metasploit-gs/modules/post/windows/gather/forensics/imager.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# Forensic byte-for-byte imaging of remote disks and volumes
#
# R. Wesley McGrew wesley@mcgrewsecurity.com
#    http://mcgrewsecurity.com
# Mississippi State University National Forensics Training Center
#    http://msu-nftc.org

require 'digest/md5'
require 'digest/sha1'

class MetasploitModule < Msf::Post

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Forensic Imaging',
        'Description' => %q{This module will perform byte-for-byte imaging of remote disks and volumes},
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => ['Wesley McGrew <wesley[at]mcgrewsecurity.com>'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        }
      )
    )
    register_options(
      [
        OptString.new('DEVICE', [true, 'Device to image (use enum_drives for possible names)', nil]),
        OptString.new('OUTFILE', [false, 'Output filename without extension', 'image']),
        OptInt.new('SPLIT', [false, 'Split image size, in bytes', 1610612736]),
        OptInt.new('BLOCKSIZE', [false, 'Block size, in bytes (multiples of 512)', 1048576]),
        OptInt.new('SKIP', [false, 'Skip this many blocks before beginning', 0]),
        OptInt.new('COUNT', [false, 'Image only this many blocks (0 - read till end)', 0])
      ]
    )
  end

  def run
    devname = datastore['DEVICE']
    base_filename = datastore['OUTFILE']
    split = datastore['SPLIT']
    block_size = datastore['BLOCKSIZE']
    skip = datastore['SKIP']
    num_to_read = datastore['COUNT']

    invalid_handle_value = 0xFFFFFFFF
    invalid_set_file_pointer = 0xFFFFFFFF
    fsctl_allow_extended_dasd_io = 0x00090083
    ioctl_disk_get_drive_geometry_ex = 0x000700A0

    r = client.railgun.kernel32.CreateFileA(devname, 'GENERIC_READ',
                                            0x3, nil, 'OPEN_EXISTING', 'FILE_ATTRIBUTE_READONLY', 0)
    handle = r['return']

    if handle == invalid_handle_value
      print_error("Could not open #{devname}")
      raise Rex::Script::Completed
    end

    r = client.railgun.kernel32.DeviceIoControl(handle, fsctl_allow_extended_dasd_io, nil, 0, 0, 0, 4, nil)

    ioctl = client.railgun.kernel32.DeviceIoControl(handle, ioctl_disk_get_drive_geometry_ex,
                                                    '', 0, 200, 200, 4, '')
    if ioctl['GetLastError'] == 6
      ioctl = client.railgun.kernel32.DeviceIoControl(handle, ioctl_disk_get_drive_geometry_ex,
                                                      '', 0, 200, 200, 4, '')
    end
    geometry = ioctl['lpOutBuffer']

    disk_size = geometry[24, 31].unpack('Q')[0]

    finished = false
    skip_counter = 0
    if num_to_read != 0
      count = 0
    end
    file_number = 1
    file_data_count = 0
    disk_bytes_count = 0
    fp = ::File.new('%s.%03i' % [base_filename, file_number], 'w')
    print_line("Started imaging #{devname} to %s.%03i" % [base_filename, file_number])

    md5_hash = Digest::MD5.new
    sha1_hash = Digest::SHA1.new

    while finished != true
      if skip_counter < skip
        print_line("Skipped #{block_size} bytes")
        r = client.railgun.kernel32.SetFilePointer(handle, block_size, 0, 1)
        if r['return'] == invalid_set_file_pointer && (r['GetLastError'] != 0)
          print_error('Skipped past the end of file?')
          raise Rex::Script::Completed
        end
        skip_counter += 1
        next
      end

      if (disk_size - disk_bytes_count) < block_size
        block_size = disk_size - disk_bytes_count
        finished = true
      end
      r = client.railgun.kernel32.ReadFile(handle, block_size, block_size, 4, nil)
      disk_bytes_count += block_size
      if disk_bytes_count == disk_size
        finished = true
      end

      data = r['lpBuffer'][0, r['lpNumberOfBytesRead']]

      if num_to_read != 0
        count += 1
        if count == num_to_read
          finished = true
        end
      end

      md5_hash << data
      sha1_hash << data

      fp.syswrite(data)
      file_data_count += data.length
      next unless file_data_count >= split

      fp.close
      next unless finished != true

      file_number += 1
      file_data_count = 0
      fp = ::File.new('%s.%03i' % [base_filename, file_number], 'w')
      print_line('...continuing with %s.%03i' % [base_filename, file_number])
    end
    fp.close

    print_line('Finished!')
    print_line("MD5  : #{md5_hash}")
    print_line("SHA1 : #{sha1_hash}")

    client.railgun.kernel32.CloseHandle(handle)
  end
end