# RegRipper-style "File" plugin; the framework loads this package and
# calls getConfig()/getShortDescr()/pluginmain() on it.
package usertemp;
#-----------------------------------------------------------
# usertemp - Plugin to scan the top level of a user profile's Temp folder
# for suspicious files: .tmp and .exe entries that carry an MZ (PE) header.
#
# XP/2003: Local Settings\Temp
# Vista+ : AppData\Local\Temp
#
# History
# 20120823 - renamed; was "localsettings.pl", changed to current name
# 20120822 - updated to current format
# 20100927 - created
#
# copyright 2012
# Author: H. Carvey, [email protected]
#-----------------------------------------------------------
use strict;
use warnings;
# Plugin metadata handed to the framework through getConfig().
# NOTE(review): the history block records a rename on 20120823 but the
# version stamp was left at 20120822; that is reproduced as-is here.
my %config = (
    hasShortDescr => 1,           # getShortDescr() is available
    category      => "Malware",
    shortDescr    => "Parse users Local Settings\\Temp dirs for suspicious files",
    type          => "File",      # operates on the file system, not a hive
    class         => 1,
    output        => "report",
    osmask        => 31,
    version       => 20120822,
);
# Return a reference to the plugin metadata hash (the framework reads it).
sub getConfig {
    return \%config;
}
# Version string echoed into the log and report header by pluginmain().
my $VERSION = $config{version};
# One-line description of the plugin, taken from the metadata hash.
sub getShortDescr {
    my $descr = $config{shortDescr};
    return $descr;
}
# Entry point called by the framework. Builds the per-OS Temp directory
# path from the configured user profile and hands it to the two scanners.
sub pluginmain {
    my $class  = shift;
    my $parent = ::getConfig();

    ::logMsg("usertemp v.".$VERSION);

    # Report header.
    ::rptMsg("-" x 60);
    ::rptMsg("usertemp v.".$VERSION);
    ::rptMsg(getShortDescr());
    ::rptMsg("Category: ".$config{category});
    ::rptMsg("");

    my $profile = $parent->{userprofile};
    ::rptMsg("Profile: ".$profile);

    # Ensure a single trailing backslash before appending the Temp path.
    # NOTE(review): only backslash separators are handled; a profile path
    # given with forward slashes would produce a mixed-separator path.
    $profile .= "\\" if ($profile !~ m/\\$/);

    # Vista and later (CurrentVersion 6.0+) moved Temp under AppData\Local.
    my $temp_dir = ($parent->{CurrentVersion} >= 6.0)
        ? $profile."AppData\\Local\\Temp\\"
        : $profile."Local Settings\\Temp\\";

    checkTmp($temp_dir);
    checkExe($temp_dir);
}
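# Report .tmp files in $path that carry an MZ signature.
# Matching is case-insensitive (see _reportMZFiles).
sub checkTmp {
    my $path = shift;
    _reportMZFiles($path, ".tmp",
                   "File with .tmp extension and MZ signature:",
                   "No files with .tmp extension found.");
}

# Report .exe files in $path that carry an MZ signature.
# Matching is case-insensitive (see _reportMZFiles).
sub checkExe {
    my $path = shift;
    _reportMZFiles($path, ".exe",
                   "File with .exe extension found:",
                   "No files with a .exe extension found.");
}

# Shared scanner behind checkTmp()/checkExe().
#
#   $path      - directory to scan (only its direct children; subdirectories
#                are not walked)
#   $ext       - extension including the dot, e.g. ".tmp"
#   $found_msg - report line printed above each matching file
#   $none_msg  - report line printed when no file name carries $ext
#
# Fixes versus the original pair of routines:
#   * opendir() failure is reported instead of silently reading as "no
#     files found" - for a triage tool an unreadable directory must not
#     look like a clean one.
#   * the extension match is case-insensitive and anchored with \z, so
#     FOO.TMP / FOO.EXE (Windows file systems are case-insensitive and 8.3
#     short names are upper-case) are no longer missed.
#   * names that matched but lack an MZ header are summarised, so "nothing
#     printed" no longer means either "no such files" or "none were PE".
#   * results are sorted for a reproducible report.
sub _reportMZFiles {
    my ($path, $ext, $found_msg, $none_msg) = @_;
    my $win = WinFile->new();

    my $dh;
    unless (opendir($dh, $path)) {
        ::rptMsg("Unable to open directory ".$path.": ".$!);
        ::rptMsg("");
        return;
    }
    # -f drops subdirectories that happen to carry the extension.
    my @files = sort
                map  { $path.$_ }
                grep { /\Q$ext\E\z/i && -f $path.$_ }
                readdir($dh);
    closedir($dh);

    if (scalar @files == 0) {
        ::rptMsg($none_msg);
        ::rptMsg("");
        return;
    }

    my $mz_count = 0;
    foreach my $f (@files) {
        next unless $win->isMZSig($f);
        $mz_count++;
        ::rptMsg($found_msg);
        ::rptMsg("  ".$f);
        # MD5 is a lookup/triage hash here (hash-set matching), not an
        # integrity guarantee; getMD5 is a WinFile helper not visible in
        # this file.
        ::rptMsg("  MD5: ".$win->getMD5($f));
        ::rptMsg("");
    }

    if ($mz_count == 0) {
        ::rptMsg(scalar(@files)." file(s) with ".$ext." extension found, none with an MZ signature.");
        ::rptMsg("");
    }
}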
1;