atomicshop 2.11.47__py3-none-any.whl → 3.10.5__py3-none-any.whl

atomicshop/wrappers/pywin32w/win_event_log/subscribe.py

@@ -0,0 +1,212 @@
+import win32evtlog
+import xml.etree.ElementTree as Et
+import time
+import threading
+import queue
+from typing import Union
+import binascii
+
+
+class EventLogSubscriber:
+    """
+    Class for subscribing to Windows Event Log events.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log import subscribe
+
+        event_log_subscriber = subscribe.EventLogSubscriber('Security', 4688)
+        event_log_subscriber.start()
+
+        while True:
+            event = event_log_subscriber.emit()
+            print(event)
+    """
+    def __init__(self, log_channel: str, event_id: int = None, provider: str = None):
+        """
+        :param log_channel: The name of the event log channel to subscribe to. Examples:
+            Security, System, Application, etc.
+        :param event_id: The ID of the event to subscribe to.
+            Example: 4688 for process creation events in "Security" channel.
+            You can only subscribe by event ID or provider, not both.
+        :param provider: The name of the provider to subscribe to.
+            You can only subscribe by event ID or provider, not both.
+        """
+
+        if event_id is None and provider is None:
+            raise ValueError("You must specify either an event ID or provider name to subscribe to.")
+        elif event_id and provider:
+            raise ValueError("You can only subscribe by event ID or provider, not both.")
+
+        self.log_channel: str = log_channel
+        self.provider: str = provider
+
+        if event_id:
+            self.event_id: str = str(event_id)
+        else:
+            self.event_id = event_id
+
+        self._event_queue = queue.Queue()
+        self._subscription_thread = None
+
+    def start(self):
+        """Start the subscription process."""
+        self._subscription_thread = threading.Thread(
+            target=start_subscription, args=(self.log_channel, self._event_queue, self.event_id, self.provider)
+        )
+        self._subscription_thread.daemon = True
+        self._subscription_thread.start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        if self._subscription_thread:
+            self._subscription_thread.join()
+            self._subscription_thread = None
+
+    def emit(self, timeout: float = None) -> Union[dict, None]:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data, or None if no event is available.
+        """
+        try:
+            return self._event_queue.get(timeout=timeout)
+        except queue.Empty:
+            return None
+
+
+def _parse_event_xml(event_xml):
+    root = Et.fromstring(event_xml)
+    data = {}
+
+    # Helper function to strip namespace
+    def strip_namespace(tag):
+        return tag.split('}')[-1]  # Remove namespace
+
+    # Iterate over all elements
+    for elem in root.iter():
+        # Extract elements with text content
+        if elem.text and elem.text.strip():
+            tag = elem.tag.split('}')[-1]  # Remove namespace
+            data[tag] = elem.text.strip()
+
+        # Extract elements with attributes
+        for attr_name, attr_value in elem.attrib.items():
+            tag = elem.tag.split('}')[-1]  # Remove namespace
+            data[f"{tag}_{attr_name}"] = attr_value
+
+        # Handle Binary data
+        if elem.tag.split('}')[-1] == 'Binary':
+            try:
+                data['BinaryReadable'] = binascii.unhexlify(elem.text.strip())
+            except (TypeError, binascii.Error) as e:
+                print(f"Error decoding binary data: {e}")
+                data['BinaryReadable'] = elem.text.strip()
+
+    # Extract system-specific data
+    system_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}System")
+    if system_data is not None:
+        for system_elem in system_data:
+            tag = strip_namespace(system_elem.tag)
+            if system_elem.attrib:
+                for attr_name, attr_value in system_elem.attrib.items():
+                    data[f"{tag}_{attr_name}"] = attr_value
+            if system_elem.text and system_elem.text.strip():
+                data[tag] = system_elem.text.strip()
+
+    # Extract event-specific data
+    event_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}EventData")
+    if event_data is not None:
+        for data_elem in event_data:
+            if strip_namespace(data_elem.tag) == 'Data' and 'Name' in data_elem.attrib:
+                data[data_elem.attrib['Name']] = data_elem.text.strip()
+
+    # Extract user data if available
+    user_data = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}UserData")
+    if user_data is not None:
+        for user_elem in user_data:
+            tag = strip_namespace(user_elem.tag)
+            if user_elem.attrib:
+                for attr_name, attr_value in user_elem.attrib.items():
+                    data[f"{tag}_{attr_name}"] = attr_value
+            if user_elem.text and user_elem.text.strip():
+                data[tag] = user_elem.text.strip()
+
+    # Extract rendering info (additional details like the message)
+    rendering_info = root.find(".//{http://schemas.microsoft.com/win/2004/08/events/event}RenderingInfo")
+    if rendering_info is not None:
+        for info_elem in rendering_info:
+            tag = strip_namespace(info_elem.tag)
+            if info_elem.text and info_elem.text.strip():
+                data[f"RenderingInfo_{tag}"] = info_elem.text.strip()
+
+    return data
+
+
+def _handle_event(event, event_queue):
+    # Render event as XML
+    event_xml = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
+    data = None
+    try:
+        data = _parse_event_xml(event_xml)
+    except Et.ParseError as e:
+        print(f"Error parsing event XML: {e}")
+    except Exception as e:
+        print(f"Error getting rendered message: {e}")
+
+    event_queue.put(data)
+
+
+def _event_callback(action, context, event):
+    event_queue = context['event_queue']
+    if action == win32evtlog.EvtSubscribeActionDeliver:
+        _handle_event(event, event_queue)
+
+
+def start_subscription(
+        log_channel: str,
+        event_queue,
+        event_id: str = None,
+        provider: str = None
+):
+    """
+    Start listening for events in the specified log channel with the given event ID.
+
+    :param log_channel: The name of the event log channel to subscribe to. Examples:
+        Security, System, Application, etc.
+    :param event_queue: A queue to store the received events
+    :param event_id: The ID of the event to subscribe to.
+        Example: 4688 for process creation events in "Security" channel.
+        You can only subscribe by event ID or provider, not both.
+    :param provider: The name of the provider to subscribe to.
+        You can only subscribe by event ID or provider, not both.
+    """
+
+    if event_id is None and provider is None:
+        raise ValueError("You must specify either an event ID or provider name to subscribe to.")
+    elif event_id and provider:
+        raise ValueError("You can only subscribe by event ID or provider, not both.")
+
+    # This selects the System node within each event.
+    # The System node contains metadata about the event, such as the event ID, provider name, timestamp, and more.
+    xpath_query = None
+    if provider:
+        xpath_query = f"*[System/Provider[@Name='{provider}']]"
+    elif event_id:
+        xpath_query = f"*[System/EventID={event_id}]"
+
+    subscription = win32evtlog.EvtSubscribe(
+        log_channel,
+        win32evtlog.EvtSubscribeToFutureEvents,
+        SignalEvent=None,
+        Query=xpath_query,
+        Callback=_event_callback,
+        Context={'event_queue': event_queue}
+    )
+
+    try:
+        while True:
+            time.sleep(1)
+    except KeyboardInterrupt:
+        print("Stopped listening for events.")

atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_create.py

@@ -0,0 +1,57 @@
+from .. import subscribe
+from .... import win_auditw
+
+
+LOG_CHANNEL: str = 'Security'
+EVENT_ID: int = 4688
+
+
+class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process creation.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import process_create
+
+        process_create_subscriber = process_create.ProcessCreateSubscriber()
+        process_create_subscriber.start()
+
+        while True:
+            event = process_create_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__(log_channel=LOG_CHANNEL, event_id=EVENT_ID)
+
+    def start(self):
+        """Start the subscription process."""
+        win_auditw.enable_audit_process_creation()
+        win_auditw.enable_command_line_auditing()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+
+        data = super().emit(timeout=timeout)
+
+        data['NewProcessIdInt'] = int(data['NewProcessId'], 16)
+        data['ParentProcessIdInt'] = int(data['ProcessId'], 16)
+
+        # if user_sid != "Unknown":
+        #     try:
+        #         user_name, domain, type = win32security.LookupAccountSid(None, user_sid)
+        #     except Exception as e:
+        #         print(f"Error looking up account SID: {e}")
+
+        return data

atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_terminate.py

@@ -0,0 +1,49 @@
+from .. import subscribe
+from .... import win_auditw
+
+
+LOG_CHANNEL: str = 'Security'
+EVENT_ID: int = 4689
+
+
+class ProcessTerminateSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process termination.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import process_terminate
+
+        process_terminate_subscriber = process_terminate.ProcessTerminateSubscriber()
+        process_terminate_subscriber.start()
+
+        while True:
+            event = process_terminate_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__(log_channel=LOG_CHANNEL, event_id=EVENT_ID)
+
+    def start(self):
+        """Start the subscription process."""
+        win_auditw.enable_audit_process_termination()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+
+        data = super().emit(timeout=timeout)
+
+        data['ProcessIdInt'] = int(data['ProcessId'], 16)
+
+        return data

