{"id":8583,"date":"2017-08-04T11:10:29","date_gmt":"2017-08-04T19:10:29","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/04\/news-2356\/"},"modified":"2017-08-04T11:10:29","modified_gmt":"2017-08-04T19:10:29","slug":"news-2356","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/08\/04\/news-2356\/","title":{"rendered":"Learning PowerShell: basic programs"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Fri, 04 Aug 2017 18:00:35 +0000<\/strong><\/p>\n

In the previous posts we have looked at some elementary PowerShell concepts<\/a> and we have constructed some basic commands to export and compare data<\/a>.<\/p>\n

We did this by using an example of certificates being dumped in the \u201cUntrusted\u201d category by some malware. This time we will try to write a program that can undo these changes.<\/p>\n

Remember when running PowerShell scripts, unlike single commands, that you will have to remove any execution restrictions that are in place. This command will allow everything for the current session:<\/p>\n

Set-ExecutionPolicy Unrestricted<\/code><\/p>\n

Objectives<\/h2>\n

One of the basic skills in each scripting language is text manipulation. I will need a few of those manipulations, before I\u2019m able to use the html export we created last time, as a source for the list of registry keys that I need to remove. But we know they are all present in that export, so let\u2019s get to it.<\/p>\n

To read how we created the comparison.html file have a look at the previous post in this mini-series<\/a>. First we need to get rid of some unnecessary text that was added during the process of making tables and converting to HTML.<\/p>\n

\"html<\/p>\n

One of the lines we want to get rid off is the header. We could take the easy route and simply delete it, but I want to build in some extra safety, so I will try to remove all the lines that do NOT contain @{Thumbprint= <\/strong>since those are the entries we are interested in anyways.<\/p>\n

So how do we do that?<\/p>\n

Get-Content c:userspublicdesktopcomparison.html | Select-String -pattern \"@{Thumbprint=\" | Out-File C:certainceficates1.txt<\/code><\/p>\n

That command filters out all the lines that do not contain the @{Thumbprint= <\/strong>string and brings the html back to a text file, because txt files are a bit easier to work with.<\/p>\n

Now we will need a step to get rid of the table make-up.<\/p>\n

\"table<\/a><\/p>\n

click to enlarge<\/p>\n<\/div>\n

(Get-Content C:certainceficates1.txt) -replace \"<.*?>\",\"\" | Out-File C:certainceficates2.txt<\/code><\/p>\n

This one looks a bit more complicated because of the regular expression<\/a>. Regular expressions (regex) are worthy of a topic all by themselves, because of their complexity and usefulness. Maybe another day. This one looks for a \u201c<\u201d and deletes that and everything up to and including the closing \u201c>\u201d.\u00a0 That got rid of all the <tr>, <td>, <\/td>, and <\/tr> bits that were previously needed for the table. The Get-Content<\/em> call needs to be in parentheses or PowerShell would regard \u2013 replace<\/em> as an argument for that call and throw an error, as -replace<\/em> is not defined as an argument for that cmdlet.<\/p>\n

Now, just for good measure I want to delete all the SideIndicator<\/strong> arrows as well. Note that in the text file they look like this: =&gt; <\/strong>where \u201c&gt;\u201d is the html code for \u201c>\u201d.<\/p>\n

(Get-Content C:certaincertificates2.txt) -replace \"=&gt;\",\"\" | Out-File C:certaincertificates3.txt<\/code><\/p>\n

Now that we have cleaned up the file we can use the next loop to delete the registry keys. And with those keys we effectively delete the certificates.

$List = Get-Content certificates.txt
foreach ($Line in $List) {
$First, $Second, $Third = $Line -split ';'
$Thumbprint= $First -replace(\"@{Thumbprint=\",\"HKLM:SOFTWAREMicrosoftSystemCertificatesDisallowedCertificates\")
If ($Thumbprint.length -eq 108) {
$path = $Thumbprint
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (\"Everyone\",\"FullControl\",\"Allow\")
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path $path
Remove-Item \u2013Path $path
Write-Host ($path,\"removed\")
}
}
<\/code>
Explanation of what this loop does:<\/p>\n