Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Inherits:
Process
  • Object
show all
Includes:
ObjectAliasesContainer
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

Overview

This class implements the Rex::Post::Process interface.

Class Attribute Summary collapse

Instance Attribute Summary collapse

Attributes included from ObjectAliasesContainer

#aliases

Class Method Summary collapse

Instance Method Summary collapse

Methods included from ObjectAliasesContainer

#dump_alias_tree, #initialize_aliases, #method_missing

Methods inherited from Process

egid, egid=, euid, euid=, getresuid, gid, gid=, pid, ppid, setresuid, uid, uid=

Constructor Details

#initialize(pid, handle, channel = nil) ⇒ Process

Initializes the process instance and its aliases.


267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 267

def initialize(pid, handle, channel = nil)
  self.client  = self.class.client
  self.handle  = handle
  self.channel = channel

  # If the process identifier is zero, then we must lookup the current
  # process identifier
  if (pid == 0)
    self.pid = client.sys.process.getpid
  else
    self.pid = pid
  end

  initialize_aliases(
    {
      'image'  => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image.new(self),
      'io'     => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO.new(self),
      'memory' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory.new(self),
      'thread' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread.new(self),
    })

  ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.handle) )
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rex::Post::Meterpreter::ObjectAliasesContainer

Class Attribute Details

.clientObject

Returns the value of attribute client


37
38
39
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 37

def client
  @client
end

Instance Attribute Details

#channelObject

:nodoc:


344
345
346
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 344

def channel
  @channel
end

#clientObject

:nodoc:


344
345
346
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 344

def client
  @client
end

#handleObject

:nodoc:


344
345
346
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 344

def handle
  @handle
end

#pidObject

:nodoc:


344
345
346
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 344

def pid
  @pid
end

Class Method Details

.[](key) ⇒ Object

Returns the process identifier of the process supplied in key if it's valid.


44
45
46
47
48
49
50
51
52
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 44

def Process.[](key)
  each_process { |p|
    if (p['name'].downcase == key.downcase)
      return p['pid']
    end
  }

  return nil
end

._open(pid, perms, inherit = false) ⇒ Object

Low-level process open.


82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 82

def Process._open(pid, perms, inherit = false)
  request = Packet.create_request('stdapi_sys_process_attach')

  if (pid == nil)
    pid = 0
  end

  # Populate the request
  request.add_tlv(TLV_TYPE_PID, pid)
  request.add_tlv(TLV_TYPE_PROCESS_PERMS, perms)
  request.add_tlv(TLV_TYPE_INHERIT, inherit)

  # Transmit the request
  response = self.client.send_request(request)
  handle   = response.get_tlv_value(TLV_TYPE_HANDLE)

  # If the handle is valid, allocate a process instance and return it
  if (handle != nil)
    return self.new(pid, handle)
  end

  return nil
end

.close(client, handle) ⇒ Object

Closes the handle to the process that was opened.


312
313
314
315
316
317
318
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 312

def self.close(client, handle)
  request = Packet.create_request('stdapi_sys_process_close')
  request.add_tlv(TLV_TYPE_HANDLE, handle)
  response = client.send_request(request, nil)
  handle = nil;
  return true
end

.each_process(&block) ⇒ Object

Enumerates all of the elements in the array returned by get_processes.


210
211
212
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 210

def Process.each_process(&block)
  self.get_processes.each(&block)
end

.execute(path, arguments = nil, opts = nil) ⇒ Object

Executes an application using the arguments provided

Hash arguments supported:

Hidden      => true/false
Channelized => true/false
Suspended   => true/false
InMemory    => true/false

116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 116

def Process.execute(path, arguments = nil, opts = nil)
  request = Packet.create_request('stdapi_sys_process_execute')
  flags   = 0

  # If we were supplied optional arguments...
  if (opts != nil)
    if (opts['Hidden'])
      flags |= PROCESS_EXECUTE_FLAG_HIDDEN
    end
    if (opts['Channelized'])
      flags |= PROCESS_EXECUTE_FLAG_CHANNELIZED
    end
    if (opts['Suspended'])
      flags |= PROCESS_EXECUTE_FLAG_SUSPENDED
    end
    if (opts['UseThreadToken'])
      flags |= PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN
    end
    if (opts['Desktop'])
      flags |= PROCESS_EXECUTE_FLAG_DESKTOP
    end
    if (opts['Session'])
      flags |= PROCESS_EXECUTE_FLAG_SESSION
      request.add_tlv( TLV_TYPE_PROCESS_SESSION, opts['Session'] )
    end
    inmem = opts['InMemory']
    if inmem