atomicshop/wrappers/pywin32w/win_event_log/subscribes/schannel_logging.py

@@ -0,0 +1,97 @@
+import winreg
+import sys
+
+from .. import subscribe
+from .....print_api import print_api
+
+
+SCHANNEL_LOGGING_REG_PATH: str = r'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
+SCHANNEL_EVENT_LOGGING_KEY: str = 'EventLogging'
+LOG_CHANNEL: str = 'System'
+PROVIDER: str = 'Schannel'
+
+
+class SchannelLoggingSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process creation.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import schannel_logging
+
+        process_create_subscriber = schannel_logging.SchannelLoggingSubscriber()
+        process_create_subscriber.start()
+
+        while True:
+            event = process_create_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__(log_channel=LOG_CHANNEL, provider=PROVIDER)
+
+    def start(self):
+        """Start the subscription process."""
+        enable_schannel_logging()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+        return super().emit(timeout=timeout)
+
+
+def enable_schannel_logging(logging_value: int = 1, print_kwargs: dict = None):
+    """
+    Value 	Description
+    0x0000 	Do not log
+    0x0001 	Log error messages
+    0x0002 	Log warnings
+    0x0003 	Log warnings and error messages
+    0x0004 	Log informational and success events
+    0x0005 	Log informational, success events and error messages
+    0x0006 	Log informational, success events and warnings
+    0x0007 	Log informational, success events, warnings, and error messages (all log levels)
+    """
+
+    if is_schannel_logging_enabled(logging_value):
+        print_api(
+            "Schannel event logging is already enabled.", color='yellow',
+            **(print_kwargs or {}))
+        return
+
+    try:
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCHANNEL_LOGGING_REG_PATH, 0, winreg.KEY_ALL_ACCESS) as key:
+            winreg.SetValueEx(key, SCHANNEL_EVENT_LOGGING_KEY, 0, winreg.REG_DWORD, logging_value)
+
+        print_api(
+            "Successfully enabled Schannel logging.",
+            color='green', **(print_kwargs or {}))
+        print_api(
+            "Please restart the computer for the changes to take effect.",
+            color='yellow', **(print_kwargs or {}))
+        sys.exit()
+    except WindowsError as e:
+        print_api(
+            f"Failed to enable Schannel event logging: {e}", error_type=True,
+            color='red', **(print_kwargs or {}))
+
+
+def is_schannel_logging_enabled(logging_value: int) -> bool:
+    try:
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCHANNEL_LOGGING_REG_PATH, 0, winreg.KEY_READ) as key:
+            value, regtype = winreg.QueryValueEx(key, SCHANNEL_EVENT_LOGGING_KEY)
+            return value == logging_value
+    except FileNotFoundError:
+        return False
+    except WindowsError as e:
+        print(f"Failed to read the Schannel event logging setting: {e}")
+        return False

atomicshop/wrappers/pywin32w/winshell.py

@@ -0,0 +1,19 @@
+from pathlib import Path
+
+from win32com.client import Dispatch
+
+
+def create_shortcut(file_path_to_link: str, shortcut_file_path: str):
+    """
+    Create a shortcut in the startup folder to the specified file.
+
+    :param file_path_to_link: The path to the file you want to create a shortcut to.
+    :param shortcut_file_path: The name of the shortcut file. Should be with the ".lnk" extension.
+    """
+
+    shell = Dispatch('WScript.Shell')
+    shortcut = shell.CreateShortCut(shortcut_file_path)
+    shortcut.Targetpath = file_path_to_link
+    shortcut.WorkingDirectory = str(Path(file_path_to_link).parent)
+    shortcut.Description = f"Shortcut for {Path(file_path_to_link).name}"
+    shortcut.save()

