-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read PE info of file thru SMB #94
Comments
I'm assuming you'd like that functionality w/o downloading the file (something you could do with the libraries' present methods). |
Exactly, I know that is possible using pysmb and pefile libs, but this requires transfering file. |
@tsmall888 this is pretty trivially done, take a look at the RemoteFIle class here https://github.com/CoreSecurity/impacket/blob/master/examples/secretsdump.py#L228, you would just have to read blocks from the remote file and parse them using pefile |
@byt3bl33d3r I thought about Take a look at this code: I did some tests but results are not that good. First of all, let's look at the
So you either pass a filename ( If you pass a filename, that filename is mmaped and then accessed as a bytearray, the same way as the buffer parameter. For this reason, the
This allows to do stuff like this:
which is kind of neat ;) So once I did that I created a PE class sending this new The problem is due to the way the pefile library is developed, this approach is not efficient, since the library accesses same portions of the file several times and sometimes it asks for almost the whole file (when it does look for strings, for example https://github.com/erocarrera/pefile/blob/master/pefile.py#L2544). If you want to see it in action, uncomment the Ideas are welcomed (maybe caching the data being read?), but I think this is it. It was fun to play with it tho ;) |
@asolino great solution! I had some troubles with pysmb lib. Now I will test your code. |
@asolino, sometimes during long smb connection with retrieving info (remoteFile.open(FILE_READ_DATA)) of many system .dll files I get following error:
and these messages for all next files
Can you check this? |
Do you have an example I could reproduce? Both code and target system, and target file. thanks! |
@asolino yes, something like this https://github.com/tsmall888/PEoverSMB/tree/master. But not always this errors is reproduced. |
I found the problem I think: Change this line for :
Also do a git pull 'cause I fixed some issues with Give it a try and let me know. I still think this is not a good approach since it reads the same file several times ;). |
…tesToRead parameter * Before, if `bytesToRead` was greater than the protocol's `MaxReadSize` buffer (dependant on the server's configuration), it would only read that amount of bytes. Now it will call `read_andx`() many times until it reached EOF or read all the bytes asked. * See #94
@asolino, looks like everything works fine. |
thanks for checking this @tsmall888. cheers. |
Hi!
Is it possible using impacket to get PE info (example: version of dll) of a file on a remote Windows share?
If no, may be you can implement this using pefile (https://github.com/erocarrera/pefile)?
Kind regards,
Timur
The text was updated successfully, but these errors were encountered: