Posted by: kprestage Oct 2 2007, 07:34 PM
If anyone is interested, the Lua script below uses WMI to query the processes running on a target host and compares them against a text file that contains the exe process name, a description of the process, and the path the exe should be running from. An example file is shown below. The file should be placed on the INM server. Setting up the file can be a tedious task; to speed things up, create a blank text file and use that as the parameter to the script, then run the script against a machine in the Lua IDE. You can copy and paste the result into the text file once you have verified that all the listed processes are ok to be running.
NOTE: You need to be running at least version 3.3 to run this script. During testing of the beta, execution time was under 500ms when comparing against a list of 196 processes.
acrobat.exe Adobe Acrobat Reader C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
powerpnt.exe Microsoft PowerPoint C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
ipodservice.exe iTunes C:\Program Files\iPod\bin\iPodService.exe
wmplayer.exe Windows Media Player C:\Program Files\Windows Media Player\wmplayer.exe
mfpmp.exe Media Foundation Protected Pipeline DRM!!
wmiapsrv.exe Microsoft WMI Performance Adapter c:\windows\system32\wbem\wmiapsrv.exe
notepad.exe Notepad c:\windows\system32\notepad.exe
And now for the Lua Script.....
-----------------------------------------------------------------
-- Name: ProcessScan.lua
-- Author: Kevin Prestage
-- Required INM version: 3.3
-- Version: 1.0
-- Date: 2007-09-19
-- Description: This script will load a configuration file of
-- process names and execute a WMI query against the machine and
-- compare the resulting running processes against the processes
-- in the configuration file. It will also verify that the file
-- is running from the predetermined path specified in the
-- configuration file. The configuration file is a TAB delimited
-- text file on the INM host machine.
--
-- The format is:
-- ExeName (i.e explorer.exe) [TAB]
-- Description to help identify the processes [TAB]
-- Path the file should run from [NEW LINE]
--
-- iexplorer.exe Internet Explorer c:\Program Files\IE7\iexplorer.exe
--
-- Only the first column is required to run the script.
-- the Description and path are optional.
--
-- Arguments:
-- 1) Path to the configuration text file (relative to the INM host machine, NOT the object being monitored).
----------------------------------------------------------------------------------------------------------
--simple function to split a string into an array (table) based on a separator.
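--Split str into a table of fields separated by the literal string sep.
--
-- str: the text to split.
-- sep: the separator; every non-alphanumeric character in it is escaped, so
--      separators such as "\t", "\n" or "." are matched literally, never as
--      a Lua pattern operator.
--
-- Returns a table with one entry per field, in order. Empty fields between two
-- consecutive separators are kept. The text after the final separator is
-- returned too (the previous pattern-based split silently dropped it, so the
-- third column of a configuration line was lost unless the line ended in a
-- TAB); an empty trailing field is not added, so a string that ends with sep
-- (e.g. a file with a final newline) still yields the same number of entries.
-- A nil or empty sep returns the whole string as the single field.
function MakeTable2(str, sep)
  local fields = {}; --local: the previous global leaked into the script namespace
  if (sep == nil or sep == "") then
    table.insert(fields, str);
    return fields;
  end
  --make sep safe to use inside string.find
  local escapedSep = string.gsub(sep, "(%W)", "%%%1");
  local pos = 1;
  while true do
    local s, e = string.find(str, escapedSep, pos);
    if (s == nil) then
      break;
    end
    table.insert(fields, string.sub(str, pos, s - 1));
    pos = e + 1;
  end
  local rest = string.sub(str, pos);
  if (rest ~= "") then
    table.insert(fields, rest);
  end
  return fields;
end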
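--Start a timer so we can monitor the performance of this script.
Timer = TLuaTimer();
Timer:Start();
result = ""; --this will store our result text
b = true; --this is the status of the script.
count = 0; --total number of processes running on the machine.
unknown = 0; --total number of unknown processes found.
safeCount = 0; --number of entries read from the list of safe processes.

--Escape s so that string.find matches it literally. Exe names and paths
--contain characters that Lua treats as pattern operators ('.', '-', '(');
--a path such as "program files (x86)" or one containing '%' or '[' would
--otherwise be mis-matched or raise a pattern error.
local function PlainPattern(s)
  local escaped = string.gsub(s, "(%W)", "%%%1");
  return escaped;
end

--Remove leading and trailing whitespace. This also drops the "\r" left on
--each line when the configuration file uses CRLF line ends.
local function Trim(s)
  local trimmed = string.gsub(s, "^%s*(.-)%s*$", "%1");
  return trimmed;
end

--Split one configuration line on TAB. The text after the last TAB is
--returned as well, so the optional third (path) column is not lost.
local function SplitTabs(line)
  local cols = {};
  local cpos = 1;
  while true do
    local tab = string.find(line, "\t", cpos);
    if (tab == nil) then
      table.insert(cols, string.sub(line, cpos));
      break;
    end
    table.insert(cols, string.sub(line, cpos, tab - 1));
    cpos = tab + 1;
  end
  return cols;
end

--set the name of the file containing safe processes.
fn = GetArgument(0);
--open the file in the context of the INM host.
file = TLuaFile(true);
iLength = file:GetFileSize( fn );
iRet = file:Open(fn,false);
RawData = "";
RawData, iLength = file:Read(iLength);
file:Close();
if (RawData == nil) then
  --nothing could be read: every process is then reported as unknown instead
  --of the script aborting inside string.lower below.
  RawData = "";
end
--convert the file text to lower case for easier comparison.
RawData = string.lower(RawData);

--Build a lookup table: safe[exe name] = path it must run from ("" = any path).
--An exact key lookup replaces the earlier substring search of the raw file
--text, so a process name can no longer be "found" inside another entry's
--name, description or path column, and a name containing pattern characters
--cannot break the search. A name listed twice keeps the last path given.
safe = {};
local pos = 1;
local dataLen = string.len(RawData);
while (pos <= dataLen) do
  local nl = string.find(RawData, "\n", pos);
  local line;
  if (nl == nil) then
    line = string.sub(RawData, pos);
    pos = dataLen + 1;
  else
    line = string.sub(RawData, pos, nl - 1);
    pos = nl + 1;
  end
  --columns: 1 = exe name (required), 2 = description, 3 = expected path.
  local cols = SplitTabs(line);
  local name = Trim(cols[1]);
  if (name ~= "") then
    local cfgPath = cols[3];
    if (cfgPath == nil) then
      cfgPath = "";
    end
    safe[name] = Trim(cfgPath);
    safeCount = safeCount + 1;
  end
end

--Query WMI for a list of all processes running on the machine.
Query = TLuaWMIQuery();
b = Query:Execute("Select * from Win32_Process");
--if the query failed, set the result.
if (b == false) then
  result = "An error occurred querying WMI. " .. Query:GetErrorDescription();
end
--Loop through the results and check each process against the list.
while (Query:NextInstance()) do
  count = count + 1; --increment the process count.
  --get the process name and path
  bOk,exeName = Query:GetProperty("Description",exeName);
  bOk,exePath = Query:GetProperty("ExecutablePath",exePath);
  if (exeName == nil) then
    --a process without a readable name cannot be on the list; report it rather than abort.
    exeName = "";
  end
  exeName = Trim(string.lower(exeName));
  if (exePath == nil) then
    --WMI returns no path for some processes; an empty path fails the path
    --check below whenever the list demands a specific location.
    exePath = "";
  end
  exePath = string.lower(exePath);
  --check if this is a safe process.
  okpath = safe[exeName];
  if (okpath == nil) then
    result = result .. exeName .. "\tUnknown Process!\t" .. exePath .. "\n";
    b = false;
    unknown = unknown + 1;
  elseif (okpath ~= "") then
    --even if it is safe, we need to see if it is running in the correct location if provided.
    --Literal substring match of the configured path, without pattern interpretation.
    if (string.find(exePath, PlainPattern(okpath)) == nil) then
      result = result .. exeName .. "\tWRONG PATH=" .. exePath .. "\tOK PATH=" .. okpath .. "\n";
      b = false;
      unknown = unknown + 1;
    end
  end
end
--Store the number of running processes on the machine
StoreStatisticalData(0,count,0,"Processes");
--Store the number of unknown processes running
StoreStatisticalData(1,unknown,0,"Unknown");
--Store the number of monitored safe processes (non-empty configuration lines)
StoreStatisticalData(2,safeCount,0,"Safe");
--Store the execution time of the script.
mil = Timer:Stop();
StoreStatisticalData(3,mil,0,"Milliseconds");
--set the Exit status and message.
result = result .. "\n" .. count .. " processes running. " .. unknown .. " not on list of " .. safeCount .. " safe processes. Test Completed in " .. mil .. " Milliseconds";
SetExitStatus(result,b);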