Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Inherits:

Process

• Object
• Process
• Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process

Includes:

ObjectAliasesContainer

Defined in:

lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

Overview

This class implements the Rex::Post::Process interface.

Class Attribute Summary

• .client ⇒ Object

  Returns the value of attribute client.

Instance Attribute Summary

• #channel ⇒ Object

  :nodoc:.

• #client ⇒ Object

  :nodoc:.

• #handle ⇒ Object

  :nodoc:.

• #pid ⇒ Object

  :nodoc:.

Attributes included from ObjectAliasesContainer

#aliases

Class Method Summary

• .[](key) ⇒ Object

  Returns the process identifier of the process supplied in key if it’s valid.

• ._open(pid, perms, inherit = false) ⇒ Object

  Low-level process open.

• .capture_output(path, arguments = '', opts = nil, time_out = 15) ⇒ Object

  Execute an application and capture the output.

• .close(client, handle) ⇒ Object

  Closes the handle to the process that was opened.

• .each_process(&block) ⇒ Object

  Enumerates all of the elements in the array returned by get_processes.

• .execute(path, arguments = '', opts = nil) ⇒ Object

  Executes an application using the arguments provided.

• .finalize(client, handle) ⇒ Object
• .get_processes ⇒ Object

  Returns a ProcessList of processes as Hash objects with keys for ‘pid’, ‘ppid’, ‘name’, ‘path’, ‘user’, ‘session’ and ‘arch’.

• .getpid ⇒ Object

  Gets the process id that the remote side is executing under.

• .kill(*args) ⇒ Object

  Kills one or more processes.

• .memory_search(pid: 0, needles: [''], min_match_length: 5, max_match_length: 127) ⇒ Object

  Search memory for supplied regexes and return matches.

• .open(pid = nil, perms = nil) ⇒ Object

  Attaches to the supplied process with a given set of permissions.

• .processes ⇒ Object

  An alias for get_processes.

Instance Method Summary

• #close(handle = self.handle) ⇒ Object

  Instance method.

• #get_info ⇒ Object protected

  Gathers information about the process and returns a hash.

• #initialize(pid, handle, channel = nil) ⇒ Process constructor

  Initializes the process instance and its aliases.

• #name ⇒ Object

  Returns the executable name of the process.

• #path ⇒ Object

  Returns the path to the process’ executable.

• #wait(timeout = -1 )) ⇒ Object

  Block until this process terminates on the remote side.

Methods included from ObjectAliasesContainer

#dump_alias_tree, #initialize_aliases, #method_missing

Methods inherited from Process

egid, egid=, euid, euid=, getresuid, gid, gid=, pid, ppid, setresuid, uid, uid=

Constructor Details

#initialize(pid, handle, channel = nil) ⇒ Process

Initializes the process instance and its aliases.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 351

def initialize(pid, handle, channel = nil)
  self.client  = self.class.client
  self.handle  = handle
  self.channel = channel

  # If the process identifier is zero, then we must lookup the current
  # process identifier
  if (pid == 0)
    self.pid = client.sys.process.getpid
  else
    self.pid = pid
  end

  initialize_aliases(
    {
      'image'  => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image.new(self),
      'io'     => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO.new(self),
      'memory' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory.new(self),
      'thread' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread.new(self),
    })

  # Ensure the remote object is closed when all references are removed
  ObjectSpace.define_finalizer(self, self.class.finalize(client, handle))
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rex::Post::Meterpreter::ObjectAliasesContainer

Class Attribute Details

.client ⇒ Object

Returns the value of attribute client.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 37

def client
  @client
end

Instance Attribute Details

#channel ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 444

def channel
  @channel
end

#client ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 444

def client
  @client
end

#handle ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 444

def handle
  @handle
end

#pid ⇒ Object

:nodoc:

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 444

def pid
  @pid
end

Class Method Details

.[](key) ⇒ Object

Returns the process identifier of the process supplied in key if it’s valid.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 44

def Process.[](key)
  return if key.nil?

  each_process { |p|
    if (p['name'].downcase == key.downcase)
      return p['pid']
    end
  }

  return nil
end

._open(pid, perms, inherit = false) ⇒ Object

Low-level process open.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 84

def Process._open(pid, perms, inherit = false)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_ATTACH)

  if (pid == nil)
    pid = 0
  end

  # Populate the request
  request.add_tlv(TLV_TYPE_PID, pid)
  request.add_tlv(TLV_TYPE_PROCESS_PERMS, perms)
  request.add_tlv(TLV_TYPE_INHERIT, inherit)

  # Transmit the request
  response = self.client.send_request(request)
  handle   = response.get_tlv_value(TLV_TYPE_HANDLE)

  # If the handle is valid, allocate a process instance and return it
  if (handle != nil)
    return self.new(pid, handle)
  end

  return nil
end

.capture_output(path, arguments = '', opts = nil, time_out = 15) ⇒ Object

Execute an application and capture the output

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 221

def Process.capture_output(path, arguments = '', opts = nil, time_out = 15)
  start = Time.now.to_i
  process = execute(path, arguments, opts)
  data = ""

