include "GSI_Basic"
typelib FS "Scripting.FileSystemObject"

// MemScript: an EnCase EnScript front end for Mandiant's Memoryze.
// Flow (see Main): collect options in a tabbed dialog, persist them with
// StorageClass, dump each selected evidence entry to a flat .bin file (or use
// its original path), write a batch XML file, run Memoryze.exe through cmd.exe
// and optionally open the newest audit folder in AuditViewer.py.
//
// NOTE(review): this listing was recovered from a collapsed single-line page.
// Line breaks and indentation below are editorial; the XML markup that the
// batch-file write in Main should emit did not survive extraction (see the
// lf.Write call there), so the recovered script cannot be considered complete.
class MainClass {
  // Audit switches and option values; each is bound to a dialog control of
  // the nested DialogClass subclasses below and is read back in Main.
  bool handles, sections, ports, strings, specificname, specificpid,
       UseAuditViewer, ChangePath, driveraudit, driversigaudit, rootkitaudit;
  String ProcessName, ProcessPID, AuditViewerDir, MemoryzeDir;

  // Walks <path>\Audits\<machine>\<run> and returns the path of the run
  // folder with the most recent DateCreated across all machine folders.
  // Despite the local name 'earliest' and the "Earliest Date" console line,
  // the test Compare(earliest) > 0 replaces the candidate whenever a LATER
  // folder is seen, so the result is the newest run -- which is what a viewer
  // launched right after a Memoryze run needs.
  // Returns an empty String when the FileSystemObject cannot be created.
  // NOTE(review): when a machine folder has no run sub-folder, 'auditdir' is
  // still unassigned at auditdir.Path() -- presumably a runtime error; confirm.
  String FindAuditFolder(String path){
    FS::FileSystemObject fso;
    DateClass earliest;
    String auditpath;
    int i;
    i=0;
    if (fso.Create("")) {
      FS::IFolder audits = fso.GetFolder(path+"\\Audits\\");
      FS::Folders sub = FS::Folders::TypeCast(audits.SubFolders());
      FS::IFolder auditdir;
      foreach (FS::Folder f in sub){
        Console.WriteLine("Machine Folder: " + f.Name());
        FS::IFolder machine = fso.GetFolder(path+"\\Audits\\" + f.Name());
        FS::Folders machinesub = FS::Folders::TypeCast(machine.SubFolders());
        foreach(FS::Folder sb in machinesub){
          // First run folder ever seen seeds the comparison; 'i' is never
          // reset, so later machine folders compare against the running best.
          if(i==0){
            earliest.Set(sb.DateCreated().Year(),sb.DateCreated().Month(),sb.DateCreated().Day(),sb.DateCreated().Hour(),sb.DateCreated().Minute(),sb.DateCreated().Second());
            auditdir = fso.GetFolder(sb.Path());
            i++;
          }
          // Keep the folder created most recently.
          if(sb.DateCreated().Compare(earliest)>0){
            earliest.Set(sb.DateCreated().Year(),sb.DateCreated().Month(),sb.DateCreated().Day(),sb.DateCreated().Hour(),sb.DateCreated().Minute(),sb.DateCreated().Second());
            auditdir = fso.GetFolder(sb.Path());
          }
        }
        // Logged once per machine folder, not once at the end.
        Console.WriteLine("Earliest Date: " + earliest.GetString());
        Console.WriteLine("Analysis Folder: " + auditdir.Path());
        auditpath = auditdir.Path();
      }
    }
    else Console.Write(SystemClass::LastError());
    return auditpath;
  }

