#Requires -Version 3
<#
.SYNOPSIS
Nishang script which checks running processes for malware.
.DESCRIPTION
This script takes MD5 hashes of running processes (the corresponding executables)
on the target system and searches for the hashes in the VirusTotal database using the Public API.
.PARAMETER APIKEY
The APIKEY provided when someone registers with VirusTotal.
.EXAMPLE
PS > Prasadhak 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0
.LINK
http://www.labofapenetrationtester.com/2013/01/introducing-prasadhak.html
https://github.com/samratashok/nishang
.Notes
The word Prasadhak means purifier in Sanskrit language.
#>
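function Prasadhak
{
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $apikey
    )

    # Batch size and per-minute quota are the values the original script
    # used; confirm both against the current VirusTotal documentation.
    $batchSize      = 25
    $requestsPerMin = 4
    $reportUrl      = "https://www.virustotal.com/vtapi/v2/file/report"

    # Hashes one file by streaming it through MD5 (no ReadAllBytes copy of
    # the whole image in memory). Returns $null when the file cannot be
    # opened or read so the caller can skip it explicitly, instead of the
    # original's $ErrorActionPreference = "SilentlyContinue", which hid the
    # failure and then fed a null hash into the request.
    # MD5 is what the original used and what the help text documents;
    # VirusTotal also accepts SHA-256, which is collision-resistant and the
    # better choice if the help text is updated alongside this.
    function Get-FileMD5([String]$path)
    {
        $stream = $null
        $md5 = $null
        try
        {
            $stream = [System.IO.File]::Open($path, [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
            $md5 = [System.Security.Cryptography.MD5]::Create()
            return ([System.BitConverter]::ToString($md5.ComputeHash($stream))).Replace("-", "").ToLower()
        }
        catch
        {
            Write-Verbose "Could not hash $path : $($_.Exception.Message)"
            return $null
        }
        finally
        {
            if ($stream) { $stream.Dispose() }
            if ($md5) { $md5.Dispose() }
        }
    }

    # Submits one batch of hashes to the file/report endpoint and returns
    # the parsed JSON (one object for a single resource, an array for
    # several), or $null on a transport/HTTP failure. Invoke-RestMethod
    # form-encodes the body; the original hand-built the query string
    # without any encoding. The API key stays in the POST body rather than
    # the URL so it does not land in proxy or server access logs.
    function Get-VTReport([String[]]$hashes)
    {
        $body = @{ resource = ($hashes -join ","); apikey = $apikey }
        try
        {
            return Invoke-RestMethod -Method Post -Uri $reportUrl -Body $body
        }
        catch
        {
            Write-Warning "VirusTotal request failed: $($_.Exception.Message)"
            return $null
        }
    }

    # Prints the verdict for every report in a batch, naming the
    # executable(s) behind each hash (the original left that as a
    # commented-out TODO, so verdicts were not attributable).
    # Note: response_code 0 ("not found") only means VirusTotal has never
    # seen this exact file; a custom or freshly built binary is not cleared
    # by that, and "reported clean" reflects engine results at lookup time.
    function Show-VTReport($reports, [Hashtable]$pathsByHash)
    {
        foreach ($code in @($reports))
        {
            # v2 echoes the queried hash back as 'resource'; map it to paths.
            $who = $code.resource
            if ($who -and $pathsByHash.ContainsKey($who))
            {
                $who = $pathsByHash[$who] -join "; "
            }
            if ($code.response_code -eq 0)
            {
                Write-Host "Not found in VT database. $who"
            }
            elseif (($code.response_code -eq 1) -and ($code.positives -ne 0))
            {
                Write-Host "Something malicious is found. $who" -ForegroundColor Red
                $code.Permalink
            }
            elseif ($code.response_code -eq 1)
            {
                Write-Host "This is reported clean. $who" -ForegroundColor Green
            }
            # Original tested $res (the whole batch) here instead of $code.
            elseif ($code.response_code -eq -2)
            {
                "File queued for analysis. $who"
                $code.Permalink
            }
        }
    }

    "Reading Processes and determining executables."
    $allProcs = @(Get-Process -ErrorAction SilentlyContinue)
    # Path is $null for processes whose image cannot be queried (protected
    # or cross-bitness processes, presumably); those are dropped here.
    $procs = @($allProcs | ForEach-Object { $_.Path } | Where-Object { $_ })
    "Total Processes detected: " + $allProcs.Count
    "Total Processes for which executables were detected: " + $procs.Count

    # One lookup per distinct image: many processes share an executable,
    # and every request counts against the quota. Be aware that this sends
    # the hash of every running executable to a third party, which reveals
    # what software the host runs.
    $pathsByHash = @{}
    foreach ($proc in $procs)
    {
        $h = Get-FileMD5 $proc
        if (-not $h) { continue }
        if (-not $pathsByHash.ContainsKey($h)) { $pathsByHash[$h] = @() }
        $pathsByHash[$h] += $proc
    }
    $hashes = @($pathsByHash.Keys)
    if ($hashes.Count -eq 0)
    {
        "No executables could be hashed."
        return
    }

    # Fixed-size batches over the full list. The original's iteration/count
    # arithmetic appended a stray "0" after the first batch ($hash = 0 on a
    # [String[]]) and, for a process count that is not a multiple of the
    # batch size, never sent the final partial batch at all.
    $reqcount = 0
    for ($start = 0; $start -lt $hashes.Count; $start += $batchSize)
    {
        $end = [Math]::Min($start + $batchSize, $hashes.Count) - 1
        $batch = @($hashes[$start..$end])
        $reports = Get-VTReport $batch
        if ($null -ne $reports) { Show-VTReport $reports $pathsByHash }
        $reqcount++
        # Throttle only if there is another batch to send.
        if (($reqcount -eq $requestsPerMin) -and (($end + 1) -lt $hashes.Count))
        {
            "Waiting for one minute as VT allows only 4 requests per minute."
            Start-Sleep -Seconds 60
            $reqcount = 0
        }
    }
}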