Here it is, folks. I have decided to try and give something back to the community via this script. I would not call it groundbreaking in the slightest, but if it makes someone's job out there a tad easier then I am happy :)
This was tested on Windows 7 and 2008. I assume it would work on Vista too; please let me know if it doesn't! Also, if you would like to see any additions or make any suggestions, just email me at icanhazblog[at]gmail[dot]com and I can see what I can do. Like I said, I am new to the PowerShell world and was blown away by its capabilities, so I am sure I am missing some cool tricks.
So, I know there are some blatant issues with this: it's using your own system tools, which could have been subverted by whatever badness is on the machine. Plus there could be a rootkit which hooks these system calls, so you are not getting correct information. These have been taken into consideration and I will figure something out :)
You can grab the script code from my Pastebin page; just put it into your own .ps1 file on your machine.
What it's grabbing:
-- About the Tool --
How to Run: Just invoke it from a PowerShell prompt that is running as Admin.
More Info: Each section is put into its own .txt file in a folder called 'output', located in the directory where the script is run. You need to be administrator to run some of the parts of this, and you need to modify your execution policy to run it on your system (try 'Set-ExecutionPolicy Unrestricted'; just make sure you switch it back when done, to be safe! To see what it is first, type 'Get-ExecutionPolicy').
Upcoming Additions: I would like to add dumping the contents of the Recycle Bin too; I'm just trying to figure out how to add it nicely.
-- FILE LOCATIONS --
TEMP (as directed in System Environment Variables)
C:\TEMP
C:\WINDOWS\Temp
Application Data directory
System32 (dll, sys, and exe files)
C:\ (exe files)
Prefetch files
-- INTERNET FILES --
Internet Explorer
Mozilla (I only detect if it exists; need to view via another program for now)
-- SYSTEM INFO --
Services (sorted by State)
Tasklist (processes associated with a service)
Tasklist (DLLs associated with a process)
-- REGISTRY --
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (migrated systems only)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (migrated systems only)
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
-- NETWORK INFO --
DNS cache
netstat -anob
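To make the layout above concrete, here is an added example of a collector built the same way the post describes: one .txt file per section in an 'output' folder next to the script, covering the same file locations, autorun keys, service/process listings and network state. This is my own illustration, not the author's Pastebin script; the Save-Section and Get-Listing helpers and the output file names are my choices, and it assumes PowerShell 2.0 or later on Windows 7 / 2008 run from an elevated prompt (netstat -anob and some HKLM keys need it).

```powershell
# Added example live-response collector (not the post's own script).
# Each section lands in .\output\<name>.txt. Assumes an elevated prompt.

$ErrorActionPreference = 'Continue'
$OutDir = Join-Path (Get-Location) 'output'
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Run one collector scriptblock and save everything it emits, errors included,
# to <Name>.txt with a timestamp header so the file is self-describing later.
function Save-Section {
    param([string]$Name, [scriptblock]$Collector)
    $path = Join-Path $OutDir "$Name.txt"
    "# $Name collected $(Get-Date -Format o) on $env:COMPUTERNAME" | Set-Content -Path $path
    & $Collector 2>&1 | Out-String -Width 300 | Add-Content -Path $path
}

# Directory listing helper: newest files first, with the timestamps a responder
# compares against the incident window. $Include is an optional extension filter.
function Get-Listing([string]$Path, [string[]]$Include) {
    if (-not (Test-Path $Path)) { return "(not present: $Path)" }
    if ($Include) { $items = Get-ChildItem -Path "$Path\*" -Include $Include -Force -ErrorAction SilentlyContinue }
    else          { $items = Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue }
    $items | Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, CreationTime, Length, FullName | Format-Table -AutoSize
}

# -- FILE LOCATIONS --
Save-Section 'temp_env'     { Get-Listing $env:TEMP }
Save-Section 'c_temp'       { Get-Listing 'C:\TEMP' }
Save-Section 'windows_temp' { Get-Listing "$env:SystemRoot\Temp" }
Save-Section 'appdata'      { Get-Listing $env:APPDATA }
Save-Section 'system32'     { Get-Listing "$env:SystemRoot\System32" @('*.dll', '*.sys', '*.exe') }
Save-Section 'c_root_exe'   { Get-Listing 'C:\' @('*.exe') }
Save-Section 'prefetch'     { Get-Listing "$env:SystemRoot\Prefetch" @('*.pf') }

# -- INTERNET FILES --
Save-Section 'ie_cache'     { Get-Listing "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files" }
Save-Section 'mozilla'      { "Firefox profile present: $(Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles")" }

# -- SYSTEM INFO --
Save-Section 'services'     { Get-Service | Sort-Object Status | Format-Table Status, Name, DisplayName -AutoSize }
Save-Section 'tasklist_svc' { tasklist /svc }   # processes with the services they host
Save-Section 'tasklist_dll' { tasklist /m }     # DLLs loaded per process

# -- REGISTRY -- the autostart locations the post enumerates
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)
Save-Section 'registry_autoruns' {
    foreach ($key in $AutorunKeys) {
        "== $key =="
        if (-not (Test-Path $key)) { '(key not present)'; continue }
        # Values directly under the key, minus the PS* provider properties
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* | Format-List
        # Subkeys too: Active Setup and Winlogon keep their entries one level down
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            "-- $($_.PSChildName)"
            Get-ItemProperty -Path $_.PSPath | Select-Object * -ExcludeProperty PS* | Format-List
        }
    }
}

# -- NETWORK INFO --
Save-Section 'dns_cache'    { ipconfig /displaydns }
Save-Section 'netstat'      { netstat -anob }

Write-Host "Done. Sections written to $OutDir"
```

Rather than changing the machine-wide policy with Set-ExecutionPolicy and remembering to revert it, you can scope the relaxation to a single process: `powershell.exe -ExecutionPolicy Bypass -File .\triage.ps1` leaves the stored policy untouched. The same caveat the post raises applies here: every section trusts the host's own tasklist, netstat and registry provider, so treat the output as a first look and confirm anything interesting from an offline image. Running from removable media keeps the 'output' folder off the subject's system drive.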
3 comments:
good stuff!
Thanks man. Tested it on Win7 x64 and runs like a charm. Already copied it in my Windows live response toolbox.
Thank you! Works as advertised.