Created
September 28, 2016 22:06
-
-
Save tfaris/cc47a8a4e9735d1de00650c32fd355fc to your computer and use it in GitHub Desktop.
[ArmedXpert Plugin] Programmatically Unblock a file that has been downloaded from the internet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
""" | |
Removes the NTFS file stream that indicates that a file has been | |
downloaded from the internet untrusted zone. | |
Requires clrtype.py library (see https://raw.githubusercontent.com/IronLanguages/main/master/Languages/IronPython/Samples/ClrType/clrtype.py). | |
""" | |
import sys | |
import os | |
import clr | |
import clrtype | |
import System | |
from System.Runtime.InteropServices import ( | |
DllImportAttribute, PreserveSigAttribute, CharSet | |
) | |
DllImport = clrtype.attribute(DllImportAttribute) | |
PreserveSig = clrtype.attribute(PreserveSigAttribute) | |
class PInvoke(object): | |
__metaclass__ = clrtype.ClrClass | |
@staticmethod | |
@DllImport('kernel32', CharSet = CharSet.Ansi) | |
@PreserveSig() | |
@clrtype.accepts(System.String) | |
@clrtype.returns(System.Void) | |
def DeleteFile(name): raise Exception("this should not be called directly...") | |
# NOTE: The important part here is the extra ":Zone.Identifier" at the end of the filename. | |
clr.GetClrType(PInvoke).GetMethod('DeleteFile').Invoke( | |
None, | |
System.Array[object]([r'filename.dll:Zone.Identifier']) | |
) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment