vm.common: add -iconLocation param to VM-Install-From-Zip function

mandiant · Dec 18, 2024 · 53e44d3 · 53e44d3
1 parent 87caee3
commit 53e44d3
Show file tree

Hide file tree

Showing 24 changed files with 179 additions and 84 deletions.
diff --git a/packages/capa-explorer-web.vm/capa-explorer-web.vm.nuspec b/packages/capa-explorer-web.vm/capa-explorer-web.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>capa-explorer-web.vm</id>
-    <version>1.0.0</version>
+    <version>1.0.0.20241218</version>
     <authors>Soufiane Fariss</authors>
     <description>Web interface for exploring and understanding capa results</description>
     <dependencies>

diff --git a/packages/capa-explorer-web.vm/tools/chocolateyinstall.ps1 b/packages/capa-explorer-web.vm/tools/chocolateyinstall.ps1
@@ -7,4 +7,5 @@ $zipUrl = 'https://github.com/mandiant/capa/raw/refs/heads/master/web/explorer/r
 $zipSha256 = '3a7cf6927b0e8595f08b685669b215ef779eade622efd5e8d33efefadd849025'
 
 $executableName = "index.html"
-VM-Install-From-Zip $toolName $category $zipUrl $zipSha256 -executableName $executableName -withoutBinFile -innerFolder $true
+$iconName = "favicon.ico"
+VM-Install-From-Zip $toolName $category $zipUrl $zipSha256 -executableName $executableName -iconLocation $iconName  -withoutBinFile -innerFolder $true
diff --git a/packages/common.vm/common.vm.nuspec b/packages/common.vm/common.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>common.vm</id>
-    <version>0.0.0.20241209</version>
+    <version>0.0.0.20241218</version>
     <description>Common libraries for VM-packages</description>
     <authors>Mandiant</authors>
   </metadata>

diff --git a/packages/common.vm/tools/vm.common/vm.common.psm1 b/packages/common.vm/tools/vm.common/vm.common.psm1
@@ -402,7 +402,9 @@ function VM-Install-From-Zip {
         # $powershellCommand = "Get-Content README.md"
         # $powershellCommand = "Import-Module module.ps1; Get-Help Main-Function"
         [Parameter(Mandatory=$false)]
-        [string] $powershellCommand
+        [string] $powershellCommand,
+        [Parameter(Mandatory=$false)]
+        [string] $iconLocation
     )
     try {
         $toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
@@ -432,20 +434,20 @@ function VM-Install-From-Zip {
 
         if ($powershellCommand) {
             $executablePath = $toolDir
-            VM-Install-Shortcut -toolName $toolName -category $category -arguments $powershellCommand -executableDir $executablePath -powershell
+            VM-Install-Shortcut -toolName $toolName -category $category -arguments $powershellCommand -executableDir $executablePath -powershell -iconLocation $iconLocation
         }
         elseif ($withoutBinFile) { # Used when tool does not have an associated executable
             if (-Not $executableName) { # Tool is located in $toolDir (c3.vm for example)
                 $executablePath = $toolDir
             } else { # Tool is in a specific directory (pma-labs.vm for example)
                 $executablePath = Join-Path $toolDir $executableName -Resolve
             }
-            VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath
+            VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -iconLocation $iconLocation
         }
         else {
             if (-Not $executableName) { $executableName = "$toolName.exe" }
             $executablePath = Join-Path $toolDir $executableName -Resolve
-            VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $consoleApp -arguments $arguments
+            VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $consoleApp -arguments $arguments -iconLocation $iconLocation
             Install-BinFile -Name $toolName -Path $executablePath
         }
         return ,@($toolDir, $executablePath)
@@ -1828,6 +1830,7 @@ function VM-Create-Ico {
 # Delete extracted ZIPS after unzipping them.
 # Useful to extract zipped labs downloaded from GDrive keeping the folder structure.
 function VM-Unzip-Recursively {
+    $ErrorActionPreference = 'Continue'
     $desktop = Join-Path ${Env:UserProfile} "Desktop"
     $zip = Get-Item "$desktop\drive-download*.zip"
     if (-Not (Test-Path $zip)) {

diff --git a/packages/event-log-explorer.vm/event-log-explorer.vm.nuspec b/packages/event-log-explorer.vm/event-log-explorer.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>event-log-explorer.vm</id>
-    <version>5.5.2.20240908</version>
+    <version>5.6.0.20241212</version>
     <authors>FSPro Labs</authors>
     <description>Software solution for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs.</description>
     <dependencies>

diff --git a/packages/event-log-explorer.vm/tools/chocolateyinstall.ps1 b/packages/event-log-explorer.vm/tools/chocolateyinstall.ps1
@@ -5,7 +5,7 @@ $toolName = 'Event Log Explorer'
 $category = 'Forensic'
 
