Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Inherits:
Process
  • Object
Includes:
ObjectAliasesContainer
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

Overview

This class implements the Rex::Post::Process interface.

Class Attribute Summary

Instance Attribute Summary

Attributes included from ObjectAliasesContainer

#aliases

Class Method Summary

Instance Method Summary

Methods included from ObjectAliasesContainer

#dump_alias_tree, #initialize_aliases, #method_missing

Methods inherited from Process

egid, egid=, euid, euid=, getresuid, gid, gid=, pid, ppid, setresuid, uid, uid=

Constructor Details

#initialize(pid, handle, channel = nil) ⇒ Process

Initializes the process instance and its aliases.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 279

# Initializes the process instance and its subsystem aliases.
#
# @param pid [Integer] remote process identifier; 0 means "the process the
#   remote side itself is running in" and is resolved through getpid.
# @param handle [Object] remote process handle returned when the process was
#   opened or executed.
# @param channel [Object, nil] optional channel attached to the process.
def initialize(pid, handle, channel = nil)
  self.client  = self.class.client
  self.handle  = handle
  self.channel = channel

  # A zero pid is a request for the current process, so resolve it remotely.
  self.pid = (pid == 0) ? client.sys.process.getpid : pid

  subsystems = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem
  initialize_aliases(
    'image'  => subsystems::Image.new(self),
    'io'     => subsystems::IO.new(self),
    'memory' => subsystems::Memory.new(self),
    'thread' => subsystems::Thread.new(self)
  )

  # Release the remote handle once this object is garbage collected. The
  # finalizer proc is built on the class so it closes over client and handle
  # only, not over self.
  ObjectSpace.define_finalizer(self, self.class.finalize(client, handle))
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rex::Post::Meterpreter::ObjectAliasesContainer

Class Attribute Details

.clientObject

Returns the value of attribute client


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 37

# Reader for the class-level client attribute.
#
# @return [Object, nil] the Meterpreter client this class is bound to, or nil
#   when none has been assigned yet.
def client
  return @client
end

Instance Attribute Details

#channelObject

:nodoc:


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 361

# Reader for the channel attached to this process.
#
# @return [Object, nil] the channel passed to #initialize, or nil.
def channel
  return @channel
end

#clientObject

:nodoc:


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 361

# Reader for the client this process instance sends its requests through.
#
# @return [Object, nil] the Meterpreter client captured in #initialize, or nil.
def client
  return @client
end

#handleObject

:nodoc:


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 361

# Reader for the remote process handle.
#
# @return [Object, nil] the handle captured in #initialize; nil once #wait has
#   cleared it.
def handle
  return @handle
end

#pidObject

:nodoc:


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 361

# Reader for the remote process identifier.
#
# @return [Integer, nil] the pid resolved in #initialize; nil once #close has
#   released the process.
def pid
  return @pid
end

Class Method Details

.[](key) ⇒ Object

Returns the process identifier of the process supplied in key if it's valid.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 44

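# Returns the process identifier of the first process whose name matches key
# (compared case-insensitively), or nil when key is nil or nothing matches.
#
# @param key [String, nil] executable name to look up.
# @return [Integer, nil] the matching process id, or nil.
def Process.[](key)
  return if key.nil?

  # Downcase the key once instead of on every iteration.
  wanted = key.downcase

  each_process { |entry|
    name = entry['name']
    # An entry without a name cannot match; skipping it avoids a NoMethodError
    # on nil that would abort the whole lookup.
    next if name.nil?

    return entry['pid'] if name.downcase == wanted
  }

  nil
end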

._open(pid, perms, inherit = false) ⇒ Object

Low-level process open.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 84

# Low-level process open: sends a PROCESS_ATTACH request for pid carrying an
# already-translated native access mask.
#
# @param pid [Integer, nil] target process id; nil is sent as 0.
# @param perms [Integer] native access mask as produced by Process.open.
# @param inherit [Boolean] value sent as TLV_TYPE_INHERIT.
# @return [Process, nil] a process instance when the response carried a
#   handle, otherwise nil.
def Process._open(pid, perms, inherit = false)
  pid = 0 if pid.nil?

  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_ATTACH)
  request.add_tlv(TLV_TYPE_PID, pid)
  request.add_tlv(TLV_TYPE_PROCESS_PERMS, perms)
  request.add_tlv(TLV_TYPE_INHERIT, inherit)

  handle = client.send_request(request).get_tlv_value(TLV_TYPE_HANDLE)

  # No handle in the response means the attach did not succeed.
  handle.nil? ? nil : new(pid, handle)
end

.close(client, handle) ⇒ Object

Closes the handle to the process that was opened.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 325

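# Closes the remote handle to a process that was opened or executed.
#
# The previous body assigned nil to the local `handle` after sending the
# request; that assignment was dead code (the local is never read again) and
# has been dropped.
#
# @param client [Object] Meterpreter client to send the request through.
# @param handle [Object] remote process handle to release.
# @return [true] always; the response is not inspected.
def self.close(client, handle)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_CLOSE)
  request.add_tlv(TLV_TYPE_HANDLE, handle)
  # The second argument is the send timeout (see #wait); nil is passed here as
  # before. NOTE(review): what send_request does with a nil timeout is not
  # visible in this file — confirm.
  client.send_request(request, nil)
  true
end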

.each_process(&block) ⇒ Object

Enumerates all of the elements in the array returned by get_processes.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 220

# Yields each entry of get_processes in turn. When no block is given the
# result of calling each without a block on the ProcessList is returned
# (an Enumerator, assuming ProcessList behaves like an Array).
#
# @yieldparam process [Hash] one process entry as built by get_processes.
def Process.each_process(&block)
  get_processes.each(&block)
end

.execute(path, arguments = nil, opts = nil) ⇒ Object

Executes an application using the arguments provided

Hash arguments supported:

Hidden      => true/false
Channelized => true/false
Suspended   => true/false
InMemory    => true/false

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 118

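# Executes an application on the remote side using the supplied arguments.
#
# @param path [String] executable path sent as TLV_TYPE_PROCESS_PATH. With
#   'InMemory' it is instead the local file whose bytes are uploaded, and a
#   placeholder path is sent in its place.
# @param arguments [String, nil] sent as TLV_TYPE_PROCESS_ARGUMENTS when given.
# @param opts [Hash, nil] string-keyed options:
#   'Hidden', 'Channelized', 'Suspended', 'UseThreadToken', 'Desktop',
#   'Subshell' — each sets the PROCESS_EXECUTE_FLAG_* of the same name;
#   'Session'   — sets PROCESS_EXECUTE_FLAG_SESSION and sends the value as
#                 TLV_TYPE_PROCESS_SESSION;
#   'ParentPid' — sent as TLV_TYPE_PARENT_PID together with
#                 PROCESS_ALL_ACCESS perms and inherit = false;
#   'InMemory'  — true, or a String used as the placeholder path ('cmd' when
#                 not a String); the local file at `path` is read and sent as
#                 TLV_TYPE_VALUE_DATA.
# @return [Process] instance for the new process, carrying a StreamPool
#   channel when the response included a channel id.
def Process.execute(path, arguments = nil, opts = nil)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_EXECUTE)
  flags   = 0

  unless opts.nil?
    # Boolean options that map one-to-one onto execute flags.
    flags |= PROCESS_EXECUTE_FLAG_HIDDEN           if opts['Hidden']
    flags |= PROCESS_EXECUTE_FLAG_CHANNELIZED      if opts['Channelized']
    flags |= PROCESS_EXECUTE_FLAG_SUSPENDED        if opts['Suspended']
    flags |= PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN if opts['UseThreadToken']
    flags |= PROCESS_EXECUTE_FLAG_DESKTOP          if opts['Desktop']
    flags |= PROCESS_EXECUTE_FLAG_SUBSHELL         if opts['Subshell']

    if opts['Session']
      flags |= PROCESS_EXECUTE_FLAG_SESSION
      request.add_tlv(TLV_TYPE_PROCESS_SESSION, opts['Session'])
    end

    if opts['ParentPid']
      request.add_tlv(TLV_TYPE_PARENT_PID, opts['ParentPid'])
      request.add_tlv(TLV_TYPE_PROCESS_PERMS, PROCESS_ALL_ACCESS)
      request.add_tlv(TLV_TYPE_INHERIT, false)
    end

    inmem = opts['InMemory']
    if inmem
      # Ship the local file's bytes in the request. binread opens in binary
      # mode and always closes the file, even if reading raises; the former
      # File.new / read / close sequence leaked the descriptor on an exception.
      request.add_tlv(TLV_TYPE_VALUE_DATA, ::File.binread(path))

      # The remote side gets a placeholder path rather than the local one.
      path = inmem.kind_of?(String) ? inmem : 'cmd'
    end
  end

  request.add_tlv(TLV_TYPE_PROCESS_PATH, client.unicode_filter_decode(path))
  request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, arguments) unless arguments.nil?
  request.add_tlv(TLV_TYPE_PROCESS_FLAGS, flags)

  response = client.send_request(request)

  pid        = response.get_tlv_value(TLV_TYPE_PID)
  handle     = response.get_tlv_value(TLV_TYPE_PROCESS_HANDLE)
  channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)

  # A channel id is only present when the remote side created a channel for
  # this process; wrap it so the caller can use the process' stream.
  channel = nil
  unless channel_id.nil?
    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client,
        channel_id, "stdapi_process", CHANNEL_FLAG_SYNCHRONOUS, response)
  end

  new(pid, handle, channel)
end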

.finalize(client, handle) ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 304

# Builds the finalizer registered by #initialize.
#
# Defined on the class on purpose: the proc closes over client and handle
# only, never over the instance, so registering it does not keep the instance
# reachable. A proc rather than a lambda is used because ObjectSpace calls
# finalizers with the object id as an argument, which a zero-arity lambda
# would reject.
#
# @param client [Object] Meterpreter client to send the close through.
# @param handle [Object] remote process handle to release.
# @return [Proc] callable that releases the handle via Process.close.
def self.finalize(client, handle)
  proc { close(client, handle) }
end

.get_processesObject

Returns a ProcessList of processes as Hash objects with keys for 'pid', 'ppid', 'name', 'path', 'user', 'session' and 'arch'.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 228

# Returns a ProcessList of Hash entries, one per TLV_TYPE_PROCESS_GROUP in the
# response, with keys 'pid', 'ppid', 'name', 'path', 'session', 'user' and
# 'arch'.
#
# @return [ProcessList] the remote process table.
def Process.get_processes
  request   = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_PROCESSES)
  processes = ProcessList.new

  response = client.send_request(request)

  response.each(TLV_TYPE_PROCESS_GROUP) { |group|
    arch_code = group.get_tlv_value(TLV_TYPE_PROCESS_ARCH)

    # The architecture arrives either as a numeric code (1 = x86, 2 = x64,
    # anything else yields "") or, when that TLV is absent, as a name string.
    arch =
      if arch_code.nil?
        group.get_tlv_value(TLV_TYPE_PROCESS_ARCH_NAME)
      else
        case arch_code
        when 1 then ARCH_X86
        when 2 then ARCH_X64
        else ""
        end
      end

    processes << {
      'pid'      => group.get_tlv_value(TLV_TYPE_PID),
      'ppid'     => group.get_tlv_value(TLV_TYPE_PARENT_PID),
      'name'     => client.unicode_filter_encode(group.get_tlv_value(TLV_TYPE_PROCESS_NAME)),
      'path'     => client.unicode_filter_encode(group.get_tlv_value(TLV_TYPE_PROCESS_PATH)),
      'session'  => group.get_tlv_value(TLV_TYPE_PROCESS_SESSION),
      'user'     => client.unicode_filter_encode(group.get_tlv_value(TLV_TYPE_USER_NAME)),
      'arch'     => arch
    }
  }

  processes
end

.getpidObject

Gets the process id that the remote side is executing under.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 209

# Gets the process id that the remote side is executing under.
#
# @return [Integer, nil] the TLV_TYPE_PID value from the response.
def Process.getpid
  response = client.send_request(Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GETPID))
  response.get_tlv_value(TLV_TYPE_PID)
end

.kill(*args) ⇒ Object

Kills one or more processes.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 194

# Kills one or more remote processes in a single request.
#
# One TLV_TYPE_PID is added per argument; with no arguments the request is
# still sent, carrying no pid.
#
# @param args [Array<Integer>] process ids to terminate.
# @return [true] always; the response is not inspected.
def Process.kill(*args)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_KILL)
  args.each { |process_id| request.add_tlv(TLV_TYPE_PID, process_id) }

  client.send_request(request)
  true
end

.open(pid = nil, perms = nil) ⇒ Object

Attaches to the supplied process with a given set of permissions.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 59

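# Attaches to the supplied process with a given set of permissions.
#
# The coarse PROCESS_READ / PROCESS_WRITE / PROCESS_EXECUTE bits are
# translated into the native access rights sent to the remote side. Each bit
# is tested with `!= 0`: in Ruby every Integer, including 0, is truthy, so the
# former bare `if (perms & PROCESS_READ)` was always true and every attach
# request carried the full access mask regardless of what the caller asked
# for. The request now carries only the rights implied by perms, which is the
# least-privilege behaviour the signature promises.
#
# @param pid [Integer, nil] process to attach to; nil is passed through to
#   _open, which sends it as 0.
# @param perms [Integer, nil] bitmask of PROCESS_READ, PROCESS_WRITE and
#   PROCESS_EXECUTE; nil selects PROCESS_ALL.
# @return [Process, nil] the attached process, or nil when the attach failed.
def Process.open(pid = nil, perms = nil)
  perms = PROCESS_ALL if perms.nil?

  real_perms = 0
  if (perms & PROCESS_READ) != 0
    real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
  end
  if (perms & PROCESS_WRITE) != 0
    real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
  end
  if (perms & PROCESS_EXECUTE) != 0
    real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
  end

  _open(pid, real_perms)
end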

.processesObject

An alias for get_processes.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 266

# Alias for get_processes.
#
# @return [ProcessList] the remote process table.
def Process.processes
  get_processes
end

Instance Method Details

#close(handle = self.handle) ⇒ Object

Instance method


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 336

# Releases the remote handle for this process and marks the instance closed.
#
# Does nothing once pid is nil, so repeated calls are harmless.
#
# @param handle [Object] handle to close; defaults to this instance's handle.
# @return [nil]
def close(handle = self.handle)
  return if pid.nil?

  # Drop the GC hook first so the handle is not closed a second time when the
  # instance is collected.
  ObjectSpace.undefine_finalizer(self)
  self.class.close(client, handle)
  self.pid = nil
end

#get_infoObject (protected)

Gathers information about the process and returns a hash.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 368

# Queries the remote side for this process' name and path.
#
# @return [Hash{String => String}] keys 'name' and 'path', both passed
#   through client.unicode_filter_encode.
def get_info
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_INFO)
  request.add_tlv(TLV_TYPE_HANDLE, handle)

  response = client.send_request(request)

  {
    'name' => client.unicode_filter_encode(response.get_tlv_value(TLV_TYPE_PROCESS_NAME)),
    'path' => client.unicode_filter_encode(response.get_tlv_value(TLV_TYPE_PROCESS_PATH))
  }
end

#nameObject

Returns the executable name of the process.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 311

# Returns the executable name of the process, as reported by get_info.
#
# @return [String, nil] the 'name' entry of get_info.
def name
  get_info['name']
end

#pathObject

Returns the path to the process' executable.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 318

# Returns the path to the process' executable, as reported by get_info.
#
# @return [String, nil] the 'path' entry of get_info.
def path
  get_info['path']
end

#wait(timeout = -1) ⇒ Object

Blocks until this process terminates on the remote side. By default we choose not to allow a packet response timeout to occur, as we may be waiting indefinitely for the process to terminate.


# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 349

# Blocks until this process terminates on the remote side.
#
# @param timeout [Integer] passed straight to send_request; the default of -1
#   is used so the wait is not cut short by the usual packet response
#   timeout, since the process may run indefinitely.
# @return [true] always.
#
# NOTE(review): this clears self.handle but does not send a close. #close
# reads self.handle (now nil) while the finalizer registered in #initialize
# still holds the original handle — confirm that split is intended.
def wait(timeout = -1)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_WAIT)
  request.add_tlv(TLV_TYPE_HANDLE, handle)

  client.send_request(request, timeout)

  # Forget the handle once the process has exited.
  self.handle = nil

  true
end