Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Inherits:
Process
  • Object
show all
Includes:
ObjectAliasesContainer
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

Overview

This class implements the Rex::Post::Process interface.

Class Attribute Summary collapse

Instance Attribute Summary collapse

Attributes included from ObjectAliasesContainer

#aliases

Class Method Summary collapse

Instance Method Summary collapse

Methods included from ObjectAliasesContainer

#dump_alias_tree, #initialize_aliases, #method_missing

Methods inherited from Process

egid, egid=, euid, euid=, getresuid, gid, gid=, pid, ppid, setresuid, uid, uid=

Constructor Details

#initialize(pid, handle, channel = nil) ⇒ Process

Initializes the process instance and its aliases.



351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 351

def initialize(pid, handle, channel = nil)
  self.client  = self.class.client
  self.handle  = handle
  self.channel = channel

  # If the process identifier is zero, then we must lookup the current
  # process identifier
  if (pid == 0)
    self.pid = client.sys.process.getpid
  else
    self.pid = pid
  end

  initialize_aliases(
    {
      'image'  => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image.new(self),
      'io'     => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO.new(self),
      'memory' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory.new(self),
      'thread' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread.new(self),
    })

  # Ensure the remote object is closed when all references are removed
  ObjectSpace.define_finalizer(self, self.class.finalize(client, handle))
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rex::Post::Meterpreter::ObjectAliasesContainer

Class Attribute Details

.clientObject

Returns the value of attribute client.



37
38
39
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 37

def client
  @client
end

Instance Attribute Details

#channelObject

:nodoc:



444
445
446
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 444

def channel
  @channel
end

#clientObject

:nodoc:



444
445
446
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 444

def client
  @client
end

#handleObject

:nodoc:



444
445
446
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 444

def handle
  @handle
end

#pidObject

:nodoc:



444
445
446
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 444

def pid
  @pid
end

Class Method Details

.[](key) ⇒ Object

Returns the process identifier of the process supplied in key if it’s valid.



44
45
46
47
48
49
50
51
52
53
54
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 44

def Process.[](key)
  return if key.nil?

  each_process { |p|
    if (p['name'].downcase == key.downcase)
      return p['pid']
    end
  }

  return nil
end

._open(pid, perms, inherit = false) ⇒ Object

Low-level process open.



84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 84

def Process._open(pid, perms, inherit = false)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_ATTACH)

  if (pid == nil)
    pid = 0
  end

  # Populate the request
  request.add_tlv(TLV_TYPE_PID, pid)
  request.add_tlv(TLV_TYPE_PROCESS_PERMS, perms)
  request.add_tlv(TLV_TYPE_INHERIT, inherit)

  # Transmit the request
  response = self.client.send_request(request)
  handle   = response.get_tlv_value(TLV_TYPE_HANDLE)

  # If the handle is valid, allocate a process instance and return it
  if (handle != nil)
    return self.new(pid, handle)
  end

  return nil
end

.capture_output(path, arguments = '', opts = nil, time_out = 15) ⇒ Object

Execute an application and capture the output



221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 221

def Process.capture_output(path, arguments = '', opts = nil, time_out = 15)
  start = Time.now.to_i
  process = execute(path, arguments, opts)
  data = ""

  # Wait up to time_out seconds for the first bytes to arrive
  while (d = process.channel.read)
    data << d
    if d == ""
      if Time.now.to_i - start < time_out
        sleep 0.1
      else
        break
      end
    end
  end
  data.chomp! if data

  begin
    process.channel.close
  rescue IOError => e
    # Channel was already closed, but we got the cmd output, so let's soldier on.
  end
  process.close

  return data
end

.close(client, handle) ⇒ Object

Closes the handle to the process that was opened.



408
409
410
411
412
413
414
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 408

def self.close(client, handle)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_CLOSE)
  request.add_tlv(TLV_TYPE_HANDLE, handle)
  client.send_request(request, nil)
  handle = nil
  return true
end

.each_process(&block) ⇒ Object

Enumerates all of the elements in the array returned by get_processes.



278
279
280
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 278

def Process.each_process(&block)
  self.get_processes.each(&block)
end

.execute(path, arguments = '', opts = nil) ⇒ Object

Executes an application using the arguments provided

Parameters:

  • path (String)

    Path on the remote system to the executable to run

  • arguments (String, Array<String>) (defaults to: '')

    Arguments to the process. When passed as a String (rather than an array of Strings), this is treated as a string containing all arguments.

  • opts (Hash) (defaults to: nil)

    Optional settings to parameterise the process launch

  • Hidden (Hash)

    a customizable set of options

  • Channelized (Hash)

    a customizable set of options

  • Suspended (Hash)

    a customizable set of options

  • UseThreadToken (Hash)

    a customizable set of options

  • Desktop (Hash)

    a customizable set of options

  • Session (Hash)

    a customizable set of options

  • Subshell (Hash)

    a customizable set of options

  • Pty (Hash)

    a customizable set of options

  • ParentId (Hash)

    a customizable set of options

  • InMemory (Hash)

    a customizable set of options

  • :legacy_args (Hash)

    a customizable set of options



127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 127

def Process.execute(path, arguments = '', opts = nil)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_EXECUTE)
  flags   = 0

  # If we were supplied optional arguments...
  if (opts != nil)
    if (opts['Hidden'])
      flags |= PROCESS_EXECUTE_FLAG_HIDDEN
    end
    if (opts['Channelized'])
      flags |= PROCESS_EXECUTE_FLAG_CHANNELIZED
    end
    if (opts['Suspended'])
      flags |= PROCESS_EXECUTE_FLAG_SUSPENDED
    end
    if (opts['UseThreadToken'])
      flags |= PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN
    end
    if (opts['Desktop'])
      flags |= PROCESS_EXECUTE_FLAG_DESKTOP
    end
    if (opts['Session'])
      flags |= PROCESS_EXECUTE_FLAG_SESSION
      request.add_tlv( TLV_TYPE_PROCESS_SESSION, opts['Session'] )
    end
    if (opts['Subshell'])
      flags |= PROCESS_EXECUTE_FLAG_SUBSHELL
    end
    if (opts['Pty'])
      flags |= PROCESS_EXECUTE_FLAG_PTY
    end
    if (opts['ParentPid'])
      request.add_tlv(TLV_TYPE_PARENT_PID, opts['ParentPid']);
      request.add_tlv(TLV_TYPE_PROCESS_PERMS, PROCESS_ALL_ACCESS)
      request.add_tlv(TLV_TYPE_INHERIT, false)
    end
    inmem = opts['InMemory']
    if inmem

      # add the file contents into the tlv
      f = ::File.new(path, 'rb')
      request.add_tlv(TLV_TYPE_VALUE_DATA, f.read(f.stat.size))
      f.close

      # replace the path with the "dummy"
      path = inmem.kind_of?(String) ? inmem : 'cmd'
    end
  end

  # Add arguments
  # If process arguments were supplied
  if arguments.kind_of?(Array)
    request.add_tlv(TLV_TYPE_PROCESS_UNESCAPED_PATH, client.unicode_filter_decode( path ))
    # This flag is needed to disambiguate how to handle escaping special characters in the path when no arguments are provided
    flags |= PROCESS_EXECUTE_FLAG_ARG_ARRAY
    arguments.each do |arg|
      request.add_tlv(TLV_TYPE_PROCESS_ARGUMENT, arg);
    end
    if opts[:legacy_path]
      request.add_tlv(TLV_TYPE_PROCESS_PATH, opts[:legacy_path])
    end
    if opts[:legacy_args]
      request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, opts[:legacy_args])
    end
  elsif arguments.nil? || arguments.kind_of?(String)
    request.add_tlv(TLV_TYPE_PROCESS_PATH, client.unicode_filter_decode( path ))
    request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, arguments)
  else
    raise ArgumentError.new('Unknown type for arguments')
  end

  request.add_tlv(TLV_TYPE_PROCESS_FLAGS, flags);

  response = client.send_request(request)

  # Get the response parameters
  pid        = response.get_tlv_value(TLV_TYPE_PID)
  handle     = response.get_tlv_value(TLV_TYPE_PROCESS_HANDLE)
  channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
  channel    = nil

  # If we were creating a channel out of this
  if (channel_id != nil)
    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client,
        channel_id, "stdapi_process", CHANNEL_FLAG_SYNCHRONOUS, response)
  end

  # Return a process instance
  return self.new(pid, handle, channel)
end

.finalize(client, handle) ⇒ Object



376
377
378
379
380
381
382
383
384
385
386
387
388
389
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 376

def self.finalize(client, handle)
  proc do
    deferred_close_proc = proc do
      begin
        self.close(client, handle)
      rescue => e
        elog("finalize method for Process failed", error: e)
      end
    end

    # Schedule the finalizing logic out-of-band; as this logic might be called in the context of a Signal.trap, which can't synchronize mutexes
    client.framework.sessions.schedule(deferred_close_proc)
  end
end

.get_processesObject

Returns a ProcessList of processes as Hash objects with keys for ‘pid’, ‘ppid’, ‘name’, ‘path’, ‘user’, ‘session’ and ‘arch’.



