using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Text;
using Microsoft.Win32;
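namespace DetectNanoCore
{
    /// <summary>
    /// Host triage helper that looks for the NanoCore indicators encoded below:
    /// a folder named after the machine's MachineGuid under the current user's
    /// roaming AppData, specific files inside it, and a set of marker strings in
    /// the memory of running .NET processes (extracted with the external
    /// <c>strings2</c> tool).
    /// </summary>
    /// <remarks>
    /// Operational caveats for whoever runs this:
    /// - Only the profile of the user running the tool is inspected
    ///   (Environment.SpecialFolder.ApplicationData); other profiles are not checked.
    /// - The string match is a heuristic. Any process whose memory happens to hold
    ///   the three marker strings is reported, so confirm a hit before acting on it.
    /// - "strings2" is launched through cmd.exe by bare name, so it is resolved via
    ///   the current directory and PATH. Run the tool from a directory that only
    ///   administrators can write to, next to a strings2 binary you have verified.
    /// - The PID.txt files written to the current directory contain printable
    ///   strings from process memory and may include secrets. Treat them as
    ///   sensitive evidence and remove them once triage is finished.
    /// </remarks>
    class Program
    {
        // Upper bound, per strings2 child, on how long to wait for its output file
        // to be complete before giving up on that PID.
        private const int DumpTimeoutMs = 15000;

        /// <summary>
        /// Runs the file-system check and, when it hits, the memory-string check,
        /// then prints the machine GUID and waits for Enter.
        /// </summary>
        /// <param name="args">Unused.</param>
        static void Main(string[] args)
        {
            string serial = ReadMachineGuid();
            string appDataFolder = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), serial);

            if (Directory.Exists(appDataFolder))
            {
                Console.WriteLine("GUID Folder Exists..");
                if (HasNanoCoreArtifacts(appDataFolder))
                {
                    Console.WriteLine("Significant Indicators to Nanocore available.");

                    int ownPid;
                    using (Process self = Process.GetCurrentProcess())
                    {
                        ownPid = self.Id;
                    }

                    foreach (int dumpedPid in DumpDotNetProcesses(ownPid))
                    {
                        ReportIfSignatureMatches(dumpedPid);
                    }
                }
            }

            Console.WriteLine("Serial for this computer: " + serial);
            Console.ReadLine();
        }

        /// <summary>
        /// Reads HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid from the 64-bit
        /// registry view.
        /// </summary>
        /// <returns>The GUID string, or "default" when it cannot be read.</returns>
        private static string ReadMachineGuid()
        {
            try
            {
                // A 32-bit build on 64-bit Windows is redirected to WOW6432Node, where
                // MachineGuid is absent; the tool would then look for the wrong folder
                // and report a clean host. Asking for the 64-bit view avoids that
                // (requires .NET Framework 4 or later; on a 32-bit OS the 32-bit view
                // is returned).
                using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
                using (RegistryKey crypto = hklm.OpenSubKey("SOFTWARE\\Microsoft\\Cryptography"))
                {
                    // OpenSubKey returns null for a missing key; a missing or
                    // non-string value yields null from the 'as' cast.
                    string guid = crypto == null ? null : crypto.GetValue("MachineGuid") as string;
                    return string.IsNullOrEmpty(guid) ? "default" : guid;
                }
            }
            catch (System.Security.SecurityException)
            {
                return "default";
            }
            catch (UnauthorizedAccessException)
            {
                return "default";
            }
            catch (IOException)
            {
                return "default";
            }
        }

        /// <summary>
        /// Returns true when the folder holds storage.dat, run.dat or a Logs directory.
        /// </summary>
        private static bool HasNanoCoreArtifacts(string folder)
        {
            return File.Exists(Path.Combine(folder, "storage.dat"))
                || File.Exists(Path.Combine(folder, "run.dat"))
                || Directory.Exists(Path.Combine(folder, "Logs"));
        }

        /// <summary>
        /// Returns true when any loaded module path of the process contains "Microsoft.NET".
        /// </summary>
        /// <remarks>
        /// Enumerating modules can throw (access denied, process exited, or a 32-bit
        /// caller inspecting a 64-bit process); the caller handles that.
        /// </remarks>
        private static bool LoadsDotNetRuntime(Process candidate)
        {
            foreach (ProcessModule module in candidate.Modules)
            {
                string modulePath = module.FileName;
                // Windows paths are case-insensitive, so the comparison is too.
                if (modulePath != null
                    && modulePath.IndexOf("Microsoft.NET", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return true;
                }
            }

            return false;
        }

        /// <summary>
        /// Launches "strings2 -pid N &gt; N.txt" for every other process that loads a
        /// .NET module and waits for each run to finish.
        /// </summary>
        /// <param name="ownPid">PID of this tool, which is skipped.</param>
        /// <returns>PIDs whose strings2 run exited within the timeout.</returns>
        private static List<int> DumpDotNetProcesses(int ownPid)
        {
            var launched = new List<KeyValuePair<int, Process>>();

            foreach (Process candidate in Process.GetProcesses())
            {
                using (candidate)
                {
                    int candidateId = candidate.Id;
                    if (candidateId == ownPid)
                    {
                        continue;
                    }

                    bool isDotNet;
                    try
                    {
                        isDotNet = LoadsDotNetRuntime(candidate);
                    }
                    catch (Exception)
                    {
                        // Best effort: protected and already-exited processes are skipped.
                        Console.WriteLine("Process modules unable to be listed. PID: " + candidateId);
                        continue;
                    }

                    if (!isDotNet)
                    {
                        continue;
                    }

                    Console.WriteLine("Process has .NET Module. PID: " + candidateId);

                    // Only integers are interpolated into the command line, so no
                    // attacker-controlled text reaches cmd.exe here.
                    var startInfo = new ProcessStartInfo();
                    startInfo.WindowStyle = ProcessWindowStyle.Hidden;
                    startInfo.FileName = "cmd.exe";
                    startInfo.Arguments = "/c strings2 -pid " + candidateId + " > " + candidateId + ".txt";

                    try
                    {
                        Process child = Process.Start(startInfo);
                        if (child != null)
                        {
                            launched.Add(new KeyValuePair<int, Process>(candidateId, child));
                        }
                    }
                    catch (System.ComponentModel.Win32Exception)
                    {
                        Console.WriteLine("strings2 could not be started. PID: " + candidateId);
                    }
                }
            }

            // Wait on the children instead of sleeping a fixed time, so a slow dump
            // is never read half-written and a fast one does not cost 15 seconds.
            var dumped = new List<int>();
            foreach (KeyValuePair<int, Process> entry in launched)
            {
                using (Process child = entry.Value)
                {
                    if (child.WaitForExit(DumpTimeoutMs))
                    {
                        dumped.Add(entry.Key);
                    }
                    else
                    {
                        Console.WriteLine("strings2 did not finish in time. PID: " + entry.Key);
                    }
                }
            }

            return dumped;
        }

        /// <summary>
        /// Reads PID.txt and reports the PID when the output contains all three
        /// marker strings: PrimaryConnectionHost, ConnectionPort and
        /// NtSetInformationProcess.
        /// </summary>
        /// <param name="pid">PID whose strings2 output is inspected.</param>
        private static void ReportIfSignatureMatches(int pid)
        {
            string dump;
            try
            {
                dump = File.ReadAllText(pid + ".txt");
            }
            catch (IOException)
            {
                // Missing or locked output: strings2 failed or was not found.
                Console.WriteLine("Strings output unable to be read. PID: " + pid);
                return;
            }
            catch (UnauthorizedAccessException)
            {
                Console.WriteLine("Strings output unable to be read. PID: " + pid);
                return;
            }

            int hostPos = dump.IndexOf("PrimaryConnectionHost", StringComparison.Ordinal);
            bool matches = hostPos >= 0
                && dump.IndexOf("ConnectionPort", StringComparison.Ordinal) >= 0
                && dump.IndexOf("NtSetInformationProcess", StringComparison.Ordinal) >= 0;
            if (!matches)
            {
                return;
            }

            Console.WriteLine("Suspected PID: " + pid + " has matching memory signatures for NanoCore");

            // Search for the port marker only after the host marker; a port marker
            // that appears earlier in the dump would otherwise give Substring a
            // negative length and crash the scan on the first hit.
            int portPos = dump.IndexOf("ConnectionPort", hostPos, StringComparison.Ordinal);
            if (portPos > hostPos)
            {
                string host = dump.Substring(hostPos, portPos - hostPos);
                Console.WriteLine("Suspected Host connecting to\r\n: " + host);
            }
            else
            {
                Console.WriteLine("Suspected Host connecting to\r\n: (not recoverable from strings output)");
            }
        }
    }
}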