atomicshop 2.13.2__py3-none-any.whl → 2.14.0__py3-none-any.whl

atomicshop/__init__.py

@@ -1,4 +1,4 @@
 """Atomic Basic functions and classes to make developer life easier"""
 
 __author__ = "Den Kras"
-__version__ = '2.13.2'
+__version__ = '2.14.0'

atomicshop/etws/trace.py

@@ -1,6 +1,7 @@
 import queue
 import sys
 import time
+from typing import Literal
 
 # Import FireEye Event Tracing library.
 import etw
@@ -26,7 +27,8 @@ class EventTrace(etw.ETW):
             session_name: str = None,
             close_existing_session_name: bool = True,
             enable_process_poller: bool = False,
-            process_poller_etw_session_name: str = None
+            process_poller_etw_session_name: str = None,
+            process_poller_method: Literal['psutil', 'pywin32', 'process_dll', 'sysmon_etw'] = 'sysmon_etw'
     ):
         """
         :param providers: List of tuples with provider name and provider GUID.
@@ -41,6 +43,12 @@ class EventTrace(etw.ETW):
             Since the DNS events doesn't contain the process name and command line, only PID.
             Then DNS events will be enriched with the process name and command line from the process poller.
         :param process_poller_etw_session_name: The name of the ETW session for tracing process creation.
+        :param process_poller_method: The method to get the process information. For more information, see the
+            'process_poller.ProcessPollerPool' class. Summary:
+                'psutil': Uses 'psutil' library to get the process information.
+                'pywin32': Uses 'pywin32' library to get the process information.
+                'process_dll': Uses 'process' custom DLL to get the process information.
+                'sysmon_etw': Uses 'sysmon_etw' uses sysmon and ETW to get the process information.
 
         ------------------------------------------
 
@@ -83,7 +91,7 @@ class EventTrace(etw.ETW):
 
         if self.enable_process_poller:
             self.process_poller = process_poller.ProcessPollerPool(
-                operation='process', poller_method='sysmon_etw',
+                operation='process', poller_method=process_poller_method,
                 sysmon_etw_session_name=process_poller_etw_session_name)
 
         super().__init__(

atomicshop/wrappers/pywin32w/win_event_log/subscribe.py

@@ -0,0 +1,149 @@
+import win32evtlog
+import xml.etree.ElementTree as Et
+import time
+import threading
+import queue
+from typing import Union
+
+
+class EventLogSubscriber:
+    """
+    Class for subscribing to Windows Event Log events.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log import subscribe
+
+        event_log_subscriber = subscribe.EventLogSubscriber('Security', 4688)
+        event_log_subscriber.start()
+
+        while True:
+            event = event_log_subscriber.emit()
+            print(event)
+    """
+    def __init__(self, log_channel: str, event_id: int):
+        """
+        :param log_channel: The name of the event log channel to subscribe to. Examples:
+            Security, System, Application, etc.
+        :param event_id: The ID of the event to subscribe to.
+            Example: 4688 for process creation events in "Security" channel.
+        """
+        self.log_channel: str = log_channel
+        self.event_id: str = str(event_id)
+
+        self._event_queue = queue.Queue()
+        self._subscription_thread = None
+
+    def start(self):
+        """Start the subscription process."""
+        self._subscription_thread = threading.Thread(
+            target=start_subscription, args=(self.log_channel, self.event_id, self._event_queue)