  // "Process Audit" tab: ports/handles/sections/strings switches plus an
  // optional process-name or PID filter; Specific Name and Specific PID are
  // mutually exclusive (enforced in CheckControls).
  // NOTE(review): the ';' after the Desc(...) initializer appears in all four
  // dialogs of the recovered listing; an initializer list is comma-separated,
  // so verify this against the original file.
  class ProcessAudit: DialogClass {
    String Desc;
    ButtonClass _Help;
    GroupBoxClass processoptions;
    CheckBoxClass _Ports, _Handles,_Sections,_Strings,_SpecificName,_SpecificPID;
    StringEditClass _ProcessName,_ProcessPID;
    ProcessAudit(DialogClass parent, MainClass m):
      DialogClass(parent, "Process Audit"),
      // Help text shown by the Help button (runtime string; typos such as
      // "assoicated"/"proces" are left untouched here).
      Desc ("Memoryze Process Audit\n\n"
            "This audit will list processes found in memory along with\n"
            "assoicated metadata using Mandiant's Memoryze.\n"
            "The audit data will then be launched in Mandiant's Audit Viewer.\n\n"
            "Options\n\n"
            "-Ports-Analysis will list ports\n"
            "-Handles-List handles open in memory\n"
            "-Sections-Analysis will list memory sections\n"
            "-Strings-Acquire strings associated with each process\n\n"
            "Specify Process\n\n"
            "-Process Name-Only the proces name in this box will be analyzed for this audit.\n"
            "-PID-Only the process identifier will be executed\n\n"
            "\t\t\tQuestions or Bugs?\n\n"
            "\tkelcey.tietjen@mandiant.com or "
            "tietjenk@gmail.com");
      // Control positions are layout constants (START/NEXT/SAME, pixels).
      _Help(this, "Help", START, START, DEFAULT, DEFAULT, 0),
      processoptions(this, "Process Audit Options", SAME, NEXT, 260, 25, 0),
      _Ports(this, "Ports", 15, 32, DEFAULT, DEFAULT, 0, m.ports),
      _Handles(this, "Handles", NEXT, SAME, DEFAULT, DEFAULT, 0, m.handles),
      _Sections(this, "Sections", NEXT, SAME, DEFAULT, DEFAULT, 0, m.sections),
      _Strings(this, "Strings", NEXT, SAME, DEFAULT, DEFAULT, 0, m.strings),
      _SpecificName(this, "Specific Name", 15, NEXT, DEFAULT, DEFAULT, 0, m.specificname),
      _SpecificPID(this, "Specific PID", NEXT, SAME, DEFAULT, DEFAULT, 0, m.specificpid),
      _ProcessName(this, "Process Name", 15, NEXT, 150, DEFAULT, 0, m.ProcessName, 20, 0),
      _ProcessPID(this, "PID", 15, NEXT, 50, DEFAULT, 0, m.ProcessPID, 20, 0)
    {
    }

    // Enables the text box that matches the checked filter and clears the
    // other filter so only one of name/PID can be active.
    virtual void CheckControls() {
      _ProcessName.Enable(_SpecificName.GetValue());
      _ProcessPID.Enable(_SpecificPID.GetValue());
      if(_SpecificName.GetValue()==1){
        _ProcessPID.Enable(0);
        _SpecificPID.SetValue(0);
      }
      if(_SpecificPID.GetValue()==1){
        _ProcessName.Enable(0);
        _SpecificName.SetValue(0);
      }
    }

    // Shows the help text on the Help button; everything else goes to the base.
    virtual void ChildEvent(const EventClass &event) {
      if (_Help.Matches(event))
        SystemClass::Message(SystemClass::MBOK, "Process Audit", Desc);
      DialogClass::ChildEvent(event);
    }
  }

  // "Driver Audit" tab: a single switch bound to MainClass::driveraudit.
  // NOTE(review): driveraudit is never read in Main of this listing.
  class DriverAudit: DialogClass {
    String Desc;
    ButtonClass _Help;
    CheckBoxClass _DriverAudit;
    DriverAudit(DialogClass parent, MainClass m):
      DialogClass(parent, "Driver Audit"),
      Desc ("Memoryze Driver Audit\n\n"
            "This audit will list drivers found in PsLoadedModuleList along with\n"
            "assoicated metadata using Mandiant's Memoryze.\n"
            "The audit data will then be launched in Mandiant's Audit Viewer.\n\n"
            "\t\tQuestions or Bugs?\n\n"
            "\t kelcey.tietjen@mandiant.com\n"
            "\t tietjenk@gmail.com");
      _Help(this, "Help", START, START, DEFAULT, DEFAULT, 0),
      _DriverAudit(this, "Perform Driver Audit", 15, 32, DEFAULT, DEFAULT, 0, m.driveraudit)
    {
    }

    virtual void CheckControls() {
    }

    // Shows the help text on the Help button; everything else goes to the base.
    virtual void ChildEvent(const EventClass &event) {
      if (_Help.Matches(event))
        SystemClass::Message(SystemClass::MBOK, "Driver Audit", Desc);
      DialogClass::ChildEvent(event);
    }
  }

