkinfo Search network information
77	76		windowscreds Search windows credentials
78	77		browserinfo Search browser information
79		-	filesinfo Search files that can contains credentials
	78	+	filesinfo Search generic files that can contains credentials
	79	+	fileanalysis Search specific files that can contains credentials and for regexes inside files
80	80		eventsinfo Display interesting events information
	81	+
	82	+	quiet Do not print banner
	83	+	notcolor Don't use ansi colors (all white)
	84	+	searchpf Search credentials via regex also in Program Files folders
81	85		wait Wait for user input between checks
82	86		debug Display debugging information - memory usage, method execution time
83		-	log=[logfile] Log all output to file defined as logfile, or to "out.txt" if not specified
	87	+	log[=logfile] Log all output to file defined as logfile, or to "out.txt" if not specified
84	88
85	89		Additional checks (slower):
86	90		-lolbas Run additional LOLBAS check
87	91		-linpeas=[url] Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL
88		-	(default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh)
	92	+	(default: https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh)
89	93		```
90	94
91	95		## Basic information
		skipped 183 lines
275	279		If you find any issue, please report it using [github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues).
276	280
277	281		WinPEAS is being updated every time I find something that could be useful to escalate privileges.
278		-
279		-	## Please, if this tool has been useful for you consider to donate
280		-
281		-	[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.patreon.com/peass)
282	282
283	283		## Advisory
284	284
		skipped 5 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

		skipped 20 lines
21	21		public static bool IsDebug = false;
22	22		public static bool IsLinpeas = false;
23	23		public static bool IsLolbas = false;
	24	+	public static bool SearchProgramFiles = false;
24	25
25	26		// Create Dynamic blacklists
26	27		public static readonly string CurrentUserName = Environment.UserName;
		skipped 10 lines
37	38		//static string paint_lockoutUsers = "";
38	39		public static string PaintAdminUsers = "";
39	40		public static YamlConfig YamlConfig;
	41	+	public static YamlRegexConfig RegexesYamlConfig;
40	42
41	43		private static List<SystemCheck> _systemChecks;
42	44		private static readonly HashSet<string> _systemCheckSelectedKeysHashSet = new HashSet<string>();
		skipped 109 lines
152	154		IsDomainEnumeration = true;
153	155		}
154	156
	157	+	if (string.Equals(arg, "searchpf", StringComparison.CurrentCultureIgnoreCase))
	158	+	{
	159	+	SearchProgramFiles = true;
	160	+	}
	161	+
155	162		if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
156	163		{
157	164		IsLolbas = true;
		skipped 90 lines
248	255
249	256		try
250	257		{
251		-	Beaprint.GrayPrint(" - Loading YAML definitions file...");
	258	+	Beaprint.GrayPrint(" - Loading sensitive_files yaml definitions file...");
252	259		YamlConfig = YamlConfigHelper.GetWindowsSearchConfig();
253	260		}
254	261		catch (Exception ex)
255	262		{
256		-	Beaprint.GrayPrint("Error while getting AD info: " + ex);
	263	+	Beaprint.GrayPrint("Error while getting sensitive_files yaml info: " + ex);
	264	+	}
	265	+
	266	+	try
	267	+	{
	268	+	Beaprint.GrayPrint(" - Loading regexes yaml definitions file...");
	269	+	RegexesYamlConfig = YamlConfigHelper.GetRegexesSearchConfig();
	270	+	}
	271	+	catch (Exception ex)
	272	+	{
	273	+	Beaprint.GrayPrint("Error while getting regexes yaml info: " + ex);
257	274		}
258	275
259	276		try
		skipped 138 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs

		skipped 2 lines
3	3		using System.IO;
4	4		using System.Linq;
5	5		using System.Text.RegularExpressions;
	6	+	using System.Threading.Tasks;
6	7		using winPEAS.Helpers;
7	8		using winPEAS.Helpers.Search;
8	9		using static winPEAS.Helpers.YamlConfig.YamlConfig.SearchParameters;
9	10
10	11		namespace winPEAS.Checks
11	12		{
	13	+
12	14		internal class FileAnalysis : ISystemCheck
13	15		{
14	16		private const int ListFileLimit = 70;
		skipped 4 lines
19	21
20	22		new List<Action>
21	23		{
22		-	PrintYAMLSearchFiles
	24	+	PrintYAMLSearchFiles,
	25	+	PrintYAMLRegexesSearchFiles
23	26		}.ForEach(action => CheckRunner.Run(action, isDebug));
24	27		}
25	28
26		-	private static List<CustomFileInfo> InitializeFileSearch()
	29	+	private static List<CustomFileInfo> InitializeFileSearch(bool useProgramFiles=true)
27	30		{
28	31		var files = new List<CustomFileInfo>();
29	32		var systemDrive = $"{SearchHelper.SystemDrive}\\";
		skipped 26 lines
56	59		// files.AddRange(SearchHelper.RootDirCurrentUser); // not needed, it's contained within RootDirUsers
57	60		files.AddRange(SearchHelper.DocumentsAndSettings);
58	61		files.AddRange(SearchHelper.GroupPolicyHistory); // TODO maybe not needed here
59		-	files.AddRange(SearchHelper.ProgramFiles);
60		-	files.AddRange(SearchHelper.ProgramFilesX86);
	62	+	if (useProgramFiles)
	63	+	{
	64	+	files.AddRange(SearchHelper.ProgramFiles);
	65	+	files.AddRange(SearchHelper.ProgramFilesX86);
	66	+	}
61	67
62	68		return files;
63	69		}
		skipped 1 lines
65	71		private static bool[] Search(List<CustomFileInfo> files, string fileName, FileSettings fileSettings, ref int resultsCount, string searchName, bool somethingFound)
66	72		{
67	73		bool isRegexSearch = fileName.Contains("*");
	74	+	bool isFolder = fileSettings.files != null;
68	75		string pattern = string.Empty;
	76	+
69	77
70	78		if (isRegexSearch)
71	79		{
		skipped 2 lines
74	82
75	83		foreach (var file in files)
76	84		{
77		-	bool isFileFound;
78		-	if (isRegexSearch)
	85	+	bool isFileFound = false;
	86	+
	87	+	if (isFolder)
79	88		{
80		-	isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase);
	89	+	if (pattern == string.Empty)
	90	+	{
	91	+	isFileFound = file.FullPath.ToLower().Contains($"\\{fileName}\\");
	92	+	}
	93	+	else
	94	+	{
	95	+	foreach (var fold in file.FullPath.Split('\\').Skip(1))
	96	+	{
	97	+	isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase);
	98	+	if (isFileFound) break;
	99	+	}
	100	+	}
81	101		}
82	102		else
83	103		{
84		-	isFileFound = file.Filename.ToLower() == fileName;
	104	+	if (pattern == String.Empty)
	105	+	{
	106	+	isFileFound = file.Filename.ToLower() == fileName.ToLower();
	107	+	}
	108	+	else
	109	+	{
	110	+	isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase);
	111	+	}
85	112		}
	113	+
86	114
87	115		if (isFileFound)
88	116		{
		skipped 2 lines
91	119		somethingFound = true;
92	120		}
93	121
94		-	// there are no inner sections
95		-	if (fileSettings.files == null)
	122	+	if (!isFolder)
96	123		{
97	124		var isProcessed = ProcessResult(file, fileSettings, ref resultsCount);
98	125		if (!isProcessed)
		skipped 6 lines
105	132		{
106	133		foreach (var innerFileToSearch in fileSettings.files)
107	134		{
108		-	// search for inner files/folders by inner file/folder name
109		-	var innerFiles = SearchHelper.GetFilesFast(file.FullPath, innerFileToSearch.name, isFoldersIncluded: true);
110		-
111		-	foreach (var innerFile in innerFiles)
112		-	{
113		-	// process inner file/folder
114		-	var isProcessed = ProcessResult(innerFile, innerFileToSearch.value, ref resultsCount);
115		-	if (!isProcessed)
116		-	{
117		-	return new bool[] { true, somethingFound };
118		-	}
119		-	}
	135	+	List<CustomFileInfo> one_file_list = new List<CustomFileInfo>() { file };
	136	+	Search(one_file_list, innerFileToSearch.name, innerFileToSearch.value, ref resultsCount, searchName, somethingFound);
120	137		}
121	138		}
122	139		}
		skipped 2 lines
125	142		return new bool[] { false, somethingFound };
126	143		}
127	144
	145	+	private static List<string> SearchContent(string text, string regex_str, bool caseinsensitive)
	146	+	{
	147	+	List<string> foundMatches = new List<string>();
	148	+
	149	+	try
	150	+	{
	151	+	Regex rgx;
	152	+	if (caseinsensitive)
	153	+	rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
	154	+	else
	155	+	rgx = new Regex(regex_str.Trim());
	156	+
	157	+	int cont = 0;
	158	+	foreach (Match match in rgx.Matches(text))
	159	+	{
	160	+	if (cont > 4) break;
	161	+
	162	+	if (match.Value.Length < 400 && match.Value.Trim().Length > 2)
	163	+	foundMatches.Add(match.Value);
	164	+
	165	+	cont++;
	166	+	}
	167	+	}
	168	+	catch (Exception e)
	169	+	{
	170	+	Beaprint.GrayPrint($"Error looking for regex {regex_str} inside files: {e}");
	171	+	}
	172	+
	173	+	//}
	174	+
	175	+	return foundMatches;
	176	+	}
	177	+
128	178		private static void PrintYAMLSearchFiles()
129	179		{
130	180		try
131	181		{
132	182		var files = InitializeFileSearch();
133		-	var folders = files.Where(f => f.IsDirectory).ToList();
	183	+	//var folders = files.Where(f => f.IsDirectory).ToList();
134	184		var config = Checks.YamlConfig;
135	185		var defaults = config.defaults;
136		-	var searchItems = config.search.Where(i => i.value.config.auto_check &&
137		-	(i.value.disable == null \|\| !i.value.disable.Contains("winpeas")));
	186	+	var searchItems = config.search.Where(i => !(i.value.disable != null && i.value.disable.Contains("winpeas")));
138	187
139	188		foreach (var searchItem in searchItems)
140	189		{
141		-	if (searchItem.name != "Wifi Connections")
142		-	continue;
143	190		var searchName = searchItem.name;
144	191		var value = searchItem.value;
145	192		var searchConfig = value.config;
		skipped 9 lines
155	202		{
156	203		var fileName = file.name.ToLower();
157	204		var fileSettings = file.value;
158		-	var itemsToSearch = fileSettings.type == "f" ? files : folders;
159	205
160		-	results = Search(itemsToSearch, fileName, fileSettings, ref resultsCount, searchName, somethingFound);
	206	+	results = Search(files, fileName, fileSettings, ref resultsCount, searchName, somethingFound);
161	207
162	208		isSearchFinished = results[0];
163	209		somethingFound = results[1];
		skipped 11 lines
175	221		}
176	222		}
177	223
	224	+	private static void PrintYAMLRegexesSearchFiles()
	225	+	{
	226	+	try
	227	+	{
	228	+	//List<string> extra_no_extensions = new List<string>() { ".msi", ".exe", ".dll", ".pyc", ".pyi", ".lnk", ".css", ".hyb", ".etl", ".mo", ".xrm-ms", ".idl", ".vsix", ".mui", ".qml", ".tt" };
	229	+
	230	+	List<string> valid_extensions = new List<string>() {
	231	+	// text
	232	+	".txt", ".text", ".md", ".markdown", ".toml", ".rtf",
	233	+
	234	+	// config
	235	+	".conf", ".config", ".json", ".yml", ".yaml", ".xml", ".xaml",
	236	+
	237	+	// dev
	238	+	".py", ".js", ".html", ".c", ".cpp", ".pl", ".rb", ".smali", ".java", ".php", ".bat", ".ps1",
	239	+
	240	+	// hidden
	241	+	".id_rsa", ".id_dsa", ".bash_history", ".rsa",
	242	+	};
	243	+
	244	+	List<string> invalid_names = new List<string>()
	245	+	{
	246	+	"eula.rtf", "changelog.md"
	247	+	};
	248	+
	249	+	// No dirs, less thatn 1MB, only interesting extensions and not false positives files.
	250	+	var files = InitializeFileSearch(Checks.SearchProgramFiles).Where(f => !f.IsDirectory && valid_extensions.Contains(f.Extension.ToLower()) && !invalid_names.Contains(f.Filename.ToLower()) && f.Size > 0 && f.Size < 1000000).ToList();
	251	+	var config = Checks.RegexesYamlConfig; // Get yaml info
	252	+	Dictionary<string, Dictionary<string, Dictionary<string, List<string>>>> foundRegexes = new Dictionary<string, Dictionary<string, Dictionary<string, List<string>>>> { };
	253	+
	254	+	/*
	255	+	* Useful for debbugging purposes to see the common file extensions found
	256	+	Dictionary <string, int> dict_str = new Dictionary<string, int>();
	257	+	foreach (var f in files)
	258	+	{
	259	+	if (dict_str.ContainsKey(f.Extension))
	260	+	dict_str[f.Extension] += 1;
	261	+	else
	262	+	dict_str[f.Extension] = 1;
	263	+	}
	264	+
	265	+	var sortedDict = from entry in dict_str orderby entry.Value descending select entry;
	266	+
	267	+	foreach (KeyValuePair<string, int> kvp in sortedDict)
	268	+	{
	269	+	Console.WriteLine(string.Format("Key = {0}, Value = {1}", kvp.Key, kvp.Value));
	270	+	}*/
	271	+
	272	+	double pb = 0;
	273	+	using (var progress = new ProgressBar())
	274	+	{
	275	+	CheckRunner.Run(() =>
	276	+	{
	277	+	int num_threads = 8;
	278	+	try
	279	+	{
	280	+	num_threads = Environment.ProcessorCount;
	281	+	}
	282	+	catch (Exception ex) { }
	283	+
	284	+	Parallel.ForEach(files, new ParallelOptions { MaxDegreeOfParallelism = num_threads }, f =>
	285	+	{
	286	+	//foreach (var f in files)
	287	+	//{
	288	+	foreach (var regex_obj in config.regular_expresions)
	289	+	{
	290	+	foreach (var regex in regex_obj.regexes)
	291	+	{
	292	+	if (regex.disable != null && regex.disable.ToLower().Contains("winpeas"))
	293	+	{
	294	+	continue;
	295	+	}
	296	+
	297	+	List<string> results = new List<string> { };
	298	+
	299	+	try
	300	+	{
	301	+	string text = System.IO.File.ReadAllText(f.FullPath);
	302	+
	303	+	results = SearchContent(text, regex.regex, (bool)regex.caseinsensitive);
	304	+	if (results.Count > 0)
	305	+	{
	306	+	if (!foundRegexes.ContainsKey(regex_obj.name)) foundRegexes[regex_obj.name] = new Dictionary<string, Dictionary<string, List<string>>> { };
	307	+	if (!foundRegexes[regex_obj.name].ContainsKey(regex.name)) foundRegexes[regex_obj.name][regex.name] = new Dictionary<string, List<string>> { };
	308	+
	309	+	foundRegexes[regex_obj.name][regex.name][f.FullPath] = results;
	310	+	}
	311	+	}
	312	+	catch (System.IO.IOException)
	313	+	{
	314	+	// Cannot read the file
	315	+	}
	316	+	}
	317	+	}
	318	+	pb += (double)100 / files.Count;
	319	+	progress.Report(pb / 100); //Value must be in [0..1] range
	320	+	});
	321	+	//}
	322	+	}, Checks.IsDebug);
	323	+	}
	324	+
	325	+	// Print results
	326	+	foreach (KeyValuePair<string, Dictionary<string, Dictionary<string, List<string>>>> item in foundRegexes)
	327	+	{
	328	+	foreach (KeyValuePair<string, Dictionary<string, List<string>>> item2 in item.Value)
	329	+	{
	330	+	string masterCategory = item.Key;
	331	+	string regexCategory = item2.Key;
	332	+	int limit = 70;
	333	+
	334	+	string msg = $"Found {masterCategory}-{regexCategory} Regexes";
	335	+	if (item2.Value.Count > limit)
	336	+	msg += $" (limited to {limit})";
	337	+
	338	+	Beaprint.MainPrint(msg);
	339	+
	340	+	int cont = 0;
	341	+	foreach (KeyValuePair<string, List<string>> item3 in item2.Value)
	342	+	{
	343	+	if (cont > limit)
	344	+	break;
	345	+
	346	+	foreach (string regexMatch in item3.Value)
	347	+	{
	348	+	string filePath = item3.Key;
	349	+	Beaprint.PrintNoNL($"{filePath}: ");
	350	+	Beaprint.BadPrint(regexMatch);
	351	+	}
	352	+
	353	+	cont++;
	354	+	}
	355	+	}
	356	+	}
	357	+	}
	358	+	catch (Exception e)
	359	+	{
	360	+	Beaprint.GrayPrint($"Error looking for regexes inside files: {e}");
	361	+	}
	362	+	}
	363	+
178	364		private static string GetRegexpFromString(string str)
179	365		{
180	366		// we need to update the regexp to work here
		skipped 19 lines
200	386
201	387		if (resultsCount > ListFileLimit) return false;
202	388
	389	+	// If contains undesireable string, stop processing
	390	+	if (fileSettings.remove_path != null && fileSettings.remove_path.Length > 0)
	391	+	{
	392	+	foreach(var rem_path in fileSettings.remove_path.Split('\|'))
	393	+	{
	394	+	if (fileInfo.FullPath.ToLower().Contains(rem_path.ToLower()))
	395	+	return false;
	396	+	}
	397	+	}
203	398
204	399		if (fileSettings.type == "f")
205	400		{
		skipped 114 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs

		skipped 20 lines
21	21		{
22	22		{ badIps, Beaprint.ansi_color_bad },
23	23		{ @"\[\:\:1\]", Beaprint.ansi_color_bad },
	24	+	{ @"\[\:\:\]", Beaprint.ansi_color_bad },
24	25		};
25	26
26	27		public void PrintInfo(bool isDebug)
		skipped 196 lines
223	224
224	225		foreach (var udpConnectionInfo in NetworkInfoHelper.GetUdpConnections(IPVersion.IPv4, processesByPid))
225	226		{
	227	+	if (udpConnectionInfo.ProcessName == "dns") // Hundreds of them sometimes
	228	+	{
	229	+	continue;
	230	+	}
	231	+
226	232		Beaprint.AnsiPrint(
227	233		string.Format(formatString,
228	234		" UDP",
		skipped 25 lines
254	260
255	261		foreach (var udpConnectionInfo in NetworkInfoHelper.GetUdpConnections(IPVersion.IPv6, processesByPid))
256	262		{
	263	+	if (udpConnectionInfo.ProcessName == "dns") // Hundreds of them sometimes
	264	+	{
	265	+	continue;
	266	+	}
	267	+
257	268		Beaprint.AnsiPrint(
258	269		string.Format(formatString,
259	270		" UDP",
		skipped 164 lines

■ ■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs

		skipped 13 lines
14	14
15	15		new List<Action>
16	16		{
17		-	PrintInterestingProcesses,
	17	+	//PrintInterestingProcesses,
	18	+	PrintVulnLeakedHandlers,
18	19		}.ForEach(action => CheckRunner.Run(action, isDebug));
19	20		}
20	21
		skipped 61 lines
82	83		{
83	84		Beaprint.GrayPrint(ex.Message);
84	85		}
	86	+	}
	87	+
	88	+	void PrintVulnLeakedHandlers()
	89	+	{
	90	+	Beaprint.MainPrint("Vulnerable Leaked Handlers");
	91	+	Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation");
	92	+
	93	+	List<Dictionary<string, string>> vulnHandlers = ProcessesInfo.GetVulnHandlers();
	94	+	foreach (Dictionary<string, string> handler in vulnHandlers)
	95	+	{
	96	+	Dictionary<string, string> colors = new Dictionary<string, string>()
	97	+	{
	98	+	{ Checks.CurrentUserName, Beaprint.ansi_color_bad },
	99	+	{ handler["Reason"], Beaprint.ansi_color_bad },
	100	+	};
	101	+
	102	+	Beaprint.DictPrint(vulnHandlers, colors, true);
	103	+	}
	104	+
85	105		}
86	106		}
87	107		}
		skipped 1 lines

■ ■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

		skipped 78 lines
79	79		PrintInetInfo,
80	80		PrintDrivesInfo,
81	81		PrintWSUS,
	82	+	PrintKrbRelayUp,
	83	+	PrintInsideContainer,
82	84		PrintAlwaysInstallElevated,
83	85		PrintLSAInfo,
84	86		PrintNtlmSettings,
		skipped 501 lines
586	588		}
587	589		}
588	590
	591	+	static void PrintKrbRelayUp()
	592	+	{
	593	+	try
	594	+	{
	595	+	Beaprint.MainPrint("Checking KrbRelayUp");
	596	+	Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup");
	597	+
	598	+	if (Checks.CurrentAdDomainName.Length > 0)
	599	+	{
	600	+	Beaprint.BadPrint(" The system is inside a domain (" + Checks.CurrentAdDomainName + ") so it could be vulnerable.");
	601	+	Beaprint.InfoPrint("You can try https://github.com/DecOne/KrbRelayUp to escalate privileges");
	602	+	}
	603	+	else
	604	+	{
	605	+	Beaprint.GoodPrint(" The system isn't inside a domain, so it isn't vulnerable");
	606	+	}
	607	+	}
	608	+	catch (Exception ex)
	609	+	{
	610	+	Beaprint.PrintException(ex.Message);
	611	+	}
	612	+	}
	613	+
	614	+	static void PrintInsideContainer()
	615	+	{
	616	+	try
	617	+	{
	618	+	Beaprint.MainPrint("Checking If Inside Container");
	619	+	Beaprint.LinkPrint("", "If the binary cexecsvc.exe or associated service exists, you are inside Docker");
	620	+	Dictionary<string, object> regVal = RegistryHelper.GetRegValues("HKLM", @"System\CurrentControlSet\Services\cexecsvc");
	621	+	bool cexecsvcExist = File.Exists(Environment.SystemDirectory + @"\cexecsvc.exe");
	622	+	if (regVal != null \|\| cexecsvcExist)
	623	+	{
	624	+	Beaprint.BadPrint("You are inside a container");
	625	+	}
	626	+	else
	627	+	{
	628	+	Beaprint.GoodPrint("You are NOT inside a container");
	629	+	}
	630	+	}
	631	+	catch (Exception ex)
	632	+	{
	633	+	Beaprint.PrintException(ex.Message);
	634	+	}
	635	+	}
	636	+
589	637		static void PrintAlwaysInstallElevated()
590	638		{
591	639		try
		skipped 129 lines
721	769
722	770		try
723	771		{
724		-	string formatString = " {0,-100} {1}\n";
	772	+	string formatString = " {0,-100} {1,-70} {2}\n";
725	773
726		-	Beaprint.NoColorPrint(string.Format($"{formatString}", "Name", "Sddl"));
	774	+	Beaprint.NoColorPrint(string.Format($"{formatString}", "Name", "CurrentUserPerms", "Sddl"));
727	775
728	776		foreach (var namedPipe in NamedPipes.GetNamedPipeInfos())
729	777		{
730		-	Beaprint.BadPrint(string.Format(formatString, namedPipe.Name, namedPipe.Sddl));
	778	+	var colors = new Dictionary<string, string>
	779	+	{
	780	+	{namedPipe.CurrentUserPerms.Replace("[","\\[").Replace("]","\\]"), Beaprint.ansi_color_bad },
	781	+	};
	782	+
	783	+	Beaprint.AnsiPrint(string.Format(formatString, namedPipe.Name, namedPipe.CurrentUserPerms, namedPipe.Sddl), colors);
731	784		}
732	785		}
733	786		catch (Exception ex)
		skipped 419 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

