添加 windows 登录事件 获取。

C#/DecryptPwd.csproj

@@ -46,6 +46,7 @@
     <Compile Include="Program.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="utils\FoxmailUtils.cs" />
+    <Compile Include="utils\LoginEvent.cs" />
   </ItemGroup>
   <ItemGroup>
     <None Include="App.config" />

C#/Program.cs

@@ -11,8 +11,31 @@ namespace DecryptPwd
     {
         static void Main(string[] args)
         {
-            String res=FoxmailUtils.decodePW(19, "fff");
-            System.Console.WriteLine(res);
+            Welcome();
+            if (args.Length == 0)
+            {
+                System.Console.WriteLine("Usage: DecryptPwd.exe -4624");
+                System.Console.WriteLine("       DecryptPwd.exe -4625");
+            }
+            if (args.Length == 1 && (args[0] == "-4624"))
+            {
+                LoginEvent.EventLog_4624();
+            }
+            if (args.Length == 1 && (args[0] == "-4625"))
+            {
+                LoginEvent.EventLog_4625();
+            }if (args.Length == 1 && (args[0] == "")) {
+                String res = FoxmailUtils.decodePW(19, "fff");
+                System.Console.WriteLine(res);
+            }
+        }
+
+       static void Welcome()
+        {
+            System.Console.WriteLine("");
+            System.Console.WriteLine("Author: liuyuqi");
+            System.Console.WriteLine("Email: liuyuqi.gov@msn.cn");
+            System.Console.WriteLine("");
         }
     }
 }

C#/utils/LoginEvent.cs

@@ -0,0 +1,93 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace DecryptPwd.utils
+{
+    class LoginEvent
+    {
+        /// <summary>
+        /// 查询登录事件，需要管理员权限，从注册表中查询。
+        /// </summary>
+        public static void EventLog_4624()
+        {
+            EventLog log = new EventLog("Security");
+            Console.WriteLine("\r\n========== SharpEventLog -> 4624 ==========\r\n");
+            var entries = log.Entries.Cast<EventLogEntry>().Where(x => x.InstanceId == 4624);
+            entries.Select(x => new
+            {
+                x.MachineName,
+                x.Site,
+                x.Source,
+                x.Message,
+                x.TimeGenerated
+            }).ToList();
+            foreach (EventLogEntry log1 in entries)
+            {
+                string text = log1.Message;
+                string ipaddress = MidStrEx(text, "	源网络地址:	", "	源端口:");
+                string username = MidStrEx(text, "新登录:", "进程信息:");
+                username = MidStrEx(username, "	帐户名:		", "	帐户域:		");
+                DateTime Time = log1.TimeGenerated;
+                if (ipaddress.Length >= 7)
+                {
+                    Console.WriteLine("\r\n-----------------------------------");
+                    Console.WriteLine("Time: " + Time);
+                    Console.WriteLine("Status: True");
+                    Console.WriteLine("Username: " + username.Replace("\n", "").Replace(" ", "").Replace("\t", "").Replace("\r", ""));
+                    Console.WriteLine("Remote ip: " + ipaddress.Replace("\n", "").Replace(" ", "").Replace("\t", "").Replace("\r", ""));
+                }
+            }
+        }
+
+        public static void EventLog_4625()
+        {
+            EventLog log = new EventLog("Security");
+            Console.WriteLine("\r\n========== SharpEventLog -> 4625 ==========\r\n");
+            var entries = log.Entries.Cast<EventLogEntry>().Where(x => x.InstanceId == 4625);
+            entries.Select(x => new
+            {
+                x.MachineName,
+                x.Site,
+                x.Source,
+                x.Message,
+                x.TimeGenerated
+            }).ToList();
+            foreach (EventLogEntry log1 in entries)
+            {
+                string text = log1.Message;
+                string ipaddress = MidStrEx(text, "	源网络地址:	", "	源端口:");
+                string username = MidStrEx(text, "新登录:", "进程信息:");
+                username = MidStrEx(username, "	帐户名:		", "	帐户域:		");
+                DateTime Time = log1.TimeGenerated;
+                if (ipaddress.Length >= 7)
+                {
+                    Console.WriteLine("\r\n-----------------------------------");
+                    Console.WriteLine("Time: " + Time);
+                    Console.WriteLine("Status: Flase");
+                    Console.WriteLine("Username: " + username.Replace("\n", "").Replace(" ", "").Replace("\t", "").Replace("\r", ""));
+                    Console.WriteLine("Remote ip: " + ipaddress.Replace("\n", "").Replace(" ", "").Replace("\t", "").Replace("\r", ""));
+                }
+            }
+        }
+
+        public static string MidStrEx(string sourse, string startstr, string endstr)
+        {
+            string result = string.Empty;
+            int startindex, endindex;
+            startindex = sourse.IndexOf(startstr);
+            if (startindex == -1)
+                return result;
+            string tmpstr = sourse.Substring(startindex + startstr.Length);
+            endindex = tmpstr.IndexOf(endstr);
+            if (endindex == -1)
+                return result;
+            result = tmpstr.Remove(endindex);
+
+            return result;
+        }
+    }
+}

README.md

@@ -4,6 +4,7 @@
 
 新增 Chrome，ssh 获取。
 
+新增 读取登录过本机的登录失败或登录成功的所有计算机信息，在内网渗透中快速定位运维管理人员。
 
 
 ## docs