From 43740d7626078f8f26fbb56b734cce9d13ca2551 Mon Sep 17 00:00:00 2001 From: jiuweigui Date: Sun, 14 Jul 2013 04:55:57 +0300 Subject: [PATCH] Minor edits --- .../post/windows/gather/prefetch_gather.rb | 186 ------------------ modules/post/windows/gather/prefetch_tool.rb | 14 +- 2 files changed, 5 insertions(+), 195 deletions(-) delete mode 100644 modules/post/windows/gather/prefetch_gather.rb diff --git a/modules/post/windows/gather/prefetch_gather.rb b/modules/post/windows/gather/prefetch_gather.rb deleted file mode 100644 index 2e3b1beb25..0000000000 --- a/modules/post/windows/gather/prefetch_gather.rb +++ /dev/null @@ -1,186 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'msf/core' -require 'rex' -require 'msf/core/post/windows/registry' -require 'time' - - -class Metasploit3 < Msf::Post - include Msf::Post::Windows::Priv - - def initialize(info={}) - super(update_info(info, - 'Name' => 'Windows Gather Prefetch File Information', - 'Description' => %q{This module gathers prefetch file information from WinXP & Win7 systems.}, - 'License' => MSF_LICENSE, - 'Author' => ['TJ Glad '], - 'Platform' => ['win'], - 'SessionType' => ['meterpreter'] - )) - - end - - - # Checks if Prefetch registry key exists and what value it has. - - - def prefetch_key_value() - - reg_key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\Memory\ Management\\PrefetchParameters", KEY_READ) - key_value = reg_key.query_value("EnablePrefetcher").data - - - if key_value == 0 - print_error("EnablePrefetcher Value: (0) = Disabled (Non-Default).") - elsif key_value == 1 - print_good("EnablePrefetcher Value: (1) = Application launch prefetching enabled (Non-Default).") - elsif key_value == 2 - print_good("EnablePrefetcher Value: (2) = Boot prefetching enabled (Non-Default).") - elsif key_value == 3 - print_good("EnablePrefetcher Value: (3) = Applaunch and boot enabled (Default Value).") - else - print_error("No proper value set so information should be taken with a grain of salt.") - - end - reg_key.close - end - - - def gather_info(name_offset, hash_offset, lastrun_offset, runcount_offset, filename) - - # This function seeks and gathers information from specific offsets. - - h = client.railgun.kernel32.CreateFileA(filename, "GENERIC_READ", "FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_NORMAL", 0) - - if h['GetLastError'] != 0 - - print_error("Error opening a file handle.") - return nil - else - - handle = h['return'] - - # Finds the filename from the prefetch file - client.railgun.kernel32.SetFilePointer(handle, name_offset, 0, nil) - name = client.railgun.kernel32.ReadFile(handle, 60, 60, 4, nil) - x = name['lpBuffer'] - pname = x.slice(0..x.index("\x00\x00")) - - # Finds the run count from the prefetch file - client.railgun.kernel32.SetFilePointer(handle, runcount_offset, 0, nil) - count = client.railgun.kernel32.ReadFile(handle, 4, 4, 4, nil) - prun = count['lpBuffer'].unpack('L*') - - # FIXME: Finds the FILETIME offset and converts it. - # The time conversion is currently a bit confusing. - # ATM You have to add/substract your timezone from the - # time it prints out. That time is the one from the pf - # file and represents the time on your timezone - # i.e. if timestamp is 2013-07-13 21:00:13 and i'm on +2 - # then the correct time is 2013-07-13 19:00:13 - client.railgun.kernel32.SetFilePointer(handle, lastrun_offset, 0, 0) - tm = client.railgun.kernel32.ReadFile(handle, 8, 8, 4, nil) - filetime = tm['lpBuffer'].unpack('h*')[0].reverse.to_i(16) - xtime = ((filetime.to_i - 116444556000000000) / 10000000) - ptime = Time.at(xtime).utc.to_s - - # Finds the hash. - client.railgun.kernel32.SetFilePointer(handle, hash_offset, 0, 0) - hh = client.railgun.kernel32.ReadFile(handle, 4, 4, 4, nil) - phash = hh['lpBuffer'].unpack('h*')[0].reverse - - - print_line("%s\t\t %s\t\t %08s\t %-29s" % [ptime[0..