Merge pull request #383 from twosixlabs/phil-docs-update2

Phil docs update2

bin/windows-build.bat

@@ -2,10 +2,9 @@
 @ECHO Configuring execution environment . . .
 SET WORKDIR=%SystemDrive%\app
 SET TEMP=%SystemDrive%\SaviorTemp
-SET PYTHONUNBUFFERED=0
-SET PYTHONVER=3.6.5
 SET POWERSHELL=powershell -NoProfile -ExecutionPolicy Bypass 
 SET WINVIRTUE=%SystemDrive%\WinVirtUE
+SET PYTHONVER=3.6.5
 
 MKDIR %WORKDIR%
 MKDIR %TEMP%
@@ -16,15 +15,8 @@ MKDIR %WINVIRTUE%
 %TEMP%\vs_BuildTools.exe --quiet --wait --add Microsoft.VisualStudio.Workload.MSBuildTools --add Microsoft.VisualStudio.Component.VC.140 --add Microsoft.VisualStudio.Component.VC.Redist.14.Latest --includeRecommended 
 DEL /F /Q %TEMP%\vs_BuildTools.exe
 
-@ECHO Download and Install python . . . 
-%POWERSHELL% [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri "https://www.python.org/ftp/python/%PYTHONVER%/python-%PYTHONVER%.exe" -OutFile %TEMP%\python-%PYTHONVER%.exe 
-%TEMP%\python-%PYTHONVER%.exe /quiet InstallAllUsers=1 PrependPath=1 TargetDir=%SystemDrive%\Python%PYTHONVER% CompileAll=1 -Wait 
-DEL /F /Q %TEMP%\python-%PYTHONVER%.exe
-SET PATH=%SystemDrive%\Python%PYTHONVER%\Scripts;%SystemDrive%\Python%PYTHONVER%;%PATH%
-python -m pip install --upgrade pip
-
 @ECHO Installing ntfltmgr
-python -m pip install sensors\ntfltmgr
+pip install sensors\ntfltmgr
 
 @ECHO Go to the windows target directory from .\savior
 PUSHD targets\win-target
@@ -47,14 +39,13 @@ RMDIR /q /s  .\app
 POPD
 
 RMDIR /Q /S %TEMP%
-copy /y c:\Python%PYTHONVER%\Lib\site-packages\pywin32_system32\pywintypes36.dll c:\Python%PYTHONVER%\lib\site-packages\win32
 
-SET PYTHONPATH=%SystemDrive%\
-PUSHD %SystemDrive%\
+copy /y c:\Python%PYTHONVER%\Lib\site-packages\pywin32_system32\pywintypes36.dll c:\Python%PYTHONVER%\lib\site-packages\win32
+PUSHD %WINVIRTUE%
 sc config WinVirtue start=auto
-python .\WinVirtUE\service_winvirtue.py --startup=auto install
+python %SystemDrive%\WinVirtUE\service_winvirtue.py --startup=auto install
 sc config "WinVirtUE Service" depend=WinVirtUE
-python .\WinVirtUE\service_winvirtue.py start
+python %SystemDrive%\WinVirtUE\service_winvirtue.py start
 sc failure "WinVirtUE Service" reset=1 actions=restart/100
 POPD
 

bin/windows-update.bat

@@ -2,17 +2,14 @@
 @ECHO Configuring execution environment . . .
 SET WORKDIR=%SystemDrive%\app
 SET TEMP=%SystemDrive%\SaviorTemp
-SET PYTHONUNBUFFERED=0
-SET PYTHONVER=3.6.5
 SET POWERSHELL=powershell -NoProfile -ExecutionPolicy Bypass 
 SET WINVIRTUE=%SystemDrive%\WinVirtUE
+SET PYTHONVER=3.6.5
 
 MKDIR %WORKDIR%
 MKDIR %TEMP%
 MKDIR %WINVIRTUE%
 
-SET PATH=%SystemDrive%\Python%PYTHONVER%\Scripts;%SystemDrive%\Python%PYTHONVER%;%PATH%
-
 python -m pip install --upgrade pip
 