  # Wait up to time_out seconds for the first bytes to arrive
  while (d = process.channel.read)
    data << d
    if d == ""
      if Time.now.to_i - start < time_out
        sleep 0.1
      else
        break
      end
    end
  end
  data.chomp! if data

  begin
    process.channel.close
  rescue IOError => e
    # Channel was already closed, but we got the cmd output, so let's soldier on.
  end
  process.close

  return data
end

.close(client, handle) ⇒ Object

Closes the handle to the process that was opened.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 408

def self.close(client, handle)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_CLOSE)
  request.add_tlv(TLV_TYPE_HANDLE, handle)
  client.send_request(request, nil)
  handle = nil
  return true
end

.each_process(&block) ⇒ Object

Enumerates all of the elements in the array returned by get_processes.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 278

def Process.each_process(&block)
  self.get_processes.each(&block)
end

.execute(path, arguments = '', opts = nil) ⇒ Object

Executes an application using the arguments provided

Parameters:

• path (String) —

  Path on the remote system to the executable to run

• arguments (String, Array<String>) (defaults to: '') —

  Arguments to the process. When passed as a String (rather than an array of Strings), this is treated as a string containing all arguments.

• opts (Hash) (defaults to: nil) —

  Optional settings to parameterise the process launch

• Hidden (Hash) —

  a customizable set of options

• Channelized (Hash) —

  a customizable set of options

• Suspended (Hash) —

  a customizable set of options

• UseThreadToken (Hash) —

  a customizable set of options

• Desktop (Hash) —

  a customizable set of options

• Session (Hash) —

  a customizable set of options

• Subshell (Hash) —

  a customizable set of options

• Pty (Hash) —

  a customizable set of options

• ParentId (Hash) —

  a customizable set of options

• InMemory (Hash) —

  a customizable set of options

• :legacy_args (Hash) —

  a customizable set of options

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 127

def Process.execute(path, arguments = '', opts = nil)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_EXECUTE)
  flags   = 0

  # If we were supplied optional arguments...
  if (opts != nil)
    if (opts['Hidden'])
      flags |= PROCESS_EXECUTE_FLAG_HIDDEN
    end
    if (opts['Channelized'])
      flags |= PROCESS_EXECUTE_FLAG_CHANNELIZED
    end
    if (opts['Suspended'])
      flags |= PROCESS_EXECUTE_FLAG_SUSPENDED
    end
    if (opts['UseThreadToken'])
      flags |= PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN
    end
    if (opts['Desktop'])
      flags |= PROCESS_EXECUTE_FLAG_DESKTOP
    end
    if (opts['Session'])
      flags |= PROCESS_EXECUTE_FLAG_SESSION
      request.add_tlv( TLV_TYPE_PROCESS_SESSION, opts['Session'] )
    end
    if (opts['Subshell'])
      flags |= PROCESS_EXECUTE_FLAG_SUBSHELL
    end
    if (opts['Pty'])
      flags |= PROCESS_EXECUTE_FLAG_PTY
    end
    if (opts['ParentPid'])
      request.add_tlv(TLV_TYPE_PARENT_PID, opts['ParentPid']);
      request.add_tlv(TLV_TYPE_PROCESS_PERMS, PROCESS_ALL_ACCESS)
      request.add_tlv(TLV_TYPE_INHERIT, false)
    end
    inmem = opts['InMemory']
    if inmem

      # add the file contents into the tlv
      f = ::File.new(path, 'rb')
      request.add_tlv(TLV_TYPE_VALUE_DATA, f.read(f.stat.size))
      f.close

      # replace the path with the "dummy"
      path = inmem.kind_of?(String) ? inmem : 'cmd'
    end
  end

  # Add arguments
  # If process arguments were supplied
  if arguments.kind_of?(Array)
    request.add_tlv(TLV_TYPE_PROCESS_UNESCAPED_PATH, client.unicode_filter_decode( path ))
    # This flag is needed to disambiguate how to handle escaping special characters in the path when no arguments are provided
    flags |= PROCESS_EXECUTE_FLAG_ARG_ARRAY
    arguments.each do |arg|
      request.add_tlv(TLV_TYPE_PROCESS_ARGUMENT, arg);
    end
    if opts[:legacy_path]
      request.add_tlv(TLV_TYPE_PROCESS_PATH, opts[:legacy_path])
    end
    if opts[:legacy_args]
      request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, opts[:legacy_args])
    end
  elsif arguments.nil? || arguments.kind_of?(String)
    request.add_tlv(TLV_TYPE_PROCESS_PATH, client.unicode_filter_decode( path ))
    request.add_tlv(TLV_TYPE_PROCESS_ARGUMENTS, arguments)
  else
    raise ArgumentError.new('Unknown type for arguments')
  end

  request.add_tlv(TLV_TYPE_PROCESS_FLAGS, flags);

  response = client.send_request(request)

  # Get the response parameters
  pid        = response.get_tlv_value(TLV_TYPE_PID)
  handle     = response.get_tlv_value(TLV_TYPE_PROCESS_HANDLE)
  channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
  channel    = nil

  # If we were creating a channel out of this
  if (channel_id != nil)
    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client,
        channel_id, "stdapi_process", CHANNEL_FLAG_SYNCHRONOUS, response)
  end

  # Return a process instance
  return self.new(pid, handle, channel)
end

.finalize(client, handle) ⇒ Object

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 376

def self.finalize(client, handle)
  proc do
    deferred_close_proc = proc do
      begin
        self.close(client, handle)
      rescue => e
        elog("finalize method for Process failed", error: e)
      end
    end

    # Schedule the finalizing logic out-of-band; as this logic might be called in the context of a Signal.trap, which can't synchronize mutexes
    client.framework.sessions.schedule(deferred_close_proc)
  end
end

.get_processes ⇒ Object

Returns a ProcessList of processes as Hash objects with keys for ‘pid’, ‘ppid’, ‘name’, ‘path’, ‘user’, ‘session’ and ‘arch’.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 286

def Process.get_processes
  request   = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_PROCESSES)
  processes = ProcessList.new

  response = client.send_request(request)

  response.each(TLV_TYPE_PROCESS_GROUP) { |p|
  arch = ""

  pa = p.get_tlv_value(TLV_TYPE_PROCESS_ARCH)
  if !pa.nil?
    if pa == 1 # PROCESS_ARCH_X86
      arch = ARCH_X86
    elsif pa == 2 # PROCESS_ARCH_X64
      arch = ARCH_X64
    end
  else
    arch = p.get_tlv_value(TLV_TYPE_PROCESS_ARCH_NAME)
  end

  processes <<
      {
        'pid'      => p.get_tlv_value(TLV_TYPE_PID),
        'ppid'     => p.get_tlv_value(TLV_TYPE_PARENT_PID),
        'name'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_NAME) ),
        'path'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_PATH) ),
        'session'  => p.get_tlv_value(TLV_TYPE_PROCESS_SESSION),
        'user'     => client.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_USER_NAME) ),
        'arch'     => arch
      }
  }

  return processes
end

.getpid ⇒ Object

Gets the process id that the remote side is executing under.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 267

def Process.getpid
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GETPID)

  response = client.send_request(request)

  return response.get_tlv_value(TLV_TYPE_PID)
end

.kill(*args) ⇒ Object

Kills one or more processes.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 252

def Process.kill(*args)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_KILL)

  args.each { |id|
    request.add_tlv(TLV_TYPE_PID, id)
  }

  client.send_request(request)

  return true
end

.memory_search(pid: 0, needles: [''], min_match_length: 5, max_match_length: 127) ⇒ Object

Search memory for supplied regexes and return matches

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 331

def Process.memory_search(pid: 0, needles: [''], min_match_length: 5, max_match_length: 127)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_SEARCH)

  request.add_tlv(TLV_TYPE_PID, pid)
  needles.each { |needle| request.add_tlv(TLV_TYPE_MEMORY_SEARCH_NEEDLE, needle) }
  request.add_tlv(TLV_TYPE_MEMORY_SEARCH_MATCH_LEN, max_match_length)
  request.add_tlv(TLV_TYPE_UINT, min_match_length)

  self.client.send_request(request)
end

.open(pid = nil, perms = nil) ⇒ Object

Attaches to the supplied process with a given set of permissions.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 59

def Process.open(pid = nil, perms = nil)
  real_perms = 0

  if (perms == nil)
    perms = PROCESS_ALL
  end

  if (perms & PROCESS_READ) > 0
    real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
  end

  if (perms & PROCESS_WRITE) > 0
    real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
  end

  if (perms & PROCESS_EXECUTE) > 0
    real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
  end

  return _open(pid, real_perms)
end

.processes ⇒ Object

An alias for get_processes.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 324

def Process.processes
  self.get_processes
end

Instance Method Details

#close(handle = self.handle) ⇒ Object

Instance method

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 419

def close(handle = self.handle)
  unless self.pid.nil?
    ObjectSpace.undefine_finalizer(self)
    self.class.close(self.client, handle)
    self.pid = nil
  end
end

#get_info ⇒ Object (protected)

Gathers information about the process and returns a hash.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 451

def get_info
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_GET_INFO)
  info    = {}

  request.add_tlv(TLV_TYPE_HANDLE, handle)

  # Send the request
  response = client.send_request(request)

  # Populate the hash
  info['name'] = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_NAME) )
  info['path'] = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_PATH) )

  return info
end

#name ⇒ Object

Returns the executable name of the process.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 394

def name
  return get_info()['name']
end

#path ⇒ Object

Returns the path to the process’ executable.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 401

def path
  return get_info()['path']
end

#wait(timeout = -1 )) ⇒ Object

Block until this process terminates on the remote side. By default we choose not to allow a packet response timeout to occur as we may be waiting indefinatly for the process to terminate.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb', line 432

def wait( timeout = -1 )
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_PROCESS_WAIT)

  request.add_tlv(TLV_TYPE_HANDLE, self.handle)

  self.client.send_request(request, timeout)

  self.handle = nil

  return true
end