Requirements
Windows 10 PC only
PowerShell 5.1 or above
Administrator rights on your computer
A USB cable that supports data transfer (not all USB cables do: a charge-only cable will never show the phone to ADB)
A smartphone with USB debugging enabled (see below)
Installation of an external tool on the PC
Install Android Debug Bridge (ADB):
To download the ADB tool as a standalone package, go to https://developer.android.com/studio/releases/platform-tools
then click "SDK Platform-Tools for Windows"
Download the latest ".zip" file, then
Enable "Show hidden files, folders, and drives" in Windows Explorer (AppData is a hidden folder)
Unzip "platform-tools_rXXXXX-windows.zip"
Change directory to C:\Users\XXXXXX\AppData\Local
Create the \Android directory,
then the \Android\sdk directory
Move the "platform-tools" directory into C:\Users\XXXXXX\AppData\Local\Android\sdk
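The download-and-unpack steps above as one PowerShell script, with the check the manual procedure skips: comparing the archive's SHA-256 with the value published next to the Windows download on the platform-tools page, and looking at the Authenticode signature of the resulting adb.exe. This is an added example, not something from the original page; the "latest" zip URL, the empty $ExpectedSha256 placeholder (paste the published hash there) and the signature expectation are assumptions of this example.

```powershell
# Added example (not part of the original page): fetch SDK Platform-Tools, verify the archive,
# and unpack it into the %LOCALAPPDATA%\Android\sdk layout used by the rest of this page.
# Assumptions: $Url is Google's stable "latest" redirect; $ExpectedSha256 is the SHA-256 shown on
# the release page (leave empty to only print the hash); the zip contains a top-level platform-tools\ folder.
$ErrorActionPreference = 'Stop'
$Url            = 'https://dl.google.com/android/repository/platform-tools-latest-windows.zip'
$ExpectedSha256 = ''     # paste the published value here
$SdkRoot        = Join-Path $env:LOCALAPPDATA 'Android\sdk'
$Zip            = Join-Path $env:TEMP 'platform-tools-windows.zip'

# dl.google.com requires TLS 1.2, which older Windows PowerShell 5.1 installs do not enable by default
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $Url -OutFile $Zip -UseBasicParsing

$actual = (Get-FileHash -Path $Zip -Algorithm SHA256).Hash
Write-Host "SHA-256 of downloaded archive: $actual"
if ($ExpectedSha256 -and ($actual -ne $ExpectedSha256.ToUpper())) {
    Remove-Item -Path $Zip
    throw "Checksum mismatch: refusing to unpack an archive that does not match the published hash"
}

# Expand-Archive recreates platform-tools\ under $SdkRoot, which is exactly the manual "move" step
New-Item -ItemType Directory -Path $SdkRoot -Force | Out-Null
Expand-Archive -Path $Zip -DestinationPath $SdkRoot -Force

$adb = Join-Path $SdkRoot 'platform-tools\adb.exe'
if (-not (Test-Path $adb)) { throw "adb.exe not found at $adb" }
& $adb version

# Google signs the platform-tools executables; anything other than Status 'Valid' with a Google subject
# means the archive did not come from where you think it did
Get-AuthenticodeSignature -FilePath $adb |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```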
Installation procedure on the smartphone
You must enable USB debugging on your smartphone. The hidden "Developer options" menu is unlocked by opening Settings > "About phone" and tapping "Build number" seven times.
Then go to Settings > Developer options > USB debugging and enable "USB debugging".
Note that the exact menu path varies with the Android version and the vendor of your smartphone.
Then download the application from the Google Play Store and install it.
Additional settings on the smartphone
Kill the SDSKY app
Using a file explorer:
Delete any FILE named /sdcard/sdsky
Create a DIRECTORY named /sdcard/SDSKY (case sensitive)
Check the app's permissions: enable STORAGE if it is not already granted
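The phone-side setup above can be checked from the PC once ADB is installed. This is an added example, not part of the original page: it assumes adb.exe at the path used on this page (%LOCALAPPDATA% is C:\Users\XXXXXX\AppData\Local), a single phone attached over USB (hence -d), and that the phone's shell accepts the POSIX constructs used (mkdir -p, the [ -f ] test). It also reports the state a first-time connection usually gets stuck in: "unauthorized", meaning the "Allow USB debugging?" prompt on the phone has not been accepted yet.

```powershell
# Added example (not from the original page): confirm the phone is visible and authorised over ADB,
# that /sdcard/SDSKY is a directory, and that a file can be pushed there the way transponder.ps1 does.
$Adb = Join-Path $env:LOCALAPPDATA 'Android\sdk\platform-tools\adb.exe'
if (-not (Test-Path $Adb)) { throw "adb.exe not found at $Adb" }

# "adb devices -l" prints one line per device: <serial> <state> ...; state is 'device' when usable,
# 'unauthorized' while the RSA-key prompt on the phone is pending, or 'offline'.
$devLines = @(& $Adb devices -l | Select-String -Pattern '^\S+\s+(device|unauthorized|offline)\b')
if ($devLines.Count -eq 0) {
    throw "No device listed: check the cable (data, not charge-only), the driver, and that USB debugging is on"
}
$state = ($devLines[0].Line -split '\s+')[1]
switch ($state) {
    'unauthorized' {
        # The key the phone will trust lives in %USERPROFILE%\.android\adbkey on this PC; whoever holds
        # that file gets the same access, so tick "Always allow" only on a PC you control.
        throw "Phone is 'unauthorized': accept the fingerprint prompt on the phone, then rerun"
    }
    'offline' { throw "Phone is 'offline': unplug/replug or run '$Adb kill-server' and retry" }
}

# A leftover FILE called sdsky occupies the name the DIRECTORY needs; remove it, then create the directory.
& $Adb -d shell 'if [ -f /sdcard/sdsky ]; then rm -f /sdcard/sdsky; fi; mkdir -p /sdcard/SDSKY'
$listing = (& $Adb -d shell 'ls -ld /sdcard/SDSKY') -join ' '
Write-Host $listing
if ($listing -notmatch '^d') { throw "/sdcard/SDSKY is not a directory: $listing" }

# Push one probe file exactly as the script will (adb push <local> /sdcard/SDSKY) and clean it up.
$probe = Join-Path $env:TEMP 'sdsky-in-000.txt'
"PROBE|$(Get-Date -Format u)" | Out-File -FilePath $probe -Encoding utf8
& $Adb -d push $probe /sdcard/SDSKY
& $Adb -d shell 'ls -l /sdcard/SDSKY/sdsky-in-000.txt && rm /sdcard/SDSKY/sdsky-in-000.txt'
Write-Host "ADB transport to /sdcard/SDSKY verified"
```

If the push succeeds but the app never shows anything, the STORAGE permission of the app is the next thing to check, since the push is done by the adb daemon and does not exercise the app's own access to /sdcard.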
Installation of the ADB driver for your smartphone (on your PC) [Optional]
Find the correct OEM driver: https://developer.android.com/studio/run/oem-usb#Drivers
You must consider the manufacturer of your SMARTPHONE, not of your PC.
You may then have to modify the .INF file of the driver to match your actual smartphone. See https://stackoverflow.com/questions/15721778/adb-no-devices-found?rq=1
Note: I had to modify the android_winusb.inf file to add the following lines to the [Google.NTx86] and [Google.NTamd64] sections, according to the information gathered while looking for the 'Hardware ID' of the smartphone as seen through USB:
;HM redmi Note 3
%SingleAdbInterface% = USB_Install, USB\VID_2717&PID_FF40&REV_0310
%CompositeAdbInterface% = USB_Install, USB\VID_2717&PID_FF40
I also had to deal with a driver signature that was not present BUT was requested by the Windows system. Google searches helped me to deactivate the driver signature check temporarily.
Install the new OEM driver:
Connect your Android device to your computer's USB port.
From Windows Explorer, open Computer Management.
In the Computer Management left pane, select Device Manager.
In the Device Manager right pane, locate and expand Portable Devices or Other Devices, depending on which one you see.
Right-click the name of the device you connected, and then select Update Driver Software.
In the Hardware Update wizard, select Browse my computer for driver software and click Next.
Click Browse and then locate the USB driver folder. For example, the Google USB Driver is located in C:\Users\XXXXXX\AppData\Local\Android\sdk\extras\google\usb_driver\.
Click Next to install the driver.
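The hardware IDs that go into the INF lines above can be read from Windows directly instead of being copied by hand from Device Manager. The following is an added example, not from the original page; it relies on the PnpDevice cmdlets shipped with Windows 10 (Get-PnpDevice, Get-PnpDeviceProperty) and the instance ID passed at the end is a placeholder to be replaced by one from the listing. One caveat the page's signature note points at: the driver package's catalog file covers android_winusb.inf, so editing the INF invalidates the package signature, which is why Windows then demands a signed driver. A package from the phone's OEM that already lists the device avoids disabling signature enforcement; if you do disable it, re-enable it as soon as the device is recognised.

```powershell
# Added example (not from the original page): list the USB hardware IDs Windows sees for attached
# devices, and build the two INF lines in the form used above for a chosen device.
function Get-UsbHardwareIds {
    # One row per present USB device: FriendlyName, driver status ('Error' is what an unrecognised
    # phone typically shows) and every hardware ID string the bus reported for it.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\VID_*' } |
        ForEach-Object {
            $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{
                InstanceId  = $_.InstanceId
                Name        = $_.FriendlyName
                Status      = $_.Status
                HardwareIds = @($ids)
            }
        }
}

function New-AdbInfLines {
    # Reproduces the pattern used above: the REV-qualified ID for %SingleAdbInterface% and the bare
    # VID/PID (or the MI_xx interface of a composite device) for %CompositeAdbInterface%.
    param([Parameter(Mandatory)][string]$InstanceId, [string]$Comment = 'added device')
    $ids = @((Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data)
    $single    = $ids | Where-Object { $_ -match '^USB\\VID_[0-9A-F]{4}&PID_[0-9A-F]{4}&REV_[0-9A-F]{4}$' } | Select-Object -First 1
    $composite = $ids | Where-Object { $_ -match '^USB\\VID_[0-9A-F]{4}&PID_[0-9A-F]{4}(&MI_[0-9]{2})?$' } | Select-Object -First 1
    if (-not $single -or -not $composite) {
        throw "No usable USB\VID_...&PID_... IDs found for $InstanceId (got: $($ids -join ', '))"
    }
    @(
        ";$Comment"
        "%SingleAdbInterface%    = USB_Install, $single"
        "%CompositeAdbInterface% = USB_Install, $composite"
    )
}

# 1. Plug the phone in and find it in the list (it often appears with Status 'Error' and no driver bound)
Get-UsbHardwareIds | Format-List

# 2. Generate the lines to paste into BOTH the [Google.NTx86] and [Google.NTamd64] sections of
#    android_winusb.inf. The instance ID below is a placeholder: take the real one from step 1.
New-AdbInfLines -InstanceId 'USB\VID_2717&PID_FF40\0123456789ABCDEF' -Comment 'HM redmi Note 3'
```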
Installation of the PowerShell script on your PC
Run PowerShell as ADMINISTRATOR (right-click)
Run ONCE the following: Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
(Unrestricted is the setting used here. RemoteSigned is enough for a script you typed yourself and, unlike Unrestricted, still blocks unsigned scripts downloaded from the Internet, so it is the safer choice.)
Copy the following text into Notepad and save it on the C: drive (other drives may not work). When you write the file to disk, use Windows line endings (CRLF) and a Windows-compliant encoding: ANSI, or UTF-8 with a BOM. A UTF-8 file without a BOM is read as ANSI by Windows PowerShell 5.1, which mangles the non-ASCII "§" separator the script uses. The file must be named "transponder.ps1".
---------------------------- BEGIN of text to copy (excluding this line) ----------------------------------
<#
.SYNOPSIS
Windows listener for abnormal situations
ADB version: every CREATED/CHANGED/REMOVED record is pushed to the phone over ADB; local log storage and balloon display are available in Send (commented out)
#-----------------------------------------------------[Preparation (only once)]----------------------------------------------------
Put the script on the C: drive ONLY (here I use C:\Users\cmillet\transponder\transponder_windows.ps1)
Run PowerShell as ADMINISTRATOR (right-click)
Run the following: Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
To prepare the proper shortcut:
- Create a shortcut to the ".ps1" script
- Edit the shortcut properties and add "powershell.exe" before the name of the script
- Then, and only then, you can check "Run as administrator" in the "Advanced" tab
- Also, set "Run: Minimized" ("Reduced window") in the shortcut properties
#>
# To "tail" the log file, open a second non-privileged PowerShell, then:
# Get-Content -Path "C:\Users\cmillet\transponder\transponder_log.txt" -Wait
#----------------------------------------------------------[Declarations]----------------------------------------------------------
#Script Version
$ScriptVersion = "3.0D"
# Assemblies for local balloon notifications: NotifyIcon lives in System.Windows.Forms, Icon in System.Drawing
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
# Global variables
$WorkingPath = $env:USERPROFILE + "\transponder"
$ScriptLogFile = $WorkingPath + "\transponder_log.txt"
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
# NotifyIcon.Icon expects a System.Drawing.Icon object, not a path string; fall back to a stock icon when transponder.ico is absent
$IconFile = $WorkingPath + "\transponder.ico"
if (Test-Path $IconFile) {
    $objNotifyIcon.Icon = New-Object -TypeName System.Drawing.Icon -ArgumentList $IconFile
} else {
    $objNotifyIcon.Icon = [System.Drawing.SystemIcons]::Information
}
$OSInfo = ""
$NewData = New-Object System.Collections.ArrayList
$OldData = New-Object System.Collections.ArrayList
$global:ct_processes_total = 0
$global:outmsg_id = 0
$OSInfo = Get-WmiObject -class Win32_OperatingSystem
$ThisHostSerial = $OSInfo.SerialNumber
$ThisHostVersion = "W" + $OSInfo.Version
# IP of the interface carrying the default route: the "0.0.0.0  0.0.0.0  <gateway>  <interface>  <metric>" line of
# netstat -r. After whitespace normalisation field 0 is the empty string before the leading spaces, so the
# interface address is field 4. Only the first default route is used when several interfaces have one.
$ThisHostIP = netstat -r | select-string "0.0.0.0\s+0.0.0.0" | Select-Object -First 1
$ThisHostIP = $ThisHostIP -replace '\s+', ' '
$tmpip = $ThisHostIP -split ' '
$ThisHostIP = $tmpip[4]
$Macdata = get-wmiobject -class "Win32_NetworkAdapterConfiguration" |Where{$_.IpEnabled -Match "True"} |select IPAddress, MacAddress
$Macteststr = "$ThisHostIP"
foreach($MacObj in $Macdata) {
$MacStr = $MacObj.IPAddress
$MacLabel = $MacObj.MacAddress
if ($MacStr -match $Macteststr) {
$MacLabel = $MacLabel -replace '\s+', ' '
$ThisHostMac = $MacLabel
}
}
$global:ThisHostHostname = hostname
$ThisHostID = $ThisHostIP + "@" + $ThisHostMac
# Canary file: Check_CryptoFile watches its LastWriteTime, so a process that rewrites documents in bulk
# (ransomware) shows up as a CHANGED CRYPTOFILE record. Files in the root of C:\ inherit a High integrity
# label, so only an elevated process can modify this one; to catch a ransomware running as a normal user,
# point this at a user-writable location (e.g. the Documents folder) instead.
$CryptoTestFullFileName = "C:\important.docx"
"This is an important thing." > $CryptoTestFullFileName
# Make sure the working directory exists, then erase the local file buffer left by previous runs
New-Item -ItemType Directory -Path $WorkingPath -Force | Out-Null
$str = $WorkingPath + "\sdsky*.txt"
Remove-Item $str -ErrorAction SilentlyContinue
#-----------------------------------------------------------[Functions]------------------------------------------------------------
Function Retrieve_IE_Favorites{
    # Each .url favorite is an INI-style file with a "URL=" line. The prefix is stripped with -replace:
    # String.Trim("URL=") would remove any of the characters U, R, L and = from both ends of the URL itself.
    Get-ChildItem ([Environment]::GetFolderPath('Favorites')) -Include *.url -Recurse | ForEach {
        $Name = $_.Name
        $URLLine = $_ | Select-String "^URL=" | Select-Object -First 1
        if ($URLLine) { $URL = $URLLine.Line -replace '^URL=', '' } else { $URL = "" }
        $line = "IEFAV|$Name|$URL"
        Add_NewData -Message "$line"
    }
}
Function Retrieve_IE_Proxy{
    # WinINET (IE / system) proxy settings read as registry values, not by splitting the stringified key.
    # A proxy or PAC URL planted by malware to intercept traffic surfaces as a CHANGED IEPROXY record.
    # Only one IEPROXY record is kept per snapshot (Diff_data keys it on the type alone); a PAC URL takes precedence.
    $data = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $line = "IEPROXY|Unknown"
    if ($data.ProxyServer) {
        $line = "IEPROXY|ProxyServer|" + $data.ProxyServer
    }
    if ($data.AutoConfigURL) {
        $line = "IEPROXY|AutoConfigURL|" + $data.AutoConfigURL
    }
    Add_NewData -Message "$line"
}
Function Retrieve_netstats {
$data = netstat -n | select-string -pattern ":" | select-string -notmatch -pattern "127.0.0.1" | sort-object
foreach($Label in $data) {
$Label = $Label -replace '^\s+', ''
$Label = $Label -replace '\s+', '|'
$line = "NETSTAT|$Label"
Add_NewData -Message "$line"
}
}
Function Retrieve_ARPTable {
$data = arp -a | select-string -pattern "-" | select-string -notmatch -pattern "nterface" | sort-object
foreach($Label in $data) {
$Label = $Label -replace '^\s+', ''
$Label = $Label -replace '\s+', '|'
$line = "ARP|$Label"
Add_NewData -Message "$line"
}
}
Function Retrieve_interfaces {
$data = get-wmiobject -class "Win32_NetworkAdapterConfiguration" |Where{$_.IpEnabled -Match "True"} |select Index,ServiceName,IPAddress | sort-object
foreach($Obj in $data) {
$Label1 = $Obj.Index | out-string
$Label2 = $Obj.ServiceName | out-string
$Label3 = $Obj.IPAddress | out-string
$Label = $Label1 + "|" + $Label2 + "|" + $Label3
$Label = $Label -replace '\r\n', ' '
$Label = $Label -replace '\s+', ' '
$Label = $Label -replace '\s+\|', '|'
if ($Label) {
$line = "NETIF|$Label"
Add_NewData -Message "$line"
}
}
}
Function Get_Processes {
$data = get-wmiobject -class "Win32_process" | select ProcessId,Name,ExecutablePath,CommandLine | sort-object
$global:ct_processes_total = 0
foreach($Obj in $data) {
$Label1 = $Obj.ProcessId | out-string
$Label2 = $Obj.Name | out-string
$Label3 = $Obj.ExecutablePath | out-string
$Label4 = $Obj.CommandLine | out-string
$Label = $Label1 + "|" + $Label2 + "|" + $Label3 + "|" + $Label4
$Label = $Label -replace '\r\n', ' '
$Label = $Label -replace '\s+', ' '
$Label = $Label -replace '\s+\|', '|'
if ($Label) {
$line = "SYSPROC|$Label"
Add_NewData -Message "$line"
}
$global:ct_processes_total++
}
}
Function Get_Services {
$data = get-service | select Status,Name | sort-object
foreach($Obj in $data) {
$Label1 = $Obj.Name | out-string
$Label2 = $Obj.Status | out-string
$Label = $Label1 + "|" + $Label2
$Label = $Label -replace '\r\n', ' '
$Label = $Label -replace '\s+', ' '
$Label = $Label -replace '\s+\|', '|'
if ($Label) {
$line = "SYSSERV|$Label"
Add_NewData -Message "$line"
}
}
}
Function Get_Last_Security_Events {
$data = get-eventlog security -newest 50 | select Index,EntryType,Message | select-string -notmatch -pattern "SuccessAudit" | sort-object
foreach($Label in $data) {
$Label = $Label -replace '\r\n', ' '
$Label = $Label -replace ';\s+', '|'
$Label = $Label -replace '@{', ''
$Label = $Label -replace '}', ''
$Label = $Label -replace '\|\w+=', '|'
$Label = $Label -replace '^\w+=', ''
$Label = $Label -replace '\s+', ' '
$line = "SECEVT|$Label"
Add_NewData -Message "$line"
}
}
Function Get_Last_System_Events {
$data = get-eventlog system -newest 50 | select Index,EntryType,Message | sort-object
foreach($Label in $data) {
$Label = $Label -replace '\r\n', ' '
$Label = $Label -replace ';\s+', '|'
$Label = $Label -replace '@{', ''
$Label = $Label -replace '}', ''
$Label = $Label -replace '\|\w+=', '|'
$Label = $Label -replace '^\w+=', ''
$Label = $Label -replace '\s+', ' '
$line = "SYSEVT|$Label"
Add_NewData -Message "$line"
}
}
Function Get_Processes_Old {
$data = get-process | group-object processname | select name,count | sort-object
foreach($Label in $data) {
$Label = $Label -replace ';\s+', '|'
$Label = $Label -replace '@{', ''
$Label = $Label -replace '}', ''
$Label = $Label -replace '\|\w+=', '|'
$Label = $Label -replace '^\w+=', ''
$line = "SYSPROC|$Label"
Add_NewData -Message "$line"
}
}
Function Check_CryptoFile {
$data = (Get-Item $CryptoTestFullFileName).LastWriteTime | select-string -pattern ":"
foreach($Label in $data) {
$Label = $Label -replace ';\s+', '|'
$line = "CRYPTOFILE|$Label"
Add_NewData -Message "$line"
}
}
Function Get_OSInfo {
$OSInfo = Get-WmiObject -class Win32_OperatingSystem
$Label = $OSInfo.Caption + "|" + $OSInfo.OSArchitecture + "|" + $OSInfo.Version + "|" + $OSInfo.SerialNumber
$line = "OSINFO|$Label"
Add_NewData -Message "$line"
}
Function Check_Antivirus {
$AVInfo = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
$ProductState = "Unknown"
switch ($AVInfo.productState) {
"262144" {$ProductState = "DISABLED|Up to date"}
"262160" {$ProductState = "DISABLED|Out of date"}
"266240" {$ProductState = "ENABLED|Up to date"}
"266256" {$ProductState = "ENABLED|Out of date"}
"393216" {$ProductState = "DISABLED|Up to date"}
"393232" {$ProductState = "DISABLED|Out of date"}
"393488" {$ProductState = "DISABLED|Out of date"}
"397312" {$ProductState = "ENABLED|Up to date"}
"397328" {$ProductState = "ENABLED|Out of date"}
"397584" {$ProductState = "ENABLED|Out of date"}
"397568" {$ProductState = "ENABLED|Up to date"}
"393472" {$ProductState = "DISABLED|Up to date"}
}
$Label = $AVInfo.displayName + "|" + $ProductState
$line = "AVINFO|$Label"
Add_NewData -Message "$line"
}
Function Check_Firewall {
$data = netsh advfirewall show all state | select-string -pattern "tat"
$Label = $data
$Label = $Label -replace '\r\n', ' '
$Label = $Label -replace '[^\x30-\x39\x41-\x5A\x61-\x7A]+', '|'
$Label = $Label -replace '\|tat', ''
$Label = "Status Domaine/Prive/Public" + $Label
$line = "FWINFO|$Label"
Add_NewData -Message "$line"
}
Function calc_stats_counters {
    # Count sockets outside the loopback interfaces (all states) and the ESTABLISHED ones.
    # @() forces an array so .Count is right for zero or one line.
    $sockets = @(netstat -n | select-string -pattern ":" | select-string -pattern "127\.0\.0\.1|\[::1\]" -notmatch)
    $ct_sessions_total = $sockets.Count
    $ct_sessions_active = @($sockets | select-string -pattern "ESTABLISHED").Count
    $tmps1 = $global:ct_processes_total
    # Retrieve CPU temperature. Not every machine exposes MSAcpi_ThermalZoneTemperature (hence the error
    # suppression) and the thermal zone instance name is hardware-specific: adapt it to your PC.
    $CPUCurrentTemperature = ""
    $CPUCriticalTemperature = ""
    $t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi" -ErrorAction SilentlyContinue
    foreach ($temp in $t) {
        $tn = $temp.InstanceName
        if ($tn -match "ACPI\\ThermalZone\\CPUZ_0") {
            # WMI reports tenths of a Kelvin
            $CPUCurrentTemperature = [int](($temp.CurrentTemperature / 10) - 273.15)
            $CPUCriticalTemperature = [int](($temp.CriticalTripPoint / 10) - 273.15)
        }
    }
    $Label = "$ct_sessions_total|$ct_sessions_active|$tmps1|$CPUCurrentTemperature|$CPUCriticalTemperature"
    $line = "COUNTERS|$Label"
    Add_NewData -Message "$line"
}
Function Add_NewData($Message){
    # Records are capped at 240 characters to keep each line short for the phone display
    if (-not $Message) { return }
    $Message = $Message.subString(0, [System.Math]::Min(240, $Message.Length))
    $NewData.add($Message) > $null
    #write-output "DEBUG NEW DATA: $Message"
}
Function Send($Status, $Message){
    # One record per event: NWR|<script version>|<timestamp, local time in "u" format>|<ip@mac>|<CREATED/CHANGED/REMOVED>|<data line>
    # Each Send pauses 2 seconds, so a burst of changes is delivered at half a record per second.
    $MyDate = get-Date -format u
    $line = "NWR" + "|" + $ScriptVersion + "|" + $MyDate + "|" + $ThisHostID + "|" + $Status + "|" + $Message
    # Local storage of data (uncomment to keep a copy on the PC)
    # $line | Out-File -Append $ScriptLogFile -Encoding UTF8
    # Local Display (uncomment for balloon notifications on the PC)
    # Notification -Status $Status -Message "$line"
    Send-adb -Message "$line"
    Start-Sleep -s 2
}
Function Notification($Status, $Message) {
    # Show the part of the record after the status field as a balloon tip
    $MyDate = get-Date -format u
    $Label = $Message -replace "$Status\|", '§'
    $tmpmsg = $Label -split '§'
    $line = $tmpmsg[1]
    $lineTip = $MyDate + "-" + $Status
    if ($Status -match 'CREATED') { $objNotifyIcon.BalloonTipIcon = "Error" }
    if ($Status -match 'CHANGED') { $objNotifyIcon.BalloonTipIcon = "Warning" }
    if ($Status -match 'REMOVED') { $objNotifyIcon.BalloonTipIcon = "Info" }
    $objNotifyIcon.BalloonTipText = $line
    $objNotifyIcon.BalloonTipTitle = $lineTip
    $objNotifyIcon.Visible = $True
    $objNotifyIcon.ShowBalloonTip(10000)
}
Function Send-syslog($Message){
    # Optional RFC 3164 sender over UDP, not called by the main loop: adapt $IP to your collector
    # and call it from Send if you want the records in a SIEM as well as on the phone.
    $Port = 514
    $IP = "192.168.1.11"
    $Facility = "local4"
    $Severity = "informational"
    $sourcehostname = "nwr.local"
    $tag = "transponder"
switch -regex ($Facility)
{
'kern' {$Facility = 0 * 8 ; break }
'user' {$Facility = 1 * 8 ; break }
'mail' {$Facility = 2 * 8 ; break }
'system' {$Facility = 3 * 8 ; break }
'auth' {$Facility = 4 * 8 ; break }
'syslog' {$Facility = 5 * 8 ; break }
'lpr' {$Facility = 6 * 8 ; break }
'news' {$Facility = 7 * 8 ; break }
'uucp' {$Facility = 8 * 8 ; break }
'cron' {$Facility = 9 * 8 ; break }
'authpriv' {$Facility = 10 * 8 ; break }
'ftp' {$Facility = 11 * 8 ; break }
'ntp' {$Facility = 12 * 8 ; break }
'logaudit' {$Facility = 13 * 8 ; break }
'logalert' {$Facility = 14 * 8 ; break }
'clock' {$Facility = 15 * 8 ; break }
'local0' {$Facility = 16 * 8 ; break }
'local1' {$Facility = 17 * 8 ; break }
'local2' {$Facility = 18 * 8 ; break }
'local3' {$Facility = 19 * 8 ; break }
'local4' {$Facility = 20 * 8 ; break }
'local5' {$Facility = 21 * 8 ; break }
'local6' {$Facility = 22 * 8 ; break }
'local7' {$Facility = 23 * 8 ; break }
default {$Facility = 23 * 8 } #Default is local7
}
switch -regex ($Severity)
{
'^em' {$Severity = 0 ; break } #Emergency
'^a' {$Severity = 1 ; break } #Alert
'^c' {$Severity = 2 ; break } #Critical
'^er' {$Severity = 3 ; break } #Error
'^w' {$Severity = 4 ; break } #Warning
'^n' {$Severity = 5 ; break } #Notice
'^i' {$Severity = 6 ; break } #Informational
'^d' {$Severity = 7 ; break } #Debug
default {$Severity = 5 } #Default is Notice
}
$pri = "<" + ($Facility + $Severity) + ">"
# Note that the timestamp is local time on the originating computer, not UTC.
if ($(get-date).day -lt 10) { $timestamp = $(get-date).tostring("MMM d HH:mm:ss") } else { $timestamp = $(get-date).tostring("MMM dd HH:mm:ss") }
# Hostname does not have to be in lowercase, and it shouldn't have spaces anyway, but lowercase is more traditional.
# The name should be the simple hostname, not a fully-qualified domain name, but the script doesn't enforce this.
$header = $timestamp + " " + $sourcehostname.tolower().replace(" ","").trim() + " "
#Cannot have non-alphanumerics in the TAG field or have it be longer than 32 characters.
if ($tag -match '[^a-z0-9]') { $tag = $tag -replace '[^a-z0-9]','' } #Simply delete the non-alphanumerics
if ($tag.length -gt 32) { $tag = $tag.substring(0,31) } #and truncate at 32 characters.
$msg = $pri + $header + $tag + ": " + $Message
# Convert message to array of ASCII bytes.
$bytearray = $([System.Text.Encoding]::ASCII).getbytes($msg)
# RFC3164 Section 4.1: "The total length of the packet MUST be 1024 bytes or less."
# "Packet" is not "PRI + HEADER + MSG", and IP header = 20, UDP header = 8, hence:
if ($bytearray.count -gt 996) { $bytearray = $bytearray[0..995] }
# Send the message...
$UdpClient = New-Object System.Net.Sockets.UdpClient
$UdpClient.Connect($IP,$Port)
$UdpClient.Send($ByteArray, $ByteArray.length) | out-null
$UdpClient.close()
}
Function Send-adb($Message){
    # adb.exe as installed by the procedure above (platform-tools under %LOCALAPPDATA%\Android\sdk); adjust if installed elsewhere
    $AdbExe = $env:LOCALAPPDATA + "\Android\sdk\platform-tools\adb.exe"
    # Message files are numbered 001..099 and reused; the numbering is what the phone app keys on
    $global:outmsg_id = $global:outmsg_id + 1
    if ($global:outmsg_id -ge 100) {$global:outmsg_id = 1}
    $msgnum = "{0:000}" -f $global:outmsg_id
    $filename = "sdsky-in-" + $msgnum + ".txt"
    $localfile = $WorkingPath + "\" + $filename
    $remotefile = "/sdcard/SDSKY"
    # Preparing local file
    $Message | Out-File -Append $localfile -Encoding UTF8
    # Checking if the phone is connected: with -d (the single USB device) adb prints the serial on stdout,
    # and only an error on stderr (discarded here) when nothing is attached
    $adbres = & $AdbExe -d get-serialno 2>$null
    $adbres = "!" + $adbres + "!"
    if ($adbres -eq "!!" -or $adbres -eq "!unknown!") {
        # We display a connection error as a Windows notification
        $objNotifyIcon.BalloonTipIcon = "Error"
        $objNotifyIcon.BalloonTipText = "Phone monitoring device not found"
        $objNotifyIcon.BalloonTipTitle = "SDSKY USB CONNECTION ERROR"
        $objNotifyIcon.Visible = $True
        $objNotifyIcon.ShowBalloonTip(2000)
        & $AdbExe -d kill-server 2>$null
    } else {
        # We can send the file
        & $AdbExe -d push $localfile $remotefile
    }
}
Function Refresh_data {
if ($NewData.count -gt 0) {
$NewData.RemoveRange(0,$NewData.Count)
}
Retrieve_IE_Favorites
Retrieve_IE_Proxy
Get_OSInfo
Retrieve_netstats
Retrieve_interfaces
Get_Last_Security_Events
Get_Last_System_Events
Get_Processes
Get_Services
Retrieve_ARPTable
Check_CryptoFile
calc_stats_counters
Check_Antivirus
Check_Firewall
}
Function Get_MatchKey($Record) {
    # Wildcard pattern identifying "the same item" in the other snapshot: the record type plus the fields
    # that stay fixed while the item changes state (a socket by its addresses, a process by its PID, a service
    # by its name). Keeping the key short is what reports a state change as CHANGED rather than as a
    # REMOVED/CREATED pair. The literal part is escaped so that '*', '?' or '[' inside a command line or an
    # event message cannot act as wildcards in -like.
    $tmp = $Record -split '\|'
    $prefix = ""
    switch ($tmp[0]) {
        "NETSTAT" { $prefix = ($tmp[0..([Math]::Min(3, $tmp.Count - 1))] -join "|") + "|" }
        { $_ -in "IEFAV","NETIF","SECEVT","SYSEVT","SYSPROC","SYSSERV","ARP" } { $prefix = $tmp[0] + "|" + $tmp[1] + "|" }
        { $_ -in "OSINFO","CRYPTOFILE","AVINFO","FWINFO","COUNTERS","IEPROXY" } { $prefix = $tmp[0] + "|" }
    }
    if (-not $prefix) { return "" }
    return ([System.Management.Automation.WildcardPattern]::Escape($prefix) + "*")
}
Function Diff_data {
    # New snapshot against the previous one: a key absent from the previous snapshot is CREATED, a key present
    # with a different value is CHANGED; a previous key with no counterpart in the new snapshot is REMOVED.
    foreach ($OneNewData in $NewData) {
        if ($OneNewData -eq "SECEVT|") { continue }
        $teststr = Get_MatchKey $OneNewData
        if (-not $teststr) { continue }
        $PossibleMatch = $OldData -like $teststr | Select-Object -First 1
        if ($PossibleMatch) {
            if ($PossibleMatch -ne $OneNewData) {
                Send -Status "CHANGED" -Message "$OneNewData"
            }
        } else {
            Send -Status "CREATED" -Message "$OneNewData"
        }
    }
    # REMOVED Data
    foreach ($OneOldData in $OldData) {
        if ($OneOldData -eq "SECEVT|") { continue }
        $teststr = Get_MatchKey $OneOldData
        if (-not $teststr) { continue }
        $PossibleMatch = $NewData -like $teststr | Select-Object -First 1
        if (!$PossibleMatch) {
            Send -Status "REMOVED" -Message "$OneOldData"
        }
    }
}
#-----------------------------------------------------------[Main Execution]------------------------------------------------------------
Send -Status "CREATED" -Message "HOSTID|$ThisHostVersion|$ThisHostSerial|$global:ThisHostHostname|$ThisHostIP|$ThisHostMac"
$objNotifyIcon.BalloonTipIcon = "Info"
$objNotifyIcon.BalloonTipText = "SDSKY Monitoring program has started on this PC"
$objNotifyIcon.BalloonTipTitle = "PROGRAM STARTED"
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(2000)
$VeryFirstLoop = 'Y'
While ($true) {
Refresh_data
# write-output "---NEWDATA---"
# $NewData
# write-output "suite"
# write-output "---OLDDATA---"
# $OldData
# write-output "suite"
if ($VeryFirstLoop -eq "N") {
Diff_data
}
#Transferring NewData to OldData array
if ($OldData.count -gt 0) {
$OldData.RemoveRange(0,$OldData.Count)
}
foreach ($OneNewData in $NewData) {
$OldData.add($OneNewData) > $null
}
# End of loop
$VeryFirstLoop = 'N'
}
---------------------------- END of text to copy (excluding this line) -------------------------------------
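Once the script is running, the two detections that matter most (the ransomware canary and a new process) can be exercised end to end by reading back the records it wrote into its sdsky-in-NNN.txt buffers. The following is an added example, not part of transponder.ps1: it assumes the script runs with the default working directory ($env:USERPROFILE\transponder) and canary path C:\important.docx, and that it is run from an elevated PowerShell, because files in the root of C:\ carry a High integrity label and a medium-integrity process cannot rewrite the canary. The record layout parsed here is the one Send() builds: NWR, script version, timestamp, ip@mac, status, then the data line.

```powershell
# Added example (not part of transponder.ps1): parse NWR records and check the CRYPTOFILE and SYSPROC detections.
function ConvertFrom-NwrRecord {
    param([Parameter(Mandatory)][string]$Line)
    # Layout written by Send(): NWR|<version>|<yyyy-MM-dd HH:mm:ssZ, local time despite the Z>|<ip@mac>|<status>|<type>|<fields...>
    $f = $Line -split '\|'
    if ($f.Count -lt 6 -or $f[0] -ne 'NWR') { return $null }
    try {
        $ts = [datetime]::ParseExact(($f[2] -replace 'Z$', ''), 'yyyy-MM-dd HH:mm:ss',
                                     [Globalization.CultureInfo]::InvariantCulture)
    } catch { return $null }                    # half-written or foreign line
    [pscustomobject]@{
        Version   = $f[1]
        Timestamp = $ts
        HostId    = $f[3]
        Status    = $f[4]                       # CREATED / CHANGED / REMOVED
        Type      = $f[5]                       # CRYPTOFILE, SYSPROC, NETSTAT, ...
        Fields    = @($f | Select-Object -Skip 6)
    }
}

function Get-NwrRecordsSince {
    param([Parameter(Mandatory)][datetime]$Since,
          [string]$WorkingPath = (Join-Path $env:USERPROFILE 'transponder'))
    # The buffers are appended to and reused (IDs 001-099), so filter on the record timestamp, not on the file.
    Get-ChildItem -Path (Join-Path $WorkingPath 'sdsky-in-*.txt') -ErrorAction SilentlyContinue |
        Get-Content |
        ForEach-Object { ConvertFrom-NwrRecord -Line $_ } |
        Where-Object { $_ -and $_.Timestamp -ge $Since }
}

$start = (Get-Date).AddSeconds(-1)              # records carry whole seconds only
# 1. Modify the canary the way a file-encrypting process would: a content rewrite moves LastWriteTime
Add-Content -Path 'C:\important.docx' -Value 'simulated tamper'
# 2. Start a process the previous snapshot did not contain
$proc = Start-Process -FilePath notepad.exe -PassThru

# Wait for one full Refresh_data/Diff_data cycle plus the 2-second pause Send() makes per record; lengthen if needed
Start-Sleep -Seconds 90
$hits = @(Get-NwrRecordsSince -Since $start)

$canary  = @($hits | Where-Object { $_.Type -eq 'CRYPTOFILE' -and $_.Status -eq 'CHANGED' })
$newProc = @($hits | Where-Object { $_.Type -eq 'SYSPROC' -and $_.Status -eq 'CREATED' -and $_.Fields[0] -eq "$($proc.Id)" })
"CRYPTOFILE CHANGED records: $($canary.Count)"
"SYSPROC CREATED records for PID $($proc.Id): $($newProc.Count)"
$hits | Format-Table Timestamp, Status, Type, @{ n = 'Fields'; e = { $_.Fields -join '|' } } -AutoSize

Stop-Process -Id $proc.Id -ErrorAction SilentlyContinue
```

A run where the canary count is 1 and the SYSPROC count is 1 shows both detections reaching the buffer; the same listing after Stop-Process should show the process again as REMOVED, keyed on its PID.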
Customization of the transponder.ps1 script to make it work
All paths are absolute and must be customized to fit your configuration.
Search the script for the "C:\Users" string and adapt the paths to where you made the install on your disk
Also check the path to "adb.exe" used by the Send-adb function and adapt it if platform-tools is installed elsewhere
Creation of a launch icon for the transponder.ps1 script with admin rights
Create a shortcut to the "transponder.ps1" script
Edit the shortcut properties and add "powershell.exe" before the name of the script
Then, and only then, you can check "Run as administrator" in the "Advanced" tab
Also, set "Run: Minimized" ("Reduced window") in the shortcut properties
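The shortcut described above can also be produced by a script, which makes the launch arguments explicit. This is an added example, not part of the original page; it assumes the script sits at C:\Users\<you>\transponder\transponder.ps1 (adjust $Script) and that the shortcut goes on the Desktop. The WScript.Shell COM interface has no "Run as administrator" property: that checkbox is the RunAsUser flag in the .lnk header (bit 0x2000 of LinkFlags, i.e. 0x20 in byte 21 of the file), which is why the last three lines patch the file directly.

```powershell
# Added example (not from the original page): create the elevated, minimized launch shortcut for transponder.ps1.
$Script   = Join-Path $env:USERPROFILE 'transponder\transponder.ps1'
$Shortcut = Join-Path ([Environment]::GetFolderPath('Desktop')) 'transponder.lnk'
if (-not (Test-Path $Script)) { throw "Script not found at $Script" }

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($Shortcut)
$lnk.TargetPath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
# -NoProfile: nothing from the user's profile scripts runs inside the elevated process
# -ExecutionPolicy RemoteSigned: scoped to this process only, enough for a locally written script
# -WindowStyle Minimized: the "Reduced window" setting from the manual procedure
$lnk.Arguments = "-NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Minimized -File `"$Script`""
$lnk.WorkingDirectory = Split-Path -Path $Script -Parent
$lnk.WindowStyle = 7                 # 7 = minimized in the shortcut's "Run:" dropdown
$lnk.Save()

# Set the RunAsUser flag ("Run as administrator" in the Advanced tab) in the ShellLinkHeader
$bytes = [System.IO.File]::ReadAllBytes($Shortcut)
$bytes[21] = $bytes[21] -bor 0x20
[System.IO.File]::WriteAllBytes($Shortcut, $bytes)
Write-Host "Created $Shortcut (elevated, minimized)"
```

Launching the shortcut still triggers a UAC prompt each time, as the manual shortcut does; the only difference is that the execution policy is set per process instead of for the whole user account.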