Read PE info of file thru SMB

[t33m]

Hi!

Is it possible using impacket to get PE info (example: version of dll) of a file on a remote Windows share?
If no, may be you can implement this using pefile (https://github.com/erocarrera/pefile)?

Kind regards,
Timur

[asolino]

I'm assuming you'd like that functionality w/o downloading the file (something you could do with the libraries' present methods).

[t33m]

Exactly, I know that is possible using pysmb and pefile libs, but this requires transfering file.

[byt3bl33d3r]

@tsmall888 this is pretty trivially done, take a look at the RemoteFIle class here https://github.com/CoreSecurity/impacket/blob/master/examples/secretsdump.py#L228, you would just have to read blocks from the remote file and parse them using pefile

[asolino]

@byt3bl33d3r I thought about RemoteFile as well actually ;)

Take a look at this code:
https://gist.github.com/asolino/684da226435f2844bc58

I did some tests but results are not that good. First of all, let's look at the class PE constructor:

def __init__(self, name=None, data=None, fast_load=None):

So you either pass a filename (name parameter) or you pass a buffer with the file's data (data parameter).

If you pass a filename, that filename is mmaped and then accessed as a bytearray, the same way as the buffer parameter. For this reason, the RemoteFile class as it is in secretsdump  is not enough. So what I did is to extend that class so you can access the file's contents slicing into its contents:

class RemoteFile:
[...]
    def __len__(self):
        # Get's the file len
        if self.__fileLen is None:
            self.__fileLen = self.__smbConnection.queryInfo(self.__tid, self.__fid)['EndOfFile']

        return self.__fileLen

    def __getitem__(self, index):
        # Get's portions of file
        # Uncomment this if you want to debug what's going on
        #print index
        if isinstance(index, int):
            # Asking for a single byte, odd
            offset = index
            bytesToRead = 1
        elif isinstance(index, slice):
            # Asking many byte, calculating and returning
            offset = index.start
            if index.stop == sys.maxint:
                # We have to read till the end of file
                bytesToRead = self.__len__()
            else:
                bytesToRead = index.stop - index.start


        return self.__smbConnection.readFile(self.__tid, self.__fid, offset=offset, bytesToRead=bytesToRead)
[...]

This allows to do stuff like this:

# Print 4 bytes from file starting at position 4
print remoteFile[4:8]
# Give me the last 2 bytes
print remoteFile[-2:]

which is kind of neat ;)

So once I did that I created a PE class sending this new RemoteFile class as the PE's data parameter and, it actually worked ;).

The problem is due to the way the pefile library is developed, this approach is not efficient, since the library accesses same portions of the file several times and sometimes it asks for almost the whole file (when it does look for strings, for example https://github.com/erocarrera/pefile/blob/master/pefile.py#L2544).

If you want to see it in action, uncomment the print index line so you get all the requests from the library. I think the original file is downloaded several times actually ;). Seems like it is way more efficient to download the whole file once and then pass that file to this library :(

Ideas are welcomed (maybe caching the data being read?), but I think this is it. It was fun to play with it tho ;)

[t33m]

@asolino great solution!

I had some troubles with pysmb lib. Now I will test your code.

[t33m]

@asolino, sometimes during long smb connection with retrieving info (remoteFile.open(FILE_READ_DATA)) of many system .dll files I get following error:

[Errno 104] Connection reset by peer

and these messages for all next files

[Errno 32] Broken pipe

Can you check this?

[asolino]

Do you have an example I could reproduce? Both code and target system, and target file.

thanks!

[t33m]

@asolino yes, something like this https://github.com/tsmall888/PEoverSMB/tree/master.
As a target host I use Windows Server 2012 R2 Standard Evaluation [Version 6.3.9600].

But not always this errors is reproduced.

[asolino]

I found the problem I think:

Change this line for :

    if bytesToRead > 0:
        return self.__smbConnection.readFile(self.__tid, self.__fid, offset=offset, bytesToRead=bytesToRead)
    else:
        return ''

Also do a git pull 'cause I fixed some issues with SMBConnection.readFile() that are only present with the RemoteFile class you're using.

Give it a try and let me know.

I still think this is not a good approach since it reads the same file several times ;).

[t33m]

@asolino, looks like everything works fine.

[asolino]

thanks for checking this @tsmall888. cheers.