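def find_meterpreter_trace(pid, rateLimit):
    """Look for Meterpreter artefacts among the ASCII strings of a process.

    Defensive memory heuristic.  The strings of process ``pid`` are walked as
    ``Process(pid).strings()`` yields them and compared against a fixed list
    of Meterpreter symbol names: the railgun ``stdapi`` extension names for a
    native payload, or the Java Meterpreter channel class names when the
    process is ``java.exe``.  Matching is *sequential*: keyword ``i + 1`` is
    only looked for after keyword ``i`` has been seen, so a different layout
    in memory yields a miss rather than a partial hit.  Matching is also plain
    substring search, so any process that merely holds these strings (a
    scanner, a signature file loaded in memory) matches too; treat a hit as a
    lead to confirm, not as proof.

    Args:
        pid: Process id to inspect.
        rateLimit: Budget of strings to examine.  Once more than ``rateLimit``
            strings have been checked without completing the sequence, the
            scan stops and reports ``False``.

    Returns:
        ``True`` when every keyword was found in order within the budget,
        ``False`` otherwise.  On anything but a 32-bit i386 host the scan is
        skipped and ``False`` is returned (the original fell through and
        returned ``None`` here).

    Each keyword is reported through ``mdlog.print_console`` at
    ``mdlog.SUCCESS_LEVEL`` as it is found.
    """
    # The signature scan is only applied on 32-bit x86.
    if not (System.arch == 'i386' and System.bits == 32):
        return False

    # Native payload: railgun symbol names, in the order they are expected.
    keywords = [
        'stdapi_railgun_api',
        'stdapi_railgun_api_multi',
        'stdapi_railgun_memread',
        'stdapi_railgun_memwrite',
    ]
    try:
        # A Java Meterpreter leaves class names instead of railgun symbols.
        info = psutil.Process(pid)
        if info.is_running() and info.name() == 'java.exe':
            keywords = [
                'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_fs_file',
                'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_client',
                'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_server',
                'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_udp_client',
            ]
    except Exception:
        # psutil could not resolve the process name (e.g. it already exited);
        # fall back to the native keyword set, as the original did.
        pass

    # This reads another process's memory; presumably needs debug rights on
    # the target -- confirm for the deployment environment.
    target = Process(pid)
    next_index = 0      # position of the keyword currently being looked for
    examined = 0        # strings checked so far, compared against rateLimit

    for address, size, data in target.strings():
        text = data.strip()
        if keywords[next_index] in text:
            mdlog.print_console(mdlog.SUCCESS_LEVEL, keywords[next_index])
            next_index += 1
            if next_index == len(keywords):
                # Whole sequence seen; leave before the budget check so a
                # hit on the last allowed string still counts.
                break
        examined += 1
        if examined > rateLimit:
            return False

    # Because matching is strictly ordered, "every keyword found" is exactly
    # "the index ran past the last keyword"; the original's separate
    # ``foundIndex < 3`` check and per-keyword flags reduce to this.
    return next_index == len(keywords)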
def strings( pid ):
    """Print every ASCII string found in the memory of process *pid*.

    One line per string, formatted ``<address>: <string>`` with the address
    rendered by ``HexDump.address``.  Returns nothing.
    """
    target = Process( pid )

    # strings() yields (address, size, data); the size is not needed here.
    for addr, _size, text in target.strings():
        line = "%s: %s" % ( HexDump.address(addr), text )
        print(line)
def strings(pid):
    """Dump the ASCII strings of process *pid* to stdout, one per line.

    Each line is ``<address>: <string>``; the address comes from
    ``HexDump.address``.  Nothing is returned.
    """
    # The middle element of each (address, size, data) tuple is unused.
    for address, _, data in Process(pid).strings():
        print("%s: %s" % (HexDump.address(address), data))
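def find_meterpreter_trace(pid,rateLimit):
    """Scan a process's ASCII strings for traces of a Meterpreter payload.

    Defensive memory heuristic.  Strings yielded by ``Process(pid).strings()``
    are checked against a fixed, ordered list of Meterpreter symbol names:
    railgun ``stdapi`` names for a native payload, or Java Meterpreter channel
    class names when the process is ``java.exe``.  Matching is sequential
    (keyword ``i + 1`` is searched only after keyword ``i`` was seen) and is a
    plain substring test, so a process that merely holds these strings (a
    scanner, a signature file in memory) also matches.  A hit is a lead to
    confirm, not a verdict.

    Args:
        pid: Process id to inspect.
        rateLimit: Budget of strings to examine; once more than ``rateLimit``
            strings have been checked without completing the sequence the
            scan stops and reports ``False``.

    Returns:
        ``True`` when every keyword was found in order within the budget,
        ``False`` otherwise.  On a host that is not 32-bit i386 the scan is
        skipped and ``False`` is returned (the original returned ``None``).

    Each keyword is logged via ``mdlog.print_console`` at
    ``mdlog.SUCCESS_LEVEL`` when it is found.
    """
    # Signatures are only applied on 32-bit x86.
    if not (System.arch == 'i386' and System.bits == 32):
        return False

    # Native payload: railgun symbol names in the expected order.
    keywords = [
        'stdapi_railgun_api',
        'stdapi_railgun_api_multi',
        'stdapi_railgun_memread',
        'stdapi_railgun_memwrite',
    ]
    try:
        # Java Meterpreter: class names instead of railgun symbols.
        info = psutil.Process(pid)
        if info.is_running() and info.name() == 'java.exe':
            keywords = [
                'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_fs_file',
                'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_client',
                'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_server',
                'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_udp_client',
            ]
    except Exception:
        # psutil could not resolve the process name; keep the native set,
        # which is what the original did as well.
        pass

    # Reads another process's memory -- presumably requires debug rights on
    # the target; confirm for the deployment environment.
    target = Process(pid)
    next_index = 0      # keyword currently being looked for
    examined = 0        # strings checked so far, compared against rateLimit

    for address, size, data in target.strings():
        text = data.strip()
        if keywords[next_index] in text:
            mdlog.print_console(mdlog.SUCCESS_LEVEL, keywords[next_index])
            next_index += 1
            if next_index == len(keywords):
                # Sequence complete; leave before the budget check so a hit
                # on the last allowed string still counts.
                break
        examined += 1
        if examined > rateLimit:
            return False

    # With strictly ordered matching, "all found" is "index ran off the end";
    # the original's ``foundIndex < 3`` test plus per-keyword flags collapse
    # to this single comparison.
    return next_index == len(keywords)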
        pid = HexInput.integer(sys.argv[1])
    except Exception, e:
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print "Process not found: %s" % sys.argv[1]
            return
        if len(pl) > 1:
            print "Multiple processes found for %s" % sys.argv[1]
            for p, n in pl:
                print "\t%s: %s" % (p.get_pid(), n)
            return
        pid = pl[0][0].get_pid()
        s.clear()
        del s

    p = Process(pid)
    for address, size, data in p.strings():
        if data.endswith('\0'): data = data[:-1]
        print "%s: %r" % (HexDump.address(address), data)


if __name__ == '__main__':
    # psyco is an optional Python 2 JIT: bind main() to it when installed,
    # otherwise run main() uncompiled.
    try:
        import psyco
    except ImportError:
        pass
    else:
        psyco.bind(main)
    main()
def strings(pid):
    """Print ``<address>: <string>`` for each ASCII string in process *pid*.

    Addresses are formatted with ``HexDump.address``; nothing is returned.
    """
    entries = Process(pid).strings()
    for entry in entries:
        # entry is (address, size, data); size is not used.
        location, data = HexDump.address(entry[0]), entry[2]
        print("%s: %s" % (location, data))
        s = System()
        s.scan_processes()
        pl = s.find_processes_by_filename(sys.argv[1])
        if not pl:
            print "Process not found: %s" % sys.argv[1]
            return
        if len(pl) > 1:
            print "Multiple processes found for %s" % sys.argv[1]
            for p, n in pl:
                print "\t%s: %s" % (p.get_pid(), n)
            return
        pid = pl[0][0].get_pid()
        s.clear()
        del s

    p = Process(pid)
    for address, size, data in p.strings():
        if data.endswith("\0"):
            data = data[:-1]
        print "%s: %r" % (HexDump.address(address), data)


if __name__ == "__main__":
    # Optional acceleration: psyco (a Python 2 JIT) is used only when it can
    # be imported; main() runs either way.
    try:
        import psyco
    except ImportError:
        pass
    else:
        psyco.bind(main)
    main()
# Hard pin on the interpreter: anything other than exactly 2.7.6 is refused
# before any memory is read.  `version` is presumably sys.version_info bound
# under that name at the import site -- confirm.
if (version.major, version.minor, version.micro) != (2, 7, 6):
    print("Error: This program is written for Python 2.7.6")
    # NOTE(review): on Python 2 without a print_function future import this
    # is a print *statement* applied to a parenthesised tuple, so the line
    # comes out with tuple punctuation rather than as plain text.
    print("You are running:", version.major, ".", version.minor, ".",
          version.micro)
    # `exit` is the interactive helper installed by the site module, not
    # sys.exit; acceptable for a script, unavailable if site is disabled.
    exit(1)

# Retrieves system snapshot and iterates through running tasks
system = System()
for task in system:
    task_name = task.get_filename()
    if task_name is None:
        continue
    # Substring match on the image name: any filename *containing*
    # "firefox.exe" or "chrome.exe" qualifies, not only an exact name.
    if (task_name.find("firefox.exe") != -1) or (task_name.find("chrome.exe")
                                                 != -1):
        # Obtains memory information about currently running browser
        process = Process(task.get_pid())
        filename = ""
        if task_name.find("firefox.exe") != -1:
            filename = "firefox_output.txt"
        else:
            filename = "chrome_output.txt"
        # The file is opened with "w" in the current directory for every
        # matching process, so with several firefox/chrome processes only the
        # last one's dump survives.  It holds every printable string from the
        # browser's memory, unfiltered -- whatever the browser had in memory
        # (session data, form contents) can end up in it, so the file needs
        # the same protection as the browser profile itself.
        with open(filename, "w") as f:
            # Extracts all string literals from memory
            # All strings are logged, while URLs are printed to terminal
            for address, size, data in process.strings():
                # NOTE(review): `tuple` shadows the builtin for the rest of
                # the module; a name such as `entry` would avoid that.
                tuple = (HexDump.address(address), HexDump.printable(data))
                f.write(tuple[0] + "\t" + tuple[1] + "\n")
                # Only URL-looking strings (and the "HTTP-memory-only" cache
                # marker) are echoed to the terminal; everything goes to file.
                if tuple[1].startswith(
                    (r"http://", r"https://", r"HTTP-memory-only")):
                    print tuple[0], "\t", tuple[1]