hackoo

Processes_Services_Tasks_Startup.bat

Jun 6th, 2020 (edited)
<# : Batch portion
@rem # The previous line does nothing in Batch, but begins a multiline comment block
@rem # in PowerShell.  This allows a single script to be executed by both interpreters.
@echo off
cls & color 9E & Mode 95,5
Title Running Processes - Scheduled Tasks - Services - Startup items by Hackoo 2020
REM :RunAsAdmin relaunches the script elevated and passes "Admin" as the first
REM argument, which is how the elevated instance knows it may carry on here.
If [%1] NEQ [Admin] Goto RunAsAdmin

echo(
echo(                ===========================================================
echo(                    Please wait a while ... Working is in progress....
echo(                ===========================================================

REM Work files: Filter_Ext lists the script extensions whose source gets copied into
REM the report, Log is the report itself, written next to this script and named
REM after it, the computer and a timestamp, and Lnk_Target_Path_Log collects the
REM shortcut targets found in the two Startup folders.
Set "Filter_Ext=%Temp%\Filter_Ext"
Call :GetFileNameWithDateTime MyDate
Set "Log=%~dpn0_%Computername%_%MyDate%.txt"
Set "Lnk_Target_Path_Log=%~dp0Lnk_Target_Path_Log.txt"
REM Persistence locations inspected below: the all-users and current-user Startup
REM folders, the Winlogon key, whose Userinit value is reported, and Image File
REM Execution Options, whose Debugger values are reported.
Set "All_Users=%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Set "Current_User=%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
set "Winlogonkey=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set "ImageFileExec_Key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
Set StartupFolders="%All_Users%" "%Current_User%"
If Exist "%Log%" Del "%Log%"
REM VbsFile is the shortcut-target extractor generated by :Generate_VBS_File and run
REM once per Startup folder. The same temp path is later reused and deleted by
REM :Trim_Dequote and :Extract, so it must not be needed after those run.
Set "VbsFile=%Tmp%\%~n0.vbs"
Call :Generate_VBS_File
  26.  
  27.   Powershell ^
  28.   Get-WmiObject Win32_Process ^
  29. | where commandline -NE $null ^
  30. | Select-Object ProcessID,Name,CommandLine ^
  31. | Out-String -Width 450 ^
  32. | Findstr /I /V "Admin" ^
  33. | Findstr /I /V "Get-WmiObject" ^
  34. | Out-File "%Log%" -Encoding  ASCII
  35.  
  36.   Powershell ^
  37.   Get-CimInstance Win32_StartupCommand ^
  38. | Select-Object Name,command,Location,user ^
  39. | Format-List ^
  40. | Out-File -Append "%Log%" -Encoding  ASCII
  41.  
  42. >"%Lnk_Target_Path_Log%" (
  43.     @For %%A in (%StartupFolders%) Do (
  44.         Call :Execute_VBS_File "%%~A"
  45.     )
  46. )
  47.  
  48. >> "%Log%" (Type "%Lnk_Target_Path_Log%")
  49.  
  50. > "%Filter_Ext%" (
  51.     echo .vbs
  52.     echo .vbe
  53.     echo .js
  54.     echo .jse
  55.     echo .bat
  56.     echo .cmd
  57.     echo .ps1
  58. )
  59.  
  60. @for /f "delims=" %%a in ('Type "%Lnk_Target_Path_Log%" ^| Findstr /I /G:"%Filter_Ext%"') do (
  61.     @for /f "tokens=2 delims==" %%b in ('echo %%a') do (
  62.         >> "%Log%" 2>&1 (
  63.             echo(
  64.             echo ===================================================================================
  65.             echo( Source code of TargetPath=%%b
  66.             echo ===================================================================================
  67.             Type %%b
  68.         )
  69.     )
  70. )
  71.  
  72. Del "%Filter_Ext%" /F >nul 2>&1
  73. Del "%Lnk_Target_Path_Log%" >nul 2>&1
REM Delayed expansion is switched on here and never switched back off, so it is
REM also active in the subroutines called further down.
SetLocal EnableDelayedExpansion
REM Scheduled tasks. The PowerShell half of this hybrid file is read back through
REM the file-path variable syntax and run with iex; the batch lines above are a
REM PowerShell block comment, so only the code after the closing marker executes.
>> "%Log%" (
    echo(
    echo ****************************************************************************************************
    echo(                                 No Microsoft Scheduled Tasks List
    echo ****************************************************************************************************
    @for /f "delims=" %%I in ('powershell -noprofile "iex (${%~f0}|out-string)"') do echo %%I
    REM Earlier SCHTASKS-based listing, kept disabled for reference. It is the only
    REM caller of :Trim_Dequote.
    REM @For /F "tokens=2,9,17,19,20,21,22 delims=," %%a in ('SCHTASKS /Query /NH /FO CSV /V ^|find /I /V "Microsoft" ^|findstr /I /C:"VBS" /C:"EXE"') do (
    REM Set TaskName=%%~a
    REM Set TaskPath=%%~b
    REM Call :Trim_Dequote !TaskName! TaskName
    REM Call :Trim_Dequote !TaskPath! TaskPath
    REM echo "!TaskName!"
    REM echo "!TaskPath!"
    REM echo %%c;%%d;%%f;%%g
    REM echo( ---------------------------------------------------------------------------------------------------
    REM )
)
  92.  
REM Services whose image path contains neither "Micro" nor "Windows". The doubled
REM percent signs reach WMIC as the multi-character LIKE wildcard. Note that this
REM also hides anything started from under the Windows directory, such as its Temp
REM folder, so those need a separate look.
>> "%Log%" (
    echo(
    echo ****************************************************************************************************
    echo(                                 No Microsoft Services List
    echo ****************************************************************************************************
@for /f "tokens=*" %%a in (
    'WMIC service where "Not PathName like '%%Micro%%' AND Not PathName like '%%Windows%%'" get Name^,DisplayName^,PathName^,Status'
    ) do (
        REM Re-reading each line as a string presumably drops the stray carriage
        REM return WMIC appends, so it does not end up in the log.
        @for /f "delims=" %%b in ("%%a") do (
            echo %%b
            )
    )
)
  106.  
  107. >> "%Log%" (
  108.     echo(
  109.     echo ****************************************************************************************************
  110.     echo %Winlogonkey%
  111.     Reg Query "%Winlogonkey%" | find /I "userinit"
  112.     @for /f "delims=" %%a in ('Reg Query "%ImageFileExec_Key%" /f "*.exe" ^|findstr /I /V ":"') do (
  113.         @for /f "delims=" %%b in ('Reg Query "%%~a" /s /f "Debugger" ^|findstr /I /V "0" ^|findstr /I /V "1"') do (
  114.             echo %%b
  115.         )
  116.     )
  117. )
  118.  
  119. Call :ExtractCmdLine_Hashes
  120. If Exist "%Log%" Start /MAX "Log" "%Log%" & Exit
  121. ::-----------------------------------------------------------------------------------
:Trim_Dequote <Var> <NewVar>
REM Strips surrounding double quotes and outer whitespace from the first argument
REM and stores the result in the variable named by the second argument, through a
REM throw-away VBScript. Only referenced from the disabled SCHTASKS lines above,
REM so it is currently dead code; note that it reuses and then deletes VbsFile.
