@ray-bun
Last active July 20, 2024 09:59
# Collect the identifiers used for the lookup and the final report: the BIOS
# serial number plus the MAC and IP addresses of every IP-enabled adapter.
$biosInfo = Get-CimInstance -ClassName Win32_BIOS
$networkAdapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
    Where-Object -Property IPEnabled -EQ -Value $true

# Gather the adapter details first so the report object can be built in one step.
$macList = @()
$ipList = @()
foreach ($nic in $networkAdapters) {
    $macList += $nic.MACAddress
    # IPAddress is appended with +=, so an adapter with several addresses adds several entries.
    $ipList += $nic.IPAddress
}

# Report object; the fields left at $null are filled in by the later steps.
$hardwareInfo = [PSCustomObject]@{
    SerialNumber          = $biosInfo.SerialNumber
    MACAddresses          = $macList
    IPAddresses           = $ipList
    BitLockerKey1         = $null
    BitLockerKey2         = $null
    Status                = $null
    DriveUnlockStatus     = $null
    CrowdStrikeFileStatus = $null
}
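# Look up the BitLocker recovery keys for this machine at bitlookup.net, keyed by
# the BIOS serial number. Status ends up as "Success", "No matching entry found",
# "Unexpected response format" or "Error: <details>".
# NOTE(review): the request carries only the serial number and this script sends
# no credential. A serial number is an identifier, not a secret, so confirm that
# the service restricts who may query it before relying on this lookup.
# NOTE(review): the returned keys are stored in $hardwareInfo, which this script
# serializes to JSON at the end, so they will appear in the script's output.
try {
    # An empty serial would query the bare /search/ endpoint; fail the lookup instead.
    if ([string]::IsNullOrWhiteSpace($hardwareInfo.SerialNumber)) {
        throw "BIOS serial number is empty; lookup skipped"
    }
    # Escape the serial so characters such as ' ', '/', '?' or '#' stay inside a
    # single path segment instead of changing the URL that is requested.
    $escapedSerial = [uri]::EscapeDataString($hardwareInfo.SerialNumber)
    $url = "https://bitlookup.net/search/$escapedSerial"
    $response = Invoke-RestMethod -Uri $url -Method Get -ErrorAction Stop

    # Names of the properties present on the parsed response.
    $fields = $response.PSObject.Properties.Name
    if ($fields -contains "key_1" -and $fields -contains "key_2") {
        $hardwareInfo.BitLockerKey1 = $response.key_1
        $hardwareInfo.BitLockerKey2 = $response.key_2
        $hardwareInfo.Status = "Success"
    } elseif ($fields -contains "error" -and $response.error -eq "No matching entry found") {
        $hardwareInfo.Status = "No matching entry found"
    } else {
        $hardwareInfo.Status = "Unexpected response format"
    }
} catch {
    # Covers transport/HTTP failures raised by -ErrorAction Stop and the empty-serial guard.
    $hardwareInfo.Status = "Error: $_"
}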
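# Unlocks a BitLocker-protected volume with a recovery password via manage-bde.
#
# Parameters:
#   DriveLetter - volume to unlock, e.g. "C:".
#   RecoveryKey - recovery password handed to manage-bde -RecoveryPassword.
# Returns:
#   Hashtable with Success ([bool]) and Message ([string]). The text
#   "successfully unlocked" appears in Message only when the unlock succeeded.
function Unlock-BitLockerDrive {
    param (
        [string]$DriveLetter,
        [string]$RecoveryKey
    )
    # The key originates from a remote response, so check its shape before it
    # becomes a command-line argument: eight groups of six digits joined by '-'.
    # A value that starts with '-' could otherwise be read as a manage-bde option.
    $candidate = $RecoveryKey.Trim()
    if ($candidate -notmatch '^[0-9]{6}(-[0-9]{6}){7}$') {
        # The rejected value is deliberately not echoed into the message.
        return @{Success=$false; Message="Failed to unlock drive ${DriveLetter}: recovery key is not in the expected 48-digit format"}
    }
    try {
        # NOTE(review): the recovery password is passed as a command-line argument,
        # so it can be captured by process command-line auditing or transcripts on
        # the machine running this - confirm that is acceptable where this runs.
        $result = manage-bde -unlock ${DriveLetter} -RecoveryPassword $candidate
        # Success is detected from manage-bde's output text.
        # NOTE(review): this match is presumably English-only; consider checking
        # $LASTEXITCODE as well - confirm manage-bde's exit codes first.
        if ($result -match "successfully unlocked") {
            return @{Success=$true; Message="Drive ${DriveLetter} successfully unlocked"}
        } else {
            return @{Success=$false; Message="Failed to unlock drive ${DriveLetter}: $result"}
        }
    } catch {
        # Reached when the command itself cannot be started (e.g. manage-bde is missing).
        return @{Success=$false; Message="Error unlocking drive ${DriveLetter}: $_"}
    }
}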
# Try the retrieved recovery keys against C: in order (key 1, then key 2) and stop
# at the first one that works; DriveUnlockStatus records the last attempt's message.
$candidateKeys = @($hardwareInfo.BitLockerKey1, $hardwareInfo.BitLockerKey2 | Where-Object { $_ })
if ($candidateKeys.Count -eq 0) {
    $hardwareInfo.DriveUnlockStatus = "No BitLocker keys available to attempt unlock"
} else {
    $attempt = $null
    foreach ($key in $candidateKeys) {
        $attempt = Unlock-BitLockerDrive -DriveLetter "C:" -RecoveryKey $key
        if ($attempt.Success) {
            # No need to try the second key once the drive is unlocked.
            break
        }
    }
    $hardwareInfo.DriveUnlockStatus = $attempt.Message
}
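# Deletes the files matching C-00000291*.sys from the CrowdStrike driver directory
# on C:.
#
# Returns one of these status strings:
#   "CrowdStrike file(s) successfully deleted"
#   "No matching CrowdStrike files found"
#   "CrowdStrike directory not found"
#   "Error deleting CrowdStrike file: <details>"
# NOTE(review): this removes files from an endpoint-security product's driver
# directory and keeps no record of which files were removed; consider logging the
# file names so the change can be audited afterwards.
function Remove-CrowdStrikeFile {
    $crowdStrikePath = "C:\Windows\System32\drivers\CrowdStrike"
    $filePattern = "C-00000291*.sys"
    try {
        if (-not (Test-Path -LiteralPath $crowdStrikePath)) {
            return "CrowdStrike directory not found"
        }
        # -File keeps a directory with a matching name out of the delete list;
        # @() makes .Count reliable for zero or one match.
        $files = @(Get-ChildItem -LiteralPath $crowdStrikePath -Filter $filePattern -File -ErrorAction Stop)
        if ($files.Count -eq 0) {
            return "No matching CrowdStrike files found"
        }
        foreach ($file in $files) {
            # -LiteralPath: delete exactly this file, with no wildcard expansion of its name.
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        }
        return "CrowdStrike file(s) successfully deleted"
    } catch {
        # A failure part-way through leaves earlier matches already deleted.
        return "Error deleting CrowdStrike file: $_"
    }
}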
# Only touch the CrowdStrike directory when the unlock step reported success.
$driveUnlocked = $hardwareInfo.DriveUnlockStatus -match "successfully unlocked"
$hardwareInfo.CrowdStrikeFileStatus = if ($driveUnlocked) {
    Remove-CrowdStrikeFile
} else {
    "Drive unlock unsuccessful, CrowdStrike file deletion not attempted"
}
# Emit the whole report as JSON.
# NOTE(review): the report object carries BitLockerKey1/BitLockerKey2, so the
# recovery keys are written in clear text wherever this output is displayed,
# captured or logged - confirm that is intended.
$hardwareInfo | ConvertTo-Json