96 lines
2.8 KiB
PostScript
96 lines
2.8 KiB
PostScript
#-----------------------------------------------------------------------------
|
|
# File: process.eps
|
|
#
|
|
# Attempts to associate processes with their relative directories and dlls
|
|
#
|
|
#-----------------------------------------------------------------------------
|
|
|
|
############################################################################################
|
|
# Convert a string to lowercase #
|
|
############################################################################################
|
|
sub lc(IN string $string, OUT string $ret) {
|
|
@record on; @echo off;
|
|
`log local run -command "perl -e \\"\$a='$string';\$a=~tr/A-Z/a-z/;print \$a\\"" -redirect`;
|
|
@record off; @echo on;
|
|
$ret = GetCmdData("output");
|
|
}
|
|
############################################################################################
|
|
|
|
string $SYSPATH = GetEnv("SYSPATH");
|
|
string $SYSTEMROOT = GetEnv("SYSTEMROOT");
|
|
|
|
@echo off;
|
|
@record on;
|
|
ifnot (`log processlist`) {
|
|
echo "Couldn't get Processlist";
|
|
return false;
|
|
}
|
|
@record off;
|
|
|
|
int $ids = GetCmdData("id");
|
|
string $names = GetCmdData("name");
|
|
|
|
@record on;
|
|
ifnot (`getdirectory -scripts`) {
|
|
echo "Couldn't get directory";
|
|
return false;
|
|
}
|
|
@record off;
|
|
string $scripts_path = GetCmdData("dir");
|
|
string $knowns;
|
|
string $bads;
|
|
ReadFile("$scripts_path..\\good_processes.txt",$knowns);
|
|
ReadFile("$scripts_path..\\bad_processes.txt",$bads);
|
|
|
|
int $i=0;
|
|
while ($i < sizeof($ids)) {
|
|
string $bad;
|
|
bool $skip = false;
|
|
foreach $bad ($bads) {
|
|
if($names[$i] == $bad) {
|
|
echo "$ids[$i]:\t$names[$i]";
|
|
echo "Not running 'log processinfo -id $ids[$i].' It might get caught.\r\n";
|
|
$skip = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
@record on;
|
|
ifnot( $skip) {
|
|
ifnot (`log processinfo -id $ids[$i]`) {
|
|
echo "$ids[$i]:\t$names[$i]\t\tCouldn't Get Processinfo\r\n";
|
|
} else {
|
|
string $mod_name = GetCmdData("module_name");
|
|
echo "$ids[$i]:\t$names[$i]\r\n\t$mod_name\r\n";
|
|
|
|
######################################################
|
|
# Check common processes against good paths
|
|
######################################################
|
|
string $known;
|
|
foreach $known ($knowns) {
|
|
string $line = Split(",",$known);
|
|
string $path;
|
|
if($line[1] == "SYSPATH"){
|
|
$path = $SYSPATH;
|
|
}
|
|
if($line[1] == "SYSTEMROOT") {
|
|
$path = $SYSTEMROOT;
|
|
}
|
|
if ($names[$i] == $line[0]) {
|
|
string $good_name = "$path\\$line[0]";
|
|
lc($mod_name,$mod_name);
|
|
lc($good_name,$good_name);
|
|
ifnot ($mod_name == $good_name) {
|
|
echo "***************** ABOVE $line[0] MAY BE MALWARE *********************";
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
@record off;
|
|
$i++;
|
|
}
|
|
echo "calling freshstep";
|
|
`background script FreshStep.eps`;
|
|
return true;
|
|
|