atomicshop/wrappers/pywin32w/wmis/msft_netipaddress.py

@@ -0,0 +1,113 @@
+from typing import Optional
+
+from win32com.client import CDispatch
+
+from . import wmi_helpers
+
+
+def set_skip_as_source(
+        ip_addresses: list[str],
+        enable: bool = True,
+        wmi_instance: CDispatch = None
+) -> None:
+    """
+    Toggle SkipAsSource for every address in *ip_addrs*.
+
+    Parameters
+    ----------
+    ip_addresses : list/tuple/iterable of str
+        One or more literal IP strings, e.g. "192.168.157.3"
+    enable : bool
+        True → behave like  Set‑NetIPAddress ‑SkipAsSource $true
+        False → behave like Set‑NetIPAddress ‑SkipAsSource $false
+    wmi_instance : CDispatch
+        WMI instance to use. If not provided, a new one will be created.
+        'root\\StandardCimv2'
+
+    ================
+
+    Explanation.
+        When you add extra IPv4 addresses to the same NIC, Windows treats them all as “first‑class” unless you tell it otherwise.
+        Because the two new addresses (192.168.157.3 and .4) are numerically lower than the original one (.129), the TCP/IP stack now prefers one of those lower addresses as the default source for any socket whose program didn’t bind an explicit local IP.
+
+        What that looks like on the wire
+        Client sends SYN → 192.168.157.3 (or .4).
+        – Server replies with SYN/ACK ←192.168.157.3 → handshake completes, HTTP works.
+
+        Client sends SYN → 192.168.157.129.
+        – Stack still picks .3 as its favourite and answers SYN/ACK ← 192.168.157.3.
+        – Client discards the packet (wrong IP), retransmits the SYN, your code’s accept() wakes up again, and you see an “infinite accept loop”.
+
+        The flag that fixes it: SkipAsSource
+        Tell Windows not to use the extra addresses unless an application asks for them.
+
+        PowerShell.
+        # One‑off: mark the addresses you already added
+        Get-NetIPAddress -IPAddress 192.168.157.3 | Set-NetIPAddress -SkipAsSource $true
+        Get-NetIPAddress -IPAddress 192.168.157.4 | Set-NetIPAddress -SkipAsSource $true
+
+        # —OR— add new addresses the right way from the start
+        New-NetIPAddress -InterfaceAlias "Ethernet0" `
+                         -IPAddress 192.168.157.3 `
+                         -PrefixLength 24 `
+                         -SkipAsSource $true
+        SkipAsSource = $true keeps the address fully routable for incoming traffic and lets programs bind to it explicitly.
+
+        Windows will never choose that address as the source of an outgoing packet unless the program bound the socket to it.
+
+        After you flip the flag (no reboot required) the three‑way handshake is symmetrical again and the endless accept() loop disappears.
+    """
+
+    if not wmi_instance:
+        wmi_instance, _ = wmi_helpers.get_wmi_instance(namespace='root\\StandardCimv2')
+
+    for ip in ip_addresses:
+        query = f"SELECT * FROM MSFT_NetIPAddress WHERE IPAddress='{ip}'"
+        matches = wmi_instance.ExecQuery(query)
+        if not matches:
+            print(f"[!] {ip}: no such address found")
+            continue
+
+        for obj in matches:                     # usually just one
+            if bool(obj.SkipAsSource) == enable:
+                print(f"[=] {ip}: SkipAsSource already {enable}")
+                continue
+
+            obj.SkipAsSource = enable
+            obj.Put_()                          # commit the change
+            print(f"[+] {ip}: SkipAsSource set to {enable}")
+
+
+def is_skip_as_source(
+        ip_address: str,
+        wmi_instance: CDispatch = None
+) -> Optional[bool]:
+    """
+    Check whether *ip_address* currently has SkipAsSource set.
+
+    Returns
+    -------
+    True        – the flag is enabled
+    False       – the flag is disabled
+    None        – no MSFT_NetIPAddress object matches the IP (not present)
+
+    Notes
+    -----
+    * Works for both IPv4/IPv6.
+    * Uses the same Win32 CIM class (root\\StandardCimv2 › MSFT_NetIPAddress).
+    * You can pass an existing `wmi_instance` to avoid reconnecting in tight loops.
+    """
+    # Get a WMI connection if the caller didn’t hand us one
+    if not wmi_instance:
+        wmi_instance, _ = wmi_helpers.get_wmi_instance(namespace='root\\StandardCimv2')
+
+    query = f"SELECT SkipAsSource FROM MSFT_NetIPAddress WHERE IPAddress='{ip_address}'"
+    matches = wmi_instance.ExecQuery(query)
+
+    if not matches:                       # address not configured on this host/NIC
+        return None
+
+    # There should be only one entry per literal IP, but handle duplicates sanely
+    # Return True if *any* matching record has SkipAsSource = True,
+    # otherwise False (all are False).
+    return any(bool(obj.SkipAsSource) for obj in matches)