def parse_minidump_buffer(buff):
    """Parse an LSASS minidump held in an in-memory buffer and run credential extraction.

    buff: buffer object accepted by MinidumpFile.parse_buff (io.BytesIO in sibling helpers).
    Returns the started pypykatz instance; extracted results live on that object, so the
    caller is responsible for how long they are kept around.
    """
    dump = MinidumpFile.parse_buff(buff)
    engine = pypykatz(
        dump.get_reader().get_buffered_reader(),
        KatzSystemInfo.from_minidump(dump),
    )
    engine.start()
    return engine
def parse_minidump_file(filename):
    """Parse an LSASS minidump from disk and run credential extraction over it.

    filename: path to the minidump file.
    Returns the started parser instance.
    """
    dump = MinidumpFile.parse(filename)
    buffered = dump.get_reader().get_buffered_reader()
    system_info = KatzSystemInfo.from_minidump(dump)
    # NOTE(review): this module calls `katz(...)` where the other helpers use
    # `pypykatz(...)`; confirm `katz` is really the name bound in this file.
    engine = katz(buffered, system_info)
    engine.start()
    return engine
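def parse_minidump_buffer(buff, packages=None):
    """Parse an LSASS minidump whose contents are in a bytes buffer.

    buff: io.BytesIO object
    packages: list of credential-package names handed to pypykatz.start();
        None (the default) selects ['all'].
    Returns the started pypykatz instance.
    """
    # Build the default per call rather than sharing one mutable list across
    # calls (a mutable default can be mutated downstream and leak between runs).
    if packages is None:
        packages = ['all']
    minidump = MinidumpFile.parse_buff(buff)
    reader = minidump.get_reader().get_buffered_reader()
    sysinfo = KatzSystemInfo.from_minidump(minidump)
    mimi = pypykatz(reader, sysinfo)
    mimi.start(packages)
    return mimi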
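def parse_minidump_bytes(data, packages=None):
    """Parse LSASS minidump file bytes.

    data: needs to be bytearray
    packages: list of credential-package names handed to pypykatz.start();
        None (the default) selects ['all'].
    Returns the started pypykatz instance.
    """
    # Build the default per call rather than sharing one mutable list across
    # calls (a mutable default can be mutated downstream and leak between runs).
    if packages is None:
        packages = ['all']
    minidump = MinidumpFile.parse_bytes(data)
    reader = minidump.get_reader().get_buffered_reader()
    sysinfo = KatzSystemInfo.from_minidump(minidump)
    mimi = pypykatz(reader, sysinfo)
    mimi.start(packages)
    return mimi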
def parse_minidump_file(filename):
    """Parse an LSASS minidump from disk and run credential extraction over it.

    The optional `minidump` package is imported lazily so the module can be
    loaded without it; a missing package surfaces as ImportError here.

    filename: path to the minidump file.
    Returns the started pypykatz instance.
    Raises ImportError when the minidump dependency is not installed.
    """
    try:
        from minidump.minidumpfile import MinidumpFile
    except ImportError:
        raise ImportError('You need to install minidump dependency')

    dump = MinidumpFile.parse(filename)
    system_info = KatzSystemInfo.from_minidump(dump)
    engine = pypykatz(dump.get_reader().get_buffered_reader(), system_info)
    engine.start()
    return engine
def parse_minidump_external(handle):
    """Parse an LSASS minidump through an arbitrary file-like object.

    handle: any object implementing read, seek and tell with file-object
        semantics; it is handed straight to MinidumpFile.parse_external.
    Returns the started pypykatz instance.
    """
    dump = MinidumpFile.parse_external(handle)
    system_info = KatzSystemInfo.from_minidump(dump)
    engine = pypykatz(dump.get_reader().get_buffered_reader(), system_info)
    engine.start()
    return engine
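def parse_minidump_file(filename, rdp_module, chunksize=10*1024):
    """Parse a minidump from disk and extract RDP credentials from it.

    filename: path to the minidump file.
    rdp_module: RDP module descriptor passed through to RDPCredParser (opaque here).
    chunksize: segment chunk size (bytes) for the buffered reader.
    Returns a one-element list holding the started RDPCredParser.
    Raises whatever the dump parser or credential parser raises; dump-parse
    failures are logged with a traceback, credential-parse failures at info level.
    """
    try:
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader(segment_chunk_size=chunksize)
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        # Bare `raise` re-raises the active exception with its original
        # traceback; `raise e` would add this frame on top of it.
        raise
    try:
        mimi = RDPCredParser(None, reader, sysinfo, rdp_module)
        mimi.start()
    except Exception:
        logger.info('Credentials parsing error!')
        raise
    return [mimi]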
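def parse_minidump_file(filename):
    """Parse an LSASS minidump from disk and run credential extraction over it.

    filename: path to the minidump file.
    Returns the started pypykatz instance.
    Raises whatever the dump parser or pypykatz raises; dump-parse failures are
    logged with a traceback, credential-parse failures dump basic info first.
    """
    try:
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        raise
    # Construct outside the try: if the constructor itself fails there is no
    # instance to call log_basic_info() on, and the handler would otherwise
    # hit an UnboundLocalError that masks the real exception.
    mimi = pypykatz(reader, sysinfo)
    try:
        mimi.start()
    except Exception:
        mimi.log_basic_info()
        raise
    return mimi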
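def parse_minidump_file(filename, packages=None, chunksize=10*1024):
    """Parse an LSASS minidump from disk and run credential extraction over it.

    filename: path to the minidump file.
    packages: list of credential-package names handed to pypykatz.start();
        None (the default) selects ['all'].
    chunksize: segment chunk size (bytes) for the buffered reader.
    Returns the started pypykatz instance.
    Raises whatever the dump parser or pypykatz raises; dump-parse failures are
    logged with a traceback, credential-parse failures dump basic info first.
    """
    # Build the default per call rather than sharing one mutable list.
    if packages is None:
        packages = ['all']
    try:
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader(segment_chunk_size=chunksize)
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        raise
    # Construct outside the try: if the constructor itself fails there is no
    # instance to call log_basic_info() on, and the handler would otherwise
    # hit an UnboundLocalError that masks the real exception.
    mimi = pypykatz(reader, sysinfo)
    try:
        mimi.start(packages)
    except Exception:
        mimi.log_basic_info()
        raise
    return mimi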
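def __init__(self, widget, args):
    """Initialise the minidump runtime: config path, exports table, parsed dump, reader.

    widget, args: forwarded to the base runtime constructor. args.filename is
        expected to be an open file object (its .name is the dump path) —
        presumably an argparse FileType; confirm against the argument parser.
    Terminates the process with a non-zero status when the dump cannot be parsed.
    """
    # Load configuration
    self.config_file = os.path.join(self.get_temp_dir(), "pe_tree_minidump.ini")
    super(MinidumpRuntime, self).__init__(widget, args)

    # Exported symbols table
    self.exports = {}

    # Initialise minidump. Catch Exception rather than a bare `except:` so
    # KeyboardInterrupt/SystemExit still propagate, and exit non-zero so a
    # bad input is not reported as success to the caller's shell.
    try:
        self.mf = MinidumpFile.parse(self.args.filename.name)
    except Exception:
        print("Not a valid Minidump file?")
        raise SystemExit(1)
    self.reader = self.mf.get_reader()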
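def main(dump_path=r"D:\Data\minecraft\bedrock_memory\1.18.DMP"):
    """Scan a Bedrock memory dump for biome records and print (id, name) sorted by id.

    dump_path: path of the minidump to scan (default kept from the original script).
    Every hit on the 4-byte marker is followed either by an inline name (64 bytes
    at +4) or, when that does not look like an identifier, by a 32-bit pointer to
    the name; the biome id is the single byte at +0x6C.
    Raises ValueError if one biome name is seen with two different ids.
    """
    dmp = MinidumpFile.parse(dump_path)
    dmp_reader = dmp.get_reader()
    biomes = {}
    biome_data_locations = dmp_reader.search(b"\x68\x7F\xFF\x06")
    for index in biome_data_locations:
        biome_name = get_string(dmp_reader.read(index + 4, 64))
        if id_chrs.fullmatch(biome_name) is None:
            # Not an inline name: treat the 4 bytes as a pointer to the name.
            biome_name_index = struct.unpack("<I", dmp_reader.read(index + 4, 4))[0]
            try:
                data = dmp_reader.read(biome_name_index, 64)
            except Exception:
                # Pointer lands outside the captured memory; best-effort, skip.
                continue
            biome_name = get_string(data)
        # assumes get_string returns bytes — TODO confirm
        biome_name = biome_name.decode("utf-8")
        biome_id = dmp_reader.read(index + 0x6C, 1)[0]
        # Explicit check instead of assert: assert is stripped under `python -O`.
        if biome_name in biomes and biomes[biome_name] != biome_id:
            raise ValueError(
                f"biome {biome_name!r} seen with ids {biomes[biome_name]} and {biome_id}"
            )
        biomes[biome_name] = biome_id
    for biome_name, biome_id in sorted(biomes.items(), key=lambda x: x[1]):
        print(biome_id, biome_name)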
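def run():
    """Command-line entry point: parse a minidump and print the selected streams.

    Flags choose which streams are printed (--threads, --modules, --memory,
    --sysinfo, --comments, --handles, --misc, or --all). -r/-s hex-dump a region
    of the dumped process's address space through the buffered reader; -v (repeatable)
    raises log verbosity.
    """
    import argparse
    parser = argparse.ArgumentParser(
        description='A parser for minidumnp files')
    parser.add_argument('minidumpfile', help='path to the minidump file of lsass.exe')
    parser.add_argument('-v', '--verbose', action='count', default=0)
    parser.add_argument('--modules', action='store_true', help='List modules')
    parser.add_argument('--threads', action='store_true', help='List threads')
    parser.add_argument('--memory', action='store_true', help='List memory')
    parser.add_argument('--sysinfo', action='store_true', help='Show sysinfo')
    parser.add_argument('--comments', action='store_true', help='Show comments')
    parser.add_argument('--handles', action='store_true', help='List handles')
    parser.add_argument('--misc', action='store_true', help='Show misc info')
    parser.add_argument('--all', action='store_true', help='Show all info')
    # int(x, 0) accepts 0x... hex as well as decimal.
    parser.add_argument(
        '-r', '--read-addr', type=lambda x: int(x, 0),
        help='Dump a memory region from the process\'s addres space')
    # Help text previously duplicated the -r description; it is the byte count.
    parser.add_argument(
        '-s', '--read-size', type=lambda x: int(x, 0), default=0x20,
        help='Number of bytes to dump from --read-addr (default 0x20)')
    args = parser.parse_args()

    if args.verbose == 0:
        logging.basicConfig(level=logging.INFO)
    elif args.verbose == 1:
        logging.basicConfig(level=logging.DEBUG)
    else:
        logging.basicConfig(level=1)

    mf = MinidumpFile.parse(args.minidumpfile)
    reader = mf.get_reader()

    if args.all or args.threads:
        if mf.threads is not None:
            print(str(mf.threads))
        if mf.threads_ex is not None:
            print(str(mf.threads_ex))
        if mf.thread_info is not None:
            print(str(mf.thread_info))

    if args.all or args.modules:
        if mf.modules is not None:
            print(str(mf.modules))
        if mf.unloaded_modules is not None:
            print(str(mf.unloaded_modules))

    if args.all or args.memory:
        if mf.memory_segments is not None:
            print(str(mf.memory_segments))
        if mf.memory_segments_64 is not None:
            print(str(mf.memory_segments_64))
        if mf.memory_info is not None:
            print(str(mf.memory_info))

    if args.all or args.sysinfo:
        if mf.sysinfo is not None:
            print(str(mf.sysinfo))

    if args.all or args.comments:
        if mf.comment_a is not None:
            print(str(mf.comment_a))
        if mf.comment_w is not None:
            print(str(mf.comment_w))

    if args.all or args.handles:
        if mf.handles is not None:
            print(str(mf.handles))

    if args.all or args.misc:
        if mf.misc_info is not None:
            print(str(mf.misc_info))

    # `is not None` rather than truthiness so that address 0 is still dumpable.
    if args.read_addr is not None:
        buff_reader = reader.get_buffered_reader()
        buff_reader.move(args.read_addr)
        data = buff_reader.peek(args.read_size)
        print(hexdump(data, start=args.read_addr))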
parser.add_argument('--comments', action='store_true', help='Show comments') parser.add_argument('--handles', action='store_true', help='List handles') parser.add_argument('--misc', action='store_true', help='Show misc info') parser.add_argument('--all', action='store_true', help='Show all info') args = parser.parse_args() if args.verbose == 0: logging.basicConfig(level=logging.INFO) elif args.verbose == 1: logging.basicConfig(level=logging.DEBUG) else: logging.basicConfig(level=1) mf = MinidumpFile.parse(args.minidumpfile) reader = mf.get_reader() if args.all or args.threads: if mf.threads is not None: print(str(mf.threads)) if mf.threads_ex is not None: print(str(mf.threads_ex)) if mf.thread_info is not None: print(str(mf.thread_info)) if args.all or args.modules: if mf.modules is not None: print(str(mf.modules)) if mf.unloaded_modules is not None: print(str(mf.unloaded_modules)) if args.all or args.memory:
else: logging.basicConfig(level=1) if args.directory: dir_fullpath = os.path.abspath(args.minidumpfile) file_pattern = '*.dmp' if args.recursive == True: globdata = os.path.join(dir_fullpath, '**', file_pattern) else: globdata = os.path.join(dir_fullpath, file_pattern) results = {} logging.info('Parsing folder %s' % dir_fullpath) for filename in glob.glob(globdata, recursive=args.recursive): logging.info('Parsing file %s' % filename) try: mf = MinidumpFile.parse(filename) mimi = pypykatz(mf) mimi.start() results[filename] = mimi except Exception as e: results[filename] = 'ERROR IN PARSING!' logging.warning(e ) pass if args.outfile and args.json: with open(args.outfile, 'w') as f: json.dump(results, f, cls = UniversalEncoder, indent=4, sort_keys=True) elif args.outfile: with open(args.outfile, 'w') as f: for result in results:
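def setup(self):
    """Open the minidump at self.source and keep the parsed file and its reader.

    Sets self.obj (the parsed MinidumpFile) and self._reader (its reader).
    Raises ImportError when the optional minidump module is unavailable
    (MinidumpFile bound to None at import time).
    """
    if MinidumpFile is None:
        # ImportError names the actual problem (missing dependency) and is a
        # subclass of Exception, so existing `except Exception` callers still match.
        raise ImportError("Need to have working minidump module !")
    self.obj = MinidumpFile.parse(self.source)
    self._reader = self.obj.get_reader()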