@@ -31,18 +31,15 @@ def on_admin_login(self, context, connection):
3131 if sid_directory .get_longname () and sid_directory .get_longname () not in self .false_positive :
3232
3333 # Extracts the username from the SID
34- if remote_ops ._RemoteOperations__rrp :
35- ans = rrp .hOpenLocalMachine (remote_ops ._RemoteOperations__rrp )
36- reg_handle = ans ["phKey" ]
37- ans = rrp .hBaseRegOpenKey (remote_ops ._RemoteOperations__rrp , reg_handle , f"SOFTWARE\\ Microsoft\\ Windows NT\\ CurrentVersion\\ ProfileList\\ { sid_directory .get_longname ()} " )
38- key_handle = ans ["phkResult" ]
39- username = profileimagepath = None
40- try :
41- _ , profileimagepath = rrp .hBaseRegQueryValue (remote_ops ._RemoteOperations__rrp , key_handle , "ProfileImagePath\x00 " )
42- # Get username and remove embedded null byte
43- username = profileimagepath .split ("\\ " )[- 1 ].replace ("\x00 " , "" )
44- except rrp .DCERPCSessionError as e :
45- context .log .debug (f"Couldn't get username from SID { e } on host { connection .host } " )
34+ reg_handle = rrp .hOpenLocalMachine (remote_ops ._RemoteOperations__rrp )["phKey" ]
35+ key_handle = rrp .hBaseRegOpenKey (remote_ops ._RemoteOperations__rrp , reg_handle , f"SOFTWARE\\ Microsoft\\ Windows NT\\ CurrentVersion\\ ProfileList\\ { sid_directory .get_longname ()} " )["phkResult" ]
36+ username = profileimagepath = None
37+ try :
38+ _ , profileimagepath = rrp .hBaseRegQueryValue (remote_ops ._RemoteOperations__rrp , key_handle , "ProfileImagePath\x00 " )
39+ # Get username and remove embedded null byte
40+ username = profileimagepath .split ("\\ " )[- 1 ].replace ("\x00 " , "" )
41+ except rrp .DCERPCSessionError as e :
42+ context .log .debug (f"Couldn't get username from SID { e } on host { connection .host } " )
4643
4744 # Lists for any file or directory in the recycle bin
4845 spider_folder = f"$Recycle.Bin\\ { sid_directory .get_longname ()} \\ "
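Review bot: The `rrp.hOpenLocalMachine(...)` and `rrp.hBaseRegOpenKey(...)` calls on new lines 34-35 sit outside the `try`, so a `DCERPCSessionError` raised by either is not caught by the `except rrp.DCERPCSessionError` below. A SID folder under `$Recycle.Bin` with no matching `ProfileList` key would presumably fail at the open call and abort the run for that host, rather than log at debug level and leave `username` as None; moving both calls under the existing `try:` keeps that failure on the logged path. The commit also drops the `if remote_ops._RemoteOperations__rrp:` guard, so unless the remote registry connection is now checked earlier in `on_admin_login` (which starts and ends outside this hunk), an unset handle is passed straight to `hOpenLocalMachine`. Neither handle is closed within the hunk; if nothing later does it, a `rrp.hBaseRegCloseKey(...)` on `key_handle` after the query would avoid leaving one open key per SID.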