shadowbrokers-exploits/windows/Resources/Ep/Scripts/PSP/symantec_old.eps
2017-04-14 11:45:07 +02:00

349 lines
11 KiB
PostScript

#-------------------------------------------------------------------------------
# File: symantec.eps
# Created: 2/5/09
# Added generic functionality to determine symantec versions.
# Updated 3/11/10, Changed NAV_New() function to change the order of the PSPHelper metadata. This will remove lots of overhead from our script.
# Updated 3/17/10, Updated NAV_New() to get rid of non-PSP Symantec uninstall information.
#-------------------------------------------------------------------------------
@include "PSPHelpers.epm";
@include "PerlFunctions.epm";
int $i = 0;
int $j = 0;
string $skipped;
#------------------------------------
# Get all the subkeys under Uninstall
#------------------------------------
@echo off;
@record on;
`regquery -hive L -subkey "software\\microsoft\\windows\\currentversion\\uninstall"`;
@record off;
string $subkeys;
string $query;
string $version;
$subkeys = GetCmdData("subkey");
#----------------------------------------------------------------
# For each subkey (ie, each program that might be uninstalled)...
#----------------------------------------------------------------
@case-sensitive off;
while( $i < sizeof($subkeys) ) {
#-------------------------------------------------------------------------
# Ignore anything that might not be Symantec
#-------------------------------------------------------------------------
string $sym_keys = split("{",$subkeys[$i]);
if ($sym_keys[0] == "") {
$skipped[sizeof($skipped)] = $subkeys[$i];
$query = "software\\microsoft\\windows\\currentversion\\uninstall\\$subkeys[$i]";
if(NAV_New($query)) {
return true;
}
$i++;
continue;
}
if ($subkeys[$i] == "NAV") {
$query = "software\\microsoft\\windows\\currentversion\\uninstall\\$subkeys[$i]";
if(NAV_New($query)) {
return true;
}
$i++;
continue;
}
$sym_keys = split("Symantec",$subkeys[$i]);
if ($sym_keys[0] == "") {
$skipped[sizeof($skipped)] = $subkeys[$i];
$query = "software\\microsoft\\windows\\currentversion\\uninstall\\$subkeys[$i]";
if(NAV_New($query)) {
return true;
}
$i++;
continue;
}
$sym_keys = split("Norton",$subkeys[$i]);
if ($sym_keys[0] == "") {
$skipped[sizeof($skipped)] = $subkeys[$i];
$query = "software\\microsoft\\windows\\currentversion\\uninstall\\$subkeys[$i]";
if(NAV_New($query)) {
return true;
}
$i++;
continue;
}
$i++;
}
#####################
# Begin Legacy Block
#####################
if (`regquery -hive L -subkey "software\\symantec\\norton antivirus nt\\install\\7.50"`) {
echo "Current Version: Symantec Antivirus 7.5";
$version = "7.50";
NAV75($version);
} else if (`regquery -hive L -subkey "software\\symantec\\norton antivirus\\8.0"`) {
$version = "8.0";
NAV75($version);
} else if (`regquery -hive L -subkey "software\\symantec\\norton antivirus"`) {
reg_query("software\\symantec\\norton antivirus", "version", $version);
NAV($version);
} else if (`regquery -hive L -subkey "software\\symantec\\symantec antivirus nt\\install\\7.50"`) {
echo "Current Version: Symantec Antivirus 7.5";
$version = "7.50";
NAV75($version);
} else {
echo "Current Version: Unknown!";
# We don't know what it is lets default to safe mode
safety();
`background regquery -hive L -subkey "software\\symantec" -recursive`;
# Added for tracking purposes
NAV_UNK("Unknown");
}
@case-sensitive on;
##############################################
# Pulls recent product information from GUIDs
##############################################
sub NAV_New(IN string $query) {
@record on;
string $temp;
string $fullData;
string $fullVals;
string $searchVals;
$searchVals[0] = "Publisher";
$searchVals[1] = "DisplayVersion";
$searchVals[2] = "DisplayName";
$searchVals[3] = "InstallDate";
reg_query($query, $searchVals, $temp);
####################################
# Get things published by Symantec
####################################
ifnot($temp[0] == "Symantec Corporation" || $temp[0] == "Symantec" || $temp[0] == "Norton") {
return false;
}
#####################################################################
# Get rid of things published by Symantec that are clearly not PSP's
# We'll filter by "dirty words" that shouldn't be in PSP descriptions
# Todo: remove "Exchange Server Scanner" and "Symantec Mail Security for Microsoft Exchange"
# We do want to log these two if they are the real PSP we flagged in the process list, but otherwise not.
# Maybe fix the elist or checkPSP to be smarter about this?
#####################################################################
string $disps = split(" ", $temp[2]);
string $disp;
foreach $disp ($disps) {
if ($disp == "Ghost" || $disp == "Backup"|| $disp == "PartitionMagic" || $disp == "ccCommon" || $disp == "LiveUpdate" || $disp == "pcAnywhere") {
return false;
}
}
################################################
# Changed location of init(@metadata) info
################################################
metaData @metaData;
init(@metaData);
@metaData.$vendor = $temp[0];
safety();
