MemProcFS v3.9 support
@@ -19,7 +19,7 @@ _pypykatz_ for MemProcFS exposes mimikatz functionality in the folder `/py/secre
|
||||
3) Copy the _pypykatz_ for _MemProcFS_ plugin by copying all files from [`/files/plugins/pym_pypykatz`](https://github.com/ufrisk/MemProcFS-plugins/tree/master/files/plugins/pym_pypykatz) to corresponding folder in MemProcFS - overwriting any existing files there.
|
||||
4) Start MemProcFS.
|
||||
|
||||
#### Last updated: 2021-01-11
|
||||
#### Last updated: 2021-03-21
|
||||
|
||||
## pypykatz regsecrets
|
||||
|
||||
@@ -36,4 +36,4 @@ _regsecrets_ for MemProcFS exposes mimikatz functionality in the folder `/py/reg
|
||||
3) Copy the _pyregsecrets_ for _MemProcFS_ plugin by copying all files from [`/files/plugins/pym_regsecrets`](https://github.com/ufrisk/MemProcFS-plugins/tree/master/files/plugins/pym_regsecrets) to corresponding folder in MemProcFS - overwriting any existing files there.
|
||||
4) Start MemProcFS.
|
||||
|
||||
#### Last updated: 2021-01-11
|
||||
#### Last updated: 2021-03-21
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
# Author: Tamas Jos (@skelsec), info@skelsec.com
|
||||
#
|
||||
|
||||
from vmmpy import *
|
||||
import memprocfs
|
||||
from vmmpyplugin import *
|
||||
import json
|
||||
import traceback
|
||||
@@ -282,7 +282,7 @@ def List(pid, path):
|
||||
|
||||
|
||||
def Notify(fEvent, bytesData):
|
||||
if fEvent == VMMPY_PLUGIN_EVENT_TOTALREFRESH and not import_failed and not parsing_failed:
|
||||
if fEvent == memprocfs.PLUGIN_EVENT_TOTALREFRESH and not import_failed and not parsing_failed:
|
||||
global first_run
|
||||
first_run = True
|
||||
|
||||
@@ -290,7 +290,7 @@ def Notify(fEvent, bytesData):
|
||||
def Initialize(target_system, target_memorymodel):
|
||||
# Check that the operating system is 32-bit or 64-bit Windows. If it's not
|
||||
# then raise an exception to terminate loading of this module.
|
||||
if target_system != VMMPY_SYSTEM_WINDOWS_X64 and target_system != VMMPY_SYSTEM_WINDOWS_X86:
|
||||
if target_system != memprocfs.SYSTEM_WINDOWS_X64 and target_system != memprocfs.SYSTEM_WINDOWS_X86:
|
||||
raise RuntimeError("Only Windows is supported by the pym_pypykatz module.")
|
||||
VmmPyPlugin_FileRegisterDirectory(None, 'secrets', List)
|
||||
|
||||
@@ -11,7 +11,8 @@
|
||||
from pypykatz.commons.common import KatzSystemArchitecture, KatzSystemInfo
|
||||
from .sysinfo_helpers import *
|
||||
|
||||
from vmmpy import *
|
||||
import memprocfs
|
||||
from vmmpyplugin import *
|
||||
import copy
|
||||
|
||||
class Module:
|
||||
@@ -31,9 +32,9 @@ class Module:
|
||||
|
||||
def parse(data, timestamp = None):
|
||||
m = Module()
|
||||
m.name = data['name']
|
||||
m.baseaddress = data['va']
|
||||
m.size = data['size']
|
||||
m.name = data.name
|
||||
m.baseaddress = data.base
|
||||
m.size = data.image_size
|
||||
m.endaddress = m.baseaddress + m.size
|
||||
|
||||
m.timestamp = timestamp
|
||||
@@ -50,7 +51,6 @@ class Page:
|
||||
self.AllocationProtect = None
|
||||
self.RegionSize = None
|
||||
self.EndAddress = None
|
||||
|
||||
self.data = None
|
||||
|
||||
@staticmethod
|
||||
@@ -74,7 +74,7 @@ class Page:
|
||||
return p
|
||||
|
||||
def read_data(self, pid):
|
||||
self.data = VmmPy_MemRead(pid, self.BaseAddress, self.RegionSize)
|
||||
self.data = vmm.process(pid).memory.read(self.BaseAddress, self.RegionSize)
|
||||
|
||||
def inrange(self, addr):
|
||||
return self.BaseAddress <= addr < self.EndAddress
|
||||
@@ -82,7 +82,7 @@ class Page:
|
||||
def search(self, pattern, pid):
|
||||
if len(pattern) > self.RegionSize:
|
||||
return []
|
||||
data = VmmPy_MemRead(pid, self.BaseAddress, self.RegionSize)
|
||||
data = vmm.process(pid).memory.read(self.BaseAddress, self.RegionSize)
|
||||
fl = []
|
||||
offset = 0
|
||||
while len(data) > len(pattern):
|
||||
@@ -104,7 +104,7 @@ class MemProcFsReader:
|
||||
self.filename = filename
|
||||
self.process_name = process_name
|
||||
self.sysinfo = None
|
||||
self.process_pid = None
|
||||
self.process = None
|
||||
self.current_position = None
|
||||
self.modules = []
|
||||
|
||||
@@ -115,16 +115,16 @@ class MemProcFsReader:
|
||||
self.sysinfo = KatzSystemInfo()
|
||||
|
||||
#print('[+] Getting BuildNumer')
|
||||
self.sysinfo.buildnumber = VmmPy_ConfigGet(VMMDLL_OPT_WIN_VERSION_BUILD)
|
||||
self.sysinfo.buildnumber = vmm.get_config(memprocfs.OPT_WIN_VERSION_BUILD)
|
||||
#print('[+] Found BuildNumber %s' % self.sysinfo.buildnumber)
|
||||
|
||||
#print('[+] Getting msv_dll_timestamp')
|
||||
self.sysinfo.msv_dll_timestamp = int(PEGetFileTime(self.process_pid, self.process_name))
|
||||
self.sysinfo.msv_dll_timestamp = int(PEGetFileTime(self.process, self.process_name))
|
||||
#print('[+] Found msv_dll_timestamp %s' % self.sysinfo.msv_dll_timestamp)
|
||||
|
||||
#print('[+] Getting arch')
|
||||
val = VmmPy_ConfigGet(VMMPY_OPT_CORE_SYSTEM)
|
||||
if val == VMMPY_SYSTEM_WINDOWS_X64:
|
||||
val = vmm.get_config(memprocfs.OPT_CORE_SYSTEM)
|
||||
if val == memprocfs.SYSTEM_WINDOWS_X64:
|
||||
self.sysinfo.architecture = KatzSystemArchitecture.X64
|
||||
else:
|
||||
self.sysinfo.architecture = KatzSystemArchitecture.X86
|
||||
@@ -139,17 +139,17 @@ class MemProcFsReader:
|
||||
VmmPy_Initialize(["-device", self.filename,'-vv'])
|
||||
|
||||
#print('[+] Searching LSASS')
|
||||
self.process_pid = VmmPy_PidGetFromName(self.process_name)
|
||||
#print('[+] Found LSASS on PID %s' % self.process_pid)
|
||||
self.process = vmm.process(self.process_name)
|
||||
#print('[+] Found LSASS on PID %s' % self.process.pid)
|
||||
|
||||
self.get_sysinfo()
|
||||
|
||||
#print('[+] Getting modules info')
|
||||
for moduleinfo in VmmPy_ProcessGetModuleMap(self.process_pid):
|
||||
for module in self.process.module_list():
|
||||
#print('moduleinfo: %s' % str(moduleinfo))
|
||||
m = Module.parse(moduleinfo)
|
||||
m = Module.parse(module)
|
||||
try:
|
||||
for pageinfo in VmmPy_ProcessGetSections(self.process_pid, m.name):
|
||||
for pageinfo in module.maps.sections():
|
||||
#print('pageinfo: %s' % str(pageinfo))
|
||||
m.pages.append(Page.parse(pageinfo, m))
|
||||
|
||||
@@ -157,7 +157,7 @@ class MemProcFsReader:
|
||||
except:
|
||||
#module is paged out, hoping that it's not a module that is needed
|
||||
pass
|
||||
|
||||
|
||||
#print('[+] Got modules info')
|
||||
|
||||
|
||||
@@ -192,7 +192,7 @@ class MemProcFsReader:
|
||||
"""
|
||||
Searches for all occurrences of a pattern in the current memory segment, returns all occurrences as a list
|
||||
"""
|
||||
data = VmmPy_MemRead(self.process_pid, start, end - start)
|
||||
data = self.process.memory.read(start, end - start)
|
||||
pos = []
|
||||
for p in MemProcFsReader.find_all_pattern(data, pattern):
|
||||
pos.append( p + start)
|
||||
@@ -242,7 +242,7 @@ class MemProcFsReader:
|
||||
return data
|
||||
|
||||
def read(self, size = -1):
|
||||
data = VmmPy_MemRead(self.process_pid, self.current_position, size)
|
||||
data = self.process.memory.read(self.current_position, size)
|
||||
self.current_position += size
|
||||
return data
|
||||
|
||||
|
||||
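Review bot: `VmmPy_Initialize(["-device", self.filename,'-vv'])` (the context line at the top of the `@@ -139` hunk) still calls the legacy `vmmpy` API although this commit removes `from vmmpy import *` and moves every other call to `memprocfs`/`vmm`, so unless `vmmpyplugin` re-exports that name the standalone-file path now fails with `NameError` before `vmm.process(...)` is reached. If that path is meant to survive, the v3.9 equivalent is presumably something like `vmm = memprocfs.Vmm(['-device', self.filename, '-vv'])` bound to the same `vmm` name the new code reads — confirm against the v3.9 API. Relatedly, `vmm` is used in `Page.read_data`, `Page.search` and `MemProcFsReader` but is neither imported nor assigned in any visible hunk; if the plugin host injects it, a one-line comment near the imports such as `# vmm: memprocfs.Vmm instance injected by the plugin loader` would spare the next reader the search. The bare `except: pass` around the new `module.maps.sections()` loop now also hides any API-mismatch error from this port, not only paged-out modules, so narrowing it to the exception the new API actually raises would make a broken migration visible instead of silently yielding a module with no pages. The enclosing method starts before the hunk.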
@@ -5,13 +5,13 @@
|
||||
#
|
||||
# https://github.com/ufrisk/
|
||||
#
|
||||
# (c) Ulf Frisk, 2019
|
||||
# (c) Ulf Frisk, 2019-2021
|
||||
# Author: Ulf Frisk, pcileech@frizk.net
|
||||
#
|
||||
|
||||
from io import BytesIO
|
||||
from dissect import cstruct
|
||||
from vmmpy import *
|
||||
import memprocfs
|
||||
|
||||
PE_STRUCT_DEFINITIONS = """
|
||||
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
|
||||
@@ -49,9 +49,9 @@ PE_STRUCT_DEFINITIONS = """
|
||||
} IMAGE_FILE_HEADER;
|
||||
"""
|
||||
|
||||
def PEGetFileTime(pid, module):
|
||||
mz_va = VmmPy_ProcessGetModuleFromName(pid, module)['va']
|
||||
mz_bytes = VmmPy_MemRead(pid, mz_va, 0x1000)
|
||||
def PEGetFileTime(process, module):
|
||||
mz_va = process.module(module).base
|
||||
mz_bytes = process.memory.read(mz_va, 0x1000)
|
||||
mz_stream = BytesIO(mz_bytes)
|
||||
# Set up dissect.cstruct
|
||||
pestruct = cstruct.cstruct()
|
||||
|
||||
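Review bot: The new signature `PEGetFileTime(process, module)` carries no docstring saying what `process` is, and the function still reads a fixed `0x1000` bytes from `process.module(module).base` and hands that buffer to the PE parsing that follows, so a header whose `e_lfanew` lies beyond the first page would fail later rather than at the read. I would add a docstring along the lines of `"""Return the TimeDateStamp of *module* inside *process* (a memprocfs process object). Only the first 0x1000 bytes at the module base are read, so the PE headers must lie within that page."""`. The old `['va']` lookup raised `KeyError` for a missing module; it is worth a short comment stating what `process.module(module)` does in that case (returns `None` or raises), since the only visible caller wraps the result in `int()` without checking. The remainder of the function lies outside the hunk.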
@@ -1 +1 @@
|
||||
1.2.0
|
||||
1.3.0
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
# Author: Ulf Frisk (@UlfFrisk), pcileech@frizk.net
|
||||
#
|
||||
|
||||
from vmmpy import *
|
||||
import memprocfs
|
||||
from vmmpyplugin import *
|
||||
import traceback
|
||||
|
||||
@@ -76,8 +76,8 @@ class MemProcFS_RegReader:
|
||||
This class provides buffer-like reader interface which can be delegated to AIOWinreg's HIVE classes.
|
||||
Emulates reading and seeking capablities of a buffer but actually calling the underlying MemProcFS API.
|
||||
"""
|
||||
def __init__(self, va_hive):
|
||||
self.va_hive = va_hive
|
||||
def __init__(self, hive):
|
||||
self.hive = hive
|
||||
self.position = 0
|
||||
self.firstread = True
|
||||
|
||||
@@ -87,7 +87,7 @@ class MemProcFS_RegReader:
|
||||
elif count == 0:
|
||||
return None
|
||||
|
||||
data = VmmPy_WinReg_HiveRead(self.va_hive, self.position, count, flags = 0)
|
||||
data = self.hive.memory.read(self.position, count, 0)
|
||||
self.position += count
|
||||
return data
|
||||
|
||||
@@ -102,27 +102,27 @@ class MemProcFS_RegReader:
|
||||
raise Exception('Cant seek from the end!')
|
||||
|
||||
def list_hives():
|
||||
for x in VmmPy_WinReg_HiveList():
|
||||
for x in vmm.reg_hive_list():
|
||||
yield x
|
||||
|
||||
|
||||
|
||||
def get_hive_va(hive_name, hive_name_short):
|
||||
def get_hive(hive_name, hive_name_short):
|
||||
for hiveinfo in list_hives():
|
||||
if 'name' in hiveinfo and hiveinfo['name'].endswith(hive_name):
|
||||
return hiveinfo['va_hive']
|
||||
if hiveinfo.name.endswith(hive_name):
|
||||
return hiveinfo
|
||||
for hiveinfo in list_hives():
|
||||
if 'name' in hiveinfo and hive_name_short in hiveinfo['name']:
|
||||
return hiveinfo['va_hive']
|
||||
if hive_name_short in hiveinfo.name:
|
||||
return hiveinfo
|
||||
return None
|
||||
|
||||
|
||||
|
||||
def create_hive(hive_name, hive_name_short):
|
||||
hive_va = get_hive_va(hive_name, hive_name_short)
|
||||
reader = MemProcFS_RegReader(hive_va)
|
||||
hive = get_hive(hive_name, hive_name_short)
|
||||
reader = MemProcFS_RegReader(hive)
|
||||
hroot = NTRegistryHbin.read(reader)
|
||||
reader = MemProcFS_RegReader(hive_va)
|
||||
reader = MemProcFS_RegReader(hive)
|
||||
return AIOWinRegHive(reader, hroot, is_file = False)
|
||||
|
||||
|
||||
@@ -272,7 +272,7 @@ def List(pid, path):
|
||||
|
||||
|
||||
def Notify(fEvent, bytesData):
|
||||
if fEvent == VMMPY_PLUGIN_EVENT_TOTALREFRESH and not import_failed and not parsing_failed:
|
||||
if fEvent == memprocfs.PLUGIN_EVENT_TOTALREFRESH and not import_failed and not parsing_failed:
|
||||
global is_initialized
|
||||
is_initialized = False
|
||||
|
||||
@@ -281,6 +281,6 @@ def Notify(fEvent, bytesData):
|
||||
def Initialize(target_system, target_memorymodel):
|
||||
# Check that the operating system is 32-bit or 64-bit Windows. If it's not
|
||||
# then raise an exception to terminate loading of this module.
|
||||
if target_system != VMMPY_SYSTEM_WINDOWS_X64 and target_system != VMMPY_SYSTEM_WINDOWS_X86:
|
||||
if target_system != memprocfs.SYSTEM_WINDOWS_X64 and target_system != memprocfs.SYSTEM_WINDOWS_X86:
|
||||
raise RuntimeError("Only Windows is supported by the pym_regsecrets module.")
|
||||
VmmPyPlugin_FileRegisterDirectory(None, 'regsecrets', List)
|
||||
|
||||
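Review bot: `create_hive` still passes the result of `get_hive` straight into `MemProcFS_RegReader` without a `None` check, and with the object-based API that failure now surfaces as an `AttributeError` on `self.hive.memory` deep inside `read()` rather than at the lookup; I would add `if hive is None: raise RuntimeError('registry hive not found: %s' % hive_name)` right after the `get_hive` call. `get_hive` also dropped the `'name' in hiveinfo` guard, which is fine if every object from `vmm.reg_hive_list()` exposes `name`, but the second pass remains an unanchored substring match (`hive_name_short in hiveinfo.name`) and can pick an unrelated hive whose path merely contains the short name — that deserves a comment or a stricter match. The bare positional `0` in `self.hive.memory.read(self.position, count, 0)` replaces the old `flags = 0`; a short comment such as `# flags=0: default read` (or a keyword argument if the API accepts one) would keep the intent readable — confirm the parameter meaning against the v3.9 API.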
@@ -1 +1 @@
|
||||
1.1.0
|
||||
1.2.0
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
pypykatz 1.2.0
|
||||
regsecrets 1.1.0
|
||||
pypykatz 1.3.0
|
||||
regsecrets 1.2.0
|
||||
|
||||