      # add the file contents into the tlv
      f = ::File.new(path, 'rb')
      request.add_tlv(TLV_TYPE_VALUE_DATA, f.read(f.stat.size))
      f.close

      # replace the path with the "dummy"
      path = inmem.kind_of?(String) ? inmem : 'cmd'
    end
  end

  request.add_tlv(TLV_TYPE_PROCESS_PATH, client.unicode_filter_decode( path ));

  # If process arguments were supplied
  if (arguments != nil)
    request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, arguments);
  end

  request.add_tlv(TLV_TYPE_PROCESS_FLAGS, flags);

  response = client.send_request(request)

  # Get the response parameters
  pid        = response.get_tlv_value(TLV_TYPE_PID)
  handle     = response.get_tlv_value(TLV_TYPE_PROCESS_HANDLE)
  channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
  channel    = nil

  # If we were creating a channel out of this
  if (channel_id != nil)
    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client,
        channel_id, "stdapi_process", CHANNEL_FLAG_SYNCHRONOUS)
  end

  # Return a process instance
  return self.new(pid, handle, channel)
end

.finalize(client, handle) ⇒ Object


291
292
293
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 291

def self.finalize(client,handle)
  proc { self.close(client,handle) }
end

.get_processesObject

Returns a ProcessList of processes as Hash objects with keys for 'pid', 'ppid', 'name', 'path', 'user', 'session' and 'arch'.


218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 218

def Process.get_processes
  request   = Packet.create_request('stdapi_sys_process_get_processes')
  processes = ProcessList.new

  response = client.send_request(request)

  response.each(TLV_TYPE_PROCESS_GROUP) { |p|
  arch = ""

  pa = p.get_tlv_value( TLV_TYPE_PROCESS_ARCH )
  if( pa != nil )
    if pa == 1 # PROCESS_ARCH_X86
      arch = ARCH_X86
    elsif pa == 2 # PROCESS_ARCH_X64
      arch = ARCH_X86_64
    end
  end

  processes <<
      {
        'pid'      => p.get_tlv_value(TLV_TYPE_PID),
        'ppid'     => p.get_tlv_value(TLV_TYPE_PARENT_PID),
        'name'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_NAME) ),
        'path'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_PATH) ),
        'session'  => p.get_tlv_value(TLV_TYPE_PROCESS_SESSION),
        'user'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_USER_NAME) ),
        'arch'     => arch
      }
  }

  return processes
end

.getpidObject

Gets the process id that the remote side is executing under.


199
200
201
202
203
204
205
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 199

def Process.getpid
  request = Packet.create_request('stdapi_sys_process_getpid')

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_PID)
end

.kill(*args) ⇒ Object

Kills one or more processes.


184
185
186
187
188
189
190
191
192
193
194
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 184

def Process.kill(*args)
  request = Packet.create_request('stdapi_sys_process_kill')

  args.each { |id|
    request.add_tlv(TLV_TYPE_PID, id)
  }

  client.send_request(request)

  return true
end

.open(pid = nil, perms = nil) ⇒ Object

Attachs to the supplied process with a given set of permissions.


57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 57

def Process.open(pid = nil, perms = nil)
  real_perms = 0

  if (perms == nil)
    perms = PROCESS_ALL
  end

  if (perms & PROCESS_READ)
    real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
  end

  if (perms & PROCESS_WRITE)
    real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
  end

  if (perms & PROCESS_EXECUTE)
    real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
  end

  return _open(pid, real_perms)
end

.processesObject

An alias for get_processes.


254
255
256
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 254

def Process.processes
  self.get_processes
end

Instance Method Details

#close(handle = self.handle) ⇒ Object

Instance method


323
324
325
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 323

def close(handle=self.handle)
  self.class.close(self.client, handle)
end

#nameObject

Returns the executable name of the process.


298
299
300
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 298

def name
  return get_info()['name']
end

#pathObject

Returns the path to the process' executable.


305
306
307
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 305

def path
  return get_info()['path']
end

#wait(timeout = -1 )) ⇒ Object

Block until this process terminates on the remote side. By default we choose not to allow a packet responce timeout to occur as we may be waiting indefinatly for the process to terminate.


332
333
334
335
336
337
338
339
340
341
342
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 332

def wait( timeout = -1 )
  request = Packet.create_request('stdapi_sys_process_wait')

  request.add_tlv(TLV_TYPE_HANDLE, self.handle)

  response = self.client.send_request(request, timeout)

  self.handle = nil

  return true
end