		skipped 33 lines
34	34		private static string Advisory =
35	35		"winpeas should be used for authorized penetration testing and/or educational purposes only." +
36	36		"Any misuse of this software will not be the responsibility of the author or of any other collaborator. " +
37		-	"Use it at your own networks and/or with the network owner's permission.";
38		-
39		-	private static string Version = "ng";
	37	+	"Use it at your own devices and/or with the device owner's permission.";
40	38
41	39		/////////////////////////////////
42	40		///////// PRINT THINGS /////////
		skipped 3 lines
46	44		Console.WriteLine(BLUE + string.Format(@"
47	45		{0}((((((((((((((((((((((((((((((((
48	46		{0}(((((((((((((((((((((((((((((((((((((((((((
49		-	{0}(((((((((((((({2}**********/{1}##########{0}.((((((((((((
50		-	{0}(((((((((((/{2}********************/{1}#######{0}.((((((((((
51		-	{0}(((((((.{2}****************{3}/@@@@@/{0}{2}**{1}######{0}.(((((((((
52		-	{0}(((((.{2}******************{3}@@@@@@@@@@/{0}{2}*,{1}####{0}.(((((((((
53		-	{0}((((.{2}******************{3}/@@@@@%@@@@{0}{2}/******{1}##{0}(((((((((
54		-	{0}.(({1}############{2}*******{3}/%@@@@@@@@@{0}{2}/**********{0}.(((((((
55		-	{0}.({1}##################(/{2}****{3}/@@@@@{0}{2}/*************{0}.(((((
56		-	{0}.({1}#########################(/{2}**********************{0}.((((
57		-	{0}.({1}##############################(/{2}*****************{0}.((((
58		-	{0}.({1}###################################(/{2}************{0}.((((
59		-	{0}.({1}#######################################({2}*********{0}.((((
60		-	{0}.({1}#######(,.*.,(###################(...{2}******{0}.((((
61		-	{0}.({1}#######(#####((##################((######/({2}****{0}.((((
62		-	{0}.({1}###################(/***********(##############({0}).((((
63		-	{0}.(({1}#####################/*******(################{0})((((((
64		-	{0}.((({1}############################################{0}).(((((
65		-	{0}..((({1}##########################################{0}).((((((
66		-	{0}....(({1}########################################{0}).((((((
67		-	{0}......(({1}####################################{0}).(((((((
68		-	{0}((((((((({1}#################################{0}).((((((((
69		-	{0}(((((((((/{1}##########################{0}).((((((((
	47	+	{0}(((((((((((((({2}**********/{1}##########{0}(((((((((((((
	48	+	{0}(((((((((((({2}********************/{1}#######{0}(((((((((((
	49	+	{0}(((((((({2}****************{3}/@@@@@/{0}{2}**{1}######{0}((((((((((
	50	+	{0}(((((({2}******************{3}@@@@@@@@@@/{0}{2}*,{1}####{0}((((((((((
	51	+	{0}((((({2}******************{3}/@@@@@%@@@@/{0}{2}******{1}##{0}(((((((((
	52	+	{0}((({1}############{2}*******{3}/%@@@@@@@@@/{0}{2}**********{0}((((((((
	53	+	{0}(({1}##################(/{2}****{3}/@@@@@/{0}{2}*************{0}((((((
	54	+	{0}(({1}#########################(/{2}**********************{0}(((((
	55	+	{0}(({1}##############################(/{2}*****************{0}(((((
	56	+	{0}(({1}###################################(/{2}************{0}(((((
	57	+	{0}(({1}#######################################({2}*********{0}(((((
	58	+	{0}(({1}#######(,.*.,(###################(...{2}******{0}(((((
	59	+	{0}(({1}#######(#####((##################((######/({2}****{0}(((((
	60	+	{0}(({1}###################(/***********(##############({0})(((((
	61	+	{0}((({1}#####################/*******(################{0})((((((
	62	+	{0}(((({1}############################################{0})((((((
	63	+	{0}((((({1}##########################################{0})(((((((
	64	+	{0}(((((({1}########################################{0})(((((((
	65	+	{0}(((((((({1}####################################{0})((((((((
	66	+	{0}((((((((({1}#################################{0})(((((((((
	67	+	{0}(((((((((({1}##########################{0})(((((((((
70	68		{0}((((((((((((((((((((((((((((((((((((((
71	69		{0}((((((((((((((((((((((((((((((", LGREEN, GREEN, BLUE, NOCOLOR) + NOCOLOR);
72	70
		skipped 8 lines
81	79
82	80		// Patreon link
83	81		Console.WriteLine(GREEN + string.Format(@"
84		-	/---------------------------------------------------------------------------\
85		-	\| {1}Do you like PEASS?{0} \|
86		-	\|---------------------------------------------------------------------------\|
87		-	\| {3}Get latest WinPEAS{0} : {2}https://github.com/sponsors/carlospolop{0} \|
88		-	\| {3}Follow on Twitter{0} : {2}@carlospolopm{0} \|
89		-	\| {3}Respect on HTB{0} : {2}SirBroccoli & makikvues{0} \|
90		-	\|---------------------------------------------------------------------------\|
91		-	\| {1}Thank you!{0} \|
92		-	\---------------------------------------------------------------------------/
	82	+	/---------------------------------------------------------------------------------\
	83	+	\| {1}Do you like PEASS?{0} \|
	84	+	\|---------------------------------------------------------------------------------\|
	85	+	\| {3}Get the latest version{0} : {2}https://github.com/sponsors/carlospolop{0} \|
	86	+	\| {3}Follow on Twitter{0} : {2}@carlospolopm{0} \|
	87	+	\| {3}Respect on HTB{0} : {2}SirBroccoli {0} \|
	88	+	\|---------------------------------------------------------------------------------\|
	89	+	\| {1}Thank you!{0} \|
	90	+	\---------------------------------------------------------------------------------/
93	91		", GREEN, BLUE, RED, YELLOW) + NOCOLOR);
94	92
95	93		}
		skipped 5 lines
101	99		PrintBanner();
102	100		}
103	101
104		-	Console.WriteLine(YELLOW + " WinPEAS" + GREEN + Version + NOCOLOR + YELLOW + " by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)" + NOCOLOR);
	102	+	Console.WriteLine(YELLOW + " WinPEAS-ng" + NOCOLOR + YELLOW + " by @carlospolopm" + NOCOLOR);
105	103
106	104		PrintMarketingBanner();
107	105
		skipped 16 lines
124	122		public static void PrintUsage()
125	123		{
126	124		Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
127		-	Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
128		-	Console.WriteLine(LBLUE + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
129	125		Console.WriteLine(LBLUE + " domain" + GRAY + " Enumerate domain information" + NOCOLOR);
130	126		Console.WriteLine(LBLUE + " systeminfo" + GRAY + " Search system information" + NOCOLOR);
131	127		Console.WriteLine(LBLUE + " userinfo" + GRAY + " Search user information" + NOCOLOR);
		skipped 4 lines
136	132		Console.WriteLine(LBLUE + " windowscreds" + GRAY + " Search windows credentials" + NOCOLOR);
137	133		Console.WriteLine(LBLUE + " browserinfo" + GRAY + " Search browser information" + NOCOLOR);
138	134		Console.WriteLine(LBLUE + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR);
139		-	Console.WriteLine(LBLUE + " fileanalysis" + GRAY + " Search specific files that can contains credentials" + NOCOLOR);
	135	+	Console.WriteLine(LBLUE + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
140	136		Console.WriteLine(LBLUE + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
	137	+	Console.WriteLine();
	138	+	Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
	139	+	Console.WriteLine(LBLUE + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
	140	+	Console.WriteLine(LBLUE + " searchpf" + GRAY + " Search credentials via regex also in Program Files folders" + NOCOLOR);
141	141		Console.WriteLine(LBLUE + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR);
142	142		Console.WriteLine(LBLUE + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR);
143	143		Console.WriteLine(LBLUE + " log[=logfile]" + GRAY + $" Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
		skipped 86 lines
230	230		GrayPrint($" [X] Exception: {message}");
231	231		}
232	232
	233	+	public static void PrintNoNL(string message)
	234	+	{
	235	+	Console.Write(message);
	236	+	}
	237	+
233	238		public static void AnsiPrint(string to_print, Dictionary<string, string> ansi_colors_regexp)
234	239		{
235	240		if (to_print.Trim().Length > 0)
		skipped 33 lines
269	274		{
270	275		foreach (KeyValuePair<string, string> entry in dicprint)
271	276		{
272		-	if (delete_nulls && string.IsNullOrEmpty(entry.Value.Trim()))
	277	+	if (delete_nulls && (entry.Value == null \|\| string.IsNullOrEmpty(entry.Value.Trim())))
273	278		{
274	279		continue;
275	280		}
		skipped 19 lines
295	300		Console.WriteLine(line);
296	301		}
297	302		}
	303	+
298	304		public static void DictPrint(Dictionary<string, string> dicprint, bool delete_nulls)
299	305		{
300	306		if (dicprint.Count > 0)
		skipped 130 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Helpers/CustomFileInfo.cs

		skipped 4 lines
5	5		public string Filename { get; }
6	6		public string Extension { get; }
7	7		public string FullPath { get; }
	8	+	public long Size { get; }
8	9		public bool IsDirectory { get; }
9	10
10		-	public CustomFileInfo(string filename, string extension, string fullPath, bool isDirectory)
	11	+	public CustomFileInfo(string filename, string extension, string fullPath, long size, bool isDirectory)
11	12		{
12	13		Filename = filename;
13	14		Extension = extension;
14	15		FullPath = fullPath;
	16	+	Size = size;
15	17		IsDirectory = isDirectory;
16	18		}
17	19		}
		skipped 2 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Helpers/HandlesHelper.cs

