PatchExtract Version 1.15 by Greg Linares (@Laughing_Mantis)

1. <#
2. ================
3. PATCHEXTRACT.PS1
4. =================
5. Version 1.15 Microsoft MSU Patch Extraction and Patch Organization Utility by Greg Linares (@Laughing_Mantis)
6.  
7. This Powershell script will extract a Microsoft MSU update file and then organize the output of extracted files and folders.
8.  
9. Organization of the output files is based on the patch's files and will organize them based on their archicture (x86, x64, or wow64)
10. as well as their content-type, ie: resource and catalog files will be moved to a JUNK subfolder and patch binaries and index files will
11. goto a PATCH folder.
12.  
13. This script was developed in order to aid reverse engineers in quickly organizing patches so they can be binary diffed faster and easier.
14. This was especially developed with the new bulk Microsoft Kernel patches in mind.
15.  
16. Example output folder structure ouput would be similar to this:
17.  
18. C:\PATCHES\MS15-XXX\PRE
19.     -x86
20.         - x86 Binary patched files
21.     -x64
22.         - x64 binary patched files
23.     -WOW64
24.         - syswow64 binary patched files
25.     -JUNK
26.         - resource, catalog, mum, and other non-binary based patched files
27.     -PATCH
28.         - original patch, cabs and xml files from the extraction
29.     -MSIL
30.         - MSIL .NET binary patched files ***New in Version 1.1***
31.  
32.     Directories will automagically be organized into filename-version to remove garbage filler folder names
33.        
34.        
35. =============
36. REQUIREMENTS
37. =============
38. 'expand.exe' to be present in %WINDIR%\SYSTEM32 (it is by default) - It will execute this file @ the current users permissions
39. A valid Microsoft MSU patch file to extract (PATCH variable)
40. Directory and File write/creation permissions to the PATH folder specified
41.        
42.    
43. =======    
44. USAGE
45. =======
46.  
47. Powershell -ExecutionPolicy Bypass -File PatchExtract.ps1 -Patch C:\Patches\Windows6.1-KB3088195-x64.msu -Path C:\Patches\MS15-XXX\POST\
48.  
49.  
50. This would extract the patch file C:\Patches\Windows6.1-KB3088195-x64.msu to the folder C:\Patches\MS15-XXX\POST\.
51. It will then create all the sub organization folders within C:\Patches\MS15-XXX\POST\ folder.
52.  
53. (Note: the optional Powershell parameters '-ExecutionPolicy Bypass' is necessary in some environments to overcome Powershell execution restrictions)
54.  
55. ==========
56. ARGUMENTS
57. ==========
58. -PATCH <STRING:Filename> [REQUIRED] [NO DEFAULT]
59.     Specifies the MSU file that will be extracted to the specified PATH folder and then organized into the x86, x64, WOW, JUNK, and BIN folders specified
60.     Extract command will be "expand -F:* <PATCH> <PATH>"
61.     Non MSU files have not been tested however if the extraction does not generate a CAB file of the same name (indicator of successful extraction of MSU files)
62.     the script assumes extraction failed.
63.    
64. -PATH <STRING:FolderPath> [REQUIRED] [NO DEFAULT]
65.     Specified the folder that the PATCH file will be extracted and organized into
66.     If the specified folders does not exist yet, the user will be prompted if they want to create it.
67.     Relative paths '.\POST' can be used but it has not extensively been tested.
68.  
69.     ***New in Version 1.1***
70.     The -PATH variable may be now omitted to expand to current directory
71.    
72.  
73. -x86 <STRING:Foldername> [OPTIONAL] [DEFAULT='x86']
74.  
75.     Specifies the folder name within $PATH to store x86 patch binaries
76.     example: -x86 32bit
77.    
78.    
79. -x64 <STRING:Foldername> [OPTIONAL] [DEFAULT='x64']
80.  
81.     Specifies the folder name within $PATH to store x64 patch binaries
82.     example: -x64 64bit
83.    
84. -WOW <STRING:Foldername> [OPTIONAL] [DEFAULT='WOW64']
85.  
86.     Specifies the folder name within $PATH to store wow64 type patch binaries
87.     example: -WOW sysWOW64
88.  
89. -MSIL <STRING:Foldername> [OPTIONAL] [DEFAULT='MSIL']
90.  
91.     *** New in Version 1.1***
92.     Specifies the folder name within $PATH to store .NET type patch binaries
93.     example: -MSIL DOTNET
94.    
