I'm working on a project where we are remotely deploying software using a configuration management, part of which delivers PowerShell scripts to Windows servers, which are then executed in order to perform parts of our setup and/or configuration.
The current deployment method writes the scripts to disk, but doesn't close the file handle. This was done to make the script more "secure" by preventing any other process from tampering with the file prior to it being executed. In order to run the script, PowerShell must read it from stdin, since it doesn't run a script if it cannot get exclusive access. The invocation looks something like this:
powershell.exe -Command - < C:\temp\some_name.ps1
This has a number of drawbacks, primarily that I can't pass parameters to the script. Additionally, reading large scripts from stdin gets funky with bad characters, line returns, etc.
I'd like to invoke the scripts in a more traditional method, e.g.
powershell.exe -File C:\temp\some_name.ps1 -Param value ...
but also keep in the spirit of making sure nothing can tamper with the script prior to it being executed. To that end I want to sign the powershell script and run powershell with the "AllSigned" execution policy.
The issue lies is that I can't really sign the script on the target server, as it has the same issue as PowerShell running the script...I have to release the exclusive lock to let PowerShell sign the file, but it could get tampered with.
I then decided that if I could sign the script on the server that is delivering it to the target machine that would work much better. However, our configuration management software servers are all Linux, and I have been stumped trying to find some way of signing PowerShell scripts on Linux. Mono has support for Authenticode, but out of the box it's only for exes and dlls. I've tried digging into the PowerShell .Net functions but found they use Cryptui.dll, which is Windows-specific.
At this point I'm grasping for anyway I can get the signature added to the scripts, or else I'll have to fallback to some other way of running the scripts that isn't really native. If possible I'd like to be able to compute the signature in-memory on a string representation of the script, but I'll take a file-based method if that is all I can get.
Not sure if this will work for you, but any time I am getting signature errors, I just add this to the bottom of the script:
# SIG # Begin signature block
# SIG # End signature block
I know it looks benign, but this works for me.
What about compiling your script to .exe ?
ps2exe, or even some builtin .net calls can do that for you.
Related
Windows 10 has a new sandbox which is based on a very small and fast Hyper-V VM. With every start of the sandbox you get a "fresh" Windows and on every sandbox termination, all changes are discarded.
My question is: Is it possible to define in which state the sandbox starts? E.g. is it possible to start the VM with pre-installed reversing tools or a script that is automatically run, as soon as the system is booted?
Use case: Due to it's fast start-up time and "throw away" characteristics, the Windows 10 sandbox would be a dream for automated malware analysis.
You can somehow change the behavior of the sandbox. For example run a script at start up or disable network. See here for a how to: https://medium.com/#maarten.goet/how-windows-1903-makes-malware-analysis-easier-introducing-windows-sandbox-3ec791c8367
In general, sandbox startup can be controlled by a startup configuration file:
Windows Sandbox supports simple configuration files, which provide a
minimal set of customization parameters for Sandbox. ... Windows Sandbox
configuration files are formatted as XML and are associated with
Sandbox via the .wsb file extension.
The specific ability to execute a script upon sandbox startup is documented here: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#logon-command
It says:
Logon command
Specifies a single command that will be invoked automatically after
the sandbox logs on. Apps in the sandbox are run under the container
user account. The container user account should be an administrator
account.
XML
<LogonCommand>
<Command>command to be invoked</Command>
</LogonCommand>
Command: A path to an executable or script inside the container that
will be executed after signing in.
Note
Although very simple commands will work (such as launching an
executable or script), more complicated scenarios involving multiple
steps should be placed into a script file. This script file may be
mapped into the container via a shared folder, and then executed via
the LogonCommand directive.
I want to open a website(say www.google.com) automatically whenever I am logon. This can be achieved through batch script and VBA macros but it can not be implemented on organisational level due to security concerns.
Is there any secure way to open a particular website using some piece of code.
Please let me know. Thanks in advance.
