
Monday, September 21, 2015

Introducing Windows Live Response Collection modules...and how to write your own!



Hello again readers and welcome back. Today I am very happy to announce the public release of the latest round of updates to the Live Response Collection. This release focuses on the "modules" that I touched briefly on in the last update. The size of the six main scripts themselves has been greatly reduced and almost all of the code now resides in the folder "Scripts\Windows-Modules". This makes maintaining the code easier (since all six scripts share a large majority of the code, it only has to be edited once instead of six times) and allows even greater customization opportunities for end users. 

There are some small changes to the way the LRC handles data, including a built-in check to ensure the date stamp does not contain unexpected characters, which was seen on some UK-based systems. The script now attempts to interpret that date properly but, in the event that it cannot, it strips any backslashes from the date field so that the output of the tools and system calls is still stored in the correct location.



Writing your own module!!


The main focus of this update is demonstrating how easy it is to create your own module. I tried to make the process as simple as possible, so writing or adding modules takes very little effort. Since the LRC is written in batch, you can write your module however you like, but following the methodology below should give the best results and ensure that the script errors out rather than presenting bad data to you.

The first thing you have to do is choose an executable (or system call) that you would like to add. In this particular case, I decided that the "Wireless NetView" executable from NirSoft would be a good choice for the walkthrough. Download the zip file from their website, navigate to the folder it was saved in, and unzip it. Once that is done, you should see a folder like this.


Contents of the folder "wirelessnetview"

Copy that folder to the "Tools" directory under the Windows Live Response folder. 


wirelessnetview folder under "Tools"

Once that is done, you are ready to begin writing your module!



Initial Steps of Module Creation

This version of the Live Response Collection contains a file in the "Windows-Modules" folder called "Windows-Module-Template.bat". Open that file in your favorite text editing program.


Contents of Windows-Module-Template.bat

Once you have it open, save it as the tool name that you would like to run. In this case, I would open the file "Windows-Module-Template.bat" and save it as "wirelessnetview.bat". 



Saving the template as our new module


Now you can begin to edit the "wirelessnetview.bat" module and add more functionality to the LRC! 


Writing the module



I tried to make it as easy as possible to do substitutions within the template, so really the only things you will have to do are:

1) Have an understanding of what command line arguments you need to give your executable file (or system command), and 
2) Be able to find and replace text within your new batch script

You should not have to change any of the environment and script variables, so I will not cover them in great detail, unless a specific request is made to do so. Here is a full listing of the items that you should replace (Ctrl + H in most cases):

YYYYMMDD - Four digit year, two digit month, and two digit day (19970829, 20150915)

DD - Date you wrote the module, with two digits (03, 11, 24, 31)

Month - Month you wrote the module (July, March, December)

YYYY - Year you wrote the module (2015, 2016, 4545)

[Your Name] - Your name, if you want to put it in there (Brian Moran, Leeroy Jenkins)

[you@emailaddress] - Your email address, if you want to put it in there (tony@starkindustries.com, info@mrrobot.com)

[Twitter name] - Your Twitter name, if you want to put it in there (Captain America, Star Wars)

[@Twitterhandle] - Your Twitter handle, if you want to put it in there (@captainamerica, @starwars)

[MODULENAME] - What you want to call your module. I prefer to use the tool name, so in this case WIRELESSNETVIEW

[Tool path] - This is the path, within the tools folder, of the folder name and the exe. In this case, it would be wirelessnetview\WirelessNetView.exe

[command line arguments] - This is where you have to do some testing of running your tool from the command line before you create the module. In this particular case, I am going to use what is listed on the web page as the command I want to run. The full command is WirelessNetView.exe /shtml "f:\temp\wireless.html", so our [command line arguments] in this case would be /shtml

[Output folder] - The folder that you want to output the data to. Since this is network related, saving it under "NetworkInfo" seems like a good idea.

[Output file name and file extension] - The filename that you want to save the file as. Generally I make this the name of the tool, so I would call this one "Wirelessnetview.html".

[Tool name] - The name of the tool. (Wirelessnetview)

[Executable name] - The name of the executable (WirelessNetView.exe)

[Executable download location, if applicable] - The URL where you downloaded the tool from (in this case, http://www.nirsoft.net/utils/wireless_network_view.html)

And that is it!

**Please note that you can choose between having the module save the command's output itself, or letting the executable/command write its own output file. It is best to refer to the executable or system command's documentation when deciding "how" you should save the output.**


So when we modify the wirelessnetview.bat file, we replace the following items with their value:

YYYYMMDD - is replaced with 20150917

DD - is replaced with 17

Month - is replaced with September

YYYY - is replaced with 2015

[Your Name] - is replaced with Brian Moran

[you@emailaddress] - is replaced with brian@brimorlabs.com

[Twitter name] - is replaced with BriMor Labs

[@Twitterhandle] - is replaced with @BriMorLabs

[MODULENAME] - is replaced with WIRELESSNETVIEW

[Tool path] - is replaced with wirelessnetview\WirelessNetView.exe

[command line arguments] - is replaced with /shtml

[Output folder] - is replaced with NetworkInfo

[Output file name and file extension] - is replaced with Wirelessnetview.html

[Tool name] - is replaced with Wirelessnetview

[Executable name] - is replaced with WirelessNetView.exe

[Executable download location, if applicable] - is replaced with http://www.nirsoft.net/utils/wireless_network_view.html
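As an added illustration of the find-and-replace step above (this is not code from the Live Response Collection), the following Python helper applies the post's placeholder values to a constructed stand-in for the template in a single pass, then reports any placeholder that was missed, which is the check you want before adding a module to the six main scripts. The template text and the %TOOLSPATH%/%OUTPUTPATH% variables are assumptions; only the placeholder names and the substituted values come from the post.

```python
import re

# Every placeholder the post tells you to replace.
PLACEHOLDERS = [
    "YYYYMMDD", "DD", "Month", "YYYY", "[Your Name]", "[you@emailaddress]",
    "[Twitter name]", "[@Twitterhandle]", "[MODULENAME]", "[Tool path]",
    "[command line arguments]", "[Output folder]", "[Tool name]",
    "[Output file name and file extension]", "[Executable name]",
    "[Executable download location, if applicable]",
]

def _build_pattern():
    # Longest first, so YYYYMMDD wins over YYYY and DD; bare tokens also get
    # boundaries, because a plain Ctrl+H on "DD" would also mangle "ADD".
    parts = []
    for p in sorted(PLACEHOLDERS, key=len, reverse=True):
        esc = re.escape(p)
        parts.append(esc if p.startswith("[") else r"(?<![A-Za-z0-9])%s(?![A-Za-z0-9])" % esc)
    return re.compile("|".join(parts))
_PATTERN = _build_pattern()

def fill_template(template, values):
    """One substitution pass, so an inserted value is never re-substituted."""
    return _PATTERN.sub(lambda m: values.get(m.group(0), m.group(0)), template)

def leftover_placeholders(text):
    """Placeholders still present; non-empty means do not add this module yet."""
    return sorted(set(_PATTERN.findall(text)))

# Constructed stand-in for Windows-Module-Template.bat: the placeholders are the
# real ones, the batch lines and %TOOLSPATH%/%OUTPUTPATH% are assumptions.
TEMPLATE = (
    "REM Module: [Tool name], written DD Month YYYY by [Your Name] ([@Twitterhandle])\n"
    "REM Version: YYYYMMDD  Source: [Executable download location, if applicable]\n"
    ":[MODULENAME]MODULE\n"
    "REM ADD the [Executable name] output under [Output folder]\n"
    "\"%TOOLSPATH%\\[Tool path]\" [command line arguments] "
    "\"%OUTPUTPATH%\\[Output folder]\\[Output file name and file extension]\"\n"
)

# The values the post substitutes for the wirelessnetview walk-through.
WIRELESSNETVIEW = {
    "YYYYMMDD": "20150917", "DD": "17", "Month": "September", "YYYY": "2015",
    "[Your Name]": "Brian Moran", "[you@emailaddress]": "brian@brimorlabs.com",
    "[Twitter name]": "BriMor Labs", "[@Twitterhandle]": "@BriMorLabs",
    "[MODULENAME]": "WIRELESSNETVIEW", "[command line arguments]": "/shtml",
    "[Tool path]": "wirelessnetview\\WirelessNetView.exe",
    "[Output folder]": "NetworkInfo", "[Tool name]": "Wirelessnetview",
    "[Output file name and file extension]": "Wirelessnetview.html",
    "[Executable name]": "WirelessNetView.exe",
    "[Executable download location, if applicable]": "http://www.nirsoft.net/utils/wireless_network_view.html",
}
```

Run `fill_template(TEMPLATE, WIRELESSNETVIEW)` and refuse to save the module if `leftover_placeholders` returns anything.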



Screenshot of our new module, after replacing the text!

Now that our module is written, we have to add the module to whichever of the batch scripts we would like. I usually like to keep the modules that perform similar functions near each other, so in this case I am going to add it after the PRCVIEWMODULE. The easiest way to do this is simply to copy the five lines of text associated with the PRCVIEWMODULE entry and paste them directly below it.


Selecting the code associated with PRCVIEWMODULE


Copying the code associated with PRCVIEWMODULE to create a new subroutine for our new module


Once you have it copied, change the GOTO ....MODULE line in the original module to the name of your new module. In this case, we would change it to GOTO WIRELESSNETVIEWMODULE. Then change the name of the pasted subroutine itself to the name of your module, in this case WIRELESSNETVIEWMODULE.


Adding WIRELESSNETVIEWMODULE code

Finally, change the name of the batch script that is being called to the name of your newly created script, then save it. That is it, you are all done!


Our module is fully added!

It is best to run your module(s) on a test system before deploying it widely, just to ensure that everything works properly. Also ensure that you add the code for your new module to each of the six batch scripts, if you so desire. 


I hope that this tutorial has been helpful, please do not hesitate to contact me if you have any additional questions or comments as you create your own modules for the Live Response Collection!





LiveResponseCollection-Bambiraptor.zip - download here 

MD5: 8603e36be474e8b69c652e5dc86adc2e
SHA-256: ec79422ce2e7218a7bc57b0caf52a5eae2eca98810ac466dddac1115aade493e 

Updated: December 12, 2016