(
    echo    Wscript.echo Trim_Dequote("%~1"^)
    echo    Function Trim_Dequote(S^)
    echo    If Left(S, 1^) = """" And Right(S, 1^) = """" Then Trim_Dequote = Trim(Mid(S, 2, Len(S^) - 2^)^) Else Trim_Dequote = Trim(S^)
    echo    End Function
)>"%VbsFile%"
for /f "delims=" %%a in ('Cscript //nologo "%VbsFile%"') do (
    set "%2=%%a"
)
Del "%VbsFile%" /F >nul 2>&1
exit /b
  134. REM ------------------------------------------------------------------------------
  135. :GetFileNameWithDateTime <FileName>
  136. for /f "skip=1" %%x in ('wmic os get localdatetime') do if not defined MyDate set "MyDate=%%x"
  137. set "%1=%MyDate:~0,4%-%MyDate:~4,2%-%MyDate:~6,2%-%MyDate:~8,2%-%MyDate:~10,2%"
  138. Exit /B
  139. REM -----------------------------------------------------------------------------
:Generate_VBS_File
REM Writes VbsFile, a VBScript that takes one folder path, walks its files and,
REM for every .lnk or .url, prints a "Link=" and a "Target=" line followed by a
REM dashed separator. Targets are double-quoted so paths with spaces survive the
REM "delims==" split performed on them later. Carets protect the VBScript
REM parentheses and ampersands from the batch parser while the file is echoed.
>"%VbsFile%" (
    echo    Option Explicit
    echo    Dim Ws,objStartFolder,objFSO,objFolder,colFiles
    echo    Dim objFile,strFilePath,Lnk,Title
    echo    Title = "Extracting Target Path from .lnk and .url files by Hackoo 2020"
    echo    Set Ws = CreateObject("Wscript.Shell"^)
    echo    If WSH.Arguments.Count = 0 Then MsgBox "Missing Arguments",vbExclamation,Title : Wscript.Quit(1^)
    echo    objStartFolder = WSH.Arguments(0^)
    echo    Set objFSO = CreateObject("Scripting.FileSystemObject"^)
    echo    Set objFolder = objFSO.GetFolder(objStartFolder^)
    echo    Set colFiles = objFolder.Files
    echo    For Each objFile in colFiles
    echo    strFilePath = objFile.Path
    echo      If Ucase(objFSO.GetExtensionName(strFilePath^)^) = "LNK"_
    echo       Or Ucase(objFSO.GetExtensionName(strFilePath^)^) = "URL" Then
    echo          Call ExtractTargetPath(strFilePath^)
    echo      End If
    echo    Next
    echo    '-------------------------------------------------------------
    echo    Sub ExtractTargetPath(Lnk^)
    echo    set Lnk = Ws.Createshortcut(Lnk^)
    echo    WScript.echo "Link="^& DblQuote(Lnk^) ^& vbcrlf ^&_
    echo    "Target="^& DblQuote(Lnk.TargetPath^) ^& vbcrlf ^&_
    echo    String(100,"-"^)
    echo    End Sub
    echo    '-------------------------------------------------------------
    echo    Function DblQuote(Str^)
    echo        DblQuote = Chr(34^) ^& Str ^& Chr(34^)
    echo    End Function
    echo    '-------------------------------------------------------------
)
Exit /B
  173. REM -----------------------------------------------------------------------------
:Execute_VBS_File
REM Runs the generated VbsFile against the folder given as first argument; its
REM output goes to whatever stdout the caller redirected.
cscript //nologo "%VbsFile%" "%~1"
Exit /B
  177. REM -----------------------------------------------------------------------------
  178. :RunAsAdmin
  179. cls & color 9E & Mode 95,5
  180. echo(
  181. echo(               ===========================================================
  182. echo(                    Please wait a while ... Running as Admin ....