+        )
+        self._subscription_thread.daemon = True
+        self._subscription_thread.start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        if self._subscription_thread:
+            self._subscription_thread.join()
+            self._subscription_thread = None
+
+    def emit(self, timeout: float = None) -> Union[dict, None]:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data, or None if no event is available.
+        """
+        try:
+            return self._event_queue.get(timeout=timeout)
+        except queue.Empty:
+            return None
+
+
+def _parse_event_xml(event_xml):
+    root = Et.fromstring(event_xml)
+    data = {}
+    for elem in root.iter():
+        if 'Name' in elem.attrib:
+            data[elem.attrib['Name']] = elem.text
+    return data
+
+
+def _handle_event(event, event_queue):
+    event_xml = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
+    try:
+        data = _parse_event_xml(event_xml)
+    except Et.ParseError as e:
+        print(f"Error parsing event XML: {e}")
+        return
+
+    event_dict: dict = {
+        'user_sid': data.get("SubjectUserSid", "Unknown"),
+        'user_name': data.get("SubjectUserName", "Unknown"),
+        'domain': data.get("SubjectDomainName", "Unknown"),
+        'pid_hex': data.get("NewProcessId", "0"),
+        'process_name': data.get("NewProcessName", "Unknown"),
+        'command_line': data.get("CommandLine", None),
+        'parent_pid_hex': data.get("ProcessId", "0"),
+        'parent_process_name': data.get("ParentProcessName", "Unknown")
+    }
+
+    try:
+        process_id = int(event_dict['pid_hex'], 16)
+    except ValueError:
+        process_id = "Unknown"
+
+    try:
+        parent_pid = int(event_dict['parent_pid_hex'], 16)
+    except ValueError:
+        parent_pid = "Unknown"
+
+    event_dict['pid'] = process_id
+    event_dict['parent_pid'] = parent_pid
+
+    # if user_sid != "Unknown":
+    #     try:
+    #         user_name, domain, type = win32security.LookupAccountSid(None, user_sid)
+    #     except Exception as e:
+    #         print(f"Error looking up account SID: {e}")
+
+    event_queue.put(event_dict)
+
+
+def _event_callback(action, context, event):
+    event_queue = context['event_queue']
+    if action == win32evtlog.EvtSubscribeActionDeliver:
+        _handle_event(event, event_queue)
+
+
+def start_subscription(log_channel: str, event_id: int, event_queue):
+    """
+    Start listening for events in the specified log channel with the given event ID.
+
+    :param log_channel: The name of the event log channel to subscribe to. Examples:
+        Security, System, Application, etc.
+    :param event_id: The ID of the event to subscribe to.
+        Example: 4688 for process creation events in "Security" channel.
+    :param event_queue: A queue to store the received events
+    """
+    # This selects the System node within each event.
+    # The System node contains metadata about the event, such as the event ID, provider name, timestamp, and more.
+    query = f"*[System/EventID={str(event_id)}]"
+
+    subscription = win32evtlog.EvtSubscribe(
+        log_channel,
+        win32evtlog.EvtSubscribeToFutureEvents,
+        SignalEvent=None,
+        Query=query,
+        Callback=_event_callback,
+        Context={'event_queue': event_queue}
+    )
+
+    print("Listening for new process creation events...")
+
+    try:
+        while True:
+            time.sleep(1)
+    except KeyboardInterrupt:
+        print("Stopped listening for events.")

