我创建了一个小脚本来将特定的txt结构转换为CSV。输入看起来像这样,总是用虚线分隔(没有引号),两个文本级别重复任意次:
“---------------------------------------------- --------------------------------“
winlogon.exe pid:880
命令行:winlogon.exe
基本尺寸路径
0x000000008a7c0000 0xb1000 C:\ WINDOWS \ system32 \ winlogon.exe
已验证:Microsoft Windows
发布者:Microsoft Corporation
描述:Windows登录应用程序
产品:Microsoft®Windows®操作系统
版本:10.0.15063.608
档案版本:6.2.15063.608
创造时间:1979年9月17日01:47:05
0x000000005c830000 0x1db000 C:\ WINDOWS \ SYSTEM32 \ ntdll.dll
已验证:Microsoft Windows
发布者:Microsoft Corporation
描述:NT Layer DLL
产品:Microsoft®Windows®操作系统
版本:10.0.15063.608
档案版本:6.2.15063.608
创造时间:5月11日星期三01:39:23 203
“---------------------------------------------- --------------------------------“
lsass.exe pid:960
命令行:C:\ WINDOWS \ system32 \ lsass.exe
基本尺寸路径
0x00000000d2c30000 0x11000 C:\ WINDOWS \ system32 \ lsass.exe
已验证:Microsoft Windows Publisher
发布者:Microsoft Corporation
描述:本地安全机构进程
产品:Microsoft®Windows®操作系统
版本:10.0.15063.483
档案版本:6.2.15063.483
创造时间:Thu Jan 09 08:26:10 2048
0x000000005c830000 0x1db000 C:\ WINDOWS \ SYSTEM32 \ ntdll.dll
已验证:Microsoft Windows
发布者:Microsoft Corporation
描述:NT Layer DLL
产品:Microsoft®Windows®操作系统
版本:10.0.15063.608
档案版本:6.2.15063.608
创造时间:5月11日星期三01:39:23 2039
我的脚本是:
[IO.File]::ReadAllText("C:\users\rummaan\Downloads\ListDlls\listdlls.txt") |
Select-String -Pattern "(---------------------------------------...)[\s\S]*?(?=(---------------------------------------...)|($))" -AllMatches | % {$_.Matches} | % {$_.Value} |
% { `
@([PSCustomObject]@{
"pid" = Select-String -InputObject $_ -Pattern "(?<=pid: ).*?(?=\r)" |
% {$_.Matches} |
% {$_.Value};
"Command_line" = Select-String -InputObject $_ -Pattern "(?<=Command line: ).*?(?=\r)" |
% {$_.Matches} |
% {$_.Value};
"BaseSizePath" = Select-String -InputObject $_ -Pattern "(?<=Base Size Path ).*?(?=\r)" |
% {$_.Matches} |
% {$_.Value};
"Verified" = Select-String -InputObject $_ -Pattern "(?<= Verified: ).*?(?=\r)" | % {$_.Matches} |
% {$_.Value};
"Publisher" = Select-String -InputObject $_ -Pattern "(?<= Publisher: ).*?(?=\r)" | % {$_.Matches} |
% {$_.Value};
"Description" = Select-String -InputObject $_ -Pattern "(?<= Description: ).*?(?=\r)" | % {$_.Matches} |
% {$_.Value};
"Product" = Select-String -InputObject $_ -Pattern "(?<= Product: ).*?(?=\r)" | % {$_.Matches} |
% {$_.Value};
"Version" = Select-String -InputObject $_ -Pattern "(?<= Version: ).*?(?=\r)" | % {$_.Matches} |
% {$_.Value};
"File_version" = Select-String -InputObject $_ -Pattern "(?<= File version: ).*?(?=\r)" | % {$_.Matches} |
% {$_.Value};
"Create_time" = Select-String -InputObject $_ -Pattern "(?<= Create time: ).*?(?=\r)" | % {$_.Matches} |
% {$_.Value};
})} |
Select-Object -Property pid,Command_line,BaseSizePath,Verified,Publisher,Description,Product,Version,File_version,Create_time |
Export-Csv -Path C:\Users\Rummaan\Downloads\ListDlls\listdlls.csv -NoTypeInformation
出来的是没有子文章条目: [在此处输入图像说明] [2]
你能帮我纠正一下这个剧本吗?我需要一个普通的柱状扁平CSV,其中列将在同一级别上,如:pid,command_line,base,size,path,verified,publisher,description,product,version,file_version,create_time。
谢谢!
答案 0 :(得分:0)
试试这个脚本:
#Create template for structure of cut
$template=@"
{Row*:"------------------------------------------------------------------------------"
{Prog:lsass.exe} pid: {Pid:960}
Command line: {CommandLine:C:\WINDOWS\system32\lsass.exe}
Base Size Path
{BaseEXE:0x00000000d2c30000} {SizeEXE:0x11000} {PathEXE:C:\WINDOWS\system32\lsass.exe}
Verified: {VerifiedEXE:Microsoft Windows Publisher}
Publisher: {PublisherEXE:Microsoft Corporation}
Description: {DescriptionEXE:Local Security Authority Process}
Product: {ProductEXE:Microsoft® Windows® Operating System}
Version: {VersionEXE:10.0.15063.483}
File version: {FileVersionEXE:6.2.15063.483}
Create time: {CreateTimeEXE:Thu Jan 09 08:26:10 2048}
{BaseDLL:0x000000005c830000} {SizeDll:0x1db000} {PathDll:C:\WINDOWS\SYSTEM32\ntdll.dll}
Verified: {VerifiedDLL:Microsoft Windows}
Publisher: {PublisherDLL:Microsoft Corporation}
Description: {DescriptionDLL:NT Layer DLL}
Product: {ProductDLL:Microsoft® Windows® Operating System}
Version: {VersionDLL:10.0.15063.608}
File version: {FileVersionDLL:6.2.15063.608}
Create time: {CreateTimeDLL:Wed May 11 01:39:23 2039}}
{Row*:"------------------------------------------------------------------------------"
{Prog:lsass.exe} pid: {Pid:960}
Command line: {CommandLine:C:\WINDOWS\system32\lsass.exe}
Base Size Path
{BaseEXE:0x00000000d2c30000} {SizeEXE:0x11000} {PathEXE:C:\WINDOWS\system32\lsass.exe}
Verified: {VerifiedEXE:Microsoft Windows Publisher}
Publisher: {PublisherEXE:Microsoft Corporation}
Description: {DescriptionEXE:Local Security Authority Process}
Product: {ProductEXE:Microsoft® Windows® Operating System}
Version: {VersionEXE:10.0.15063.483}
File version: {FileVersionEXE:6.2.15063.483}
Create time: {CreateTimeEXE:Thu Jan 09 08:26:10 2048}
{BaseDLL:0x000000005c830000} {SizeDll:0x1db000} {PathDll:C:\WINDOWS\SYSTEM32\ntdll.dll}
Verified: {VerifiedDLL:Microsoft Windows}
Publisher: {PublisherDLL:Microsoft Corporation}
Description: {DescriptionDLL:NT Layer DLL}
Product: {ProductDLL:Microsoft® Windows® Operating System}
Version: {VersionDLL:10.0.15063.608}
File version: {FileVersionDLL:6.2.15063.608}
Create time: {CreateTimeDLL:Wed May 11 01:39:23 2039}}
"@
#explode data
$AllRow=gc "C:\temp\test.txt" | ConvertFrom-String -TemplateContent $template
#get all properties of object 'Row'
$AllProperties=($AllRow.Row | gm | where MemberType -eq "NoteProperty").Name
#Build properties for select
$props = @()
foreach ($field in $AllProperties) {
$props += @{n="$field";e=([Scriptblock]::Create("`$_.Row.$field"))}
}
#Select all properties and export to CSV
$AllRow | select $props | export-csv "c:\temp\resul.csv" -notype