shadowbrokers-exploits/windows/Resources/Ep/Scripts/processdeep.eps
2017-04-14 11:45:07 +02:00

96 lines
2.8 KiB
PostScript

#-----------------------------------------------------------------------------
# File: process.eps
#
# Attempts to associate processes with their relative directories and dlls
#
#-----------------------------------------------------------------------------
############################################################################################
# Convert a string to lowercase #
############################################################################################
sub lc(IN string $string, OUT string $ret) {
@record on; @echo off;
`log local run -command "perl -e \\"\$a='$string';\$a=~tr/A-Z/a-z/;print \$a\\"" -redirect`;
@record off; @echo on;
$ret = GetCmdData("output");
}
############################################################################################
string $SYSPATH = GetEnv("SYSPATH");
string $SYSTEMROOT = GetEnv("SYSTEMROOT");
@echo off;
@record on;
ifnot (`log processlist`) {
echo "Couldn't get Processlist";
return false;
}
@record off;
int $ids = GetCmdData("id");
string $names = GetCmdData("name");
@record on;
ifnot (`getdirectory -scripts`) {
echo "Couldn't get directory";
return false;
}
@record off;
string $scripts_path = GetCmdData("dir");
string $knowns;
string $bads;
ReadFile("$scripts_path..\\good_processes.txt",$knowns);
ReadFile("$scripts_path..\\bad_processes.txt",$bads);
int $i=0;
while ($i < sizeof($ids)) {
string $bad;
bool $skip = false;
foreach $bad ($bads) {
if($names[$i] == $bad) {
echo "$ids[$i]:\t$names[$i]";
echo "Not running 'log processinfo -id $ids[$i].' It might get caught.\r\n";
$skip = true;
break;
}
}
@record on;
ifnot( $skip) {
ifnot (`log processinfo -id $ids[$i]`) {
echo "$ids[$i]:\t$names[$i]\t\tCouldn't Get Processinfo\r\n";
} else {
string $mod_name = GetCmdData("module_name");
echo "$ids[$i]:\t$names[$i]\r\n\t$mod_name\r\n";
######################################################
# Check common processes against good paths
######################################################
string $known;
foreach $known ($knowns) {
string $line = Split(",",$known);
string $path;
if($line[1] == "SYSPATH"){
$path = $SYSPATH;
}
if($line[1] == "SYSTEMROOT") {
$path = $SYSTEMROOT;
}
if ($names[$i] == $line[0]) {
string $good_name = "$path\\$line[0]";
lc($mod_name,$mod_name);
lc($good_name,$good_name);
ifnot ($mod_name == $good_name) {
echo "***************** ABOVE $line[0] MAY BE MALWARE *********************";
}
}
}
}
}
@record off;
$i++;
}
echo "calling freshstep";
`background script FreshStep.eps`;
return true;