Vynae can be found on my GitHub.
Vynae is a fleshed-out version of the original project, PidHunter. PidHunter was written for use in the Collegiate Cyber Defense Competition for tracing process IDs and gathering simple information about processes running in Windows Server environments. It started as a lightweight script that could be deployed on multiple servers and return consistent results. Mainly, it was used to detect Crowd Strike beacons after we discovered one of our servers had a beacon running on it. I wanted a way to pull up process and network information on the fly without needing to run multiple commands or tools. As such, it was hyper-specific to the situation I was in. While I originally tried to expand PidHunter to be useful in normal operations, it never really took off and was abandoned.
Cue summer semester 2022 where I found I had a good amount of extra time before classes started in earnest. I needed to take a break from some other projects, and as I'm taking an IR class this summer, I wanted to work on a project related to that. As I was digging through some older projects, I came across PidHunter and decided to roll with it. I very quickly realized that PidHunter was not something that could be updated without fully restarting it from bottom to top. To begin with, it relied entirely on WMI instead of CIM and used conversions to take the PowerShell objects and convert them into string variables for output formatting. This cut out a lot of functionality and advantage that PowerShell has when working with objects, and heavily reflected the inexperience I had writing PowerShell code at the time.
A little side note, Windows Management Framework is a Microsoft version of the open-source standard Common Information Model. CIM provides the same access as WMI, while also being more secure to use, and having more future-proofing as Microsoft is deprecating WMIC and likely WMI at some point. They seem to have been moving away from WMI to the more secure WinRM.
Moving on, after I decided to start from scratch on Vynae, I also wanted to create a more distinct output that was easier to understand at a glance. Unfortunately, I originally decided on re-writing the process tracing and information gathering functions of PidHunter, so I stuck with hardcoded Write-Host output formatting. As feature creep rose, the viability of this solution sunk greatly. One of the future updates will pass all formatting to a special function, allowing the actual process handling functions better readability. Regardless, I made the choice to have the most important information output in green and, in the case of a bad result, red. This allowed a break in the standard white on blue and made parsing through the results visually, easier.
Regarding feature creep, Vynae added network connection filtering, hashing, improved PPID tracing, and process spawn tracing. PidHunter only supported the display of certain process information and filtering by name or ID. As these features came to mind, they were added to the code without much planning or thought. This led the code to be rather redundant, leaving each function self-contained. The code then is somewhat lacking in readability and conciseness. This is something to be addressed at some point in the future but isn't a large issue for the moment.
Keeping in mind the intended features and the outcome goals (Using CIM and output formatting), I decided to use parameters instead of relying purely on arguments as PidHunter had. I hadn't used parameters in PowerShell scripts before, and a lot of the earlier code reflects that. Instead of directly using the values of the parameters in individual functions, I tended to pass them as variables and then use the value of the passed variable within the function. While this isn't a terrible issue, it does lead some functions to have redundant code and extra lines.
Vynae is the first 'completed' project I've done, in the sense that it meets all the original design goals and features. Typically, I draft something out and then leave it sitting, not moving forward with the project. As such, I've gone all out with it, and plan on keeping it updated for some time, adding improvements and optimizations over time. It isn't necessarily solving any great problem in tech, but I do think that it's a nifty little script that can be used in the day-to-day to get process information without running multiple commands.
Vynae is a fleshed-out version of the original project, PidHunter. PidHunter was written for use in the Collegiate Cyber Defense Competition for tracing process IDs and gathering simple information about processes running in Windows Server environments. It started as a lightweight script that could be deployed on multiple servers and return consistent results. Mainly, it was used to detect Crowd Strike beacons after we discovered one of our servers had a beacon running on it. I wanted a way to pull up process and network information on the fly without needing to run multiple commands or tools. As such, it was hyper-specific to the situation I was in. While I originally tried to expand PidHunter to be useful in normal operations, it never really took off and was abandoned.
Cue summer semester 2022 where I found I had a good amount of extra time before classes started in earnest. I needed to take a break from some other projects, and as I'm taking an IR class this summer, I wanted to work on a project related to that. As I was digging through some older projects, I came across PidHunter and decided to roll with it. I very quickly realized that PidHunter was not something that could be updated without fully restarting it from bottom to top. To begin with, it relied entirely on WMI instead of CIM and used conversions to take the PowerShell objects and convert them into string variables for output formatting. This cut out a lot of functionality and advantage that PowerShell has when working with objects, and heavily reflected the inexperience I had writing PowerShell code at the time.
A little side note, Windows Management Framework is a Microsoft version of the open-source standard Common Information Model. CIM provides the same access as WMI, while also being more secure to use, and having more future-proofing as Microsoft is deprecating WMIC and likely WMI at some point. They seem to have been moving away from WMI to the more secure WinRM.
Moving on, after I decided to start from scratch on Vynae, I also wanted to create a more distinct output that was easier to understand at a glance. Unfortunately, I originally decided on re-writing the process tracing and information gathering functions of PidHunter, so I stuck with hardcoded Write-Host output formatting. As feature creep rose, the viability of this solution sunk greatly. One of the future updates will pass all formatting to a special function, allowing the actual process handling functions better readability. Regardless, I made the choice to have the most important information output in green and, in the case of a bad result, red. This allowed a break in the standard white on blue and made parsing through the results visually, easier.
Regarding feature creep, Vynae added network connection filtering, hashing, improved PPID tracing, and process spawn tracing. PidHunter only supported the display of certain process information and filtering by name or ID. As these features came to mind, they were added to the code without much planning or thought. This led the code to be rather redundant, leaving each function self-contained. The code then is somewhat lacking in readability and conciseness. This is something to be addressed at some point in the future but isn't a large issue for the moment.
Keeping in mind the intended features and the outcome goals (Using CIM and output formatting), I decided to use parameters instead of relying purely on arguments as PidHunter had. I hadn't used parameters in PowerShell scripts before, and a lot of the earlier code reflects that. Instead of directly using the values of the parameters in individual functions, I tended to pass them as variables and then use the value of the passed variable within the function. While this isn't a terrible issue, it does lead some functions to have redundant code and extra lines.
Vynae is the first 'completed' project I've done, in the sense that it meets all the original design goals and features. Typically, I draft something out and then leave it sitting, not moving forward with the project. As such, I've gone all out with it, and plan on keeping it updated for some time, adding improvements and optimizations over time. It isn't necessarily solving any great problem in tech, but I do think that it's a nifty little script that can be used in the day-to-day to get process information without running multiple commands.
Comments
Post a Comment