  // "Driver Signature Audit" tab: a single switch bound to
  // MainClass::driversigaudit (never read in Main of this listing).
  class DriverSigAudit: DialogClass {
    String Desc;
    ButtonClass _Help;
    CheckBoxClass _DriverSigAudit;
    DriverSigAudit(DialogClass parent, MainClass m):
      DialogClass(parent, "Driver Signature Audit"),
      Desc ("Memoryze Driver Signature Audit\n\n"
            "This audit will list drivers found in memory along with\n"
            "assoicated metadata using Mandiant's Memoryze.\n"
            "The audit data will then be launched in Mandiant's Audit Viewer.\n\n"
            "\t\tQuestions or Bugs?\n\n"
            "\t kelcey.tietjen@mandiant.com\n"
            "\t tietjenk@gmail.com");
      _Help(this, "Help", START, START, DEFAULT, DEFAULT, 0),
      _DriverSigAudit(this, "Perform Driver Signature Audit", 15, 32, DEFAULT, DEFAULT, 0, m.driversigaudit)
    {
    }

    virtual void CheckControls() {
    }

    // Shows the help text on the Help button; everything else goes to the base.
    virtual void ChildEvent(const EventClass &event) {
      if (_Help.Matches(event))
        SystemClass::Message(SystemClass::MBOK, "Help", Desc);
      DialogClass::ChildEvent(event);
    }
  }

  // "Rootkit Audit" tab: a single switch bound to MainClass::rootkitaudit.
  // The control is still named _DriverSigAudit (copied from the tab above);
  // only the bound field differs. rootkitaudit is never read in Main here.
  class RootkitAudit: DialogClass {
    String Desc;
    ButtonClass _Help;
    CheckBoxClass _DriverSigAudit;
    RootkitAudit(DialogClass parent, MainClass m):
      DialogClass(parent, "Rootkit Audit"),
      Desc ("Memoryze Rootkit Audit\n\n"
            "This audit will list hooks in the OS along with assoicated \n"
            "metadata using Mandiant's Memoryze. The audit\n"
            "data will then be launched in Mandiant's Audit Viewer.\n\n"
            "\t\tQuestions or Bugs?\n\n"
            "\t kelcey.tietjen@mandiant.com\n"
            "\t tietjenk@gmail.com");
      _Help(this, "Help", START, START, DEFAULT, DEFAULT, 0),
      _DriverSigAudit(this, "Perform Rootkit Audit", 15, 32, DEFAULT, DEFAULT, 0, m.rootkitaudit)
    {
    }

    virtual void CheckControls() {
    }

    // Shows the help text on the Help button; everything else goes to the base.
    virtual void ChildEvent(const EventClass &event) {
      if (_Help.Matches(event))
        SystemClass::Message(SystemClass::MBOK, "Help", Desc);
      DialogClass::ChildEvent(event);
    }
  }

  // "Options" tab: whether to launch Audit Viewer (and from where) and an
  // optional override of the Memoryze install directory. Both folders feed
  // the cmd.exe command lines built in Main, so they are the operator's
  // responsibility; see the note there about quoting.
  class Options: DialogClass {
    String Desc;
    ButtonClass _Help;
    GroupBoxClass options;
    CheckBoxClass _UseAuditViewer,_MemoryzeInstall;
    PathEditClass _AuditViewer,_MemoryzeDir;
    // Kept so CanClose can push the edited path back (see below).
    MainClass M;
    Options(DialogClass parent, MainClass m):
      DialogClass(parent, "Options"),
      Desc ("MemScript Options\n\n"
            "These options let you specify whether you want\n"
            "to launch the Audit Viewer or change install\n"
            "directories for Memoryze.\n\n"
            "\t Questions or Bugs?\n\n"
            "\t kelcey.tietjen@mandiant.com\n "
            "\t tietjenk@gmail.com");
      _Help(this, "Help", START, START, DEFAULT, DEFAULT, 0),
      // Group box title is a copy of the Process Audit one (runtime string).
      options(this, "Process Audit Options", SAME, NEXT, 260, 100, 0),
      _UseAuditViewer(this, "Launch Audit Viewer", 15, 35, DEFAULT, DEFAULT, 0, m.UseAuditViewer),
      _AuditViewer(this, "Audit Viewer Directory", 15, NEXT, 200, 12, 0, m.AuditViewerDir, PathEditClass::FOLDEROPEN),
      _MemoryzeInstall(this, "Change Install Directory", NEXT, SAME, DEFAULT, DEFAULT, 0, m.ChangePath),
      _MemoryzeDir(this, "Memoryze Install Directory", SAME, NEXT, 200, 12, 0, m.MemoryzeDir, PathEditClass::FOLDEROPEN),
      M=m
    {
    }

    // Path boxes are editable only while their switch is checked.
    virtual void CheckControls() {
      _AuditViewer.Enable(_UseAuditViewer.GetValue());
      _MemoryzeDir.Enable(_MemoryzeInstall.GetValue());
    }

