iamtheky

SHGetFileInfo

3 posts in this topic

#1 ·  Posted (edited)

#RequireAdmin
; Disable WOW64 file-system redirection so a 32-bit AutoIt sees the real System32.
; The parameter receives the previous redirection state, so it must be a pointer, not the literal 1.
DllCall("kernel32.dll", "bool", "Wow64DisableWow64FsRedirection", "ptr*", 0)

#include <Array.au3>
#include <File.au3>
#include <WinAPI.au3>
#include <WinAPIShellEx.au3>

;-------specific paths to be checked----------------
Global $aArray[17]

$aArray[0] = "C:\Program Files"
$aArray[1] = "C:\Program Files\Common Files"
$aArray[2] = "C:\Program Files (x86)"
$aArray[3] = "C:\Program Files (x86)\Common Files"   ; no space before the backslash
$aArray[4] = "C:\ProgramData"
$aArray[5] = "C:\Windows"
$aArray[6] = "C:\Windows\System32"
$aArray[7] = "C:\Windows\System32\Drivers"
$aArray[8] = "C:\Windows\System32\Drivers\etc"
$aArray[9] = "C:\Windows\System32\Sysprep"
$aArray[10] = "C:\Windows\System32\wbem"
$aArray[11] = "C:\Windows\System32\WindowsPowerShell\v1.0"
$aArray[12] = "C:\Windows\Web"
$aArray[13] = "C:\Windows\SysWOW64"
$aArray[14] = "C:\Windows\SysWOW64\Drivers"
$aArray[15] = "C:\Windows\SysWOW64\wbem"
$aArray[16] = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"

;THIS FOLDER, SUBFOLDERS AND FILES:
; Note: a wildcard in the middle of a path (C:\Users\*\...) is not expanded by _FileListToArrayRec;
; the loop below skips anything it cannot list instead of failing.
Local $aRecThese = ["C:\Boot", "C:\Perflogs", "C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup", _
        "C:\Users\Public", "C:\Users\*\AppData\Local", "C:\Users\*\AppData\Local\Temp", "C:\Users\" & @UserName & "\AppData\LocalLow", _
        "C:\Users\" & @UserName & "\AppData\Roaming", "C:\Windows\Scripts", "C:\Windows\System", "C:\Windows\System32\Tasks", _
        "C:\Windows\system32\config\systemprofile\AppData", "C:\Windows\sysWOW64\sysprep", _
        "C:\Windows\sysWOW64\config\systemprofile\AppData"]   ; no space after the backslash

;~ _ArrayDisplay($aRecThese)

For $i = 0 To UBound($aRecThese) - 1
    _ArrayAdd($aArray, $aRecThese[$i])   ; the folder itself is checked too
    Local $aList = _FileListToArrayRec($aRecThese[$i], "*", $FLTAR_FILESFOLDERS, $FLTAR_RECUR, $FLTAR_NOSORT, $FLTAR_FULLPATH)
    If @error Then ContinueLoop          ; folder missing, unreadable, or a path that cannot be listed
    ;~ _ArrayDisplay($aList)
    _ArrayDelete($aList, 0)              ; drop the element count
    If UBound($aList) > 0 Then _ArrayAdd($aArray, $aList)   ; append every full path found
    ;~ _ArrayDisplay($aArray)
Next

Global $aOut[0][2]

For $i = 0 To UBound($aArray) - 1
    Local $tSHFILEINFO = DllStructCreate($tagSHFILEINFO)
    ; SHGFI_ATTRIBUTES fills dwAttributes (third struct member) with the item's SFGAO_* flags
    _WinAPI_ShellGetFileInfo($aArray[$i], $SHGFI_ATTRIBUTES, $FILE_ATTRIBUTE_NORMAL, $tSHFILEINFO)
    _ArrayAdd($aOut, $aArray[$i])                                 ; new row, path in column 0
    $aOut[UBound($aOut) - 1][1] = DllStructGetData($tSHFILEINFO, 3)   ; dwAttributes in column 1
Next

_ArrayDisplay($aOut)

 

Any detailed info on the Attributes value that is returned? Identifying it as having been modified is nice, but I would like to glean what was modified if possible.

List of files/folders comes from the Bsides Austin guys

http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/568190d9df40f3651d7d422b/1451331801205/Windows+File+Auditing+Cheat+Sheet+ver+Jan+2016.pdf

Edited by iamtheky
list credit




After much searching I think I found the list of attributes you're looking for here. Convert the number returned to Hex, and then parse the list of hex values in this table to get the attributes that are affected.


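As an added example (not code from this thread), here is the hex-to-flag parsing the reply describes, done in Python on the dwAttributes DWORD that _ArrayDisplay shows: the SFGAO_* values are the ones SHGetFileInfo reports for SHGFI_ATTRIBUTES, and attribute_diff names which flags changed between a stored baseline and a fresh read, which is the "what was modified" part of the question.

```python
# SFGAO_* values from shobjidl.h: the bits SHGetFileInfo puts in
# SHFILEINFO.dwAttributes when called with SHGFI_ATTRIBUTES.
SFGAO_FLAGS = {
    0x00000001: "SFGAO_CANCOPY",         0x00000002: "SFGAO_CANMOVE",
    0x00000004: "SFGAO_CANLINK",         0x00000008: "SFGAO_STORAGE",
    0x00000010: "SFGAO_CANRENAME",       0x00000020: "SFGAO_CANDELETE",
    0x00000040: "SFGAO_HASPROPSHEET",    0x00000100: "SFGAO_DROPTARGET",
    0x00001000: "SFGAO_SYSTEM",          0x00002000: "SFGAO_ENCRYPTED",
    0x00004000: "SFGAO_ISSLOW",          0x00008000: "SFGAO_GHOSTED",
    0x00010000: "SFGAO_LINK",            0x00020000: "SFGAO_SHARE",
    0x00040000: "SFGAO_READONLY",        0x00080000: "SFGAO_HIDDEN",
    0x00100000: "SFGAO_NONENUMERATED",   0x00200000: "SFGAO_NEWCONTENT",
    0x00400000: "SFGAO_STREAM",          0x00800000: "SFGAO_STORAGEANCESTOR",
    0x01000000: "SFGAO_VALIDATE",        0x02000000: "SFGAO_REMOVABLE",
    0x04000000: "SFGAO_COMPRESSED",      0x08000000: "SFGAO_BROWSABLE",
    0x10000000: "SFGAO_FILESYSANCESTOR", 0x20000000: "SFGAO_FOLDER",
    0x40000000: "SFGAO_FILESYSTEM",      0x80000000: "SFGAO_HASSUBFOLDER",
}
KNOWN_MASK = sum(SFGAO_FLAGS)

def decode_sfgao(value: int):
    """Name the SFGAO bits set in a dwAttributes value.

    Returns (names, leftover). `leftover` holds any bits the table does not
    cover, so an unexpected value is never silently dropped. AutoIt may hand
    the DWORD back as a negative 32-bit number; the mask normalises that.
    """
    value &= 0xFFFFFFFF
    names = [name for bit, name in SFGAO_FLAGS.items() if value & bit]
    return names, value & ~KNOWN_MASK & 0xFFFFFFFF

def attribute_diff(baseline: int, current: int):
    """Name the flags gained and lost between a stored baseline read of a
    path and a fresh read of the same path (what a change audit reports)."""
    baseline &= 0xFFFFFFFF
    current &= 0xFFFFFFFF
    changed = baseline ^ current
    gained = [n for b, n in SFGAO_FLAGS.items() if changed & b & current]
    lost = [n for b, n in SFGAO_FLAGS.items() if changed & b & baseline]
    return gained, lost

if __name__ == "__main__":
    # Constructed values: a file-system item with the full capability bits,
    # then the same item after it was marked read-only and hidden.
    print(decode_sfgao(0x40000177))
    print(attribute_diff(0x40000177, 0x400C0177))
```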

#3 ·  Posted (edited)

While I am doing that, I have an interim solution and added ACLs as well; I will add to examples.

;FileList Via @HackerHurricane

#RequireAdmin
; Disable WOW64 file-system redirection so a 32-bit AutoIt sees the real System32.
; The parameter receives the previous redirection state, so it must be a pointer, not the literal 1.
DllCall("kernel32.dll", "bool", "Wow64DisableWow64FsRedirection", "ptr*", 0)

#include <Array.au3>
#include <AutoItConstants.au3>   ; $STDOUT_CHILD
#include <File.au3>
#include <StringConstants.au3>   ; $STR_ENTIRESPLIT, $STR_NOCOUNT, $STR_STRIPLEADING
#include <WinAPI.au3>
#include <WinAPIShellEx.au3>

;-------specific paths to be checked----------------

Global $aArray[17]

$aArray[0] = "C:\Program Files"
$aArray[1] = "C:\Program Files\Common Files"
$aArray[2] = "C:\Program Files (x86)"
$aArray[3] = "C:\Program Files (x86)\Common Files"
$aArray[4] = "C:\ProgramData"
$aArray[5] = "C:\Windows"
$aArray[6] = "C:\Windows\System32"
$aArray[7] = "C:\Windows\System32\Drivers"
$aArray[8] = "C:\Windows\System32\Drivers\etc"
$aArray[9] = "C:\Windows\System32\Sysprep"
$aArray[10] = "C:\Windows\System32\wbem"
$aArray[11] = "C:\Windows\System32\WindowsPowerShell\v1.0"
$aArray[12] = "C:\Windows\Web"
$aArray[13] = "C:\Windows\SysWOW64"
$aArray[14] = "C:\Windows\SysWOW64\Drivers"
$aArray[15] = "C:\Windows\SysWOW64\wbem"
$aArray[16] = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"


;----------Folders to be recursed and all contents checked-----------------------------
;"C:\Users\Public","C:\Users\" & @UserName & "\AppData\Local","C:\Users\" & @UserName & "\AppData\Local\Temp","C:\Users\" & @UserName & "\AppData\LocalLow"
;"C:\Users\" & @UserName & "\AppData\Roaming"

Local $aRecThese = ["C:\Boot", "C:\Perflogs", "C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup", _
        "C:\Windows\Scripts", "C:\Windows\System", "C:\Windows\System32\Tasks", _
        "C:\Windows\system32\config\systemprofile\AppData", "C:\Windows\sysWOW64\sysprep", _
        "C:\Windows\sysWOW64\config\systemprofile\AppData"]

;~ _ArrayDisplay($aRecThese)

For $i = 0 To UBound($aRecThese) - 1
    _ArrayAdd($aArray, $aRecThese[$i])   ; the folder itself is checked too
    Local $aList = _FileListToArrayRec($aRecThese[$i], "*", $FLTAR_FILESFOLDERS, $FLTAR_RECUR, $FLTAR_NOSORT, $FLTAR_FULLPATH)
    If @error Then ContinueLoop          ; folder missing or unreadable
    ;~ _ArrayDisplay($aList)
    _ArrayDelete($aList, 0)              ; drop the element count
    If UBound($aList) > 0 Then _ArrayAdd($aArray, $aList)   ; append every full path found
    ;~ _ArrayDisplay($aArray)
Next

;-------------------------------------------------------------------------------------

Global $aOut[0][3]   ; Declare Final Array: path, attribute string, ACL string

;--------START LOOP THROUGH ARRAY OF Files and Folders----------------------------------

For $i = 0 To UBound($aArray) - 1

    ;-----------------------------GET ATTRIBUTES------------------------------------------------

    Local $sAttrib = FileGetAttrib($aArray[$i])   ; e.g. "RHSD" for read-only, hidden, system directory

    ;---------------------------GET ACLs----------------------------------------------------------
    ; icacls prints the path and the first ACE on one line, further ACEs indented,
    ; then a blank line and a "Successfully processed ..." summary line.
    Local $iPID = Run(@ComSpec & ' /c icacls "' & $aArray[$i] & '"', "", @SW_HIDE, $STDOUT_CHILD)

    Local $sOutput = ""
    While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop   ; child closed its stdout: everything has been read
    WEnd

    ; split on @CRLF (not @LF) so no stray carriage returns are left in the entries
    Local $aSplit = StringSplit($sOutput, @CRLF, $STR_ENTIRESPLIT + $STR_NOCOUNT)
    ; strip the path from the first line so its ACE is kept rather than discarded
    If UBound($aSplit) > 0 Then $aSplit[0] = StringStripWS(StringTrimLeft($aSplit[0], StringLen($aArray[$i])), $STR_STRIPLEADING)

    ;------------Add All That Stuff to the Final Array-----------------------------------------------------------

    _ArrayAdd($aOut, $aArray[$i])   ; Create a new row, add the path to column 1
    $aOut[UBound($aOut) - 1][1] = $sAttrib   ; add the attribute string to column 2
    ; join the ACE lines (last 3 entries are the blank line, the summary and the trailing empty string), collapse indentation
    $aOut[UBound($aOut) - 1][2] = StringRegExpReplace(_ArrayToString($aSplit, ",,", 0, UBound($aSplit) - 4), "\s\s+", "")   ; ACL string in column 3

Next

_ArrayDisplay($aOut)

 

Edited by iamtheky

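As an added example (not code from this thread), here is the icacls text above parsed into structured ACEs rather than joined into one string, plus the check an auditor of these locations actually wants: which entries let broad groups write. The sample output is constructed to match icacls' default layout; the principal and rights sets are my own assumptions about what counts as "broad" and "write".

```python
import re

# Constructed sample of what `icacls C:\Windows` prints: the path and the first
# ACE share a line, later ACEs are indented, then a blank line and a summary.
SAMPLE_ICACLS = """C:\\Windows NT SERVICE\\TrustedInstaller:(F)
           NT SERVICE\\TrustedInstaller:(CI)(IO)(F)
           NT AUTHORITY\\SYSTEM:(M)
           BUILTIN\\Administrators:(M)
           BUILTIN\\Users:(RX)
           BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)
           CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific rights that allow changing the object or its children (assumed set).
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "WA", "WEA", "DC", "D"}
# Low-privilege principals that should not have write access to audited paths (assumed set).
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<acl>(?:\([^()]*\))+)$")

def parse_icacls(output: str, path: str):
    """Turn icacls output for `path` into ACE dicts: {'who', 'inherit', 'rights'}."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):          # the first line carries the path itself
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if not m:                           # blank line, summary line, or an error message
            continue
        tokens = re.findall(r"\(([^()]*)\)", m.group("acl"))
        rights = set()
        for t in tokens:
            if t not in INHERIT_FLAGS:
                rights.update(t.split(","))   # "(GR,GE)" lists several specific rights
        aces.append({"who": m.group("who"),
                     "inherit": {t for t in tokens if t in INHERIT_FLAGS},
                     "rights": rights})
    return aces

def writable_by_broad_groups(aces):
    """ACEs that let low-privilege groups modify an audited location."""
    return [a for a in aces
            if a["who"] in BROAD_PRINCIPALS and a["rights"] & WRITE_RIGHTS]
```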
