Thursday, May 7, 2015

Another horribly inelegant script, but one I also definitely don't want to have to rewrite (took a lot more trial and error than it should have.) A little specific to my environment, and I'd like to find a better tool to leverage over Redline for this style of dump, but... For now this works and will save me a fair bit of time =)

set -e

#Script to copy over the necessary files and take a memory dump from a target computer

if [ $# -ne 2 ]
        echo "Useage: memorydump //host destinationFileName"
        #This mounts the necessary folders
        read -s -p "Please enter your AD password: " pass
        echo "Mounting drives..."

        if mountpoint -q /mount/cshare
                umount /mount/cshare
        mount -t cifs -o "user=username,password=$pass" "$1/C$" /mount/cshare #hardcoded in my username
        #Copy over the necessary files
        echo "Copying the Redline folder to target..."
        cp -r /root/misc/Redline /mount/cshare/Temp

        #Execute the script
        echo "Executing script..."
        winexe -U "domain/username%$pass" $1 'cmd.exe /c C:\Temp\Redline\RunRedlineAudit.bat' #hardcoded my domain and username in on this one also
        sleep 5

        #Dynamicallay assign the folder and files created to move once completed
        dir=$(ls -A /mount/cshare/Temp/Redline/Sessions/AnalysisSession1/Audits)
        dir+="/"$(ls -A /mount/cshare/Temp/Redline/Sessions/AnalysisSession1/Audits/$dir)
        file=$(ls -A /mount/cshare/Temp/Redline/Sessions/AnalysisSession1/Audits/$dir | grep w32memory-ac | grep -v issues)

        sleep 3m #Was trying to do this dynamically when the file was done, but it appears impossible over a cifs share. 3 minutes is a sufficient sleep time for it to finish.

        echo "Copying memory image to /root/ramdumps/$2, this may take a while..."
        if [ ! -d /root/randumps/$(echo $2 | awk -F "-" {'print $1'}) ] #This assumes the file names I use, username-mm-dd-yy.memdump
                mkdir /root/ramdumps/$(echo $2 | awk -F "-" {'print $1'})
        cp /mount/cshare/Temp/Redline/Sessions/AnalysisSession1/Audits/$dir/$file /root/ramdumps/$(echo $2 | awk -F "-" {'print $1'})/$2

        #Unmount the drives now that they're no longer in use
        echo "Dismounting the network drives..."
        umount /mount/cshare

No comments:

Post a Comment