    // Shows the help text on the Help button; everything else goes to the base.
    virtual void ChildEvent(const EventClass &event) {
      if (_Help.Matches(event))
        SystemClass::Message(SystemClass::MBOK, "Help", Desc);
      DialogClass::ChildEvent(event);
    }

    // Copies the Memoryze path back into MainClass on close; always allows
    // closing. 'memoryzedir' is declared but unused.
    virtual bool CanClose() {
      String memoryzedir;
      M.MemoryzeDir = _MemoryzeDir.GetText();
      Console.WriteLine("Can Close DIR: "+ M.MemoryzeDir);
      return true;
    }
  }

  // Top-level "MemScript" dialog that hosts the five tabs created in Main.
  class MyDialog: DialogClass {
    MyDialog(MainClass m): DialogClass(null, "MemScript") {
    }
    virtual void CheckControls() {
    }
    virtual void ChildEvent(const EventClass &event) {
    }
    virtual bool CanClose() {
      return true;
    }
  }

  // Binds the four persisted options to the "Memoryze" storage area.
  // Called with 0 to load before the dialog and with StorageClass::WRITE to
  // save after it (see Main).
  void EditStorage(uint options){
    StorageClass MyStorage("Memoryze", options);
    MyStorage.Value("InstallDir", MemoryzeDir);
    MyStorage.Value("AuditViewerLoc", AuditViewerDir);
    MyStorage.Value("AuditViewerUse", UseAuditViewer);
    MyStorage.Value("MemoryzeDirchange", ChangePath);
  }

  // Copies the raw bytes of 'targetDevice' to <exportPath>\<entry name>.bin,
  // creating 'exportPath' first. Returns true only when WriteBuffer succeeds;
  // every failure is logged with TraceClass::Warn and yields false.
  // NOTE(review): on the success path the method returns before lf.Close()
  // and ef.Close(); both are locals, so the author presumably relies on
  // scope exit to close them -- confirm that is sufficient for large images.
  // The output file name is derived from the entry name as stored in the
  // case; it is not sanitised here.
  bool DumpFlatFile(EntryClass targetDevice, String exportPath) {
    TraceClass::Debug("[DEBUG]\tDumping Physical Memory from " +targetDevice.Name());
    LocalFileClass lf();
    lf.SetCodePage(CodePageClass::ANSI);
    EntryFileClass ef();
    ef.SetCodePage(CodePageClass::ANSI);
    if (ef.Open(targetDevice)) {
      if (LocalMachine.CreateFolder(exportPath, ConnectionClass::CREATEFOLDERALL)) {
        exportPath += "\\" +targetDevice.Name() +".bin";
        if (lf.Open(exportPath, FileClass::WRITE)) {
          if (lf.WriteBuffer(ef))
            return true;
          else
            TraceClass::Warn("[WARN]\t" +"Could not write out " +exportPath);
        }
        else
          TraceClass::Warn("[WARN]\t" +"Could not open " +exportPath);
        // Reached only on the write/open failure paths.
        lf.Close();
        ef.Close();
      }
      else
        TraceClass::Warn("[WARN]\t" +"Unable to create " +exportPath);
    }
    else
      TraceClass::Warn("[WARN]\t" +"Could not open EntryFileClass on " +targetDevice.Name());
    return false;
  }

  MyDialog dialogbox;