 $exeUrl = 'https://eventlogxp.com/download/elex_setup.exe'
-$exeSha256 = '8dc2c9d4a620bf421dac9c9bce2ab690798005edbf5d7ccb202717a14f8cc894'
+$exeSha256 = '5049c96130396f407197a74fa571f10e4106bd0c13858e717fc11c535fded678'
 
 $toolDir = Join-Path ${Env:ProgramFiles(x86)} $toolName
 $executablePath = Join-Path $toolDir "elex.exe"

diff --git a/packages/fakenet-ng.vm/fakenet-ng.vm.nuspec b/packages/fakenet-ng.vm/fakenet-ng.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
   <metadata>
     <id>fakenet-ng.vm</id>
-    <version>3.3</version>
+    <version>3.3.0.20241124</version>
     <description>FakeNet-NG is a dynamic network analysis tool.</description>
     <authors>Mandiant</authors>
     <dependencies>

diff --git a/packages/fakenet-ng.vm/tools/default.ini b/packages/fakenet-ng.vm/tools/default.ini
@@ -114,7 +114,7 @@ DefaultUDPListener:    ProxyUDPListener
 # NOTE: This setting is only honored when 'RedirectAllTraffic' is enabled.
 
 BlackListPortsTCP: 139
-BlackListPortsUDP: 67, 68, 137, 138, 443, 1900, 5355, 53
+BlackListPortsUDP: 67, 68, 137, 138, 443, 1900, 5355
 
 # Specify processes to ignore when diverting traffic. Windows example used
 # here.
@@ -275,6 +275,7 @@ Listener:    HTTPListener
 UseSSL:      No
 Webroot:     defaultFiles/
 Timeout:     10
+#ProcessBlackList: dmclient.exe, OneDrive.exe, svchost.exe, backgroundTaskHost.exe, GoogleUpdate.exe, chrome.exe
 DumpHTTPPosts: Yes
 DumpHTTPPostsFilePrefix: http
 Hidden:      False
@@ -345,5 +346,4 @@ Port:        110
 Protocol:    TCP
 Listener:    POPListener
 UseSSL:      No
-Hidden:      False
-
+Hidden:      False
diff --git a/packages/ida.plugin.capa.vm/ida.plugin.capa.vm.nuspec b/packages/ida.plugin.capa.vm/ida.plugin.capa.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>ida.plugin.capa.vm</id>
-    <version>7.0.1.20240425</version>
+    <version>8.0.1</version>
     <description>capa explorer is an IDAPython plugin that integrates capa with IDA Pro.</description>
     <authors>@mike-hunhoff, @williballenthin, @mr-tz</authors>
     <dependencies>

diff --git a/packages/ida.plugin.capa.vm/tools/chocolateyinstall.ps1 b/packages/ida.plugin.capa.vm/tools/chocolateyinstall.ps1
@@ -3,19 +3,20 @@ Import-Module vm.common -Force -DisableNameChecking
 
 try {
     # Install dependency: capa Python library
-    VM-Pip-Install "flare-capa"
+    $version = "8.0.1"
+    VM-Pip-Install "flare-capa==$version"
 
     # Install plugin
     $pluginName = "capa_explorer.py"
-    $pluginUrl = "https://raw.githubusercontent.com/mandiant/capa/v7.0.1/capa/ida/plugin/capa_explorer.py"
-    $pluginSha256 = "a9a60d9066c170c4e18366eb442f215009433bcfe277d3c6d0c4c9860824a7d3"
+    $pluginUrl = "https://raw.githubusercontent.com/mandiant/capa/v$version/capa/ida/plugin/capa_explorer.py"
+    $pluginSha256 = "bf6c9a0e5fd2c75a93bb3c19e0221c36cda441c878af3c23ea3aafef4fecf3e9"
     VM-Install-IDA-Plugin -pluginName $pluginName -pluginUrl $pluginUrl -pluginSha256 $pluginSha256
 
 
     # Download capa rules
     $pluginsDir = VM-Get-IDA-Plugins-Dir
-    $rulesUrl = "https://github.com/mandiant/capa-rules/archive/refs/tags/v7.0.1.zip"
-    $rulesSha256 = "f4ed60bcf342007935215ea76175dddfbcbfb3f97d95387543858e0c1ecf8bcd"
+    $rulesUrl = "https://github.com/mandiant/capa-rules/archive/refs/tags/v$version.zip"
+    $rulesSha256 = "7c5f932b1da4e18eed50add117e7fc55c14dc51487495cb31e33e0b44c522fbc"
     $packageArgs = @{
         packageName    = ${Env:ChocolateyPackageName}
         unzipLocation  = $pluginsDir
@@ -24,7 +25,7 @@ try {
         checksumType   = 'sha256'
     }
     Install-ChocolateyZipPackage @packageArgs
-    $rulesDir = Join-Path $pluginsDir "capa-rules-7.0.1" -Resolve
+    $rulesDir = Join-Path $pluginsDir "capa-rules-$version" -Resolve
 
