decoyboy

monitor of file copy to/from usb


decoyboy

Hey All,

New to the forum but been here as a guest for a while.

Here is the code I put together from others.

What this script does is monitor for cdrom/usb; when one is detected it does a dir of the cdrom/usb and emails it to me. It alerts me when it is plugged in and disconnected.

I want to thank those who made the different parts of the code, as I just put it together.

What I am looking to do is trigger an email if a file is copied to/from the usb/cdrom? Is there a wmi event or autoit event I can use?

Thanks in advance

decoyboy

CODE
;
;##################################
; Include
;##################################
#Include<file.au3>
;##################################
; Variables
;##################################
$SmtpServer = "192.168.1.1" ; address for the smtp-server to use - REQUIRED
$FromName = "usb/cdrom watcher" ; name from who the email was sent
$FromAddress = "admin@admin.com" ; address from where the mail should come
$ToAddress = "admin@admin.com" ; destination address of the email - REQUIRED
$Subject = @ComputerName & ' ' & @UserName ; subject from the email - can be anything you want it to be
$Body = "" ; the messagebody from the mail - can be left blank but then you get a blank mail
$AttachFiles = 'c:\' & @UserName & '-' & @ComputerName ; the file you want to attach- leave blank if not needed
$CcAddress = "" ; address for cc - leave blank if not needed
$BccAddress = "" ; address for bcc - leave blank if not needed
$Importance = "Normal" ; Send message priority: "High", "Normal", "Low"
$Username = "" ; username for the account used from where the mail gets sent - REQUIRED
$Password = "" ; password for the account used from where the mail gets sent - REQUIRED
$IPPort = 25 ; port used for sending the mail
$ssl = 0 ; enables/disables secure socket layer sending - put to 1 if using httpS
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
; Temporary WMI subscription: poll every 5 seconds for logical disks appearing, changing or disappearing
$colEvents = $objWMIService.ExecNotificationQuery _
        ("Select * From __InstanceOperationEvent Within 5 Where " _
        & "TargetInstance isa 'Win32_LogicalDisk'")
;~ $IPPort=465 ; GMAIL port used for sending the mail
;~ $ssl=1 ; GMAILenables/disables secure socket layer sending - put to 1 if using httpS
;##################################
; Script
;##################################
Global $oMyRet[2]
Global $oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")
TraySetState(2)
;

While 1
    $objEvent = $colEvents.NextEvent
    ; DriveType 2 = removable disk (USB stick)
    If $objEvent.TargetInstance.DriveType = 2 Then
        Select
            Case $objEvent.Path_.Class()="__InstanceCreationEvent"
                Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & " has been added." & @CR)
                ; save a recursive directory listing of the new drive and mail it
                RunWait(@ComSpec & " /c " & 'dir ' & $objEvent.TargetInstance.DeviceId & ' /s > c:\' & @UserName & '-' & @ComputerName & '-usb.txt', "", @SW_HIDE)
                $rc = _INetSmtpMailCom($SmtpServer, $FromName, $FromAddress, $ToAddress, $Subject & ' detected usb', $Body, $AttachFiles & '-usb.txt', $CcAddress, $BccAddress, $Importance, $Username, $Password, $IPPort, $ssl)
                If @error Then
                    MsgBox(0, "Error sending message", "Error code:" & @error & " Description:" & $rc)
                EndIf
            Case $objEvent.Path_.Class()="__InstanceDeletionEvent"
                Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & " has been removed." & @CR)
                $rc = _INetSmtpMailCom($SmtpServer, $FromName, $FromAddress, $ToAddress, $Subject & ' ejected usb', $Body, $AttachFiles & '-usb.txt', $CcAddress, $BccAddress, $Importance, $Username, $Password, $IPPort, $ssl)
                If @error Then
                    MsgBox(0, "Error sending message", "Error code:" & @error & " Description:" & $rc)
                EndIf
                ; remove the listing once the eject mail has been sent
                RunWait(@ComSpec & " /c " & 'del c:\' & @UserName & '-' & @ComputerName & '-usb.txt', "", @SW_HIDE)
        EndSelect
    EndIf
    ; DriveType 5 = CD-ROM; media insert/eject shows up as a change in drive status
    If $objEvent.TargetInstance.DriveType = 5 Then
        $drivestatus = DriveStatus( $objEvent.TargetInstance.DeviceId & "\" )
        Select
            Case $drivestatus="READY"
                Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & " has cdrom." & @CR)
                RunWait(@ComSpec & " /c " & 'dir ' & $objEvent.TargetInstance.DeviceId & ' /s > c:\' & @UserName & '-' & @ComputerName & '-cdrom.txt', "", @SW_HIDE)
                $rc = _INetSmtpMailCom($SmtpServer, $FromName, $FromAddress, $ToAddress, $Subject & ' detected cdrom', $Body, $AttachFiles & '-cdrom.txt', $CcAddress, $BccAddress, $Importance, $Username, $Password, $IPPort, $ssl)
                If @error Then
                    MsgBox(0, "Error sending message", "Error code:" & @error & " Description:" & $rc)
                EndIf
            Case $drivestatus="NOTREADY"
                Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & " has no cdrom." & @CR)
                $rc = _INetSmtpMailCom($SmtpServer, $FromName, $FromAddress, $ToAddress, $Subject & ' ejected cdrom', $Body, $AttachFiles & '-cdrom.txt', $CcAddress, $BccAddress, $Importance, $Username, $Password, $IPPort, $ssl)
                If @error Then
                    MsgBox(0, "Error sending message", "Error code:" & @error & " Description:" & $rc)
                EndIf
                RunWait(@ComSpec & " /c " & 'del c:\' & @UserName & '-' & @ComputerName & '-cdrom.txt', "", @SW_HIDE)
        EndSelect
    EndIf
    Consolewrite($objEvent.TargetInstance.DriveType & @CR)
WEnd

; The UDF
Func _INetSmtpMailCom($s_SmtpServer, $s_FromName, $s_FromAddress, $s_ToAddress, $s_Subject = "", $as_Body = "", $s_AttachFiles = "", $s_CcAddress = "", $s_BccAddress = "", $s_Importance="Normal", $s_Username = "", $s_Password = "", $IPPort = 25, $ssl = 0)
    Local $objEmail = ObjCreate("CDO.Message")
    $objEmail.From = '"' & $s_FromName & '" <' & $s_FromAddress & '>'
    $objEmail.To = $s_ToAddress
    Local $i_Error = 0
    Local $i_Error_desciption = ""
    If $s_CcAddress <> "" Then $objEmail.Cc = $s_CcAddress
    If $s_BccAddress <> "" Then $objEmail.Bcc = $s_BccAddress
    $objEmail.Subject = $s_Subject
    ; a body containing both "<" and ">" is sent as HTML, anything else as plain text
    If StringInStr($as_Body, "<") And StringInStr($as_Body, ">") Then
        $objEmail.HTMLBody = $as_Body
    Else
        $objEmail.Textbody = $as_Body & @CRLF
    EndIf
    If $s_AttachFiles <> "" Then
        ; several attachments can be passed separated by ";"
        Local $S_Files2Attach = StringSplit($s_AttachFiles, ";")
        For $x = 1 To $S_Files2Attach[0]
            $S_Files2Attach[$x] = _PathFull($S_Files2Attach[$x])
            ConsoleWrite('@@ Debug(62) : $S_Files2Attach = ' & $S_Files2Attach[$x] & @LF & '>Error code: ' & @error & @LF) ;### Debug Console
            If FileExists($S_Files2Attach[$x]) Then
                $objEmail.AddAttachment ($S_Files2Attach[$x])
            Else
                ConsoleWrite('!> File not found to attach: ' & $S_Files2Attach[$x] & @LF)
                SetError(1)
                Return 0
            EndIf
        Next
    EndIf
    $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = $s_SmtpServer
    If Number($IPPort) = 0 then $IPPort = 25
    $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = $IPPort
    ;Authenticated SMTP
    If $s_Username <> "" Then
        $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
        $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusername") = $s_Username
        $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendpassword") = $s_Password
    EndIf
    If $ssl Then
        $objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = True
    EndIf
    ;Update settings
    $objEmail.Configuration.Fields.Update
    ; Set Email Importance
    Switch $s_Importance
        Case "High"
            $objEmail.Fields.Item ("urn:schemas:mailheader:Importance") = "High"
        Case "Normal"
            $objEmail.Fields.Item ("urn:schemas:mailheader:Importance") = "Normal"
        Case "Low"
            $objEmail.Fields.Item ("urn:schemas:mailheader:Importance") = "Low"
    EndSwitch
    $objEmail.Fields.Update
    ; Send the message
    $objEmail.Send
    If @error Then
        SetError(2)
        Return $oMyRet[1] ; description captured by the COM error handler
    EndIf
    $objEmail=""
EndFunc ;==>_INetSmtpMailCom

;
;
; Com Error Handler
Func MyErrFunc()
    $HexNumber = Hex($oMyError.number, 8)
    $oMyRet[0] = $HexNumber
    $oMyRet[1] = StringStripWS($oMyError.description, 3)
    ConsoleWrite("### COM Error ! Number: " & $HexNumber & " ScriptLine: " & $oMyError.scriptline & " Description:" & $oMyRet[1] & @LF)
    SetError(1); something to check for when this function returns
    Return
EndFunc ;==>MyErrFunc

decoyboy

hey all,

I hope someone can assist me with translating this WMI to AutoIt.

From the WMI forums for Microsoft I got this.

This is an Example for a MOF File that Monitors File Creation in Drive E: (Assumed to be the USB Drive), and Send an SMTP Email Message each time a File is Being Created there (There is no Specific Filter for File Creation - This is a very Simple implementation, You can try to Modify it a little so it will be more relevant only to File Copy)

// 1. Change the context to Root\Subscription namespace
// All standard consumer classes are
// registered there.
#pragma namespace("\\\\.\\root\\subscription")

// 2. Create an instance of __EventFilter class
// and use its Query property to store
// your WQL event query.
instance of __EventFilter as $EventFilter
{
    Name = "File Copy Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "SELECT * From __InstanceCreationEvent WITHIN 5 Where "
            "TargetInstance ISA \"CIM_DATAFile\" And TargetInstance.Drive=\"E:\" ";
    QueryLanguage = "WQL";
};

// 3. Create an instance of __EventConsumer
// derived class. (ActiveScriptEventConsumer
// SMTPEventConsumer etc...)
instance of SMTPEventConsumer as $Consumer
{
    Name = "File Copy SMTP Consumer";
    FromLine = "Administrator@Domain.Com";
    Message = "A File Named %TargetInstance.FileName% Was Copied to Drive %TargetInstance.Drive%\n"
              "Probably a USB Device";
    SMTPServer = "SMTPSRV.Domain.Com";
    Subject = "File Copy to USB on Computer %TargetInstance.CSName%";
    ToLine = "SecurityTeam@Domain.Com";
};

// 4. Join the two instances by creating
// an instance of __FilterToConsumerBinding
// class.
instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer = $Consumer;
};

In order to modify it or play with it a little I would check changing the SMTPEventConsumer to an ActiveScriptEventConsumer, and in the filter section filter on file modification (__InstanceModificationEvent), and then in the consumer check the previous file size of the file being modified;

if the current size is bigger, then most chances are that the file is being copied.

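The MOF filter above can also be used from AutoIt as a temporary subscription through ExecNotificationQuery, the same call the first post's script uses for Win32_LogicalDisk. This is an added example, not code from the thread: it widens the filter to all instance operations so the file-size comparison suggested above can be applied, and `$sDrive` and `_ReportFileEvent()` are assumptions (the latter is a hypothetical hook where the thread's `_INetSmtpMailCom()` call would go).

```autoit
; Added example (not from the thread): temporary WMI subscription for file events on one drive.
Global $oErr = ObjEvent("AutoIt.Error", "_ComErr")
Global $sDrive = "E:" ; assumption: drive letter of the USB device, as hard-coded in the MOF
Global $oEvent, $oFile, $iOld, $iNew

Global $oWMI = ObjGet("winmgmts:\\.\root\cimv2")
; Same WQL as the MOF __EventFilter, widened from creation-only to all instance operations.
; WITHIN 5 makes WMI re-enumerate CIM_DataFile every 5 seconds, so keep the Drive clause.
Global $colFileEvents = $oWMI.ExecNotificationQuery( _
        "SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " & _
        "TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Drive='" & $sDrive & "'")

While 1
    $oEvent = $colFileEvents.NextEvent() ; blocks until WMI delivers an event
    If Not IsObj($oEvent) Then ContinueLoop
    $oFile = $oEvent.TargetInstance
    Switch $oEvent.Path_.Class
        Case "__InstanceCreationEvent"
            _ReportFileEvent("created", $oFile.Name, $oFile.FileSize)
        Case "__InstanceModificationEvent"
            ; FileSize is a uint64 and arrives as a string, hence Number().
            ; Growth between two polls suggests a copy onto the drive is in progress.
            $iOld = Number($oEvent.PreviousInstance.FileSize)
            $iNew = Number($oFile.FileSize)
            If $iNew > $iOld Then _ReportFileEvent("grew " & $iOld & " -> " & $iNew, $oFile.Name, $iNew)
        Case "__InstanceDeletionEvent"
            _ReportFileEvent("deleted", $oFile.Name, $oFile.FileSize)
    EndSwitch
WEnd

; Hypothetical reporting hook: logs one line per event; replace the body with a mail call.
Func _ReportFileEvent($sWhat, $sPath, $iSize)
    ConsoleWrite(@YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & _
            " " & @ComputerName & "\" & @UserName & " " & $sWhat & ": " & $sPath & _
            " (" & $iSize & " bytes)" & @CRLF)
EndFunc   ;==>_ReportFileEvent

Func _ComErr()
    ConsoleWrite("COM error 0x" & Hex($oErr.number, 8) & ": " & _
            StringStripWS($oErr.description, 3) & @CRLF)
EndFunc   ;==>_ComErr
```

Reading a file off the drive changes no CIM_DataFile instance on it, so this only sees writes to `$sDrive`; a copy from the drive shows up as a file created on the destination volume.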
