Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Inherits:

Process

• Object
• Process
• Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Includes:

ObjectAliasesContainer

Defined in:

lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

Overview

This class implements the Rex::Post::Process interface.

Class Attribute Summary

• .client ⇒ Object

  Returns the value of attribute client.

Instance Attribute Summary

• #channel ⇒ Object readonly

  :nodoc:.

• #client ⇒ Object readonly

  :nodoc:.

• #handle ⇒ Object readonly

  :nodoc:.

• #pid ⇒ Object readonly

  :nodoc:.

Attributes included from ObjectAliasesContainer

#aliases

Class Method Summary

• .[](key) ⇒ Object

  Returns the process identifier of the process supplied in key if it’s valid.

• ._open(pid, perms, inherit = false) ⇒ Object

  Low-level process open.

• .close(client, handle) ⇒ Object

  Closes the handle to the process that was opened.

• .each_process(&block) ⇒ Object

  Enumerates all of the elements in the array returned by get_processes.

• .execute(path, arguments = nil, opts = nil) ⇒ Object

  Executes an application using the arguments provided.

• .finalize(client, handle) ⇒ Object
• .get_processes ⇒ Object

  Returns a ProcessList of processes as Hash objects with keys for ‘pid’, ‘ppid’, ‘name’, ‘path’, ‘user’, ‘session’ and ‘arch’.

• .getpid ⇒ Object

  Gets the process id that the remote side is executing under.

• .kill(*args) ⇒ Object

  Kills one or more processes.

• .open(pid = nil, perms = nil) ⇒ Object

  Attachs to the supplied process with a given set of permissions.

• .processes ⇒ Object

  An alias for get_processes.

Instance Method Summary

• #close(handle = self.handle) ⇒ Object

  Instance method.

• #initialize(pid, handle, channel = nil) ⇒ Process constructor

  Initializes the process instance and its aliases.

• #name ⇒ Object

  Returns the executable name of the process.

• #path ⇒ Object

  Returns the path to the process’ executable.

• #wait(timeout = -1 )) ⇒ Object

  Block until this process terminates on the remote side.

Methods included from ObjectAliasesContainer

#dump_alias_tree, #initialize_aliases, #method_missing

Methods inherited from Process

egid, egid=, euid, euid=, getresuid, gid, gid=, pid, ppid, setresuid, uid, uid=

Constructor Details

#initialize(pid, handle, channel = nil) ⇒ Process

Initializes the process instance and its aliases.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 268

def initialize(pid, handle, channel = nil)
  self.client  = self.class.client
  self.handle  = handle
  self.channel = channel

  # If the process identifier is zero, then we must lookup the current
  # process identifier
  if (pid == 0)
    self.pid = client.sys.process.getpid
  else
    self.pid = pid
  end

  initialize_aliases(
    {
      'image'  => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image.new(self),
      'io'     => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO.new(self),
      'memory' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory.new(self),
      'thread' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread.new(self),
    })

  ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.handle) )
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rex::Post::Meterpreter::ObjectAliasesContainer

Class Attribute Details

.client ⇒ Object

Returns the value of attribute client.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 38

def client
  @client
end

Instance Attribute Details

#channel ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 345

def channel
  @channel
end

#client ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 345

def client
  @client
end

#handle ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 345

def handle
  @handle
end

#pid ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 345

def pid
  @pid
end

Class Method Details

.[](key) ⇒ Object

Returns the process identifier of the process supplied in key if it’s valid.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 45

def Process.[](key)
  each_process { |p|
    if (p['name'].downcase == key.downcase)
      return p['pid']
    end
  }

  return nil
end

._open(pid, perms, inherit = false) ⇒ Object

Low-level process open.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 83

def Process._open(pid, perms, inherit = false)
  request = Packet.create_request('stdapi_sys_process_attach')

  if (pid == nil)
    pid = 0
  end

  # Populate the request
  request.add_tlv(TLV_TYPE_PID, pid)
  request.add_tlv(TLV_TYPE_PROCESS_PERMS, perms)
  request.add_tlv(TLV_TYPE_INHERIT, inherit)

  # Transmit the request
  response = self.client.send_request(request)
  handle   = response.get_tlv_value(TLV_TYPE_HANDLE)

  # If the handle is valid, allocate a process instance and return it
  if (handle != nil)
    return self.new(pid, handle)
  end

  return nil
end

.close(client, handle) ⇒ Object

Closes the handle to the process that was opened.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 313

def self.close(client, handle)
  request = Packet.create_request('stdapi_sys_process_close')
  request.add_tlv(TLV_TYPE_HANDLE, handle)
  response = client.send_request(request, nil)
  handle = nil;
  return true
end

.each_process(&block) ⇒ Object

Enumerates all of the elements in the array returned by get_processes.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 211

def Process.each_process(&block)
  self.get_processes.each(&block)
end

.execute(path, arguments = nil, opts = nil) ⇒ Object

Executes an application using the arguments provided

Hash arguments supported:

Hidden      => true/false
Channelized => true/false
Suspended   => true/false
InMemory    => true/false

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 117

def Process.execute(path, arguments = nil, opts = nil)
  request = Packet.create_request('stdapi_sys_process_execute')
  flags   = 0

  # If we were supplied optional arguments...
  if (opts != nil)
    if (opts['Hidden'])
      flags |= PROCESS_EXECUTE_FLAG_HIDDEN
    end
    if (opts['Channelized'])
      flags |= PROCESS_EXECUTE_FLAG_CHANNELIZED
    end
    if (opts['Suspended'])
      flags |= PROCESS_EXECUTE_FLAG_SUSPENDED
    end
    if (opts['UseThreadToken'])
      flags |= PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN
    end
    if (opts['Desktop'])
      flags |= PROCESS_EXECUTE_FLAG_DESKTOP
    end
    if (opts['Session'])
      flags |= PROCESS_EXECUTE_FLAG_SESSION
      request.add_tlv( TLV_TYPE_PROCESS_SESSION, opts['Session'] )
    end
    inmem = opts['InMemory']
    if inmem

      # add the file contents into the tlv
      f = ::File.new(path, 'rb')
      request.add_tlv(TLV_TYPE_VALUE_DATA, f.read(f.stat.size))
      f.close

      # replace the path with the "dummy"
      path = inmem.kind_of?(String) ? inmem : 'cmd'
    end
  end

  request.add_tlv(TLV_TYPE_PROCESS_PATH, client.unicode_filter_decode( path ));

  # If process arguments were supplied
  if (arguments != nil)
    request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, arguments);
  end

  request.add_tlv(TLV_TYPE_PROCESS_FLAGS, flags);

  response = client.send_request(request)

  # Get the response parameters
  pid        = response.get_tlv_value(TLV_TYPE_PID)
  handle     = response.get_tlv_value(TLV_TYPE_PROCESS_HANDLE)
  channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
  channel    = nil

  # If we were creating a channel out of this
  if (channel_id != nil)
    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client,
        channel_id, "stdapi_process", CHANNEL_FLAG_SYNCHRONOUS)
  end

  # Return a process instance
  return self.new(pid, handle, channel)
end

.finalize(client, handle) ⇒ Object

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 292

def self.finalize(client,handle)
  proc { self.close(client,handle) }
end

.get_processes ⇒ Object

Returns a ProcessList of processes as Hash objects with keys for ‘pid’, ‘ppid’, ‘name’, ‘path’, ‘user’, ‘session’ and ‘arch’.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 219

def Process.get_processes
  request   = Packet.create_request('stdapi_sys_process_get_processes')
  processes = ProcessList.new

  response = client.send_request(request)

  response.each(TLV_TYPE_PROCESS_GROUP) { |p|
  arch = ""

  pa = p.get_tlv_value( TLV_TYPE_PROCESS_ARCH )
  if( pa != nil )
    if pa == 1 # PROCESS_ARCH_X86
      arch = ARCH_X86
    elsif pa == 2 # PROCESS_ARCH_X64
      arch = ARCH_X86_64
    end
  end

  processes <<
      {
        'pid'      => p.get_tlv_value(TLV_TYPE_PID),
        'ppid'     => p.get_tlv_value(TLV_TYPE_PARENT_PID),
        'name'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_NAME) ),
        'path'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_PATH) ),
        'session'  => p.get_tlv_value(TLV_TYPE_PROCESS_SESSION),
        'user'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_USER_NAME) ),
        'arch'     => arch
      }
  }

  return processes
end

.getpid ⇒ Object

Gets the process id that the remote side is executing under.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 200

def Process.getpid
  request = Packet.create_request('stdapi_sys_process_getpid')

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_PID)
end

.kill(*args) ⇒ Object

Kills one or more processes.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 185

def Process.kill(*args)
  request = Packet.create_request('stdapi_sys_process_kill')

  args.each { |id|
    request.add_tlv(TLV_TYPE_PID, id)
  }

  client.send_request(request)

  return true
end

.open(pid = nil, perms = nil) ⇒ Object

Attachs to the supplied process with a given set of permissions.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 58

def Process.open(pid = nil, perms = nil)
  real_perms = 0

  if (perms == nil)
    perms = PROCESS_ALL
  end

  if (perms & PROCESS_READ)
    real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
  end

  if (perms & PROCESS_WRITE)
    real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
  end

  if (perms & PROCESS_EXECUTE)
    real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
  end

  return _open(pid, real_perms)
end

.processes ⇒ Object

An alias for get_processes.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 255

def Process.processes
  self.get_processes
end

Instance Method Details

#close(handle = self.handle) ⇒ Object

Instance method

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 324

def close(handle=self.handle)
  self.class.close(self.client, handle)
end

#name ⇒ Object

Returns the executable name of the process.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 299

def name
  return get_info()['name']
end

#path ⇒ Object

Returns the path to the process’ executable.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 306

def path
  return get_info()['path']
end

#wait(timeout = -1 )) ⇒ Object

Block until this process terminates on the remote side. By default we choose not to allow a packet responce timeout to occur as we may be waiting indefinatly for the process to terminate.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 333

def wait( timeout = -1 )
  request = Packet.create_request('stdapi_sys_process_wait')

  request.add_tlv(TLV_TYPE_HANDLE, self.handle)

  response = self.client.send_request(request, timeout)

  self.handle = nil

  return true
end