 @ECHO Go to the windows target directory from .\savior
@@ -37,14 +34,12 @@ POPD
 
 RMDIR /Q /S %TEMP%
 
-SET PYTHONPATH=%SystemDrive%\
 copy /y c:\Python%PYTHONVER%\Lib\site-packages\pywin32_system32\pywintypes36.dll c:\Python%PYTHONVER%\lib\site-packages\win32
-
-PUSHD %SystemDrive%\
+PUSHD %WINVIRTUE%
 sc config WinVirtue start=auto
-python .\WinVirtUE\service_winvirtue.py --startup=auto install
+python %SystemDrive%\WinVirtUE\service_winvirtue.py --startup=auto install
 sc config "WinVirtUE Service" depend=WinVirtUE
-python .\WinVirtUE\service_winvirtue.py start
+python %SystemDrive%\WinVirtUE\service_winvirtue.py start
 sc failure "WinVirtUE Service" reset=1 actions=restart/100
 POPD
 

targets/win-target/README.md

@@ -1,3 +1,85 @@
+# Windows Sensors - Windows User Space Sensor Installation and Run Instructions
+
+## Commandline Installation
+1. Spin up an AWS m4.large instance using the `ami-05d864f01373c854a` AMI, this is a clean Windows 10 machine with SSH Host installed using the `vrtu` key for access.
+
+2. Connect to the new instance via
+`ssh -i <PATH/TO/vrtu> virtue-admin@<ipaddress>`
+
+3. Once connected, run the following commands to install git and python. Note that the later batch files **depend** on Python 3.6.5 being located in `c:\Python3.6.5`.
+
+```cmd
+@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"```
+```
+```cmd
+refreshenv
+choco install git -y
+```
+```
+choco install python3 --version 3.6.5 --install-arguments="TargetDir=C:\Python3.6.5 InstallAllUsers=1 PrependPath=1 CompileAll=1" --force -y
+```
+```
+refreshenv
+```
+
+4. Download this repo to the virtue-admin directory
+```cmd
+cd %userprofile%
+git clone https://twosix-savior:[email protected]/twosixlabs/savior.git
+```
+
+5. Enter the /savior subdirectory and run the python sensor install script
+```Cmd
+cd savior
+python bin\install_sensors.py
+```
+
+6. Execute the windows build batch to install necessary Visual Studio components, build the sensors, and configure the Winvirtue service to autostart
+```Cmd
+bin\windows-build.bat
+```
+
+7. Install the Windows Sensor Driver. The latest file is located on the [Releases Page](https://github.com/twosixlabs/savior/releases), scroll down to find the Windows Driver download. You can download v1.0-rc1-win via the following curl command. Note that because the driver is unsigned, it cannot be installed via commandline and must be done via RDP (step 8).
+```Cmd
+curl -O -J -L -H "Accept: application/octet-stream"  https://[email protected]/repos/twosixlabs/savior/releases/assets/11033641
+```
+
+8. RDP into the Windows system, extract the zip file, enter the folder, right click on WinVirtUE.inf and select `Install`, then Yes to the prompt to allow the driver to install. **Reboot** the Windows system.
+
+9. Verify the driver and sensor are active, either with the following command line queries, or by checking `services.msc` via RDP and looking for `Windows Virtue Service` in the list. The service should be `Started` and the driver should be loaded, the service cannot start without the driver present.
+```Cmd
+sc query winvirtue
+sc query "winvirtue service"
+```
+Output should be
+```
+virtue-admin@DESKTOP-IO0F0I9 C:\Users\virtue-admin>sc query winvirtue
+
+SERVICE_NAME: winvirtue
+        TYPE               : 2  FILE_SYSTEM_DRIVER
+        STATE              : 4  RUNNING
+                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
+        WIN32_EXIT_CODE    : 0  (0x0)
+        SERVICE_EXIT_CODE  : 0  (0x0)
+        CHECKPOINT         : 0x0
+        WAIT_HINT          : 0x0
+
+virtue-admin@DESKTOP-IO0F0I9 C:\Users\virtue-admin>sc query "winvirtue service"
+
+SERVICE_NAME: winvirtue service
+        TYPE               : 10  WIN32_OWN_PROCESS
+        STATE              : 4  RUNNING
+                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+        WIN32_EXIT_CODE    : 0  (0x0)
+        SERVICE_EXIT_CODE  : 0  (0x0)
+        CHECKPOINT         : 0x0
+        WAIT_HINT          : 0x0
+```
+
+# Updating Sensors (if required)
+1. Stop all sensors by killing the pythonservices.exe running winvirtue service (Task Manager, Advanced, Processes, pythonservices.exe, End Task)
+2. From the .\savior directory, pull all changes
+=======
 # Windows User Space Sensor Installation and Run Instructions
 
 ## Bootstrap a Windows 2016 Server AWS Instance
@@ -32,6 +114,7 @@ bin\windows-update.bat
 # Updating Sensors (if required)
 1. Stop all sensors by stopping the Winvirtue Service, either from `services.msc` or killing it from Task Manager.
 2. From the \savior directory, pull all changes
+
 ```Cmd
 git pull -v
 ```
@@ -41,7 +124,7 @@ bin\windows-update.bat
 ```
 
 
-# Basic Windows Sensors
+## Windows Sensors Monitor:
 1. Process Creation and Destruction.  
 
 2. Module load (and optional signature analysis)