atomicshop 2.11.47__py3-none-any.whl → 3.10.5__py3-none-any.whl

atomicshop/wrappers/powershell_networking.py

@@ -0,0 +1,80 @@
+import json
+import subprocess
+from typing import List, Literal
+
+
+def get_interface_ips(
+    interface_name: str,
+    ip_type: Literal["virtual", "dynamic", "all"] = "virtual"
+) -> List[str]:
+    """
+    Return IPv4 addresses on an interface, filtered by 'mode'.
+
+    ip_type:
+      - "virtual": only static/virtual IPs (PrefixOrigin != 'Dhcp')
+      - "dynamic": only DHCP IPs (PrefixOrigin == 'Dhcp')
+      - "all":     all IPv4 IPs on the interface
+
+    If the interface does not exist or has no IPv4 addresses, returns [].
+    """
+
+    ps_script = f"""
+    try {{
+        Get-NetIPAddress -InterfaceAlias "{interface_name}" -AddressFamily IPv4 |
+            Select-Object IPAddress,
+                          @{{
+                              Name = 'PrefixOrigin';
+                              Expression = {{ [string]$_.PrefixOrigin }}
+                           }} |
+            ConvertTo-Json -Depth 3
+    }} catch {{
+        # Return empty JSON array if nothing found / interface missing
+        '[]'
+    }}
+    """
+
+    try:
+        result = subprocess.run(
+            ["powershell", "-NoProfile", "-Command", ps_script],
+            capture_output=True,
+            text=True,
+            check=True
+        )
+    except subprocess.CalledProcessError as e:
+        # If anything unexpected happens, raise a clearer error
+        msg = (e.stderr or e.stdout or "").strip()
+        raise RuntimeError(f"PowerShell Get-NetIPAddress failed: {msg}") from e
+
+    stdout = result.stdout.strip()
+    if not stdout:
+        return []
+
+    # At this point stdout should be valid JSON (list or single object)
+    data = json.loads(stdout)
+
+    if isinstance(data, dict):
+        data = [data]
+
+    ips: List[str] = []
+    ip_type = ip_type.lower()
+
+    for entry in data:
+        ip = entry.get("IPAddress")
+        origin_raw = entry.get("PrefixOrigin", "")
+        origin = str(origin_raw).lower()
+
+        if not ip:
+            continue
+
+        if ip_type == "virtual":
+            if origin != "dhcp":
+                ips.append(ip)
+        elif ip_type == "dynamic":
+            if origin == "dhcp":
+                ips.append(ip)
+        elif ip_type == "all":
+            ips.append(ip)
+        else:
+            raise ValueError(f"Unsupported mode: {ip_type!r}")
+
+    return ips

atomicshop/wrappers/psutilw/processes.py

@@ -0,0 +1,81 @@
+import os
+import time
+
+import psutil
+
+from ...print_api import print_api
+from ..ctyping import file_details_winapi
+
+
+def wait_for_process(pid: int):
+    """
+    Wait for the process with the given PID to finish.
+    :param pid: int, PID of the process to wait for.
+    :return:
+    """
+    try:
+        # Create a process object for the given PID
+        process = psutil.Process(pid)
+
+        # Wait for the process to terminate
+        while process.is_running():
+            print(f"Process with PID {pid} is still running...")
+            time.sleep(1)  # Sleep for 1 second before checking again
+
+        # Refresh process status and get the exit code
+        process.wait()
+        print(f"Process with PID [{pid}] has finished.")
+    except psutil.NoSuchProcess:
+        print(f"No process found with PID {pid}")
+    except psutil.AccessDenied:
+        print(f"Access denied to process with PID {pid}")
+
+
+def kill_process_by_pid(pid: int, print_kwargs: dict = None):
+    try:
+        print_api(f"Terminating process: {pid}.", **(print_kwargs or {}))
+        proc = psutil.Process(pid)
+        proc.terminate()  # or proc.kill() if you want to forcefully kill it
+        proc.wait(timeout=5)  # Wait up to 5 seconds for the process to terminate
+    except psutil.NoSuchProcess:
+        # print(f"No process found with PID {pid}.")
+        pass
+    except psutil.AccessDenied:
+        # print(f"Access denied to terminate process with PID {pid}.")
+        pass
+    except psutil.TimeoutExpired:
+        # print(f"Process {pid} did not terminate in time.")
+        pass
+
+
+def get_running_processes_with_exe_info() -> list[dict]:
+    """
+    Retrieve information about all running processes on the system.
+    """
+    processes_info: list[dict] = []
+
+    for proc in psutil.process_iter(attrs=["pid", "name", "exe"]):
+        try:
+            pid = proc.info["pid"]
+            name = proc.info["name"]
+            exe = proc.info["exe"]
+
+            if exe and os.path.isfile(exe):
+                # Get file properties
+                file_properties = file_details_winapi.get_file_properties(exe)
+
+                # Add process info to the list
+                processes_info.append({
+                    "PID": pid,
+                    "Name": name,
+                    "FilePath": exe,
+                    "FileDescription": file_properties["FileDescription"],
+                    "FileVersion": file_properties["FileVersion"],
+                    "ProductName": file_properties["ProductName"],
+                    "ProductVersion": file_properties["ProductVersion"],
+                })
+        except (psutil.AccessDenied, psutil.NoSuchProcess, psutil.ZombieProcess):
+            # Skip processes that cannot be accessed
+            continue
+
+    return processes_info

