- 该文件用于打包成主程序 - USBLogSrv.exe
# 获取通过USB总线连接的所有移动盘# Get-Disk | Where-Object {$_.Bustype -eq "USB"}# 获取磁盘号# $disk_num = (Get-Disk | Where-Object {$_.Bustype -eq "USB"}).number# 查看值的数据类型# echo $disk_num.GetType()# 获取移动盘盘符function GetDrive {# 获取磁盘号$num = (Get-Disk | Where-Object {$_.Bustype -eq "USB"}).number# 磁盘信息# ($num | ForEach-Object{(Get-Disk -Number $_) |Format-list number,FriendlyName,SerialNumber,@{name='Size(GB)';expression={$_.Size / 1GB -as [int]}}} | Out-String).Trim()if($num.count -ne 0){# 获取对应的盘符$drive = $num | ForEach-Object{((Get-Partition -DiskNumber $_) | ?{!$_.IsHidden}).DriveLetter}return $drive}}# 获取移动盘分区剩余大小function DriveSize {$drv = GetDriveif($drv.count -ne 0){$disk_remain_size = (Get-Volume -DriveLetter $drv).SizeRemainingreturn $disk_remain_size}}# 获取本机物理网卡IPfunction ip{$macadd = (Get-NetAdapter -Physical | ? Status -EQ "Up").MacAddress$address = foreach($address in (ipconfig /all) -like '*地址*') { ($address -split ' : ')[-1]}# $macadd使用ForEach-Object,是考虑到PC有多个物理网卡$macadd | ForEach-Object{# 将$_赋值给$macadd, 是为了和$address的$_做区分$macadd = $_$address | ForEach-Object{if($_ -like '*首选*'){$index = [array]::IndexOf($address, $_)$host_mac = $address[$($index-1)]if($host_mac -eq $macadd){$ip = ($_ -split '\(')[0]return $ip}}}}}# 钉钉报警function ddalert($ipfun, $info){$time = (Get-Date).ToShortTimeString()# 接收定义的ip函数作为参数传入$ip = Invoke-Command $ipfun#在15:41过去5分钟内,主机DN2D-00088,IP地址10.2.234.13,拷贝 50.91 MB大小数据到 F 移动盘$content = $time + " 主机" + $env:COMPUTERNAME + ",IP地址" + $ip + "," + $info$par = @{msgtype = "text";text = @{content = $content;};}$parjson = $par | ConvertTo-Json# 内网告警群#$ddhook = "https://oapi.dingtalk.com/robot/send?access_token=xxxxxx"# 深圳告警群$ddhook = "https://oapi.dingtalk.com/robot/send?access_token=xxxxx"# 使Json支持中文$PostData = [System.Text.Encoding]::UTF8.GetBytes($parjson)$Header = @{"Content-Type" = "application/json;charset=utf-8"}# 参数UseBasicParsing对URI只进行简单解析,可提高效率Invoke-WebRequest -Uri $ddhook -Method Post -Body $PostData -Headers $Header -UseBasicParsing | Out-Null# 输出日志到本地msg $content}# 输出日志信息到本地function msg($message){$date = (Get-Date).GetDateTimeFormats()[1]$folder = Test-Path $env:PUBLIC\USBLogsif($folder -eq $false){New-Item -Path "$env:PUBLIC\" -Name "USBLogs" -ItemType "directory" | Out-Null}$message >> $env:PUBLIC\USBLogs\$date.log}while(1){if(GetDrive){$before = DriveSize# 间隔1分钟检测一次sleep 60$after = DriveSize# 判断是否拷贝数据$len = $after.Countfor($i=0;$i -lt $len;$i++){$b = $before[$i]$a = $after[$i]if($a -lt $b){# {0:N2}保留两位小数点$filesize = "{0:N2}" -f $(($b - $a) / 1MB)# 获取拷贝数据的移动盘具体分区盘符$drive = (Get-Volume (GetDrive) | ?{$_.SizeRemaining -eq $a}).DriveLetter$info = "拷贝 $filesize MB大小数据到 $drive 移动盘"#$message = $time + " 主机" + $env:COMPUTERNAME + ",IP地址" + (ip) + "," + $info# 输出日志到钉钉机器人( 将${function:ip}函数ip作为参数,传递给函数ddalert )ddalert ${function:ip} $info#ddalert $message $info$before = $after}elseif($a -gt $b){$before = $after}}}$time = (Get-Date).ToShortTimeString()if($time -eq "12:30"){$path = "$env:PUBLIC\USBLogSrv"# update.ps1存放路径powershell -noprofile -command "&{ start-process powershell -ArgumentList '-noprofile -file $path\update.ps1' -verb RunAs -WindowStyle Hidden}"# 若未sleep,且在当前时间内没有插入移动盘,会持续执行update,以产生多个powershell进程sleep 60}}
若有收获,就点个赞吧
0 人点赞