################################################
# This can be cleaned up here a little more.
################################################
@metaData.$version = $temp[1];
@metaData.$product = $temp[2];
@metaData.$installDate = $temp[3];
if(@metaData.$history){
if(checkConfig("symantec:@metaData.$version",@metaData)){
echo "\r\rNo change in PSP configs.\r\r";
}else{
echo "\r\r!!!Changed PSP configs since last time!!!\r\r";
}
}
@record off;
if(writeMetaData(@metaData)) {
echo "Writing PSP Metadata information to pspInformation.txt";
} else {
echo "ERROR: Could not write meta data to disk.";
}
echo "Current Version: @metaData.$product (@metaData.$version)";
return true;
}
#######################################
# For Norton AV 9.0, 12.0, 14.0, 15.0
# Tested: 9.0, 12.0, 14.0, 15.0
#######################################
sub NAV(IN string $version) {
@record on;
#The struct is defined in PSPHelpers.epm
metaData @metaData;
#initialize the struct
init(@metaData);
# Some of these could be bad so lets run in safe mode
safety();
if(@metaData.$history){
if(checkConfig("symantec:$version",@metaData)){
echo "\r\rNo change in PSP configs.\r\r";
}else{
echo "\r\r!!!Changed PSP configs since last time!!!\r\r";
}
}
# Pulling some metadata as best as I can
echo "Writing PSP Metadata information to pspInformation.txt";
@metaData.$vendor = "Symantec";
if (`regquery -hive L -subkey "software\\symantec\\norton antivirus" -value "ProductName"`) {
@metaData.$product = GetCmdData("value_data");
} else if (`regquery -hive L -subkey "software\\symantec\\symsetup\\norton antivirus" -value "ProductName"`) {
@metaData.$product = GetCmdData("value_data");
}
@metaData.$version = $version;
# TODO: Can we get this information?
#@metaData.$installDate;
`regquery -hive L -subkey "software\\symantec\\norton antivirus\\liveupdate\\cmdlines\\cmdline1" -value "ProductVersion"`;
@metaData.$defUpdates = GetCmdData("value_data");
if (`regquery -hive L -subkey "software\\symantec\\installedapps" -value "CommonClient Data"`) {
@metaData.$logFile = GetCmdData("value_data");
} else if (`regquery -hive L -subkey "software\\symantec\\installedapps" -value "Common Client Data"`) {
@metaData.$logFile = GetCmdData("value_data");
}
if (`regquery -hive L -subkey "software\\symantec\\norton antivirus\\Quarantine" -value QuarantinePath`) {
@metaData.$quarantine = GetCmdData("value_data");
} else if (`regquery -hive L -subkey "software\\symantec\\installedapps" -value SRTSPQuarantine`) {
@metaData.$quarantine = GetCmdData("value_data");
}
# None needed....
#@metaData.$information;
@record off;
if(writeMetaData(@metaData)) {
echo "Wrote meta data to disk";
} else {
echo "ERROR: Could not write meta data to disk.";
}
echo "Current Version: @metaData.$product (@metaData.$version)";
}
sub NAV75(IN string $version) {
@record on;
#The struct is defined in PSPHelpers.epm
metaData @metaData;
#initialize the struct
init(@metaData);
if(@metaData.$history){
if(checkConfig("symantec:$version",@metaData)){
echo "\r\rNo change in PSP configs.\r\r";
}else{
echo "\r\r!!!Changed PSP configs since last time!!!\r\r";
}
}
echo "Writing PSP Metadata information to pspInformation.txt";
# Don't have much to put here at the moment...
@metaData.$vendor = "Symantec";
@metaData.$product = "Norton Antivirus";
@metaData.$version = $version;
@record off;
if(writeMetaData(@metaData)) {
echo "Wrote meta data to disk";
} else {
echo "ERROR: Could not write meta data to disk.";
}
echo "Current Version: @metaData.$product (@metaData.$version)";
}
sub NAV_UNK(IN string $version) {
@record on;
#The struct is defined in PSPHelpers.epm
metaData @metaData;
#initialize the struct
init(@metaData);
if(@metaData.$history){
if(checkConfig("symantec:$version",@metaData)){
echo "\r\rNo change in PSP configs.\r\r";
}else{
echo "\r\r!!!Changed PSP configs since last time!!!\r\r";
}
}
echo "Writing PSP Metadata information to pspInformation.txt";
# Don't have much to put here at the moment...
@metaData.$vendor = "Symantec";
@metaData.$product = "Unknown";
@metaData.$version = $version;
@record off;
if(writeMetaData(@metaData)) {
echo "Wrote meta data to disk";
} else {
echo "ERROR: Could not write meta data to disk.";
}
echo "Current Version: @metaData.$product (@metaData.$version)";
}
#----------------------------------------------------------------
# Runs a reg query searching for a specific subkey and returning
# a value.
# values = the values from the subkey that you are looking for
# ret = return values (in an array)
# error = do you want to halt on query errors
# returns true if found and false if it doesn't find the key
#----------------------------------------------------------------
sub reg_query(IN string $subkey, IN string $search_values, OUT string $ret)
{
string $values;
string $value;
string $value_data;
int $i=0;
int $j=0;
@record on;
if(`regquery -hive L -subkey "$subkey"`)
{
$values = GetCmdData("value");
$value_data = GetCmdData("value_data");
string $search_value;
foreach $search_value ($search_values)
{
$j = 0;
foreach $value ($values)
{
if($value == $search_value)
{
$ret[$i] = $value_data[$j];
}
$j++;
}
$i++;
}
ifnot(defined($ret)) {
$ret = "NTR";
}
return true;
} else {
return false;
}
}
sub safety() {
SetEnv("NOPROCINFO", "TRUE");
}