atomicshop/wrappers/psutilw/psutil_networks.py

@@ -0,0 +1,85 @@
+from typing import Union
+import shlex
+import socket
+
+import psutil
+
+from ... import networks
+
+
+def get_process_using_port(ip_port: str) -> Union[dict, None]:
+    """
+    Function to find the process using the port.
+    :param ip_port: string, Listening IP and port number. Example: '192.168.0.1:443'
+    :return: dict['pid', 'name', 'cmdline'] or None.
+    """
+
+    ip_address, port = ip_port.split(':')
+    port = int(port)
+
+    for proc in psutil.process_iter(['pid', 'name', 'cmdline']):
+        try:
+            connections = proc.connections(kind='inet')
+            for conn in connections:
+                # if conn.laddr.port == port:
+                # Status LISTEN is for TCP sockets and NONE is for UDP sockets.
+                # Sometimes after socket close, the port will be in TIME_WAIT state.
+                if (conn.laddr.port == port and (conn.status == 'LISTEN' or conn.status == 'NONE')) and conn.laddr.ip == ip_address:
+                    cmdline = proc.info['cmdline']
+                    if not cmdline:
+                        cmdline = '<EMPTY: TRY RUNNING AS ADMIN>'
+                    else:
+                        cmdline = shlex.join(cmdline)
+                    return {
+                        'pid': proc.info['pid'],
+                        'name': proc.info['name'],
+                        'cmdline': cmdline
+                    }
+        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
+            pass
+    return None
+
+
+def get_processes_using_port_list(ips_ports: list) -> Union[dict, None]:
+    """
+    Function to find the process using the port.
+    :param ips_ports: List of listening ips and port numbers. Example:
+        ['192.168.0.1:443', '192.168.0.2:443']
+    :return: dict[port: {'pid', 'name', 'cmdline'}] or None.
+    """
+    port_process_map = {}
+    for ip_port in ips_ports:
+        process_info = get_process_using_port(ip_port)
+        if process_info:
+            port_process_map[ip_port] = process_info
+
+    return port_process_map
+
+
+def get_default_connection_name() -> Union[dict, None]:
+    """
+    Function to get the default network interface.
+    :return: dict[interface_name: details] or None.
+    """
+    # Get all interfaces.
+    interfaces: dict = psutil.net_if_addrs()
+    default_ip_address: str = networks.get_default_internet_ipv4()
+
+    for interface, details in interfaces.items():
+        for address in details:
+            # Check if the address is an IPv4 address (AF_INET) and not a loopback (127.0.0.1)
+            if address.family == socket.AF_INET and not address.address.startswith('127.'):
+                # Check if the address is the default IP address.
+                if address.address == default_ip_address:
+                    return {interface: details}
+
+    return None
+
+
+def list_network_interfaces() -> list:
+    """
+    Function to list all network interfaces.
+    :return: list of interface names.
+    """
+    iface_names = list(psutil.net_if_addrs().keys())
+    return iface_names

atomicshop/wrappers/psutilw/psutilw.py

@@ -164,6 +164,15 @@ def filter_processes_with_present_connections(processes) -> list:
 
 
 class PsutilProcesses:
+    """
+    Class to get all the current processes.
+
+    Example get current running processes as dicts as
+    {'<pid'>: {'name': '<process_name>', 'cmdline': '<process_cmdline>'}}:
+        from atomicshop.wrappers.psutilw import psutilw
+        processes = psutilw.PsutilProcesses().get_processes_as_dict(
+            attrs=['pid', 'name', 'cmdline'], cmdline_to_string=True)
+    """
     def __init__(self):
         self.processes = None
 

atomicshop/wrappers/pyopensslw.py

@@ -1,4 +1,4 @@
-import random
+from secrets import randbits
 from OpenSSL import crypto
 
 from .. import certificates
@@ -121,7 +121,14 @@ def generate_server_certificate_empty(
     """
 
     cert = crypto.X509()
-    cert.set_serial_number(random.randint(0, 2 ** 64 - 1))
+
+    # RFC 5280: serial must be positive and non-zero
+    # 1 … 2⁶⁴-1
+    cert.set_serial_number(randbits(64))
+    current_serial = cert.get_serial_number()
+    if current_serial <= 0:
+        raise RuntimeError(f"Refusing to create a certificate with non-positive serial: {str(current_serial)}")
+
     cert.get_subject().CN = certname
 
     cert.set_version(2)

atomicshop/wrappers/pywin32w/cert_store.py

@@ -0,0 +1,116 @@
+from typing import Literal
+import win32crypt as wcrypt
+
+from ...print_api import print_api
+from ... import certificates
+
+
+# lpszStoreProvider
+CERT_STORE_PROV_SYSTEM = 0x0000000A
+# dwFlags
+CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
+CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000
+CERT_CLOSE_STORE_FORCE_FLAG = 0x00000001
+CRYPT_STRING_BASE64HEADER = 0x00000000
+X509_ASN_ENCODING = 0x00000001
+CERT_STORE_ADD_REPLACE_EXISTING = 3
+
+
+STORE_LOCATION_TO_CERT_SYSTEM_STORE: dict = {
+    "ROOT": CERT_SYSTEM_STORE_LOCAL_MACHINE,
+    "CA": CERT_SYSTEM_STORE_LOCAL_MACHINE,
+    "MY": CERT_SYSTEM_STORE_CURRENT_USER
+}
+
+
+def delete_certificate_by_issuer_name(
+        issuer_name: str,
+        store_location: Literal[
+            "ROOT",
+            "CA",
+            "MY"] = "ROOT",
+        print_kwargs: dict = None
+):
+    """
+    NEED ADMIN RIGHTS.
+    The function will remove all certificates with the specified issuer name.
+    There can be several certificates with this name.
+
+    :param issuer_name: string, issuer name to search for.
+    :param store_location: string, store location to search in. Default is "ROOT".
+    :param print_kwargs: dict, print_api kwargs.
+    """
+
+    """
+    WinAPI doesn't like to do 2 actions in one iteration. So, first we will collect all certificates to remove,
+    and in the second iteration remove them.
+    
+    Full Explanation:
+    When you iterate with for cert in store.CertEnumCertificatesInStore(): and call 
+    cert.CertDeleteCertificateFromStore() inside that loop, you’re modifying the underlying certificate store 
+    while its internal enumeration is still active. This can lead to a segmentation fault (access violation 0xC0000005).
+    By collecting the certificates in the first pass, you freeze the iteration so the store 
+    doesn’t get mutated mid-enumeration.
+    In the second pass, when you actually remove them, you’re no longer in the middle of enumerating. 
+    This prevents the store’s pointer from becoming invalid.
+    
+    This approach should stop the Process finished with exit code -1073741819 (0xC0000005) issue.
+    """
+
+    store = wcrypt.CertOpenStore(
+        CERT_STORE_PROV_SYSTEM,
+        0,
+        None,
+        STORE_LOCATION_TO_CERT_SYSTEM_STORE[store_location],
+        store_location
+    )
+
+    # Collect all matching certificates in a list
+    certs_to_remove = []
+    for cert in store.CertEnumCertificatesInStore():
+        # Certificate properties.
+        # cert.CertEnumCertificateContextProperties()
+        subject_string: str = wcrypt.CertNameToStr(cert.Subject)
+        if subject_string == issuer_name:
+            # Remove the certificate.
+            certs_to_remove.append(cert)
+
+    # Remove all certificates from the list.
+    for cert in certs_to_remove:
+        cert.CertDeleteCertificateFromStore()
+        print_api(f"Removed the Certificate from store [{store_location}] with issuer [{issuer_name}]", **(print_kwargs or {}))
+
+    # There is an exception about store close.
+    # store.CertCloseStore()
+
+
+def install_certificate_file(
+        file_path: str,
+        store_location: Literal[
+            "ROOT", "CA", "MY"] = "ROOT",
+        print_kwargs: dict = None
+):
+    """
+    NEED ADMIN RIGHTS.
+    The function will install the certificate from the file to the specified store location.
+
+    :param file_path: string, full file path to the certificate file.
+    :param store_location: string, store location to install the certificate. Default is "ROOT".
+    :param print_kwargs: dict, print_api kwargs.
+    """
+
+    with open(file_path, 'r') as f:
+        certificate_string = f.read()
+
+    certificate_pem = certificates.get_pem_certificate_from_string(certificate_string)
+
+    certificate_bytes = wcrypt.CryptStringToBinary(certificate_pem, CRYPT_STRING_BASE64HEADER)[0]
+
+    store = wcrypt.CertOpenStore(
+        CERT_STORE_PROV_SYSTEM, 0, None, STORE_LOCATION_TO_CERT_SYSTEM_STORE[store_location], store_location)
+
+    store.CertAddEncodedCertificateToStore(X509_ASN_ENCODING, certificate_bytes, CERT_STORE_ADD_REPLACE_EXISTING)
+    store.CertCloseStore(CERT_CLOSE_STORE_FORCE_FLAG)
+
+    message = f"Certificate installed to the store: [{store_location}] from file: [{file_path}]"
+    print_api(message, **(print_kwargs or {}))

atomicshop/wrappers/pywin32w/console.py

@@ -0,0 +1,34 @@
+import win32api
+import win32con
+
+
+class ConsoleHandler:
+    """
+    This class is used to handle console events.
+    Currently used to handle the 'CTRL_CLOSE_EVENT' event - Meaning what to do when the user closes the console by
+    clicking on X in the top right corner.
+    """
+    def __init__(
+            self,
+            cleanup_action: callable = None,
+            args: tuple = None,
+            kwargs: dict = None
+    ):
+        """
+        :param cleanup_action: The action to run when user closes the console.
+        :param args: The arguments to pass to the cleanup action.
+        :param kwargs: The keyword arguments to pass to the cleanup action.
+        """
+        self.cleanup_action = cleanup_action
+        self.args = args
+        self.kwargs = kwargs
+
+    def _console_handler(self, event):
+        if event == win32con.CTRL_CLOSE_EVENT:
+            if self.cleanup_action and callable(self.cleanup_action):
+                self.cleanup_action(*self.args, **self.kwargs)
+            return True
+        return False
+
+    def register_handler(self):
+        win32api.SetConsoleCtrlHandler(self._console_handler, True)

atomicshop/wrappers/pywin32w/win_event_log/fetch.py

@@ -0,0 +1,174 @@
+import win32evtlog
+import win32security
+import win32con
+
+
+def get_latest_events(
+    server_ip: str = ".",
+    username: str = None,
+    password: str = None,
+    domain: str = ".",
+    log_name: str = "Security",
+    count: int = None,
+    event_id_list: list[int] | None = None
+):
+    """
+    Fetch latest `count` events from a Windows Event Log (local or remote) using pywin32.
+
+    - If username/password are None => use current security context.
+    - If server_ip is ".", "localhost", "127.0.0.1", "" or None => open local log.
+    - If count is None => return *all* events in the log.
+    - If event_id_list is not None => only return events whose EventID is in that list.
+
+    :param server_ip: IPv4/hostname of remote machine, or "." / None for local
+    :param username: Username to authenticate with (optional)
+    :param password: Password for the user (optional)
+    :param domain: Domain or computer name; ignored if username is None.
+                   If None and username is given, "." is used.
+    :param log_name: Log name (e.g. "Security", "System", "Application")
+    :param count: Number of most recent events to return, or None for all
+    :param event_id_list: List of Event IDs (low 16-bit) to include, or None for all
+    :return: List of dicts describing events (most recent first)
+    """
+
+    # Normalize server for OpenEventLog: None means "local machine"
+    normalized_server = server_ip
+    if server_ip in (None, "", ".", "localhost", "127.0.0.1"):
+        normalized_server = None
+
+    # Max events logic: None => infinite
+    max_events = float("inf") if count is None else count
+
+    # Precompute set of event IDs for fast membership checks
+    event_ids_set = set(event_id_list) if event_id_list is not None else None
+
+    # Decide whether we need impersonation
+    use_impersonation = username is not None and password is not None
+
+    h_user = None
+    events = []
+
+    try:
+        if use_impersonation:
+            if domain is None:
+                domain = "."
+
+            # Log on with explicit credentials and impersonate for the remote call
+            # LOGON32_LOGON_NEW_CREDENTIALS lets us use these creds for remote access
+            # while keeping the local token mostly unchanged.
+            h_user = win32security.LogonUser(
+                username,
+                domain,
+                password,
+                win32con.LOGON32_LOGON_NEW_CREDENTIALS,