  183. echo(               ===========================================================
  184. Powershell start -verb runas '%0' Admin & Exit
  185. REM -----------------------------------------------------------------------------
  186. :ExtractCmdLine_Hashes
  187. Rem Killing all Process that have a status not responding
  188. Taskkill /f /fi "status eq not responding">nul 2>&1
  189. Set "LogScan=%~dp0Log_Scan"
  190. If Not Exist %LogScan%\ MD %LogScan%
  191. Set "Abs_cmdline=%LogScan%\%~n0_Abs_cmdline.txt"
  192. Set "Tmp_cmdline=%LogScan%\%~n0_Tmp_cmdline.txt
  193. Set "cmdline=%LogScan%\%~n0_cmdline.txt
  194. Set "TmpHashes=%LogScan%\%~n0_TmpHashes.txt"
  195. Set "Hashes=%LogScan%\%~n0_Hashes.txt"
  196. Set "Hash2Check_VirusTotal=%LogScan%\Hash2Check_VirusTotal.txt"
  197. For %%a in ("%Abs_cmdline%" "%Tmp_cmdline%" "%TmpHashes%" "%Hash2Check_VirusTotal%") Do If Exist "%%a" Del "%%a"
  198. Set ProcessNames="wscript.exe" "cmd.exe" "powershell.exe" "cscript.exe" "svchost.exe"
  199. SetLocal EnableDelayedExpansion
  200. for %%A in (%ProcessNames%) Do (
  201.     REM echo(
  202.     REM echo Please Wait a while ... Looking for any instance of %%A ...
  203.     Call :GetCommandLine %%A>nul 2>&1
  204. )
  205. Timeout /T 1 /NoBreak>nul
  206. Call :Extract "%Abs_cmdline%" "%Tmp_cmdline%"
  207. for /f "delims=" %%a in ('Type "%Tmp_cmdline%"') do (
  208.     for /f "skip=1 delims=" %%H in ('CertUtil -hashfile "%%~a" SHA256 ^| findstr /i /v "CertUtil"') do set "H=%%H"
  209.         REM echo %%a=!H: =!
  210.         echo %%a=!H: =! >> "%TmpHashes%"
  211. )
  212.  
  213. Call :RemoveDuplicateEntry %TmpHashes% %Hashes%
  214. Call :RemoveDuplicateEntry %Tmp_cmdline% %cmdline%
  215. If exist "%TmpHashes%" Del "%TmpHashes%" & If exist "%Tmp_cmdline%" Del "%Tmp_cmdline%"
  216.  
