Le but de ce script est de surveiller le branchement de clé USB inconnues. En cas de détection, les informations à propos de la clé et le listing de son contenue sera journalisé.
Une clé USB sera considérée comme de confiance lorsqu'elle aura été enregistrée grâce à la fonction [b]Add-Trusted-USB[/b] de ce script. Pour cela, il suffit d'initialiser la variable $ENROLL à 1, et la clé USB nouvellement insérée sera alors considérée comme clé connue et de confiance.
0x01. PRESENTATION
La liste des fonctions qui seront abordées :
Show-MsgBox Get-USB-Drives Umount-Disk($usb_data) Get-USB-Infos Add-Trusted-USB() Print-Info($USB_Drive_Letter,$HRSize,$Model,$Auth)
0x02. CODE
######################################################################################################################## # # Description # ######################################################################################################################## <# .SYNOPSIS Monitor USB mass storage events .DESCRIPTION Running in loop to monitor USB mass storage changes and notify if unknown key is plugged .AUTHOR Nicolas F. #> ######################################################################################################################## # # Paramètrage du script # ######################################################################################################################## $LOG = "c:/windows/USB.log" $TRUSTED_USB_KEYS_FILE = "c:/windows/system32/usb.trusted.cfg" $TRUSTED_USB_KEYS = $(Get-Content $TRUSTED_USB_KEYS_FILE) $ENROLL = 1 $SEPARATOR = " ======================================================================================================================== " ######################################################################################################################## # # Fonctions # ######################################################################################################################## function Show-MsgBox { <# # Fonction de notification # -------------------------------------------------------------------------------------------------------------------- .AUTHOR BigTeddy .RELEASE_DATE August 24, 2011 .SOURCE http://social.technet.microsoft.com/profile/bigteddy/. .SYNOPSIS Shows a graphical message box, with various prompt types available. .DESCRIPTION Emulates the Visual Basic MsgBox function. It takes four parameters, of which only the prompt is mandatory .INPUTS The parameters are:- Prompt (mandatory): Text string that you wish to display Title (optional): The title that appears on the message box Icon (optional). Available options are: Information, Question, Critical, Exclamation (not case sensitive) BoxType (optional). Available options are: OKOnly, OkCancel, AbortRetryIgnore, YesNoCancel, YesNo, RetryCancel (not case sensitive) DefaultButton (optional). Available options are: 1, 2, 3 .OUTPUTS Microsoft.VisualBasic.MsgBoxResult .EXAMPLE C:PS> Show-MsgBox Hello Shows a popup message with the text "Hello", and the default box, icon and defaultbutton settings. .EXAMPLE C:PS> Show-MsgBox -Prompt "This is the prompt" -Title "This Is The Title" -Icon Critical -BoxType YesNo ` -DefaultButton 2 Shows a popup with the parameter as supplied. .LINK http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.msgboxresult.aspx .LINK http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.msgboxstyle.aspx #> [CmdletBinding()] param( [Parameter(Position=0, Mandatory=$true)] [string]$Prompt, [Parameter(Position=1, Mandatory=$false)] [string]$Title ="", [Parameter(Position=2, Mandatory=$false)] [ValidateSet("Information", "Question", "Critical", "Exclamation")] [string]$Icon ="Information", [Parameter(Position=3, Mandatory=$false)] [ValidateSet("OKOnly", "OKCancel", "AbortRetryIgnore", ` "YesNoCancel", "YesNo", "RetryCancel")] [string]$BoxType ="OkOnly", [Parameter(Position=4, Mandatory=$false)] [ValidateSet(1,2,3)] [int]$DefaultButton = 1 ) [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.VisualBasic") | Out-Null switch ($Icon) { "Question" {$vb_icon = [microsoft.visualbasic.msgboxstyle]::Question } "Critical" {$vb_icon = [microsoft.visualbasic.msgboxstyle]::Critical} "Exclamation" {$vb_icon = [microsoft.visualbasic.msgboxstyle]::Exclamation} "Information" {$vb_icon = [microsoft.visualbasic.msgboxstyle]::Information} } switch ($BoxType) { "OKOnly" {$vb_box = [microsoft.visualbasic.msgboxstyle]::OKOnly} "OKCancel" {$vb_box = [microsoft.visualbasic.msgboxstyle]::OkCancel} "AbortRetryIgnore" {$vb_box = [microsoft.visualbasic.msgboxstyle]::AbortRetryIgnore} "YesNoCancel" {$vb_box = [microsoft.visualbasic.msgboxstyle]::YesNoCancel} "YesNo" {$vb_box = [microsoft.visualbasic.msgboxstyle]::YesNo} "RetryCancel" {$vb_box = [microsoft.visualbasic.msgboxstyle]::RetryCancel} } switch ($Defaultbutton) { 1 {$vb_defaultbutton = [microsoft.visualbasic.msgboxstyle]::DefaultButton1} 2 {$vb_defaultbutton = [microsoft.visualbasic.msgboxstyle]::DefaultButton2} 3 {$vb_defaultbutton = [microsoft.visualbasic.msgboxstyle]::DefaultButton3} } $popuptype = $vb_icon -bor $vb_box -bor $vb_defaultbutton $ans = [Microsoft.VisualBasic.Interaction]::MsgBox($prompt,$popuptype,$title) return $ans } #end function <# # Liste les clé USB ayant un lecteur (E:, F:, ...) attribué # -------------------------------------------------------------------------------------------------------------------- #> Function Get-USB-Drives { $Obj = (gwmi win32_diskdrive | ?{$_.interfacetype -eq "USB"} | %{ gwmi -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID=`"$($_.DeviceID.replace('',''))`"} WHERE ` AssocClass = Win32_DiskDriveToDiskPartition" } | %{ gwmi -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($_.DeviceID)`"} WHERE AssocClass = ` Win32_LogicalDiskToPartition" } | %{ $_ }) return( $Obj ) } Function Umount-Disk($usb_data) { <# # Fonction de collecte des informations # -------------------------------------------------------------------------------------------------------------------- .SOURCE https://www.experts-exchange.com/questions/27513069/ ↵ powershell-command-to-identify-the-usb-device-id-based-upon-drive-letter-or-volume-name.html .AUTHOR Chris Dent #> $key_letter = $usb_data.DeviceID $driveEject = New-Object -comObject Shell.Application $driveEject.Namespace(17).ParseName($key_letter).InvokeVerb("Eject") # TODO: $usb_data.SetPowerState } Function Get-USB-Infos { <# # Fonction de collecte des informations # -------------------------------------------------------------------------------------------------------------------- .SOURCE https://www.experts-exchange.com/questions/27513069/ ↵ powershell-command-to-identify-the-usb-device-id-based-upon-drive-letter-or-volume-name.html .AUTHOR Chris Dent #> [CmdLetBinding(DefaultParameterSetName = "DriveLetter")] Param( [Parameter(Position = 1, Mandatory = $True, ParameterSetName = "DriveLetter")] [String]$DriveLetter, [Parameter(Mandatory = $True, ParameterSetName = "VolumeName")] [String]$VolumeName ) If ($PsCmdLet.ParameterSetName -eq "DriveLetter") { $Filter = "DeviceID LIKE '$DriveLetter%'" } Else { $Filter = "VolumeName LIKE '$VolumeName%'" } Get-WmiObject Win32_LogicalDisk -Filter $Filter | ForEach-Object { $Partition = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$($_.DeviceID)'} WHERE ` AssocClass = Win32_LogicalDiskToPartition" | Select-Object * -Exclude __* $PhysicalDisk = Get-WmiObject Win32_DiskDrive -Filter "Index=$($Partition.DiskIndex)" | ` Select-Object * -Exclude __* $PNPDevice = Get-WmiObject Win32_PNPEntity -Filter ("PNPDeviceID='$($PhysicalDisk.PNPDeviceID)'" ` -Replace '', '') $USBController = Get-WmiObject -Query "ASSOCIATORS OF {$($PNPDevice.__RELPATH)} WHERE ` AssocClass = Win32_USBControllerDevice" | ` Select-Object * -Exclude __* $DriveLetter = [String]$_.Name $VolumeName = [String]$_.VolumeName if( $VolumeName -eq "" ) { $VolumeName = "<Aucun nom>" } $USBInfos = @{ "Description" = [String]$_.Description "DeviceName" = [String]$_.Name "FreeSpace" = [String]$_.FreeSpace "PhysicalSerialNumber" = [String]$PhysicalDisk.SerialNumber "Model" = [String]$PhysicalDisk.Model "Size" = [String]$PhysicalDisk.Size "SystemName" = [String]$_.SystemName "USBPortDescription" = [String]$PhysicalDisk.Description "VolumeSerialNumber" = [String]$_.VolumeSerialNumber "PNPDeviceID" = [String]$PhysicalDisk.PNPDeviceID.Split(" ")[-1] "VolumeName" = $VolumeName } # # Toutes les informations accessibles : # # LogicalDisk # $_ | Select-Object * # # Physical Disk # $PhysicalDisk # # USB Controller # $USBController } # ForEach-Object return( $USBInfos ) } ######################################################################################################################## # # Traitement des clés de confiance # ######################################################################################################################## function Add-Trusted-USB() { "NE PAS débrancher les clés, processus d'enregistrement en cours ...