#!/usr/bin/perl
# Meterpreter Finder
# This script takes the output from the Volatility Module 'dlllist'
# and searches for the two dlls rsaenh.dll and iphlpapi.dll.
# Blog: http://sketchymoose.blogspot.com/2012/02/another-fun-perl-script.html
# These two files are generally used by Meterpreter
# Created by Sketchymoose
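use strict;
use warnings;

# Entry point. Prompts for the path to a Volatility 'dlllist' output file
# and for a report path, then copies every line containing "pid" (the
# per-process header) plus every line naming iphlpapi or rsaenh into the
# report. Dies with a short message if either file cannot be opened.
print "Meterpreter Finder\n";

# Grab DLL List Module Output
print "Enter the path to the output from Volatility's DLL List module\n";
print "Path: ";
my $inputPath = _read_line();

# Enter output
print "Enter the output path you would like\n";
print "Output Path: ";
my $outputPath = _read_line();

# Error Checking. Three-argument open with lexical handles: with the
# two-argument form a path typed at the prompt that begins with a mode
# character (e.g. '>' or '|') would change how the file is opened; here the
# mode is fixed and the path is only ever a filename.
open my $in_fh, '<', $inputPath
    or die "Input file location invalid...Quitting\n";
open my $out_fh, '>', $outputPath
    or die "Output file could not be created!\n";

# Look for line with pid, output line
_filter_dll_lines($in_fh, $out_fh);

# close the files. Buffered write errors only surface at close, so the
# output handle's close is checked.
close $in_fh;
close $out_fh or die "Could not finish writing $outputPath: $!\n";

print "\n";
print "*******************************\n";
print "Finished Processing\n";
print "Don't forget, iphlpapi.dll and rsaenh.dll are used\n";
print "normally by the following processes: \n";
print "\n";
print "explorer.exe\n";
print "ieexplorer.exe\n";
print "lsass.exe\n";
print "svchost.exe\n";
print "winlogon.exe\n";
print "\nSo look for outliers, but don't forget the smarter\n";
print "meterpreter people will migrate to these processes\n";

# Read one line from STDIN with the trailing newline removed.
# Returns '' on EOF so the caller never chomps an undefined value.
sub _read_line {
    my $line = <STDIN>;
    $line = '' unless defined $line;
    chomp $line;
    return $line;
}

# Copy the interesting lines of a dlllist listing from $in_fh to $out_fh.
# A line containing "pid" is written under a row of asterisks and followed
# by a blank line; a line naming either DLL is written through unchanged.
# Both patterns are unanchored and case-sensitive, so any line containing
# the substring (e.g. "pid" inside a longer word or path) is selected.
# Returns nothing.
sub _filter_dll_lines {
    my ($in_fh, $out_fh) = @_;
    while (my $line = <$in_fh>) {
        if ($line =~ /pid/) {
            print {$out_fh} "***************\n" . $line . "\n";
        }
        # Single test for both DLL names so a line that happened to mention
        # both is written once rather than twice.
        if ($line =~ /iphlpapi/ || $line =~ /rsaenh/) {
            print {$out_fh} $line;
        }
    }
    return;
}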