icanhazblog

Meterpreter Finder

Feb 11th, 2012
#!/usr/bin/perl
# Meterpreter Finder
# This script takes the output from the Volatility module 'dlllist'
# and searches for the two DLLs rsaenh.dll and iphlpapi.dll.
# Blog: http://sketchymoose.blogspot.com/2012/02/another-fun-perl-script.html
# These two files are generally used by Meterpreter

# Created by Sketchymoose

use strict;
use warnings;

print "Meterpreter Finder\n";

# Grab DLL List module output
print "Enter the path to the output from Volatility's DLL List module\n";
print "Path: ";
chomp(my $inputPath = <STDIN>);

# Enter output
print "Enter the output path you would like\n";
print "Output Path: ";
chomp(my $outputPath = <STDIN>);

# Error checking. Three-argument open keeps characters such as '>' or '|'
# in the typed path from being interpreted as an open mode.
open(my $input, '<', $inputPath)
    or die "Input file location invalid...Quitting\n";
open(my $output, '>', $outputPath)
    or die "Output file could not be created!\n";

# Look for line with pid, output line
while (<$input>) {
    # Process header line: start a new block in the report
    if (/pid/) {
        print {$output} "***************\n" . $_ . "\n";
    }
    # DLL names are matched case-insensitively because module paths
    # may be listed in upper case
    if (/iphlpapi/i) {
        print {$output} $_;
    }
    if (/rsaenh/i) {
        print {$output} $_;
    }
}

# Close the files
close($input);
close($output);
print "\n";
print "*******************************\n";
print "Finished Processing\n";
print "Don't forget, iphlpapi.dll and rsaenh.dll are used\n";
print "normally by the following processes: \n";
print "\n";
print "explorer.exe\n";
print "iexplore.exe\n";
print "lsass.exe\n";
print "svchost.exe\n";
print "winlogon.exe\n";
print "\nSo look for outliers, but don't forget the smarter\n";
print "meterpreter people will migrate to these processes\n";
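
The script's closing message leaves the outlier check to the analyst. The Python below is an added example, not part of Sketchymoose's paste: it groups dlllist output by process and reports processes outside that list that load both DLLs. The `name pid: N` header layout, the constructed sample input, and the choice to require both DLLs are assumptions of this example.

```python
import re

# DLLs the Perl script greps for, and the processes its closing message
# lists as normal loaders (iexplore.exe is Internet Explorer's image name).
WATCHED = ("iphlpapi.dll", "rsaenh.dll")
EXPECTED = {"explorer.exe", "iexplore.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}

# Assumed process header layout in dlllist output: "<image name> pid: <number>"
HEADER = re.compile(r"^(?P<name>\S.*?)\s+pid:\s*(?P<pid>\d+)\s*$")

# Constructed sample input, not taken from a real memory image.
SAMPLE = r"""
************************************************************************
svchost.exe pid:   1044
0x01000000     0x6000     0xffff C:\WINDOWS\system32\svchost.exe
0x76d60000    0x19000        0x1 C:\WINDOWS\system32\iphlpapi.dll
0x68000000    0x36000        0x1 C:\WINDOWS\system32\rsaenh.dll
************************************************************************
notepad.exe pid:   3120
0x01000000    0x14000     0xffff C:\WINDOWS\system32\notepad.exe
0x76d60000    0x19000        0x1 C:\WINDOWS\system32\IPHLPAPI.DLL
0x68000000    0x36000        0x1 C:\WINDOWS\system32\rsaenh.dll
************************************************************************
calc.exe pid:   2208
0x01000000    0x1f000     0xffff C:\WINDOWS\system32\calc.exe
0x76d60000    0x19000        0x1 C:\WINDOWS\system32\iphlpapi.dll
"""

def find_outliers(lines):
    """Return (name, pid, dlls) for unexpected processes loading every watched DLL."""
    procs, current = [], None
    for line in lines:
        m = HEADER.match(line)
        if m:
            current = {"name": m["name"], "pid": int(m["pid"]), "dlls": set()}
            procs.append(current)
        elif current is not None:
            path = line.strip().lower()
            # Compare the file name at the end of the path, case-insensitively.
            current["dlls"].update(d for d in WATCHED if path.endswith("\\" + d))
    return [(p["name"], p["pid"], sorted(p["dlls"])) for p in procs
            if p["dlls"] == set(WATCHED) and p["name"].lower() not in EXPECTED]

if __name__ == "__main__":
    for name, pid, dlls in find_outliers(SAMPLE.splitlines()):
        print(f"{name} (pid {pid}) loads {', '.join(dlls)}")
```

As the script's closing message points out, a session migrated into one of the listed processes will not show up as an outlier, so an empty result does not clear the image.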