atomicshop 3.3.28__py3-none-any.whl → 3.10.0__py3-none-any.whl

atomicshop/wrappers/socketw/socket_wrapper.py

@@ -1,7 +1,5 @@
 import multiprocessing
 import threading
-import time
-
 import select
 from typing import Literal, Union, Callable, Any
 from pathlib import Path
@@ -9,17 +7,20 @@ import socket
 import shutil
 import os
 
+import paramiko
+
 from ...mitm import initialize_engines
 from ..psutilw import psutil_networks
 from ..certauthw import certauthw
 from ..loggingw import loggingw
-from ...script_as_string_processor import ScriptAsStringProcessor
+from ... import package_mains_processor
 from ...permissions import permissions
 from ... import filesystem, certificates
 from ...basics import booleans, tracebacks
 from ...print_api import print_api
+from ...ssh_remote import SSHRemote
 
-from . import base, creator, get_process, accepter, statistics_csv, ssl_base, sni
+from . import socket_base, creator, process_getter, accepter, statistics_csv, ssl_base, sni
 
 
 class SocketWrapperPortInUseError(Exception):
@@ -67,10 +68,7 @@ class SocketWrapper:
             ssh_user: str = None,
             ssh_pass: str = None,
             ssh_script_to_execute: Union[
-                Literal[
-                    'process_from_port',
-                    'process_from_ipv4'
-                ],
+                Literal['process_from_port'],
                 None
             ] = None,
             logs_directory: str = None,
@@ -80,6 +78,8 @@ class SocketWrapper:
             statistics_logger_queue: multiprocessing.Queue = None,
             exceptions_logger_name: str = 'SocketWrapperExceptions',
             exceptions_logger_queue: multiprocessing.Queue = None,
+            enable_sslkeylogfile_env_to_client_ssl_context: bool = False,
+            sslkeylog_file_path: str = None,
             print_kwargs: dict = None,
     ):
         """
@@ -173,6 +173,12 @@ class SocketWrapper:
         :param exceptions_logger_name: string, name of the logger that will be used to log exceptions.
         :param exceptions_logger_queue: multiprocessing.Queue, queue that will be used to log exceptions in
             multiprocessing. You need to start the logger listener in the main process to handle the queue.
+        :param enable_sslkeylogfile_env_to_client_ssl_context: boolean, if True, each client SSL context
+            that will be created by the SocketWrapper will have save the SSL handshake keys to the file
+            defined in 'sslkeylog_file_path' parameter.
+        :param sslkeylog_file_path: string, path to file where SSL handshake keys will be saved.
+            If not provided and 'enable_sslkeylogfile_env_to_client_ssl_context' is True, then
+            the environment variable 'SSLKEYLOGFILE' will be used.
         :param print_kwargs: dict, additional arguments to pass to the print function.
         """
 
@@ -208,6 +214,9 @@ class SocketWrapper:
         self.ssh_script_to_execute = ssh_script_to_execute
         self.forwarding_dns_service_ipv4_list___only_for_localhost = (
             forwarding_dns_service_ipv4_list___only_for_localhost)
+        self.enable_sslkeylogfile_env_to_client_ssl_context: bool = (
+            enable_sslkeylogfile_env_to_client_ssl_context)
+        self.sslkeylog_file_path: str = sslkeylog_file_path
         self.print_kwargs: dict = print_kwargs
 
         self.socket_object = None
@@ -226,12 +235,17 @@ class SocketWrapper:
         # Defining listening sockets list, which will be used with "select" library in 'loop_for_incoming_sockets'.
         self.listening_sockets: list = list()
 
-        # Defining 'ssh_script_processor' variable, which will be used to process SSH scripts.
+        # Defining 'ssh_script_string' variable, which will be used to process SSH scripts.
         self.ssh_script_processor = None
         if self.get_process_name:
             # noinspection PyTypeChecker
-            self.ssh_script_processor = \
-                ScriptAsStringProcessor().read_script_to_string(self.ssh_script_to_execute)
+            self.package_processor: package_mains_processor.PackageMainsProcessor | None = package_mains_processor.PackageMainsProcessor(script_file_stem=self.ssh_script_to_execute)
+
+        else:
+            self.package_processor = None
+
+        # We will initialize it during the first 'get_process_name' function call.
+        self.ssh_client: SSHRemote | None = None
 
         # If logs directory was not set, we will use the working directory.
         if not logs_directory:
@@ -551,8 +565,12 @@ class SocketWrapper:
                     print_kwargs={'logger': self.logger})
 
                 source_ip: str = client_address[0]
+                source_port: int = client_address[1]
                 dest_port: int = listening_socket_object.getsockname()[1]
 
+                message: str = f"Accepted connection from [{source_ip}:{source_port}] to [{listening_ip}:{dest_port}] | domain: {domain_from_engine}"
+                print_api(message, logger=self.logger)
+
                 # Not always there will be a hostname resolved by the IP address, so we will leave it empty if it fails.
                 try:
                     source_hostname = socket.gethostbyaddr(source_ip)[0]
@@ -564,21 +582,61 @@ class SocketWrapper:
                 # SSH Remote / LOCALHOST script execution to identify process section.
                 # If 'get_process_name' was set to True, then this will be executed.
                 if self.get_process_name:
+                    # Initializing SSHRemote class if not initialized.
+                    if self.ssh_client is None:
+                        self.ssh_client = SSHRemote(
+                            ip_address=source_ip, username=self.ssh_user, password=self.ssh_pass, logger=self.logger)
+
                     # Get the process name from the socket.
-                    get_command_instance = get_process.GetCommandLine(
-                        client_socket=client_socket,
-                        ssh_script_processor=self.ssh_script_processor,
-                        ssh_user=self.ssh_user,
-                        ssh_pass=self.ssh_pass,
+                    get_command_instance = process_getter.GetCommandLine(
+                        client_ip=source_ip,
+                        client_port=source_port,
+                        package_processor=self.package_processor,
+                        ssh_client=self.ssh_client,
                         logger=self.logger)
                     process_name = get_command_instance.get_process_name(print_kwargs={'logger': self.logger})
 
+                    # from ..pywin32w.win_event_log import fetch
+                    # events = fetch.get_latest_events(
+                    #     server_ip=source_ip,
+                    #     username=self.ssh_user,
+                    #     password=self.ssh_pass,
+                    #     log_name='Security',
+                    #     count=50,
+                    #     event_id_list=[5156]
+                    # )
+                    #
+                    # source_port = client_address[1]
+                    # for event in events:
+                    #     if source_port == event['StringsDict']['Source Port']:
+                    #         process_name = event['StringsDict']['Application Name']
+                    #         break
+                    #
+                    # if process_name == '':
+                    #     raise RuntimeError("Failed to get process name from the remote host via Event Log.")
+
                 # If 'accept()' function worked well, SSL worked well, then 'client_socket' won't be empty.
                 if client_socket:
                     # Get the protocol type from the socket.
                     is_tls: bool = False
 
-                    tls_properties = ssl_base.is_tls(client_socket)
+                    try:
+                        tls_properties = ssl_base.is_tls(client_socket, timeout=1)
+                    except TimeoutError:
+                        error: str = "TimeoutError: TLS detection timed out. Dropping accepted socket."
+                        self.logger.error(error)
+
+                        self.statistics_writer.write_accept_error(
+                            engine=engine_name,
+                            source_host=source_hostname,
+                            source_ip=source_ip,
+                            error_message=error,
+                            dest_port=str(dest_port),
+                            host=domain_from_engine,
+                            process_name=process_name)
+
+                        client_socket.close()
+                        continue
 
                     if tls_properties:
                         is_tls = True
@@ -616,7 +674,9 @@ class SocketWrapper:
                             forwarding_dns_service_ipv4_list___only_for_localhost=(
                                 self.forwarding_dns_service_ipv4_list___only_for_localhost),
                             tls=is_tls,
-                            exceptions_logger=self.exceptions_logger
+                            exceptions_logger=self.exceptions_logger,
+                            enable_sslkeylogfile_env_to_client_ssl_context=self.enable_sslkeylogfile_env_to_client_ssl_context,
+                            sslkeylog_file_path=self.sslkeylog_file_path
                         )
 