1	+	using System;
2	+	using System.Collections.Generic;
3	+	using System.Diagnostics;
4	+	using System.Linq;
5	+	using System.Runtime.InteropServices;
6	+	using System.Security.Principal;
7	+	using System.Text;
8	+	using System.Threading.Tasks;
9	+
10	+	namespace winPEAS.Helpers
11	+	{
12	+	internal class HandlesHelper
13	+	{
14	+	private const int CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION = 64;
15	+	public const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
16	+	public const int DUPLICATE_SAME_ACCESS = 0x2;
17	+
18	+	[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
19	+	public struct FILE_NAME_INFO
20	+	{
21	+	public int FileNameLength;
22	+	[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 1000)]
23	+	public string FileName;
24	+	}
25	+
26	+	[StructLayout(LayoutKind.Sequential)]
27	+	public struct THREAD_BASIC_INFORMATION
28	+	{
29	+	public uint ExitStatus;
30	+	public IntPtr TebBaseAdress;
31	+	public CLIENT_ID ClientId;
32	+	public uint AffinityMask;
33	+	public uint Priority;
34	+	public uint BasePriority;
35	+	}
36	+
37	+	[StructLayout(LayoutKind.Sequential)]
38	+	public struct CLIENT_ID
39	+	{
40	+	public int UniqueProcess;
41	+	public int UniqueThread;
42	+	}
43	+
44	+	[StructLayout(LayoutKind.Sequential)]
45	+	public struct PROCESS_BASIC_INFORMATION
46	+	{
47	+	public int ExitStatus;
48	+	public IntPtr PebBaseAddress;
49	+	public IntPtr AffinityMask;
50	+	public int BasePriority;
51	+	public IntPtr UniqueProcessId;
52	+	public IntPtr InheritedFromUniqueProcessId;
53	+	}
54	+
55	+	[StructLayout(LayoutKind.Sequential)]
56	+	public struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
57	+	{
58	+	public IntPtr Object;
59	+	public UIntPtr UniqueProcessId;
60	+	public IntPtr HandleValue;
61	+	public uint GrantedAccess;
62	+	public ushort CreatorBackTraceIndex;
63	+	public ushort ObjectTypeIndex;
64	+	public uint HandleAttributes;
65	+	public uint Reserved;
66	+	}
67	+
68	+	[Flags]
69	+	public enum ProcessAccessFlags : uint
70	+	{
71	+	All = 0x001F0FFF,
72	+	Terminate = 0x00000001,
73	+	CreateThread = 0x00000002,
74	+	VMOperation = 0x00000008,
75	+	VMRead = 0x00000010,
76	+	VMWrite = 0x00000020,
77	+	DupHandle = 0x00000040,
78	+	SetInformation = 0x00000200,
79	+	QueryInformation = 0x00000400,
80	+	QueryLimitedInformation = 0x1000,
81	+	Synchronize = 0x00100000
82	+	}
83	+
84	+	[StructLayout(LayoutKind.Sequential)]
85	+	public struct OBJECT_BASIC_INFORMATION
86	+	{ // Information Class 0
87	+	public int Attributes;
88	+	public int GrantedAccess;
89	+	public int HandleCount;
90	+	public int PointerCount;
91	+	public int PagedPoolUsage;
92	+	public int NonPagedPoolUsage;
93	+	public int Reserved1;
94	+	public int Reserved2;
95	+	public int Reserved3;
96	+	public int NameInformationLength;
97	+	public int TypeInformationLength;
98	+	public int SecurityDescriptorLength;
99	+	public System.Runtime.InteropServices.ComTypes.FILETIME CreateTime;
100	+	}
101	+
102	+	[StructLayout(LayoutKind.Sequential)]
103	+	public struct UNICODE_STRING
104	+	{
105	+	public ushort Length;
106	+	public ushort MaximumLength;
107	+	public IntPtr Buffer;
108	+	}
109	+
110	+
111	+	[StructLayout(LayoutKind.Sequential)]
112	+	public struct OBJECT_NAME_INFORMATION
113	+	{ // Information Class 1
114	+	public UNICODE_STRING Name;
115	+	}
116	+
117	+	[StructLayout(LayoutKind.Sequential)]
118	+	public struct OBJECT_TYPE_INFORMATION
119	+	{ // Information Class 1
120	+	public UNICODE_STRING Name;
121	+	public ulong TotalNumberOfObjects;
122	+	public ulong TotalNumberOfHandles;
123	+	}
124	+
125	+	public enum ObjectInformationClass : int
126	+	{
127	+	ObjectBasicInformation = 0,
128	+	ObjectNameInformation = 1,
129	+	ObjectTypeInformation = 2,
130	+	ObjectAllTypesInformation = 3,
131	+	ObjectHandleInformation = 4
132	+	}
133	+
134	+	public struct VULNERABLE_HANDLER_INFO
135	+	{
136	+	public string handlerType;
137	+	public bool isVuln;
138	+	public string reason;
139	+	}
140	+
141	+	public struct PT_RELEVANT_INFO
142	+	{
143	+	public int pid;
144	+	public string name;
145	+	public string imagePath;
146	+	public string userName;
147	+	public string userSid;
148	+	}
149	+
150	+	public struct KEY_RELEVANT_INFO
151	+	{
152	+	public string hive;
153	+	public string path;
154	+	}
155	+
156	+
157	+
158	+
159	+
160	+
161	+
162	+
163	+
164	+
165	+	// Check if the given handler is exploitable
166	+	public static VULNERABLE_HANDLER_INFO checkExploitaible(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX h, string typeName)
167	+	{
168	+	VULNERABLE_HANDLER_INFO vulnHandler = new VULNERABLE_HANDLER_INFO();
169	+	vulnHandler.handlerType = typeName;
170	+
171	+	if (typeName == "process")
172	+	{
173	+	// Hex perms from https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights and https://github.com/buffer/maltracer/blob/master/defines.py
174	+
175	+	//PROCESS_ALL_ACCESS
176	+	if ((h.GrantedAccess & 0x001F0FFF) == h.GrantedAccess)
177	+	{
178	+	vulnHandler.isVuln = true;
179	+	vulnHandler.reason = "PROCESS_ALL_ACCESS";
180	+	}
181	+
182	+	//PROCESS_CREATE_PROCESS
183	+	else if ((h.GrantedAccess & 0x0080) == h.GrantedAccess)
184	+	{
185	+	vulnHandler.isVuln = true;
186	+	vulnHandler.reason = "PROCESS_CREATE_PROCESS";
187	+	}
188	+
189	+	//PROCESS_CREATE_THREAD
190	+	else if ((h.GrantedAccess & 0x0002) == h.GrantedAccess)
191	+	{
192	+	vulnHandler.isVuln = true;
193	+	vulnHandler.reason = "PROCESS_CREATE_THREAD";
194	+	}
195	+
196	+	//PROCESS_DUP_HANDLE
197	+	else if ((h.GrantedAccess & 0x0040) == h.GrantedAccess)
198	+	{
199	+	vulnHandler.isVuln = true;
200	+	vulnHandler.reason = "PROCESS_DUP_HANDLE";
201	+	}
202	+
203	+	//PROCESS_VM_WRITE
204	+	else if ((h.GrantedAccess & 0x0020) == h.GrantedAccess)
205	+	{
206	+	vulnHandler.isVuln = true;
207	+	vulnHandler.reason = "PROCESS_VM_WRITE";
208	+
209	+	if ((h.GrantedAccess & 0x0010) == h.GrantedAccess)
210	+	vulnHandler.reason += "& PROCESS_VM_READ";
211	+
212	+	if ((h.GrantedAccess & 0x0008) == h.GrantedAccess)
213	+	vulnHandler.reason += "& PROCESS_VM_OPERATION";
214	+	}
215	+	}
216	+
217	+	else if (typeName == "thread")
218	+	{
219	+	// Codes from https://docs.microsoft.com/en-us/windows/win32/procthread/thread-security-and-access-rights and https://github.com/x0r19x91/code-injection/blob/master/inject.asm
220	+
221	+	//THREAD_ALL_ACCESS
222	+	if ((h.GrantedAccess & 0x1f03ff) == h.GrantedAccess)
223	+	{
224	+	vulnHandler.isVuln = true;
225	+	vulnHandler.reason = "THREAD_ALL_ACCESS";
226	+	}
227	+
228	+	//THREAD_DIRECT_IMPERSONATION
229	+	else if ((h.GrantedAccess & 0x0200) == h.GrantedAccess)
230	+	{
231	+	vulnHandler.isVuln = true;
232	+	vulnHandler.reason = "THREAD_DIRECT_IMPERSONATION";
233	+	}
234	+
235	+	//THREAD_GET_CONTEXT & THREAD_SET_CONTEXT
236	+	else if (((h.GrantedAccess & 0x0008) == h.GrantedAccess) && ((h.GrantedAccess & 0x0010) == h.GrantedAccess))
237	+	{
238	+	vulnHandler.isVuln = true;
239	+	vulnHandler.reason = "THREAD_GET_CONTEXT & THREAD_SET_CONTEXT";
240	+	}
241	+	}
242	+
243	+	else if (typeName == "file")
244	+	{
245	+
246	+	string perm = PermissionsHelper.PermInt2Str((int)h.GrantedAccess, PermissionType.WRITEABLE_OR_EQUIVALENT);
247	+	if (perm != null && perm.Length> 0)
248	+	{
249	+	vulnHandler.isVuln = true;
250	+	vulnHandler.reason = perm;
251	+	}
252	+	}
253	+
254	+	else if (typeName == "key")
255	+	{
256	+	string perm = PermissionsHelper.PermInt2Str((int)h.GrantedAccess, PermissionType.WRITEABLE_OR_EQUIVALENT_REG);
257	+	if (perm != null && perm.Length > 0)
258	+	{
259	+	vulnHandler.isVuln = true;
260	+	vulnHandler.reason = perm;
261	+	}
262	+	}
263	+
264	+	else if (typeName == "section")
265	+	{
266	+	// Perms from
267	+	// https://docs.microsoft.com/en-us/windows/win32/secauthz/standard-access-rights
268	+	// https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
269	+	// https://github.com/lab52io/LeakedHandlesFinder/blob/master/LeakedHandlesFinder/LeakedHandlesFinder.cpp
270	+
271	+
272	+	//MAP_WRITE
273	+	if ((h.GrantedAccess & 0x2) == h.GrantedAccess)
274	+	{
275	+	vulnHandler.isVuln = true;
276	+	vulnHandler.reason = "MAP_WRITE (Research Needed)";
277	+	}
278	+	//DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER = STANDARD_RIGHTS_ALL
279	+	else if ((h.GrantedAccess & 0xf0000) == h.GrantedAccess)
280	+	{
281	+	vulnHandler.isVuln = true;
282	+	vulnHandler.reason = "STANDARD_RIGHTS_ALL (Research Needed)";
283	+	}
284	+	}
285	+
286	+	return vulnHandler;
287	+	}
288	+
289	+	// Given a found handler get what type is it.
290	+	public static string GetObjectType(IntPtr handle)
291	+	{
292	+	OBJECT_TYPE_INFORMATION basicType = new OBJECT_TYPE_INFORMATION();
293	+
294	+	try
295	+	{
296	+	IntPtr _basic = IntPtr.Zero;
297	+	string name;
298	+	int nameLength = 0;
299	+
300	+	try
301	+	{
302	+	_basic = Marshal.AllocHGlobal(0x1000);
303	+
304	+	Native.Ntdll.NtQueryObject(handle, (int)ObjectInformationClass.ObjectTypeInformation, _basic, 0x1000, ref nameLength);
