Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Inherits:
Process
  • Object
show all
Includes:
ObjectAliasesContainer
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

Overview

This class implements the Rex::Post::Process interface.

Class Attribute Summary collapse

Instance Attribute Summary collapse

Attributes included from ObjectAliasesContainer

#aliases

Class Method Summary collapse

Instance Method Summary collapse

Methods included from ObjectAliasesContainer

#dump_alias_tree, #initialize_aliases, #method_missing

Methods inherited from Process

egid, egid=, euid, euid=, getresuid, gid, gid=, pid, ppid, setresuid, uid, uid=

Constructor Details

#initialize(pid, handle, channel = nil) ⇒ Process

Initializes the process instance and its aliases.



327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 327

def initialize(pid, handle, channel = nil)
  self.client  = self.class.client
  self.handle  = handle
  self.channel = channel

  # If the process identifier is zero, then we must lookup the current
  # process identifier
  if (pid == 0)
    self.pid = client.sys.process.getpid
  else
    self.pid = pid
  end

  initialize_aliases(
    {
      'image'  => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image.new(self),
      'io'     => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO.new(self),
      'memory' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory.new(self),
      'thread' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread.new(self),
    })

  # Ensure the remote object is closed when all references are removed
  ObjectSpace.define_finalizer(self, self.class.finalize(client, handle))
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rex::Post::Meterpreter::ObjectAliasesContainer

Class Attribute Details

.clientObject

Returns the value of attribute client.



37
38
39
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 37

def client
  @client
end

Instance Attribute Details

#channelObject

:nodoc:



420
421
422
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 420

def channel
  @channel
end

#clientObject

:nodoc:



420
421
422
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 420

def client
  @client
end

#handleObject

:nodoc:



420
421
422
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 420

def handle
  @handle
end

#pidObject

:nodoc:



420
421
422
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 420

def pid
  @pid
end

Class Method Details

.[](key) ⇒ Object

Returns the process identifier of the process supplied in key if it's valid.



44
45
46
47
48
49
50
51
52
53
54
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 44

def Process.[](key)
  return if key.nil?

  each_process { |p|
    if (p['name'].downcase == key.downcase)
      return p['pid']
    end
  }

  return nil
end

._open(pid, perms, inherit = false) ⇒ Object

Low-level process open.



84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 84

def Process._open(pid, perms, inherit = false)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_ATTACH)

  if (pid == nil)
    pid = 0
  end

  # Populate the request
  request.add_tlv(TLV_TYPE_PID, pid)
  request.add_tlv(TLV_TYPE_PROCESS_PERMS, perms)
  request.add_tlv(TLV_TYPE_INHERIT, inherit)

  # Transmit the request
  response = self.client.send_request(request)
  handle   = response.get_tlv_value(TLV_TYPE_HANDLE)

  # If the handle is valid, allocate a process instance and return it
  if (handle != nil)
    return self.new(pid, handle)
  end

  return nil
end

.capture_output(path, arguments = nil, opts = nil, time_out = 15) ⇒ Object

Execute an application and capture the output



197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 197

def Process.capture_output(path, arguments = nil, opts = nil, time_out = 15)
  start = Time.now.to_i
  process = execute(path, arguments, opts)
  data = ""

  # Wait up to time_out seconds for the first bytes to arrive
  while (d = process.channel.read)
    data << d
    if d == ""
      if Time.now.to_i - start < time_out
        sleep 0.1
      else
        break
      end
    end
  end
  data.chomp! if data

  begin
    process.channel.close
  rescue IOError => e
    # Channel was already closed, but we got the cmd output, so let's soldier on.
  end
  process.close

  return data
end

.close(client, handle) ⇒ Object

Closes the handle to the process that was opened.



384
385
386
387
388
389
390
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 384

def self.close(client, handle)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_CLOSE)
  request.add_tlv(TLV_TYPE_HANDLE, handle)
  client.send_request(request, nil)
  handle = nil
  return true
end

.each_process(&block) ⇒ Object

Enumerates all of the elements in the array returned by get_processes.



