Merge pull request #2 from Idov31/dev

Version 1.0
Idov31 · Apr 17, 2022 · 4efceb5 · 4efceb5
2 parents 38297c0 + 21d584f
commit 4efceb5
Show file tree

Hide file tree

Showing 6 changed files with 348 additions and 21 deletions.
diff --git a/Modules/Files.psm1 b/Modules/Files.psm1
@@ -10,13 +10,40 @@ function Clear-Files {
         $user,
 
         [Boolean]
-        $runAsUser
+        $runAsUser,
+
+        [String[]]
+        $exclusions
     )
+    $res = $true
+
+    if (-not $exclusions.Contains("pshistory")) {
+        Clear-Powershell $encodedPowershellHistory $user
+    }
+
+    if (-not $exclusions.Contains("inetcache")) {
+        Clear-InetCache $time $user
+    }
+
+    if (-not $exclusions.Contains("windowshistory")) {
+        Clear-WindowsHistory $time $user
+    }
+
+    if (-not $exclusions.Contains("officehistory")) {
+        Clear-OfficeHistory $time $user
+    }
 
-    if (!$runAsUser) {
-        Clear-Prefetches $time
+    if (-not $exclusions.Contains("cryptnetcache")) {
+        Clear-CryptNetUrlCache $time $user
+    }
+
+    if (!$runAsUser -and -not $exclusions.Contains("prefetch")) {
+        if ($(Clear-Prefetches $time) -eq $false) {
+            $res = $false
+        }
     }
-    Clear-Powershell $encodedPowershellHistory $user
+
+    return $res
 }
 
 function Clear-Powershell {
@@ -59,6 +86,139 @@ function Clear-Prefetches {
     }
     else {
         Write-Host "[-] Couldn't remove prefetch artifacts, rerun as admin or delete manually." -ForegroundColor Yellow
+        return $false
+    }
+
+    return $true
+}
+
+function Clear-InetCache {
+    param (
+        [DateTime]
+        $time,
+
+        [String]
+        $user
+    )
+
+    $inetCacheFolders = Get-ChildItem "C:\Users\$($user)\AppData\Local\Microsoft\Windows\INetCache" -Force -Directory
+
+    if ($inetCacheFolders) {
+
+        foreach ($inetCacheFolder in $inetCacheFolders) {
+
+            if ($inetCacheFolder.Name -eq "Content.IE5") {
+                continue
+            }
+            $inetCache = Get-ChildItem $inetCacheFolder.FullName -Recurse -Force -File
+
+            # Iterating inet cache.
+            foreach ($inet in $inetCache) {
+                if ($inet.Name -eq "container.dat") {
+                    continue
+                }
+                $delta = $inet.CreationTime - $time
+
+                # If the inet cache file created within the range of the wanted timespan. - remove it.
+                if ($delta -gt 0) {
+                    Remove-Item $inet.FullName -Force
+                }
+            }
+        }
+
+        Write-Host "[+] Removed inet cache artifacts!" -ForegroundColor Green
+    }
+}
+
+function Clear-OfficeHistory {
+    param (
+        [DateTime]
+        $time,
+
+        [String]
+        $user
+    )
+
+    $officeHistoryPath = "C:\Users\$($user)\AppData\Roaming\Microsoft\Office\Recent"
+
+    if (-not $(Test-Path $officeHistoryPath)) {
+        return
+    }
+
+    $officeHistory = Get-ChildItem $officeHistoryPath
+
+    if ($officeHistory) {
+
+        # Iterating office history.
+        foreach ($file in $officeHistory) {
+
+            if ($file.Name -eq "index.dat") {
+                continue
+            }
+
+            $delta = $file.CreationTime - $time
+
+            # If the office history file created within the range of the wanted timespan. - remove it.
+            if ($delta -gt 0) {
+                Remove-Item $file.FullName
+            }
+        }
+
+        Write-Host "[+] Removed office history artifacts!" -ForegroundColor Green
+    }
+}
+
+function Clear-WindowsHistory {
+    param (
+        [DateTime]
+        $time,
+
+        [String]
+        $user
+    )
+
+    $windowsHistory = Get-ChildItem "C:\Users\$($user)\AppData\Roaming\Microsoft\Windows\Recent" -File -Recurse
+
+    if ($windowsHistory) {
+
+        # Iterating windows history.
+        foreach ($file in $windowsHistory) {
+            $delta = $file.CreationTime - $time
+
+            # If the windows history file created within the range of the wanted timespan. - remove it.
+            if ($delta -gt 0) {
+                Remove-Item $file.FullName
+            }
+        }
+
+        Write-Host "[+] Removed windows history artifacts!" -ForegroundColor Green
+    }
+}
+
+function Clear-CryptNetUrlCache {
+    param (
+        [DateTime]
+        $time,
+
+        [String]
+        $user
+    )
+
+    $cryptNetUrlCache = Get-ChildItem "C:\Users\$($user)\AppData\LocalLow\Microsoft\CryptnetUrlCache" -File -Recurse -Force
+
+    if ($cryptNetUrlCache) {
+
+        # Iterating cryptnet url cache.
+        foreach ($file in $cryptNetUrlCache) {
+            $delta = $file.CreationTime - $time
+
+            # If the cryptnet url cache file created within the range of the wanted timespan. - remove it.
+            if ($delta -gt 0) {
+                Remove-Item $file.FullName -Force
+            }
+        }
+
+        Write-Host "[+] Removed cryptnet url cache artifacts!" -ForegroundColor Green
     }
 }
 