Regards,
Shrikant Salunke
There are lots of ways to do this, but I'm not sure exactly when you mean by "whenever I am logon".
Basically, if you want the most portable, multilingual way to open a web page with a program you are going to be passing a shell command that looks like this (following your example)
open https://www.google.com
This will open the specified URL (I think it must be a complete URL - including scheme) on the default browser.
Now the "when I am logon" part is what could make things complicated.
If by "when I am logon" you mean whenever you open your browser, then you don't even need to do this you can just reset your browser's homepage.
If you mean whenever you logon to your proxy, you just have to make sure that the first proxy request you send contains the correct request URI. In the case of google the correct URI would be google.com:443. The URI will have the format <hostname>:<portnumber>. The default HTTPS port number is 443. The default HTTP port number is 80.
If you mean whenever you logon to your system then you just need to execute the command open https://www.google.com within a login shell script. Login scripts are system dependent but you may refer to this post if you use a Unix-like or Posix compliant OS. If you use Windows I don't know how to help you but I'm sure there's a way to do it.
If you mean whenever you log into some program you wrote then things get really easy. You just have to make a call to that open command. Almost every language has a built in method for interacting with a shell. You just have to find that method in whatever platform you're using.
I honestly don't know if this will be helpful but good luck!
Edit
How to Run a Batch Shell Script Securely
What you need to do is run the script with a different trustlevel. Since you're using Batch you can do this by executing your script using the runas command (docs). This command allows you to adjust the trustlevel under which the script is executed without changing users. By changing the privileges of the executable, you can prevent it doing anything malicious. All it needs is enough "trust" to execute the open command.
If you need this fully automated throughout your organization, you can wrap your Batch file in a second Batch file that will call the runas command. This wrapper script will not run with reduced privileges but it also won't interact with the internet so you don't have to worry about it as much. You would be able to execute the wrapper script as a login script, and then everything should work.
Honestly I'm not a Windows person but I hope this helps!
I am trying find a problem with my program that is hooking into a game. This is
vc++. Basically I launch the program and then hook into it using SDL. When I run the code from VS2010, all works fine. But when I try to run from command prompt, my program can launch the game, but after that the game crashes immediately.
I was viewing windows event logs, and it appears that there is an access violation. 0xc000005
How can I log any further details about the program that crashes? I tried "procdump" but that is not useful as I cannot INDIRECTLY target the hooked game from console. Rather it can only target my application that hooks.
Anyway of getting detailed dumps is highly appreciated in this case.
Thanks!
You can perform postmortem debugging by using a combination of the WER registry keys/values to trap any dump that is produced. I’ve used this method to prevent the WER system from collecting the dump file (.dmp). I’ve also written about this in another similar post. To accomplish this, you will need to create a registry key under
Software\Microsoft\Windows\Windows Error Reporting
if one does not already exist. The key should be
LocalDumps\your application.exe
Once that’s done, modify these keys/values to meet your needs:
DumpCount, DumpFolder, DumpType
You’ll need Administrator rights to create and modify the keys, and, you should reset everything you’ve modified when you’re done debugging.
this is my first time on such a prestidigious site, so please welcome me by assisting me. I am doing independent development and am primarily a music designer. So that is why I may not sound like a real pro coder but nevertheless truly love creating my music through automative processes.
My present issue is this:
Windows 8.1 Pro
AutoHotkey 1.0.48.5 32bit (running as Admin)
Everytime I attempt to use the command 'RUN' with an .ahk target, I get the expected result except that the .ahk residing folder is opened by MS Explorer. I suspect that something like the fact that AutoHokey is an unsigned app, windows does not want it to run flawlessly. I am now trying a number of Administrative Tool Services disabling, but with no success yet.
RUN C\:XZN\Mecanisms\AnyAHK_script.ahk
;;or
RUN AnyAHK_script.ahk, C\:XZN\Mecanisms
;;or
RUN C\:XZN\Mecanisms\BactchfileLaunchingAboveScript.bat
;;or
RUN AnyAHK_script.ahk, C\:XZN\Mecanisms
Would there be a workaround this at the OS settings level or another way to run/start an .ahk file?
