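def find_meterpreter_trace(pid, rateLimit):
    """Look for Meterpreter stdapi markers in the memory of process *pid*.

    The ASCII strings of the target are walked once, looking for a fixed,
    ordered list of signature keywords: the native railgun stdapi names by
    default, or the Java Meterpreter class names when psutil reports the
    process executable as java.exe. Each keyword has to be found in turn (the
    search for keyword N+1 only starts after keyword N matched), and a keyword
    matches as a substring of a stripped string -- so 'stdapi_railgun_api'
    also matches the '_multi' variant.

    Args:
        pid: PID of the process to scan. Reading its memory needs sufficient
            privileges; failures there propagate from Process.strings().
        rateLimit: maximum number of strings to examine. Once more than
            rateLimit strings have been read without completing the
            signature the scan gives up with False.

    Returns:
        True only when every keyword was found, in order, within the limit;
        False otherwise. Only 32-bit x86 hosts are scanned (the keyword sets
        are for the 32-bit payloads); on any other architecture the function
        returns False without touching the process.

    NOTE(review): this is a plaintext-signature check. Packed, encrypted or
    renamed stagers, and x64 Meterpreter sessions, are not detected; treat a
    False result as "no evidence found", not as "clean".
    """
    if not (System.arch == 'i386' and System.bits == 32):
        return False

    # [keyword, matched-flag] pairs, in the order they must be found.
    keywords = [
        ['stdapi_railgun_api', False],
        ['stdapi_railgun_api_multi', False],
        ['stdapi_railgun_memread', False],
        ['stdapi_railgun_memwrite', False],
    ]
    try:
        info = psutil.Process(pid)
        # Windows file names are case-insensitive, so compare lower-cased.
        if info.is_running() and info.name().lower() == 'java.exe':
            keywords = [
                ['class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_fs_file', False],
                ['class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_client', False],
                ['class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_server', False],
                ['class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_udp_client', False],
            ]
    except Exception:
        # Best effort: if the process name cannot be resolved (process gone,
        # access denied, psutil unavailable) fall back to the native set.
        pass

    next_index = 0
    scanned = 0
    for address, size, data in Process(pid).strings():
        text = data.strip()
        if keywords[next_index][0] in text:
            keywords[next_index][1] = True
            mdlog.print_console(mdlog.SUCCESS_LEVEL, keywords[next_index][0])
            next_index += 1
            if next_index == len(keywords):
                break
        scanned += 1
        if scanned > rateLimit:
            return False
    # Every flag set <=> the whole signature was matched in order.
    return all(flag for _, flag in keywords)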
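def strings(pid):
    """Print every ASCII string found in the memory of process *pid*.

    One line per string, ``<address>: <string>``, with the address formatted
    by HexDump.address. A terminating NUL is dropped and the string is shown
    with ``%r`` rather than raw, so control and escape bytes read from a
    possibly hostile process cannot reach the terminal unescaped; this is
    the same treatment the other memory-string dumpers in this file apply.

    Args:
        pid: PID of the process whose memory is read (needs read access).
    """
    target = Process(pid)
    for address, _size, data in target.strings():
        if data.endswith('\0'):
            data = data[:-1]
        print("%s: %r" % (HexDump.address(address), data))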
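def strings(pid):
    """Dump the ASCII strings of process *pid* to stdout, one per line.

    Each line is ``<address>: <string>`` (address via HexDump.address).
    Because the bytes come from another process's memory -- possibly an
    attacker-controlled one -- the string is printed escaped (``%r``) after
    dropping a trailing NUL, instead of being written to the terminal raw.

    Args:
        pid: PID of the process to read.
    """
    for address, _size, data in Process(pid).strings():
        text = data[:-1] if data.endswith('\0') else data
        print("%s: %r" % (HexDump.address(address), text))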
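def _match_keyword_sequence(memory_strings, keywords, rateLimit):
    """Return True if *keywords* occur, in order, within *memory_strings*.

    Keyword N+1 is only looked for once keyword N has matched; a keyword
    matches as a substring of a stripped string. Each match is reported via
    mdlog.print_console. Gives up with False after more than rateLimit
    strings have been examined without completing the sequence.
    """
    if not keywords:
        return False
    matched = 0
    examined = 0
    for _address, _size, data in memory_strings:
        if keywords[matched] in data.strip():
            mdlog.print_console(mdlog.SUCCESS_LEVEL, keywords[matched])
            matched += 1
            if matched == len(keywords):
                break
        examined += 1
        if examined > rateLimit:
            return False
    return matched == len(keywords)


def find_meterpreter_trace(pid, rateLimit):
    """Scan the memory of process *pid* for a Meterpreter stdapi signature.

    The signature is an ordered keyword list: the native railgun stdapi
    names, or the Java Meterpreter class names when psutil reports the
    process executable as java.exe. Only 32-bit x86 hosts are scanned (the
    keyword sets are for the 32-bit payloads); elsewhere the function
    returns False without touching the process.

    Args:
        pid: PID of the process to scan. Reading its memory needs sufficient
            privileges; failures there propagate from Process.strings().
        rateLimit: maximum number of memory strings to examine.

    Returns:
        True only when every keyword was found, in order, within the limit;
        False otherwise.

    NOTE(review): plaintext-signature detection only. Packed, encrypted or
    renamed stagers and x64 sessions are not detected; a False result means
    "no evidence found", not "clean".
    """
    if not (System.arch == 'i386' and System.bits == 32):
        return False

    native_keywords = [
        'stdapi_railgun_api',
        'stdapi_railgun_api_multi',
        'stdapi_railgun_memread',
        'stdapi_railgun_memwrite',
    ]
    java_keywords = [
        'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_fs_file',
        'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_client',
        'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_server',
        'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_udp_client',
    ]

    keywords = native_keywords
    try:
        info = psutil.Process(pid)
        # Windows file names are case-insensitive, so compare lower-cased.
        if info.is_running() and info.name().lower() == 'java.exe':
            keywords = java_keywords
    except Exception:
        # Best effort: if the process name cannot be resolved (process gone,
        # access denied, psutil unavailable) keep the native keyword set.
        pass

    return _match_keyword_sequence(Process(pid).strings(), keywords, rateLimit)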
pid = HexInput.integer(sys.argv[1]) except Exception, e: s = System() s.scan_processes() pl = s.find_processes_by_filename(sys.argv[1]) if not pl: print "Process not found: %s" % sys.argv[1] return if len(pl) > 1: print "Multiple processes found for %s" % sys.argv[1] for p, n in pl: print "\t%s: %s" % (p.get_pid(), n) return pid = pl[0][0].get_pid() s.clear() del s p = Process(pid) for address, size, data in p.strings(): if data.endswith('\0'): data = data[:-1] print "%s: %r" % (HexDump.address(address), data) if __name__ == '__main__': try: import psyco psyco.bind(main) except ImportError: pass main()
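def strings(pid):
    """Print the ASCII strings found in the memory of process *pid*.

    Output format is ``<address>: <string>`` per line, the address coming
    from HexDump.address. A trailing NUL is stripped and the string is
    written escaped (``%r``), not raw: the data originates in another
    process's memory, which may be hostile, and unescaped output could
    inject terminal control sequences.

    Args:
        pid: PID of the process to read.
    """
    process = Process(pid)
    for address, _size, data in process.strings():
        if data.endswith('\0'):
            data = data[:-1]
        print("%s: %r" % (HexDump.address(address), data))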
s = System() s.scan_processes() pl = s.find_processes_by_filename(sys.argv[1]) if not pl: print "Process not found: %s" % sys.argv[1] return if len(pl) > 1: print "Multiple processes found for %s" % sys.argv[1] for p, n in pl: print "\t%s: %s" % (p.get_pid(), n) return pid = pl[0][0].get_pid() s.clear() del s p = Process(pid) for address, size, data in p.strings(): if data.endswith("\0"): data = data[:-1] print "%s: %r" % (HexDump.address(address), data) if __name__ == "__main__": try: import psyco psyco.bind(main) except ImportError: pass main()
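# Hard requirement on the interpreter this script was written against.
if (version.major, version.minor, version.micro) != (2, 7, 6):
    print("Error: This program is written for Python 2.7.6")
    # One formatted string: under Python 2 a multi-argument print(...) would
    # have printed a tuple literal instead of the version number.
    print("You are running: %d.%d.%d" % (version.major, version.minor, version.micro))
    exit(1)

# Browser executables to look for (substring match on the task's filename),
# in the order they are checked, and the file each one's strings go to.
BROWSER_OUTPUTS = [
    ("firefox.exe", "firefox_output.txt"),
    ("chrome.exe", "chrome_output.txt"),
]

# Output files already truncated during this run. Browsers are multi-process
# (Chrome especially), so later processes of the same browser append instead
# of wiping what the previous process wrote.
truncated = set()

# NOTE(review): the output files receive every string in the browser's
# memory, which routinely includes session cookies, tokens and typed
# passwords. Protect and delete them as you would credentials.
system = System()
for task in system:
    task_name = task.get_filename()
    if task_name is None:
        continue

    filename = None
    for exe, out in BROWSER_OUTPUTS:
        if task_name.find(exe) != -1:
            filename = out
            break
    if filename is None:
        continue

    mode = "a" if filename in truncated else "w"
    truncated.add(filename)

    try:
        process = Process(task.get_pid())
        with open(filename, mode) as f:
            # Every string is logged; URL-looking ones are also echoed.
            for address, size, data in process.strings():
                where = HexDump.address(address)
                text = HexDump.printable(data)
                f.write(where + "\t" + text + "\n")
                if text.startswith((r"http://", r"https://", r"HTTP-memory-only")):
                    print("%s \t %s" % (where, text))
    except Exception as e:
        # One unreadable process (exited, access denied) must not abort the
        # sweep over the remaining browser processes.
        print("Could not read process %s (%s): %s" % (task.get_pid(), task_name, e))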