     # Set capa rules in the capa plugin
     $registryPath = 'HKCU:\SOFTWARE\IDAPython\IDA-Settings\capa'

diff --git a/packages/ida.plugin.capa.vm/tools/chocolateyuninstall.ps1 b/packages/ida.plugin.capa.vm/tools/chocolateyuninstall.ps1
@@ -8,8 +8,8 @@ $pluginPath = Join-Path $pluginsDir "capa_explorer.py"
 Remove-Item $pluginPath
 
 # Delete capa rules
-$rulesDir = Join-Path $pluginsDir "capa-rules-6.1.0"
-Remove-Item $rulesDir
+$rulesDir = Get-ChildItem "$pluginsDir\capa-rules-*"
+Remove-Item $rulesDir -Recurse
 
 # Delete registry information
 Remove-Item 'HKCU:\SOFTWARE\IDAPython\IDA-Settings\capa'
diff --git a/packages/ida.plugin.xrefer.vm/ida.plugin.xrefer.vm.nuspec b/packages/ida.plugin.xrefer.vm/ida.plugin.xrefer.vm.nuspec
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>ida.plugin.xrefer.vm</id>
+    <version>1.0.0</version>
+    <description>Custom navigation interface within IDA.</description>
+    <authors>Muhammad Umair</authors>
+    <dependencies>
+      <dependency id="common.vm" version="0.0.0.20241029"/>
+      <dependency id="libraries.python3.vm" version="0.0.0.20241213"/>
+      <dependency id="openjdk.vm" />
+    </dependencies>
+  </metadata>
+</package>
diff --git a/...ra.python3.vm/tools/chocolateyinstall.ps1 → ...gin.xrefer.vm/tools/chocolateyinstall.ps1 b/...ra.python3.vm/tools/chocolateyinstall.ps1 → ...gin.xrefer.vm/tools/chocolateyinstall.ps1
@@ -4,6 +4,12 @@ Import-Module vm.common -Force -DisableNameChecking
 try {
     $dependencies = "asciinet,bs4,flare_capa,langchain,langchain_google_genai,langchain_openai,networkx,python-statemachine,requests,tabulate,tenacity"
     VM-Pip-Install $dependencies
+
+    $pluginName = 'xrefer.py'
+    $pluginUrl = 'https://github.com/mandiant/xrefer/archive/refs/tags/v1.0.0.zip'
+    $pluginSha256 = '8c1b5cee59674e104e0bac20f908e9b3cf17af25b18b3ed80a845b62b257e7f1'
+
+    VM-Install-IDA-Plugin -pluginName $pluginName -pluginUrl $pluginUrl -pluginSha256 $pluginSha256
 } catch {
     VM-Write-Log-Exception $_
 }
diff --git a/packages/ida.plugin.xrefer.vm/tools/chocolateyuninstall.ps1 b/packages/ida.plugin.xrefer.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,5 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$pluginName = 'xrefer.py'
+VM-Uninstall-IDA-Plugin -pluginName $pluginName
diff --git a/packages/internet_detector.vm/internet_detector.vm.nuspec b/packages/internet_detector.vm/internet_detector.vm.nuspec
@@ -2,13 +2,13 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>internet_detector.vm</id>
-    <version>1.0.0.20241112</version>
+    <version>1.0.0.20241217</version>
     <authors>Elliot Chernofsky and Ana Martinez Gomez</authors>
     <description>Tool that changes the background and a taskbar icon if it detects internet connectivity</description>
     <dependencies>
       <dependency id="common.vm" version="0.0.0.20241029" />
       <dependency id="libraries.python3.vm" version="0.0.0.20240726" />
-      <dependency id="fakenet-ng.vm" version="3.2.0.20240902" />
+      <dependency id="fakenet-ng.vm" version="3.3" />
     </dependencies>
   </metadata>
 </package>
diff --git a/packages/internet_detector.vm/tools/chocolateyinstall.ps1 b/packages/internet_detector.vm/tools/chocolateyinstall.ps1
@@ -21,10 +21,9 @@ Start-Process -FilePath 'cmd.exe' -WorkingDirectory $toolDir -ArgumentList "/c p
 $imagesPath = Join-Path $packageToolDir "images"
 Copy-Item "$imagesPath\*" ${Env:VM_COMMON_DIR} -Force
 
-VM-Install-Shortcut -toolName $toolName -category $category -executablePath "$toolDir/$toolName.exe"
+VM-Install-Shortcut -toolName $toolName -category $category -executablePath "$toolDir\$toolName.exe"
 
-# TODO - Uncomment when FakeNet BlackList for DNS is fixed/addressed. https://github.com/mandiant/flare-fakenet-ng/issues/190
-# # Create scheduled task for tool to run every 2 minutes.
-# $action = New-ScheduledTaskAction -Execute $rawToolPath
-# $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 2)
-# Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'Internet Detector' -Force
+# Create scheduled task for tool to run every 2 minutes.
+$action = New-ScheduledTaskAction -Execute "$toolDir\$toolName.exe"
+$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1)
+Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'Internet Detector' -Force