254
255
256
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 254

def Process.each_process(&block)
  self.get_processes.each(&block)
end

.execute(path, arguments = nil, opts = nil) ⇒ Object

Executes an application using the arguments provided

Hash arguments supported:

Hidden      => true/false
Channelized => true/false
Suspended   => true/false
InMemory    => true/false


118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 118

def Process.execute(path, arguments = nil, opts = nil)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_EXECUTE)
  flags   = 0

  # If we were supplied optional arguments...
  if (opts != nil)
    if (opts['Hidden'])
      flags |= PROCESS_EXECUTE_FLAG_HIDDEN
    end
    if (opts['Channelized'])
      flags |= PROCESS_EXECUTE_FLAG_CHANNELIZED
    end
    if (opts['Suspended'])
      flags |= PROCESS_EXECUTE_FLAG_SUSPENDED
    end
    if (opts['UseThreadToken'])
      flags |= PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN
    end
    if (opts['Desktop'])
      flags |= PROCESS_EXECUTE_FLAG_DESKTOP
    end
    if (opts['Session'])
      flags |= PROCESS_EXECUTE_FLAG_SESSION
      request.add_tlv( TLV_TYPE_PROCESS_SESSION, opts['Session'] )
    end
    if (opts['Subshell'])
      flags |= PROCESS_EXECUTE_FLAG_SUBSHELL
    end
    if (opts['Pty'])
      flags |= PROCESS_EXECUTE_FLAG_PTY
    end
    if (opts['ParentPid'])
      request.add_tlv(TLV_TYPE_PARENT_PID, opts['ParentPid']);
      request.add_tlv(TLV_TYPE_PROCESS_PERMS, PROCESS_ALL_ACCESS)
      request.add_tlv(TLV_TYPE_INHERIT, false)
    end
    inmem = opts['InMemory']
    if inmem

      # add the file contents into the tlv
      f = ::File.new(path, 'rb')
      request.add_tlv(TLV_TYPE_VALUE_DATA, f.read(f.stat.size))
      f.close

      # replace the path with the "dummy"
      path = inmem.kind_of?(String) ? inmem : 'cmd'
    end
  end

  request.add_tlv(TLV_TYPE_PROCESS_PATH, client.unicode_filter_decode( path ));

  # If process arguments were supplied
  if (arguments != nil)
    request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, arguments);
  end

  request.add_tlv(TLV_TYPE_PROCESS_FLAGS, flags);

  response = client.send_request(request)

  # Get the response parameters
  pid        = response.get_tlv_value(TLV_TYPE_PID)
  handle     = response.get_tlv_value(TLV_TYPE_PROCESS_HANDLE)
  channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
  channel    = nil

  # If we were creating a channel out of this
  if (channel_id != nil)
    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client,
        channel_id, "stdapi_process", CHANNEL_FLAG_SYNCHRONOUS, response)
  end

  # Return a process instance
  return self.new(pid, handle, channel)
end

.finalize(client, handle) ⇒ Object



352
353
354
355
356
357
358
359
360
361
362
363
364
365
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 352

def self.finalize(client, handle)
  proc do
    deferred_close_proc = proc do
      begin
        self.close(client, handle)
      rescue => e
        elog("finalize method for Process failed", error: e)
      end
    end

    # Schedule the finalizing logic out-of-band; as this logic might be called in the context of a Signal.trap, which can't synchronize mutexes
    client.framework.sessions.schedule(deferred_close_proc)
  end
end

.get_processesObject

Returns a ProcessList of processes as Hash objects with keys for 'pid', 'ppid', 'name', 'path', 'user', 'session' and 'arch'.



