Invoke-SysInternals.ps1
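<#PSScriptInfo
.VERSION 1.0.1
.GUID 4f32a59d-1cc5-4d06-a762-c7fc5028f662
.AUTHOR Kalichuza
.COMPANYNAME
.COPYRIGHT
.TAGS SysInternals Admin Security Live
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>

<#
.DESCRIPTION
Run SysInternals in memory. Use the -List flag to list all tools as they are mapped,
or the -DriveLetter flag to change the default from the Z: drive. Cleans itself up
on close of the PS session.
#>
Param()

function Invoke-SysInternals {
    <#
    .SYNOPSIS
    Maps the SysInternals Live share (\\live.sysinternals.com\tools) as a
    non-persistent PSDrive and exposes each known tool as a global alias for
    the current session.

    .PARAMETER DriveLetter
    Single drive letter to map the share to. Defaults to Z.

    .PARAMETER List
    Print the tool names this script knows about and return without mapping
    or aliasing anything.

    .NOTES
    Every alias points at an .exe that is read from the remote share each
    time it is run. This function performs no signature check on those
    binaries; if the path to live.sysinternals.com (DNS, proxy, transport)
    is not trusted, inspect a tool with Get-AuthenticodeSignature before use.
    #>
    param (
        # Restrict to one letter: anything else produces bogus "X:\" paths
        # and a confusing New-PSDrive error later.
        [ValidatePattern('^[A-Za-z]$')]
        [string]$DriveLetter = "Z",
        [switch]$List
    )

    # SysInternals tools that get an alias. Names must match the .exe file
    # names on the share (case-insensitive on the provider).
    $tools = @(
        "accesschk", "accesschk64", "AccessEnum", "ADExplorer", "ADExplorer64",
        "ADInsight", "ADInsight64", "adrestore", "adrestore64", "Autologon",
        "Autologon64", "Autoruns", "Autoruns64", "autorunsc", "autorunsc64",
        "Bginfo", "Bginfo64", "Cacheset", "Cacheset64", "Clockres", "Clockres64",
        "Contig", "Contig64", "Coreinfo", "Coreinfo64", "CPUSTRES", "CPUSTRES64",
        "ctrl2cap", "Dbgview", "Dbgview64", "Desktops", "Desktops64", "disk2vhd",
        "disk2vhd64", "diskext", "diskext64", "Diskmon", "Diskmon64", "DiskView",
        "DiskView64", "du", "du64", "efsdump", "FindLinks", "FindLinks64",
        "handle", "handle64", "hex2dec", "hex2dec64", "junction", "junction64",
        "ldmdump", "Listdlls", "Listdlls64", "livekd", "livekd64", "LoadOrd",
        "LoadOrd64", "LoadOrdC", "LoadOrdC64", "logonsessions", "logonsessions64",
        "movefile", "movefile64", "notmyfault", "notmyfault64", "notmyfaultc",
        "notmyfaultc64", "ntfsinfo", "ntfsinfo64", "pendmoves", "pendmoves64",
        "pipelist", "pipelist64", "portmon", "procdump", "procdump64", "procexp",
        "procexp64", "procmon", "procmon64", "PsExec", "PsExec64", "psfile",
        "psfile64", "PsGetsid", "PsGetsid64", "PsInfo", "PsInfo64", "pskill",
        "pskill64", "pslist", "pslist64", "PsLoggedon", "PsLoggedon64",
        "psloglist", "psloglist64", "pspasswd", "pspasswd64", "psping", "psping64",
        "PsService", "PsService64", "PsShutdown", "PsShutdown64", "pssuspend",
        "pssuspend64", "RAMMap", "RAMMap64", "RDCMan", "RegDelNull", "RegDelNull64",
        "Reghide", "regjump", "RootkitRevealer", "sdelete", "sdelete64",
        "ShareEnum", "ShareEnum64", "ShellRunas", "sigcheck", "sigcheck64",
        "streams", "streams64", "strings", "strings64", "sync", "sync64",
        "Sysmon", "Sysmon64", "tcpvcon", "tcpvcon64", "tcpview", "tcpview64",
        "Testlimit", "Testlimit64", "Vmmap", "Vmmap64", "Volumeid", "Volumeid64",
        "whois", "whois64", "Winobj", "Winobj64", "ZoomIt", "ZoomIt64"
    )

    # -List: print the known tool names and stop; nothing is mapped.
    if ($List) {
        Write-Host "`n[+] Available SysInternals Tools:"
        $tools | Sort-Object | ForEach-Object { Write-Host " $_" }
        return
    }

    $driveRoot = "$DriveLetter`:\"

    # Reuse an existing drive of that name rather than fail on a duplicate.
    if (Test-Path "$DriveLetter`:") {
        Write-Host "[!] SysInternals drive already mapped as $DriveLetter`:. Skipping..."
    } else {
        # Non-persistent: the mapping disappears with the session by itself;
        # the PowerShell.Exiting handler below only makes that explicit.
        Write-Host "[+] Mapping SysInternals Live to $DriveLetter`:"
        New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\live.sysinternals.com\tools" -Persist:$false -Scope Global | Out-Null
        if (Test-Path $driveRoot) {
            Write-Host "[+] Successfully mapped SysInternals Live."
        } else {
            Write-Host "[!] Failed to map SysInternals Live. Check network connectivity."
            return
        }
    }

    # Put the drive root on PATH once per session (the aliases below are the
    # primary lookup; PATH is the fallback). Guard against appending the same
    # entry again when the function is invoked more than once.
    if (($env:Path -split ';') -notcontains $driveRoot) {
        $env:Path = "$env:Path;$driveRoot"
    }

    # Global aliases win over functions, cmdlets and external commands, so
    # names such as du, strings, sync, handle and whois resolve to the
    # SysInternals binaries for the rest of the session. SilentlyContinue
    # hides failures on read-only/constant aliases; use -Force if those must
    # be overridden.
    foreach ($tool in $tools) {
        Set-Alias -Name $tool -Value "$driveRoot$tool.exe" -Scope Global -ErrorAction SilentlyContinue
    }
    Write-Host "[+] Hardcoded SysInternals tools are now accessible globally."

    # Unmap on graceful exit. The action runs in its own scope, so the drive
    # letter is passed through -MessageData and read back from $Event:
    # function locals are not visible there, and $using: is only honoured by
    # remoting/jobs, not engine-event actions. PowerShell.Exiting fires on
    # 'exit' or end of script, not when the host window is killed.
    Register-EngineEvent -SourceIdentifier PowerShell.Exiting -MessageData $DriveLetter -Action {
        $letter = $Event.MessageData
        if (Test-Path "$letter`:") {
            Remove-PSDrive -Name $letter -Force -ErrorAction SilentlyContinue
            Write-Host "[+] SysInternals drive $letter`: has been unmapped."
        }
    } | Out-Null
}

# Run function with the script's arguments (the stray trailing pipe that
# followed this call has been removed: an empty pipe element is a parse error).
Invoke-SysInternals @args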