From a7ee95381b29066dd3d3b1e190e0e351a3ad9881 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 28 Jun 2013 16:28:00 -0500
Subject: [PATCH 1/3] Updates module description, and uses the proper func for hex dump

As an user, it's important to know that using this module may result a lost session because it must migrate to grep memory, but does not migrate back. The module also has its own hex dump routine, which is no longer needed because we have a built-in Rex::Text.to_hex_dump
---
 modules/post/windows/gather/memory_grep.rb | 56 ++++++----------------
 1 file changed, 14 insertions(+), 42 deletions(-)

diff --git a/modules/post/windows/gather/memory_grep.rb b/modules/post/windows/gather/memory_grep.rb
index 845c7e6451..1e567cbe61 100644
--- a/modules/post/windows/gather/memory_grep.rb
+++ b/modules/post/windows/gather/memory_grep.rb
@@ -13,8 +13,10 @@ class Metasploit3 < Msf::Post
     super( update_info(info,
       'Name' => 'Windows Gather Process Memory Grep',
       'Description' => %q{
-        This module allows for searching the memory space of a proccess for potentially sensitive
-        data.
+        This module allows for searching the memory space of a proccess for potentially
+        sensitive data. Please note: This module will have to migrate to the process you
+        are grepping, and will not migrate back automatically. This means that if the user
+        terminates the application after using this module, you may lose your session.
       },
       'License' => MSF_LICENSE,
       'Author' => ['bannedit'],
@@ -40,13 +42,13 @@ class Metasploit3 < Msf::Post
     regex = Regexp.new(datastore['REGEX'])
     target_pid = client.sys.process[name]
 
-    print_status("Found #{datastore['PROCESS']} running as pid: #{target_pid}")
-
     if not target_pid
       print_error("Could not access the target process")
       return
     end
 
+    print_status("Found #{datastore['PROCESS']} running as pid: #{target_pid}")
+
     process = session.sys.process.open(target_pid, PROCESS_ALL_ACCESS)
     begin
       print_status("Walking process threads...")
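Review bot: The rewritten Description in the first hunk still carries the misspelling "proccess" on its first added line; the line should read `This module allows for searching the memory space of a process for potentially`. Since the commit rewrites this paragraph anyway, it is the right moment to fix the word that is shown to every operator who runs `info` on the module. The surrounding `update_info` call continues outside the hunk.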
@@ -95,7 +97,6 @@ class Metasploit3 < Msf::Post
     handles.each do |handle|
       lpentry = "\x00" * 42
       while (ret = railgun.kernel32.HeapWalk(handle, lpentry)) and ret['return']
-        #print ret.inspect
         entry = ret['lpEntry'][0, 4].unpack('V')[0]
         size = ret['lpEntry'][4, 4].unpack('V')[0]
         data = process.memory.read(entry, size)
@@ -113,7 +114,10 @@ class Metasploit3 < Msf::Post
 
       idx = mem['Data'].index(regex)
       if idx != nil
-        print_status("Match found...\n" + hex_dump(mem['Data'][idx, 512], mem['Address']+idx))
+        print_status("Match found!")
+        print_line
+        data = mem['Data'][idx, 512], mem['Address']+idx
+        print_line(Rex::Text.to_hex_dump(data[0]))
       end
     end
 
@@ -121,43 +125,11 @@ class Metasploit3 < Msf::Post
 
       idx = mem['Data'].index(regex)
       if idx != nil
-        print_status("Match found...\n" + hex_dump(mem['Data'][idx, 512], mem['Address']+idx))
+        print_status("Match found")
+        print_line
+        data = mem['Data'][idx, 512], mem['Address']+idx
+        print_line(Rex::Text.to_hex_dump(data[0]))
       end
     end
   end
-
-  def hex_dump(str, base = 0, width = 16)
-    buf = ''
-    idx = 0
-    cnt = 0
-    snl = false
-    lst = 0
-
-    while (idx < str.length)
-
-      chunk = str[idx, width]
-      addr = "0x%08x:\t" % (base + idx)
-      line = chunk.unpack("H*")[0].scan(/../).join(" ")
-      buf << addr + line # add the index to the beginning of the line (base + idx)
-
-      if (lst == 0)
-        lst = line.length
-        buf << " " * 4
-      else
-        buf << " " * ((lst - line.length) + 4).abs
-      end
-
-      chunk.unpack("C*").each do |c|
-        if (c > 0x1f and c < 0x7f)
-          buf << c.chr
-        else
-          buf << "."
-        end
-      end
-
-      buf << "\n"
-      idx += width
-    end
-    buf << "\n"
-  end
 end

From 82eed1582f952d6a319bf3a67e84861929dbf489 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 28 Jun 2013 17:05:43 -0500
Subject: [PATCH 2/3] No need for the 2nd element

---
 modules/post/windows/gather/memory_grep.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
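Review bot: The two match handlers now print different messages, `print_status("Match found!")` in the hunk at line 114 and `print_status("Match found")` in the hunk at line 125, so the same event reads differently depending on which memory region it came from. Beyond the wording, neither handler says whether the hit was in a heap block or a thread stack, nor at what address, whereas the deleted hex_dump received `mem['Address']+idx` as its base and printed an absolute address on every row. A single status line such as `print_status("Match found at 0x%08x" % (mem['Address'] + idx))` in both places keeps that information and makes the output consistent. Both enclosing iteration blocks start outside their hunks.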
diff --git a/modules/post/windows/gather/memory_grep.rb b/modules/post/windows/gather/memory_grep.rb
index 1e567cbe61..11cb825be4 100644
--- a/modules/post/windows/gather/memory_grep.rb
+++ b/modules/post/windows/gather/memory_grep.rb
@@ -116,8 +116,8 @@ class Metasploit3 < Msf::Post
       if idx != nil
         print_status("Match found!")
         print_line
-        data = mem['Data'][idx, 512], mem['Address']+idx
-        print_line(Rex::Text.to_hex_dump(data[0]))
+        data = mem['Data'][idx, 512]
+        print_line(Rex::Text.to_hex_dump(data))
       end
     end
 
@@ -127,8 +127,8 @@ class Metasploit3 < Msf::Post
       if idx != nil
         print_status("Match found")
         print_line
-        data = mem['Data'][idx, 512], mem['Address']+idx
-        print_line(Rex::Text.to_hex_dump(data[0]))
+        data = mem['Data'][idx, 512]
+        print_line(Rex::Text.to_hex_dump(data))
       end
     end
   end

From 43c4f07e060e351f4b76d1e150dd20a2514ecf33 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Sun, 30 Jun 2013 18:32:15 -0500
Subject: [PATCH 3/3] Use "unless"

Guidelines favor "unless".
---
 modules/post/windows/gather/memory_grep.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/memory_grep.rb b/modules/post/windows/gather/memory_grep.rb
index 11cb825be4..7c0f534181 100644
--- a/modules/post/windows/gather/memory_grep.rb
+++ b/modules/post/windows/gather/memory_grep.rb
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Post
     regex = Regexp.new(datastore['REGEX'])
     target_pid = client.sys.process[name]
 
-    if not target_pid
+    unless target_pid
       print_error("Could not access the target process")
       return
     end
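Review bot: Removing `mem['Address']+idx` in both hunks of this commit drops the last reference to where the match lives in the target process; the hex dump that is printed now starts at offset zero, so the operator cannot relate a hit back to a heap block or stack region. The earlier hex_dump in this file printed `base + idx` on each row precisely to give that context. If the Rex::Text.to_hex_dump in this tree accepts a base-address argument, pass `mem['Address'] + idx` to it; otherwise report it in the status line, e.g. `print_status("Match found at 0x%08x" % (mem['Address'] + idx))`. The enclosing loops in both hunks begin outside the hunk.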