Last active
December 24, 2020 14:13
-
-
Save u1735067/1b7bbeb3c78ca7c73439d7a29b63a519 to your computer and use it in GitHub Desktop.
This script scan files for the Zone.Identifier stream (ADS : Alternate Data Streams) and prints the referrer + host URLs if available
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# Help with Powershell encoding: | |
# [Console]::InputEncoding = [Console]::OutputEncoding = [Text.UTF8Encoding]::new() | |
# $env:PYTHONIOENCODING="utf-8" | |
import argparse, pathlib | |
parser = argparse.ArgumentParser(description='This script scan files for the Zone.Identifier stream (ADS : Alternate Data Streams) and prints the referrer + host URLs if available') | |
parser.add_argument('path', metavar='PATH', type=pathlib.Path, help='Path (file or directory) to scan') | |
parser.add_argument('-r', '--recurse', action='store_true', help='Recurse subdirectories') | |
parser.add_argument('-ia', '--include-about', action='store_true', help='Include about:client, about:internet entries') | |
args = parser.parse_args() | |
if args.path.is_file(): | |
file_list = (args.path,) | |
elif args.path.is_dir(): | |
file_list = args.path.glob('**/*' if args.recurse else '*') | |
else: | |
parser.error('PATH should point to a file or directory') | |
for file in file_list: | |
try: | |
with file.with_name(file.name + ':Zone.Identifier').open('r') as z: | |
infos = [] | |
for line in z.readlines(): | |
if any(s in line for s in {'ReferrerUrl', 'HostUrl'}): | |
line = line.strip() | |
if not args.include_about and line in {'ReferrerUrl=about:client', 'HostUrl=about:internet'}: | |
continue | |
infos.append(line) | |
if infos: | |
print('-- {}\n{}\n'.format( | |
file.relative_to(args.path), | |
'\n'.join(infos) | |
)) | |
except: | |
pass |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment