Tuesday, September 6, 2011

Muxing System.Diagnostics.Process with System.Security.AccessControl

# Three functions that emit the file path, Owner, Access and SDDL of the
# image file behind every process listed by ps (Get-Process) - i.e. the
# on-disk binary's DACL, not the process object's security descriptor
# All rights reserved Ryan M. Ferris @ RMF Network Security
# Version r5:21 PM 9/6/2011

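function Get-PSACL
{
    # Owner / DACL (AccessToString) / SDDL of the image file of every running
    # process, keyed by the image's leaf name (PSChildName).
    #
    # Get-Acl binds -Path from each Process object's Path property. Processes
    # this session cannot open (SYSTEM/protected processes when not elevated)
    # have no Path, and unreadable images make Get-Acl error out. The original
    # `-ea 0` hid all of that, so the audit silently omitted exactly the
    # processes worth looking at. Errors are still suppressed so the listing
    # is not interrupted, but they are collected and summarised as a warning.
    $aclErrors = @()
    Get-Process |
        Get-Acl -ErrorAction SilentlyContinue -ErrorVariable +aclErrors |
        Select-Object PSChildName, Owner, AccessToString, Sddl
    if ($aclErrors.Count -gt 0)
    {
        Write-Warning ("Get-PSACL: {0} process(es) not audited - image path missing or not readable (run elevated to cover them)." -f $aclErrors.Count)
    }
}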

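function Get-PEX
{
    # Same report as Get-PSACL, but (a) the raw Process list and ACL list are
    # kept in $global:ps_list / $global:acl_list for later inspection - the
    # globals are part of this function's contract and are kept on purpose -
    # and (b) the image is reported as a FileInfo (FilePath) rather than the
    # bare leaf name.
    [array]$global:ps_list = Get-Process

    # Processes without a readable image (no Path, or access denied) yield a
    # Get-Acl error; keep going but count them so the gap is visible.
    $aclErrors = @()
    [array]$global:acl_list = $global:ps_list |
        Get-Acl -ErrorAction SilentlyContinue -ErrorVariable +aclErrors
    if ($aclErrors.Count -gt 0)
    {
        Write-Warning ("Get-PEX: {0} process(es) not audited - image path missing or not readable (run elevated to cover them)." -f $aclErrors.Count)
    }

    $global:acl_list |
        Select-Object @{Name = 'FilePath'; Expression = {
                # -LiteralPath: an image path containing [ or ] would be
                # treated as a wildcard by the original `ls $_.PsPath` and
                # leave FilePath empty.
                Get-Item -LiteralPath $_.PSPath
            }},
            Owner, AccessToString, Sddl
}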

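function Get-PIDACL
{
    # One row per process: Name, Id, then Owner / Access (AccessToString) /
    # SDDL of its image file.
    #
    # The original called Get-Acl three times per process (once per calculated
    # column) and passed a null path for processes whose image is not visible,
    # which printed three binding errors per such process. The ACL is now read
    # once; if it cannot be read the three columns stay empty, the row is still
    # emitted, and the number of such processes is reported once at the end -
    # an incomplete audit should be visible, not silent.
    $skipped = 0
    foreach ($proc in Get-Process)
    {
        $acl = $null
        if ($proc.Path)
        {
            # -Path rather than -LiteralPath keeps PowerShell 2.0 compatibility
            # (as the rest of this script does); a path containing [ or ] is
            # therefore treated as a wildcard and may come back empty.
            $acl = Get-Acl -Path $proc.Path -ErrorAction SilentlyContinue
        }
        if (-not $acl) { $skipped++ }

        # The calculated columns read $acl from this scope at evaluation time.
        $proc | Select-Object Name, Id,
            @{Label = 'Owner';  Expression = { if ($acl) { $acl.Owner } }},
            @{Label = 'Access'; Expression = { if ($acl) { $acl.AccessToString } }},
            @{Label = 'SDDL';   Expression = { if ($acl) { $acl.Sddl } }}
    }
    if ($skipped -gt 0)
    {
        Write-Warning ("Get-PIDACL: {0} process(es) listed without ACL - image path missing or not readable (run elevated to cover them)." -f $skipped)
    }
}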

# Run the three reports, in order, whenever this script is executed or
# dot-sourced. Get-PEX also leaves $global:ps_list / $global:acl_list behind.
foreach ($report in 'Get-PSACL', 'Get-PEX', 'Get-PIDACL')
{
    & $report
}



Two other functions as well - FindSDDL dumps the security descriptor of every item in the current directory, RecurseSDDL does the same for the whole tree beneath it:
function FindSDDL
{
    # One row per entry of the current directory: the entry's leaf name
    # (labelled "Path" - it is only the name, not a full path), its type name
    # (FileInfo / DirectoryInfo), then Owner, the raw Access rule collection
    # and the SDDL string of its security descriptor.
    #
    # GetAccessControl() is called as a .NET instance method. If the
    # descriptor cannot be read the call errors, that entry produces no row,
    # and the loop carries on with the next entry.
    # NOTE(review): on PowerShell 7 / .NET Core GetAccessControl() is an
    # extension method and may not be callable like this; Get-Acl is the
    # cmdlet equivalent - confirm on the PowerShell version in use.
    foreach ($entry in Get-ChildItem)
    {
        $entry.GetAccessControl() |
            Select-Object -Property @{Name = 'Path'; Expression = { $entry.Name }},
                                    @{Name = 'Type'; Expression = { $entry.GetType().Name }},
                                    Owner,
                                    Access,
                                    SDDL
    }
}
 
function RecurseSDDL
{
    # Like FindSDDL but for every item beneath the current directory: Name,
    # the parent container (PSParentPath, labelled "Path"), the item type
    # name, then Owner, the raw Access rule collection and the SDDL string.
    #
    # The whole tree is enumerated before the first descriptor is read; an
    # item whose descriptor cannot be read errors and is omitted, the loop
    # continues.
    # NOTE(review): whether -Recurse descends into junctions / symbolic links
    # depends on the PowerShell version - confirm before running this on a
    # tree that contains reparse points.
    foreach ($entry in Get-ChildItem -Recurse)
    {
        $entry.GetAccessControl() |
            Select-Object -Property @{Name = 'Name'; Expression = { $entry.Name }},
                                    @{Name = 'Path'; Expression = { $entry.PSParentPath }},
                                    @{Name = 'Type'; Expression = { $entry.GetType().Name }},
                                    Owner,
                                    Access,
                                    SDDL
    }
}
(or, perhaps better, the same two functions without the redundant inner ForEach-Object pipelines, and with the security-descriptor columns first):
function FindSDDL
{
    # Security descriptor (Owner, raw Access rules, SDDL) of every entry in
    # the current directory, plus the entry's leaf name (labelled "Path") and
    # its type name (FileInfo / DirectoryInfo).
    #
    # The column list is built once; the two calculated columns read $item at
    # evaluation time, i.e. the entry the loop is currently on.
    $columns = 'Owner', 'Access', 'SDDL',
        @{Name = 'Path'; Expression = { $item.Name }},
        @{Name = 'Type'; Expression = { $item.GetType().Name }}

    # An entry whose descriptor cannot be read errors and yields no row; the
    # loop moves on to the next entry.
    foreach ($item in Get-ChildItem)
    {
        $item.GetAccessControl() | Select-Object -Property $columns
    }
}

function RecurseSDDL
{
    # Security descriptor (Owner, raw Access rules, SDDL) of every item below
    # the current directory, plus its Name, parent container (PSParentPath,
    # labelled "Path") and type name.
    #
    # The tree is materialised up front (as in the original), so nothing is
    # printed until enumeration has finished; items whose descriptor cannot be
    # read error and are skipped.
    # NOTE(review): whether -Recurse follows junctions / symbolic links
    # depends on the PowerShell version - confirm before using this on a tree
    # with reparse points.
    $tree = Get-ChildItem -Recurse
    foreach ($node in $tree)
    {
        $node.GetAccessControl() |
            Select-Object -Property Owner, Access, SDDL,
                @{Label = 'Name'; Expression = { $node.Name }},
                @{Label = 'Path'; Expression = { $node.PSParentPath }},
                @{Label = 'Type'; Expression = { $node.GetType().Name }}
    }
}

