admin.malware.detector.vbs
' Minimal Malware Detection Script
' Use this when there is an urgent need to look on the C:\ drive
' for new malware programs reported by your agencies.
' It loops through the filename and hash list, searching drive C:\
' on a Windows computer and reports a file with the same MD5 hash.
'
' How to use:
' Populate the NameAndHash array with multiple comma-separated lines
' containing the file name and MD5 signature hash.
' Run the file from an admin account with a double click and wait
' for warnings. The run.malware.detection.as.admin can be used if
' your current login does not have admin privilege.
' Administrators can include this in a startup or shutdown script,
' running as admin to silently check for threats.
'
' Command Terminal
' Empty the NameAndHash array then use the command prompt window for
' a single file search, using cscript. You could leave the array
' populated too; the manual entry will be appended to the list.
' Ex:
' cscript malware.detection.vbs "filename.ext" "MD5HASHSTRING"
'
' Progress reports
' If you have a long list of files, and want to know how it is
' going, change the "reportSearchProgress" variable to true. It
' will show a dialog box for each file as the search begins.
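Dim reportSearchProgress
' Use true if you want notices of progress and problems.
' Use false if you only want a notice when a problem is found.
reportSearchProgress=false
Dim NameAndHash
' Add the malware filename and MD5 hash list here as comma separated strings.
' At least you need the name,hash fields. Please mind the format!
' * No extra quotes
' * ", _ at the end of multiple entries
' * only " _ at the end of the last entry
' * Only the first two fields (name, hash) are used; Bytes and Description
'   are carried for the reader and ignored by the scan.
'
' NOTE: a hit requires an exact MD5 of the whole file. A sample that was
' repacked or patched by a single byte hashes differently and is NOT
' reported, so a clean run means "none of these exact files were found",
' not "no malware present".
'
' The list below includes Filename, MD5, Bytes, Description
NameAndHash=Array( _
"malwaremd5.exe, 8D443F2E93A3F0B67F442E4F1D5A4D6D ,48000, Used to calculate md5 hashes", _
"badcat.exe, 1854f8385472cf2bo8596988515322ca,78848,fake entry for testing" _
)
'-------- Know where this script is located. ------------------
strPath = Wscript.ScriptFullName
Set objFSOa = CreateObject("Scripting.FileSystemObject")
Set objFilea = objFSOa.GetFile(strPath)
strFolder = objFSOa.GetParentFolderName(objFilea)
'-------- Declare additional variables ------------------------
Dim fileData, fileNameParts, foundFileHash, dotLocation, strCommand, i, inputArgs
Dim sLongPath
fileNameParts = Array("","")
Dim FSO2
Set FSO2 = CreateObject("Scripting.FileSystemObject")
'------- If there are command line args, add them to the NameAndHash array
If WScript.Arguments.Count = 2 Then
    Set args = WScript.Arguments
    fileData = args.Item(0) & "," & args.Item(1)
    ' Grow the list by one slot and append the "name,hash" pair.
    ReDim Preserve NameAndHash(Ubound(NameAndHash)+1)
    NameAndHash(Ubound(NameAndHash)) = fileData
End If
'------- If there is no input, quit. --------------------------
if Ubound(NameAndHash) = -1 Then
    if reportSearchProgress = true then
        MsgBox "Malware.Detection.vbs progress" & vbCrLf & _
        "No, input. Will quit. " & vbCrLf & _
        "Please add to the list in the script or a single file on the command line." & _
        vbCrLf & "Command Line Usage: "& vbCrLf & vbCrLf & _
        " cscript " & Wscript.ScriptName & " ""filename.ext"" ""MD5HASHSTRING"""
    end if
    Wscript.Quit
end if
'-------- Command objects will be used in the search ----------
strComputer = "."
' impersonate: WMI evaluates the query with the rights of the account
' running this script (which is why it should be an admin account).
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set oShortNameChanger = CreateObject("Scripting.FileSystemObject")
'-------- Needs the malwaremd5 tool to operate -----------------------
' Check existence on the long path BEFORE asking for the short path.
' GetFile raises "File not found" on a missing file, so the previous order
' (GetFile first, FileExists second) never reached the friendly message.
sLongPath = strFolder & "\malwaremd5.exe"
If FileExists(sLongPath) = false Then
    Wscript.Echo "Malware.Detection.vbs needs malwaremd5.exe to operate." & vbCrLf _
    & vbCrLf & "File: " & sLongPath & " does not exist."
    Wscript.Quit
End If
' 8.3 short path: the command lines below are built without quotes, so a
' folder name containing spaces would otherwise break them.
sCurPath = oShortNameChanger.GetFile(sLongPath).ShortPath
' It must also be the correct malwaremd5.exe
' This catches an accidentally swapped or corrupted tool. MD5 is not
' collision resistant, so it is not a defense against a deliberately
' crafted replacement; verify the tool out of band if that is in your
' threat model.
strCommand = "%comspec% /c " & sCurPath & " -n " & sCurPath
foundFileHash = fShellRun(strCommand)
if StrComp(foundFileHash,"8D443F2E93A3F0B67F442E4F1D5A4D6D",1) <> 0 then
    WScript.Echo "Malware.Detection.vbs Danger Alert" & vbCrLf _
    & vbCrLf & "File: " & sCurPath & vbCrLf & _
    "MD5: " & foundFileHash & vbCrLf & _
    "Does not match original MD5: 8D443F2E93A3F0B67F442E4F1D5A4D6D" & vbCrLf & _
    "Do not close this window. " & _
    "Contact your administrator immediately."
    Wscript.Quit
end if
'------- Loop through the list of malware ---------------------
For Each elem In NameAndHash
    fileData=split(elem,",")
    'Trim all the elements of white space on the ends.
    i = 0
    For Each value In fileData
        fileData(i) = Trim(value)
        i = i + 1
    Next
    ' An entry without a hash field cannot be checked; skip it instead of
    ' aborting the whole run on an out-of-range index.
    If Ubound(fileData) < 1 Then
        if reportSearchProgress = true then
            WScript.Echo "Malware.Detection.vbs progress" & vbCrLf & _
            "Skipping entry without name,hash fields: " & elem
        end if
    Else
        ' Split on the LAST dot so "setup.v2.exe" becomes name "setup.v2" and
        ' extension "exe", which is how CIM_DataFile stores FileName/Extension.
        ' split() on every dot mishandled names containing more than one dot.
        dotLocation = InStrRev(fileData(0),".")
        if dotLocation > 0 Then
            fileNameParts(0) = Left(fileData(0), dotLocation - 1)
            fileNameParts(1) = Mid(fileData(0), dotLocation + 1)
        else
            fileNameParts(0) = fileData(0)
            fileNameParts(1) = "%" '% Use any extension
        end if
        'Let the search function look for the file and compare the hash
        find_file fileNameParts(0), fileNameParts(1), fileData(1)
    End If
Next
'------- Alert the end of the search if requested --------------
if reportSearchProgress = true then
    MsgBox "Malware.Detection.vbs progress" & vbCrLf & "Finished minimal malware scan. "
end if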
'------- Function to get the md5 hash of the files --------------
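Function fShellRun(sCommandStringToExecute)
    ' Runs sCommandStringToExecute in a hidden shell, redirecting its standard
    ' output into a temporary file under %temp%, and returns the first line
    ' of that output.  Returns "" when the shell could not be started or the
    ' command produced no output (callers treat "" as a failed hash).
    ' The temp file is removed on every path; the previous version leaked it
    ' when Run failed and raised "Input past end of file" on empty output.
    ' NOTE(review): the tool's output round-trips through a file in the
    ' running account's %temp%. If that directory is reachable by less
    ' trusted processes on the host, reading StdOut via WScript.Shell.Exec
    ' would avoid the file altogether — left as is to keep the window hidden.
    Dim oShellObject, oFileSystemObject, sShellRndTmpFile, strCommandToRun
    Dim oShellOutputFileToRead, iErr
    Set oShellObject = CreateObject("Wscript.Shell")
    Set oFileSystemObject = CreateObject("Scripting.FileSystemObject")
    sShellRndTmpFile = oShellObject.ExpandEnvironmentStrings("%temp%") & "\" & oFileSystemObject.GetTempName
    strCommandToRun = sCommandStringToExecute & " > " & sShellRndTmpFile
    fShellRun = ""
    On Error Resume Next
    ' 0 = hidden window, True = wait until the command has finished.
    oShellObject.Run strCommandToRun, 0, True
    iErr = Err.Number
    On Error GoTo 0
    If iErr = 0 Then
        On Error Resume Next
        ' 1 = ForReading
        Set oShellOutputFileToRead = oFileSystemObject.OpenTextFile(sShellRndTmpFile, 1)
        If Err.Number = 0 Then
            ' Guard ReadLine: it raises on an empty stream.
            If Not oShellOutputFileToRead.AtEndOfStream Then
                fShellRun = oShellOutputFileToRead.ReadLine
            End If
            oShellOutputFileToRead.Close
        End If
        On Error GoTo 0
    End If
    ' Best-effort cleanup: the file may not exist if Run failed before cmd started.
    On Error Resume Next
    If oFileSystemObject.FileExists(sShellRndTmpFile) Then
        oFileSystemObject.DeleteFile sShellRndTmpFile, True
    End If
    On Error GoTo 0
End Function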
'------ Looks for the file on the HD and passes it to the hash test --------
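Function find_file(filename, extension, hash)
    ' Queries WMI (CIM_DataFile) for every file on drive C: whose base name
    ' equals filename and whose extension matches extension (a WQL LIKE
    ' pattern, so "%" means any extension), hashes each hit with
    ' malwaremd5.exe and prints a Danger Alert when the MD5 equals hash
    ' (case-insensitive compare).  Returns nothing.
    ' Relies on the script-level objWMIService, oShortNameChanger, sCurPath,
    ' reportSearchProgress and fShellRun.
    Dim colItems, objItem, shortFileName, iErr, safeName, safeExt
    '------- Alert the progress per file if requested --------------
    if reportSearchProgress = true then
        WScript.Echo "Malware.Detection.vbs progress" & vbCrLf _
        & vbCrLf & "Seaching for "& filename & "." & extension
    end if
    'Possible bug is that a virus loads up but somehow avoids registering
    'with the WMI search service. (May or may not be an issue.)
    ' filename and extension come from the list or the command line and are
    ' spliced into a WQL string literal. WQL uses backslash escapes, so a
    ' backslash or single quote in the value has to be escaped or the query
    ' fails (or matches something other than intended). Backslash first.
    safeName = Replace(Replace(filename, "\", "\\"), "'", "\'")
    safeExt = Replace(Replace(extension, "\", "\\"), "'", "\'")
    ' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly (semi-synchronous,
    ' forward-only enumeration).
    Set colItems = objWMIService.ExecQuery( _
        "SELECT * FROM CIM_DataFile " & _
        "WHERE Drive = 'C:' AND FileName='" & safeName & "' AND Extension LIKE '" & safeExt & "'",,48)
    For Each objItem in colItems
        ' A file can vanish or be locked between the query and the hash;
        ' skip it rather than abort the rest of the scan.
        On Error Resume Next
        shortFileName = oShortNameChanger.GetFile(objItem.Name).ShortPath
        iErr = Err.Number
        On Error GoTo 0
        If iErr <> 0 Then
            if reportSearchProgress = true then
                WScript.Echo "Malware.Detection.vbs progress" & vbCrLf & _
                "Could not access " & objItem.Name & " (error " & iErr & ")"
            end if
        Else
            ' 8.3 path keeps the unquoted command line intact for paths with spaces.
            strCommand = "%comspec% /c " & sCurPath & " -n " & shortFileName
            foundFileHash = fShellRun(strCommand)
            if StrComp(foundFileHash,hash,1) = 0 then
                WScript.Echo "Malware.Detection.vbs Danger Alert" & vbCrLf _
                & vbCrLf & "File: " & objItem.Name & vbCrLf & _
                "w/MD5: "& foundFileHash & vbCrLf & _
                "appears to be a malicious program. Do not close this window. " & _
                "Contact your administrator immediately."
            end if
        End If
    Next
End Function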
Function FileExists(strFile)
    ' True when the script-level FSO2 reports that strFile exists,
    ' False otherwise. Thin wrapper so callers never touch FSO2 directly.
    FileExists = FSO2.FileExists(strFile)
End Function
'Credits:
' find_file main idea: http://leereid.wordpress.com/2010/01/19/vbscript-find-a-file-and-delete-it/
' malwaremd5.exe tool: http://www.fourmilab.ch/md5/
' fShellRun: from: http://www.visualbasicscript.com/fShellRun-m42892.aspx
'Possible bug is that a virus loads up but somehow avoids registering
'with the WMI search service. (May or may not be an issue.)
' File Exists http://rosettacode.org/wiki/Check_that_file_exists#VBScript
' Use short path names http://www.visualbasicscript.com/Convert-long-path92filename-to-short-DOSstyle-name-m78126.aspx