305	+	basicType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(_basic, basicType.GetType());
306	+	name = Marshal.PtrToStringUni(basicType.Name.Buffer, basicType.Name.Length >> 1);
307	+	return name;
308	+	}
309	+	finally
310	+	{
311	+	if (_basic != IntPtr.Zero)
312	+	Marshal.FreeHGlobal(_basic);
313	+	}
314	+	}
315	+	catch { }
316	+
317	+	return null;
318	+	}
319	+
320	+	// Get the name of the handler (if any)
321	+	public static string GetObjectName(IntPtr handle)
322	+	{
323	+	OBJECT_BASIC_INFORMATION basicInfo = new OBJECT_BASIC_INFORMATION();
324	+	try
325	+	{
326	+
327	+	IntPtr _basic = IntPtr.Zero;
328	+	int nameLength = 0;
329	+
330	+	try
331	+	{
332	+	_basic = Marshal.AllocHGlobal(Marshal.SizeOf(basicInfo));
333	+
334	+	Native.Ntdll.NtQueryObject(handle, (int)ObjectInformationClass.ObjectBasicInformation, _basic, Marshal.SizeOf(basicInfo), ref nameLength);
335	+	basicInfo = (OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(_basic, basicInfo.GetType());
336	+	nameLength = basicInfo.NameInformationLength;
337	+	}
338	+	finally
339	+	{
340	+	if (_basic != IntPtr.Zero)
341	+	Marshal.FreeHGlobal(_basic);
342	+	}
343	+
344	+	if (nameLength == 0)
345	+	{
346	+	return null;
347	+	}
348	+
349	+	OBJECT_NAME_INFORMATION nameInfo = new OBJECT_NAME_INFORMATION();
350	+	IntPtr _objectName = Marshal.AllocHGlobal(nameLength);
351	+
352	+	try
353	+	{
354	+	while ((uint)(Native.Ntdll.NtQueryObject(handle, (int)ObjectInformationClass.ObjectNameInformation, _objectName, nameLength, ref nameLength)) == STATUS_INFO_LENGTH_MISMATCH)
355	+	{
356	+	Marshal.FreeHGlobal(_objectName);
357	+	_objectName = Marshal.AllocHGlobal(nameLength);
358	+	}
359	+	nameInfo = (OBJECT_NAME_INFORMATION)Marshal.PtrToStructure(_objectName, nameInfo.GetType());
360	+	}
361	+	finally
362	+	{
363	+	Marshal.FreeHGlobal(_objectName);
364	+	}
365	+
366	+	try
367	+	{
368	+	if (nameInfo.Name.Length > 0)
369	+	return Marshal.PtrToStringUni(nameInfo.Name.Buffer, nameInfo.Name.Length >> 1);
370	+	}
371	+	catch
372	+	{
373	+
374	+	}
375	+
376	+	return null;
377	+	}
378	+	catch { return null; }
379	+	}
380	+
381	+	// Get all handlers inside the system
382	+	public static List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> GetAllHandlers()
383	+	{
384	+	bool is_64 = Marshal.SizeOf(typeof(IntPtr)) == 8 ? true : false;
385	+	int infoLength = 0x10000;
386	+	int length = 0;
387	+	IntPtr _info = Marshal.AllocHGlobal(infoLength);
388	+	IntPtr _handle = IntPtr.Zero;
389	+	long handleCount = 0;
390	+
391	+
392	+	// Try to find the size
393	+	while ((Native.Ntdll.NtQuerySystemInformation(CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION, _info, infoLength, ref length)) == STATUS_INFO_LENGTH_MISMATCH)
394	+	{
395	+	infoLength = length;
396	+	Marshal.FreeHGlobal(_info);
397	+	_info = Marshal.AllocHGlobal(infoLength);
398	+	}
399	+
400	+
401	+	if (is_64)
402	+	{
403	+	handleCount = Marshal.ReadInt64(_info);
404	+	_handle = new IntPtr(_info.ToInt64() + 16);
405	+	}
406	+	else
407	+	{
408	+	handleCount = Marshal.ReadInt32(_info);
409	+	_handle = new IntPtr(_info.ToInt32() + 8);
410	+	}
411	+
412	+	SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleInfo = new SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX();
413	+	List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles = new List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>();
414	+
415	+	int infoSize = Marshal.SizeOf(handleInfo);
416	+	Type infoType = handleInfo.GetType();
417	+
418	+
419	+	for (long i = 0; i < handleCount; i++)
420	+	{
421	+	if (is_64)
422	+	{
423	+	handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType);
424	+	_handle = new IntPtr(_handle.ToInt64() + infoSize);
425	+	}
426	+	else
427	+	{
428	+	handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)Marshal.PtrToStructure(_handle, infoType);
429	+	_handle = new IntPtr(_handle.ToInt32() + infoSize);
430	+	}
431	+
432	+	handles.Add(handleInfo);
433	+	}
434	+
435	+	return handles;
436	+	}
437	+
438	+	// Get the owner of a process given the PID
439	+	public static Dictionary<string, string> GetProcU(Process p)
440	+	{
441	+	Dictionary<string, string> data = new Dictionary<string, string>();
442	+	data["name"] = "";
443	+	data["sid"] = "";
444	+	IntPtr pHandle = IntPtr.Zero;
445	+	try
446	+	{
447	+	Native.Advapi32.OpenProcessToken(p.Handle, 8, out pHandle);
448	+	WindowsIdentity WI = new WindowsIdentity(pHandle);
449	+	string uSEr = WI.Name;
450	+	string sid = WI.User.Value;
451	+	data["name"] = uSEr.Contains(@"\") ? uSEr.Substring(uSEr.IndexOf(@"\") + 1) : uSEr;
452	+	data["sid"] = sid;
453	+	return data;
454	+	}
455	+	catch
456	+	{
457	+	return data;
458	+	}
459	+	finally
460	+	{
461	+	if (pHandle != IntPtr.Zero)
462	+	{
463	+	Native.Kernel32.CloseHandle(pHandle);
464	+	}
465	+	}
466	+	}
467	+
468	+	// Get info of the process given the PID
469	+	public static PT_RELEVANT_INFO getProcInfoById(int pid)
470	+	{
471	+	PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO();
472	+
473	+	Process proc = Process.GetProcessById(pid);
474	+	Dictionary<string,string> user = GetProcU(proc);
475	+
476	+	StringBuilder fileName = new StringBuilder(2000);
477	+	Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000);
478	+
479	+	pri.pid = pid;
480	+	pri.name = proc.ProcessName;
481	+	pri.userName = user["name"];
482	+	pri.userSid = user["sid"];
483	+	pri.imagePath = fileName.ToString();
484	+
485	+	return pri;
486	+	}
487	+
488	+	// Get information of a handler of type process
489	+	public static PT_RELEVANT_INFO getProcessHandlerInfo(IntPtr handle)
490	+	{
491	+	PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO();
492	+	PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
493	+	IntPtr[] pbi_arr = new IntPtr[6];
494	+	int pid;
495	+
496	+
497	+	int retLength = 0;
498	+
499	+	// Try to find the size
500	+	uint status = (uint)Native.Ntdll.NtQueryInformationProcess(handle, 0, pbi_arr, 48, ref retLength);
501	+	if (status == 0)
502	+	{
503	+
504	+	//pbi.ExitStatus = (int)pbi_arr[0];
505	+	//pbi.PebBaseAddress = pbi_arr[1];
506	+	//pbi.AffinityMask = pbi_arr[2];
507	+	//pbi.BasePriority = (int)pbi_arr[3];
508	+	pbi.UniqueProcessId = pbi_arr[4];
509	+	//pbi.InheritedFromUniqueProcessId = pbi_arr[5];
510	+	pid = (int)pbi.UniqueProcessId;
511	+	}
512	+	else
513	+	{
514	+	pid = (int)Native.Kernel32.GetProcessId(handle);
515	+	}
516	+
517	+	if (pid == 0)
518	+	return pri;
519	+
520	+	return getProcInfoById(pid);
521	+	}
522	+
523	+	// Get information of a handler of type thread
524	+	public static PT_RELEVANT_INFO getThreadHandlerInfo(IntPtr handle)
525	+	{
526	+	PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO();
527	+	THREAD_BASIC_INFORMATION tbi = new THREAD_BASIC_INFORMATION();
528	+	IntPtr[] tbi_arr = new IntPtr[6];
529	+	int pid;
530	+
531	+
532	+	/* You could also get the PID using this method
533	+	int retLength = 0;
534	+	uint status = (uint)NtQueryInformationThread(handle, 0, tbi_arr, 48, ref retLength);
535	+	if (status != 0)
536	+	{
537	+	return pri;
538	+	}
539	+
540	+	pid = (int)GetProcessIdOfThread(handle);
541	+
542	+	CLIENT_ID ci = new CLIENT_ID();
543	+
544	+	tbi.ExitStatus = (uint)tbi_arr[0];
545	+	tbi.TebBaseAdress = tbi_arr[1];
546	+	tbi.ClientId = tbi_arr[2];
547	+	tbi.AffinityMask = (uint)tbi_arr[3];
548	+	tbi.Priority = (uint)tbi_arr[4];
549	+	tbi.BasePriority = (uint)tbi_arr[5];*/
550	+
551	+	pid = (int)Native.Kernel32.GetProcessIdOfThread(handle);
552	+	if (pid == 0)
553	+	return pri;
554	+
555	+	return getProcInfoById(pid);
556	+	}
557	+
558	+	// Get information of a handler of type key
559	+	public static KEY_RELEVANT_INFO getKeyHandlerInfo(IntPtr handle)
560	+	{
561	+	KEY_RELEVANT_INFO kri = new KEY_RELEVANT_INFO();
562	+	int retLength = 0;
563	+
564	+	// Get KeyNameInformation (3)
565	+	uint status = (uint)Native.Ntdll.NtQueryKey(handle, 3, null, 0, ref retLength);
566	+	var keyInformation = new byte[retLength];
567	+	status = (uint)Native.Ntdll.NtQueryKey(handle, 3, keyInformation, retLength, ref retLength);
568	+
569	+	string path = Encoding.Unicode.GetString(keyInformation, 4, keyInformation.Length - 4).ToLower();
570	+	string hive = "";
571	+
572	+	// https://groups.google.com/g/comp.os.ms-windows.programmer.win32/c/nCs-9zFRm6I
573	+	if (path.StartsWith(@"\registry\machine"))
574	+	{
575	+	path = path.Replace(@"\registry\machine", "");
576	+	hive = "HKLM";
577	+	}
578	+
579	+	else if (path.StartsWith(@"\registry\user"))
580	+	{
581	+	path = path.Replace(@"\registry\user", "");
582	+	hive = "HKU";
583	+	}
584	+
585	+	else
586	+	{ // This shouldn't be needed
587	+	if (path.StartsWith("\\"))
588	+	path = path.Substring(1);
589	+	hive = Helpers.Registry.RegistryHelper.CheckIfExists(path);
590	+	}
591	+
592	+	if (path.StartsWith("\\"))
593	+	path = path.Substring(1);
594	+
595	+	kri.hive = hive;
596	+	kri.path = path;
597	+
598	+	return kri;
599	+	}
600	+	}
601	+	}
602	+