                         ssl_client_socket, accept_error_message = \
@@ -678,7 +738,7 @@ class SocketWrapper:
                     self.threads_list.append(thread_current)
 
                     # 'thread_callable_args[1][0]' is the client socket.
-                    client_address = base.get_source_address_from_socket(client_socket)
+                    client_address = socket_base.get_source_address_from_socket(client_socket)
 
                     self.logger.info(f"Accepted connection, thread created {client_address}. Continue listening...")
                 # Else, if no client_socket was opened during, accept, then print the error.
@@ -692,7 +752,8 @@ class SocketWrapper:
                         dest_port=str(dest_port),
                         host=domain_from_engine,
                         process_name=process_name)
-            except ConnectionResetError as e:
+            # Sometimes paramiko SSH connection return EOFError on connection reset, so we need to catch it separately.
+            except (ConnectionResetError, paramiko.ssh_exception.SSHException, EOFError) as e:
                 exception_string: str = tracebacks.get_as_string()
                 full_string: str = f"{str(e)} | {exception_string}"
                 self.statistics_writer.write_accept_error(
@@ -726,7 +787,7 @@ def before_socket_thread_worker(
     try:
         callable_function(*callable_args)
     except Exception as e:
-        exceptions_logger.write(e)
+        exceptions_logger.write(e, custom_exception_attribute='engine_name', custom_exception_attribute_placement='before')
 
 
 def get_engine_name(domain: str, engine_list: list):

atomicshop/wrappers/socketw/ssl_base.py

@@ -24,15 +24,19 @@ def convert_der_x509_bytes_to_pem_string(certificate) -> str:
     return ssl.DER_cert_to_PEM_cert(certificate)
 
 
-def is_tls(client_socket) -> Optional[Tuple[str, str]]:
+def is_tls(
+        client_socket,
+        timeout: float = None
+) -> Optional[Tuple[str, str]]:
     """
     Return protocol type of the incoming socket after 'accept()'.
     :param client_socket: incoming socket after 'accept()'.
+    :param timeout: optional timeout for receiving/peeking the first bytes.
     :return: tuple with content type, protocol type + version.
         If the length of the first bytes is less than 3, return None.
     """
 
-    first_bytes = receiver.peek_first_bytes(client_socket, bytes_amount=3)
+    first_bytes = receiver.peek_first_bytes(client_socket, bytes_amount=3, timeout=timeout)
 
     # Sometimes only one byte is available, so we need to handle that case.
     # convert to a tuple of ints, add three Nones, and keep only the first 3 items.

