0

我很难弄清楚这段代码在哪里出错,以及为什么 Select-Object 没有返回所需的对象属性作为输出。非常感谢对这里发生的事情的任何输入,或任何潜在的修复。

我通过(单独的)处理程序脚本从 Sysmon 日志中收集所有唯一的 sha256 哈希值,然后处理程序脚本针对这些哈希值执行下面的脚本/代码。此处理程序脚本运行下面看到的代码,然后将其输出 (script.ps1 | export-csv) 输送到 Export-Csv 函数中。但是,我在 csv 输出中获取每个对象的数组,而不是带有列标题和所需对象属性的格式化 CSV 文件。

为了完整起见,运行此(下面的代码)script.ps1 文件的处理程序脚本是Kansa 

# VirusTotal API Key 
$apikeyVirusTotal = "ABC123MyFreeVirusTotalAPIKey" 

$hashArray = @() #Array to hold multiple objects 

# VirusTotal Function - API/URI 
Function SubmitVirusTotalURL($hash) {
    Write-Host "Sleeping to avoid rate control."
    Start-Sleep -Seconds 16
    Write-Verbose "Checking VirusTotal: $hash"    
    $response = Invoke-WebRequest -Uri "https://www.virustotal.com/vtapi/v2/file/report?apikey=$apikeyVirusTotal&resource=$hash" | ConvertFrom-Json
    return $response
}

# Import the CSV File and assign it to the variable $CSV
$CSV = Import-Csv -Path ".\test.csv"
#For each line in CSV get the column name value   
foreach ($line in $CSV){
    $hashCount = $line.ct 
    $hash = $line.sha256
    IF($hashCount -lt 2 -and (-not ([string]::IsNullOrEmpty($hash)))){
        $httpResponse = SubmitVirusTotalURL($hash)        
        #create a custom object to hold VT data
        $obj = [PSCustomObject]@{
            'hash' = $hash 
            'sha256'   = $httpResponse.sha256
            'Detections' = $httpResponse.positives
            'TotalScanners' = $httpResponse.total
            'VTReport' = $httpResponse.permalink
        }
        $hashArray += $obj
    }
}
$hashArray

示例输入文件 test.csv:

ct, sha256
3, A3CFFBD12ACDB85D24A13E3976B8795C5611DA05C2017755D87B5ECE38D50806
3, 0CD2F3CF62B768F4036605665E6DD888F431B8FEBDA77D07E852F12523072FFC
4, 405F03534BE8B45185695F68DEB47D4DAF04DCD6DF9D351CA6831D3721B1EFC4
1, FAKEHA534BE8B45185695F68DEB47D4DAF04DCD6DF9D351CA6831D3721B1EFC4

这会产生一个包含如下输出的 csv 文件: 

@{Sha256=0cd2f3cf62b768f4036605665e6dd888f431b8febda77d07e852f12523072ffc    Detections=0    TotalScanners=72    VTReport=https://www.virustotal.com/gui/file/0cd2f3cf62b768f4036605665e6dd888f431b8febda77d07e852f12523072ffc/detection/f-0cd2f3cf62b768f4036605665e6dd888f431b8febda77d07e852f12523072ffc-1589711909}
@{Sha256=7edc950ecfbbb043a62f31f01be2710892bb34455dd7ea435ce1346873d3f36f    Detections=0    TotalScanners=69    VTReport=https://www.virustotal.com/gui/file/7edc950ecfbbb043a62f31f01be2710892bb34455dd7ea435ce1346873d3f36f/detection/f-7edc950ecfbbb043a62f31f01be2710892bb34455dd7ea435ce1346873d3f36f-1572295279}
@{Sha256=8eaa83ed280a3d7d4f8dd3e4f8cbc28cb7fc74947cfca133fb627db0bc767f30    Detections=0    TotalScanners=71    VTReport=https://www.virustotal.com/gui/file/8eaa83ed280a3d7d4f8dd3e4f8cbc28cb7fc74947cfca133fb627db0bc767f30/detection/f-8eaa83ed280a3d7d4f8dd3e4f8cbc28cb7fc74947cfca133fb627db0bc767f30-1569383486}
@{Sha256=e871e48f75b213a51cf13a3a397c1b31b10b516cb4cfb5f0682c85387d3c5ed9    Detections=0    TotalScanners=72    VTReport=https://www.virustotal.com/gui/file/e871e48f75b213a51cf13a3a397c1b31b10b516cb4cfb5f0682c85387d3c5ed9/detection/f-e871e48f75b213a51cf13a3a397c1b31b10b516cb4cfb5f0682c85387d3c5ed9-1587296148}

为了增加我的困惑,我创建了一个功能几乎相同的测试脚本,减去添加 sha256Array @() 并且我能够毫无问题地将输出通过管道传输到 Format-Table。

这里发生了什么?为什么我会使用如此相似的代码得到两种不同类型的输出,我该如何纠正这些问题?

4

1 回答 1

1

正如上面所有的评论,避免构建你现在正在做的方式:

删除这一行:

$hashArray = @() #Array to hold multiple objects

现在使用:

#For each line in CSV get the column name value   
$CSV | ForEach-Object {
    $hashCount = $_.ct 
    $hash = $_.sha256
    If($hashCount -lt 2 -and (-not ([string]::IsNullOrEmpty($hash)))){
        $httpResponse = SubmitVirusTotalURL($hash)        
        #create a custom object to hold VT data
        [PSCustomObject]@{
            'hash' = $hash 
            'sha256'   = $httpResponse.sha256
            'Detections' = $httpResponse.positives
            'TotalScanners' = $httpResponse.total
            'VTReport' = $httpResponse.permalink
        }
    }
}

如上所述,如果这变成了字符串值,那么问题在于您如何通过管道$hasharray传输到 csv。您可以直接通过管道传输到 csv 或保存在变量中以检查对象:

$hasharray = $CSV | ForEach-Object {
    $hashCount = $_.ct 
    $hash = $_.sha256
    If($hashCount -lt 2 -and (-not ([string]::IsNullOrEmpty($hash)))){
        $httpResponse = SubmitVirusTotalURL($hash)        
        #create a custom object to hold VT data
        [PSCustomObject]@{
            'hash' = $hash 
            'sha256'   = $httpResponse.sha256
            'Detections' = $httpResponse.positives
            'TotalScanners' = $httpResponse.total
            'VTReport' = $httpResponse.permalink
        }
    }
}
$hasharray | Export-Csv -Path 'pathtocsv\csvname.csv' -NoTypeInformation
于 2020-05-20T19:28:33.263 回答