From 99b1159f748162670322c4fcd1dbe6ceb0aad091 Mon Sep 17 00:00:00 2001 From: ghost-ng Date: Thu, 25 Jan 2024 11:53:35 -0500 Subject: [PATCH] updated README --- README.md | 54 ++++++++++++++++++++++++++ TODO..md => TODO.md | 0 src/slingerpkg/lib/dcetransport.py | 52 ++++++++++++++++++++----- src/slingerpkg/lib/msrpcperformance.py | 32 +++++++++++++-- 4 files changed, 124 insertions(+), 14 deletions(-) rename TODO..md => TODO.md (100%) diff --git a/README.md b/README.md index df1845e..61db168 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,60 @@ Slinger is a versatile tool designed for advanced network interactions and manip - **System Information Gathering**: Gather detailed system information, including server disk information, logged-on users, and transport details. - **Wrapper Commands**: Commands to edit port forwarding rules, view the windows firewall, ip information, etc - **CLI System**: Slinger offers an exhaustively simple CLI complete with help entries +- **Query Performance Data**: (Experimental) Remotely query performance data like remote processes + +``` +🤠 (10.0.0.28):\\> ps +[*] Retrieving Processes List... +[!] Performance Data querying is experimental and is still under development +Name PID PPID Priority Threads Handles +------------------------- ----- ------ ---------- --------- --------- +Idle 0 0 0 1 0 +System 4 0 8 81 740 +mmc (uuid:wVWpou) 152 1868 6 19 824 +conhost 172 248 6 2 54 +cmd 248 2836 6 1 26 +svchost (uuid:LE9JOF) 428 712 8 14 779 +smss 440 4 11 2 52 +csrss 524 516 13 8 231 +csrss (uuid:ZHvV4L) 616 608 13 8 243 +vpnagent 620 712 10 6 437 +wininit 624 516 13 1 79 +winlogon 652 608 13 2 157 +services 712 624 9 6 258 +lsass 720 624 9 6 694 +svchost (uuid:HfKmym) 756 712 8 16 535 +svchost 780 712 8 7 358 +svchost (uuid:1ngQeO) 808 712 8 6 327 +dwm 896 652 13 7 190 +svchost (uuid:xqconX) 920 712 8 13 444 +svchost (uuid:AwBbeG) 980 712 8 28 1000 +rundll32 1076 980 10 5 204 +svchost (uuid:a31ADo) 1092 712 8 15 379 +spoolsv 1228 712 8 8 370 +svchost (uuid:0wxSfV) 1260 712 8 6 118 +svchost (uuid:Fwvb34) 1280 712 8 8 194 +msdtc 1292 712 8 9 163 +dns 1296 712 8 10 10224 +svchost (uuid:tQ16ZP) 1392 712 8 10 253 +VGAuthService 1432 712 8 2 114 +vm3dservice 1480 712 8 2 88 +vmtoolsd 1532 712 13 10 308 +vm3dservice (uuid:rfz3k2) 1544 1480 13 2 85 +svchost (uuid:i2Waqs) 1568 712 8 15 162 +dllhost 1976 712 8 10 192 +vmtoolsd (uuid:OXMvuj) 1996 2628 8 9 231 +WmiPrvSE 2176 780 8 10 316 +WmiPrvSE (uuid:elaPeM) 2312 780 8 7 234 +taskhostex 2540 980 8 5 201 +vpnui 2548 2952 8 6 356 +Taskmgr 2580 2628 8 10 305 +explorer 2628 2612 8 38 1304 +taskeng 2836 980 8 3 115 +ServerManager 2988 2548 8 8 430 +mmc 3004 2628 8 19 403 +[+] Proccesses with '(uuid:)' have duplicate names but are unique processes +``` ## Usage diff --git a/TODO..md b/TODO.md similarity index 100% rename from TODO..md rename to TODO.md diff --git a/src/slingerpkg/lib/dcetransport.py b/src/slingerpkg/lib/dcetransport.py index 10c26db..3457d3f 100755 --- a/src/slingerpkg/lib/dcetransport.py +++ b/src/slingerpkg/lib/dcetransport.py @@ -858,12 +858,13 @@ def _hQueryPerformaceData(self, object_num, arch=64): print_debug("Counter Definitions: \n" + str(counter_definitions)) # correct up to here - # Bring the position to the beginning of the instances (or counters) - pos = object_start + object_type['DefinitionLength'] + # Check if we have any instances #print_info("NumInstances: " + str(object_type['NumInstances'])) if object_type['NumInstances'] > 0: + # Bring the position to the beginning of the instances (or counters) + pos = object_start + object_type['DefinitionLength'] print_debug(f"Found {str(object_type['NumInstances'])} instances") # Parse the object instances and counters for j in range(object_type['NumInstances']): @@ -916,35 +917,65 @@ def _hQueryPerformaceData(self, object_num, arch=64): # start at the end of the PERF_COUNTER_DEFINITIONS and PERF_OBJECT_TYPE print_debug(f"Found {str(object_type['NumInstances'])} instances") + # Calculate the total length of all counter definitions total_counter_definitions_length = sum(cd['ByteLength'] for cd in counter_definitions.values()) + + # Calculate the start position of the counter block counter_block_start = object_start + object_type['HeaderLength'] + total_counter_definitions_length + initial_counter_block_pos = object_start + object_type['HeaderLength'] + total_counter_definitions_length + + # Calculate padding if needed + padding_needed = (8 - (initial_counter_block_pos % 8)) % 8 + + # Final position of the PERF_COUNTER_BLOCK, considering padding for alignment + final_counter_block_pos = initial_counter_block_pos + padding_needed + - print_debug("Counter Block Start: " + str(counter_block_start)) + # these should be the same + print_debug("Object Start: " + str(object_start)) + print_debug("Initial Counter Block Start: " + str(initial_counter_block_pos)) + print_debug("Final Counter Block Start: " + str(final_counter_block_pos)) print_debug("Original Position: " + str(pos)) # Parse the PERF_COUNTER_BLOCK - status, pos, counter_block = parse_perf_counter_block_test(queryvalue_result[1], pos) + #https://learn.microsoft.com/en-us/windows/win32/api/winperf/ns-winperf-perf_counter_block + + status, pos, counter_block = parse_perf_counter_block_test(queryvalue_result[1], final_counter_block_pos) print_debug("Counter Block: " + str(counter_block)) + if not status: # Handle error print_debug("Error parsing counter block", sys.exc_info()) return False, pos - print_debug("New Position: " + str(pos)) # Start parsing the counter data print_debug("NumCounters: " + str(object_type['NumCounters'])) + + + for k in range(object_type['NumCounters']): counter_def = counter_definitions[k] counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']] print_debug(f"#{k} Counter Name: " + str(counter_name)) - print_debug(f"Counter Block Start: {counter_block_start + counter_def['CounterOffset']} = {counter_block_start} + {counter_def['CounterOffset']}") - counter_block_start = counter_block_start + counter_def['CounterOffset'] - - status, pos, counter_result = parse_perf_counter_data(queryvalue_result[1], counter_block_start, counter_def) + # Bring the pos to the start of the counter + + #print_debug(f"Counter Block Start: {counter_block_start + counter_def['CounterOffset']} = {counter_block_start} + {counter_def['CounterOffset']}") + #counter_block_start = counter_block_start + counter_def['CounterOffset'] + #status, pos, counter_result = parse_perf_counter_data(queryvalue_result[1], counter_block_start, counter_def) + + + # change position to start of counter block + counter_data_start = counter_block_start + counter_def['CounterOffset'] + + # Now set pos to this position + pos = counter_data_start + + status, pos, counter_result = parse_perf_counter_data(queryvalue_result[1], pos, counter_def) + if not status: # Handle error print_debug("Error parsing counter", sys.exc_info()) @@ -960,10 +991,11 @@ def _hQueryPerformaceData(self, object_num, arch=64): # Update pos after processing all counters - pos = counter_block_start + counter_block['ByteLength'] + #pos = counter_block_start + counter_block['ByteLength'] print_debug("Exiting Counter Definitions Loop") + return True, pos, result diff --git a/src/slingerpkg/lib/msrpcperformance.py b/src/slingerpkg/lib/msrpcperformance.py index 4280dd5..64db5a6 100644 --- a/src/slingerpkg/lib/msrpcperformance.py +++ b/src/slingerpkg/lib/msrpcperformance.py @@ -54,6 +54,7 @@ """ def parse_perf_counter_data(data, pos, counter_definition): + print_debug("Counter Size: " + str(counter_definition['CounterSize'])) try: # Define format strings int32_fmt = '