atomicshop/wrappers/pywin32w/win_event_log/subscribes/subscribe_to_process_create.py

@@ -0,0 +1,145 @@
+import subprocess
+import winreg
+
+from .. import subscribe
+from .....print_api import print_api
+
+
+AUDITING_REG_PATH: str = r"Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
+PROCESS_CREATION_INCLUDE_CMDLINE_VALUE: str = "ProcessCreationIncludeCmdLine_Enabled"
+
+
+class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
+    """
+    Class for subscribing to Windows Event Log events related to process creation.
+
+    Usage:
+        from atomicshop.wrappers.pywin32w.win_event_log.subscribes import subscribe_to_process_create
+
+        process_create_subscriber = subscribe_to_process_create.ProcessCreateSubscriber()
+        process_create_subscriber.start()
+
+        while True:
+            event = process_create_subscriber.emit()
+            print(event)
+    """
+    def __init__(self):
+        super().__init__('Security', 4688)
+
+    def start(self):
+        """Start the subscription process."""
+        enable_audit_process_creation()
+        enable_command_line_auditing()
+
+        super().start()
+
+    def stop(self):
+        """Stop the subscription process."""
+        super().stop()
+
+    def emit(self, timeout: float = None) -> dict:
+        """
+        Get the next event from the event queue.
+
+        :param timeout: The maximum time (in seconds) to wait for an event.
+            If None, the function will block until an event is available.
+        :return: A dictionary containing the event data.
+        """
+        return super().emit(timeout=timeout)
+
+
+def enable_audit_process_creation(print_kwargs: dict = None):
+    """
+    Enable the 'Audit Process Creation' policy.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    if is_audit_process_creation_enabled():
+        print_api("Audit Process Creation is already enabled.", color='yellow', **(print_kwargs or {}))
+        return
+
+    # Enable "Audit Process Creation" policy
+    audit_policy_command = [
+        "auditpol", "/set", "/subcategory:Process Creation", "/success:enable", "/failure:enable"
+    ]
+    try:
+        subprocess.run(audit_policy_command, check=True)
+        print_api("Successfully enabled 'Audit Process Creation'.", color='green', **(print_kwargs or {}))
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to enable 'Audit Process Creation': {e}", error_type=True, color='red', **(print_kwargs or {}))
+        raise e
+
+
+def is_audit_process_creation_enabled(print_kwargs: dict = None) -> bool:
+    """
+    Check if the 'Audit Process Creation' policy is enabled.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    # Command to check the "Audit Process Creation" policy
+    audit_policy_check_command = [
+        "auditpol", "/get", "/subcategory:Process Creation"
+    ]
+    try:
+        result = subprocess.run(audit_policy_check_command, check=True, capture_output=True, text=True)
+        output = result.stdout
+        # print_api(output)  # Print the output for inspection
+
+        if "Process Creation" in output and "Success and Failure" in output:
+            # print_api(
+            #     "'Audit Process Creation' is enabled for both success and failure.",
+            #     color='green', **(print_kwargs or {}))
+            return True
+        else:
+            print_api(output, **(print_kwargs or {}))
+            print_api(
+                "'Audit Process Creation' is not fully enabled. Check the output above for details.",
+                color='yellow', **(print_kwargs or {}))
+            return False
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to check 'Audit Process Creation': {e}", color='red', error_type=True, **(print_kwargs or {}))
+        return False
+
+
+def enable_command_line_auditing(print_kwargs: dict = None):
+    """
+    Enable the 'Include command line in process creation events' policy.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+
+    if is_command_line_auditing_enabled():
+        print_api(
+            "'Include command line in process creation events' is already enabled.", color='yellow',
+            **(print_kwargs or {}))
+        return
+
+    try:
+        # Open the registry key
+        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, AUDITING_REG_PATH) as reg_key:
+            # Set the value
+            winreg.SetValueEx(reg_key, PROCESS_CREATION_INCLUDE_CMDLINE_VALUE, 0, winreg.REG_DWORD, 1)
+
+        print_api(
+            "Successfully enabled 'Include command line in process creation events'.",
+            color='green', **(print_kwargs or {}))
+    except WindowsError as e:
+        print_api(
+            f"Failed to enable 'Include command line in process creation events': {e}", error_type=True,
+            color='red', **(print_kwargs or {}))
+
+
+def is_command_line_auditing_enabled():
+    try:
+        # Open the registry key
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUDITING_REG_PATH, 0, winreg.KEY_READ) as reg_key:
+            # Query the value
+            value, reg_type = winreg.QueryValueEx(reg_key, PROCESS_CREATION_INCLUDE_CMDLINE_VALUE)
+            # Check if the value is 1 (enabled)
+            return value == 1
+    except FileNotFoundError:
+        # Key or value not found, assume it's not enabled
+        return False
+    except WindowsError as e:
+        print(f"Failed to read the 'Include command line in process creation events' setting: {e}")
+        return False

{atomicshop-2.13.2.dist-info → atomicshop-2.14.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: atomicshop
-Version: 2.13.2
+Version: 2.14.0
 Summary: Atomic functions and classes to make developer life easier
 Author: Denis Kras
 License: MIT License

