atomicshop 2.15.11__py3-none-any.whl → 3.10.5__py3-none-any.whl

atomicshop/wrappers/powershell_networking.py

@@ -0,0 +1,80 @@
+import json
+import subprocess
+from typing import List, Literal
+
+
+def get_interface_ips(
+    interface_name: str,
+    ip_type: Literal["virtual", "dynamic", "all"] = "virtual"
+) -> List[str]:
+    """
+    Return IPv4 addresses on an interface, filtered by 'mode'.
+
+    ip_type:
+      - "virtual": only static/virtual IPs (PrefixOrigin != 'Dhcp')
+      - "dynamic": only DHCP IPs (PrefixOrigin == 'Dhcp')
+      - "all":     all IPv4 IPs on the interface
+
+    If the interface does not exist or has no IPv4 addresses, returns [].
+    """
+
+    ps_script = f"""
+    try {{
+        Get-NetIPAddress -InterfaceAlias "{interface_name}" -AddressFamily IPv4 |
+            Select-Object IPAddress,
+                          @{{
+                              Name = 'PrefixOrigin';
+                              Expression = {{ [string]$_.PrefixOrigin }}
+                           }} |
+            ConvertTo-Json -Depth 3
+    }} catch {{
+        # Return empty JSON array if nothing found / interface missing
+        '[]'
+    }}
+    """
+
+    try:
+        result = subprocess.run(
+            ["powershell", "-NoProfile", "-Command", ps_script],
+            capture_output=True,
+            text=True,
+            check=True
+        )
+    except subprocess.CalledProcessError as e:
+        # If anything unexpected happens, raise a clearer error
+        msg = (e.stderr or e.stdout or "").strip()
+        raise RuntimeError(f"PowerShell Get-NetIPAddress failed: {msg}") from e
+
+    stdout = result.stdout.strip()
+    if not stdout:
+        return []
+
+    # At this point stdout should be valid JSON (list or single object)
+    data = json.loads(stdout)
+
+    if isinstance(data, dict):
+        data = [data]
+
+    ips: List[str] = []
+    ip_type = ip_type.lower()
+
+    for entry in data:
+        ip = entry.get("IPAddress")
+        origin_raw = entry.get("PrefixOrigin", "")
+        origin = str(origin_raw).lower()
+
+        if not ip:
+            continue
+
+        if ip_type == "virtual":
+            if origin != "dhcp":
+                ips.append(ip)
+        elif ip_type == "dynamic":
+            if origin == "dhcp":
+                ips.append(ip)
+        elif ip_type == "all":
+            ips.append(ip)
+        else:
+            raise ValueError(f"Unsupported mode: {ip_type!r}")
+
+    return ips

atomicshop/wrappers/psutilw/processes.py

@@ -1,7 +1,10 @@
-import psutil
+import os
 import time
 
+import psutil
+
 from ...print_api import print_api
+from ..ctyping import file_details_winapi
 
 
 def wait_for_process(pid: int):
@@ -43,3 +46,36 @@ def kill_process_by_pid(pid: int, print_kwargs: dict = None):
     except psutil.TimeoutExpired:
         # print(f"Process {pid} did not terminate in time.")
         pass
+
+
+def get_running_processes_with_exe_info() -> list[dict]:
+    """
+    Retrieve information about all running processes on the system.
+    """
+    processes_info: list[dict] = []
+
+    for proc in psutil.process_iter(attrs=["pid", "name", "exe"]):
+        try:
+            pid = proc.info["pid"]
+            name = proc.info["name"]
+            exe = proc.info["exe"]
+
+            if exe and os.path.isfile(exe):
+                # Get file properties
+                file_properties = file_details_winapi.get_file_properties(exe)
+
+                # Add process info to the list
+                processes_info.append({
+                    "PID": pid,
+                    "Name": name,
+                    "FilePath": exe,
+                    "FileDescription": file_properties["FileDescription"],
+                    "FileVersion": file_properties["FileVersion"],
+                    "ProductName": file_properties["ProductName"],
+                    "ProductVersion": file_properties["ProductVersion"],
+                })
+        except (psutil.AccessDenied, psutil.NoSuchProcess, psutil.ZombieProcess):
+            # Skip processes that cannot be accessed
+            continue
+
+    return processes_info

atomicshop/wrappers/psutilw/psutil_networks.py

@@ -0,0 +1,85 @@
+from typing import Union
+import shlex
+import socket
+
+import psutil
+
+from ... import networks
+
+
+def get_process_using_port(ip_port: str) -> Union[dict, None]:
+    """
+    Function to find the process using the port.
+    :param ip_port: string, Listening IP and port number. Example: '192.168.0.1:443'
+    :return: dict['pid', 'name', 'cmdline'] or None.
+    """
+
+    ip_address, port = ip_port.split(':')
+    port = int(port)
+
+    for proc in psutil.process_iter(['pid', 'name', 'cmdline']):
+        try:
+            connections = proc.connections(kind='inet')
+            for conn in connections:
+                # if conn.laddr.port == port:
+                # Status LISTEN is for TCP sockets and NONE is for UDP sockets.
+                # Sometimes after socket close, the port will be in TIME_WAIT state.
+                if (conn.laddr.port == port and (conn.status == 'LISTEN' or conn.status == 'NONE')) and conn.laddr.ip == ip_address:
+                    cmdline = proc.info['cmdline']
+                    if not cmdline:
+                        cmdline = '<EMPTY: TRY RUNNING AS ADMIN>'
+                    else:
+                        cmdline = shlex.join(cmdline)
+                    return {
+                        'pid': proc.info['pid'],
+                        'name': proc.info['name'],
+                        'cmdline': cmdline
+                    }
+        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
+            pass
+    return None
+
+
+def get_processes_using_port_list(ips_ports: list) -> Union[dict, None]:
+    """
+    Function to find the process using the port.
+    :param ips_ports: List of listening ips and port numbers. Example:
+        ['192.168.0.1:443', '192.168.0.2:443']
+    :return: dict[port: {'pid', 'name', 'cmdline'}] or None.
+    """
+    port_process_map = {}
+    for ip_port in ips_ports:
+        process_info = get_process_using_port(ip_port)
+        if process_info:
+            port_process_map[ip_port] = process_info
+
+    return port_process_map
+
+
+def get_default_connection_name() -> Union[dict, None]:
+    """
+    Function to get the default network interface.
+    :return: dict[interface_name: details] or None.
+    """
+    # Get all interfaces.
+    interfaces: dict = psutil.net_if_addrs()
+    default_ip_address: str = networks.get_default_internet_ipv4()
+
+    for interface, details in interfaces.items():
+        for address in details:
+            # Check if the address is an IPv4 address (AF_INET) and not a loopback (127.0.0.1)
+            if address.family == socket.AF_INET and not address.address.startswith('127.'):
+                # Check if the address is the default IP address.
+                if address.address == default_ip_address:
+                    return {interface: details}
+
+    return None
+
+
+def list_network_interfaces() -> list:
+    """
+    Function to list all network interfaces.
+    :return: list of interface names.
+    """
+    iface_names = list(psutil.net_if_addrs().keys())
+    return iface_names

atomicshop/wrappers/pyopensslw.py

@@ -1,4 +1,4 @@
-import random
+from secrets import randbits
 from OpenSSL import crypto
 
 from .. import certificates
@@ -121,7 +121,14 @@ def generate_server_certificate_empty(
     """
 
     cert = crypto.X509()
-    cert.set_serial_number(random.randint(0, 2 ** 64 - 1))
+
+    # RFC 5280: serial must be positive and non-zero
+    # 1 … 2⁶⁴-1
+    cert.set_serial_number(randbits(64))
+    current_serial = cert.get_serial_number()
+    if current_serial <= 0:
+        raise RuntimeError(f"Refusing to create a certificate with non-positive serial: {str(current_serial)}")
+
     cert.get_subject().CN = certname
 
