|
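@echo on;

# Interactive malware-triage driver for a compromised Windows host.
#
# Walks the operator through a fixed sequence of optional collection steps
# (grab the suspect binary, handle, promiscdetect, services regquery, network
# port listing, targeted dir listings, full tree). Every step is gated behind
# a prompt so noisy or slow steps can be skipped; several are launched with
# `background` and their output must be collected from the task list later.
#
# Inputs (all interactive or from the environment):
#   SYSPATH / SYSTEMROOT / OSMAJOR / OSMINOR - target facts set by the framework.
#   doneMalScript                           - session flag set below so a second
#                                             invocation warns before re-running.
# Returns false when the operator aborts, true otherwise.

# Guard against accidentally re-running the whole sequence in one session.
# The flag is set *before* the prompt so an abort here still records the run.
string $doneBefore = GetEnv("doneMalScript");
SetEnv("doneMalScript", "true");

if ($doneBefore == "true") {
    ifnot (prompt "It appears you might have already run the malware script. You probably don't want to run handle, etc. twice (remember you can run each subscript seperately). Continue?") {
        return false;
    }
}

# Work out of system32 so the subscripts below find the target's tools
# relative to it (presumably; confirm against handle.eps / malget.eps).
string $system32 = GetEnv("SYSPATH");
`cd $system32`;

# NOTE(review): $offendingFile is interpolated unquoted into several commands
# below (malget.eps, dir, SplitPath). A path containing spaces may need quoting
# by the operator - confirm the interpreter's tokenizing rules.
string $offendingFile = GetInput("What is the full path to the offending file? (\"none\" for no binary)");

# int $offendingPID = GetInput("What is the PID for the offending process? (\"-1\" for no pid)");

# --- Step 1: retrieve the suspect binary -------------------------------------
if ($offendingFile != "none") {
    if (prompt "Do you want to try to get this file? (types of gets will be offered)") {
        `script malget.eps $offendingFile`;
    }
}

# --- Step 2: process / handle / sniffer / service enumeration ----------------
if (prompt "Do you want to run handle on the target?") {
    `script handle.eps`;
}

if (prompt "Do you want to run promiscdetect on the target?") {
    `script promiscdetect.eps`;
}

if (prompt "Do you want to do a recursive regquery of the services key?") {
    `background regquery -hive L -subkey "system\\CurrentControlSet\\Services" -recursive`;
}

# --- Step 3: network port to process mapping ---------------------------------
# netstat -ano exists from XP (5.1) onward; older targets fall back to portmap.
int $major = GetEnv("OSMAJOR");
int $minor = GetEnv("OSMINOR");

bool $askPortmap = true;
bool $askFport = false;

if (($major >= 6) || ($major == 5 && $minor >= 1)) {
    if (prompt "Do you want to run \"netstat -ano\" (will pop on process list for a second)?\nIf you say no you can choose portmap next.") {
        `run -command "netstat -ano" -redirect netstat`;
        $askPortmap = false;
        $askFport = false;
    }
}

if ($askPortmap) {
    if (prompt "Do you want to run portmap?") {
        # Checksum these first so we still have data if portmap bounces the box.
        `checksum -mask win32k.sys`;
        `checksum -mask user32.dll`;
        if (`portmap -maxports 750 -handlememory 2048000`) {
            $askFport = false;
        }
    }
}

# if ($askFport) {
#     if (prompt "Do you want to run Fport?") {
#         `script fport.eps`;
#     }
# }

# --- Step 4: files touched around the malware's timestamp --------------------
if ($offendingFile != "none") {
    if (prompt "Do you want to do a full dir on the box for files within a day of the modified time of the offending file?") {
        if (`dir $offendingFile`) {
            string $date = GetInput("Enter the date of the file in MM/DD/YYYY format. \"quit\" to quit.");
            # NOTE: "quit" aborts the whole script, not just this step; the
            # remaining dir/tree prompts are never reached.
            if ($date == "quit") {
                return false;
            }
            string $parts = Split("/",$date);
            int $day = <int>$parts[1];
            if (($day == 1) || ($day >= 28)) {
                # Naive day +/- 1 yields an invalid date (00 or 29..32) at a month
                # boundary, which silently breaks the -after/-before filter.
                # Ask for the window explicitly instead.
                echo "Date is at a month boundary; enter the search window explicitly.";
                string $after = GetInput("Enter the -after date (the day before the file) in MM/DD/YYYY format.");
                string $before = GetInput("Enter the -before date (the day after the file) in MM/DD/YYYY format.");
                `background dir * -path * -max 0 -recursive -after $after -before $before`;
            } else {
                int $dayStart = $day;
                $dayStart--;
                int $dayEnd = $day;
                $dayEnd++;
                `background dir * -path * -max 0 -recursive -after $parts[0]/$dayStart/$parts[2] -before $parts[0]/$dayEnd/$parts[2]`;
            }
        } else {
            echo "file not found.";
        }
    }
}

# --- Step 5: targeted directory listings -------------------------------------
# Only meaningful when a binary path was given; SplitPath("none") would
# otherwise produce a bogus -path argument.
if ($offendingFile != "none") {
    if (prompt "Do you want to do a dir of the malware's directory?") {
        string $fileParts = SplitPath($offendingFile);
        `background dir * -path $fileParts[0] -max 0`;
    }
}

if (prompt "Do you want to do a dir of the Windows directory?") {
    string $windowsDir = GetEnv("SYSTEMROOT");
    `background dir * -path $windowsDir -max 0`;
}

# $system32 already holds SYSPATH (read above); no need to re-query it.
if (prompt "Do you want to do a dir of the system32 directory?") {
    `background dir * -path $system32 -max 0`;
}

if (prompt "Do you want to do a dir of the drivers directory?") {
    `background dir * -path $system32\\drivers -max 0`;
}

# --- Step 6: full filesystem tree (slow and noisy; last for a reason) --------
if (prompt "Do you want to do a full tree of the system?") {
    `background tree -path * -max 0`;
}

return true;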