Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Inherits:
Process
  • Object
show all
Includes:
ObjectAliasesContainer
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

Overview

This class implements the Rex::Post::Process interface.

Class Attribute Summary collapse

Instance Attribute Summary collapse

Attributes included from ObjectAliasesContainer

#aliases

Class Method Summary collapse

Instance Method Summary collapse

Methods included from ObjectAliasesContainer

#dump_alias_tree, #initialize_aliases, #method_missing

Methods inherited from Process

egid, egid=, euid, euid=, getresuid, gid, gid=, pid, ppid, setresuid, uid, uid=

Constructor Details

#initialize(pid, handle, channel = nil) ⇒ Process

Initializes the process instance and its aliases.


310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 310

def initialize(pid, handle, channel = nil)
  self.client  = self.class.client
  self.handle  = handle
  self.channel = channel

  # If the process identifier is zero, then we must lookup the current
  # process identifier
  if (pid == 0)
    self.pid = client.sys.process.getpid
  else
    self.pid = pid
  end

  initialize_aliases(
    {
      'image'  => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image.new(self),
      'io'     => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO.new(self),
      'memory' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory.new(self),
      'thread' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread.new(self),
    })

  # Ensure the remote object is closed when all references are removed
  ObjectSpace.define_finalizer(self, self.class.finalize(client, handle))
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rex::Post::Meterpreter::ObjectAliasesContainer

Class Attribute Details

.clientObject

Returns the value of attribute client


37
38
39
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 37

def client
  @client
end

Instance Attribute Details

#channelObject

:nodoc:


392
393
394
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 392

def channel
  @channel
end

#clientObject

:nodoc:


392
393
394
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 392

def client
  @client
end

#handleObject

:nodoc:


392
393
394
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 392

def handle
  @handle
end

#pidObject

:nodoc:


392
393
394
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 392

def pid
  @pid
end

Class Method Details

.[](key) ⇒ Object

Returns the process identifier of the process supplied in key if it's valid.


44
45
46
47
48
49
50
51
52
53
54
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 44

def Process.[](key)
  return if key.nil?

  each_process { |p|
    if (p['name'].downcase == key.downcase)
      return p['pid']
    end
  }

  return nil
end

._open(pid, perms, inherit = false) ⇒ Object

Low-level process open.


84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 84

def Process._open(pid, perms, inherit = false)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_ATTACH)

  if (pid == nil)
    pid = 0
  end

  # Populate the request
  request.add_tlv(TLV_TYPE_PID, pid)
  request.add_tlv(TLV_TYPE_PROCESS_PERMS, perms)
  request.add_tlv(TLV_TYPE_INHERIT, inherit)

  # Transmit the request
  response = self.client.send_request(request)
  handle   = response.get_tlv_value(TLV_TYPE_HANDLE)

  # If the handle is valid, allocate a process instance and return it
  if (handle != nil)
    return self.new(pid, handle)
  end

  return nil
end

.capture_output(path, arguments = nil, opts = nil, time_out = 15) ⇒ Object

Execute an application and capture the output


194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 194

def Process.capture_output(path, arguments = nil, opts = nil, time_out = 15)
  start = Time.now.to_i
  process = execute(path, arguments, opts)
  data = ""

  # Wait up to time_out seconds for the first bytes to arrive
  while (d = process.channel.read)
    data << d
    if d == ""
      if Time.now.to_i - start < time_out
        sleep 0.1
      else
        break
      end
    end
  end
  data.chomp! if data

  begin
    process.channel.close
  rescue IOError => e
    # Channel was already closed, but we got the cmd output, so let's soldier on.
  end
  process.close

  return data
end

.close(client, handle) ⇒ Object

Closes the handle to the process that was opened.


356
357
358
359
360
361
362
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 356

def self.close(client, handle)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_CLOSE)
  request.add_tlv(TLV_TYPE_HANDLE, handle)
  client.send_request(request, nil)
  handle = nil;
  return true
end

.each_process(&block) ⇒ Object

Enumerates all of the elements in the array returned by get_processes.


251
252
253
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 251

def Process.each_process(&block)
  self.get_processes.each(&block)
end

.execute(path, arguments = nil, opts = nil) ⇒ Object

Executes an application using the arguments provided

Hash arguments supported:

Hidden      => true/false
Channelized => true/false
Suspended   => true/false
InMemory    => true/false

118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 118

def Process.execute(path, arguments = nil, opts = nil)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_EXECUTE)
  flags   = 0

  # If we were supplied optional arguments...
  if (opts != nil)
    if (opts['Hidden'])
      flags |= PROCESS_EXECUTE_FLAG_HIDDEN
    end
    if (opts['Channelized'])
      flags |= PROCESS_EXECUTE_FLAG_CHANNELIZED
    end
    if (opts['Suspended'])
      flags |= PROCESS_EXECUTE_FLAG_SUSPENDED
    end
    if (opts['UseThreadToken'])
      flags |= PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN
    end
    if (opts['Desktop'])
      flags |= PROCESS_EXECUTE_FLAG_DESKTOP
    end
    if (opts['Session'])
      flags |= PROCESS_EXECUTE_FLAG_SESSION
      request.add_tlv( TLV_TYPE_PROCESS_SESSION, opts['Session'] )
    end
    if (opts['Subshell'])
      flags |= PROCESS_EXECUTE_FLAG_SUBSHELL
    end
    if (opts['ParentPid'])
      request.add_tlv(TLV_TYPE_PARENT_PID, opts['ParentPid']);
      request.add_tlv(TLV_TYPE_PROCESS_PERMS, PROCESS_ALL_ACCESS)
      request.add_tlv(TLV_TYPE_INHERIT, false)
    end
    inmem = opts['InMemory']
    if inmem

      # add the file contents into the tlv
      f = ::File.new(path, 'rb')
      request.add_tlv(TLV_TYPE_VALUE_DATA, f.read(f.stat.size))
      f.close

      # replace the path with the "dummy"
      path = inmem.kind_of?(String) ? inmem : 'cmd'
    end
  end

  request.add_tlv(TLV_TYPE_PROCESS_PATH, client.unicode_filter_decode( path ));

  # If process arguments were supplied
  if (arguments != nil)
    request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, arguments);
  end

  request.add_tlv(TLV_TYPE_PROCESS_FLAGS, flags);

  response = client.send_request(request)

  # Get the response parameters
  pid        = response.get_tlv_value(TLV_TYPE_PID)
  handle     = response.get_tlv_value(TLV_TYPE_PROCESS_HANDLE)
  channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
  channel    = nil

  # If we were creating a channel out of this
  if (channel_id != nil)
    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client,
        channel_id, "stdapi_process", CHANNEL_FLAG_SYNCHRONOUS, response)
  end

  # Return a process instance
  return self.new(pid, handle, channel)
end

.finalize(client, handle) ⇒ Object


335
336
337
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 335

def self.finalize(client, handle)
  proc { self.close(client, handle) }
end

.get_processesObject

Returns a ProcessList of processes as Hash objects with keys for 'pid', 'ppid', 'name', 'path', 'user', 'session' and 'arch'.


259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 259

def Process.get_processes
  request   = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_PROCESSES)
  processes = ProcessList.new

  response = client.send_request(request)

  response.each(TLV_TYPE_PROCESS_GROUP) { |p|
  arch = ""

  pa = p.get_tlv_value(TLV_TYPE_PROCESS_ARCH)
  if !pa.nil?
    if pa == 1 # PROCESS_ARCH_X86
      arch = ARCH_X86
    elsif pa == 2 # PROCESS_ARCH_X64
      arch = ARCH_X64
    end
  else
    arch = p.get_tlv_value(TLV_TYPE_PROCESS_ARCH_NAME)
  end

  processes <<
      {
        'pid'      => p.get_tlv_value(TLV_TYPE_PID),
        'ppid'     => p.get_tlv_value(TLV_TYPE_PARENT_PID),
        'name'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_NAME) ),
        'path'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_PATH) ),
        'session'  => p.get_tlv_value(TLV_TYPE_PROCESS_SESSION),
        'user'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_USER_NAME) ),
        'arch'     => arch
      }
  }

  return processes
end

.getpidObject

Gets the process id that the remote side is executing under.


240
241
242
243
244
245
246
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 240

def Process.getpid
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GETPID)

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_PID)
end

.kill(*args) ⇒ Object

Kills one or more processes.


225
226
227
228
229
230
231
232
233
234
235
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 225

def Process.kill(*args)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_KILL)

  args.each { |id|
    request.add_tlv(TLV_TYPE_PID, id)
  }

  client.send_request(request)

  return true
end

.open(pid = nil, perms = nil) ⇒ Object

Attachs to the supplied process with a given set of permissions.


59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 59

def Process.open(pid = nil, perms = nil)
  real_perms = 0

  if (perms == nil)
    perms = PROCESS_ALL
  end

  if (perms & PROCESS_READ)
    real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
  end

  if (perms & PROCESS_WRITE)
    real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
  end

  if (perms & PROCESS_EXECUTE)
    real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
  end

  return _open(pid, real_perms)
end

.processesObject

An alias for get_processes.


297
298
299
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 297

def Process.processes
  self.get_processes
end

Instance Method Details

#close(handle = self.handle) ⇒ Object

Instance method


367
368
369
370
371
372
373
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 367

def close(handle = self.handle)
  unless self.pid.nil?
    ObjectSpace.undefine_finalizer(self)
    self.class.close(self.client, handle)
    self.pid = nil
  end
end

#get_infoObject (protected)

Gathers information about the process and returns a hash.


399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 399

def get_info
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_INFO)
  info    = {}

  request.add_tlv(TLV_TYPE_HANDLE, handle)

  # Send the request
  response = client.send_request(request)

  # Populate the hash
  info['name'] = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_NAME) )
  info['path'] = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_PATH) )

  return info
end

#nameObject

Returns the executable name of the process.


342
343
344
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 342

def name
  return get_info()['name']
end

#pathObject

Returns the path to the process' executable.


349
350
351
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 349

def path
  return get_info()['path']
end

#wait(timeout = -1 )) ⇒ Object

Block until this process terminates on the remote side. By default we choose not to allow a packet responce timeout to occur as we may be waiting indefinatly for the process to terminate.


380
381
382
383
384
385
386
387
388
389
390
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 380

def wait( timeout = -1 )
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_WAIT)

  request.add_tlv(TLV_TYPE_HANDLE, self.handle)

  self.client.send_request(request, timeout)

  self.handle = nil

  return true
end