Commit 7be7ad3

authored
Merge pull request #1199 from mandiant/update-ez-tools
Use SigCheck w/ Zimmerman Tools
2 parents 65b5678 + 6d9e3e1 commit 7be7ad3

14 files changed

+73
-40
lines changed

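--- a/packages/common.vm/common.vm.nuspec
+++ b/packages/common.vm/common.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
 <metadata>
 <id>common.vm</id>
-<version>0.0.0.20250124</version>
+<version>0.0.0.20250203</version>
 <description>Common libraries for VM-packages</description>
 <authors>Mandiant</authors>
 </metadata>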

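--- a/packages/common.vm/tools/vm.common/vm.common.psm1
+++ b/packages/common.vm/tools/vm.common/vm.common.psm1
@@ -404,6 +404,8 @@ function VM-Install-From-Zip {
 [Parameter(Mandatory=$false)]
 [string] $executableName, # Executable name, needed if different from "$toolName.exe"
 [Parameter(Mandatory=$false)]
+[switch] $verifySignature,
+[Parameter(Mandatory=$false)]
 [switch] $withoutBinFile, # Tool should not be installed as a bin file
 # Examples:
 # $powershellCommand = "Get-Content README.md"
@@ -417,17 +419,31 @@ function VM-Install-From-Zip {
 # Remove files from previous zips for upgrade
 VM-Remove-PreviousZipPackage ${Env:chocolateyPackageFolder}
 
-# Download and unzip
-$packageArgs = @{
-packageName = ${Env:ChocolateyPackageName}
-unzipLocation = $toolDir
-url = $zipUrl
-checksum = $zipSha256
-checksumType = 'sha256'
-url64bit = $zipUrl_64
-checksum64 = $zipSha256_64
-}
-Install-ChocolateyZipPackage @packageArgs | Out-Null
+# We do not check hashes for tools that we use signature verification for
+if ($verifySignature) {
+# Download zip
+$packageArgs = @{
+packageName = $env:ChocolateyPackageName
+file = Join-Path ${Env:TEMP} $toolName
+url = $zipUrl
+}
+$filePath = Get-ChocolateyWebFile @packageArgs
+# Extract zip
+Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir
+}
+else { # Not verifying signature, so check if hash is as expected
+# Download and unzip
+$packageArgs = @{
+packageName = ${Env:ChocolateyPackageName}
+unzipLocation = $toolDir
+url = $zipUrl
+checksum = $zipSha256
+checksumType = 'sha256'
+url64bit = $zipUrl_64
+checksum64 = $zipSha256_64
+}
+Install-ChocolateyZipPackage @packageArgs | Out-Null
+}
 VM-Assert-Path $toolDir
 
 # If $innerFolder is set to $true, after unzipping there should be only one folder
@@ -437,6 +453,21 @@ function VM-Install-From-Zip {
 $toolDir = Join-Path $toolDir $dirList[0].Name -Resolve
 }
 
+if ($verifySignature) {
+# Check signature of all executable files individually
+Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
+try {
+# Check signature for each file
+VM-Assert-Signature $_.FullName
+} catch {
+# Remove the file with invalid signature
+Write-Warning "Removing file '$($_.FullName)' due to invalid signature"
+Remove-Item $_.FullName -Force -ea 0 | Out-Null
+VM-Write-Log-Exception $_
+}
+}
+}
+
 if ($powershellCommand) {
 $executablePath = $toolDir
 VM-Install-Shortcut -toolName $toolName -category $category -arguments $powershellCommand -executableDir $executablePath -powershell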
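Review bot: Inside the `catch` block of the new signature loop, `$_` is the ErrorRecord, not the file item from `ForEach-Object`, so `$_.FullName` is empty there: the warning prints a blank name and `Remove-Item $_.FullName -Force -ea 0` does not delete the binary that failed verification (whether it errors out or is silently swallowed by `-ea 0` depends on strict-mode settings I can't see). Capture the item before the `try` as shown below. Separately, on the `-verifySignature` path the zip's SHA256 is no longer checked at all and only top-level `*.exe` files are verified, so any DLL, script or map file extracted next to the signed executable arrives unverified and a swapped DLL would still be loaded by a validly signed exe; if the Zimmerman zips ship unsigned third-party DLLs, consider keeping the archive hash in addition to the signature rather than relying on Authenticode alone, and note that `$zipUrl_64`/`$zipSha256_64` are silently ignored on that branch. I cannot see `VM-Assert-Signature`, so whether it pins the expected publisher or accepts any valid Authenticode chain should be confirmed. `VM-Install-From-Zip` begins before the first hunk and continues past the last.
```powershell
if ($verifySignature) {
    # Check signature of all executable files individually
    Get-ChildItem -Path "$toolDir\*.exe" | ForEach-Object {
        $binary = $_   # keep the file item: inside 'catch', $_ is rebound to the ErrorRecord
        try {
            VM-Assert-Signature $binary.FullName
        } catch {
            Write-Warning "Removing file '$($binary.FullName)' due to invalid signature"
            Remove-Item $binary.FullName -Force -ea 0 | Out-Null
            VM-Write-Log-Exception $_
        }
    }
}
```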

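--- a/packages/evtxecmd.vm/evtxecmd.vm.nuspec
+++ b/packages/evtxecmd.vm/evtxecmd.vm.nuspec
@@ -2,12 +2,14 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
 <metadata>
 <id>evtxecmd.vm</id>
-<version>1.5.0.20240826</version>
+<version>1.5.0.20241212</version>
 <authors>Eric Zimmerman</authors>
 <description>Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!</description>
 <dependencies>
-<dependency id="common.vm" version="0.0.0.20240411" />
+<dependency id="common.vm" version="0.0.0.20250203" />
 <dependency id="dotnet-6.vm" />
+<!-- vcbuildtools.vm installs signtool.exe needed by VM-Assert-Signature -->
+<dependency id="vcbuildtools.vm" />
 </dependencies>
 </metadata>
 </package>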
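Review bot: The new comment says `vcbuildtools.vm` is pulled in for `signtool.exe`, while the PR title says the change is to "Use SigCheck"; whichever binary `VM-Assert-Signature` actually invokes (I can't see it from here), the dependency comment should name it consistently, e.g. `<!-- vcbuildtools.vm provides signtool.exe, which VM-Assert-Signature runs to check Authenticode signatures -->`. Since the signature check is now the only integrity control for this package, it is also worth pinning a minimum `version` on the `vcbuildtools.vm` dependency the way `common.vm` is pinned, so an older build-tools package without the expected tool cannot satisfy it.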

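--- a/packages/evtxecmd.vm/tools/chocolateyinstall.ps1
+++ b/packages/evtxecmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,6 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'EvtxECmd'
 $category = 'Forensic'
-
 $zipUrl = 'https://download.mikestammer.com/net6/EvtxECmd.zip'
-$zipSha256 = 'e1b4a5f9b09eca3c057cdc2d0ed1a28fe0c24dc90f9f68b7e0572e373dce86a6'
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+VM-Install-From-Zip $toolName $category $zipUrl -consoleApp $true -innerFolder $true -verifySignature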
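Review bot: Deleting the `$zipSha256` line removes the only check that covers the whole archive; with `-verifySignature` the installer verifies Authenticode on the extracted `*.exe` files only, so every other file in `EvtxECmd.zip` (DLLs, maps, configs) is now trusted solely on the TLS connection to `download.mikestammer.com`. A comment stating that trade-off would help the next maintainer, e.g. `# Archive hash intentionally not pinned: integrity is established by Authenticode on the extracted executables (see -verifySignature); non-executable contents are unverified`. If the download host is not under the tool author's control, keeping the hash alongside the signature check (as pecmd.vm still does) is the safer option.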

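--- a/packages/pecmd.vm/pecmd.vm.nuspec
+++ b/packages/pecmd.vm/pecmd.vm.nuspec
@@ -2,12 +2,14 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
 <metadata>
 <id>pecmd.vm</id>
-<version>1.5.0.20240826</version>
+<version>1.5.0.20241212</version>
 <authors>Eric Zimmerman</authors>
 <description>Prefetch parser</description>
 <dependencies>
-<dependency id="common.vm" version="0.0.0.20240411" />
+<dependency id="common.vm" version="0.0.0.20250203" />
 <dependency id="dotnet-6.vm" />
+<!-- vcbuildtools.vm installs signtool.exe needed by VM-Assert-Signature -->
+<dependency id="vcbuildtools.vm" />
 </dependencies>
 </metadata>
 </package>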

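--- a/packages/pecmd.vm/tools/chocolateyinstall.ps1
+++ b/packages/pecmd.vm/tools/chocolateyinstall.ps1
@@ -7,4 +7,4 @@ $category = 'Forensic'
 $zipUrl = 'https://download.mikestammer.com/net6/PECmd.zip'
 $zipSha256 = 'e20254b2f813e66fe5295488e5a00e9675679c91841f99ddcc8d083299bb55d6'
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false -verifySignature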
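Review bot: This call still passes `-zipSha256 $zipSha256` together with `-verifySignature`, but the updated `VM-Install-From-Zip` takes the `Get-ChocolateyWebFile` branch whenever `-verifySignature` is set and never reads `$zipSha256` there, so the hash on line 8 is dead and gives a false sense that the archive is pinned. Either drop the hash like the sibling packages in this commit, or — preferably — change the helper so a supplied `-zipSha256` is still enforced before extraction, e.g. pass `checksum = $zipSha256; checksumType = 'sha256'` in `$packageArgs` when it is non-empty. Whichever way, the two packages should follow one convention.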

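--- a/packages/recmd.vm/recmd.vm.nuspec
+++ b/packages/recmd.vm/recmd.vm.nuspec
@@ -2,12 +2,14 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
 <metadata>
 <id>recmd.vm</id>
-<version>2.0.0.20240908</version>
+<version>2.0.0.20241212</version>
 <authors>Eric Zimmerman</authors>
 <description>Powerful command line Registry tool searching, multi-hive support, plugins, and more</description>
 <dependencies>
-<dependency id="common.vm" version="0.0.0.20240411" />
+<dependency id="common.vm" version="0.0.0.20250203" />
 <dependency id="dotnet-6.vm" />
+<!-- vcbuildtools.vm installs signtool.exe needed by VM-Assert-Signature -->
+<dependency id="vcbuildtools.vm" />
 </dependencies>
 </metadata>
 </package>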

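--- a/packages/recmd.vm/tools/chocolateyinstall.ps1
+++ b/packages/recmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,6 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'RECmd'
 $category = 'Forensic'
-
 $zipUrl = 'https://download.mikestammer.com/net6/RECmd.zip'
-$zipSha256 = '90a1c5be877c3a50294a134b81fe26755980a70e6b9d914e444b43c1e205b0f3'
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+VM-Install-From-Zip $toolName $category $zipUrl -consoleApp $true -innerFolder $true -verifySignature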

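--- a/packages/registry_explorer.vm/registry_explorer.vm.nuspec
+++ b/packages/registry_explorer.vm/registry_explorer.vm.nuspec
@@ -2,12 +2,14 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
 <metadata>
 <id>registry_explorer.vm</id>
-<version>2.0.0.20240826</version>
+<version>2.0.0.20241212</version>
 <authors>Eric Zimmerman</authors>
 <description>Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files</description>
 <dependencies>
-<dependency id="common.vm" version="0.0.0.20240411" />
+<dependency id="common.vm" version="0.0.0.20250203" />
 <dependency id="dotnet-6.vm" />
+<!-- vcbuildtools.vm installs signtool.exe needed by VM-Assert-Signature -->
+<dependency id="vcbuildtools.vm" />
 </dependencies>
 </metadata>
 </package>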

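--- a/packages/registry_explorer.vm/tools/chocolateyinstall.ps1
+++ b/packages/registry_explorer.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,6 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'RegistryExplorer'
 $category = 'Registry'
-
 $zipUrl = 'https://download.mikestammer.com/net6/RegistryExplorer.zip'
-$zipSha256 = '50a11bd0a5e44dcea6469b8564eb3f010b9a8faf323ff6481222d391da26887e'
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
+VM-Install-From-Zip $toolName $category $zipUrl -consoleApp $false -innerFolder $true -verifySignature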
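Review bot: With `-innerFolder $true` the signature loop in `VM-Install-From-Zip` runs against the single inner folder, and it only looks at `*.exe` directly in that folder (non-recursive `Get-ChildItem -Path "$toolDir\*.exe"`); if this GUI tool's archive contains executables or plugins in subdirectories — I can't tell from the diff — those are neither hash-checked (the `$zipSha256` line is removed here) nor signature-checked. Confirm the archive layout, and if anything executable lives below the top level, the helper's filter needs `-Recurse` or this package should keep its archive hash. The `-consoleApp $false` packages are the ones most likely to carry extra binaries, so a short comment recording what was verified at review time would be useful.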

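--- a/packages/rla.vm/rla.vm.nuspec
+++ b/packages/rla.vm/rla.vm.nuspec
@@ -2,12 +2,14 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
 <metadata>
 <id>rla.vm</id>
-<version>2.0.0.20240908</version>
+<version>2.0.0.20241212</version>
 <authors>Eric Zimmerman</authors>
 <description>Replay transaction logs and update Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs</description>
 <dependencies>
-<dependency id="common.vm" version="0.0.0.20240411" />
+<dependency id="common.vm" version="0.0.0.20250203" />
 <dependency id="dotnet-6.vm" />
+<!-- vcbuildtools.vm installs signtool.exe needed by VM-Assert-Signature -->
+<dependency id="vcbuildtools.vm" />
 </dependencies>
 </metadata>
 </package>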

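--- a/packages/rla.vm/tools/chocolateyinstall.ps1
+++ b/packages/rla.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,6 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'RLA'
 $category = 'Forensic'
-
 $zipUrl = 'https://download.mikestammer.com/net6/rla.zip'
-$zipSha256 = '1017f1d19d57665afd8fdfb13955a8280708931cb5cd75eca45ae28e23756b16'
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
+VM-Install-From-Zip $toolName $category $zipUrl -consoleApp $true -innerFolder $false -verifySignature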

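--- a/packages/sqlecmd.vm/sqlecmd.vm.nuspec
+++ b/packages/sqlecmd.vm/sqlecmd.vm.nuspec
@@ -2,12 +2,14 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
 <metadata>
 <id>sqlecmd.vm</id>
-<version>1.0.0.20240826</version>
+<version>1.0.0.20241212</version>
 <authors>Eric Zimmerman</authors>
 <description>Find and process SQLite files according to your needs with maps!</description>
 <dependencies>
-<dependency id="common.vm" version="0.0.0.20240411" />
+<dependency id="common.vm" version="0.0.0.20250203" />
 <dependency id="dotnet-6.vm" />
+<!-- vcbuildtools.vm installs signtool.exe needed by VM-Assert-Signature -->
+<dependency id="vcbuildtools.vm" />
 </dependencies>
 </metadata>
 </package>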

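--- a/packages/sqlecmd.vm/tools/chocolateyinstall.ps1
+++ b/packages/sqlecmd.vm/tools/chocolateyinstall.ps1
@@ -3,8 +3,6 @@ Import-Module vm.common -Force -DisableNameChecking
 
 $toolName = 'SQLECmd'
 $category = 'Forensic'
-
 $zipUrl = 'https://download.mikestammer.com/net6/SQLECmd.zip'
-$zipSha256 = '40a23c2bd6855753e5f39a7cb944cd2e13aecb70ae2c5b3db840c959225454be'
 
-VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
+VM-Install-From-Zip $toolName $category $zipUrl -consoleApp $true -innerFolder $true -verifySignature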
