/MemProcFS-plugins

Primary language: Python. License: GNU General Public License v3.0 (GPL-3.0)

Plugins for MemProcFS

This repository contains various non-core plugins for MemProcFS - The Memory Process File System.

Plugins range from non-core plugins to plugins that have offensive capabilities - such as pypykatz. Please find a short description for each plugin below:

pypykatz

Author:

Tamas Jos (@skelsec), info@skelsec.com, https://github.com/skelsec/

Overview:

pypykatz for MemProcFS exposes mimikatz functionality in the folder /py/secrets/ in the file system root, provided that the target is a supported Windows system. Functionality includes retrieval of hashes, passwords, Kerberos tickets and various other credentials.

Installation instructions:

  1. Ensure that a MemProcFS-supported version of 64-bit Python for Windows is on the system path (or specify it with the -pythonpath option when starting MemProcFS). NB! Embedded Python will not work with pypykatz, since it requires access to packages installed with pip.
  2. Install the pypykatz pip package, in the correct Python environment, by running: pip install dissect.cstruct pypykatz
  3. Install the pypykatz for MemProcFS plugin by copying all files from /files/plugins/pym_pypykatz to the corresponding folder in MemProcFS, overwriting any existing files there.
  4. Start MemProcFS.

Last updated: 2021-03-21

pypykatz regsecrets

Author:

Tamas Jos (@skelsec), info@skelsec.com, https://github.com/skelsec/

Overview:

regsecrets for MemProcFS exposes mimikatz functionality in the folder /py/regsecrets/ in the file system root, provided that the target is a supported Windows system. Functionality includes retrieval of NTLM hashes for local accounts, amongst other things.

Installation instructions:

  1. Ensure that a MemProcFS-supported version of 64-bit Python for Windows is on the system path (or specify it with the -pythonpath option when starting MemProcFS). NB! Embedded Python will not work with pypykatz and aiowinreg, since they require access to packages installed with pip.
  2. Install the pypykatz and aiowinreg pip packages, in the correct Python environment, by running: pip install pypykatz aiowinreg
  3. Install the pyregsecrets for MemProcFS plugin by copying all files from /files/plugins/pym_regsecrets to the corresponding folder in MemProcFS, overwriting any existing files there.
  4. Start MemProcFS.

Last updated: 2021-03-21
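
A preflight check for steps 1 and 2 of both installation procedures above, added here as an example and not part of this repository: run it with the interpreter MemProcFS will use to confirm it is 64-bit, is not an embedded distribution, and can import the pip packages each plugin needs. The function names and the `python*._pth` test for an embedded distribution are assumptions of this example.

```python
"""Preflight check for the pypykatz / regsecrets plugin prerequisites (added example)."""
import glob
import importlib.util
import os
import struct
import sys

# Packages named in the installation steps above, keyed by plugin.
REQUIRED = {
    "pypykatz": ["dissect.cstruct", "pypykatz"],
    "regsecrets": ["pypykatz", "aiowinreg"],
}

def has_module(name):
    """True if `name` is importable; a missing parent package counts as absent."""
    try:
        return importlib.util.find_spec(name) is not None
    except (ImportError, ValueError):
        return False

def missing_packages(names):
    """Return the subset of `names` that this interpreter cannot import."""
    return [n for n in names if not has_module(n)]

def is_64bit():
    """Pointer size in bits distinguishes 64-bit from 32-bit interpreters."""
    return struct.calcsize("P") * 8 == 64

def looks_embedded(exe_dir):
    """Heuristic (assumption): the Windows embeddable package ships a python*._pth file."""
    return bool(glob.glob(os.path.join(exe_dir, "python*._pth")))

def preflight(plugin):
    """Collect problems that would stop `plugin` from loading its pip dependencies."""
    problems = []
    if not is_64bit():
        problems.append("interpreter is not 64-bit")
    if looks_embedded(os.path.dirname(sys.executable)):
        problems.append("embedded Python detected; pip packages are unavailable")
    problems += ["missing package: " + n for n in missing_packages(REQUIRED[plugin])]
    return problems

if __name__ == "__main__":
    for plugin in REQUIRED:
        issues = preflight(plugin)
        print(plugin, "OK" if not issues else "; ".join(issues))
```

An empty problem list for a plugin means the interpreter meets that plugin's prerequisites; copying the plugin files (step 3) is not checked.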