diff --git a/packages/evtxecmd.vm/evtxecmd.vm.nuspec b/packages/evtxecmd.vm/evtxecmd.vm.nuspec
index 7ad2b6e0c..9c7d57267 100644
--- a/packages/evtxecmd.vm/evtxecmd.vm.nuspec
+++ b/packages/evtxecmd.vm/evtxecmd.vm.nuspec
@@ -2,7 +2,7 @@ evtxecmd.vm
- 1.5.0.20240826
+ 1.5.0.20241211
 Eric Zimmerman
 Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!
diff --git a/packages/evtxecmd.vm/tools/chocolateyinstall.ps1 b/packages/evtxecmd.vm/tools/chocolateyinstall.ps1
index 33ee10a1a..ac8098741 100644
--- a/packages/evtxecmd.vm/tools/chocolateyinstall.ps1
+++ b/packages/evtxecmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,43 @@ Import-Module vm.common -Force -DisableNameChecking
 $toolName = 'EvtxECmd'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
-$zipUrl = 'https://download.mikestammer.com/net6/EvtxECmd.zip'
-$zipSha256 = 'e1b4a5f9b09eca3c057cdc2d0ed1a28fe0c24dc90f9f68b7e0572e373dce86a6'
+try {
+ # Download zip
+ $packageArgs = @{
+ packageName = $env:ChocolateyPackageName
+ file = Join-Path ${Env:TEMP} $toolName
+ url = 'https://download.mikestammer.com/net6/EvtxECmd.zip'
+ }
+ $filePath = Get-ChocolateyWebFile @packageArgs
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+ # Extract zip
+ Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+ VM-Assert-Path $toolDir
+
+ # Tool contains an inner folder
+ $dirList = Get-ChildItem (Join-Path ${Env:RAW_TOOLS_DIR} $toolName) -Directory
+ $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
+
+ # Check signature of all executable files individually
+ Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+ try {
+ # Check signature for each file
+ VM-Assert-Signature $_.FullName
+ } catch {
+ # Remove the file with invalid signature
+ Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+ Remove-Item $_.FullName -Force -ea 0 | Out-Null
+ VM-Write-Log-Exception $_
+ }
+ }
+
+ $executableName = "$toolName.exe"
+ $executablePath = Join-Path $toolDir $executableName -Resolve
+ VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+ Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+ VM-Write-Log-Exception $_
+}
diff --git a/packages/pecmd.vm/pecmd.vm.nuspec b/packages/pecmd.vm/pecmd.vm.nuspec
index 68585f1b3..25d27657a 100644
--- a/packages/pecmd.vm/pecmd.vm.nuspec
+++ b/packages/pecmd.vm/pecmd.vm.nuspec
@@ -2,7 +2,7 @@ pecmd.vm
- 1.5.0.20240826
+ 1.5.0.20241211
 Eric Zimmerman
 Prefetch parser
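Review bot: Inside the per-file `catch` block, `$_` is the current ErrorRecord rather than the file object piped in by ForEach-Object, so `$($_.FullName)` in the warning expands to nothing and `Remove-Item $_.FullName -Force -ea 0` is called with a null path; the executable that failed VM-Assert-Signature is therefore not removed, and the binding error is either swallowed or, if it propagates, ends the remaining checks through the outer catch. Capture the item before the try — `$exe = $_` as the first statement of the ForEach-Object block — and use `$exe.FullName` in the Write-Warning and Remove-Item lines; `VM-Write-Log-Exception $_` is correct as written. The same catch block appears in the pecmd, recmd, registry_explorer, rla and sqlecmd hunks. Separately, the removed `$zipSha256` pin is not carried over: `$packageArgs` has no `checksum`/`checksumType` entries, so Get-ChocolateyWebFile accepts whatever the server returns and download integrity now rests only on the per-.exe Authenticode check, which covers neither the non-executable content of the archive nor anything outside the top-level `*.exe` glob. Adding `checksum = '<SHA256_OF_ZIP>'` and `checksumType = 'sha256'` to the hashtable restores the pin in all six install scripts.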
diff --git a/packages/pecmd.vm/tools/chocolateyinstall.ps1 b/packages/pecmd.vm/tools/chocolateyinstall.ps1
index ec96e6a27..f8a1e3916 100644
--- a/packages/pecmd.vm/tools/chocolateyinstall.ps1
+++ b/packages/pecmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,40 @@ Import-Module vm.common -Force -DisableNameChecking
 $toolName = 'PECmd'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
-$zipUrl = 'https://download.mikestammer.com/net6/PECmd.zip'
-$zipSha256 = 'e20254b2f813e66fe5295488e5a00e9675679c91841f99ddcc8d083299bb55d6'
+try {
+ # Download zip
+ $packageArgs = @{
+ packageName = $env:ChocolateyPackageName
+ file = Join-Path ${Env:TEMP} $toolName
+ url = 'https://download.mikestammer.com/net6/PECmd.zip'
+ }
+ $filePath = Get-ChocolateyWebFile @packageArgs
+
+ # Extract zip
+ Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+ VM-Assert-Path $toolDir
+
+ # Check signature of all executable files individually
+ Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+ try {
+ # Check signature for each file
+ VM-Assert-Signature $_.FullName
+ } catch {
+ # Remove the file with invalid signature
+ Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+ Remove-Item $_.FullName -Force -ea 0 | Out-Null
+ VM-Write-Log-Exception $_
+ }
+ }
+
+ $executableName = "$toolName.exe"
+ $executablePath = Join-Path $toolDir $executableName -Resolve
+ VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+ Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+ VM-Write-Log-Exception $_
+}
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/recmd.vm/recmd.vm.nuspec b/packages/recmd.vm/recmd.vm.nuspec
index bcbd5f63f..23fd2357d 100644
--- a/packages/recmd.vm/recmd.vm.nuspec
+++ b/packages/recmd.vm/recmd.vm.nuspec
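Review bot: A signature failure on `PECmd.exe` itself is not terminal: once the loop has removed it, execution continues to `Join-Path $toolDir $executableName -Resolve`, which throws, and the outer `catch` only calls `VM-Write-Log-Exception $_`, so unless that helper rethrows the package finishes with no shortcut and no bin shim but without a failing status. Consider rethrowing after logging, `} catch { VM-Write-Log-Exception $_; throw }`, or testing for the expected executable after the signature loop and throwing when it is absent. `Remove-Item $_.FullName -Force -ea 0 | Out-Null` also discards a failed deletion, so a file that could not be removed stays in place unnoticed, and the `| Out-Null` does nothing because Remove-Item emits no output. The same structure is in the evtxecmd, recmd, registry_explorer, rla and sqlecmd hunks.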
@@ -2,7 +2,7 @@ recmd.vm
- 2.0.0.20240908
+ 2.0.0.20241211
 Eric Zimmerman
 Powerful command line Registry tool searching, multi-hive support, plugins, and more
diff --git a/packages/recmd.vm/tools/chocolateyinstall.ps1 b/packages/recmd.vm/tools/chocolateyinstall.ps1
index 360331ede..7d773ef06 100644
--- a/packages/recmd.vm/tools/chocolateyinstall.ps1
+++ b/packages/recmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,43 @@ Import-Module vm.common -Force -DisableNameChecking
 $toolName = 'RECmd'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
-$zipUrl = 'https://download.mikestammer.com/net6/RECmd.zip'
-$zipSha256 = '90a1c5be877c3a50294a134b81fe26755980a70e6b9d914e444b43c1e205b0f3'
+try {
+ # Download zip
+ $packageArgs = @{
+ packageName = $env:ChocolateyPackageName
+ file = Join-Path ${Env:TEMP} $toolName
+ url = 'https://download.mikestammer.com/net6/RECmd.zip'
+ }
+ $filePath = Get-ChocolateyWebFile @packageArgs
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+ # Extract zip
+ Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+ VM-Assert-Path $toolDir
+
+ # Tool contains an inner folder
+ $dirList = Get-ChildItem (Join-Path ${Env:RAW_TOOLS_DIR} $toolName) -Directory
+ $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
+
+ # Check signature of all executable files individually
+ Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+ try {
+ # Check signature for each file
+ VM-Assert-Signature $_.FullName
+ } catch {
+ # Remove the file with invalid signature
+ Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+ Remove-Item $_.FullName -Force -ea 0 | Out-Null
+ VM-Write-Log-Exception $_
+ }
+ }
+
+ $executableName = "$toolName.exe"
+ $executablePath = Join-Path $toolDir $executableName -Resolve
+ VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+ Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+ VM-Write-Log-Exception $_
+}
diff --git a/packages/registry_explorer.vm/registry_explorer.vm.nuspec b/packages/registry_explorer.vm/registry_explorer.vm.nuspec
index e3940b40e..ad43e482d 100644
--- a/packages/registry_explorer.vm/registry_explorer.vm.nuspec
+++ b/packages/registry_explorer.vm/registry_explorer.vm.nuspec
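Review bot: `$dirList[0].Name` takes the first directory Get-ChildItem returns without checking that exactly one exists; if the archive ever unpacks with extra or no top-level folders this resolves to the wrong path or indexes a null, and the problem only surfaces through the outer catch. A guard such as `if ($dirList.Count -ne 1) { throw "Expected one inner folder in $toolDir, found $($dirList.Count)" }` before the `Join-Path ... -Resolve` makes the assumption explicit. The argument `(Join-Path ${Env:RAW_TOOLS_DIR} $toolName)` is the value assigned to `$toolDir` three lines earlier, and reusing `$toolDir` keeps the two from drifting apart. The evtxecmd, registry_explorer and sqlecmd hunks carry the same lines.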
@@ -2,7 +2,7 @@ registry_explorer.vm
- 2.0.0.20240826
+ 2.0.0.20241211
 Eric Zimmerman
 Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files
diff --git a/packages/registry_explorer.vm/tools/chocolateyinstall.ps1 b/packages/registry_explorer.vm/tools/chocolateyinstall.ps1
index e0df31e44..ee271d56e 100644
--- a/packages/registry_explorer.vm/tools/chocolateyinstall.ps1
+++ b/packages/registry_explorer.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,43 @@ Import-Module vm.common -Force -DisableNameChecking
 $toolName = 'RegistryExplorer'
 $category = 'Registry'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
-$zipUrl = 'https://download.mikestammer.com/net6/RegistryExplorer.zip'
-$zipSha256 = '50a11bd0a5e44dcea6469b8564eb3f010b9a8faf323ff6481222d391da26887e'
+try {
+ # Download zip
+ $packageArgs = @{
+ packageName = $env:ChocolateyPackageName
+ file = Join-Path ${Env:TEMP} $toolName
+ url = 'https://download.mikestammer.com/net6/RegistryExplorer.zip'
+ }
+ $filePath = Get-ChocolateyWebFile @packageArgs
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
+ # Extract zip
+ Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+ VM-Assert-Path $toolDir
+
+ # Tool contains an inner folder
+ $dirList = Get-ChildItem (Join-Path ${Env:RAW_TOOLS_DIR} $toolName) -Directory
+ $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
+
+ # Check signature of all executable files individually
+ Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+ try {
+ # Check signature for each file
+ VM-Assert-Signature $_.FullName
+ } catch {
+ # Remove the file with invalid signature
+ Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+ Remove-Item $_.FullName -Force -ea 0 | Out-Null
+ VM-Write-Log-Exception $_
+ }
+ }
+
+ $executableName = "$toolName.exe"
+ $executablePath = Join-Path $toolDir $executableName -Resolve
+ VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+ Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+ VM-Write-Log-Exception $_
+}
diff --git a/packages/rla.vm/rla.vm.nuspec b/packages/rla.vm/rla.vm.nuspec
index 3b0fafb6a..ea3a85ef8 100644
--- a/packages/rla.vm/rla.vm.nuspec
+++ b/packages/rla.vm/rla.vm.nuspec
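Review bot: The removed line installed RegistryExplorer with `-consoleApp $false`, but the new `VM-Install-Shortcut` call passes `-consoleApp $true`, so this GUI tool is now registered as a console application; the `$true` looks copied from the command-line tool scripts in the same commit. Change the line to `VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $false`. `Install-BinFile -Name $toolName -Path $executablePath` also creates a shim in the Chocolatey bin directory, which the old `VM-Install-From-Zip ... -consoleApp $false` path may not have done for a GUI tool; worth confirming that is intended.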
@@ -2,7 +2,7 @@ rla.vm
- 2.0.0.20240908
+ 2.0.0.20241211
 Eric Zimmerman
 Replay transaction logs and update Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs
diff --git a/packages/rla.vm/tools/chocolateyinstall.ps1 b/packages/rla.vm/tools/chocolateyinstall.ps1
index 120202bef..edca3100a 100644
--- a/packages/rla.vm/tools/chocolateyinstall.ps1
+++ b/packages/rla.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,39 @@ Import-Module vm.common -Force -DisableNameChecking
 $toolName = 'RLA'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
-$zipUrl = 'https://download.mikestammer.com/net6/rla.zip'
-$zipSha256 = '1017f1d19d57665afd8fdfb13955a8280708931cb5cd75eca45ae28e23756b16'
+try {
+ # Download zip
+ $packageArgs = @{
+ packageName = $env:ChocolateyPackageName
+ file = Join-Path ${Env:TEMP} $toolName
+ url = 'https://download.mikestammer.com/net6/rla.zip'
+ }
+ $filePath = Get-ChocolateyWebFile @packageArgs
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
+ # Extract zip
+ Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+ VM-Assert-Path $toolDir
+
+ # Check signature of all executable files individually
+ Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+ try {
+ # Check signature for each file
+ VM-Assert-Signature $_.FullName
+ } catch {
+ # Remove the file with invalid signature
+ Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+ Remove-Item $_.FullName -Force -ea 0 | Out-Null
+ VM-Write-Log-Exception $_
+ }
+ }
+
+ $executableName = "$toolName.exe"
+ $executablePath = Join-Path $toolDir $executableName -Resolve
+ VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+ Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+ VM-Write-Log-Exception $_
+}
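Review bot: `Get-ChildItem -Path "$toolDir\*.exe"` enumerates only top-level `.exe` files, so any `.dll` or binaries in subfolders that the archive may contain are never handed to VM-Assert-Signature and would be loaded by the verified executable unverified. If the accompanying assemblies are signed, `Get-ChildItem -Path $toolDir -Recurse -Include '*.exe','*.dll'` widens the check; if they are not, a comment above the loop stating that only the entry-point executables are verified would document the limitation. The same glob is used in the evtxecmd, pecmd, recmd, registry_explorer and sqlecmd hunks.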
diff --git a/packages/sqlecmd.vm/sqlecmd.vm.nuspec b/packages/sqlecmd.vm/sqlecmd.vm.nuspec
index 1389fbf7c..8f97ed210 100644
--- a/packages/sqlecmd.vm/sqlecmd.vm.nuspec
+++ b/packages/sqlecmd.vm/sqlecmd.vm.nuspec
@@ -2,7 +2,7 @@ sqlecmd.vm
- 1.0.0.20240826
+ 1.0.0.20241211
 Eric Zimmerman
 Find and process SQLite files according to your needs with maps!
diff --git a/packages/sqlecmd.vm/tools/chocolateyinstall.ps1 b/packages/sqlecmd.vm/tools/chocolateyinstall.ps1
index 4d21c2c09..f59691928 100644
--- a/packages/sqlecmd.vm/tools/chocolateyinstall.ps1
+++ b/packages/sqlecmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,43 @@ Import-Module vm.common -Force -DisableNameChecking
 $toolName = 'SQLECmd'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
-$zipUrl = 'https://download.mikestammer.com/net6/SQLECmd.zip'
-$zipSha256 = '40a23c2bd6855753e5f39a7cb944cd2e13aecb70ae2c5b3db840c959225454be'
+try {
+ # Download zip
+ $packageArgs = @{
+ packageName = $env:ChocolateyPackageName
+ file = Join-Path ${Env:TEMP} $toolName
+ url = 'https://download.mikestammer.com/net6/SQLECmd.zip'
+ }
+ $filePath = Get-ChocolateyWebFile @packageArgs
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+ # Extract zip
+ Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+ VM-Assert-Path $toolDir
+
+ # Tool contains an inner folder
+ $dirList = Get-ChildItem (Join-Path ${Env:RAW_TOOLS_DIR} $toolName) -Directory
+ $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
+
+ # Check signature of all executable files individually
+ Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+ try {
+ # Check signature for each file
+ VM-Assert-Signature $_.FullName
+ } catch {
+ # Remove the file with invalid signature
+ Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+ Remove-Item $_.FullName -Force -ea 0 | Out-Null
+ VM-Write-Log-Exception $_
+ }
+ }
+
+ $executableName = "$toolName.exe"
+ $executablePath = Join-Path $toolDir $executableName -Resolve
+ VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+ Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+ VM-Write-Log-Exception $_
+}
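Review bot: The archive is downloaded to `Join-Path ${Env:TEMP} $toolName`, a path with no `.zip` extension that is never deleted after `Get-ChocolateyUnzip`, so each install leaves the full download in %TEMP% unless Chocolatey's own cleanup removes it. A `Remove-Item $filePath -Force -ErrorAction SilentlyContinue` after `VM-Assert-Path $toolDir` keeps the working directory clean, and naming the file `"$toolName.zip"` makes a leftover recognisable if it is kept. The same download block is in the other five chocolateyinstall.ps1 hunks.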