shadowbrokers-exploits/windows/Resources/Ep/Scripts/PSP/kaspersky_mp4.pl

185 lines
8.6 KiB
Perl
Raw Normal View History

#-----------------------------------------------------------------------------
# File: PSP\kaspersky_mp4.pl
# Description: Parses Kaspersky settinsg dump
#
# 2009-12-31 - First write to account for MP4 settings. OP ID 12345
#-----------------------------------------------------------------------------
use Data::Dumper;
$|=0;
my $file = $ARGV[0];
my $out = "";
open(IN, "<$file") or die "Error: $!\n";
my @lines = <IN>;
close(IN);
my $bbFlag = 0;
my $fmFlag = 0;
my $mode;
my $subMode = "";
my $dbFlag = 0;
my $injectFlag = 0;
my $hideFlag = 0;
my %data;
# rg - Registry Guard
# aaa - Application Activity Analyzer
# bb - Behavior Blocking
# fm - File Monitoring
# db - Dangerous Behavior
my $dump = {};
my $curTab = 0;
my $lastTab = 0;
my $curName = "";
my $thisHash = $dump;
my $lastHash = $dump;
my @hashChain; # push and pop names off the end of the hash chain as we go down....
for (my $i = 0; $i < scalar(@lines); $i++)
{
my $line = $lines[$i];
$line =~ s/\r//gi;
if ($line =~ m/^(\t*)\+\s(.*?)$/gi) {
$curName = $2;
my @tabs = split //, $1;
$curTab = scalar(@tabs); # count the tabs to know when to start a new hash ref
if ($curTab <= $lastTab) {
# Same or lower level, we need to pop one off (what we were just doing) the stack and create a new level.
$thisHash = retHashBase($dump, \@hashChain, $curTab); # need to get this at the appropriate level
# potential problem point with untested method.
for (my $n = 0; $n <= $lastTab - $curTab; $n++) { pop @hashChain; } # get rid of appropriate number of elements
}
push @hashChain, $curName;
$thisHash->{$curName} = {}; # create new hashref for this val
$thisHash = $thisHash->{$curName}; # set thishash to new hashref
$lastTab = $curTab; # update this tracking value
} else {
# this is a value, not a new level
$line =~ s/\t*//g;
my ($key, $val) = split /\s=\s/, $line;
$val =~ s/\s*$//g;
$thisHash->{$key} = $val;
}
}
# At this point, $dump contains a tree-like listing in memory of all the configuration file. Need to know a setting? Try this:
# my $regguard = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"regguard2"}->{"enabled"};
$data{"productName"} = $dump->{"Protection"}->{"settings"}->{"Ins_DisplayName"};
$data{"version"} = $dump->{"Protection"}->{"settings"}->{"SettingsVersion"};
$data{"productPath"} = $dump->{"Protection"}->{"settings"}->{"Ins_ProductPath"};
$data{"rgEnabled"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"regguard2"}->{"enabled"};
$data{"aicEnabled"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"pdm2"}->{"enabled"};
$data{"aaaEnabled"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"enabled"}; # Right now this is just a copy of BBenabled. What is it really supposed to be????
$data{"fmEnabled"} = $dump->{"Protection"}->{"subItems"}->{"File_Monitoring"}->{"enabled"};
$data{"fmLevel"} = $dump->{"Protection"}->{"subItems"}->{"File_Monitoring"}->{"level"};
$data{"fmScanPacked"} = $dump->{"Protection"}->{"subItems"}->{"File_Monitoring"}->{"settings"}->{"ScanPacked"};
$data{"fmScanAction"} = $dump->{"Protection"}->{"subItems"}->{"File_Monitoring"}->{"settings"}->{"ScanAction"};
$data{"fmDisinfect"} = $dump->{"Protection"}->{"subItems"}->{"File_Monitoring"}->{"settings"}->{"TryDisinfect"};
$data{"fmDelete"} = $dump->{"Protection"}->{"subItems"}->{"File_Monitoring"}->{"settings"}->{"TryDelete"};
$data{"fmDeleteContainer"} = $dump->{"Protection"}->{"subItems"}->{"File_Monitoring"}->{"settings"}->{"TryDeleteContainer"};
# In KAV 6.0 MP4, this is called "P2P Worm Like Activity", if we should be targetting "Trojan Like Activity" instead, change the set values to 0001
$data{"dbEnabled"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0000"}->{"bEnabled"};
print "\n\n****** $data{dbEnabled} ****** \n\n";
$data{"dbAction"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0000"}->{"Action"};
$data{"dbLog"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0000"}->{"bLog"};
