shadowbrokers-exploits/windows/Resources/Ep/Scripts/malware.eps


# Interactive triage script for a suspected unknown binary (the "offending file")
# on the target host. Every collection step is opt-in through a prompt: optional
# retrieval of the file (malget.eps), handle and promiscuous-mode checks, a
# recursive dump of the Services registry key, listening sockets (netstat or
# portmap), and directory listings keyed to the file's timestamp and location.
# Returns false when the operator declines at a prompt that offers to stop,
# true after the last step.
# Environment read by this script: SYSPATH, SYSTEMROOT, OSMAJOR, OSMINOR
# (presumably populated by the framework before the script runs) and
# doneMalScript, which is this script's own re-run marker.
@echo on;
# Re-run guard. The marker is set *before* the prompt, so a declined re-run still
# leaves doneMalScript at "true" for the rest of the session.
string $doneBefore = GetEnv("doneMalScript");
SetEnv("doneMalScript", "true");
if ($doneBefore == "true") {
ifnot (prompt "It appears you might have already run the malware script. You probably don't want to run handle, etc. twice (remember you can run each subscript seperately). Continue?") {
return false;
}
}
# All following commands run from the system directory (SYSPATH).
string $system32 = GetEnv("SYSPATH");
`cd $system32`;
# "none" is the sentinel for "no binary"; it is only checked by the two blocks
# that explicitly compare against it (see the dir-of-malware-directory prompt
# below, which does not).
string $offendingFile = GetInput("What is the full path to the offending file? (\"none\" for no binary)");
# Disabled PID input; nothing below references $offendingPID.
# int $offendingPID = GetInput("What is the PID for the offending process? (\"-1\" for no pid)");
# Optional retrieval of the file is delegated to the malget.eps subscript.
if ($offendingFile != "none") {
if (prompt "Do you want to try to get this file? (types of gets will be offered)") {
`script malget.eps $offendingFile`;
}
}
# Open-handle and promiscuous-NIC checks are separate subscripts; the Services
# key dump runs in the background so the operator is not blocked by it.
if (prompt "Do you want to run handle on the target?") {
`script handle.eps`;
}
if (prompt "Do you want to run promiscdetect on the target?") {
`script promiscdetect.eps`;
}
if (prompt "Do you want to do a recursive regquery of the services key?") {
`background regquery -hive L -subkey "system\\CurrentControlSet\\Services" -recursive`;
}
# Socket enumeration. "netstat -ano" is offered only on NT 5.1 (XP) or later;
# if it runs, the portmap and Fport fallbacks are skipped.
int $major = GetEnv("OSMAJOR");
int $minor = GetEnv("OSMINOR");
bool $askPortmap = true;
# NOTE(review): $askFport is assigned in several places but never read, because
# the Fport block below is commented out. It is effectively dead state.
bool $askFport = false;
if (($major >= 6) || ($major == 5 && $minor >= 1)) {
if (prompt "Do you want to run \"netstat -ano\" (will pop on process list for a second)?\nIf you say no you can choose portmap next.") {
`run -command "netstat -ano" -redirect netstat`;
$askPortmap = false;
$askFport = false;
}
}
if ($askPortmap) {
if (prompt "Do you want to run portmap?") {
#do these checksums first so that we have data if it bounces
`checksum -mask win32k.sys`;
`checksum -mask user32.dll`;
# portmap's success status is used as the result; on failure $askFport stays
# as it was (and is never consulted anyway, see above).
if (`portmap -maxports 750 -handlememory 2048000`) {
$askFport = false;
}
}
}
# if ($askFport) {
# if (prompt "Do you want to run Fport?") {
# `script fport.eps`;
# }
# }
# Timestamp-window listing: a recursive dir of everything modified within one
# day either side of the date the operator types in for the offending file.
# The `dir $offendingFile` call doubles as an existence check.
if ($offendingFile != "none") {
if (prompt "Do you want to do a full dir on the box for files within a day of the modified time of the offending file?") {
if (`dir $offendingFile`) {
# Only "quit" is recognised; a malformed date is not validated before Split().
string $date = GetInput("Enter the date of the file in MM/DD/YYYY format. \"quit\" to quit.");
if ($date == "quit") {
return false;
}
# Presumably Split() yields an indexable list despite the string declaration —
# the indexing below relies on that. $parts[0]=MM, [1]=DD, [2]=YYYY.
string $parts = Split("/",$date);
int $dayStart = <int>$parts[1];
$dayStart--;
int $dayEnd = <int>$parts[1];
$dayEnd++;
# NOTE(review): the +/-1 day window does not roll over month boundaries — a
# file dated the 1st produces day 0 and the 31st produces day 32. Whether
# dir's -after/-before tolerate such dates is not visible here; confirm.
`background dir * -path * -max 0 -recursive -after $parts[0]/$dayStart/$parts[2] -before $parts[0]/$dayEnd/$parts[2]`;
} else {
echo "file not found.";
}
}
}
# NOTE(review): unlike the blocks above, this prompt is not guarded by
# `$offendingFile != "none"`, so answering yes with no file hands the literal
# string "none" to SplitPath(). It probably belongs inside the same guard.
if (prompt "Do you want to do a dir of the malware's directory?") {
string $fileParts = SplitPath($offendingFile);
`background dir * -path $fileParts[0] -max 0`;
}
# Listings of the standard Windows locations, all in the background.
if (prompt "Do you want to do a dir of the Windows directory?") {
string $windowsDir = GetEnv("SYSTEMROOT");
`background dir * -path $windowsDir -max 0`;
}
if (prompt "Do you want to do a dir of the system32 directory?") {
string $windowsSysDir = GetEnv("SYSPATH");
`background dir * -path $windowsSysDir -max 0`;
}
# $windowsSysDir is declared again here in a sibling block; presumably
# declarations are block-scoped in this language — confirm if it errors.
if (prompt "Do you want to do a dir of the drivers directory?") {
string $windowsSysDir = GetEnv("SYSPATH");
`background dir * -path $windowsSysDir\\drivers -max 0`;
}
# Full filesystem tree of the host (unbounded: -max 0).
if (prompt "Do you want to do a full tree of the system?") {
`background tree -path * -max 0`;
}
return true;