Description of this Hybrid code : Scan4Shortcuts.bat
This is a script that scans a user-selected folder for shortcut files with suspicious target paths.
The script is executed as a batch file and PowerShell script hybrid, allowing it to be run by both interpreters.
When executed, the script prompts the user to select a folder to scan for shortcuts.
It then searches for all shortcut files in the selected folder and its subfolders that end with the .lnk extension.
For each shortcut file found, the script extracts the target path and creation date, and concatenates any arguments included in the shortcut.
It then checks whether the target path (with any arguments appended) contains any of the specified suspicious strings.
If a suspicious string is found in the target path, the shortcut file name, path, target path, and creation date are recorded in a dictionary.
The script also creates two CSV files:
one containing all the shortcut files found in the selected folder and its subfolders, and another containing only the shortcut files with suspicious target paths.
Both CSV files are saved on the user's desktop.
If the script finds any shortcut files with suspicious target paths, it opens the suspicious paths CSV file automatically.
Finally, the script displays the results in a pop-up window using Out-GridView.
This allows the user to interact with the results, search for specific values, and sort them.
The user can analyze the results further using the CSV files created by the script.
Copy and paste the code below into Notepad or Notepad++ and save it as
Scan4Shortcuts.bat
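<# : Batch Script Section
@rem # The previous line does nothing in Batch, but opens a multi-line comment block in PowerShell, so this one file can be run by both interpreters.
@echo off
Title Scan For Suspicious Shortcuts Targets On %COMPUTERNAME% by Hackoo 2023 & Mode 80,8
setlocal
cd /d "%~dp0"
Color 1E & echo( & Echo(
Echo( Choose a folder to Scan for shortcuts targets On %COMPUTERNAME% ...
rem Pass this file's own path to PowerShell through an environment variable instead of
rem pasting it into the command text. A path containing an apostrophe would otherwise end
rem the quoted string early and the rest of the path would be parsed as PowerShell code.
set "SCAN4SHORTCUTS_SELF=%~f0"
rem -NoProfile keeps user profile scripts out of the scanner process.
rem -ExecutionPolicy Bypass applies to this one PowerShell process only.
Powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression ([System.IO.File]::ReadAllText($env:SCAN4SHORTCUTS_SELF))"
EndLocal
goto:eof
#>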
# ---- PowerShell section ----
# From here on the file is read as PowerShell; the batch launcher above sits
# inside a PowerShell block comment and is skipped.
Clear-Host
Add-Type -AssemblyName System.Windows.Forms

# Folder picker rooted at the Desktop; the "New Folder" button is hidden because
# the scan only reads an existing folder.
$folderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog -Property @{
    RootFolder          = [System.Environment+SpecialFolder]::Desktop
    Description         = "Select a Folder to search for shortcuts on it"
    ShowNewFolderButton = $false
}

# Any result other than OK (Cancel, closing the window) ends the script here.
$dialogResult = $folderBrowser.ShowDialog()
if ($dialogResult -ne [System.Windows.Forms.DialogResult]::OK) {
    Write-Host "Folder selection cancelled."
    exit
}
$folderPath = $folderBrowser.SelectedPath
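Write-Host "Please Wait a While ... Scanning is in Progress ..." -ForegroundColor Cyan

# Collect every .lnk file under the selected folder.
#  -LiteralPath : the folder name is taken as-is. With a wildcard-interpreting path,
#                 a folder such as "[backup]" is read as a pattern and the scan
#                 silently reports no shortcuts.
#  -Force       : hidden and system shortcuts are included in the scan.
#  -File        : directories whose name ends in .lnk are skipped.
#  Where-Object : -Filter can also match longer extensions that start with "lnk",
#                 so the extension is compared exactly.
# Unreadable folders are skipped rather than aborting the scan, but they are
# counted so that a partial scan is not presented as a complete one.
$shortcutFiles = @(
    Get-ChildItem -LiteralPath $folderPath -Filter '*.lnk' -Recurse -File -Force `
        -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
        Where-Object { $_.Extension -eq '.lnk' }
)

if ($shortcutFiles.Count -eq 0) {
    Write-Host "No shortcut files found in the selected folder."
    exit
}
Clear-Host

# Printed after the screen is cleared so that the message stays visible.
if ($scanErrors.Count -gt 0) {
    Write-Warning "$($scanErrors.Count) location(s) could not be read; the results may be incomplete."
}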
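# Build the two report paths on the user's desktop.
# The desktop location is asked from Windows instead of assuming
# "%UserProfile%\desktop": when the Desktop folder is redirected (for example to a
# synced or network location) that hard-coded path may not exist and the export fails.
$desktopDir = [Environment]::GetFolderPath('DesktopDirectory')
if ([string]::IsNullOrEmpty($desktopDir)) {
    # Fall back to the original location if Windows reports no desktop folder.
    $desktopDir = "$env:UserProfile\desktop"
}

# A three-character path is a drive root such as "C:\": use the drive letter as the
# report suffix. Otherwise use the last component of the selected folder path.
if ($folderPath.Length -eq 3) {
    $reportSuffix = $folderPath.Substring(0, 1)
} else {
    $reportSuffix = $folderPath.Split('\')[-1]
}

$csvPath = "$desktopDir\SuspectPaths_${reportSuffix}.csv"   # suspicious shortcuts only
$ALL     = "$desktopDir\ALL_Shortcuts_${reportSuffix}.csv"  # every shortcut found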
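# Read every shortcut, flag the ones whose target (plus arguments) contains a
# suspicious string, then write the two CSV reports and show the results grid.
$totalFiles  = @($shortcutFiles).Count
$currentFile = 0

# Created once and reused; the original created a new COM object for every file.
$shell = New-Object -ComObject WScript.Shell

# Case-insensitive substrings looked for anywhere in "target path + arguments".
# This is a triage heuristic, not a verdict: a short entry such as "bat" also
# matches unrelated paths (for example one containing "Acrobat"), and a shortcut
# that matches nothing on this list has not been shown to be harmless.
$suspectStrings = @("SKYPEE", "GOOGLEUPDATE.A3X","cmd","powershell","bat","vbs")

# Keyed by the shortcut's full path. Keying by file name alone made two shortcuts
# with the same name in different folders overwrite each other, so only the last
# one reached the suspicious-paths report.
$suspectPaths = [ordered]@{}

$results = foreach ($shortcutFile in $shortcutFiles) {
    $currentFile++
    $percentComplete = [math]::Round(($currentFile / $totalFiles) * 100)
    $statusText = "Processing file $currentFile of $totalFiles ... $percentComplete%"
    Write-Progress -Activity "Processing shortcuts" -PercentComplete $percentComplete -Status $statusText

    $Name         = $shortcutFile.Name
    $creationDate = $shortcutFile.CreationTime

    # If reading a shortcut fails, the variables are reset explicitly. Without this,
    # a failed call leaves $shortcut holding the previous file's object and that
    # file's target would be reported for the current shortcut.
    try {
        $shortcut   = $shell.CreateShortcut($shortcutFile.FullName)
        $targetPath = $shortcut.TargetPath
        $arguments  = $shortcut.Arguments
    } catch {
        Write-Warning "Could not read shortcut '$($shortcutFile.FullName)': $($_.Exception.Message)"
        $targetPath = ''
        $arguments  = ''
    }

    # Arguments are appended so that a command hidden behind a harmless-looking
    # target is also compared against the list.
    if (-not [string]::IsNullOrEmpty($arguments)) {
        $targetPath = "$targetPath $arguments"
    }

    # The first matching string is enough to flag the shortcut.
    foreach ($suspectString in $suspectStrings) {
        if ($targetPath -like "*$suspectString*") {
            $suspectPaths[$shortcutFile.FullName] = [PSCustomObject]@{
                ShortcutName = $Name
                ShortcutFile = $shortcutFile.FullName
                TargetPath   = $targetPath
                CreationDate = $creationDate
            }
            break
        }
    }

    # One row per shortcut for the "all shortcuts" report and the grid.
    [PSCustomObject]@{
        ShortcutName    = $Name
        'Shortcut File' = $shortcutFile.FullName
        TargetPath      = $targetPath
        'Creation Date' = $creationDate
    }
}
Write-Progress -Activity "Processing shortcuts" -Completed

# -LiteralPath: the report names contain the scanned folder's name, which may hold
# characters that -Path would treat as wildcards.
$hasSuspects = $suspectPaths.Count -gt 0
if ($hasSuspects) {
    $suspectPaths.Values | Export-Csv -LiteralPath $csvPath -NoTypeInformation -Encoding UTF8
} else {
    Write-Host "No shortcut matched the suspicious strings list."
}
$results | Export-Csv -LiteralPath $All -NoTypeInformation -Encoding UTF8
$results | Out-GridView -Title "Results" -Wait

# Open the suspicious-paths report only when this run produced it; a file left on
# the desktop by an earlier run must not be shown as the current result.
# The cell values come from the scanned shortcut files, so treat them as untrusted
# text in whichever program is registered to open .csv files.
if ($hasSuspects -and (Test-Path -LiteralPath $csvPath)) {
    Invoke-Item -LiteralPath $csvPath
}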