Collect autorun records from running system

go-autoruns

Collect records of programs registered for persistence on the running system. It currently supports Linux, Mac, Windows and FreeBSD. The coverage on the different platforms may vary. Contributions for extended support are very welcome.

Usage

Invoke the Autoruns() function, which will return a slice of Autorun structs with the following properties:

type Autorun struct {
	Type      string `json:"type"`
	Location  string `json:"location"`
	ImagePath string `json:"image_path"`
	ImageName string `json:"image_name"`
	Arguments string `json:"arguments"`
	MD5       string `json:"md5"`
	SHA1      string `json:"sha1"`
	SHA256    string `json:"sha256"`
}

The values are:

  • Type: a description of the type of autorun record (e.g. "run_key" or "services").
  • Location: either a registry key or a file path where the record is stored.
  • ImagePath: the file path to the executable registered for persistence.
  • ImageName: just the file name of the executable.
  • Arguments: any arguments passed to the executable.
  • MD5: MD5 hash of the executable.
  • SHA1: SHA1 hash of the executable.
  • SHA256: SHA256 hash of the executable.

The following is a working example:

package main

import (
	"fmt"

	"github.com/botherder/go-autoruns"
)

func main() {
	// Collect every autorun record the library can find on this platform.
	// The result is named "records" so it does not shadow the autoruns package.
	records := autoruns.Autoruns()

	for _, autorun := range records {
		fmt.Println(autorun.Type)
		fmt.Println(autorun.Location)
		fmt.Println(autorun.ImagePath)
		fmt.Println(autorun.Arguments)
		fmt.Println("")
	}
}
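
The JSON tags on the struct make it easy to save one collection and compare a later one against it. The following is an added example, not code from go-autoruns: it redeclares the Autorun struct locally so it runs offline, DiffBaseline and key are hypothetical helpers, and the paths and hashes are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Autorun mirrors the README's struct (assumption: real records come from autoruns.Autoruns()).
type Autorun struct {
	Type      string `json:"type"`
	Location  string `json:"location"`
	ImagePath string `json:"image_path"`
	ImageName string `json:"image_name"`
	Arguments string `json:"arguments"`
	MD5       string `json:"md5"`
	SHA1      string `json:"sha1"`
	SHA256    string `json:"sha256"`
}

// key identifies a persistence entry independently of the binary's content.
func key(a Autorun) string {
	return a.Type + "\x00" + a.Location + "\x00" + a.ImagePath + "\x00" + a.Arguments
}

// DiffBaseline (hypothetical helper) returns entries missing from the saved
// baseline and entries whose registered binary now has a different SHA256.
func DiffBaseline(baselineJSON []byte, current []Autorun) (added, changed []Autorun, err error) {
	var baseline []Autorun
	if err = json.Unmarshal(baselineJSON, &baseline); err != nil {
		return nil, nil, fmt.Errorf("parse baseline: %w", err)
	}
	known := make(map[string]string, len(baseline))
	for _, b := range baseline {
		known[key(b)] = b.SHA256
	}
	for _, c := range current {
		if hash, ok := known[key(c)]; !ok {
			added = append(added, c) // new persistence entry
		} else if hash != c.SHA256 {
			changed = append(changed, c) // same entry, binary replaced
		}
	}
	return added, changed, nil
}

func main() { // constructed sample data, not output from a real host
	base := []byte(`[{"type":"services","location":"/etc/systemd/system/demo.service","image_path":"/usr/bin/demo","arguments":"","sha256":"aaaa"}]`)
	added, changed, err := DiffBaseline(base, []Autorun{{Type: "services", Location: "/etc/systemd/system/demo.service", ImagePath: "/usr/bin/demo", SHA256: "bbbb"}})
	fmt.Println(len(added), len(changed), err)
}
```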

TODO

  • Extend support for other autorun records on all platforms.