fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

Feature Request: QueryPerformanceData #1677

Open ghost-ng opened 6 months ago

ghost-ng commented 6 months ago

This is a feature request to implement the nmap lua script functionality of https://svn.nmap.org/nmap/scripts/smb-enum-processes.nse

This will display the running processes etc. from the registry performance data counters.

Right now, rrp only has a way to open the performance data registry. Please implement a way to query AND parse the results.

```python
from impacket.dcerpc.v5 import rrp

# Open Performance Data (HKEY_PERFORMANCE_DATA) over the already-bound WINREG DCE/RPC connection
openhkpd_result = rrp.hOpenPerformanceData(self.dce, samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS | rrp.KEY_QUERY_VALUE)
#openhkpd_result.dump()

# "Counter 009" is the English counter title database: alternating index / name strings
ans = rrp.hBaseRegQueryValue(self.dce, openhkpd_result['phKey'], lpValueName="Counter 009")
result['title-database'] = parse_perf_title_data(ans[1])

# Look up the title index of the "Process" performance object
counter_ID = result['title-database']['Process']  # 230

# Query the performance object by its title index as the value name
queryvalue_result = rrp.hBaseRegQueryValue(self.dce, openhkpd_result['phKey'], lpValueName=str(counter_ID))
```

The above hangs; the one below returns a not-found error:

```python
queryvalue_result = rrp.hBaseRegQueryValue(self.dce, openhkpd_result['phKey'], lpValueName="Counter " + str(counter_ID))
```

There is a very high chance I am not doing this right.
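
The `parse_perf_title_data` step referenced above is not shown in the post. The following is an added example (not impacket's code and not the reporter's) of how the "Counter 009" title database is parsed: it is a REG_MULTI_SZ of alternating index/name strings, so the parser pairs them up, builds a name-to-index map and also the reverse map needed to label objects and counters by their title index later. The sample bytes are constructed to mimic the real layout; whether `hBaseRegQueryValue` hands back raw bytes or an already-split list is an assumption, so both are accepted.

```python
# Constructed sample of a "Counter 009" REG_MULTI_SZ fragment: index, name, index, name, ...
# in UTF-16LE, each string NUL-terminated, the whole list closed by an extra NUL.
SAMPLE_TITLE_DB = "\x00".join([
    "1", "1847", "2", "System", "4", "Memory", "230", "Process",
    "232", "Thread", "238", "Processor", "",
]).encode("utf-16le") + b"\x00\x00"


def split_multi_sz(data):
    """Turn raw REG_MULTI_SZ bytes (or a list that was already split) into its strings."""
    if isinstance(data, (bytes, bytearray)):
        text = bytes(data).decode("utf-16le")
        # Splitting on NUL leaves empty strings for the list terminator; names are never empty.
        return [s for s in text.split("\x00") if s != ""]
    return [s for s in data if s != ""]


def parse_perf_title_data(data):
    """Build {counter/object name: title index} from the alternating index/name strings."""
    strings = split_multi_sz(data)
    if len(strings) % 2:
        raise ValueError("title database has an odd number of strings: %d" % len(strings))
    titles = {}
    for idx_text, name in zip(strings[0::2], strings[1::2]):
        if not idx_text.isdigit():
            raise ValueError("non-numeric title index %r before %r" % (idx_text, name))
        # The real database repeats some names under several indices; keep the first one seen.
        titles.setdefault(name, int(idx_text))
    return titles


def title_index_to_name(data):
    """Reverse map, used to label PERF_OBJECT_TYPE / counter definitions by their title index."""
    strings = split_multi_sz(data)
    return {int(i): n for i, n in zip(strings[0::2], strings[1::2]) if i.isdigit()}


def object_value_name(data, object_name):
    """The lpValueName to query under HKEY_PERFORMANCE_DATA for a performance object."""
    return str(parse_perf_title_data(data)[object_name])


if __name__ == "__main__":
    print(object_value_name(SAMPLE_TITLE_DB, "Process"))  # 230
```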

ghost-ng commented 5 months ago

Figured it out for when the perf objects have multiple instances, so I can now get the remote processes; still having issues if instances are 0.

https://github.com/ghost-ng/slinger

- src/slingerpkg/lib/winreg.py: `def show_process_list(self, args)`
- src/slingerpkg/lib/dcetransport.py: `def _hQueryPerformaceData(self, object_num, arch=64)`
- src/slingerpkg/lib/msrpcperformance.py