diff --git a/Modules/Registry.psm1 b/Modules/Registry.psm1
@@ -8,11 +8,18 @@ function Clear-Registry {
         $users,
 
         [Boolean]
-        $runAsUser
+        $runAsUser,
+
+        [String[]]
+        $exclusions
     )
     $result = $true
 
-    if (!$runAsUser) {
+    if (-not $exclusions.Contains("userassist")) {
+        Clear-UserAssist $time $users
+    }
+
+    if (!$runAsUser -and -not $exclusions.Contains("bamkey")) {
         if (!$(Clear-BamKey $time $users)) {
             $result = $false
         }
@@ -65,4 +72,56 @@ function Clear-BamKey {
     return $true
 }
 
+function Clear-UserAssist {
+    param (
+        [DateTime]
+        $time,
+
+        [String[]]
+        $users
+    )
+
+    # Registring the HKEY_USERS hive.
+    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
+    $userAssistKeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
+
+    foreach ($user in $users) {
+        $sid = $(New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value
+
+        # Checking if the user has user assist key.
+        if (!(Test-Path "HKU:\$($sid)\$($userAssistKeyPath)")) {
+            continue
+        }
+        $userAssistKey = Get-Item "HKU:\$($sid)\$($userAssistKeyPath)"
+
+        # Searching for values created within the range of the timespan.
+        foreach ($subKeyName in $userAssistKey.GetSubKeyNames()) {
+            $currentUserAssistKey = Get-Item "HKU:\$($sid)\$($userAssistKeyPath)\$($subKeyName)\Count"
+
+            foreach ($valueName in $currentUserAssistKey.GetValueNames()) {
+                if ($valueName -eq "HRZR_PGYFRFFVBA") {
+                    continue
+                }
+
+                $rawTimestamp = $currentUserAssistKey.GetValue($valueName)
+
+                # To cover the Windows 7 and Windows 7 and onwards versions.
+                if ($rawTimestamp.Length -gt 68) {
+                    $timestamp = Get-Date ([DateTime]::FromFileTime([bitconverter]::ToInt64($rawTimestamp,60)))
+                }
+                else {
+                    $timestamp = Get-Date ([DateTime]::FromFileTime([bitconverter]::ToInt64($rawTimestamp,8)))
+                }
+
+                $delta = $timestamp - $time
+
+                if ($delta -gt 0) {
+                    Remove-ItemProperty -Path "HKU:\$($sid)\$($userAssistKeyPath)\$($subKeyName)\Count" -Name $valueName
+                }
+            }
+        }
+    }
+    Write-Host "[+] Removed user assist artifacts!" -ForegroundColor Green
+}
+
 Export-ModuleMember -Function Clear-Registry