image load, unload, get proc addr

git-svn-id: file:///home/svn/incoming/trunk@2379 4d416f70-5f16-0410-b530-b9f4589650da

lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

@@ -5,6 +5,7 @@ require 'Rex/Post/Meterpreter/Packet'
 require 'Rex/Post/Meterpreter/Client'
 require 'Rex/Post/Meterpreter/Extensions/Stdapi/Stdapi'
 
+require 'Rex/Post/Meterpreter/Extensions/Stdapi/Sys/ProcessSubsystem/Image'
 require 'Rex/Post/Meterpreter/Extensions/Stdapi/Sys/ProcessSubsystem/Memory'
 
 module Rex
@@ -149,6 +150,7 @@ class Process < Rex::Post::Process
 
 		initialize_aliases(
 			{
+				'image'  => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image.new(self),
 				'memory' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory.new(self),
 			})
 	end

lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb

@@ -0,0 +1,78 @@
+#!/usr/bin/ruby
+
+require 'Rex/Post/Meterpreter/Client'
+require 'Rex/Post/Meterpreter/Extensions/Stdapi/Constants'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Sys
+module ProcessSubsystem
+
+###
+#
+# Image
+# -----
+#
+# Interacts with loading, unloading, enumerating, and querying
+# image files in the context of a given process.
+#
+###
+class Image
+
+	##
+	#
+	# Constructor
+	#
+	##
+
+	def initialize(process)
+		self.process = process
+	end
+
+	# Loads an image file into the context of the process
+	def load(image_path)
+		request = Packet.create_request('stdapi_sys_process_image_load')
+
+		request.add_tlv(TLV_TYPE_HANDLE, process.handle)
+		request.add_tlv(TLV_TYPE_IMAGE_FILE_PATH, image_path)
+
+		response = process.client.send_request(request)
+
+		return response.get_tlv_value(TLV_TYPE_IMAGE_BASE)
+	end
+
+	# Returns the address of the procedure that is found in the supplied
+	# library
+	def get_procedure_address(image_file, procedure)
+		request = Packet.create_request('stdapi_sys_process_image_get_proc_address')
+
+		request.add_tlv(TLV_TYPE_IMAGE_FILE, image_file)
+		request.add_tlv(TLV_TYPE_PROCEDURE_NAME, procedure)
+
+		response = process.client.send_request(request)
+
+		return response.get_tlv_value(TLV_TYPE_PROCEDURE_ADDRESS)
+	end
+
+	# Unloads an image file that is loaded into the address space of the
+	# process by its base address
+	def unload(base)
+		request = Packet.create_request('stdapi_sys_process_image_unload')
+
+		request.add_tlv(TLV_TYPE_HANDLE, process.handle)
+		request.add_tlv(TLV_TYPE_IMAGE_BASE, base)
+
+		response = process.client.send_request(request)
+
+		return true
+	end
+
+protected
+	attr_accessor :process
+
+end
+
+end; end; end; end; end; end; end

lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb

@@ -11,6 +11,16 @@ module Stdapi
 module Sys
 module ProcessSubsystem
 
+###
+#
+# Memory
+# ------
+#
+# Provides an interface to allocate, free, read, write, query,
+# protect, lock, and unlock memory in the context of a given
+# process.
+#
+###
 class Memory
 
 	# Page protection translation hash
@@ -30,6 +40,12 @@ class Memory
 		PROT_WRITE               => PAGE_READWRITE
 	}
 
+	##
+	#
+	# Constructor
+	#
+	##
+
 	def initialize(process)
 		self.process = process
 	end

lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -46,6 +46,12 @@ TLV_TYPE_PROCESS_NAME       = TLV_META_TYPE_STRING  | 2301
 TLV_TYPE_PROCESS_PATH       = TLV_META_TYPE_STRING  | 2302
 TLV_TYPE_PROCESS_GROUP      = TLV_META_TYPE_GROUP   | 2303
 
+TLV_TYPE_IMAGE_FILE         = TLV_META_TYPE_STRING  | 2400
+TLV_TYPE_IMAGE_FILE_PATH    = TLV_META_TYPE_STRING  | 2401
+TLV_TYPE_PROCEDURE_NAME     = TLV_META_TYPE_STRING  | 2402
+TLV_TYPE_PROCEDURE_ADDRESS  = TLV_META_TYPE_UINT    | 2403
+TLV_TYPE_IMAGE_BASE         = TLV_META_TYPE_UINT    | 2404
+
 ##
 #
 # Fs