Use SigCheck w/ Zimmerman Tools

mandiant · Dec 12, 2024 · 8a98353 · 8a98353
1 parent 5fe6f9d
commit 8a98353
Show file tree

Hide file tree

Showing 12 changed files with 227 additions and 24 deletions.
diff --git a/packages/evtxecmd.vm/evtxecmd.vm.nuspec b/packages/evtxecmd.vm/evtxecmd.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>evtxecmd.vm</id>
-    <version>1.5.0.20240826</version>
+    <version>1.5.0.20241211</version>
     <authors>Eric Zimmerman</authors>
     <description>Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!</description>
     <dependencies>

diff --git a/packages/evtxecmd.vm/tools/chocolateyinstall.ps1 b/packages/evtxecmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,43 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'EvtxECmd'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
 
-$zipUrl = 'https://download.mikestammer.com/net6/EvtxECmd.zip'
-$zipSha256 = 'e1b4a5f9b09eca3c057cdc2d0ed1a28fe0c24dc90f9f68b7e0572e373dce86a6'
+try {
+  # Download zip
+  $packageArgs      = @{
+    packageName     = $env:ChocolateyPackageName
+    file            = Join-Path ${Env:TEMP} $toolName
+    url             = 'https://download.mikestammer.com/net6/EvtxECmd.zip'
+  }
+  $filePath = Get-ChocolateyWebFile @packageArgs
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+  # Extract zip
+  Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+  VM-Assert-Path $toolDir
+
+  # Tool contains an inner folder
+  $dirList = Get-ChildItem (Join-Path ${Env:RAW_TOOLS_DIR} $toolName) -Directory
+  $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
+
+  # Check signature of all executable files individually
+  Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+    try {
+        # Check signature for each file
+        VM-Assert-Signature $_.FullName
+    } catch {
+        # Remove the file with invalid signature
+        Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+        Remove-Item $_.FullName -Force -ea 0 | Out-Null
+        VM-Write-Log-Exception $_
+    }
+  }
+
+  $executableName = "$toolName.exe"
+  $executablePath = Join-Path $toolDir $executableName -Resolve
+  VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+  Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+  VM-Write-Log-Exception $_
+}
diff --git a/packages/pecmd.vm/pecmd.vm.nuspec b/packages/pecmd.vm/pecmd.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>pecmd.vm</id>
-    <version>1.5.0.20240826</version>
+    <version>1.5.0.20241211</version>
     <authors>Eric Zimmerman</authors>
     <description>Prefetch parser</description>
     <dependencies>

diff --git a/packages/pecmd.vm/tools/chocolateyinstall.ps1 b/packages/pecmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,40 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'PECmd'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
 
-$zipUrl = 'https://download.mikestammer.com/net6/PECmd.zip'
-$zipSha256 = 'e20254b2f813e66fe5295488e5a00e9675679c91841f99ddcc8d083299bb55d6'
+try {
+  # Download zip
+  $packageArgs      = @{
+    packageName     = $env:ChocolateyPackageName
+    file            = Join-Path ${Env:TEMP} $toolName
+    url             = 'https://download.mikestammer.com/net6/PECmd.zip'
+  }
+  $filePath = Get-ChocolateyWebFile @packageArgs
+
+  # Extract zip
+  Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+  VM-Assert-Path $toolDir
+
+  # Check signature of all executable files individually
+  Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+    try {
+        # Check signature for each file
+        VM-Assert-Signature $_.FullName
+    } catch {
+        # Remove the file with invalid signature
+        Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+        Remove-Item $_.FullName -Force -ea 0 | Out-Null
+        VM-Write-Log-Exception $_
+    }
+  }
+
+  $executableName = "$toolName.exe"
+  $executablePath = Join-Path $toolDir $executableName -Resolve
+  VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+  Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+  VM-Write-Log-Exception $_
+}
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/recmd.vm/recmd.vm.nuspec b/packages/recmd.vm/recmd.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>recmd.vm</id>
-    <version>2.0.0.20240908</version>
+    <version>2.0.0.20241211</version>
     <authors>Eric Zimmerman</authors>
     <description>Powerful command line Registry tool searching, multi-hive support, plugins, and more</description>
     <dependencies>

diff --git a/packages/recmd.vm/tools/chocolateyinstall.ps1 b/packages/recmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,43 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'RECmd'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
 
-$zipUrl = 'https://download.mikestammer.com/net6/RECmd.zip'
-$zipSha256 = '90a1c5be877c3a50294a134b81fe26755980a70e6b9d914e444b43c1e205b0f3'
+try {
+  # Download zip
+  $packageArgs      = @{
+    packageName     = $env:ChocolateyPackageName
+    file            = Join-Path ${Env:TEMP} $toolName
+    url             = 'https://download.mikestammer.com/net6/RECmd.zip'
+  }
+  $filePath = Get-ChocolateyWebFile @packageArgs
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+  # Extract zip
+  Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+  VM-Assert-Path $toolDir
+
+  # Tool contains an inner folder
+  $dirList = Get-ChildItem (Join-Path ${Env:RAW_TOOLS_DIR} $toolName) -Directory
+  $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
+
+  # Check signature of all executable files individually
+  Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+    try {
+        # Check signature for each file
+        VM-Assert-Signature $_.FullName
+    } catch {
+        # Remove the file with invalid signature
+        Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+        Remove-Item $_.FullName -Force -ea 0 | Out-Null
+        VM-Write-Log-Exception $_
+    }
+  }
+
+  $executableName = "$toolName.exe"
+  $executablePath = Join-Path $toolDir $executableName -Resolve
+  VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+  Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+  VM-Write-Log-Exception $_
+}
diff --git a/packages/registry_explorer.vm/registry_explorer.vm.nuspec b/packages/registry_explorer.vm/registry_explorer.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>registry_explorer.vm</id>
-    <version>2.0.0.20240826</version>
+    <version>2.0.0.20241211</version>
     <authors>Eric Zimmerman</authors>
     <description>Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files</description>
     <dependencies>

diff --git a/packages/registry_explorer.vm/tools/chocolateyinstall.ps1 b/packages/registry_explorer.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,43 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'RegistryExplorer'
 $category = 'Registry'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
 
