sshmitm.plugins.powershell.log_session module

PSRP session logging forwarder.

Parses the PowerShell Remoting Protocol (PSRP) stream on-the-fly and logs each message type together with key fields (command names, output, error records, state transitions). The raw byte stream is forwarded unchanged.

PSRP over SSH uses a text-based framing (MS-PSRP §2.2.4 SSH transport):

<Data Stream='Default' PSGuid='…'>BASE64</Data>

Each element’s base64 content decodes to a binary PSRP fragment:

ObjectId     8 bytes    big-endian uint64
FragmentId   8 bytes    big-endian uint64
Flags        1 byte     bit 0 = start fragment, bit 1 = end fragment
BlobLength   4 bytes    big-endian uint32
Blob         variable   (part of the PSRP message)

Multiple fragments with the same ObjectId are reassembled into a PSRP message. Each message starts with a 40-byte header followed by CLIXML.
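The framing and reassembly steps above, as an added stand-alone example that is not the plugin's own code: a parser for the <Data> transport elements and the binary fragment header, a reassembler that tolerates elements split across SSH reads, and a sender-side encoder used to build the constructed sample. The zero-filled 40-byte header, the all-zero PSGuid and the sample CLIXML body are placeholders assumed here, not values from the page.

```python
import base64
import re
import struct
# <Data Stream='...' PSGuid='...'>BASE64</Data> framing of the MS-PSRP SSH transport.
DATA_RE = re.compile(rb"<Data Stream='([^']*)' PSGuid='([^']*)'>([A-Za-z0-9+/=]*)</Data>")
FRAG_HDR = struct.Struct(">QQBI")  # ObjectId, FragmentId, Flags, BlobLength (big-endian)
PSRP_HEADER_LEN = 40               # fixed message header that precedes the CLIXML body
START, END = 0x1, 0x2              # Flags bit 0 = start fragment, bit 1 = end fragment
SAMPLE_CLIXML = b'<Obj RefId="0"><S>Get-Process</S></Obj>'   # constructed sample body
SAMPLE_MESSAGE = b"\x00" * PSRP_HEADER_LEN + SAMPLE_CLIXML   # zero-filled placeholder header

def parse_fragment(buf):
    """Decode one binary fragment into (object_id, fragment_id, flags, blob)."""
    object_id, fragment_id, flags, blob_len = FRAG_HDR.unpack_from(buf, 0)
    blob = buf[FRAG_HDR.size:FRAG_HDR.size + blob_len]
    if len(blob) != blob_len:
        raise ValueError("truncated fragment: expected %d blob bytes" % blob_len)
    return object_id, fragment_id, flags, blob

class FragmentReassembler:
    def __init__(self):
        self._buf = b""     # incomplete <Data> element carried over between feeds
        self._partial = {}  # object_id -> [next expected fragment_id, bytearray]
    def feed(self, data):
        """Consume a chunk of the SSH stream; return [(stream, clixml), ...] completed by it."""
        self._buf += data
        done, consumed = [], 0
        for m in DATA_RE.finditer(self._buf):
            object_id, fragment_id, flags, blob = parse_fragment(base64.b64decode(m.group(3)))
            if flags & START:
                self._partial[object_id] = [0, bytearray()]
            entry = self._partial.get(object_id)
            if entry is not None and entry[0] == fragment_id:  # unknown/out-of-order: ignore
                entry[0] += 1
                entry[1] += blob
                if flags & END:
                    message = bytes(self._partial.pop(object_id)[1])
                    done.append((m.group(1).decode(), message[PSRP_HEADER_LEN:]))
            consumed = m.end()
        self._buf = self._buf[consumed:]
        return done

def build_transport(object_id, message, chunk_size, stream=b"Default"):
    """Sender side: split a full message (40-byte header + CLIXML) into <Data> elements."""
    out, n = b"", len(message)
    for idx, off in enumerate(range(0, n, chunk_size)):
        flags = (START if off == 0 else 0) | (END if off + chunk_size >= n else 0)
        frag = FRAG_HDR.pack(object_id, idx, flags, min(chunk_size, n - off)) + message[off:off + chunk_size]
        out += b"<Data Stream='" + stream + b"' PSGuid='00000000-0000-0000-0000-000000000000'>" + base64.b64encode(frag) + b"</Data>"
    return out
```

A real logger would next parse the 40-byte header to learn the message type before deciding whether the CLIXML body is logged at INFO or DEBUG.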

class sshmitm.plugins.powershell.log_session.PSRPLoggingForwarder(session)

Bases: PowerShellForwarder

Logs PSRP messages (commands, output, errors) while relaying the stream unchanged.

Parses the PowerShell Remoting Protocol stream on-the-fly and logs each message type together with key fields such as command names, pipeline output, error records, and state transitions. The raw byte stream is forwarded to the remote host unchanged — this plugin is fully transparent to both client and server.

Optionally writes a structured per-session transcript to a file.

Usage example

ssh-mitm server --powershell-interface log-session

To save a transcript to a directory:

ssh-mitm server --powershell-interface log-session \
    --psrp-transcript-dir /tmp/psrp-transcripts/

Notes

  • High-level message types (CreatePipeline, PipelineState, ErrorRecord, etc.) are logged at INFO level; all others at DEBUG.

  • Transcript files are named <session-id>.log and written into the configured directory, falling back to the session log directory.

Parameters:

session (Session)

__init__(session)

Initializes per-direction PSRP stream parsers and opens the transcript file.

Parameters:

session (Session) – the active SSH session being intercepted.

forward()

Forwards data between the client and the server.

Return type:

None

handle_client_data(data)
Parameters:

data (bytes)

Return type:

bytes

handle_server_data(data)
Parameters:

data (bytes)

Return type:

bytes

classmethod parser_arguments()
Return type:

None