atomicshop/wrappers/win_auditw.py

@@ -0,0 +1,189 @@
+import subprocess
+import winreg
+
+from ..print_api import print_api
+
+
+AUDITING_REG_PATH: str = r"Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
+PROCESS_CREATION_INCLUDE_CMDLINE_VALUE: str = "ProcessCreationIncludeCmdLine_Enabled"
+
+
+def enable_command_line_auditing(print_kwargs: dict = None):
+    """
+    Enable the 'Include command line in process creation events' policy.
+
+    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+
+    if is_command_line_auditing_enabled():
+        print_api(
+            "[Include command line in process creation events] is already enabled.", color='blue',
+            **(print_kwargs or {}))
+        return
+
+    try:
+        # Open the registry key
+        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, AUDITING_REG_PATH) as reg_key:
+            # Set the value
+            winreg.SetValueEx(reg_key, PROCESS_CREATION_INCLUDE_CMDLINE_VALUE, 0, winreg.REG_DWORD, 1)
+
+        print_api(
+            "Successfully enabled [Include command line in process creation events].",
+            color='green', **(print_kwargs or {}))
+    except WindowsError as e:
+        print_api(
+            f"Failed to enable [Include command line in process creation events]: {e}", error_type=True,
+            color='red', **(print_kwargs or {}))
+
+
+def is_command_line_auditing_enabled():
+    try:
+        # Open the registry key
+        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUDITING_REG_PATH, 0, winreg.KEY_READ) as reg_key:
+            # Query the value
+            value, reg_type = winreg.QueryValueEx(reg_key, PROCESS_CREATION_INCLUDE_CMDLINE_VALUE)
+            # Check if the value is 1 (enabled)
+            return value == 1
+    except FileNotFoundError:
+        # Key or value not found, assume it's not enabled
+        return False
+    except WindowsError as e:
+        print(f"Failed to read the 'Include command line in process creation events' setting: {e}")
+        return False
+
+
+def enable_audit_process_creation(print_kwargs: dict = None):
+    """
+    Enable the 'Audit Process Creation' policy.
+    Log: Security
+    Event ID: 4688 - A new process has been created.
+
+    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    if is_audit_process_creation_enabled():
+        print_api("Audit Process Creation is already enabled.", color='blue', **(print_kwargs or {}))
+        return
+
+    # Enable "Audit Process Creation" policy
+    audit_policy_command = [
+        "auditpol", "/set", "/subcategory:Process Creation", "/success:enable", "/failure:enable"
+    ]
+    try:
+        subprocess.run(audit_policy_command, check=True)
+        print_api("Successfully enabled 'Audit Process Creation'.", color='green', **(print_kwargs or {}))
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to enable 'Audit Process Creation': {e}", error_type=True, color='red', **(print_kwargs or {}))
+        raise e
+
+
+def is_audit_process_creation_enabled(print_kwargs: dict = None) -> bool:
+    """
+    Check if the 'Audit Process Creation' policy is enabled.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    # Command to check the "Audit Process Creation" policy
+    audit_policy_check_command = [
+        "auditpol", "/get", "/subcategory:Process Creation"
+    ]
+    try:
+        result = subprocess.run(audit_policy_check_command, check=True, capture_output=True, text=True)
+        output = result.stdout
+        # print_api(output)  # Print the output for inspection
+
+        if "Process Creation" in output and "Success and Failure" in output:
+            # print_api(
+            #     "'Audit Process Creation' is enabled for both success and failure.",
+            #     color='green', **(print_kwargs or {}))
+            return True
+        else:
+            # print_api(output, **(print_kwargs or {}))
+            # print_api(
+            #     "'Audit Process Creation' is not fully enabled. Check the output above for details.",
+            #     color='yellow', **(print_kwargs or {}))
+            return False
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to check 'Audit Process Creation': {e}", color='red', error_type=True, **(print_kwargs or {}))
+        return False
+
+
+def enable_audit_process_termination(print_kwargs: dict = None):
+    """
+    Enable the 'Audit Process Termination' policy.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    if is_audit_process_termination_enabled():
+        print_api("Audit Process Termination is already enabled.", color='blue', **(print_kwargs or {}))
+        return
+
+    audit_policy_command = [
+        "auditpol", "/set", "/subcategory:Process Termination", "/success:enable", "/failure:enable"
+    ]
+    try:
+        subprocess.run(audit_policy_command, check=True)
+        print_api("Successfully enabled 'Audit Process Termination'.", color='green', **(print_kwargs or {}))
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to enable 'Audit Process Termination': {e}", error_type=True, color='red', **(print_kwargs or {}))
+        raise e
+
+
+def is_audit_process_termination_enabled(print_kwargs: dict = None) -> bool:
+    """
+    Check if the 'Audit Process Termination' policy is enabled.
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+    # Command to check the "Audit Process Creation" policy
+    audit_policy_check_command = [
+        "auditpol", "/get", "/subcategory:Process Termination"
+    ]
+    try:
+        result = subprocess.run(audit_policy_check_command, check=True, capture_output=True, text=True)
+        output = result.stdout
+        # print_api(output)  # Print the output for inspection
+
+        if "Process Termination" in output and "Success and Failure" in output:
+            # print_api(
+            #     "'Audit Process Termination' is enabled for both success and failure.",
+            #     color='green', **(print_kwargs or {}))
+            return True
+        else:
+            # print_api(output, **(print_kwargs or {}))
+            # print_api(
+            #     "'Audit Process Termination' is not fully enabled. Check the output above for details.",
+            #     color='yellow', **(print_kwargs or {}))
+            return False
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to check 'Audit Process Termination': {e}", color='red', error_type=True, **(print_kwargs or {}))
+        return False
+
+
+def enable_audit_filtering_platform_connection(print_kwargs: dict = None):
+    """
+    Enable the 'Filtering Platform Connection' policy.
+    This enables you to fetch connection creations and deletions from the Windows Security Event Log.
+    Log: Security
+    Event IDs:
+        5156 - The Windows Filtering Platform has permitted a connection.
+        5158 - The Windows Filtering Platform has blocked a connection.
+    Events include information about source and destination IP addresses and ports.
+
+    auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
+
+    :param print_kwargs: Optional keyword arguments for the print function.
+    """
+
+    audit_policy_command = [
+        "auditpol", "/set", '/subcategory:"Filtering Platform Connection"', "/success:enable", "/failure:enable"
+    ]
+    try:
+        subprocess.run(audit_policy_command, check=True)
+        print_api("Successfully enabled 'Audit Filtering Platform Connection'.", color='green', **(print_kwargs or {}))
+    except subprocess.CalledProcessError as e:
+        print_api(f"Failed to enable 'Audit Filtering Platform Connection': {e}", error_type=True, color='red', **(print_kwargs or {}))
+        raise e