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Helpers/ProgressBar.cs

1	+	using System;
2	+	using System.Text;
3	+	using System.Threading;
4	+
5	+	namespace winPEAS.Helpers
6	+	{
7	+	internal class ProgressBar : IDisposable, IProgress<double>
8	+	{
9	+	private const int blockCount = 10;
10	+	private readonly TimeSpan animationInterval = TimeSpan.FromSeconds(1.0 / 8);
11	+	private const string animation = @"\|/-\";
12	+
13	+	private readonly Timer timer;
14	+
15	+	private double currentProgress = 0;
16	+	private string currentText = string.Empty;
17	+	private bool disposed = false;
18	+	private int animationIndex = 0;
19	+
20	+	public ProgressBar()
21	+	{
22	+	timer = new Timer(TimerHandler, new object(), animationInterval, animationInterval);
23	+	}
24	+
25	+	public void Report(double value)
26	+	{
27	+	// Make sure value is in [0..1] range
28	+	value = Math.Max(0, Math.Min(1, value));
29	+	Interlocked.Exchange(ref currentProgress, value);
30	+	}
31	+
32	+	private void TimerHandler(object state)
33	+	{
34	+	lock (timer)
35	+	{
36	+	if (disposed) return;
37	+
38	+	int progressBlockCount = (int)(currentProgress * blockCount);
39	+	int percent = (int)(currentProgress * 100);
40	+	string text = string.Format("[{0}{1}] {2,3}% {3}",
41	+	new string('#', progressBlockCount), new string('-', blockCount - progressBlockCount),
42	+	percent,
43	+	animation[animationIndex++ % animation.Length]);
44	+	UpdateText(text);
45	+	}
46	+	}
47	+
48	+	private void UpdateText(string text)
49	+	{
50	+	// Get length of common portion
51	+	int commonPrefixLength = 0;
52	+	int commonLength = Math.Min(currentText.Length, text.Length);
53	+	while (commonPrefixLength < commonLength && text[commonPrefixLength] == currentText[commonPrefixLength])
54	+	{
55	+	commonPrefixLength++;
56	+	}
57	+
58	+	// Backtrack to the first differing character
59	+	StringBuilder outputBuilder = new StringBuilder();
60	+	outputBuilder.Append('\b', currentText.Length - commonPrefixLength);
61	+
62	+	// Output new suffix
63	+	outputBuilder.Append(text.Substring(commonPrefixLength));
64	+
65	+	// If the new text is shorter than the old one: delete overlapping characters
66	+	int overlapCount = currentText.Length - text.Length;
67	+	if (overlapCount > 0)
68	+	{
69	+	outputBuilder.Append(' ', overlapCount);
70	+	outputBuilder.Append('\b', overlapCount);
71	+	}
72	+
73	+	Console.Write(outputBuilder);
74	+	currentText = text;
75	+	}
76	+
77	+	public void Dispose()
78	+	{
79	+	lock (timer)
80	+	{
81	+	disposed = true;
82	+	UpdateText(string.Empty);
83	+	timer.Dispose();
84	+	}
85	+	}
86	+
87	+	}
88	+	}
89	+

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs

		skipped 11 lines
12	12		///////////////////////////////////////////
13	13		/// Functions related to obtain keys and values from the registry
14	14		/// Some parts adapted from Seatbelt
	15	+	public static Microsoft.Win32.RegistryKey GetReg(string hive, string path)
	16	+	{
	17	+	if (hive == "HKCU")
	18	+	return Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path);
	19	+
	20	+	else if (hive == "HKU")
	21	+	return Microsoft.Win32.Registry.Users.OpenSubKey(path);
	22	+
	23	+	else
	24	+	return Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
	25	+	}
	26	+
15	27		public static string GetRegValue(string hive, string path, string value)
16	28		{
17	29		// returns a single registry value under the specified path in the specified hive (HKLM/HKCU)
		skipped 155 lines
173	185		}
174	186
175	187		return null;
	188	+	}
	189	+
	190	+	public static string CheckIfExists(string path)
	191	+	{
	192	+	try
	193	+	{
	194	+	var key = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
	195	+	if (key != null)
	196	+	return "HKLM";
	197	+
	198	+	key = Microsoft.Win32.Registry.Users.OpenSubKey(path);
	199	+	if (key != null)
	200	+	return "HKU";
	201	+
	202	+	key = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path);
	203	+	if (key != null)
	204	+	return "HKCU";
	205	+
	206	+	return null;
	207	+	}
	208	+	catch
	209	+	{
	210	+	return null;
	211	+	}
176	212		}
177	213		}
178	214		}
		skipped 1 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs

		skipped 19 lines
20	20		public static string SystemDrive = Environment.GetEnvironmentVariable("SystemDrive");
21	21		private static string GlobalPattern = "*";
22	22
	23	+	public static List<string> StaticExtensions = new List<string>() {
	24	+	// archives
	25	+	".7z", ".tar", ".zip", ".gz",
	26	+
	27	+	// audio/video
	28	+	".avi", ".mp3", ".mp4", ".wav", ".wmf", ".wmv", ".ts", ".pak",
	29	+
	30	+	// icons
	31	+	".ico",
	32	+
	33	+	// fonts
	34	+	".eot", ".fnt", ".fon", ".otf", ".odttf", ".ttc", ".ttf", ".woff", "woff2", "woff3",
	35	+
	36	+	// images
	37	+	".bmp", ".emf", ".gif", ".pm",
	38	+	".jif", ".jfi", ".jfif", ".jpe", ".jpeg", ".jpg",
	39	+	".png", ".psd", ".raw", ".svg", ".svgz", ".tif", ".tiff", ".webp",
	40	+	};
	41	+
23	42		public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null, bool isFoldersIncluded = false)
24	43		{
25	44		ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
		skipped 26 lines
52	71		Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded), (dir) =>
53	72		{
54	73		GetFiles(dir.FullName, pattern).ForEach(
55		-	(f) => {
56		-	CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, false);
57		-	files.Add(file_info);
	74	+	(f) =>
	75	+	{
	76	+	if (!StaticExtensions.Contains(f.Extension.ToLower()))
	77	+	{
	78	+	// It should always be lesss than 260, but some times it isn't so this will bypass that file
	79	+	if (f.FullName.Length <= 260)
	80	+	{
	81	+	CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false);
	82	+	files.Add(file_info);
58	83
59		-	CustomFileInfo file_dir = new CustomFileInfo(f.Directory.Name, "", f.Directory.FullName, true);
60		-	if (!known_dirs.Contains(file_dir.FullPath))
61		-	{
62		-	known_dirs.Add(file_dir.FullPath);
63		-	files.Add(file_dir);
	84	+	CustomFileInfo file_dir = new CustomFileInfo(f.Directory.Name, "", f.Directory.FullName, 0, true);
	85	+	if (!known_dirs.Contains(file_dir.FullPath))
	86	+	{
	87	+	known_dirs.Add(file_dir.FullPath);
	88	+	files.Add(file_dir);
	89	+	}
	90	+	}
64	91		}
65		-	}
	92	+	}
66	93		) ;
67	94		});
68	95		});
		skipped 73 lines
142	169		{
143	170		foreach (var directory in directories)
144	171		{
145		-	files.Add(new CustomFileInfo(directory.Name, null, directory.FullName, true));
	172	+	files.Add(new CustomFileInfo(directory.Name, null, directory.FullName, 0, true));
146	173		}
147	174		}
148	175
149	176		foreach (var f in dirInfo.GetFiles(pattern))
150	177		{
151		-	files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName, false));
	178	+	if (!StaticExtensions.Contains(f.Extension.ToLower()))
	179	+	files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false));
152	180		}
153	181
154	182		if (directories.Length > 1) return new List<DirectoryInfo>(directories);
		skipped 290 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Helpers/YamlConfig/YamlConfig.cs

		skipped 1 lines
2	2
3	3		namespace winPEAS.Helpers.YamlConfig
4	4		{
	5	+	public class YamlRegexConfig
	6	+	{
	7	+	public class RegularExpressions
	8	+	{
	9	+	public string name { get; set; }
	10	+	public RegularExpression[] regexes { get; set; }
	11	+	public class RegularExpression {
	12	+	public string name { get; set; }
	13	+	public string regex { get; set; }
	14	+
	15	+	public bool caseinsensitive { get; set; }
	16	+
	17	+	public string disable { get; set; }
	18	+	}
	19	+	}
	20	+
	21	+	public RegularExpressions[] regular_expresions { get; set; }
	22	+	}
5	23		public class YamlConfig
6	24		{
7	25
		skipped 16 lines
24	42		public bool? remove_empty_lines { get; set; }
25	43		// public string remove_path { get; set; } // not used in Winpeas
26	44		public string remove_regex { get; set; }
	45	+	public string remove_path { get; set; }
27	46		// public string[] search_in { get; set; } // not used in Winpeas
28	47		public string type { get; set; }
29	48		public FileParam[] files { get; set; }
		skipped 54 lines

■ ■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Helpers/YamlConfig/YamlConfigHelper.cs

		skipped 3 lines
4	4		using System.Reflection;
5	5		using System.Linq;
6	6		using static winPEAS.Helpers.YamlConfig.YamlConfig;
	7	+	using static winPEAS.Helpers.YamlConfig.YamlRegexConfig;
	8	+
7	9
8	10		namespace winPEAS.Helpers.YamlConfig
9	11		{
10	12		internal class YamlConfigHelper
11	13		{
	14	+	const string REGEXES_FILES = "regexes.yaml";
12	15		const string SENSITIVE_FILES = "sensitive_files.yaml";
13	16
	17	+	public static YamlRegexConfig GetRegexesSearchConfig()
	18	+	{
	19	+	var assembly = Assembly.GetExecutingAssembly();
	20	+	var resourceName = assembly.GetManifestResourceNames().Where(i => i.EndsWith(REGEXES_FILES)).FirstOrDefault();
	21	+
	22	+	try
	23	+	{
	24	+	using (Stream stream = assembly.GetManifestResourceStream(resourceName))
	25	+	using (StreamReader reader = new StreamReader(stream))
	26	+	{
	27	+	string configFileContent = reader.ReadToEnd();
	28	+
	29	+	YamlSerializer yamlSerializer = new YamlSerializer();
	30	+	YamlRegexConfig yamlConfig = (YamlRegexConfig)yamlSerializer.Deserialize(configFileContent, typeof(YamlRegexConfig))[0];
	31	+
	32	+	// check
	33	+	if (yamlConfig.regular_expresions == null \|\| yamlConfig.regular_expresions.Length == 0)
	34	+	{
	35	+	throw new System.Exception("No configuration was read");
	36	+	}
	37	+
	38	+	return yamlConfig;
	39	+
	40	+	}
	41	+	}
	42	+	catch (System.Exception e)
	43	+	{
	44	+	Beaprint.PrintException($"An exception occured while parsing regexes.yaml configuration file: {e.Message}");
	45	+
	46	+	throw;
	47	+	}
	48	+	}
	49	+
14	50		public static YamlConfig GetWindowsSearchConfig()
15	51		{
16	52		var assembly = Assembly.GetExecutingAssembly();
		skipped 35 lines
52	88		}
53	89		catch (System.Exception e)
54	90		{
55		-	Beaprint.PrintException($"An exception occured while parsing YAML configuration file: {e.Message}");
	91	+	Beaprint.PrintException($"An exception occured while parsing sensitive_files.yaml configuration file: {e.Message}");
56	92
57	93		throw;
58	94		}
		skipped 19 lines
78	114		value.only_bad_lines = GetValueOrDefault(value.only_bad_lines, defaults.only_bad_lines);
79	115		value.remove_empty_lines = GetValueOrDefault(value.remove_empty_lines, defaults.remove_empty_lines);
80	116		value.remove_regex = GetValueOrDefault(value.remove_regex, defaults.remove_regex);
	117	+	value.remove_path = GetValueOrDefault(value.remove_path, defaults.remove_path);
81	118		value.type = GetValueOrDefault(value.type, defaults.type).ToLower();
82	119
83	120		if (value.files != null)
		skipped 28 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkInfoHelper.cs

