# Finds log4j resources on Windows machines
# by Christian Blechert <[email protected]>
# jar files are zip archives; System.IO.Compression.FileSystem supplies ZipFile/ZipArchive
Add-Type -assembly "system.io.compression.filesystem"
# Legend for the confidence tag that precedes every reported version
$legend = @(
    "detected = reliable detection of log4j2",
    "guess = log4j1, the bundle version field from the manifest",
    "unsure = the implementation version field from the manifest",
    ""
)
foreach ($legendLine in $legend) {
    Write-Host $legendLine
}
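# Returns the version string for a jar that bundles log4j classes, or $null when the
# archive contains none. Detection is by entry path only: a copy relocated to another
# package (shaded) or nested inside a war/ear/fat-jar is not found. Both the log4j 1.x
# (org/apache/log4j) and 2.x (org/apache/logging/log4j) layouts match, and a hit only
# means log4j is bundled -- it is not a vulnerability verdict. Verify the reported
# version (and, for 2.x, whether org/apache/logging/log4j/core/lookup/JndiLookup.class
# is present) before acting on it. Throws when the file cannot be opened as a zip.
function Get-Log4jVersionFromJar {
    param([string]$JarPath)
    $zip = $null
    try {
        $zip = [io.compression.zipfile]::OpenRead($JarPath)
        # @(...) forces an array: with exactly one match, .Length on the bare result is
        # that entry's uncompressed byte size (0 for a directory entry), not the match count
        $log4jEntries = @($zip.Entries | Where-Object { $_.FullName -match "^org/apache/(log4j|logging/log4j)" })
        if ($log4jEntries.Count -eq 0) {
            return $null
        }

        # Read the manifest straight out of the archive instead of extracting it to disk
        # next to the script: no leftover _MANIFEST.MF, and nothing written to "\" when
        # $PSScriptRoot is empty (script pasted into a console). A jar without a manifest
        # is reported as "Version unknown" rather than failing on a null entry.
        $manifestLines = @()
        $metaInf = $zip.Entries | Where-Object { $_.FullName -eq "META-INF/MANIFEST.MF" } | Select-Object -First 1
        if ($null -ne $metaInf) {
            $reader = New-Object System.IO.StreamReader($metaInf.Open())
            try {
                $manifestLines = $reader.ReadToEnd() -split "`r?`n"
            } finally {
                $reader.Dispose()
            }
        }

        # Manifest attributes tried in order of decreasing confidence; the tag is the legend
        # printed at the top of the script. Only the first line naming an attribute is used,
        # so $Matches always refers to that single line (an array on the left of -match does
        # not populate $Matches).
        $candidates = @(
            @{ Attribute = "Log4jReleaseVersion";    Tag = "detected log4j2" },
            @{ Attribute = "Bundle-Version";         Tag = "guess log4j1" },
            @{ Attribute = "Implementation-Version"; Tag = "unsure" }
        )
        foreach ($candidate in $candidates) {
            $line = $manifestLines | Where-Object { $_ -match "^$($candidate.Attribute):" } | Select-Object -First 1
            if ($line -and $line -match '^[^:]+:\s*(.*)$') {
                return "$($Matches[1]) ($($candidate.Tag))"
            }
        }
        return "Version unknown"
    } finally {
        # release the file handle for every jar, including the ones that raised
        if ($null -ne $zip) { $zip.Dispose() }
    }
}

# Scan every local NTFS volume that has a drive letter. Get-ChildItem errors (access
# denied, path too long) are silenced, so directories this user cannot read are skipped
# without notice -- run elevated for full coverage. Get-CimInstance (PS 3.0+) replaces
# Get-WmiObject, which PowerShell 7 no longer ships.
Get-CimInstance Win32_Volume |
    Where-Object { $_.FileSystem -match "ntfs" -and $_.Name -match "^[A-Z]:" } |
    Sort-Object { $_.Name } |
    ForEach-Object {
        Get-ChildItem $_.Name -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '\.jar$' } |
            Select-Object -ExpandProperty FullName |
            ForEach-Object {
                $jarPath = $_
                try {
                    $version = Get-Log4jVersionFromJar -JarPath $jarPath
                } catch {
                    # not a readable zip (truncated, locked, or a .jar that is no archive):
                    # report it instead of aborting the pipeline or skipping it silently
                    Write-Warning "cannot read $jarPath : $($_.Exception.Message)"
                    return
                }
                if ($null -ne $version) {
                    # print hit: <version><TAB><path>
                    Write-Host "$version`t$jarPath"
                }
            }
    }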
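# Pause when the script was started by double-click, so its own console window does not
# close before the results can be read. Heuristic: an interactive host starts the
# interpreter with no arguments, so its command line ends right after the executable,
# whereas Explorer appends "-file <script>". Get-CimInstance (PS 3.0+) replaces
# Get-WmiObject, which PowerShell 7 no longer ships, and pwsh.exe is accepted next to
# powershell.exe so the script does not always pause under PowerShell 7. If the process
# query yields no command line the script pauses, as before.
$ownProcess = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
if ($ownProcess.CommandLine -notmatch '\\(powershell|pwsh)\.exe"?\s*$') {
    Write-Host ""
    pause
}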
# eof