{atomicshop-3.3.28.dist-info → atomicshop-3.10.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: atomicshop
-Version: 3.3.28
+Version: 3.10.0
 Summary: Atomic functions and classes to make developer life easier
 Author: Denis Kras
 License-Expression: MIT
@@ -8,44 +8,39 @@ Project-URL: Homepage, https://github.com/BugSec-Official/atomicshop
 Classifier: Intended Audience :: Developers
 Classifier: Programming Language :: Python :: 3
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Requires-Python: <3.13,>=3.10
+Requires-Python: <3.14,>=3.12
 Description-Content-Type: text/markdown
 License-File: LICENSE.txt
 Requires-Dist: wheel
-Requires-Dist: beautifulsoup4
-Requires-Dist: cryptography
+Requires-Dist: setuptools
+Requires-Dist: beautifulsoup4==4.14.3
+Requires-Dist: cryptography==46.0.3
+Requires-Dist: dkarchiver==1.0.1
 Requires-Dist: dkinst
-Requires-Dist: dnslib
-Requires-Dist: dnspython
-Requires-Dist: docker
-Requires-Dist: flask_socketio
-Requires-Dist: google-api-python-client
-Requires-Dist: google-generativeai
-Requires-Dist: icmplib
+Requires-Dist: dnslib==0.9.26
+Requires-Dist: dnspython==2.8.0
+Requires-Dist: docker==7.1.0
+Requires-Dist: flask_socketio==5.5.1
+Requires-Dist: google-api-python-client==2.187.0
+Requires-Dist: google-genai==1.53.0
+Requires-Dist: icmplib==3.0.4
 Requires-Dist: numpy
-Requires-Dist: olefile
-Requires-Dist: openpyxl
-Requires-Dist: pandas
-Requires-Dist: paramiko
-Requires-Dist: pefile
-Requires-Dist: playwright
-Requires-Dist: protobuf
-Requires-Dist: psutil
-Requires-Dist: py7zr==0.22.0
-Requires-Dist: pyautogui
-Requires-Dist: pymongo
-Requires-Dist: pyopenssl
-Requires-Dist: python-bidi
+Requires-Dist: olefile==0.47
+Requires-Dist: openpyxl==3.1.5
+Requires-Dist: pandas==2.3.3
+Requires-Dist: paramiko==4.0.0
+Requires-Dist: pefile==2024.8.26
+Requires-Dist: playwright==1.56.0
+Requires-Dist: psutil==7.1.3
+Requires-Dist: pymongo==4.15.5
+Requires-Dist: pyopenssl==25.3.0
 Requires-Dist: python-docx
-Requires-Dist: python-magic
-Requires-Dist: pywin32; platform_system == "Windows"
-Requires-Dist: reportlab
-Requires-Dist: setuptools
+Requires-Dist: pywin32==311; platform_system == "Windows"
 Requires-Dist: SoundCard
 Requires-Dist: soundfile
 Requires-Dist: SpeechRecognition
-Requires-Dist: tldextract
-Requires-Dist: websockets
+Requires-Dist: tldextract==5.3.0
+Requires-Dist: websockets==15.0.1
 Dynamic: license-file
 
 <h1 align="center">Atomic Workshop</h1>