0x01 背景
为了更好地服务合规和监管,常常漏洞应急响应需要提高时效性,这就要求资产和排查方法要全面且科学,所以有必要打造一款适合自己业务的风险自查工具,接下来要介绍的这款工具用来排查员工终端最近访问的文件列表。.
1.1 基本原理
迷你小工具获取Windows系统最近文件列表,读取lnk文件里的相对路径,再配合type命令可看到文件内容
功能实现上使用 Environment.SpecialFolder.ApplicationData 获取windows特殊目录下的公共资源后拼接Microsoft\Windows\Recent路径得到完整目录,至于SpecialFolder提供了很多的特殊目录的访问属性如下
[ComVisible(true)]
public enum SpecialFolder
{
ApplicationData = 26,
CommonApplicationData = 35,
LocalApplicationData = 28,
Cookies = 33,
Desktop = 0,
Favorites = 6,
History = 34,
InternetCache = 0x20,
Programs = 2,
MyComputer = 17,
MyMusic = 13,
MyPictures = 39,
MyVideos = 14,
Recent = 8,
SendTo = 9,
StartMenu = 11,
Startup = 7,
System = 37,
Templates = 21,
DesktopDirectory = 0x10,
Personal = 5,
MyDocuments = 5,
ProgramFiles = 38,
CommonProgramFiles = 43,
AdminTools = 48,
CDBurning = 59,
CommonAdminTools = 47,
CommonDocuments = 46,
CommonMusic = 53,
CommonOemLinks = 58,
CommonPictures = 54,
CommonStartMenu = 22,
CommonPrograms = 23,
CommonStartup = 24,
CommonDesktopDirectory = 25,
CommonTemplates = 45,
CommonVideos = 55,
Fonts = 20,
NetworkShortcuts = 19,
PrinterShortcuts = 27,
UserProfile = 40,
CommonProgramFilesX86 = 44,
ProgramFilesX86 = 42,
Resources = 56,
LocalizedResources = 57,
SystemX86 = 41,
Windows = 36
}
[ComVisible(true)]表示枚举列表对COM访问是可见的。