+                win32con.LOGON32_PROVIDER_WINNT50,
+            )
+
+            win32security.ImpersonateLoggedOnUser(h_user)
+
+        # Connect to remote event log
+        # `server_ip` can be an IP or hostname; no need for leading "\\".
+        # local if normalized_server is None.
+        h_log = win32evtlog.OpenEventLog(normalized_server, log_name)
+
+        flags = (
+            win32evtlog.EVENTLOG_BACKWARDS_READ
+            | win32evtlog.EVENTLOG_SEQUENTIAL_READ
+        )
+
+        offset = 0  # not used with BACKWARDS_READ + SEQUENTIAL_READ, but kept for clarity
+
+        while len(events) < max_events:
+            records = win32evtlog.ReadEventLog(h_log, flags, offset)
+            if not records:
+                break
+
+            for ev in records:
+                # Low 16 bits are the actual Event ID
+                eid = ev.EventID & 0xFFFF
+
+                # If filtering by event IDs, skip others
+                if event_ids_set is not None and eid not in event_ids_set:
+                    continue
+
+                raw_strings = list(ev.StringInserts or [])
+                strings_dict = _parse_strings(eid, ev.SourceName, raw_strings)
+
+                evt = {
+                    "RecordNumber": ev.RecordNumber,
+                    "TimeGenerated": ev.TimeGenerated.Format(),  # string time
+                    "ComputerName": ev.ComputerName,
+                    "SourceName": ev.SourceName,
+                    # Low 16 bits are the actual Event ID
+                    "EventID": ev.EventID & 0xFFFF,
+                    "EventType": ev.EventType,
+                    "EventCategory": ev.EventCategory,
+                    "Strings": raw_strings,
+                    "StringsDict": strings_dict,
+                }
+                events.append(evt)
+
+                if len(events) >= max_events:
+                    break
+
+        win32evtlog.CloseEventLog(h_log)
+
+    finally:
+        # Clean up impersonation if we used it, Always revert impersonation and close handle
+        if use_impersonation and h_user is not None:
+            win32security.RevertToSelf()
+            h_user.Close()
+
+    # `events` is in newest to oldest already because of BACKWARDS_READ.
+    return events
+
+
+def _parse_strings(event_id: int, source_name: str, strings: list[str]) -> dict:
+    """
+    Convert the raw 'Strings' list into a dictionary with friendly field names
+    for specific event IDs. For unknown events, fall back to String1, String2, ...
+
+    Currently has a special mapping for:
+      - 5156 (Security log, WFP allowed connection)
+    """
+    if not strings:
+        return {}
+
+    # Normalize source name a bit
+    src = (source_name or "").lower()
+
+    # Special-case: Security 5156 (Windows Filtering Platform has permitted a connection)
+    # Insertion strings (in order) are:
+    #   1 Process ID
+    #   2 Application Name
+    #   3 Direction
+    #   4 Source Address
+    #   5 Source Port
+    #   6 Destination Address
+    #   7 Destination Port
+    #   8 Protocol
+    #   9 Filter Run-Time ID
+    #   10 Layer Name
+    #   11 Layer Run-Time ID
+    if event_id == 5156 and "security-auditing" in src:
+        keys_5156 = [
+            "Process ID",
+            "Application Name",
+            "Direction",
+            "Source Address",
+            "Source Port",
+            "Destination Address",
+            "Destination Port",
+            "Protocol",
+            "Filter Run-Time ID",
+            "Layer Name",
+            "Layer Run-Time ID",
+        ]
+        return {
+            key: strings[i]
+            for i, key in enumerate(keys_5156)
+            if i < len(strings)
+        }
+
+    # Default: generic mapping
+    return {f"String{i+1}": s for i, s in enumerate(strings)}