A C#-Based Self-Inspection Tool for Sensitive Information

0x01 Background

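To better serve compliance and regulatory requirements, vulnerability emergency response often needs to be faster, which in turn requires that asset coverage and inspection methods be comprehensive and systematic. It is therefore worth building a risk self-inspection tool suited to your own business. The tool introduced here inspects the list of files recently accessed on employee endpoints.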

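1.1 Basic Principle

This small tool retrieves the Windows recent-files list and reads the relative path stored in each .lnk file; combined with the type command, the contents of the referenced file can then be viewed.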


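The implementation uses Environment.SpecialFolder.ApplicationData to obtain the Windows special folder that serves as the common repository for application data, then appends the path Microsoft\Windows\Recent to get the full directory. SpecialFolder exposes many special directories; its members are as follows: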

    [ComVisible(true)]
    public enum SpecialFolder
    {
        ApplicationData = 26,
        CommonApplicationData = 35,
        LocalApplicationData = 28,
        Cookies = 33,
        Desktop = 0,
        Favorites = 6,
        History = 34,
        InternetCache = 0x20,
        Programs = 2,
        MyComputer = 17,
        MyMusic = 13,
        MyPictures = 39,
        MyVideos = 14,
        Recent = 8,
        SendTo = 9,
        StartMenu = 11,
        Startup = 7,
        System = 37,
        Templates = 21,
        DesktopDirectory = 0x10,
        Personal = 5,
        MyDocuments = 5,
        ProgramFiles = 38,
        CommonProgramFiles = 43,
        AdminTools = 48,
        CDBurning = 59,
        CommonAdminTools = 47,
        CommonDocuments = 46,
        CommonMusic = 53,
        CommonOemLinks = 58,
        CommonPictures = 54,
        CommonStartMenu = 22,
        CommonPrograms = 23,
        CommonStartup = 24,
        CommonDesktopDirectory = 25,
        CommonTemplates = 45,
        CommonVideos = 55,
        Fonts = 20,
        NetworkShortcuts = 19,
        PrinterShortcuts = 27,
        UserProfile = 40,
        CommonProgramFilesX86 = 44,
        ProgramFilesX86 = 42,
        Resources = 56,
        LocalizedResources = 57,
        SystemX86 = 41,
        Windows = 36
    }

[ComVisible(true)] indicates that the enumeration is visible to COM.
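
The Recent-folder lookup described above, as an added example (not the tool's own code): it builds the path from ApplicationData, resolves each .lnk to its target through the WScript.Shell COM object, and marks targets for review. Assumptions: Windows with .NET Framework 4+ or .NET 5+, and the class name RecentAudit and the keyword list are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Linq;

static class RecentAudit
{
    // Constructed keyword list (assumption): replace with what your organisation treats as sensitive.
    static readonly string[] Keywords = { "password", "secret", "confidential", ".pem", ".kdbx" };

    static void Main()
    {
        // Same construction as in the text: ApplicationData + Microsoft\Windows\Recent.
        // Environment.SpecialFolder.Recent (= 8 in the enum) normally resolves to the same folder.
        string recent = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
            @"Microsoft\Windows\Recent");
        if (!Directory.Exists(recent)) { Console.Error.WriteLine("Not found: " + recent); return; }

        // WScript.Shell is the Windows Script Host COM object. CreateShortcut on an existing
        // .lnk loads it for reading; nothing is written unless Save() is called.
        Type shellType = Type.GetTypeFromProgID("WScript.Shell");
        if (shellType == null) { Console.Error.WriteLine("WScript.Shell is not available"); return; }
        dynamic shell = Activator.CreateInstance(shellType);

        // Newest shortcuts first: the .lnk write time approximates the last access via Explorer.
        foreach (string lnk in Directory.EnumerateFiles(recent, "*.lnk")
                                        .OrderByDescending(f => File.GetLastWriteTime(f)))
        {
            string target;
            try { target = shell.CreateShortcut(lnk).TargetPath; }
            catch (Exception ex) { Console.WriteLine("[skip] {0}: {1}", lnk, ex.Message); continue; }

            // Some shortcuts point at shell items that have no file-system path.
            if (string.IsNullOrEmpty(target)) continue;

            bool exists = File.Exists(target) || Directory.Exists(target);
            bool flagged = Keywords.Any(k => target.IndexOf(k, StringComparison.OrdinalIgnoreCase) >= 0);

            Console.WriteLine("{0:yyyy-MM-dd HH:mm}  {1}{2}{3}",
                File.GetLastWriteTime(lnk),
                flagged ? "[REVIEW] " : "",
                exists ? "" : "[missing] ",
                target);
        }
    }
}
```

A "[missing]" entry means the shortcut outlived its target, for example a file that was deleted or sat on removable or network storage that is no longer attached.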