95. -JUNK <STRING:Foldername> [OPTIONAL] [DEFAULT='JUNK']
96.  
97.     Specifies the folder name within $PATH to store resource, catalog, and other generally useless for diffing patch binaries
98.     example: -JUNK res
99.    
100.    
101. -BIN <STRING:Foldername> [OPTIONAL] [DEFAULT='PATCH']
102.  
103.     Specifies the folder name within $PATH to store extraction xml and original patch msu and cab files
104.     example: -BIN bin
105.  
106.  
107. ================
108. VERSION HISTORY
109. ================
110. I originally wrote this as an ugly batch file sometime between 2014 and 2015 as a way to organize folders but it was incomplete and buggy
111.  
112. Oct 15, 2015 - Initial Public Release 1.0
113. Oct 20, 2016 - Version 1.1 Released
114.                 * Bug fixes handling new naming format for patch .cab files
115.                 * Added the ability to auto-extract to the same directory as current PATCH
116.                 * filtered output directory name format to aid in bindiffing
117.  
118. Oct 20, 2016 - Version 1.2 Released
119.                 * Bug fixes handling MSIL renaming issues and collisions in renaming patch folders
120.  
121. Oct 20, 2016 - Version 1.5 Released
122.                 * Handles various types of sub arch binaries in x86, amd64, and wow64  during folder renames
123.  
124. ==========
125. LICENSING
126. ==========
127. This script is provided free as beer.  It probably has some bugs and coding issues, however if you like it or find it useful please give me a shout out on twitter @Laughing_Mantis.  
128. Feedback is encouraged and I will be likely releasing new scripts and tools and training in the future if it is welcome.
129.  
130.  
131. -GLin
132.  
133. #>
134.  
135.  
136.  
137.  
138. Param
139. (
140.  
141.     [Parameter(ValueFromPipelineByPropertyName = $true)]
142.     [ValidateNotNullOrEmpty()]
143.     [string]$PATCH = "",
144.    
145.     [Parameter(ValueFromPipelineByPropertyName = $true)]
146.     [string]$PATH = "",
147.    
148.     [Parameter(ValueFromPipelineByPropertyName = $true)]
149.     [string]$x86 = "x86",
150.    
151.     [Parameter(ValueFromPipelineByPropertyName = $true)]
152.     [string]$x64 = "x64",
153.    
154.     [Parameter(ValueFromPipelineByPropertyName = $true)]
155.     [string]$WOW = "WOW64",
156.  
157.     [Parameter(ValueFromPipelineByPropertyName = $true)]
158.     [string]$MSIL = "MSIL",
159.    
160.     [Parameter(ValueFromPipelineByPropertyName = $true)]
161.     [string]$JUNK = "JUNK",
162.    
163.     [Parameter(ValueFromPipelineByPropertyName = $true)]
164.     [string]$BIN = "PATCH"
165.        
166. )
167.  
168. Clear-Host
169.  
170.  
171.  
172.  
173. if ($PATCH -eq "")
174. {
175.     Throw ("Error: No PATCH file specified.  Specify a valid Microsoft MSU Patch with the -PATCH argument")
176.    
177. }
178.  
179. if ((Split-Path $PATCH -Parent) -eq "")
180. {
181.     # First look in current working directory for the relative filename
182.     $CurrentDir = $(get-location).Path;
183.     $PATCH = $CurrentDir + "\" + $PATCH
184.  
185.     # if that doesnt work we look in the current script directory (less likely)
186.     # but hey we tried
187.     if (!(Test-Path $PATCH))
188.     {
189.         $scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
190.         $PATCH = $scriptDir + "\" + $PATCH
191.     }
192. }
193.  
194. if (!(Test-Path $PATCH))
195. {
196.     Throw ("Error: Specified PATCH file ($PATCH) does not exist.  Specify a valid Microsoft MSU Patch file with the -PATCH argument.")
197. }
198.  
199. if ($PATH -eq "")
200. {
201.     $PATH = Split-Path $PATCH -Parent
202.     write-Host ("PATH = $PATH")
203.     Write-Host ("No PATH folder specified.  Will extract to $PATH folder.")
204.    
205. }
206.  
207. #Bug Fix (Resolve-Path Error if invalid path was specified before the path was created)
208.  
209.  
210.  
211.  
