The godly power of PowerShell


October 20, 2011 by globz

I recently became a lot more interested in PowerShell after reading the ebook "Learn Windows PowerShell in a Month of Lunches". It gave me a strong understanding of the true power of PowerShell, and it also taught me not to always look for third-party applications when you have to analyse or monitor a Windows environment.

Learning PowerShell is quite easy: the basics are simple to understand, and within no time you can start scripting useful tools to help you with your day-to-day jobs.

I decided to give it a shot and created a very basic script [ps-monitor] which lets you take snapshots of your Windows environment/configuration, compare them with another set of snapshots, and then display the output inside an HTML file.

By using only basic commands I was able to quickly view any modifications made to my system.

The script takes default snapshots of your system; using only basic commands you can get a good overview of it. For example, with the command "Get-ChildItem" you can list all directories and sub-directories and store the information inside a txt file.

These snapshots cover areas considered *critical*, with a high chance of being hit by infected files or configuration changes.

The following snapshots are taken by default :

c:\

c:\windows\System32

$env:temp

C:\Windows\System32\drivers\etc

$env:appdata

$env:allusersprofile + cd '.\Application data' (winxp)

$env:localappdata (win vista/7)

$env:programfiles

$env:windir

Get-WmiObject -Class Win32_NetworkAdapterConfiguration

get-service

get-process

OK, basic stuff: we store the harvested information inside a txt file, and then we can compare it against another set of snapshots when needed. The idea is to take these snapshots while you are running a "clean" Windows system, so that whenever something bad hits your computer you can quickly take a new set of snapshots and compare them with the following command:

diff $(Get-Content root.txt) $(Get-Content diff.txt) | Where-Object { $_.SideIndicator -eq '=>' } | ConvertTo-HTML | Out-File root.html

diff (an alias for Compare-Object) compares the content of both snapshots and lists the differences inside root.html; in this case root is [c:\], so any change under that path since your first snapshot will be listed. If a nasty virus hit your system and dropped an exe at the root of your drive, you could quickly spot it.
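The snapshot-and-compare workflow above, written out end to end as an added example (this is not the ps-monitor script itself). It takes the default locations the post lists, stores one txt file per location under a snapshot directory, and compares a later set against a baseline with Compare-Object, keeping only entries that appear in the new snapshot. It goes slightly beyond the post by recording size and last-write time next to each path, so a modified file shows up as well as a dropped one. The snapshot root, the set names and the report path are illustrative choices; the Windows XP "Application data" location is left out.

```powershell
# Added example: baseline snapshots of the locations the post lists, plus a comparison report.
# $SnapshotRoot, the set names and the report path are assumed values, not from ps-monitor.
param(
    [string]$SnapshotRoot = "$env:USERPROFILE\ps-snapshots"
)

# Locations the post treats as critical; $env:LOCALAPPDATA is empty on XP and gets skipped.
$paths = @(
    'C:\',
    "$env:windir\System32",
    $env:TEMP,
    "$env:windir\System32\drivers\etc",
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:ProgramFiles,
    $env:windir
)

function Save-Snapshot {
    param([string]$SetName)
    $dir = Join-Path $SnapshotRoot $SetName
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    foreach ($p in $paths) {
        if (-not $p) { continue }                       # variable not defined on this OS
        $name = ($p -replace '[:\\]', '_') + '.txt'     # e.g. C__Windows_System32.txt
        Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
            Sort-Object FullName |
            ForEach-Object { "$($_.FullName)`t$($_.Length)`t$($_.LastWriteTime)" } |
            Out-File (Join-Path $dir $name) -Encoding UTF8
    }

    # The non-filesystem snapshots the post takes by default
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Format-List |
        Out-File (Join-Path $dir 'netcfg.txt')
    Get-Service | Sort-Object Name | Format-Table Name, Status -AutoSize |
        Out-File (Join-Path $dir 'services.txt')
    Get-Process | Sort-Object Name | Format-Table Name, Id, Path -AutoSize |
        Out-File (Join-Path $dir 'processes.txt')
}

function Compare-Snapshot {
    param([string]$Baseline, [string]$Current, [string]$Report)
    $base = Join-Path $SnapshotRoot $Baseline
    $cur  = Join-Path $SnapshotRoot $Current
    $rows = foreach ($f in Get-ChildItem $base -Filter *.txt) {
        $other = Join-Path $cur $f.Name
        if (-not (Test-Path $other)) { continue }
        Compare-Object (Get-Content $f.FullName) (Get-Content $other) |
            Where-Object { $_.SideIndicator -eq '=>' } |     # only in the newer snapshot
            ForEach-Object { [pscustomobject]@{ Snapshot = $f.BaseName; Added = $_.InputObject } }
    }
    $rows | ConvertTo-Html -Title 'Snapshot differences' | Out-File $Report
}

# Usage: take the baseline on a known-clean machine, then compare a later set against it.
# Save-Snapshot -SetName 'clean'
# Save-Snapshot -SetName 'suspect'
# Compare-Snapshot -Baseline 'clean' -Current 'suspect' -Report "$SnapshotRoot\report.html"
```

Because the comparison is line-based, a file whose size or last-write time changed produces a new line and therefore appears in the report alongside genuinely new files; renamed or deleted files can be found the same way by selecting the '<=' side indicator instead.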

The other part of my script lets you do live monitoring of any given path and watch the output inside the Windows PowerShell console. You can also filter out unwanted noise.

These are the only lines of code needed to do this kind of monitoring:

# $searchPath and $filter are set earlier in the script; sample values are shown here
$searchPath = 'C:\'
$filter = '*.exe'

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $searchPath
$watcher.Filter = $filter
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true

# $eventArgs is the automatic variable holding the event's FileSystemEventArgs
$changed = Register-ObjectEvent $watcher "Changed" -Action {
    Write-Host "Changed: $($eventArgs.FullPath)"
}

$created = Register-ObjectEvent $watcher "Created" -Action {
    Write-Host "Created: $($eventArgs.FullPath)"
}

$deleted = Register-ObjectEvent $watcher "Deleted" -Action {
    Write-Host "Deleted: $($eventArgs.FullPath)"
}

$renamed = Register-ObjectEvent $watcher "Renamed" -Action {
    Write-Host "Renamed: $($eventArgs.FullPath)"
}


File monitoring could be useful for analysing how malware spreads inside your system: you could set the watcher to monitor [c:\] and apply *.exe as the filter, and as a result you would see where the malware is dropping its executable. There are many more scenarios where this kind of monitoring would be useful, but that is up to you to find.
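The scenario just described, with the noise filtering the post mentions, as an added example (not ps-monitor's own code). A single handler serves all four event types, drops any path matching an exclusion list, and appends what remains to a timestamped log rather than only writing to the console, so the record survives if the console is closed. The watched path, the filter, the log location and the exclusion patterns are illustrative choices.

```powershell
# Added example: watch a path for *.exe activity, filter out noisy locations, log with timestamps.
# $WatchPath, $Filter, $LogFile and $Exclude are assumed values, not settings from ps-monitor.
param(
    [string]$WatchPath = 'C:\',
    [string]$Filter    = '*.exe',
    [string]$LogFile   = "$env:USERPROFILE\ps-monitor.log",
    [string[]]$Exclude = @("$env:windir\Temp\*", "$env:TEMP\*")
)

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $WatchPath
$watcher.Filter = $Filter
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite'
$watcher.EnableRaisingEvents = $true

# One handler for every event type; settings reach it through $Event.MessageData
$action = {
    $data = $Event.MessageData
    $args = $Event.SourceEventArgs
    $path = $args.FullPath

    # Skip anything matching an exclusion pattern (-like is wildcard, case-insensitive)
    foreach ($pattern in $data.Exclude) {
        if ($path -like $pattern) { return }
    }

    $line = "{0:yyyy-MM-dd HH:mm:ss}`t{1}`t{2}" -f (Get-Date), $args.ChangeType, $path
    if ($args.ChangeType -eq 'Renamed') {
        $line += "`t(from $($args.OldFullPath))"     # RenamedEventArgs carries the old name
    }
    Add-Content -Path $data.LogFile -Value $line
    Write-Host $line
}

$msg = @{ Exclude = $Exclude; LogFile = $LogFile }
foreach ($evt in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt `
        -SourceIdentifier "psmon-$evt" -Action $action -MessageData $msg | Out-Null
}

Write-Host "Watching $WatchPath for $Filter; logging to $LogFile. Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Remove the subscriptions and release the watcher when the script ends
    Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'psmon-*' } | Unregister-Event
    $watcher.Dispose()
}
```

Keep the exclusion list short and specific: the temp locations are excluded here only because installers and browsers write executables there constantly, and a drop into one of them would still show up in the snapshot comparison above.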

In conclusion, PowerShell can be very useful and could replace some third-party applications when facing malware that is able to block such analysis/monitoring tools.


1 comment

Ted says:

    Thanks for the share! Very useful info!