		skipped 347 lines
348	348		MIB_TCPROW_OWNER_PID tcpRow = (MIB_TCPROW_OWNER_PID)Marshal.PtrToStructure(tableRowPtr, typeof(MIB_TCPROW_OWNER_PID));
349	349
350	350		// Add row to list of TcpConnetions.
	351	+	string proc_name = GetProcessNameByPid(tcpRow.owningPid, processesByPid);
	352	+	if (proc_name == "Idle")
	353	+	{ //Sometime too many Idle connections that doesn't provide sensitive info
	354	+	continue;
	355	+	}
	356	+
351	357		tcpTableRecords.Add(new TcpConnectionInfo(
352	358		Protocol.TCP,
353	359		new IPAddress(tcpRow.localAddr),
		skipped 6 lines
360	366		tcpRow.remotePort[0] }, 0),
361	367		tcpRow.owningPid,
362	368		tcpRow.state,
363		-	GetProcessNameByPid(tcpRow.owningPid, processesByPid)));
	369	+	proc_name));
364	370
365	371		tableRowPtr = (IntPtr)((long)tableRowPtr + Marshal.SizeOf(tcpRow));
366	372		}
		skipped 10 lines
377	383		{
378	384		MIB_TCP6ROW_OWNER_PID tcpRow = (MIB_TCP6ROW_OWNER_PID)Marshal.PtrToStructure(tableRowPtr, typeof(MIB_TCP6ROW_OWNER_PID));
379	385
	386	+	string proc_name = GetProcessNameByPid(tcpRow.owningPid, processesByPid);
	387	+	if (proc_name == "Idle")
	388	+	{ //Sometime too many Idle connections that doesn't provide sensitive info
	389	+	continue;
	390	+	}
	391	+
380	392		tcpTableRecords.Add(new TcpConnectionInfo(
381	393		Protocol.TCP,
382	394		new IPAddress(tcpRow.localAddr, tcpRow.localScopeId),
		skipped 6 lines
389	401		tcpRow.remotePort[0] }, 0),
390	402		tcpRow.owningPid,
391	403		tcpRow.state,
392		-	GetProcessNameByPid(tcpRow.owningPid, processesByPid)));
	404	+	proc_name));
393	405
394	406		tableRowPtr = (IntPtr)((long)tableRowPtr + Marshal.SizeOf(tcpRow));
395	407		}
		skipped 139 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/ProcessesInfo.cs

1		-	using System;
	1	+	using Microsoft.Win32;
	2	+	using System;
2	3		using System.Collections.Generic;
3	4		using System.Diagnostics;
4	5		using System.Linq;
5	6		using System.Management;
	7	+	using System.Runtime.InteropServices;
6	8		using System.Security.Principal;
	9	+	using System.Text;
7	10		using System.Text.RegularExpressions;
	11	+	using System.Threading.Tasks;
8	12		using winPEAS.Helpers;
9		-	using winPEAS.Native;
10	13
11	14		namespace winPEAS.Info.ProcessInfo
12	15		{
13	16		internal class ProcessesInfo
14	17		{
15		-	private static string GetProcU(Process p)
16		-	{
17		-	IntPtr pHandle = IntPtr.Zero;
18		-	try
19		-	{
20		-	Advapi32.OpenProcessToken(p.Handle, 8, out pHandle);
21		-	WindowsIdentity WI = new WindowsIdentity(pHandle);
22		-	String uSEr = WI.Name;
23		-	return uSEr.Contains(@"\") ? uSEr.Substring(uSEr.IndexOf(@"\") + 1) : uSEr;
24		-	}
25		-	catch
26		-	{
27		-	return null;
28		-	}
29		-	finally
30		-	{
31		-	if (pHandle != IntPtr.Zero)
32		-	{
33		-	Kernel32.CloseHandle(pHandle);
34		-	}
35		-	}
36		-	}
37		-
38	18		// TODO: check out https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna#L10
39	19		public static List<Dictionary<string, string>> GetProcInfo()
40	20		{
		skipped 12 lines
53	33		Proc = p,
54	34		Pth = (string)mo["ExecutablePath"],
55	35		CommLine = (string)mo["CommandLine"],
56		-	Owner = GetProcU(p), //Needed inside the next foreach
	36	+	Owner = Helpers.HandlesHelper.GetProcU(p)["name"], //Needed inside the next foreach
57	37		};
58	38
59	39		foreach (var itm in queRy)
		skipped 33 lines
93	73		Beaprint.PrintException(ex.Message);
94	74		}
95	75		return f_results;
	76	+	}
	77	+
	78	+	public static List<Dictionary<string, string>> GetVulnHandlers()
	79	+	{
	80	+	List<Dictionary<string, string>> vulnHandlers = new List<Dictionary<string, string>>();
	81	+	List<HandlesHelper.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handlers = HandlesHelper.GetAllHandlers();
	82	+	List<string> interestingHandlerTypes = new List<string>() { "file", "key", "process", "thread" }; //section
	83	+
	84	+	foreach (HandlesHelper.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX h in handlers)
	85	+	{
	86	+	// skip some objects to avoid getting stuck
	87	+	// see: https://github.com/adamdriscoll/PoshInternals/issues/7
	88	+	if (h.GrantedAccess == 0x0012019f
	89	+	\|\| h.GrantedAccess == 0x00120189
	90	+	\|\| h.GrantedAccess == 0x120089
	91	+	\|\| h.GrantedAccess == 0x1A019F)
	92	+	continue;
	93	+
	94	+	IntPtr dupHandle;
	95	+	IntPtr _processHandle = Native.Kernel32.OpenProcess(HandlesHelper.ProcessAccessFlags.DupHandle \| HandlesHelper.ProcessAccessFlags.QueryInformation, false, h.UniqueProcessId);
	96	+
	97	+	if (_processHandle == (IntPtr)0)
	98	+	continue;
	99	+
	100	+	uint status = (uint)Native.Ntdll.NtDuplicateObject(
	101	+	_processHandle,
	102	+	h.HandleValue,
	103	+	Native.Kernel32.GetCurrentProcess(),
	104	+	out dupHandle,
	105	+	0,
	106	+	false,
	107	+	HandlesHelper.DUPLICATE_SAME_ACCESS);
	108	+
	109	+	Native.Kernel32.CloseHandle(_processHandle);
	110	+
	111	+	if (status != 0)
	112	+	continue;
	113	+
	114	+	string typeName = HandlesHelper.GetObjectType(dupHandle).ToLower();
	115	+	if (interestingHandlerTypes.Contains(typeName))
	116	+	{
	117	+	HandlesHelper.VULNERABLE_HANDLER_INFO handlerExp = HandlesHelper.checkExploitaible(h, typeName);
	118	+	if (handlerExp.isVuln == true)
	119	+	{
	120	+	HandlesHelper.PT_RELEVANT_INFO origProcInfo = HandlesHelper.getProcInfoById((int)h.UniqueProcessId);
	121	+	if (!Checks.Checks.CurrentUserSiDs.ContainsKey(origProcInfo.userSid))
	122	+	continue;
	123	+
	124	+	string hName = HandlesHelper.GetObjectName(dupHandle);
	125	+
	126	+	Dictionary<string, string> to_add = new Dictionary<string, string>();
	127	+	to_add["Handle Name"] = hName;
	128	+	to_add["Handle"] = h.HandleValue.ToString() + "(" + typeName + ")";
	129	+	to_add["Handle Owner"] = "Pid is " + h.UniqueProcessId.ToString() + "(" + origProcInfo.name + ") with owner: " + origProcInfo.userName;
	130	+	to_add["Reason"] = handlerExp.reason;
	131	+
	132	+	if (typeName == "process" \|\| typeName == "thread")
	133	+	{
	134	+	HandlesHelper.PT_RELEVANT_INFO hInfo;
	135	+	if (typeName == "process")
	136	+	{
	137	+	hInfo = HandlesHelper.getProcessHandlerInfo(dupHandle);
	138	+	}
	139	+
	140	+	else //Thread
	141	+	{
	142	+	hInfo = HandlesHelper.getThreadHandlerInfo(dupHandle);
	143	+	}
	144	+
	145	+	// If the privileged access is from a proc to itself, or to a process of the same user, not a privesc
	146	+	if (hInfo.pid == 0 \|\|
	147	+	(int)h.UniqueProcessId == hInfo.pid \|\|
	148	+	origProcInfo.userSid == hInfo.userSid)
	149	+	continue;
	150	+
	151	+	to_add["Handle PID"] = hInfo.pid.ToString() + "(" + hInfo.userName + ")";
	152	+	}
	153	+
	154	+	else if (typeName == "file")
	155	+	{
	156	+	//StringBuilder filePath = new StringBuilder(2000);
	157	+	//HandlersHelper.GetFinalPathNameByHandle(dupHandle, filePath, 2000, 0);
	158	+
	159	+	HandlesHelper.FILE_NAME_INFO fni = new HandlesHelper.FILE_NAME_INFO();
	160	+
	161	+	// Sometimes both GetFileInformationByHandle and GetFileInformationByHandleEx hangs
	162	+	// So a timeput of 1s is put to the function to prevent that
	163	+	var task = Task.Run(() =>
	164	+	{
	165	+	// FILE_NAME_INFO (2)
	166	+	return Native.Kernel32.GetFileInformationByHandleEx(dupHandle, 2, out fni, (uint)Marshal.SizeOf(fni));
	167	+	});
	168	+
	169	+	bool isCompletedSuccessfully = task.Wait(TimeSpan.FromMilliseconds(1000));
	170	+
	171	+	if (!isCompletedSuccessfully)
	172	+	{
	173	+	//throw new TimeoutException("The function has taken longer than the maximum time allowed.");
	174	+	continue;
	175	+	}
	176	+
	177	+	string sFilePath = fni.FileName;
	178	+	if (sFilePath.Length == 0)
	179	+	continue;
	180	+
	181	+	List<string> permsFile = PermissionsHelper.GetPermissionsFile(sFilePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
	182	+	try
	183	+	{
	184	+	System.Security.AccessControl.FileSecurity fs = System.IO.File.GetAccessControl(sFilePath);
	185	+	IdentityReference sid = fs.GetOwner(typeof(SecurityIdentifier));
	186	+	string ownerName = sid.Translate(typeof(NTAccount)).ToString();
	187	+
	188	+	// If current user already have permissions over that file or the proc belongs to the owner of the file,
	189	+	// handler not interesting to elevate privs
	190	+	if (permsFile.Count > 0 \|\| origProcInfo.userSid == sid.Value)
	191	+	continue;
	192	+
	193	+	to_add["File Path"] = sFilePath;
	194	+	to_add["File Owner"] = ownerName;
	195	+	}
	196	+	catch (System.IO.FileNotFoundException)
	197	+	{
	198	+	// File wasn't found
	199	+	continue;
	200	+	}
	201	+	catch (System.InvalidOperationException)
	202	+	{
	203	+	continue;
	204	+	}
	205	+
	206	+	}
	207	+
	208	+	else if (typeName == "key")
	209	+	{
	210	+	HandlesHelper.KEY_RELEVANT_INFO kri = HandlesHelper.getKeyHandlerInfo(dupHandle);
	211	+	if (kri.path.Length == 0 && kri.hive != null && kri.hive.Length> 0)
	212	+	continue;
	213	+
	214	+	RegistryKey regKey = Helpers.Registry.RegistryHelper.GetReg(kri.hive, kri.path);
	215	+	if (regKey == null)
	216	+	continue;
	217	+
	218	+	List<string> permsReg = PermissionsHelper.GetMyPermissionsR(regKey, Checks.Checks.CurrentUserSiDs);
	219	+
	220	+	// If current user already have permissions over that reg, handle not interesting to elevate privs
	221	+	if (permsReg.Count > 0)
	222	+	continue;
	223	+
	224	+	to_add["Registry"] = kri.hive + "\\" + kri.path;
	225	+	}
	226	+
	227	+
	228	+	vulnHandlers.Add(to_add);
	229	+	}
	230	+	}
	231	+	}
	232	+
	233	+	return vulnHandlers;
96	234		}
97	235		}
98	236		}
		skipped 1 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/NamedPipes/NamedPipeInfo.cs