-4], prun[0], phash, pname]) - client.railgun.kernel32.CloseHandle(handle) - end - - end - - - def run - - print_status("Prefetch Gathering started.") - - if not is_admin? - - print_error("You don't have enough privileges. Try getsystem.") - - return nil - end - - - begin - - sysnfo = client.sys.config.sysinfo['OS'] - - # Check to see what Windows Version is running. - # Needed for offsets. - # Tested on WinXP and Win7 systems. Should work on WinVista & Win2k3.. - # http://www.forensicswiki.org/wiki/Prefetch - # http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format - - if sysnfo =~/(Windows XP)/ # Offsets for WinXP - - print_good("Detected Windows XP") - name_offset = 0x10 - hash_offset = 0x4C - lastrun_offset = 0x78 - runcount_offset = 0x90 - - elsif sysnfo =~/(Windows 7)/ # Offsets for Win7 - - print_good("Detected Windows 7") - name_offset = 0x10 - hash_offset = 0x4C - lastrun_offset = 0x80 - runcount_offset = 0x98 - - else - - print_error("No offsets for the target Windows version.") - - return nil - end - - print_status("Searching for Prefetch Hive Value.") - prefetch_key_value - - sysroot = client.fs.file.expand_path("%SYSTEMROOT%") - full_path = sysroot + "\\Prefetch\\" - file_type = "*.pf" - - print_line("\nLatest Run Time\t\t\tRun Count\tHash\t\tFilename\n") - - - getfile_prefetch_filenames = client.fs.file.search(full_path,file_type,recurse=false,timeout=-1) - getfile_prefetch_filenames.each do |file| - if file.empty? or file.nil? - - print_error("No files or not enough privileges.") - - return nil - - else - - filename = File.join(file['path'], file['name']) - - gather_info(name_offset, hash_offset, lastrun_offset, runcount_offset, filename) - - end - - end - - end - - - print_good("Finished gathering information from prefetch files.") - - - end -end diff --git a/modules/post/windows/gather/prefetch_tool.rb b/modules/post/windows/gather/prefetch_tool.rb index 4f78be1c23..f4a408bacb 100644 --- a/modules/post/windows/gather/prefetch_tool.rb +++ b/modules/post/windows/gather/prefetch_tool.rb @@ -27,10 +27,8 @@ class Metasploit3 < Msf::Post end - # Checks if Prefetch registry key exists and what value it has. - - - def prefetch_key_value() + def prefetch_key_value() + # Checks if Prefetch registry key exists and what value it has. reg_key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\Memory\ Management\\PrefetchParameters", KEY_READ) key_value = reg_key.query_value("EnablePrefetcher").data @@ -65,18 +63,16 @@ class Metasploit3 < Msf::Post end reg_key.close end - - def gather_prefetch_info(name_offset, hash_offset, lastrun_offset, runcount_offset, filename) + + def gather_prefetch_info(name_offset, hash_offset, lastrun_offset, runcount_offset, filename) # This function seeks and gathers information from specific offsets. - h = client.railgun.kernel32.CreateFileA(filename, "GENERIC_READ", "FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_NORMAL", 0) if h['GetLastError'] != 0 print_error("Error opening a file handle.") return nil else - handle = h['return'] # Finds the filename from the prefetch file @@ -120,7 +116,7 @@ class Metasploit3 < Msf::Post begin - sysnfo = client.sys.config.sysinfo['OS'] + sysnfo = client.sys.config.sysinfo['OS'] # Check to see what Windows Version is running. # Needed for offsets.