`r`n" foreach( $USB_Drive in Get-USB-Drives ) { $USB_Infos = Get-USB-Infos $USB_Drive.DeviceID if( $TRUSTED_USB_KEYS -and $TRUSTED_USB_KEYS -match $CurrentUSBInfos ) { "Clé déjà enregistrée" } else { "Lecteur : " + $USB_Drive "Modèle : " + $USB_Infos["Model"] "Taille : " + $USB_Infos["Size"] $Date_Enroll = (Get-Date|Out-String).Split("`r`n")[2] $TxtInfos = $Date_Enroll + ";" + $USB_Infos["VolumeSerialNumber"] + ";" + ` $USB_Infos["PhysicalSerialNumber"] + ";" $TxtInfos >> $TRUSTED_USB_KEYS_FILE } } } function Print-Info($USB_Drive_Letter,$HRSize,$Model,$Auth) { if( $Auth -eq "OK" ) { $color = "Green" Write-Host "Clé autorisée ......... : " -nonewline } if( $Auth -eq "KO" ) { $color = "Red" Write-Host "Clé non autorisée ..... : " -nonewline } Write-Host $USB_Drive_Letter -nonewline -foregroundcolor $color Write-Host " ($HRSize)" -nonewline Write-Host " [" -nonewline Write-Host "$Model" -nonewline -foregroundcolor $color Write-Host "]" } ######################################################################################################################## # # Process d'enregistrement # ######################################################################################################################## if( $ENROLL -eq 1 ) { foreach( $USB_Drive_Letter in Get-USB-Drives ) { Add-Trusted-USB $USB_Drive_Letter.DeviceID } exit } ######################################################################################################################## # # Boucle de monitoring # ######################################################################################################################## while( $True ) { "En attente de clé USB ..." foreach( $USB_Drive in Get-USB-Drives ) { $USB_Drive_Letter = $USB_Drive.DeviceID $USB_Infos = Get-USB-Infos $USB_Drive_Letter $CurrentUSBInfos = ";" + $USB_Infos["VolumeSerialNumber"] + ";" + $USB_Infos["PhysicalSerialNumber"] + ";" $HRSize = [Int64]$USB_Infos["Size"] $HRSize = $HRSize / (1000*1000*1000) $HRSize = [String]$HRSize $HRSize = $HRSize.Split(".")[0] $HRSize = $HRSize + "Go " $Model = $USB_Infos["Model"] if( $TRUSTED_USB_KEYS -notmatch $CurrentUSBInfos ) { try { Get-ChildItem $USB_Drive_Letter > $Null } catch { continue } Print-Info $USB_Drive_Letter $HRSize $Model "KO" $SEPARATOR >> $LOG $Date = Get-Date $Date_Enroll = "Date de l'évènement " + $Date >> $LOG $USB_Infos >> $LOG "`r`n" >> $LOG "Contenu de la clé : --------------------------------------------------------------------------------------------↵ ---------------------------------------------" >> $LOG # Get-ChildItem $USB_Drive_Letter >> $LOG "Mode | Attributs | Date de création | Date d'accès ↵ | Fichier " >> $LOG "-------+----------------------------+---------------------------------------+----------------------------------↵ -----+---------------------------------------" >> $LOG (Get-ChildItem $USB_Drive_Letter ) | % { #$msg = + " " + + " " + printf("%-5s | %-25s | %-35s | %-35s | %s",[String]$_.Mode,[String]$_.Attributes,` [String]$_.CreationTime,[String]$_.LastAccessTime,[String]$_.FullName) >> $LOG } "----------------------------------------------------------------------------------------------------------------↵ ---------------------------------------------" >> $LOG sleep 1 Umount-Disk $USB_Drive Show-Msgbox "Clé USB inconnue détectée. Information et contenu à sa racine listés et journalisé." "Système" "Critical" } else { $msg = "Clé autorisée ......... : " + [String]$USB_Drive_Letter + " (" + $HRSize + ")" + " [" + $USB_Infos["Model"] + "] " Print-Info $USB_Drive_Letter $HRSize $Model "OK" } } # foreach sleep 1 }
=> Écrit par : Nicolas, le 04 juillet 2017
powershell