		skipped 3 lines
4	4		{
5	5		public string Name { get; }
6	6		public string Sddl { get; }
	7	+	public string CurrentUserPerms { get; }
7	8
8		-	public NamedPipeInfo(string name, string sddl)
	9	+	public NamedPipeInfo(string name, string sddl, string currentUserPerms)
9	10		{
10	11		Name = name;
11	12		Sddl = sddl;
	13	+	CurrentUserPerms = currentUserPerms;
12	14		}
13	15		}
14	16		}
		skipped 1 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/NamedPipes/NamedPipes.cs

		skipped 2 lines
3	3		using System.Runtime.InteropServices;
4	4		using System.Security.AccessControl;
5	5		using winPEAS.Native;
	6	+	using System.Security.Principal;
	7	+
6	8
7	9		namespace winPEAS.Info.SystemInfo.NamedPipes
8	10		{
		skipped 33 lines
42	44		foreach (var namedPipe in namedPipes)
43	45		{
44	46		string sddl;
	47	+	string currentUserPerms;
45	48		bool isError = false;
46	49
47	50		try
48	51		{
49	52		var security = File.GetAccessControl($"\\\\.\\pipe\\{namedPipe}");
50	53		sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
	54	+	List<string> currentUserPermsList = winPEAS.Helpers.PermissionsHelper.GetMyPermissionsF(security, winPEAS.Checks.Checks.CurrentUserSiDs);
	55	+	currentUserPerms = string.Join(", ", currentUserPermsList);
51	56		}
52	57		catch
53	58		{
54	59		isError = true;
55	60		sddl = "ERROR";
	61	+	currentUserPerms = "ERROR";
56	62		}
57	63
58	64		if (!isError && !string.IsNullOrEmpty(sddl))
59	65		{
60		-	yield return new NamedPipeInfo(namedPipe, sddl);
	66	+	yield return new NamedPipeInfo(namedPipe, sddl, currentUserPerms);
61	67		}
62	68		}
63	69		}
		skipped 3 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs

		skipped 159 lines
160	160		{
161	161		Dictionary<string, string> results = new Dictionary<string, string>();
162	162		string whitelistpaths = "";
	163	+
163	164		try
164	165		{
165		-	whitelistpaths = String.Join("\n ", RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths").Keys);
	166	+	var keys = RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths");
	167	+	if (keys != null)
	168	+	whitelistpaths = String.Join("\n ", keys.Keys);
	169	+
166	170		using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct"))
167	171		{
168	172		using (var data = wmiData.Get())
		skipped 328 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Native/Kernel32.cs

1	1		using System;
2	2		using System.Runtime.ConstrainedExecution;
3	3		using System.Runtime.InteropServices;
	4	+	using System.Text;
4	5		using winPEAS.Info.SystemInfo.NamedPipes;
5	6
6	7		namespace winPEAS.Native
		skipped 59 lines
66	67
67	68		[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
68	69		internal static extern int GetPrivateProfileString(string? section, string? key, string defaultValue, [In, Out] char[] value, int size, string filePath);
	70	+
	71	+	[DllImport("kernel32.dll")]
	72	+	public static extern IntPtr OpenProcess(Helpers.HandlesHelper.ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
	73	+
	74	+	[DllImport("kernel32.dll")]
	75	+	public static extern IntPtr OpenProcess(Helpers.HandlesHelper.ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, UIntPtr dwProcessId);
	76	+
	77	+	[DllImport("kernel32.dll", SetLastError = true)]
	78	+	[return: MarshalAs(UnmanagedType.Bool)]
	79	+	public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, ushort hSourceHandle, IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle, uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);
	80	+
	81	+	[DllImport("kernel32.dll", SetLastError = true)]
	82	+	[return: MarshalAs(UnmanagedType.Bool)]
	83	+	public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, IntPtr hSourceHandle, IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle, uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);
	84	+
	85	+	[DllImport("kernel32.dll", SetLastError = true)]
	86	+	public static extern uint GetProcessIdOfThread(IntPtr handle);
	87	+
	88	+	[DllImport("kernel32.dll", SetLastError = true)]
	89	+	public static extern uint GetProcessId(IntPtr handle);
	90	+
	91	+	[DllImport("Kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
	92	+	public static extern uint GetFinalPathNameByHandle(IntPtr hFile, [MarshalAs(UnmanagedType.LPTStr)] StringBuilder lpszFilePath, uint cchFilePath, uint dwFlags);
	93	+
	94	+	[DllImport("kernel32.dll", SetLastError = true)]
	95	+	public static extern uint GetFileInformationByHandleEx(IntPtr hFile, int infoClass, out Helpers.HandlesHelper.FILE_NAME_INFO lpFileInformation, uint dwBufferSize);
	96	+
	97	+	[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
	98	+	public static extern unsafe int GetFullPathName(string lpFileName, int nBufferLength, [Out, MarshalAs(UnmanagedType.LPTStr)] StringBuilder lpBuffer, [Out, MarshalAs(UnmanagedType.LPTStr)] StringBuilder lpFilePart);
69	99
70	100		}
71	101		}
		skipped 1 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Native/Ntdll.cs

1	+	using System;
2	+	using System.Runtime.ConstrainedExecution;
3	+	using System.Runtime.InteropServices;
4	+	using winPEAS.Info.SystemInfo.NamedPipes;
5	+
6	+	namespace winPEAS.Native
7	+	{
8	+	internal class Ntdll
9	+	{
10	+	[DllImport("ntdll.dll")]
11	+	public static extern int NtQueryObject(IntPtr ObjectHandle, int ObjectInformationClass, IntPtr ObjectInformation, int ObjectInformationLength, ref int returnLength);
12	+
13	+	[DllImport("ntdll.dll")]
14	+	public static extern uint NtQuerySystemInformation(int SystemInformationClass, IntPtr SystemInformation, int SystemInformationLength, ref int returnLength);
15	+
16	+	[DllImport("ntdll.dll")]
17	+	internal static extern int NtQueryInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass, IntPtr[] ProcessInformation, int ProcessInformationLength, ref int ReturnLength);
18	+
19	+	[DllImport("ntdll.dll")]
20	+	internal static extern int NtQueryInformationThread(IntPtr hThread, int ThreadInformationClass, IntPtr[] ThreadInformation, int ThreadInformationLength, ref int ReturnLength);
21	+
22	+	[DllImport("ntdll.dll")]
23	+	internal static extern int NtDuplicateObject(IntPtr hSourceProcessHandle, IntPtr hSourceHandle, IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle, uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, ulong dwOptions);
24	+
25	+	[DllImport("ntdll.dll")]
26	+	public static extern uint NtQueryKey(IntPtr KeyHandle, int KeyInformationClass, byte[] KeyInformation, int Length, ref int ResultLength);
27	+	}
28	+	}
29	+

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/Native/Psapi.cs

		skipped 25 lines
26	26		StringBuilder name,
27	27		UInt32 nameSize
28	28		);
	29	+
	30	+	[DllImport("psapi.dll")]
	31	+	internal static extern uint GetProcessImageFileName(
	32	+	IntPtr hProcess,
	33	+	[Out] StringBuilder lpImageFileName,
	34	+	[In][MarshalAs(UnmanagedType.U4)] int nSize
	35	+	);
29	36		}
30	37		}
31	38

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/winPEAS.csproj

		skipped 421 lines
422	422		<Compile Include="Helpers\AppLocker\AppLockerRules.cs" />
423	423		<Compile Include="Helpers\AppLocker\IAppIdPolicyHandler.cs" />
424	424		<Compile Include="Helpers\AppLocker\SharpAppLocker.cs" />
	425	+	<Compile Include="Helpers\HandlesHelper.cs" />
	426	+	<Compile Include="Helpers\ProgressBar.cs" />
425	427		<Compile Include="Helpers\CredentialManager\Credential.cs" />
426	428		<Compile Include="Helpers\CredentialManager\CredentialManager.cs" />
427	429		<Compile Include="Helpers\CredentialManager\CredentialType.cs" />
		skipped 163 lines
591	593		<Compile Include="Native\Enums\UserPrivType.cs" />
592	594		<Compile Include="Native\Enums\WTS_INFO_CLASS.cs" />
593	595		<Compile Include="Native\Iphlpapi.cs" />
	596	+	<Compile Include="Native\Ntdll.cs" />
594	597		<Compile Include="Native\Kernel32.cs" />
595	598		<Compile Include="Native\Netapi32.cs" />
596	599		<Compile Include="Native\Ntdsapi.cs" />
		skipped 89 lines
686	689		<Compile Include="Wifi\NativeWifiApi\WlanClient.cs" />
687	690		</ItemGroup>
688	691		<ItemGroup>
	692	+	<EmbeddedResource Include="..\..\..\build_lists\regexes.yaml">
	693	+	<Link>regexes.yaml</Link>
	694	+	</EmbeddedResource>
	695	+	<EmbeddedResource Include="..\..\..\build_lists\sensitive_files.yaml">
	696	+	<Link>sensitive_files.yaml</Link>
	697	+	</EmbeddedResource>
689	698		<None Include="App.config" />
690	699		<None Include="TaskScheduler\V1\TaskSchedulerV1Schema.xsd">
691	700		<SubType>Designer</SubType>
		skipped 3 lines
695	704		</None>
696	705		</ItemGroup>
697	706		<ItemGroup>
698		-	<EmbeddedResource Include="..\..\..\build_lists\sensitive_files.yaml" />
699	707		<EmbeddedResource Include="Properties\Resources.de.resx" />
700	708		<EmbeddedResource Include="Properties\Resources.es.resx" />
701	709		<EmbeddedResource Include="Properties\Resources.fr.resx" />
		skipped 23 lines

■ ■ ■ ■ ■ ■

winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user

		skipped 4 lines
5	5		</StartArguments>
6	6		</PropertyGroup>
7	7		<PropertyGroup Condition="'$(Configuration)\|$(Platform)' == 'Debug\|AnyCPU'">
8		-	<StartArguments>fileAnalysis</StartArguments>
	8	+	<StartArguments>fileanalysis</StartArguments>
9	9		</PropertyGroup>
10	10		<PropertyGroup Condition="'$(Configuration)\|$(Platform)' == 'Debug\|x64'">
11	11		<StartArguments>debug</StartArguments>
		skipped 23 lines

update