Monday, August 24, 2015

Another quick time saver script

Now that I've started using yara signature scanning in my memory forensics, I've found out that anti-virus processes come with an absurd number of false positives (makes sense, as they probably contain the same or similar signatures that yara is looking for). So, when I run the yara module, I cut out the offending pids with a whitelist approach. So, after about the third time I manually entered a command like the below

cat pslist.txt | awk {'print $3'} | grep -vi "pid1\|pid2\|pid3\|" | tr "\n" ", "

to then copy paste the 3-5 lines of pids into the command line (making a big ugly mess,) I decided it was high time to make things a little simpler (and cleaner).

I started out writing a script that prompted me for the pids I wanted to exclude, which would then just dump the entire mess into the command line, for me to still then copy/paste into the volatility command. Saves me a bit of typing, but wasn't quite as clean as I wanted. So, I figured it was high time I learn how to use options in bash. This is a simple but functional script so that instead of pasting a zillion pids into volatility's -p option, I can do something cleaner like

volcommandstuff -p $(getpid -p "pid1 pid2 pid3") and it'll dump the edited list in for me. I'm kind of proud of this one, probably for no good reason, but whatever.

Here's the script

#Script to pull all the PIDs from volatility pslist output stored in a text file, excluding specified PIDs supplied by the user
#This script assumes you're in a directory with the appropriate pslist.txt output file
set -e

#check to see if an option was entered
if [ $OPTIND -eq 0 ]; then
    echo 'Useage: -p "space seperated pid list"'
    exit 1

while getopts "p:" userInput; do
    case "$userInput" in
        "p") read -a pids <<< "${OPTARG}"
            for item in ${pids[@]}; do
            string=$(cat pslist.txt | awk {'print $3'} | tail -n +3 | grep -vi "$modString" | tr "\n" ",")
        *) echo 'Useage: getpid -p "space seperated pid list"'

echo $modString

No comments:

Post a Comment