# No value for this in MP4....
$data{"dbQuarantine"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0000"}->{"bQuarantine"};
# In KAV 6.0 MP4, this is called "Keyloggers"
$data{"keyboardEnabled"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0007"}->{"bEnabled"};
$data{"keyboardAction"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0007"}->{"Action"};
$data{"keyboardLog"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0007"}->{"bLog"};
# No value for this in MP4....
$data{"keyboardQuarantine"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0007"}->{"bQuarantine"};
# In KAV 6.0 MP4, this is called "Hidden Process"
$data{"hideEnabled"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0006"}->{"bEnabled"};
$data{"hideAction"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0006"}->{"Action"};
$data{"hideLog"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0006"}->{"bLog"};
# No value for this in MP4....
$data{"hideQuarantine"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0006"}->{"bQuarantine"};
# In KAV 6.0 MP4, this is called "Intrusion Into Process" 0009
$data{"injectEnabled"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0009"}->{"bEnabled"};
$data{"injectAction"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0009"}->{"Action"};
$data{"injectLog"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0009"}->{"bLog"};
# No value for this in MP4....
$data{"injectQuarantine"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"subItems"}->{"pdm2"}->{"settings"}->{"Set"}->{"0009"}->{"bQuarantine"};
$data{"protection"} = $dump->{"Protection"}->{"enabled"};
$data{"bbEnabled"} = $dump->{"Protection"}->{"subItems"}->{"Behavior_Blocking2"}->{"enabled"};
print $data{"productName"} . "\t"; #0
print $data{"version"} . "\t"; #1
print $data{"productPath"} . "\t"; #2
print $data{"protection"} . "\t"; #3
print $data{"bbEnabled"} . "\t"; #4
print $data{"dbEnabled"} . "\t"; #5
print $data{"dbAction"} . "\t"; #6
print $data{"dbLog"} . "\t"; #7
print $data{"dbQuarantine"} . "\t"; #8
print $data{"injectEnabled"} . "\t"; #9
print $data{"injectAction"} . "\t"; #10
print $data{"injectLog"} . "\t"; #11
print $data{"injectQuarantine"} . "\t"; #12
print $data{"hideEnabled"} . "\t"; #13
print $data{"hideAction"} . "\t"; #14
print $data{"hideLog"} . "\t"; #15
print $data{"hideQuarantine"} . "\t"; #16
print $data{"keyboardEnabled"} . "\t"; #17
print $data{"keyboardAction"} . "\t"; #18
print $data{"keyboardLog"} . "\t"; #19
print $data{"keyboardQuarantine"} . "\t"; #20
print $data{"rgEnabled"} . "\t"; #21
print $data{"aaaEnabled"} . "\t"; #22
print $data{"fmEnabled"} . "\t"; #23
print $data{"fmLevel"} . "\t"; #24
print $data{"fmScanPacked"} . "\t"; #25
print $data{"fmScanAction"} . "\t"; #26
print $data{"fmDisinfect"} . "\t"; #27
print $data{"fmDelete"} . "\t"; #28
print $data{"fmDeleteContainer"} . "\t"; #29
print $data{"aicEnabled"} . "\t"; #30
# return the hash base given the aboslute base plus the chain of keys that got us there.
sub retHashBase() {
my ($hash, $elements, $num) = @_;
return false unless ($hash && $elements);
if (!$num) {
$num = scalar(@{$elements});
}
my $key = "";
my $arr = copyArrayRef($elements); # make a working copy and store it in $arr
my $curLevel = $hash;
#for (my $i = 0; $i < scalar(@{$arr}); $i++) {
for (my $i = 0; $i < $num; $i++) {
$key = $arr->[$i];
$curLevel = $curLevel->{"$key"};
}
return $curLevel;
}
# Copies an array ref so we have a working copy to mutilate
sub copyArrayRef() {
my ($src) = @_;
return false unless ($src);
my $dst = [];
for (my $i = 0; $i < scalar(@{$src}); $i++) {
push @{$dst}, $src->[$i];
}
return $dst;
}