212. if (!($PATCH.ToUpper().EndsWith(".MSU")))
213. {
214.     Do
215.     {
216.         $Attempt = Read-Host ("Warning: Specified PATCH file ($PATCH) is not a MSU file type. Do you still want to attempt extraction? [Y] or [N]")
217.     }
218.     Until ('Y', 'y', 'n', 'N' -ccontains $Attempt)
219.     if ($Attempt.ToUpper() -eq 'N')
220.     {
221.         Write-Host ("Exiting...")
222.         Exit
223.     }
224. }
225.  
226. if (!(Test-Path $PATH))
227. {
228.     Do
229.     {
230.         $Attempt = Read-Host ("Warning: Specified PATH folder ($PATH) does not exist. Do you want to create it? [Y] or [N]")
231.     }
232.     Until ('Y', 'y', 'n', 'N' -ccontains $Attempt)
233.     if ($Attempt.ToUpper() -eq 'N')
234.     {
235.         Write-Host ("Exiting...")
236.         Exit
237.     }
238.     else
239.     {
240.         New-Item $PATH -Force -ItemType Directory
241.         Write-Host "Created $PATH Folder" -ForegroundColor Green
242.     }
243. }
244.  
245. $PATCH = Resolve-Path $PATCH
246. $PATH = Resolve-Path $PATH
247.  
248. Write-Host "Patch to Extract: $PATCH"
249. Write-Host "Extraction Path: $PATH"
250. Write-Host "x86 File Storage Folder Name: $x86"
251. Write-Host "x64 File Storage Folder Name: $x64"
252. Write-Host "WOW64 File Storage Folder Name: $WOW"
253. Write-Host "MSIL File Storage Folder Name: $MSIL"
254. Write-Host "Junk File Storage Folder Name: $JUNK"
255. Write-Host "Orignal Patch File Storage Folder Name: $BIN"
256.  
257. $SYSPATH = Join-Path -path (get-item env:\windir).Value -ChildPath "system32"
258.  
259. $EXPAND = Join-Path -path $SYSPATH -ChildPath "expand.exe"
260.  
261.  
262. if (!(Test-Path $EXPAND))
263. {
264.     Throw ("Error: Cannot find 'Expand.exe' in the $SYSPATH folder.")
265. }
266.  
267. $ARG = '-F:* ' + '"' + $PATCH + '" ' + '"' + $PATH + '"'
268.  
269. Write-Host "Executing the following command: $EXPAND $ARG" -ForegroundColor Green
270.  
271. Start-Process -File $EXPAND -ArgumentList $ARG -Wait
272.  
273.  
274.  
275. $CAB = Join-Path -path $PATH -ChildPath $((Get-ChildItem $PATCH).Basename + ".CAB")
276.  
277. if ((!(Test-Path $CAB)) -or ($CAB -eq ""))
278. {
279.     Write-Host "PATH = $PATH"
280.     Write-Host (Get-ChildItem -Path $PATH -Filter *.cab)
281.     ### Look for first existing CAB file in the directory as backup
282.     $CAB = (Get-ChildItem -Path $PATH -Filter *.cab | Select-Object -First 1)
283.     Write-Host "CAB = $CAB"
284.     if (!(Test-Path $CAB))
285.     {
286.         Throw "Error: Patch .CAB File could not be located.  Patch Extraction failed - please send notification of this error to @Laughing_Mantis."
287.     }
288. }
289. <# Microsoft newer patches do not follow this formula - likely an attempt to prevent
290. auto extraction so we need to handle scenarios where patch cab does not have the same
291. name as the container MSP #>
292.  
293.  
294.  
295. $ARG = '-F:* ' + '"' + $CAB + '" ' + '"' + $PATH + '"'
296.  
297. Write-Host "Executing the following command: $EXPAND $ARG" -ForegroundColor Green
298.  
299. Start-Process -File $EXPAND -ArgumentList $ARG -Wait
300.  
301.  
302. $PATCHx86 = Join-Path -path $PATH -ChildPath $x86
303. $PATCHx64 = Join-Path -path $PATH -ChildPath $x64
304. $PATCHWOW = Join-Path -path $PATH -ChildPath $WOW
305. $PATCHMSIL = Join-Path -path $PATH -ChildPath $MSIL
306. $PATCHJUNK = Join-Path -path $PATH -ChildPath $JUNK
307. $PATCHCAB = Join-Path -path $PATH -ChildPath $BIN
308.  
309.  
310. if (!(Test-Path $PATCHx86 -pathType Container))
311. {
312.     New-Item $PATCHx86 -Force -ItemType Directory
313.     Write-Host "Making $PATCHx86 Folder" -ForegroundColor Green
314. }
315.  
