How can I detect the autorun process with powershell?

Time:07-27

I'm going to check the PC using PowerShell. The purpose is to detect automatically executing malware. If there is a new process after execution, it shows the new process. Then I want to create code that allows users to identify and detect whether it is a malicious process.

Function Reg {
    # Autorun locations to inspect
    $key_1 = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $key_2 = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    $key_3 = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $key_4 = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

    # .Property lists the value names under each key (not the commands they run)
    $p1 = Get-Item -Path $key_1 | Select-Object -ExpandProperty Property
    $p2 = Get-Item -Path $key_2 | Select-Object -ExpandProperty Property
    $p3 = Get-Item -Path $key_3 | Select-Object -ExpandProperty Property
    $p4 = Get-Item -Path $key_4 | Select-Object -ExpandProperty Property

    # Join the four lists into one; @() keeps a single-value result as an array
    # so that + appends elements instead of concatenating strings
    $result = @($p1) + @($p2) + @($p3) + @($p4)
    $result
}

Function Check {
    $file = "C:\study\project\PC_Check\result.txt"
    # First run: save the current list as the baseline
    if ( -not (Test-Path $file)) {
        Reg | Out-File -FilePath $file
    }
    else {
        # This array comparison is the part the question asks about
        if ((Reg) -eq (Get-Content $file)) {
            Write-Host "No new process."
        }
        else {
            Write-Host "New process detected."
            Reg | Out-File -FilePath $file
        }
    }
}

Check

The problem with my code is that there is no comparison between the executed output and the contents of the first file. I want to print out the new process while comparing the current output with the file contents.

(Reg) -eq (Get-Content $file)

I think this comparison part is wrong. How should I correct it?

Thank you for taking the time to read this, and have a nice day!

CodePudding user response:

As per my comment, one way to refactor this is as follows. Tweak as needed.

Clear-Host

# Refactor to get all Autorun details: the value names under each Run/RunOnce key.
# -ErrorAction SilentlyContinue skips keys that do not exist (RunOnce is often absent).
Function Get-AutorunDetail 
{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' | 
    ForEach-Object {(Get-Item -Path $PSitem -ErrorAction SilentlyContinue).Property}
}

Get-AutorunDetail | 
Out-Null

Function Write-AutorunResultsFile
{
    # Check if file path exists
    $AutorunResultsFile = 'D:\study\project\PC_Check'

    # If not, create the path and the new file
    if ( -not (Test-Path -Path "$AutorunResultsFile\AutorunResultsFile.txt")) 
    {
        New-Item -Path $AutorunResultsFile -ItemType File -Name 'AutorunResultsFile.txt' -Force | 
        Out-Null

        # Add the Autorun detail to the new file
        Get-AutorunDetail | 
        ForEach-Object {Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value $PSitem}
    }
    else 
    {
        # Compare-Object needs the function's output, (Get-AutorunDetail), not a script block {...};
        # it returns nothing when both lists match and one record per difference otherwise.
        if (-not (Compare-Object -ReferenceObject (Get-AutorunDetail) -DifferenceObject (Get-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt")))
        {Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value 'No new process.'}
        else 
        {
            'New process detected.'
            Get-AutorunDetail | 
            ForEach-Object {Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value $PSitem}
        }
    }
}

Write-AutorunResultsFile

Again, this is just one way, there are always more and/or better ways - but I'll leave them to you to research or others to chime in.

Updated

Clear-Host

# Refactor to get all Autorun details: the value names under each Run/RunOnce key.
# -ErrorAction SilentlyContinue skips keys that do not exist (RunOnce is often absent).
Function Get-AutorunDetail 
{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' | 
    ForEach-Object {(Get-Item -Path $PSitem -ErrorAction SilentlyContinue).Property}
}

Get-AutorunDetail | 
Out-Null

Function Write-AutorunResultsFile
{
    # Check if file path exists
    $AutorunResultsFile = 'D:\study\project\PC_Check'

    # If not, create the path and the new file
    if ( -not (Test-Path -Path "$AutorunResultsFile\AutorunResultsFile.txt")) 
    {
        New-Item -Path $AutorunResultsFile -ItemType File -Name 'AutorunResultsFile.txt' -Force | 
        Out-Null

        # Add the Autorun detail to the new file
        Get-AutorunDetail | 
        ForEach-Object {Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value $PSitem}
    }
    else 
    {
        # Compare-Object returns one record per difference. '<=' marks entries present in the
        # registry (reference) but not in the file, i.e. newly added autorun values; the status
        # lines written below exist only in the file ('=>') and are therefore ignored.
        if ($AutorunDetails = (Compare-Object -ReferenceObject (Get-AutorunDetail) -DifferenceObject (Get-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt")) -match '<=')
        {
            Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value 'New process detected.'
            # Record the newest entry (only the last one if several were added at once)
            Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value ($AutorunDetails.InputObject | Select-Object -Last 1)
        }
        else 
        {Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value 'No new process detected.'}
    }
}

Write-AutorunResultsFile

# Results when altering the registry key
<#
Security...
Tablet...
Display...
ms...
OneDrive
Micros...
CiscoM...
...
Docker Desktop
GoToMeeting
No new process detected.
New process detected.
test
No new process detected.
New process detected.
test1
No new process detected.
New process detected.
test2
#>
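Both the question's Reg function and the answer's Get-AutorunDetail compare only the value names under the Run/RunOnce keys, so an existing entry whose data is rewritten to launch a different program would never be reported. The script below is an added example, not code from the question or the answer: it snapshots each autorun value's name and data, stores the first snapshot as a JSON baseline, and on later runs reports added, removed and modified entries. The four registry keys and the C:\study\project\PC_Check directory come from the question; the function names, the baseline file name and the JSON layout are choices made for this example.

```powershell
# Added example: baseline-and-diff of autorun registry entries by value name AND data.
# Function names and the JSON baseline layout are choices made for this example.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BaselinePath = 'C:\study\project\PC_Check\autorun-baseline.json'   # directory taken from the question

function Get-AutorunSnapshot {
    # Returns a hashtable: "<key>\<value name>" -> command line stored in that value.
    $snapshot = @{}
    foreach ($key in $AutorunKeys) {
        # RunOnce keys are often absent; treat a missing key as "no entries", not as an error.
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            # Keep %VARS% unexpanded so the baseline records exactly what the registry holds.
            $data = $item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $snapshot["$key\$name"] = [string]$data
        }
    }
    return $snapshot
}

function Compare-AutorunSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = [System.Collections.Generic.List[object]]::new()
    foreach ($entry in $Current.Keys) {
        if (-not $Baseline.ContainsKey($entry)) {
            $changes.Add([pscustomobject]@{ Change = 'Added';    Entry = $entry; Old = $null;             New = $Current[$entry] })
        }
        elseif ($Baseline[$entry] -cne $Current[$entry]) {
            # Same value name, different command line: the case a name-only comparison misses.
            $changes.Add([pscustomobject]@{ Change = 'Modified'; Entry = $entry; Old = $Baseline[$entry]; New = $Current[$entry] })
        }
    }
    foreach ($entry in $Baseline.Keys) {
        if (-not $Current.ContainsKey($entry)) {
            $changes.Add([pscustomobject]@{ Change = 'Removed';  Entry = $entry; Old = $Baseline[$entry]; New = $null })
        }
    }
    return $changes
}

function Read-AutorunBaseline {
    param([string]$Path)
    # ConvertFrom-Json yields a PSCustomObject in Windows PowerShell 5.1; rebuild the hashtable.
    $baseline = @{}
    $json = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($prop in $json.PSObject.Properties) { $baseline[$prop.Name] = [string]$prop.Value }
    return $baseline
}

$current = Get-AutorunSnapshot
if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the baseline. It is only trustworthy if taken on a known-clean machine.
    New-Item -Path (Split-Path -Path $BaselinePath -Parent) -ItemType Directory -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written: $($current.Count) autorun entries recorded in $BaselinePath"
}
else {
    $changes = @(Compare-AutorunSnapshot -Baseline (Read-AutorunBaseline -Path $BaselinePath) -Current $current)
    if ($changes.Count -eq 0) {
        Write-Host 'No autorun changes since the baseline.'
    }
    else {
        Write-Host "$($changes.Count) autorun change(s) since the baseline:"
        $changes | Format-Table -Property Change, Entry, Old, New -Wrap
        # The baseline is deliberately left untouched: delete it and re-run to accept the
        # changes only once each entry has been reviewed and found legitimate.
    }
}
```

Run it once to create the baseline and again after any suspected change; a Modified row with the same value name but a new command line is exactly what the name-only comparison in the answer would report as "No new process detected." The Run and RunOnce keys are only a subset of Windows autostart locations (services, scheduled tasks, the Startup folder and Winlogon entries are others), so a script like this is a quick local check rather than a complete persistence audit.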