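def run(self, args):
    """Dispatch the ``rekall`` / ``minidump`` sub-commands and hand the
    parsed results to ``self.process_results``.

    Args:
        args: parsed CLI namespace. Fields read here: ``cmd``, ``memoryfile``,
            ``directory``, ``recursive``, ``packages``, ``kerberos_dir``,
            ``timestamp_override`` and ``halt_on_error``.

    Raises:
        Exception: ``'Error in modules!'`` when a parsed minidump reports
            module errors and ``args.halt_on_error`` is set; parser
            exceptions are re-raised under ``halt_on_error`` as well.

    Notes:
        Memory dumps are untrusted input. Per-file parse failures are
        logged and recorded in ``files_with_error`` (passed on to
        ``process_results``) instead of aborting the whole run, unless
        ``halt_on_error`` is set.
    """
    files_with_error = []
    results = {}

    def ensure_ktickets():
        # Kerberos ticket export needs the 'ktickets' package. The original
        # appended it on every loop iteration, duplicating the entry in
        # args.packages once per dump file; add it at most once instead.
        if args.kerberos_dir is None or 'all' in args.packages:
            return
        if 'ktickets' not in args.packages:
            args.packages.append('ktickets')

    ###### Rekall
    if args.cmd == 'rekall':
        ensure_ktickets()
        results['rekall'] = pypykatz.parse_memory_dump_rekall(
            args.memoryfile, args.timestamp_override, packages=args.packages)

    ###### Minidump
    elif args.cmd == 'minidump':
        ensure_ktickets()
        if args.directory:
            dir_fullpath = os.path.abspath(args.memoryfile)
            file_pattern = '*.dmp'
            # '**' only descends into sub-folders when glob is told to be recursive.
            if args.recursive:
                globdata = os.path.join(dir_fullpath, '**', file_pattern)
            else:
                globdata = os.path.join(dir_fullpath, file_pattern)
            logger.info('Parsing folder %s' % dir_fullpath)
            for filename in glob.glob(globdata, recursive=args.recursive):
                logger.info('Parsing file %s' % filename)
                try:
                    mimi = pypykatz.parse_minidump_file(filename, packages=args.packages)
                    results[filename] = mimi
                    if args.halt_on_error and len(mimi.errors) > 0:
                        raise Exception('Error in modules!')
                except Exception:
                    files_with_error.append(filename)
                    logger.exception('Error parsing file %s ' % filename)
                    if args.halt_on_error:
                        # Bare raise keeps the original traceback intact.
                        raise
        else:
            logger.info('Parsing file %s' % args.memoryfile)
            try:
                mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
                results[args.memoryfile] = mimi
                if args.halt_on_error and len(mimi.errors) > 0:
                    raise Exception('Error in modules!')
            except Exception:
                logger.exception('Error while parsing file %s' % args.memoryfile)
                if args.halt_on_error:
                    raise
                # Best-effort mode: surface the traceback on stderr and carry on.
                traceback.print_exc()

    self.process_results(results, files_with_error, args)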
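def parse_minidump_file(filename, rdp_module, chunksize=10 * 1024):
    """Parse a minidump file and run the RDP credential parser over it.

    Args:
        filename: path of the minidump to parse (treat as untrusted input).
        rdp_module: handed through unchanged to ``RDPCredParser``.
        chunksize: segment chunk size for the buffered reader.

    Returns:
        A one-element list holding the started ``RDPCredParser``.

    Raises:
        Exception: whatever the minidump or credential parsing raised;
            the dump-parsing failure is logged with a traceback, the
            credential-parsing failure only at info level.
    """
    try:
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader(segment_chunk_size=chunksize)
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        # Bare raise re-raises without appending an extra traceback frame.
        raise

    try:
        mimi = RDPCredParser(None, reader, sysinfo, rdp_module)
        mimi.start()
    except Exception:
        logger.info('Credentials parsing error!')
        raise

    return [mimi]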
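async def parse_minidump_file(filename, packages=None, chunksize=10 * 1024):
    """Asynchronously parse a minidump and run the selected pypykatz packages.

    Args:
        filename: path of the minidump (untrusted input).
        packages: package names passed to ``mimi.start``; ``None`` (the
            default) means ``['all']``, replacing the previous mutable
            list default.
        chunksize: chunk size handed to the buffered reader.

    Returns:
        The started ``apypykatz`` instance.

    Raises:
        Exception: from minidump parsing (logged with traceback) or from
            ``mimi.start`` (basic dump info is logged first).
    """
    if packages is None:
        packages = ['all']

    try:
        minidump = await AMinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader(chunksize)
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        raise

    # Construct outside the try: if the constructor itself failed, the old
    # handler's mimi.log_basic_info() hit an unbound name and masked the
    # real error with an UnboundLocalError.
    mimi = apypykatz(reader, sysinfo)
    try:
        await mimi.start(packages)
    except Exception:
        mimi.log_basic_info()
        raise

    return mimi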
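def parse_minidump_file(filename):
    """Parse a minidump and run pypykatz over it (synchronous variant).

    Args:
        filename: path of the minidump (untrusted input).

    Returns:
        The started ``pypykatz`` instance.

    Raises:
        Exception: from minidump parsing (logged with traceback) or from
            ``mimi.start`` (basic dump info is logged first).
    """
    try:
        minidump = MinidumpFile.parse(filename)
        reader = minidump.get_reader().get_buffered_reader()
        sysinfo = KatzSystemInfo.from_minidump(minidump)
    except Exception:
        logger.exception('Minidump parsing error!')
        raise

    # Constructed outside the try so a constructor failure propagates as-is
    # instead of being masked by an unbound 'mimi' in the handler.
    mimi = pypykatz(reader, sysinfo)
    try:
        mimi.start()
    except Exception:
        mimi.log_basic_info()
        raise

    return mimi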
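def get_lsa(self):
    """Return an LSA decryptor, trying template auto-detection first and
    falling back to ``self.get_lsa_bruteforce``.

    Returns:
        The decryptor chosen by ``LsaDecryptor.choose`` or by brute force.

    Raises:
        Exception: ``'All detection methods failed.'`` when the fallback
            also returns ``None``.
    """
    try:
        lsa_dec_template = LsaTemplate.get_template(self.sysinfo)
        lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
        logger.debug(lsa_dec.dump())
        return lsa_dec
    except Exception:
        # Was a bare 'except:', which also swallowed KeyboardInterrupt/SystemExit.
        logger.exception('Failed to automatically detect correct LSA template!')

    # Fallback runs outside the handler so its failure is not reported as
    # "during handling of the above exception".
    lsa_dec = self.get_lsa_bruteforce()
    if lsa_dec is None:
        raise Exception('All detection methods failed.')
    return lsa_dec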
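async def run(self, args):
    """Async dispatcher for the ``minidump`` sub-command; results go to
    ``self.process_results``.

    Args:
        args: parsed CLI namespace. Fields read here: ``cmd``, ``memoryfile``,
            ``directory``, ``recursive``, ``packages`` and ``halt_on_error``.

    Raises:
        Exception: parser exceptions are re-raised when ``args.halt_on_error``
            is set; otherwise they are logged and the file is recorded in
            ``files_with_error``.

    Notes:
        Dump files are untrusted input; a single malformed file should not
        abort a folder run unless ``halt_on_error`` asks for that.
    """
    files_with_error = []
    results = {}

    ###### Minidump
    if args.cmd == 'minidump':
        if args.directory:
            dir_fullpath = os.path.abspath(args.memoryfile)
            file_pattern = '*.dmp'
            # '**' only descends into sub-folders when glob is told to be recursive.
            if args.recursive:
                globdata = os.path.join(dir_fullpath, '**', file_pattern)
            else:
                globdata = os.path.join(dir_fullpath, file_pattern)
            logger.info('Parsing folder %s' % dir_fullpath)
            for filename in glob.glob(globdata, recursive=args.recursive):
                logger.info('Parsing file %s' % filename)
                try:
                    results[filename] = await apypykatz.parse_minidump_file(
                        filename, packages=args.packages)
                except Exception:
                    files_with_error.append(filename)
                    logger.exception('Error parsing file %s ' % filename)
                    if args.halt_on_error:
                        # Bare raise keeps the original traceback intact.
                        raise
        else:
            logger.info('Parsing file %s' % args.memoryfile)
            try:
                results[args.memoryfile] = await apypykatz.parse_minidump_file(
                    args.memoryfile, packages=args.packages)
            except Exception:
                logger.exception('Error while parsing file %s' % args.memoryfile)
                if args.halt_on_error:
                    raise
                # Best-effort mode: surface the traceback on stderr and carry on.
                traceback.print_exc()

    self.process_results(results, files_with_error, args)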