I tried the 'Comspec' approach as well as running an .ahk from within a batchfile, but the .ahk always get intercepted whenever it contains a 'RUN' command requesting an .ahk target.
Thanks.
You are using outdated version of AutoHotkey which is more than 5 years old. Always use AutoHotkey and its documenatation from http://ahkscript.org/ (current uptodate version, new official website)! AutoHotkey and its documentation from autohotkey.com is outdated and you may have some problems using them!
One thing to try if you only have this problem on win 8 is to Enable interaction with administrative programs http://www.autohotkey.com/board/topic/70449-enable-interaction-with-administrative-programs/
That script modifies the executable file's embedded manifest, then creates and installs a self-signed certificate and uses it to sign the file. The executable will not run on any other system, unless you install the certificate used to sign the file.
But lets see some script code that way we have something to test with and can better help you out...
I have been looking at an issue for a week straight and have been unable to figure it out and I am desperate for the fix.
On a client site, we have two environments: UAT and PROD. UAT works perfect (Please keep this in mind). We are now trying to deploy the solution to PROD but certain parts of the solution are not working.
We have developed an asp.net application that we provide to clients to allow them to invoke SSIS packages (there are a couple of drop downs that they first select then click a button named "invoke").
When the user clicks the Invoke button, a batch file named InvokeSSIS.bat is called that assembles a command line call to dtexec with the appropriate parameters.
I'm having a problem with a particular package that is responsible for calling an executable which generates a spreadsheet that i will be importing into my system.
The executable is on an mapped H:\ drive.
I have modified the InvokeSSIS.bat batch file to capture the command the batch file is generating. If I execute this command from the command line, it works perfectly. From the webapp Invoker, it executes the package but the tasks responsible for calling the executable doesn't execute as the entire package takes only 1 second to complete (whereas it should take about a minute.)
The executable DOES have a GUI, but it is NOT interactive. This is because when you call the GUI with specific parameters, it automatically runs in batch mode and executes a macro used to generate the desired spreadsheet.
I know this is ok because it works on the UAT server AND it works from the command line!
I have checked the permissions on the executable (bu right-clicking the executable and clicking properties.) I have granted Full Control on the executable to the same user specified as the identity tab of the application pool i am using.
Can someone please help me? As I said I am dying over here!
Please let me know if you have any ideas or what other info you need.
Environment (both UAT and PROD)
OS: Windows Server 2003
IIS 6
asp.net 2.0
SQL Server 2008
Thanks!
Steve
You can't use a mapped drive with IIS.
You must use the \\servername syntax to reach files on other systems.
I agree with user544284 that this is at least in part a mapping issue. I'll ignore for a minute the complete insanity of having a web application call a batch file to start an executable that's on a remote network drive through a drive letter mapping.
Most likely the UAT box has something set up that maps that drive letter for you which Prod is missing.
The only other possibility is a security violation is occurring. Running .exe's from a network drive is generally frowned on. Do the two environments have the exact same version of windows? Are they configured the same with regards to UAC? Any differences here are going to be important.
Which brings up an interesting thought. I wonder if someone logged in to the UAT server using the same account credentials the app pool is using and added the ip address of the machine where the exe lives to the list of "Local Intranet" sites... Or, if they installed SSIS on the UAT server itself.
Just because YOU can log in to the server and run it on the command line means nothing. You have to find out if the drive letter is mapped at all for the user that the web app is running under and whether that user has the required security bits and whether the local OS will allow it regardless.
Okay, I can't ignore it: hairbrained is the nicest adjective I can come up with for this "architecture". Do yourself a favor and go back to the drawing board on this one. It has the word "brittle" written all over it, as you have already found. Instead of building out a batch file to call dtexec, just do it directly either by something like this or this.