316. if (!(Test-Path $PATCHx64 -pathType Container))
317. {
318.     New-Item $PATCHx64 -Force -ItemType Directory
319.     Write-Host "Making $PATCHx64 Folder" -ForegroundColor Green
320. }
321.  
322. if (!(Test-Path $PATCHWOW -pathType Container))
323. {
324.     New-Item $PATCHWOW -Force -ItemType Directory
325.     Write-Host "Making $PATCHWOW Folder" -ForegroundColor Green
326. }
327.  
328. if (!(Test-Path $PATCHMSIL -pathType Container))
329. {
330.     New-Item $PATCHMSIL -Force -ItemType Directory
331.     Write-Host "Making $PATCHMSIL Folder" -ForegroundColor Green
332. }
333.  
334. if (!(Test-Path $PATCHJUNK -pathType Container))
335. {
336.     New-Item $PATCHJUNK -Force -ItemType Directory
337.     Write-Host "Making $PATCHJUNK Folder" -ForegroundColor Green
338. }
339.  
340. if (!(Test-Path $PATCHCAB -pathType Container))
341. {
342.     New-Item $PATCHCAB -Force -ItemType Directory
343.     Write-Host "Making $PATCHCAB Folder" -ForegroundColor Green
344. }
345.  
346.  
347. $PATCHFolders = Get-ChildItem -Path $PATH -Force -ErrorAction SilentlyContinue | where {$_.Attributes -eq 'Directory'}
348.  
349. foreach ($folder in $PATCHFolders)
350. {
351.     if ($folder.Name.Contains(".resources_"))
352.     {
353.         Move-Item $folder.FullName $PATCHJUNK -Force
354.         Write-Host "Moving $folder to $PATCHJUNK" -ForegroundColor Green
355.         Continue
356.     }
357.     else
358.     {
359.         if ($folder.Name.StartsWith("x86_"))
360.         {
361.             Move-Item $folder.FullName $PATCHx86 -Force
362.             Write-Host "Moving $folder to $PATCHx86" -ForegroundColor Green
363.             Continue
364.         }
365.        
366.         if ($folder.Name.StartsWith("amd64_"))
367.         {
368.             Move-Item $folder.FullName $PATCHx64 -Force
369.             Write-Host "Moving $folder to $PATCHx64" -ForegroundColor Green
370.             Continue
371.         }
372.        
373.         if ($folder.Name.StartsWith("wow64_"))
374.         {
375.             Move-Item $folder.FullName $PATCHWOW -Force
376.             Write-Host "Moving $folder to $PATCHWOW" -ForegroundColor Green
377.             Continue
378.         }
379.  
380.         if ($folder.Name.StartsWith("msil_"))
381.         {
382.             Move-Item $folder.FullName $PATCHMSIL -Force
383.             Write-Host "Moving $folder to $PATCHMSIL" -ForegroundColor Green
384.             Continue
385.         }
386.     }
387. }
388.  
389. <# PRETTY BINDIFF OUTPUT - changes folder names from x86-microsoft-windows-filename-hash-version-garbage to filename-version #>
390.  
391. $PATCHFolders = Get-ChildItem -Path $PATCHx86 -Force -ErrorAction SilentlyContinue | where {$_.Attributes -eq 'Directory'}
392.  
393. foreach ($folder in $PATCHFolders)
394. {
395.     if ($folder -like "x86_microsoft-windows-*")
396.     {
397.         $newfolder = $folder.Name.Replace("x86_microsoft-windows-", "")
398.         $newname = $newfolder.Split("_")[0]
399.         $version = $newfolder.Split("_")[2]
400.         $newname = $newname + "_" + $version
401.         Write-Host ("Renaming $folder to $newname") -ForegroundColor Green
402.         Rename-Item -path $folder.FullName -newName ($newname)
403.     }
404.     elseif ($folder -like "x86_*")
405.     {
406.         $newfolder = $folder.Name.Replace("x86_", "")
407.         $newname = $newfolder.Split("_")[0]
408.         $version = $newfolder.Split("_")[2]
409.         $newname = $newname + "_" + $version
410.         Write-Host ("Renaming $folder to $newname") -ForegroundColor Green
411.         Rename-Item -path $folder.FullName -newName ($newname)
412.     }
413. }
414.  
415. $PATCHFolders = Get-ChildItem -Path $PATCHx64 -Force -ErrorAction SilentlyContinue | where {$_.Attributes -eq 'Directory'}
416.  