  217. for /f "tokens=1,2 delims==" %%a in ('Type "%Hashes%"') do (
  218.     If /I "%%~xa"==".vbs" MD %LogScan%\VBS>nul 2>&1 & Type "%%a" > "%LogScan%\VBS\%%~nxa.txt"
  219.     If /I "%%~xa"==".vbe" MD %LogScan%\VBE>nul 2>&1 & Type "%%a" > "%LogScan%\VBE\%%~nxa.txt"
  220.     If /I "%%~xa"==".js"  MD %LogScan%\JS>nul  2>&1 & Type "%%a" > "%LogScan%\JS\%%~nxa.txt"
  221.     If /I "%%~xa"==".jse" MD %LogScan%\JSE>nul 2>&1 & Type "%%a" > "%LogScan%\JSE\%%~nxa.txt"
  222.     If /I "%%~xa"==".bat" MD %LogScan%\BAT>nul 2>&1 & Type "%%a" > "%LogScan%\BAT\%%~nxa.txt"
  223.     If /I "%%~xa"==".cmd" MD %LogScan%\CMD>nul 2>&1 & Type "%%a" > "%LogScan%\CMD\%%~nxa.txt"
  224.     If /I "%%~xa"==".ps1" MD %LogScan%\PS1>nul 2>&1 & Type "%%a" > "%LogScan%\PS1\%%~nxa.txt"
  225.     If /I "%%~xa"==".wsf" MD %LogScan%\WSF>nul 2>&1 & Type "%%a" > "%LogScan%\WSF\%%~nxa.txt"
  226.     Set "Hash=%%b"
  227.     Set "Hash=!Hash: =!
  228.     IF {!Hash!} NEQ {!CMD_HASH!} (
  229.         IF {!Hash!} NEQ {!PS_HASH!} (
  230.             echo https://www.virustotal.com/#/file/%%b>>"%Hash2Check_VirusTotal%"
  231.             Start "Chek SHA256 on VIRUSTOTAL" "https://www.virustotal.com/old-browsers/file/%%b"
  232.         )
  233.     )
  234. )
  235. ::Start "" /MAX "%Hashes%"
  236. ::Start "" /MAX "%cmdline%"
  237. Exit /B
  238. ::********************************************************************************************************
  239. :GetCommandLine <ProcessName>
  240. Set "ProcessCmd="
  241. for /f "tokens=2 delims==" %%P in ('wmic process where caption^="%~1" get commandline /format:list ^| findstr /I "%~1" ^| find /I /V "%~nx0" 2^>nul') do (
  242.     Set "ProcessCmd=%%P"
  243.     REM echo !ProcessCmd!
  244.     echo !ProcessCmd! >> "%Abs_cmdline%"
  245. )
  246. Exit /b
  247. ::********************************************************************************************************
  248. :Extract <InputData> <OutPutData>
  249. (
  250. echo Data = WScript.StdIn.ReadAll
  251. echo Data = Extract(Data,"(^?^!.*(\x22\w\W^)^).*(\.ps1^|\.vbs^|\.vbe^|\.js^|\.jse^|\.cmd^|\.bat^|\.wsf^|\.exe^)(^?^!.*(\x22\w\W^)^)"^)
  252. echo WScript.StdOut.WriteLine Data
  253. echo Function Extract(Data,Pattern^)
  254. echo    Dim oRE,oMatches,Match,Line
  255. echo    set oRE = New RegExp
  256. echo    oRE.IgnoreCase = True
  257. echo    oRE.Global = True
  258. echo    oRE.Pattern = Pattern
  259. echo    set oMatches = oRE.Execute(Data^)
  260. echo    If not isEmpty(oMatches^) then
  261. echo        For Each Match in oMatches  
  262. echo            Line = Line ^& Trim(Match.Value^) ^& vbcrlf
  263. echo        Next
  264. echo        Extract = Line
  265. echo    End if
  266. echo End Function
  267. )>"%tmp%\%~n0.vbs"
  268. cscript /nologo "%tmp%\%~n0.vbs" < "%~1" > "%~2"
  269. If Exist "%tmp%\%~n0.vbs" Del "%tmp%\%~n0.vbs"
  270. exit /b
  271. ::****************************************************
  272. ::----------------------------------------------------
  273. :RemoveDuplicateEntry <InputFile> <OutPutFile>
  274. Powershell  ^
  275. $Contents=Get-Content '%1';  ^
  276. $LowerContents=$Contents.ToLower(^);  ^
  277. $LowerContents ^| select -unique ^| Out-File '%2'
  278. Exit /b
  279. ::----------------------------------------------------
  280. : end Batch / begin PowerShell hybrid code #>
  281. Function getTasks($path) {
  282.    $out = @()
  283.    # Get root tasks
  284.    $schedule.GetFolder($path).GetTasks(0) | % {
  285.        $xml = [xml]$_.xml
  286.        $out += New-Object psobject -Property @{
  287.            "Name" = $_.Name
  288.            "Path" = $_.Path
  289.            "LastRunTime" = $_.LastRunTime
  290.            "NextRunTime" = $_.NextRunTime
  291.            "Actions" = ($xml.Task.Actions.Exec | % { "$($_.Command) $($_.Arguments)" }) -join "`n"
  292. "==============" = "===================================================================================="
  293.        }
  294.    }
  295.    # Get tasks from subfolders
  296.    $schedule.GetFolder($path).GetFolders(0) | % {
  297.        $out += getTasks($_.Path)
  298.    }
  299.    #Output
  300.    $out
  301. }
  302. $tasks = @()
  303. $schedule = New-Object -ComObject "Schedule.Service"
  304. $schedule.Connect()
  305. # Start inventory
  306. $tasks += getTasks("\")
  307. # Close com
  308. [System.Runtime.Interopservices.Marshal]::ReleaseComObject($schedule) | Out-Null
  309. Remove-Variable schedule
  310.  
  311. # To show All No Microsoft Scheduled Tasks
  312. $tasks | ? { $_.Path -notmatch "Micro*" } | Out-String -Width 450