'*****************************************************
' Script Name: Find_Suspicious_Files.vbs
' Version: 2.1
' Author: Jason Fossen, Enclave Consulting LLC
'Last Updated: 3/28/02
' Purpose: Search all fixed drives on a system for suspicious files, and,
' optionally, attempt to delete them.
' Usage: Edit the aBadFiles array of RegExp patterns below, then run the script as SYSTEM
' (or another account able to read every folder on every fixed drive). The same privilege
' lets the optional DeleteBadFiles() remove ANY file whose name matches a pattern, so leave
' that call commented out until the patterns have been tested against a detection-only report.
' Notes: The structure of this script is deliberately modeled on the ILOVEYOU
' virus in order to prepare for an analysis of the virus in seminar.
' Legal: 0BSD.
' Script provided "as is" without implied warranty or guarantees. Use
' at your own risk and only on networks with prior written permission.
'*****************************************************
'On Error Resume Next 'Left disabled on purpose: a script-wide handler would hide errors (e.g. a malformed pattern) that the per-procedure handlers below do not already expect and clear.
'*****************************************************
' Create common objects and counters.
'*****************************************************
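Set oFileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set oRegExp = New RegExp
oRegExp.IgnoreCase = True   'File names are compared case-insensitively.
oRegExp.Global = False      'Test() only needs the first match in a name.
Dim sResult                 'Script output: one full file path per line, each terminated by vbCrLf.
sResult = ""                'Start as a real empty string, not Empty, so Len()/Split() behave predictably.
Dim iDeletedCounter         'Number of suspicious files deleted by DeleteBadFiles().
iDeletedCounter = 0         'Explicit zero: an uninitialized (Empty) counter prints as "" in the summary.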
'*****************************************************
' Define array of suspicious files. Edit as desired.
'*****************************************************
'Each entry is a VBScript RegExp pattern. IsSuspicious() tests it, case-insensitively
'(oRegExp.IgnoreCase is set above), against the bare file NAME only -- never the folder
'path, the file's contents or its attributes. A pattern with no ^/$ anchors matches
'anywhere in the name, so "pwdump" also flags "my-pwdump-notes.txt"; anchor a pattern
'when a substring hit is not wanted. Empty slots are skipped by IsSuspicious().
'A malformed pattern only errors when it is first used, inside SearchFiles(), whose
'On Error Resume Next may swallow it -- so test every new pattern on a detection-only run.
Dim aBadFiles(20) 'Array UPPER BOUND (largest valid index), not the element count: slots 0..20.
aBadFiles(0) = "^root\.exe"                        'Name begins with root.exe (no $: root.exe.bak also matches).
aBadFiles(1) = "mslom"
aBadFiles(2) = "lsaprivs"
aBadFiles(3) = "pwdump"
aBadFiles(4) = "readsmb"
aBadFiles(5) = "^serv\.exe$"                       'Exactly serv.exe; ^ and $ keep e.g. webserv.exe from matching.
aBadFiles(6) = "readme\.eml"
aBadFiles(7) = "l0pht"
aBadFiles(8) = "LOVE-LETTER-FOR-YOU\.TXT\.vbs"     'The ILOVEYOU attachment name; case does not matter here.
aBadFiles(9) = "sex.*\.(?:jpg|gif)"                'Non-capturing group: the extension is matched but not captured.
aBadFiles(10) = "secholed?\.exe"                   'sechole.exe or secholed.exe.
aBadFiles(11) = "lsadump"
aBadFiles(12) = "brutusA2"
aBadFiles(13) = "getadmin"
aBadFiles(14) = "^nat\.exe"                        'Keep the ^: "nat" alone is a common substring and causes false positives.
aBadFiles(15) = "rhino9"
aBadFiles(16) = "dsniff"
aBadFiles(17) = "mailsnarf"
aBadFiles(18) = "nb.+pro\.exe"                     'nb<one or more chars>pro.exe.
aBadFiles(19) = "toneloc"
aBadFiles(20) = "lomscan"
'*****************************************************
' Call procedures to do work of script.
'*****************************************************
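'Validate every pattern once, before the walk. IsSuspicious() runs inside SearchFiles(),
'whose On Error Resume Next would otherwise swallow a malformed regex and silently treat
'every file as clean; failing loudly here surfaces the typo instead.
Dim sCheckPattern
For Each sCheckPattern In aBadFiles
    If Len(sCheckPattern) > 0 Then
        oRegExp.Pattern = sCheckPattern
        Call oRegExp.Test("")   'Raises a run-time error for an invalid pattern; harmless otherwise.
    End If
Next
Call ListDrives()           'Walk every fixed drive; fills sResult.
'Call DeleteBadFiles()      'CAUTION!!! Dangerous!! Deletes on a file-NAME match alone -- see the procedure header.
Call GenerateReport()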
'*****************************************************
' Procedures: ListDrives() and ListFolders()
' Purpose: These work together to recursively
' enumerate entire file system. Calling
' SearchFiles() as they go.
'*****************************************************
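Sub ListDrives()
    'Walk every fixed (local, non-removable) drive: scan the files in its root folder,
    'then recurse into the folder tree beneath it. Other drive types are skipped.
    Const FixedDrive = 2        'FileSystemObject DriveType value for a fixed disk.
    Dim cDrives                 'oFileSystem.Drives collection.
    Dim oDrive                  'Drive currently being examined.
    Dim sRootPath               'Root of the drive including the trailing backslash, e.g. "C:\".
    Set cDrives = oFileSystem.Drives
    For Each oDrive In cDrives
        If oDrive.DriveType = FixedDrive Then
            'Drive.Path is the bare letter ("C:"). That is a drive-relative path: handing it
            'to GetFolder() resolves to the drive's CURRENT DIRECTORY, not its root, so files
            'in the root could be missed. RootFolder.Path is unambiguously "C:\".
            sRootPath = oDrive.RootFolder.Path
            Call SearchFiles(sRootPath)     'Files sitting in the root itself.
            Call ListFolders(sRootPath)     'Everything below it.
        End If
    Next
End Sub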
'ListFolders() is called by ListDrives() and itself recursively.
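Sub ListFolders(sFolderPath)
    'Recursively enumerate the subfolders of sFolderPath, calling SearchFiles() on each one.
    'sFolderPath: full path of the folder whose children are to be walked.
    'Folders that cannot be opened (permission denied -- Recycle Bins, System Volume
    'Information, ...) are skipped silently; that is the only purpose of the error handler.
    On Error Resume Next
    Dim oFolder                 'Folder object for sFolderPath (local: each recursion level needs its own).
    Dim cSubFolders             'Its immediate subfolders.
    Dim oSubFolder              'Current child in the loop.
    Set oFolder = oFileSystem.GetFolder(sFolderPath)
    Set cSubFolders = oFolder.SubFolders
    If Err.Number <> 0 Then     'Could not open this folder or list its children: skip the subtree.
        Err.Clear
        Exit Sub
    End If
    For Each oSubFolder In cSubFolders
        Call SearchFiles(oSubFolder.Path)
        Call ListFolders(oSubFolder.Path)   'Recursion -- one level deeper.
        Err.Clear                           'A failure under one child must not poison its siblings.
    Next
    'NOTE(review): nothing here detects directory junctions or symbolic links, so a
    'self-referencing link could make the walk recurse without bound -- confirm on the
    'target OS if such links exist on the scanned volumes.
End Sub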
'*****************************************************
' Procedures: SearchFiles() and IsSuspicious()
' Purpose: Called by ListDrives() and ListFolders(),
' they do the pattern-matching.
'*****************************************************
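Sub SearchFiles(sSubFolderPath)
    'Test every file directly inside sSubFolderPath against the aBadFiles patterns and
    'append the full path of each hit to the global sResult, one path per line ending in
    'vbCrLf (DeleteBadFiles() and GenerateReport() both Split() on that terminator).
    'sSubFolderPath: full path of one folder; subfolders are NOT descended here.
    'Only the file NAME is examined -- contents, attributes and alternate data streams are
    'never inspected, so a tool that has simply been renamed is invisible to this check.
    On Error Resume Next        'GetFolder()/Files can fail with permission denied; skip such folders.
    Dim oFolder                 'Folder object for sSubFolderPath (local, not a shared global).
    Dim cFiles                  'Its immediate files.
    Dim oFile                   'File currently being tested.
    Set oFolder = oFileSystem.GetFolder(sSubFolderPath)
    Set cFiles = oFolder.Files
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If
    For Each oFile In cFiles
        If IsSuspicious(oFile.Name) Then
            'Record the file's own Path rather than sSubFolderPath & "\" & Name: the hand-built
            'form doubles the backslash when the caller passes a drive root such as "C:\" and
            'misreports the folder when the caller passed a drive-relative path.
            sResult = sResult & oFile.Path & vbCrLf
        End If
    Next
End Sub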
'IsSuspicious() is invoked in SearchFiles().
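Function IsSuspicious(sFileName)
    'Return True if sFileName matches any non-empty pattern in aBadFiles, otherwise False.
    'sFileName: bare file name (no folder). Matching uses the shared oRegExp, which is
    'case-insensitive; patterns are unanchored unless they contain ^ / $ themselves.
    'Empty array slots are ignored -- an empty pattern would otherwise match every name.
    'No error handler here on purpose: a malformed pattern raises a run-time error. Because
    'the caller SearchFiles() runs under On Error Resume Next, that error is likely swallowed
    'and the file treated as clean, so patterns should be validated before the walk.
    Dim sPattern
    IsSuspicious = False
    For Each sPattern In aBadFiles
        'Check for emptiness BEFORE touching the RegExp: VBScript's And does not short-circuit,
        'so the earlier "Test() And pattern <> """ form still ran the empty pattern.
        If Len(sPattern) > 0 Then
            oRegExp.Pattern = sPattern
            If oRegExp.Test(sFileName) Then
                IsSuspicious = True
                Exit Function   'One hit is enough.
            End If
        End If
    Next
End Function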
'*****************************************************
' Procedures: DeleteBadFiles()
' Purpose: Attempts to delete the suspicious files.
' CAUTION! You must VERY CAREFULLY define your regular
' expression patterns and conduct extensive
' testing before using this procedure!
'*****************************************************
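Sub DeleteBadFiles()
    'Delete -- or, by default, only dry-run -- every path that SearchFiles() recorded in sResult.
    'Reads the global sResult (one full path per line) and updates the global iDeletedCounter.
    'CAUTION: this runs with whatever rights the script has (the header says SYSTEM) and
    'deletes purely on a file-NAME regex hit, so a sloppy pattern destroys legitimate files.
    'Delete True also removes read-only files. The file may have changed between
    'SearchFiles() and this call (time-of-check/time-of-use), so GetFile() is repeated here
    'and the outcome of every attempt is reported individually.
    On Error Resume Next
    Const bArmed = False        'Set to True ONLY after the patterns have been verified against a detection-only report.
    Dim sReport                 'Per-file outcome lines followed by a summary.
    Dim aTargetFiles            'Paths split out of sResult.
    Dim sFile                   'Current path.
    Dim oFile                   'File object for sFile.
    iDeletedCounter = 0         'Explicit zero so the summary never prints as "" (Empty) when nothing was deleted.
    If Len(sResult) = 0 Then    'No detections: Split("") yields UBound -1, which the old code indexed.
        WScript.Echo "0 files deleted."
        Exit Sub
    End If
    aTargetFiles = Split(sResult, vbCrLf)
    For Each sFile In aTargetFiles
        If Len(sFile) > 0 Then  'sResult ends with vbCrLf, so the last element is an empty string.
            Err.Clear
            Set oFile = oFileSystem.GetFile(sFile)
            If Err.Number <> 0 Then
                sReport = sReport & "File NOT deleted: " & sFile & " (" & Err.Description & ")" & vbCrLf
                Err.Clear
            ElseIf bArmed Then
                oFile.Delete True   'True: delete even if the read-only attribute is set.
                If Err.Number <> 0 Then
                    sReport = sReport & "File NOT deleted: " & sFile & " (" & Err.Description & ")" & vbCrLf
                    Err.Clear
                Else
                    sReport = sReport & "File deleted: " & sFile & vbCrLf
                    iDeletedCounter = iDeletedCounter + 1
                End If
            Else
                'Dry run. The previous version printed "File deleted" here even though the
                'Delete line was commented out, which made the report untrustworthy.
                sReport = sReport & "File would be deleted (dry run, bArmed = False): " & sFile & vbCrLf
            End If
        End If
    Next
    sReport = sReport & vbCrLf & iDeletedCounter & " files deleted." & vbCrLf
    WScript.Echo sReport
End Sub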
'*****************************************************
' Procedures: GenerateReport()
' Purpose: Easy-to-modify reporting procedure.
'*****************************************************
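Sub GenerateReport()
    'Print the number of detections followed by the detected paths, one per line.
    'Reads the global sResult, which SearchFiles() fills with one vbCrLf-terminated path per hit.
    'Under wscript.exe each WScript.Echo is a message box; use cscript.exe for console output.
    Dim aSuspiciousFiles        'sResult split into lines (last element is "" because of the trailing vbCrLf).
    Dim iBadFiles               'Number of detections.
    If Len(sResult) = 0 Then
        iBadFiles = 0           'Split("") has UBound -1, which the old code reported as "-1 suspicious files".
    Else
        aSuspiciousFiles = Split(sResult, vbCrLf)
        iBadFiles = UBound(aSuspiciousFiles)    'Element count minus one == number of path lines, given the trailing vbCrLf.
    End If
    WScript.Echo vbCrLf & iBadFiles & " suspicious files detected:" & vbCrLf
    WScript.Echo sResult
End Sub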
'END OF SCRIPT ***************************************