Easy Removable Drive Detection with AutoIT

Week 2 of "Isn't AutoIT Cool" is a brief one. More of a code snippet than the last post. It's something that I figured out when I was looking into exfiltrating data from a target machine. The idea was this: plug a flash drive into a PC, have it automatically run an exe (this was back in the autoexec.bat days, so the theory was that you'd call said exe from autoexec.bat), copy a bunch of interesting files to itself and then prepare for removal. This was back before the days of the USB Rubber Ducky as well (I think the USB Switchblade was the new hotness at that point). I'll eventually get into my full script for this process, as it wound up being quite useful. Nothing quite as useful as the LEDs on the Bash Bunny or anything, but this was many years before the Hak5 crew had those for sale.

The script is fairly simple so I've posted it at the bottom of this post but there's also a link to a gist should you require it.

Line 1 calls AutoIT's built-in DriveGetDrive function, which returns an array of all of the drives in the machine that are marked as 'REMOVABLE.' Element 0 of that array holds the number of drives found, and the drive letters start at element 1. This did become an issue with certain SanDisk drives that showed up in Windows as HDD-style drives but my way around that was to buy a different flash drive...

The loop that makes up the rest of the snippet moves through that array and searches for a drive named 'COPY.' You can, of course, change this to the name of your device, whatever that ends up being. When that's found, the $drive_letter variable is set to the letter of the drive. You can then use that as the destination for your file copies. More on this when the full script is up.

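$drive_arr = DriveGetDrive("REMOVABLE") ; element [0] holds the number of drives found
$drive_letter = ""

If IsArray($drive_arr) Then ; no array comes back (and @error is set) when no drive matches
   For $i = 1 To $drive_arr[0] ; drive letters start at element 1
      If DriveGetLabel($drive_arr[$i]) = "COPY" Then
         $drive_letter = $drive_arr[$i]
      EndIf
   Next
EndIf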

Gist for the curious...
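
The SanDisk behaviour mentioned above matters on the defensive side too: any inventory or media control that keys on the "removable" drive type will miss a USB stick that Windows presents as a fixed disk. The following PowerShell is an added example, not part of the original post or its gist; it lists volumes by the bus the disk is attached to and flags the ones a type-based filter would skip. The function name Get-UsbVolume and the output property names are hypothetical.

```powershell
# Added example: inventory volumes that live on USB-attached disks,
# regardless of the drive type Windows assigns to them.
function Get-UsbVolume {
    # Win32_DiskDrive.InterfaceType reports the bus the physical disk sits on
    Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'" |
        ForEach-Object {
            $disk = $_
            # Walk physical disk -> partition -> logical disk (drive letter)
            Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
                ForEach-Object {
                    Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        DriveLetter     = $_.DeviceID
                        Label           = $_.VolumeName
                        Model           = $disk.Model
                        # Win32_LogicalDisk.DriveType: 2 = removable, 3 = local (fixed) disk
                        DriveType       = $_.DriveType
                        # True when a "removable only" filter would not see this volume
                        PresentsAsFixed = ($_.DriveType -eq 3)
                    }
                }
        }
}

# Show every USB-attached volume, with the mis-typed ones listed first
Get-UsbVolume |
    Sort-Object -Property PresentsAsFixed -Descending |
    Format-Table -AutoSize
```

Rows with PresentsAsFixed set to True are the devices that label- or type-based removable-media checks overlook.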