Learning PowerShell: basic programs

In the previous posts we have looked at some elementary PowerShell concepts and we have constructed some basic commands to export and compare data.
We did this by using an example of certificates being dumped in the “Untrusted” category by some malware. This time we will try to write a program that can undo these changes.
Remember that when running PowerShell scripts, unlike single commands, you will have to remove any execution restrictions that are in place. This command allows everything for the current session (the -Scope Process switch limits the change to this PowerShell process instead of the whole machine):
Set-ExecutionPolicy Unrestricted -Scope Process
Objectives
One of the basic skills in every scripting language is text manipulation. I will need a few of those manipulations before I am able to use the HTML export we created last time as the source for the list of registry keys that I need to remove. We know they are all present in that export, so let’s get to it.
To read how we created the comparison.html file, have a look at the previous post in this mini-series. First we need to get rid of some unnecessary text that was added while making the tables and converting them to HTML.

One of the lines we want to get rid of is the header. We could take the easy route and simply delete it, but I want to build in some extra safety, so I will remove all the lines that do NOT contain @{Thumbprint=, since those are the only entries we are interested in anyway.
So how do we do that?
Get-Content C:\Users\Public\Desktop\comparison.html | Select-String -SimpleMatch "@{Thumbprint=" | Out-File C:\certain\certificates1.txt
That command filters out all the lines that do not contain the @{Thumbprint= string and brings the html back to a text file, because txt files are a bit easier to work with.
Now we will need a step to get rid of the table make-up.
(Get-Content C:\certain\certificates1.txt) -replace '<[^>]+>','' | Out-File C:\certain\certificates2.txt   # the pattern matches any HTML tag (reconstructed; the original pattern was lost in this copy of the post)
This one looks a bit more complicated because of the regular expression. Regular expressions (regex) are worthy of a topic all by themselves, because of their complexity and usefulness. Maybe another day. This one looks for HTML tags, which got rid of all the table markup that was needed to display the table. The Get-Content call needs to be in parentheses, or PowerShell would regard -replace as an argument for that cmdlet and throw an error, because -replace is not defined as a parameter of Get-Content.
Now, just for good measure, I want to delete all the SideIndicator arrows as well. Note that in the text file they look like this: =&gt; where &gt; is the HTML entity for “>”.
(Get-Content C:\certain\certificates2.txt) -replace "=&gt;","" | Out-File C:\certain\certificates3.txt
Now that we have cleaned up the file we can use the next loop to delete the registry keys. And with those keys we effectively delete the certificates.
$List = Get-Content C:\certain\certificates3.txt
foreach ($Line in $List) {
    # Only the first ';'-separated field carries the thumbprint
    $First, $Second, $Third = $Line -split ';'
    # '{' is escaped because -replace treats its pattern as a regular expression
    $Thumbprint = $First -replace '@\{Thumbprint=', 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\'
    # 68 characters of key prefix plus a 40-character SHA-1 thumbprint = 108
    If ($Thumbprint.Length -eq 108) {
        $path = $Thumbprint
        # Grant full control on the key before trying to delete it
        $acl = Get-Acl $path
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
        $acl.SetAccessRule($rule)
        $acl | Set-Acl -Path $path
        Remove-Item -Path $path
        Write-Host "$path removed"
    }
}
Explanation of what this loop does:
It reads the text file line by line and splits each line up using the “;” as a delimiter.
The first part of each line contains the Thumbprint, so we can ignore the rest and use only the first part.
We replace the text added by Get-ChildItem (which is “@{Thumbprint=”) with the path to the registry key that we need (“HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\”).
As an extra security measure we check whether the length of the string equals 108 (the length of the key including the Thumbprint). We do not want to delete random registry keys because of some fluke in the text files. As an exercise: think what could happen if someone used the “
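The same clean-up and removal as one script, added here as an example that is not code from the original post: it keeps the post's file names and registry path, but validates the thumbprint with a regular expression instead of a length check, and only deletes when run with a -Remove switch (the switch and the log file path are this example's own assumptions).

```powershell
# Added example, not code from the original post. File names follow the post;
# the -Remove switch and the log path are this example's own assumptions.
param(
    [string]$ComparisonHtml = 'C:\Users\Public\Desktop\comparison.html',
    [switch]$Remove,   # without this switch the script only reports
    [string]$Log = 'C:\certain\removed-keys.txt'
)

$DisallowedRoot = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'

# Steps 1-3 of the post in one pipeline: keep the rows that carry a thumbprint,
# strip the table tags and decode the HTML-encoded side indicator.
$Rows = Get-Content $ComparisonHtml |
    Select-String -SimpleMatch '@{Thumbprint=' |
    ForEach-Object { $_.Line -replace '<[^>]+>', '' -replace '&gt;', '>' }

$Removed = 0
foreach ($Row in $Rows) {
    # Stricter than the length check in the post: the thumbprint must be
    # exactly 40 hex characters right after the marker, or the row is skipped.
    if ($Row -notmatch '@\{Thumbprint=([0-9A-Fa-f]{40})\b') {
        Write-Warning "Skipping row without a valid thumbprint: $Row"
        continue
    }
    $Key = Join-Path $DisallowedRoot ($Matches[1].ToUpper())

    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Host "$Key is not present, nothing to do"
        continue
    }
    if (-not $Remove) {
        Write-Host "Would remove $Key (run with -Remove to delete)"
        continue
    }

    # Same ACL step as the post, but granting Administrators rather than Everyone
    $acl  = Get-Acl -LiteralPath $Key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Key -AclObject $acl

    Remove-Item -LiteralPath $Key -Recurse
    Add-Content -LiteralPath $Log -Value "$(Get-Date -Format o) removed $Key"
    $Removed++
}
Write-Host "$Removed key(s) removed; details in $Log"
```

Run it once without -Remove to review the list of keys it found, then again with -Remove from an elevated PowerShell session.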