Is it possible to use a python file as Agent Monitor in place of WindowsDebugger monitor in peach? If yes, is there any guide that has the specifications (if any) for the python file?
Asked
Active
Viewed 263 times
1 Answers
0
Maybe a little late
But maybe you can use the socket monitor: peach will consider a fault if it receive a message on a specific socket:
<Agent name="Local">
<Monitor class="Socket">
<Param name="Port" value="6666" />
<Param name="Timeout" value="5000" />
</Monitor>
</Agent>
and an example (process detection in powershell)
$q = "Select * from win32_ProcessStartTrace where processname 'Process.exe'"
$port=6666
$remoteHost = "127.0.0.1"
$message = "[fault]"
Register-CimIndicationEvent -Query $q -SourceIdentifier test
while ($true) {
Start-Sleep -Seconds 1
$var = (Get-Event -SourceIdentifier test -ErrorAction SilentlyContinue | findstr "RunspaceId")
if ($var) {
echo "Fault detected"
$socket = new-object System.Net.Sockets.TcpClient($remoteHost, $port)
$data = [System.Text.Encoding]::ASCII.GetBytes($message)
$stream = $socket.GetStream()
$stream.Write($data, 0, $data.Length)
Remove-Event -SourceIdentifier test
$var = $null
}
}
Alex
- 1