italianncheater

Timesmasher

Jan 19th, 2021
  1. using System;
  2. using System.Collections.Generic;
  3. using System.Diagnostics.Eventing.Reader;
  4. using System.Threading;
  5.  
  6. namespace TimeModificationCheck {
  7.     class Program {
  8.  
  9.         class CheckInfo {
  10.             public CheckInfo(bool result, DateTime previousTime, DateTime newTime, DateTime? generatedAt, long? recordIdentifier) {
  11.                 this.Result = result;
  12.                 this.Previous = previousTime;
  13.                 this.New = newTime;
  14.                 this.Time = generatedAt;
  15.                 this.Id = recordIdentifier;
  16.             }
  17.  
  18.             public CheckInfo(bool result) {
  19.                 this.Result = result;
  20.             }
  21.  
  22.             public bool Result { get; }
  23.             public DateTime Previous { get; }
  24.             public DateTime New { get; }
  25.             public DateTime? Time { get; }
  26.             public long? Id { get; }
  27.  
  28.         };
  29.  
  30.         static void Main(string[] args) {
  31.  
  32.             Console.Title = "Timesmasher by @italianncheater";
  33.             Console.ForegroundColor = ConsoleColor.Yellow;
  34.             Console.WriteLine("Analyzing logs...\n\n");
  35.             Console.ForegroundColor = ConsoleColor.White;
  36.  
  37.             CheckInfo info = checkTimeModification();
  38.  
  39.             Thread.Sleep(2000);
  40.             if (info.Result) {
  41.                 Console.WriteLine("[!] And u got exposed!");
  42.                 Console.WriteLine("Previous time: {0} | New time: {1}\nGenerated at: {2} | Record ID: {3}\n\n",
  43.                     info.Previous, info.New, info.Time, info.Id);
  44.             } else Console.WriteLine("[?] U seems to be legit!\n\n");
  45.  
  46.             Console.Write("Press ENTER to exit the program...");
  47.             Console.ReadLine();
  48.         }
  49.  
  50.         static CheckInfo checkTimeModification() {
  51.             EventRecord entry;
  52.             string logPath = @"C:\Windows\System32\winevt\Logs\Security.evtx";
  53.             EventLogReader logReader = new EventLogReader(logPath, PathType.FilePath);
  54.             DateTime pcStartTime = startTime();
  55.  
  56.             while ((entry = logReader.ReadEvent()) != null) {
  57.                 if (entry.Id != 4616) continue;
  58.                 if (entry.TimeCreated <= pcStartTime) continue;
  59.  
  60.                 IList<EventProperty> properties = entry.Properties;
  61.                 DateTime previousTime = DateTime.Parse(properties[4].Value.ToString());
  62.                 DateTime newTime = DateTime.Parse(properties[5].Value.ToString());
  63.  
  64.                 if (Math.Abs((previousTime - newTime).TotalMinutes) > 5)
  65.                     return new CheckInfo(true, previousTime, newTime, entry.TimeCreated, entry.RecordId);
  66.             }
  67.             return new CheckInfo(false);
  68.         }
  69.  
  70.         static DateTime startTime() {
  71.             return DateTime.Now.AddMilliseconds(-Environment.TickCount);
  72.         }
  73.     }
  74. }
  75.  