286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 286

def Process.get_processes
  request   = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_PROCESSES)
  processes = ProcessList.new

  response = client.send_request(request)

  response.each(TLV_TYPE_PROCESS_GROUP) { |p|
  arch = ""

  pa = p.get_tlv_value(TLV_TYPE_PROCESS_ARCH)
  if !pa.nil?
    if pa == 1 # PROCESS_ARCH_X86
      arch = ARCH_X86
    elsif pa == 2 # PROCESS_ARCH_X64
      arch = ARCH_X64
    end
  else
    arch = p.get_tlv_value(TLV_TYPE_PROCESS_ARCH_NAME)
  end

  processes <<
      {
        'pid'      => p.get_tlv_value(TLV_TYPE_PID),
        'ppid'     => p.get_tlv_value(TLV_TYPE_PARENT_PID),
        'name'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_NAME) ),
        'path'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_PATH) ),
        'session'  => p.get_tlv_value(TLV_TYPE_PROCESS_SESSION),
        'user'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_USER_NAME) ),
        'arch'     => arch
      }
  }

  return processes
end

.getpidObject

Gets the process id that the remote side is executing under.



267
268
269
270
271
272
273
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 267

def Process.getpid
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GETPID)

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_PID)
end

.kill(*args) ⇒ Object

Kills one or more processes.



252
253
254
255
256
257
258
259
260
261
262
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 252

def Process.kill(*args)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_KILL)

  args.each { |id|
    request.add_tlv(TLV_TYPE_PID, id)
  }

  client.send_request(request)

  return true
end

.memory_search(pid: 0, needles: [''], min_match_length: 5, max_match_length: 127) ⇒ Object

Search memory for supplied regexes and return matches



331
332
333
334
335
336
337
338
339
340
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 331

def Process.memory_search(pid: 0, needles: [''], min_match_length: 5, max_match_length: 127)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_SEARCH)

  request.add_tlv(TLV_TYPE_PID, pid)
  needles.each { |needle| request.add_tlv(TLV_TYPE_MEMORY_SEARCH_NEEDLE, needle) }
  request.add_tlv(TLV_TYPE_MEMORY_SEARCH_MATCH_LEN, max_match_length)
  request.add_tlv(TLV_TYPE_UINT, min_match_length)

  self.client.send_request(request)
end

.open(pid = nil, perms = nil) ⇒ Object

Attaches to the supplied process with a given set of permissions.



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 59

def Process.open(pid = nil, perms = nil)
  real_perms = 0

  if (perms == nil)
    perms = PROCESS_ALL
  end

  if (perms & PROCESS_READ) > 0
    real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
  end

  if (perms & PROCESS_WRITE) > 0
    real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
  end

  if (perms & PROCESS_EXECUTE) > 0
    real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
  end

  return _open(pid, real_perms)
end

.processesObject

An alias for get_processes.



324
325
326
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 324

def Process.processes
  self.get_processes
end

Instance Method Details

#close(handle = self.handle) ⇒ Object

Instance method



419
420
421
422
423
424
425
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 419

def close(handle = self.handle)
  unless self.pid.nil?
    ObjectSpace.undefine_finalizer(self)
    self.class.close(self.client, handle)
    self.pid = nil
  end
end

#get_infoObject (protected)

Gathers information about the process and returns a hash.



451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 451

def get_info
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_INFO)
  info    = {}

  request.add_tlv(TLV_TYPE_HANDLE, handle)

  # Send the request
  response = client.send_request(request)

  # Populate the hash
  info['name'] = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_NAME) )
  info['path'] = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_PATH) )

  return info
end

#nameObject

Returns the executable name of the process.



394
395
396
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 394

def name
  return get_info()['name']
end

#pathObject

Returns the path to the process’ executable.



401
402
403
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 401

def path
  return get_info()['path']
end

#wait(timeout = -1 )) ⇒ Object

Block until this process terminates on the remote side. By default we choose not to allow a packet response timeout to occur as we may be waiting indefinatly for the process to terminate.



432
433
434
435
436
437
438
439
440
441
442
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 432

def wait( timeout = -1 )
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_WAIT)

  request.add_tlv(TLV_TYPE_HANDLE, self.handle)

  self.client.send_request(request, timeout)

  self.handle = nil

  return true
end