{atomicshop-2.13.2.dist-info → atomicshop-2.14.0.dist-info}/RECORD

@@ -1,4 +1,4 @@
-atomicshop/__init__.py,sha256=e_cepUB_kyEwwtls5dudclY5653g8Bn7epJj7a_khw8,123
+atomicshop/__init__.py,sha256=LlDA7S0dPFwG14ZFuGv5tyUVyow2__rgMRanlcYHT88,123
 atomicshop/_basics_temp.py,sha256=6cu2dd6r2dLrd1BRNcVDKTHlsHs_26Gpw8QS6v32lQ0,3699
 atomicshop/_create_pdf_demo.py,sha256=Yi-PGZuMg0RKvQmLqVeLIZYadqEZwUm-4A9JxBl_vYA,3713
 atomicshop/_patch_import.py,sha256=ENp55sKVJ0e6-4lBvZnpz9PQCt3Otbur7F6aXDlyje4,6334
@@ -106,7 +106,7 @@ atomicshop/etws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/etws/const.py,sha256=v3x_IdCYeSKbCGywiZFOZln80ldpwKW5nuMDuUe51Jg,1257
 atomicshop/etws/providers.py,sha256=fVmWi-uGdtnsQTDpu_ty6dzx0GMhGokiST73LNBEJ38,129
 atomicshop/etws/sessions.py,sha256=k3miewU278xn829cqDbsuH_bmZHPQE9-Zn-hINbxUSE,1330
-atomicshop/etws/trace.py,sha256=ptdDyLuk8frKgmgOEug8KrH5niC6SfgWnOqw06tGPAw,7831
+atomicshop/etws/trace.py,sha256=H0uDB6I86UoNyijE5HCukp_paJNHTjKL6eAzBRGSI50,8509
 atomicshop/etws/traces/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/etws/traces/trace_dns.py,sha256=8Fl5UW4An3SE8tGXGTufTgOcWa574YZ6zQbU7x5DYrs,6270
 atomicshop/etws/traces/trace_sysmon_process_creation.py,sha256=WdlQiOfRZC-_PpuE6BkOw5zB0DLc3fhVrANyLrgfCac,4833
@@ -246,9 +246,14 @@ atomicshop/wrappers/psutilw/disks.py,sha256=3ZSVoommKH1TWo37j_83frB-NqXF4Nf5q5mB
 atomicshop/wrappers/psutilw/memories.py,sha256=_S0aL8iaoIHebd1vOFrY_T9aROM5Jx2D5CvDh_4j0Vc,528
 atomicshop/wrappers/psutilw/psutilw.py,sha256=q3EwgprqyrR4zLCjl4l5DHFOQoukEvQMIPjNB504oQ0,21262
 atomicshop/wrappers/psycopgw/psycopgw.py,sha256=XJvVf0oAUjCHkrYfKeFuGCpfn0Oxj3u4SbKMKA1508E,7118
+atomicshop/wrappers/pywin32w/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/pywin32w/console.py,sha256=LstHajPLgXp9qQxFNR44QfH10nOnNp3bCJquxaTquns,1175
 atomicshop/wrappers/pywin32w/winshell.py,sha256=i2bKiMldPU7_azsD5xGQDdMwjaM7suKJd3k0Szmcs6c,723
 atomicshop/wrappers/pywin32w/wmi_win32process.py,sha256=qMzXtJ5hBZ5ydAyqpDbSx0nO2RJQL95HdmV5SzNKMhk,6826
+atomicshop/wrappers/pywin32w/win_event_log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/wrappers/pywin32w/win_event_log/subscribe.py,sha256=UztWltQPK_fQ3EWyY6tGfhAqwxDjK7RVIAZppu97rKI,5104
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+atomicshop/wrappers/pywin32w/win_event_log/subscribes/subscribe_to_process_create.py,sha256=_rMCTaREi_PJxAPP4gAB0IW9F0XO-suUXLf97tboKSc,5594
 atomicshop/wrappers/socketw/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 atomicshop/wrappers/socketw/accepter.py,sha256=HQC1EyZmyUtVEfFbaBkHCE-VZp6RWyd9mEqAkgsE1fk,1749
 atomicshop/wrappers/socketw/base.py,sha256=1vvg8EhRGvnxdrRAm1VJSLCXkm2SZDHRjdpTuhkH3Mg,1844
@@ -265,8 +270,8 @@ atomicshop/wrappers/socketw/socket_server_tester.py,sha256=AhpurHJmP2kgzHaUbq5ey
 atomicshop/wrappers/socketw/socket_wrapper.py,sha256=aXBwlEIJhFT0-c4i8iNlFx2It9VpCEpsv--5Oqcpxao,11624
 atomicshop/wrappers/socketw/ssl_base.py,sha256=k4V3gwkbq10MvOH4btU4onLX2GNOsSfUAdcHmL1rpVE,2274
 atomicshop/wrappers/socketw/statistics_csv.py,sha256=t3dtDEfN47CfYVi0CW6Kc2QHTEeZVyYhc57IYYh5nmA,826
-atomicshop-2.13.2.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
-atomicshop-2.13.2.dist-info/METADATA,sha256=FwrMOVELwpnXQKf-LbaJhMr9B2mbEos5YA94BQbSuAk,10478
-atomicshop-2.13.2.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-atomicshop-2.13.2.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
-atomicshop-2.13.2.dist-info/RECORD,,
+atomicshop-2.14.0.dist-info/LICENSE.txt,sha256=lLU7EYycfYcK2NR_1gfnhnRC8b8ccOTElACYplgZN88,1094
+atomicshop-2.14.0.dist-info/METADATA,sha256=M4vV-yH5er5NVOQJMUtIPqdgh6IHzINAY1frKcRF9oU,10478
+atomicshop-2.14.0.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+atomicshop-2.14.0.dist-info/top_level.txt,sha256=EgKJB-7xcrAPeqTRF2laD_Np2gNGYkJkd4OyXqpJphA,11
+atomicshop-2.14.0.dist-info/RECORD,,