Checksum file integrity digests: Sha1 and MD5
Last Post 21 May 2008 05:02 PM by kscriss. 2 Replies.
kscriss (Basic Member, Posts: 119)
21 Feb 2008 06:50 PM

Another one from the vaults.  It's a good security practice when running external executables against a list of servers to know in advance that the external executable you are running has not become compromised.

#
#
#      \\\\ ////
#     \\  - -  //
#         @ @
# ---oOOo-( )-oOOo---
#
# PowerShell Script: CheckSum.ps1
# Author: Kevin Criss
#
###################################
# Script Block $FailSafe          #
###################################
#
# Calc-Hash.ps1
# From David Mohundro's web site.
# A PowerShell script to calculate file hashes
# Thursday, December 28, 2006
# http://www.mohundro.com/blog/PermaLink,guid,b3e7081f-8249-4e37-a777-9afdfd0d9b3d.aspx
#
# $FailSafe was adapted from Calc-Hash.ps1
#
# We will digest uptime.exe before each use to minimize our attack surface.
#
# The risk: Running a command or executable against a list of servers using an account with *sufficient privileges* to do so
# may be risky business even if your PowerShell script has been digitally signed.  In this example we are using Microsoft's
# uptime.exe executable against a list of servers.  Your digitally signed PowerShell script will not execute if it becomes compromised.
# You should also take measures to ensure the command files that you are executing are not compromised as well.
#
# Therefore in this example Microsoft's uptime.exe executable must not become compromised.  We will store known
# digest values for uptime.exe within constant script variables that are locked inside of our
# digitally signed script and then compare these against the pre-runtime values of uptime.exe
# before each server query's use of uptime.exe.  The script will not function if it ever becomes
# altered after signing.  The script is also programmed not to run uptime.exe if its sums do not
# check out.
#
# This is a double fail-safe feature.  Our PowerShell script only touches servers within its input file
# via Microsoft's uptime.exe.
#
# 500 MD5 and SHA1 Digests of uptime.exe only takes 00:00:05.3593750 seconds to generate
#
# Tested 01-14-2007 - Comments: I think it works!  Might have some issues releasing uptime.exe from
#                               the PowerShell environment until I close the PowerShell session.
#                               Scheduling this script as a .bat file should remedy this though.
#
$FailSafe =
   {
      # A trap applies to the whole script block wherever it is declared; keeping one copy
      # here closes any open file stream on error, then re-throws (break) to the caller.
      trap
         {
            if ($inStream -ne $null)
               {
                  [void] $inStream.Close()
               }
            break
         }

      $infile = "C:\windows\system32\uptime.exe"
      $inFileInfo = New-Object System.IO.FileInfo($infile)
      if (-not $inFileInfo.Exists)
         {
           $Script:BadUptimeCheckSum = "True"
           Throw "Failsafe Script Block: Can't find $inFileInfo"
         }

      #############################
      ####  The MD5 Digest Method #
      #############################
      $script:UptimeMD5constant = "415EDA8D64E4B487A78218212F5DB282" # Uptime.exe
      $MD5provider = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
      $inStream = $inFileInfo.OpenRead()
      $MD5hashBytes = $MD5provider.ComputeHash($inStream)
      [void] $inStream.Close()          # release the handle on uptime.exe straight away
      $inStream = $null
      # Render the digest as upper-case hex, one "X2" pair per byte
      $MD5result = ""
      foreach ($byte in $MD5hashBytes)
         {
            $MD5result = $MD5result + $byte.ToString("X2")
         }
#     "$MD5result = MD5 Digest for file $infile" | Out-Host
      If ($MD5result -ne $script:UptimeMD5constant)
         {
            $Script:BadUptimeCheckSum = "True"
            Throw "Failsafe Script Block: MD5 CheckSum Failure"
         }

      ##############################
      ####  The SHA1 Digest Method #
      ##############################
      $script:UptimeSHA1constant = "B565A5B717497950B2B96B8A1EF809F2509F754E" # Uptime.exe
      $SHA1provider = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
      # Open and hash the file once (the original opened it twice and left the first
      # stream unclosed, which is what kept uptime.exe locked in the session)
      $inStream = $inFileInfo.OpenRead()
      $SHA1hashBytes = $SHA1provider.ComputeHash($inStream)
      [void] $inStream.Close()
      $inStream = $null
      $SHA1result = ""
      foreach ($byte in $SHA1hashBytes)
         {
            $SHA1result = $SHA1result + $byte.ToString("X2")
         }
#     "$SHA1result = SHA1 Digest for file $infile" | Out-Host
      If ($SHA1result -ne $script:UptimeSHA1constant)
         {
            $Script:BadUptimeCheckSum = "True"
            Throw "Failsafe Script Block: SHA1 CheckSum Failure"
         }
   }

#
###################################
# Script Block Time 500 FailSafes #
###################################
#
$FiveHundredFailSafes =
   {
     $DigestTimeCheck = Get-Date
     for ($digestCntr = 0; $digestCntr -lt 500; $digestCntr++) { & $FailSafe }
     $span = [TimeSpan]((Get-Date) - $DigestTimeCheck)
     $DigestGenerationTime = $span.ToString()
     "$digestCntr Digests of uptime.exe take $DigestGenerationTime to generate" | Out-Host
   }
#
##################################
# Main Routine                   #
##################################
& $FailSafe
If ($BadUptimeCheckSum -eq "True") { Throw "GetUptime Script Block: Uptime.exe checksum error" }
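The same pin-then-run idea, written as an added example rather than kscriss's script, using the cmdlets available in PowerShell 4 and later. Two points the post's design leaves open are handled here: MD5 and SHA-1 are both collision-prone, so the pin table accepts a SHA-256 entry alongside the two values from the post, and hashing a file at one path and then executing that same path leaves a window in which the binary can be swapped, so the copy that is hashed is the copy that is run. Get-FileHash and Get-AuthenticodeSignature are real cmdlets; the servers.txt path, the server argument, the SHA256 placeholder and the function names are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes PowerShell 4+ on Windows.
# Paths, the input file, the server argument and the SHA256 value are placeholders.
Set-StrictMode -Version Latest

function New-DigestPin {
    # Run ONCE against a known-good copy of the tool; paste the result into the
    # signed script as its pinned constants (the post's $script:Uptime*constant).
    param([Parameter(Mandatory)][string]$Path)
    $pin = @{}
    foreach ($alg in 'SHA256', 'SHA1', 'MD5') {
        $pin[$alg] = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
    }
    $pin
}

function Test-ToolIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Expected,   # algorithm name -> hex digest
        [switch]$RequireAuthenticode
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Integrity check: file not found: $Path"
    }
    foreach ($alg in $Expected.Keys) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToUpperInvariant()
        $want   = ([string]$Expected[$alg]).ToUpperInvariant()
        if ($actual -ne $want) {
            throw "Integrity check: $alg mismatch for $Path (got $actual, pinned $want)"
        }
    }
    if ($RequireAuthenticode) {
        # Only meaningful when the vendor signs the binary; a valid signature plus a
        # matching pin gives two independent checks, the post's "double fail-safe".
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') {
            throw "Integrity check: Authenticode status '$($sig.Status)' for $Path"
        }
    }
    $true
}

function Invoke-VerifiedTool {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Expected,
        [string[]]$ArgumentList = @(),
        [switch]$RequireAuthenticode
    )
    # Stage a private copy under the caller's %TEMP%, verify THAT copy, run THAT copy.
    # Checking one path and executing the same path later is a check-then-use race;
    # verifying the staged copy closes it.
    $staging = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $staging | Out-Null
    try {
        $copy = Join-Path $staging (Split-Path -Leaf $Path)
        Copy-Item -LiteralPath $Path -Destination $copy
        [void](Test-ToolIntegrity -Path $copy -Expected $Expected -RequireAuthenticode:$RequireAuthenticode)
        & $copy @ArgumentList
    }
    finally {
        Remove-Item -LiteralPath $staging -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage. MD5 and SHA1 are the values pinned in the script above; add the SHA256
# line from New-DigestPin run on a trusted copy (placeholder shown commented out).
$pins = @{
    MD5  = '415EDA8D64E4B487A78218212F5DB282'
    SHA1 = 'B565A5B717497950B2B96B8A1EF809F2509F754E'
    # SHA256 = '<paste from New-DigestPin>'
}
foreach ($server in Get-Content 'C:\scripts\servers.txt') {   # hypothetical input file
    Invoke-VerifiedTool -Path 'C:\windows\system32\uptime.exe' -Expected $pins -ArgumentList $server
}
```

One caveat on the staging step: on hosts where AppLocker or a similar policy only permits executables from fixed directories, running the copy from %TEMP% will be blocked, and the verification then has to be done in place with the race accepted. The pinned values themselves only protect the script if the script is signed and the execution policy is AllSigned, exactly as the post describes.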
Jaykul (New Member, Posts: 31)
17 May 2008 05:19 AM
Did you put that on http://PowerShellCentral.com/scripts ?
kscriss (Basic Member, Posts: 119)
21 May 2008 05:02 PM

I've been heads-down at work recently.  So I have not posted it yet.  I'll try to post it in the "Peer Review" forum as a first step in the direction of the script vault.  Thanks for inquiring. 
