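param(
    [Parameter()]
    [string]$evidence_dir
)
# -evidence_dir is caller-controlled and is later interpolated into file paths and
# into the command line of child PowerShell processes, so it must be a real
# directory before anything else uses it. When omitted, default to the current
# working directory (same value the original assigned via Get-Location, which the
# [string] parameter type coerced to its .Path).
if (-not $evidence_dir) {
    $evidence_dir = (Get-Location).Path
}
if (-not (Test-Path -LiteralPath $evidence_dir -PathType Container)) {
    throw "evidence_dir '$evidence_dir' is not an existing directory"
}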
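function GetEvidenceArray {
    # Returns the *.csv file names found in $evidence_dir (script scope) that are
    # on the allow-list below. Only allow-listed names survive, which matters
    # because BuildGUI later turns each surviving name into the name of the
    # function to invoke: an unexpected file name must never reach that step.
    $known_list = @(
        'installed_services.csv',
        'running_processes.csv',
        'installed_software.csv',
        'loggedon_users.csv',
        'network_connections.csv',
        'network_shares.csv',
        'remote_netcons.csv',
        'scheduled_tasks.csv',
        'server_connections.csv',
        'server_sessions.csv',
        'startup_items.csv',
        'system_accounts.csv'
    )
    $data_files = @(Get-ChildItem -Path $evidence_dir -Filter *.csv -Name)
    # -contains compares case-insensitively, matching Windows file-name semantics.
    # The previous Array.Contains() was an ordinal comparison and silently dropped
    # evidence whose casing differed (e.g. 'Running_Processes.csv'); it also
    # reassigned $data_files while iterating over it.
    $accepted = @($data_files | Where-Object { $known_list -contains $_ })
    return $accepted
}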
function Main {
    # Entry point: collect the allow-listed evidence file names, echo each one to
    # the host, then open the GUI. $evidence_array is global because the button
    # handlers and the per-file launcher functions read it later.
    $Global:evidence_array = GetEvidenceArray
    foreach ($name in $evidence_array) {
        Write-Host "Found File: "$name
    }
    BuildGUI
}
function LoadToArray ([string]$name) {
    # Reads the evidence CSV $name from $evidence_dir (script scope) into an
    # ArrayList of row objects (one object per CSV row, as Import-Csv yields).
    # The file name is echoed to the host first as a progress trace.
    # NOTE: `return` enumerates the list into the pipeline, so a caller doing
    # $rows = LoadToArray 'x.csv' receives the rows themselves, not the ArrayList.
    Write-Host $name
    $csv_path = "$evidence_dir\$name"
    $rows = New-Object System.Collections.ArrayList
    [void]$rows.AddRange(@(Import-Csv -Path $csv_path))
    return [System.Collections.ArrayList]$rows
}
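function Invoke-EvidenceAnalyzer ([string]$script_name) {
    # Launches analyzers\<script_name> in a new PowerShell process, passing it the
    # allow-listed evidence file names and the evidence directory.
    #
    # Security: $evidence_dir is caller-controlled. Without -File, Windows
    # PowerShell treats the bare script path and everything after it as -Command
    # text, so the directory interpolated into that line was re-parsed as
    # PowerShell code in the child (a value like 'C:\ev; <cmdlet>' would run it),
    # and a path containing spaces simply broke. -File passes every following
    # argument to the script's parameters literally, with no re-parsing.
    $current_dir = Get-Location
    # NOTE(review): resolved against the working directory, as the original did,
    # not against $PSScriptRoot; confirm the analyzers always live under the cwd.
    $script_path = "$current_dir\analyzers\$script_name"
    # A double quote would break the quoting below; it cannot occur in a valid
    # Windows path, so refuse rather than try to escape it.
    if ($evidence_dir -match '"') {
        throw "evidence_dir must not contain a double quote: $evidence_dir"
    }
    # Same 'a.csv,b.csv,' shape the original built (trailing comma kept). The
    # child now receives it as one literal string -- confirm analyzers\*.ps1
    # declare -evidence_array as [string] and split it themselves.
    $joined = ''
    foreach ($item in $evidence_array) {
        $joined += "$item,"
    }
    $arg_list = @(
        '-File', "`"$script_path`"",
        '-evidence_array', "`"$joined`"",
        '-evidence_dir', "`"$evidence_dir`""
    )
    Start-Process -FilePath 'powershell.exe' -ArgumentList $arg_list
}
function running_processes.csv {
    # Click handler for the running_processes.csv button; the function name must
    # equal the evidence file name because BuildGUI dispatches on it.
    Invoke-EvidenceAnalyzer 'running_processes.ps1'
}
function network_connections.csv {
    # Click handler for the network_connections.csv button (see above).
    Invoke-EvidenceAnalyzer 'network_connections.ps1'
}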
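function BuildGUI {
    # Builds and shows the WinForms window: a title label plus one button per
    # entry in $evidence_array (global, set by Main). Clicking a button invokes
    # the function whose name equals the file name (e.g. running_processes.csv).
    Add-Type -AssemblyName System.Windows.Forms
    $bold_font = New-Object System.Drawing.Font("Microsoft Sans Serif", 10, [System.Drawing.FontStyle]::Bold)

    $form = New-Object System.Windows.Forms.Form
    $form.ClientSize = '225,300'
    $form.Text = 'WMIH Analyzer'
    $form.BackColor = "#ffffff"

    $data_title = New-Object System.Windows.Forms.Label
    $data_title.Text = "Evidence Found"
    $data_title.Width = 120
    $data_title.Height = 20
    $data_title.Location = New-Object System.Drawing.Point(50, 20)
    $data_title.Font = $bold_font
    $form.Controls.Add($data_title)

    # Row index starts at 2 so the first button lands at Y = 40, below the title.
    $row = 2
    foreach ($file in $evidence_array) {
        $button = New-Object System.Windows.Forms.Button
        $button.Location = New-Object System.Drawing.Point(10, $(20 * $row))
        $button.Size = New-Object System.Drawing.Size(200, 20)
        $button.Text = $file
        $button.Font = New-Object System.Drawing.Font('Microsoft Sans Serif', 10)
        # Dispatch through a closure over $file instead of compiling the file name
        # into a script block with [scriptblock]::Create: the name stays data and
        # is only ever used as a command name for the call operator. The allow-list
        # in GetEvidenceArray is what keeps that set of names bounded.
        $button.Add_Click({ & $file }.GetNewClosure())
        # Allow-listed names with no matching handler function (e.g.
        # installed_services.csv) used to throw "not recognized" on click; grey
        # those buttons out instead.
        $button.Enabled = [bool](Get-Command -Name $file -CommandType Function -ErrorAction SilentlyContinue)
        $form.Controls.Add($button)
        $row += 1
    }
    [void]$form.ShowDialog()
}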
# Script entry point: everything above is definitions; this is the only top-level call.
Main