     cert.set_version(2)

atomicshop/wrappers/pywin32w/cert_store.py

@@ -0,0 +1,116 @@
+from typing import Literal
+import win32crypt as wcrypt
+
+from ...print_api import print_api
+from ... import certificates
+
+
+# lpszStoreProvider
+CERT_STORE_PROV_SYSTEM = 0x0000000A
+# dwFlags
+CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
+CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000
+CERT_CLOSE_STORE_FORCE_FLAG = 0x00000001
+CRYPT_STRING_BASE64HEADER = 0x00000000
+X509_ASN_ENCODING = 0x00000001
+CERT_STORE_ADD_REPLACE_EXISTING = 3
+
+
+STORE_LOCATION_TO_CERT_SYSTEM_STORE: dict = {
+    "ROOT": CERT_SYSTEM_STORE_LOCAL_MACHINE,
+    "CA": CERT_SYSTEM_STORE_LOCAL_MACHINE,
+    "MY": CERT_SYSTEM_STORE_CURRENT_USER
+}
+
+
+def delete_certificate_by_issuer_name(
+        issuer_name: str,
+        store_location: Literal[
+            "ROOT",
+            "CA",
+            "MY"] = "ROOT",
+        print_kwargs: dict = None
+):
+    """
+    NEED ADMIN RIGHTS.
+    The function will remove all certificates with the specified issuer name.
+    There can be several certificates with this name.
+
+    :param issuer_name: string, issuer name to search for.
+    :param store_location: string, store location to search in. Default is "ROOT".
+    :param print_kwargs: dict, print_api kwargs.
+    """
+
+    """
+    WinAPI doesn't like to do 2 actions in one iteration. So, first we will collect all certificates to remove,
+    and in the second iteration remove them.
+    
+    Full Explanation:
+    When you iterate with for cert in store.CertEnumCertificatesInStore(): and call 
+    cert.CertDeleteCertificateFromStore() inside that loop, you’re modifying the underlying certificate store 
+    while its internal enumeration is still active. This can lead to a segmentation fault (access violation 0xC0000005).
+    By collecting the certificates in the first pass, you freeze the iteration so the store 
+    doesn’t get mutated mid-enumeration.
+    In the second pass, when you actually remove them, you’re no longer in the middle of enumerating. 
+    This prevents the store’s pointer from becoming invalid.
+    
+    This approach should stop the Process finished with exit code -1073741819 (0xC0000005) issue.
+    """
+
+    store = wcrypt.CertOpenStore(
+        CERT_STORE_PROV_SYSTEM,
+        0,
+        None,
+        STORE_LOCATION_TO_CERT_SYSTEM_STORE[store_location],
+        store_location
+    )
+
+    # Collect all matching certificates in a list
+    certs_to_remove = []
+    for cert in store.CertEnumCertificatesInStore():
+        # Certificate properties.
+        # cert.CertEnumCertificateContextProperties()
+        subject_string: str = wcrypt.CertNameToStr(cert.Subject)
+        if subject_string == issuer_name:
+            # Remove the certificate.
+            certs_to_remove.append(cert)
+
+    # Remove all certificates from the list.
+    for cert in certs_to_remove:
+        cert.CertDeleteCertificateFromStore()
+        print_api(f"Removed the Certificate from store [{store_location}] with issuer [{issuer_name}]", **(print_kwargs or {}))
+
+    # There is an exception about store close.
+    # store.CertCloseStore()
+
+
+def install_certificate_file(
+        file_path: str,
+        store_location: Literal[
+            "ROOT", "CA", "MY"] = "ROOT",
+        print_kwargs: dict = None
+):
+    """
+    NEED ADMIN RIGHTS.
+    The function will install the certificate from the file to the specified store location.
+
+    :param file_path: string, full file path to the certificate file.
+    :param store_location: string, store location to install the certificate. Default is "ROOT".
+    :param print_kwargs: dict, print_api kwargs.
+    """
+
+    with open(file_path, 'r') as f:
+        certificate_string = f.read()
+
+    certificate_pem = certificates.get_pem_certificate_from_string(certificate_string)
+
+    certificate_bytes = wcrypt.CryptStringToBinary(certificate_pem, CRYPT_STRING_BASE64HEADER)[0]
+
+    store = wcrypt.CertOpenStore(
+        CERT_STORE_PROV_SYSTEM, 0, None, STORE_LOCATION_TO_CERT_SYSTEM_STORE[store_location], store_location)
+
+    store.CertAddEncodedCertificateToStore(X509_ASN_ENCODING, certificate_bytes, CERT_STORE_ADD_REPLACE_EXISTING)
+    store.CertCloseStore(CERT_CLOSE_STORE_FORCE_FLAG)
+
+    message = f"Certificate installed to the store: [{store_location}] from file: [{file_path}]"
+    print_api(message, **(print_kwargs or {}))

atomicshop/wrappers/pywin32w/win_event_log/fetch.py

@@ -0,0 +1,174 @@
+import win32evtlog
+import win32security
+import win32con
+
+
+def get_latest_events(
+    server_ip: str = ".",
+    username: str = None,
+    password: str = None,
+    domain: str = ".",
+    log_name: str = "Security",
+    count: int = None,
+    event_id_list: list[int] | None = None
+):
+    """
+    Fetch latest `count` events from a Windows Event Log (local or remote) using pywin32.
+
+    - If username/password are None => use current security context.
+    - If server_ip is ".", "localhost", "127.0.0.1", "" or None => open local log.
+    - If count is None => return *all* events in the log.
+    - If event_id_list is not None => only return events whose EventID is in that list.
+
+    :param server_ip: IPv4/hostname of remote machine, or "." / None for local
+    :param username: Username to authenticate with (optional)
+    :param password: Password for the user (optional)
+    :param domain: Domain or computer name; ignored if username is None.
+                   If None and username is given, "." is used.
+    :param log_name: Log name (e.g. "Security", "System", "Application")
+    :param count: Number of most recent events to return, or None for all
+    :param event_id_list: List of Event IDs (low 16-bit) to include, or None for all
+    :return: List of dicts describing events (most recent first)
+    """
+
+    # Normalize server for OpenEventLog: None means "local machine"
+    normalized_server = server_ip
+    if server_ip in (None, "", ".", "localhost", "127.0.0.1"):
+        normalized_server = None
+
+    # Max events logic: None => infinite
+    max_events = float("inf") if count is None else count
+
+    # Precompute set of event IDs for fast membership checks
+    event_ids_set = set(event_id_list) if event_id_list is not None else None
+
+    # Decide whether we need impersonation
+    use_impersonation = username is not None and password is not None
+
+    h_user = None
+    events = []
+
+    try:
+        if use_impersonation:
+            if domain is None:
+                domain = "."
+
+            # Log on with explicit credentials and impersonate for the remote call
+            # LOGON32_LOGON_NEW_CREDENTIALS lets us use these creds for remote access
+            # while keeping the local token mostly unchanged.
+            h_user = win32security.LogonUser(
+                username,
+                domain,
+                password,
+                win32con.LOGON32_LOGON_NEW_CREDENTIALS,
+                win32con.LOGON32_PROVIDER_WINNT50,
+            )
+
+            win32security.ImpersonateLoggedOnUser(h_user)
+
+        # Connect to remote event log
+        # `server_ip` can be an IP or hostname; no need for leading "\\".
+        # local if normalized_server is None.
+        h_log = win32evtlog.OpenEventLog(normalized_server, log_name)
+
+        flags = (
+            win32evtlog.EVENTLOG_BACKWARDS_READ
+            | win32evtlog.EVENTLOG_SEQUENTIAL_READ
+        )
+
+        offset = 0  # not used with BACKWARDS_READ + SEQUENTIAL_READ, but kept for clarity
+
+        while len(events) < max_events:
+            records = win32evtlog.ReadEventLog(h_log, flags, offset)
+            if not records:
+                break
+
+            for ev in records:
+                # Low 16 bits are the actual Event ID
+                eid = ev.EventID & 0xFFFF
+
+                # If filtering by event IDs, skip others
+                if event_ids_set is not None and eid not in event_ids_set:
+                    continue
+
+                raw_strings = list(ev.StringInserts or [])
+                strings_dict = _parse_strings(eid, ev.SourceName, raw_strings)
+
+                evt = {
+                    "RecordNumber": ev.RecordNumber,
+                    "TimeGenerated": ev.TimeGenerated.Format(),  # string time
+                    "ComputerName": ev.ComputerName,
+                    "SourceName": ev.SourceName,
+                    # Low 16 bits are the actual Event ID
+                    "EventID": ev.EventID & 0xFFFF,
+                    "EventType": ev.EventType,
+                    "EventCategory": ev.EventCategory,
+                    "Strings": raw_strings,
+                    "StringsDict": strings_dict,
+                }
+                events.append(evt)
+
+                if len(events) >= max_events:
+                    break
+
+        win32evtlog.CloseEventLog(h_log)
+
+    finally:
+        # Clean up impersonation if we used it, Always revert impersonation and close handle
+        if use_impersonation and h_user is not None:
+            win32security.RevertToSelf()
+            h_user.Close()
+
+    # `events` is in newest to oldest already because of BACKWARDS_READ.
+    return events
+
+
+def _parse_strings(event_id: int, source_name: str, strings: list[str]) -> dict:
+    """
+    Convert the raw 'Strings' list into a dictionary with friendly field names
+    for specific event IDs. For unknown events, fall back to String1, String2, ...
+
+    Currently has a special mapping for:
+      - 5156 (Security log, WFP allowed connection)
+    """
+    if not strings:
+        return {}
+
+    # Normalize source name a bit
+    src = (source_name or "").lower()
+
+    # Special-case: Security 5156 (Windows Filtering Platform has permitted a connection)
+    # Insertion strings (in order) are:
+    #   1 Process ID
+    #   2 Application Name
+    #   3 Direction
+    #   4 Source Address
+    #   5 Source Port
+    #   6 Destination Address
+    #   7 Destination Port
+    #   8 Protocol
+    #   9 Filter Run-Time ID
+    #   10 Layer Name
+    #   11 Layer Run-Time ID
+    if event_id == 5156 and "security-auditing" in src:
+        keys_5156 = [
+            "Process ID",
+            "Application Name",
+            "Direction",
+            "Source Address",
+            "Source Port",
+            "Destination Address",
+            "Destination Port",
+            "Protocol",
+            "Filter Run-Time ID",
+            "Layer Name",
+            "Layer Run-Time ID",
+        ]
+        return {
+            key: strings[i]
+            for i, key in enumerate(keys_5156)
+            if i < len(strings)
+        }
+
+    # Default: generic mapping
+    return {f"String{i+1}": s for i, s in enumerate(strings)}

atomicshop/wrappers/pywin32w/win_event_log/subscribes/process_create.py

@@ -1,12 +1,7 @@
-import subprocess
-import winreg
-
 from .. import subscribe
-from .....print_api import print_api
+from .... import win_auditw
 
 
-AUDITING_REG_PATH: str = r"Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
-PROCESS_CREATION_INCLUDE_CMDLINE_VALUE: str = "ProcessCreationIncludeCmdLine_Enabled"
 LOG_CHANNEL: str = 'Security'
 EVENT_ID: int = 4688
 
@@ -30,8 +25,8 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
 
     def start(self):
         """Start the subscription process."""
-        enable_audit_process_creation()
-        enable_command_line_auditing()
+        win_auditw.enable_audit_process_creation()
+        win_auditw.enable_command_line_auditing()
 
         super().start()
 