417. foreach ($folder in $PATCHFolders)
418. {
419.     if ($folder -like "amd64_microsoft-windows-*")
420.     {
421.         $newfolder = $folder.Name.Replace("amd64_microsoft-windows-", "")
422.         $newname = $newfolder.Split("_")[0]
423.         $version = $newfolder.Split("_")[2]
424.         $newname = $newname + "_" + $version
425.         Write-Host ("Renaming $folder to $newname") -ForegroundColor Green
426.         Rename-Item -path $folder.FullName -newName ($newname)
427.     }
428.     elseif ($folder -like "amd64_*")
429.     {
430.         $newfolder = $folder.Name.Replace("amd64_", "")
431.         $newname = $newfolder.Split("_")[0]
432.         $version = $newfolder.Split("_")[2]
433.         $newname = $newname + "_" + $version
434.         Write-Host ("Renaming $folder to $newname") -ForegroundColor Green
435.         Rename-Item -path $folder.FullName -newName ($newname)
436.     }
437. }
438.  
439. $PATCHFolders = Get-ChildItem -Path $PATCHWOW -Force -ErrorAction SilentlyContinue | where {$_.Attributes -eq 'Directory'}
440.  
441. foreach ($folder in $PATCHFolders)
442. {
443.     if ($folder -like "wow64_microsoft-windows-*")
444.     {
445.         $newfolder = $folder.Name.Replace("wow64_microsoft-windows-", "")
446.         $newname = $newfolder.Split("_")[0]
447.         $version = $newfolder.Split("_")[2]
448.         $newname = $newname + "_" + $version
449.         Write-Host ("Renaming $folder to $newname") -ForegroundColor Green
450.         Rename-Item -path $folder.FullName -newName ($newname)
451.     }
452.     elseif ($folder -like "wow64_*")
453.     {
454.         $newfolder = $folder.Name.Replace("wow64_", "")
455.         $newname = $newfolder.Split("_")[0]
456.         $version = $newfolder.Split("_")[2]
457.         $newname = $newname + "_" + $version
458.         Write-Host ("Renaming $folder to $newname") -ForegroundColor Green
459.         Rename-Item -path $folder.FullName -newName ($newname)
460.     }
461. }
462.  
463. $PATCHFolders = Get-ChildItem -Path $PATCHMSIL -Force -ErrorAction SilentlyContinue | where {$_.Attributes -eq 'Directory'}
464.  
465. foreach ($folder in $PATCHFolders)
466. {
467.     if ($folder -like "msil_*")
468.     {
469.         $newfolder = $folder.Name.Replace("msil_", "")
470.         $newname = $newfolder.Split("_")[0]
471.         $version = $newfolder.Split("_")[2]
472.         $newname = $newname + "_" + $version
473.         Write-Host ("Renaming $folder to $newname") -ForegroundColor Green
474.         Rename-Item -path $folder.FullName -newName ($newname)
475.     }
476.  
477. }
478.  
479. $Junkfiles = Get-ChildItem -Path $PATH -Force -ErrorAction SilentlyContinue
480.  
481.  
482. foreach ($JunkFile in $Junkfiles)
483. {
484.    
485.     try
486.     {
487.         if (($JunkFile.Name.EndsWith(".manifest")) -or ($JunkFile.Name.EndsWith(".cat")) -or ($JunkFile.Name.EndsWith(".mum")))
488.         {
489.             Move-Item $JunkFile.FullName $PATCHJUNK -Force -ErrorAction SilentlyContinue
490.             Write-Host "Moving $JunkFile to $PATCHJUNK" -ForegroundColor Green
491.             Continue
492.         }
493.        
494.         if (($JunkFile.Name.EndsWith(".cab")) -or ($JunkFile.Name.EndsWith(".xml")) -or ($JunkFile.Name.EndsWith(".msu")) -or ($JunkFile.Name.EndsWith("pkgProperties.txt")))
495.         {
496.             Move-Item $JunkFile.FullName $PATCHCAB -Force -ErrorAction SilentlyContinue
497.             Write-Host "Moving $JunkFile to $PATCHCAB" -ForegroundColor Green
498.             Continue
499.         }
500.         if ($JunkFile.Name -eq "patch")
501.         {
502.             Move-Item $JunkFile.FullName $PATCHCAB -Force -ErrorAction SilentlyContinue
503.             Write-Host "Moving $JunkFile to $PATCHCAB" -ForegroundColor Green
504.             Continue
505.         }
506.     }
507.     catch
508.     {
509.         Write-Host "Error Processing ($JunkFile.Fullname)" -ForegroundColor Red
510.     }
511. }