262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 262

def Process.get_processes
  request   = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_PROCESSES)
  processes = ProcessList.new

  response = client.send_request(request)

  response.each(TLV_TYPE_PROCESS_GROUP) { |p|
  arch = ""

  pa = p.get_tlv_value(TLV_TYPE_PROCESS_ARCH)
  if !pa.nil?
    if pa == 1 # PROCESS_ARCH_X86
      arch = ARCH_X86
    elsif pa == 2 # PROCESS_ARCH_X64
      arch = ARCH_X64
    end
  else
    arch = p.get_tlv_value(TLV_TYPE_PROCESS_ARCH_NAME)
  end

  processes <<
      {
        'pid'      => p.get_tlv_value(TLV_TYPE_PID),
        'ppid'     => p.get_tlv_value(TLV_TYPE_PARENT_PID),
        'name'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_NAME) ),
        'path'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_PATH) ),
        'session'  => p.get_tlv_value(TLV_TYPE_PROCESS_SESSION),
        'user'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_USER_NAME) ),
        'arch'     => arch
      }
  }

  return processes
end

.getpidObject

Gets the process id that the remote side is executing under.



243
244
245
246
247
248
249
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 243

def Process.getpid
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GETPID)

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_PID)
end

.kill(*args) ⇒ Object

Kills one or more processes.



228
229
230
231
232
233
234
235
236
237
238
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 228

def Process.kill(*args)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_KILL)

  args.each { |id|
    request.add_tlv(TLV_TYPE_PID, id)
  }

  client.send_request(request)

  return true
end

.memory_search(pid: 0, needles: [''], min_match_length: 5, max_match_length: 127) ⇒ Object

Search memory for supplied regexes and return matches



307
308
309
310
311
312
313
314
315
316
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 307

def Process.memory_search(pid: 0, needles: [''], min_match_length: 5, max_match_length: 127)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_SEARCH)

  request.add_tlv(TLV_TYPE_PID, pid)
  needles.each { |needle| request.add_tlv(TLV_TYPE_MEMORY_SEARCH_NEEDLE, needle) }
  request.add_tlv(TLV_TYPE_MEMORY_SEARCH_MATCH_LEN, max_match_length)
  request.add_tlv(TLV_TYPE_UINT, min_match_length)

  self.client.send_request(request)
end

.open(pid = nil, perms = nil) ⇒ Object

Attaches to the supplied process with a given set of permissions.



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 59

def Process.open(pid = nil, perms = nil)
  real_perms = 0

  if (perms == nil)
    perms = PROCESS_ALL
  end

  if (perms & PROCESS_READ) > 0
    real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
  end

  if (perms & PROCESS_WRITE) > 0
    real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
  end

  if (perms & PROCESS_EXECUTE) > 0
    real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
  end

  return _open(pid, real_perms)
end

.processesObject

An alias for get_processes.



300
301
302
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 300

def Process.processes
  self.get_processes
end

Instance Method Details

#close(handle = self.handle) ⇒ Object

Instance method



395
396
397
398
399
400
401
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 395

def close(handle = self.handle)
  unless self.pid.nil?
    ObjectSpace.undefine_finalizer(self)
    self.class.close(self.client, handle)
    self.pid = nil
  end
end

#get_infoObject (protected)

Gathers information about the process and returns a hash.



427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 427

def get_info
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_INFO)
  info    = {}

  request.add_tlv(TLV_TYPE_HANDLE, handle)

  # Send the request
  response = client.send_request(request)

  # Populate the hash
  info['name'] = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_NAME) )
  info['path'] = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_PATH) )

  return info
end

#nameObject

Returns the executable name of the process.



370
371
372
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 370

def name
  return get_info()['name']
end

#pathObject

Returns the path to the process' executable.



377
378
379
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 377

def path
  return get_info()['path']
end

#wait(timeout = -1 )) ⇒ Object

Block until this process terminates on the remote side. By default we choose not to allow a packet response timeout to occur as we may be waiting indefinatly for the process to terminate.



408
409
410
411
412
413
414
415
416
417
418
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 408

def wait( timeout = -1 )
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_WAIT)

  request.add_tlv(TLV_TYPE_HANDLE, self.handle)

  self.client.send_request(request, timeout)

  self.handle = nil

  return true
end