@@ -60,100 +55,3 @@ class ProcessCreateSubscriber(subscribe.EventLogSubscriber):
         #         print(f"Error looking up account SID: {e}")
 
         return data
-
-
-def enable_audit_process_creation(print_kwargs: dict = None):
-    """
-    Enable the 'Audit Process Creation' policy.
-
-    :param print_kwargs: Optional keyword arguments for the print function.
-    """
-    if is_audit_process_creation_enabled():
-        print_api("Audit Process Creation is already enabled.", color='yellow', **(print_kwargs or {}))
-        return
-
-    # Enable "Audit Process Creation" policy
-    audit_policy_command = [
-        "auditpol", "/set", "/subcategory:Process Creation", "/success:enable", "/failure:enable"
-    ]
-    try:
-        subprocess.run(audit_policy_command, check=True)
-        print_api("Successfully enabled 'Audit Process Creation'.", color='green', **(print_kwargs or {}))
-    except subprocess.CalledProcessError as e:
-        print_api(f"Failed to enable 'Audit Process Creation': {e}", error_type=True, color='red', **(print_kwargs or {}))
-        raise e
-
-
-def is_audit_process_creation_enabled(print_kwargs: dict = None) -> bool:
-    """
-    Check if the 'Audit Process Creation' policy is enabled.
-
-    :param print_kwargs: Optional keyword arguments for the print function.
-    """
-    # Command to check the "Audit Process Creation" policy
-    audit_policy_check_command = [
-        "auditpol", "/get", "/subcategory:Process Creation"
-    ]
-    try:
-        result = subprocess.run(audit_policy_check_command, check=True, capture_output=True, text=True)
-        output = result.stdout
-        # print_api(output)  # Print the output for inspection
-
-        if "Process Creation" in output and "Success and Failure" in output:
-            # print_api(
-            #     "'Audit Process Creation' is enabled for both success and failure.",
-            #     color='green', **(print_kwargs or {}))
-            return True
-        else:
-            # print_api(output, **(print_kwargs or {}))
-            # print_api(
-            #     "'Audit Process Creation' is not fully enabled. Check the output above for details.",
-            #     color='yellow', **(print_kwargs or {}))
-            return False
-    except subprocess.CalledProcessError as e:
-        print_api(f"Failed to check 'Audit Process Creation': {e}", color='red', error_type=True, **(print_kwargs or {}))
-        return False
-
-
-def enable_command_line_auditing(print_kwargs: dict = None):
-    """
-    Enable the 'Include command line in process creation events' policy.
-
-    :param print_kwargs: Optional keyword arguments for the print function.
-    """
-
-    if is_command_line_auditing_enabled():
-        print_api(
-            "'Include command line in process creation events' is already enabled.", color='yellow',
-            **(print_kwargs or {}))
-        return
-
-    try:
-        # Open the registry key
-        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, AUDITING_REG_PATH) as reg_key:
-            # Set the value
-            winreg.SetValueEx(reg_key, PROCESS_CREATION_INCLUDE_CMDLINE_VALUE, 0, winreg.REG_DWORD, 1)
-
-        print_api(
-            "Successfully enabled 'Include command line in process creation events'.",
-            color='green', **(print_kwargs or {}))
-    except WindowsError as e:
-        print_api(
-            f"Failed to enable 'Include command line in process creation events': {e}", error_type=True,
-            color='red', **(print_kwargs or {}))
-
-
-def is_command_line_auditing_enabled():
-    try:
-        # Open the registry key
-        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUDITING_REG_PATH, 0, winreg.KEY_READ) as reg_key:
-            # Query the value
-            value, reg_type = winreg.QueryValueEx(reg_key, PROCESS_CREATION_INCLUDE_CMDLINE_VALUE)
-            # Check if the value is 1 (enabled)
-            return value == 1
-    except FileNotFoundError:
-        # Key or value not found, assume it's not enabled
-        return False
-    except WindowsError as e:
-        print(f"Failed to read the 'Include command line in process creation events' setting: {e}")
-        return False