  MainClass(): dialogbox(this) {
  }

  // Entry point. For every selected entry: obtain a flat image path, write
  // the Memoryze batch file, run Memoryze via cmd.exe and optionally hand the
  // newest audit folder to AuditViewer.py.
  void Main(CaseClass c) {
    int diddump;
    ProcessAudit p1(dialogbox, this);
    DriverAudit p2(dialogbox, this);
    DriverSigAudit p3(dialogbox, this);
    RootkitAudit p4(dialogbox, this);
    Options p5(dialogbox, this);
    String auditlocation,export;
    // Load saved options, show the dialog, then persist whatever was chosen.
    EditStorage(0);
    if(dialogbox.Execute() == SystemClass::OK){
      EditStorage(StorageClass::WRITE);
      forall(EntryClass e in c.EntryRoot()) {
        if(e.IsSelected()){
          // Entries without an original path (e.g. devices) are dumped to the
          // export folder; entries backed by a local file are used in place.
          if(e.OriginalPath()==""){
            diddump = DumpFlatFile(e, c.ExportFolder() +"\\" + e.Name());
            export = c.ExportFolder() +"\\" + e.Name() + "\\"+ e.Name() +".bin";
          }
          else{
            export = e.OriginalPath();
            diddump =1;
          }
          if(diddump) {
            ExecuteClass exec(), exec2();
            LocalFileClass lf();
            String name,cmdline, xports, xhandles, xsections, xstrings,pid, memoryzeinstalldir,auditviewerdir;
            // Environment: Memoryze location (default or operator override)
            // and, when requested, the Audit Viewer location.
            if(ChangePath) {
              memoryzeinstalldir = MemoryzeDir;
              Console.WriteLine("Memoryze Dir:"+ memoryzeinstalldir);
            }
            else{
              memoryzeinstalldir = "C:\\Program Files\\Mandiant\\Memoryze\\";
              Console.WriteLine("Memoryze Dir:" + memoryzeinstalldir);
            }
            if(UseAuditViewer) {
              auditviewerdir = AuditViewerDir;
            }
            name = c.ExportFolder() +"\\ProcessAuditMemory.batch.xml";
            xports = "false";
            xhandles = "false";
            xsections = "false";
            xstrings = "false";
            // Sentinel PID meaning "all processes" in the batch file (assumed;
            // 0xFFFFFFFF as decimal).
            pid = "4294967295";
            // Batch-file parameters for the process audit.
            // NOTE(review): ProcessPID is copied verbatim from a free-text box
            // with no numeric check; ProcessName/specificname are never used.
            if(ports) xports = "true";
            if(handles) xhandles = "true";
            if(sections) xsections = "true";
            if(strings) xstrings = "true";
            if(specificpid) pid = ProcessPID;
            // Write the batch file.
            // NOTE(review): as recovered, this writes only a newline and none
            // of xports/xhandles/xsections/xstrings/pid reach the file; the
            // XML markup was almost certainly stripped when the listing was
            // extracted and must be restored from the original source. The
            // Open return value is not checked.
            lf.Open(name, FileClass::WRITE);
            lf.SetCodePage(1252);
            lf.Write("\n" "");
            lf.Close();
            Console.WriteLine("File to analyze: " + export);
            // Run Memoryze through cmd.exe so the working directory can be
            // switched to the install folder first.
            // NOTE(review): cmdline is assembled by concatenation; a '"' or
            // '&' inside memoryzeinstalldir or the export folder changes how
            // cmd.exe parses the line. These values come from the operator's
            // options and the case export folder, so validate/quote them
            // before use rather than trusting them blindly.
            exec.SetApplication("cmd.exe");
            exec.SetFolder("C:\\WINDOWS\\system32\\");
            Console.WriteLine(exec.Folder());
            Console.WriteLine(exec.Application());
            cmdline = "/c \"cd "+ memoryzeinstalldir + " && Memoryze.exe -o \""+ c.ExportFolder() + "\" -script \""+ c.ExportFolder() +"\\ProcessAuditMemory.batch.xml\" -encoding none\"";
            exec.SetCommandLine(cmdline);
            Console.WriteLine("Command Args: "+ cmdline);
            exec.SetShow(true);
            // -1 is presumably "wait without timeout" -- TODO confirm.
            if(exec.Start(LocalMachine, -1)){
              Console.WriteLine(exec.Output());
              Console.WriteLine("Worked");
              if(UseAuditViewer){
                exec2.SetApplication("cmd.exe");
                exec2.SetFolder("C:\\WINDOWS\\system32\\");
                Console.WriteLine(exec2.Folder());
                Console.WriteLine(exec2.Application());
                // Newest run folder under <export>\Audits, i.e. the one just
                // produced by Memoryze (assuming nothing else wrote there).
                auditlocation = FindAuditFolder(c.ExportFolder());
                // Same concatenation concern as above; 'export' may also be
                // the entry's original path on disk.
                cmdline = "/c \"cd "+ auditviewerdir + " && AuditViewer.py \""+ auditlocation +"\" \""+export+"\"";
                exec2.SetCommandLine(cmdline);
                Console.WriteLine("Command Args: "+ cmdline);
                exec2.SetShow(true);
                if(exec2.Start(LocalMachine, -1)){
                  Console.WriteLine(exec2.Output());
                  Console.WriteLine("Worked");
                }
              }
            }
            else Console.WriteLine("Could Not Start Memoryze");
          }
          // Reached when DumpFlatFile failed; the message is misleading
          // (Memoryze was never attempted) -- the warn lines from
          // DumpFlatFile carry the actual reason.
          else Console.WriteLine("Could Not Start Memoryze");
        }
      }
    }
  }
}