@curi0usJack
Last active January 8, 2023 01:40
# Root directory of the search; every *.exe below it is enumerated.
$exepath = 'c:\windows'
# Fragments looked for in each binary's help output (passed to Select-String as patterns).
$searchstrings = @('/url', '/uri', '/wildcard', '/format', '/path')
# File names that are never started, only logged.
$skip = @('logoff.exe', 'mcrmgr.exe', 'audit.exe')
# Names of binaries whose help output matched, and names already processed.
$foundin = @()
$testedbins = @()
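#######################################
# Starts one executable with the given argument string, captures its
# standard output/error and returns them together with the exit code.
#
# Both streams are redirected and drained on background tasks, so a child
# that writes more than the pipe buffer to either stream cannot block
# before the 2-second WaitForExit timeout; a child still running after the
# timeout is killed.
#
# Arguments:
#   $commandPath      - full path of the executable to start
#   $commandArguments - argument string handed to the process
# Returns:
#   [pscustomobject] with
#     stdout   - captured standard output ("" if the process never started)
#     stderr   - captured standard error ("" if the process never started)
#     ExitCode - exit code, or $null if the process never started
#######################################
Function Execute-Command ($commandPath, $commandArguments)
{
    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName = $commandPath
    $pinfo.Arguments = $commandArguments
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.UseShellExecute = $false

    $p = New-Object System.Diagnostics.Process
    $p.StartInfo = $pinfo

    $retstdout = ""
    $retstderr = ""
    $exitcode = $null
    try {
        if ($p.Start()) {
            # Read both streams asynchronously: a synchronous ReadToEnd on one
            # stream while the other fills its pipe deadlocks the child.
            $outTask = $p.StandardOutput.ReadToEndAsync()
            $errTask = $p.StandardError.ReadToEndAsync()

            # Give the child 2 seconds; kill it if it is still running.
            if (-not $p.WaitForExit(2000)) {
                try { $p.Kill() } catch { }   # may already have exited by now
                $p.WaitForExit()
            }

            $retstdout = $outTask.Result
            $retstderr = $errTask.Result
            # ExitCode must be read before Dispose(): once the handle is
            # released the property throws instead of returning the code.
            $exitcode = $p.ExitCode
        }
    }
    catch {
        # Start() or a stream read failed (e.g. not a valid Win32 image,
        # access denied): report empty output and no exit code.
        $retstdout = ""
        $retstderr = ""
        $exitcode = $null
    }
    finally {
        $p.Dispose()
    }

    [pscustomobject]@{
        stdout   = $retstdout
        stderr   = $retstderr
        ExitCode = $exitcode
    }
}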
Write-Output "Searching exes for $searchstrings"

# Enumerate every *.exe under $exepath; directories that cannot be read are skipped silently.
$exes = Get-ChildItem -Path $exepath -Filter "*.exe" -Recurse -ErrorAction SilentlyContinue

foreach ($exe in $exes) {
    $name = $exe.Name
    $fullpath = "{0}\{1}" -f $exe.DirectoryName, $name
    Add-Content -Path "./exeout.log" -Value "[-] Testing... $fullpath"

    # A name on the skip list, or one already processed, is not started again.
    $alreadyHandled = ($skip -contains $name) -or ($testedbins -contains $name)
    if ($alreadyHandled) {
        # Second copy of a binary whose help output already matched: log it only.
        if ($foundin -contains $name) {
            $dup = "[+] Duplicate Found binary: $fullpath"
            Write-Host $dup -foreground yellow
            Add-Content -Path "./exeout.log" -Value $dup
        }
    }
    else {
        $exeout = Execute-Command $fullpath "/?"
        $matched = $exeout.stdout | Select-String -Pattern $searchstrings -Quiet
        if ($matched) {
            $hit = "[+] Found in $fullpath"
            Write-Host $hit -foreground Green
            Add-Content -Path "./exeout.log" -Value $hit
            $foundin += $name
            Add-Content -Path "./exefulloutput.log" -Value $name
            Add-Content -Path "./exefulloutput.log" -Value $exeout.stdout
        }
    }
    $testedbins += $name
}

Write-Output "`n[-] Done!`n"