-$zipUrl = 'https://download.mikestammer.com/net6/RegistryExplorer.zip'
-$zipSha256 = '50a11bd0a5e44dcea6469b8564eb3f010b9a8faf323ff6481222d391da26887e'
+try {
+  # Download zip
+  $packageArgs      = @{
+    packageName     = $env:ChocolateyPackageName
+    file            = Join-Path ${Env:TEMP} $toolName
+    url             = 'https://download.mikestammer.com/net6/RegistryExplorer.zip'
+  }
+  $filePath = Get-ChocolateyWebFile @packageArgs
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
+  # Extract zip
+  Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+  VM-Assert-Path $toolDir
+
+  # Tool contains an inner folder
+  $dirList = Get-ChildItem (Join-Path ${Env:RAW_TOOLS_DIR} $toolName) -Directory
+  $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
+
+  # Check signature of all executable files individually
+  Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+    try {
+        # Check signature for each file
+        VM-Assert-Signature $_.FullName
+    } catch {
+        # Remove the file with invalid signature
+        Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+        Remove-Item $_.FullName -Force -ea 0 | Out-Null
+        VM-Write-Log-Exception $_
+    }
+  }
+
+  $executableName = "$toolName.exe"
+  $executablePath = Join-Path $toolDir $executableName -Resolve
+  VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+  Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+  VM-Write-Log-Exception $_
+}
diff --git a/packages/rla.vm/rla.vm.nuspec b/packages/rla.vm/rla.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>rla.vm</id>
-    <version>2.0.0.20240908</version>
+    <version>2.0.0.20241211</version>
     <authors>Eric Zimmerman</authors>
     <description>Replay transaction logs and update Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs</description>
     <dependencies>

diff --git a/packages/rla.vm/tools/chocolateyinstall.ps1 b/packages/rla.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,39 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'RLA'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
 
-$zipUrl = 'https://download.mikestammer.com/net6/rla.zip'
-$zipSha256 = '1017f1d19d57665afd8fdfb13955a8280708931cb5cd75eca45ae28e23756b16'
+try {
+  # Download zip
+  $packageArgs      = @{
+    packageName     = $env:ChocolateyPackageName
+    file            = Join-Path ${Env:TEMP} $toolName
+    url             = 'https://download.mikestammer.com/net6/rla.zip'
+  }
+  $filePath = Get-ChocolateyWebFile @packageArgs
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
+  # Extract zip
+  Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+  VM-Assert-Path $toolDir
+
+  # Check signature of all executable files individually
+  Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+    try {
+        # Check signature for each file
+        VM-Assert-Signature $_.FullName
+    } catch {
+        # Remove the file with invalid signature
+        Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+        Remove-Item $_.FullName -Force -ea 0 | Out-Null
+        VM-Write-Log-Exception $_
+    }
+  }
+
+  $executableName = "$toolName.exe"
+  $executablePath = Join-Path $toolDir $executableName -Resolve
+  VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+  Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+  VM-Write-Log-Exception $_
+}
diff --git a/packages/sqlecmd.vm/sqlecmd.vm.nuspec b/packages/sqlecmd.vm/sqlecmd.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>sqlecmd.vm</id>
-    <version>1.0.0.20240826</version>
+    <version>1.0.0.20241211</version>
     <authors>Eric Zimmerman</authors>
     <description>Find and process SQLite files according to your needs with maps!</description>
     <dependencies>

diff --git a/packages/sqlecmd.vm/tools/chocolateyinstall.ps1 b/packages/sqlecmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,43 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'SQLECmd'
 $category = 'Forensic'
+$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName
 
-$zipUrl = 'https://download.mikestammer.com/net6/SQLECmd.zip'
-$zipSha256 = '40a23c2bd6855753e5f39a7cb944cd2e13aecb70ae2c5b3db840c959225454be'
+try {
+  # Download zip
+  $packageArgs      = @{
+    packageName     = $env:ChocolateyPackageName
+    file            = Join-Path ${Env:TEMP} $toolName
+    url             = 'https://download.mikestammer.com/net6/SQLECmd.zip'
+  }
+  $filePath = Get-ChocolateyWebFile @packageArgs
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+  # Extract zip
+  Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+  VM-Assert-Path $toolDir
+
+  # Tool contains an inner folder
+  $dirList = Get-ChildItem (Join-Path ${Env:RAW_TOOLS_DIR} $toolName) -Directory
+  $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
+
+  # Check signature of all executable files individually
+  Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+    try {
+        # Check signature for each file
+        VM-Assert-Signature $_.FullName
+    } catch {
+        # Remove the file with invalid signature
+        Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+        Remove-Item $_.FullName -Force -ea 0 | Out-Null
+        VM-Write-Log-Exception $_
+    }
+  }
+
+  $executableName = "$toolName.exe"
+  $executablePath = Join-Path $toolDir $executableName -Resolve
+  VM-Install-Shortcut -toolName $toolName -category $category -executablePath $executablePath -consoleApp $true
+  Install-BinFile -Name $toolName -Path $executablePath
+
+} catch {
+  VM-Write-Log-Exception $_
+}