store and return HANDLE of created process for future uses

2025-01-02 11:36:22 +01:00 · 2023-02-17 09:25:53 -05:00 · 2023-02-17 09:25:53 -05:00 · e601e34a1b
commit e601e34a1b
parent 19840fa13d
2 changed files with 20 additions and 5 deletions
--- a/python/meterpreter/ext_server_stdapi.py
+++ b/python/meterpreter/ext_server_stdapi.py
@ -743,6 +743,7 @@ PROCESS_TERMINATE                 = 0x0001
 PROCESS_VM_READ                   = 0x0010
 PROCESS_QUERY_INFORMATION         = 0x0400
 PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
+PROCESS_ALL_ACCESS                = 0x1fffff
 VER_NT_WORKSTATION                = 0x0001
 VER_NT_DOMAIN_CONTROLLER          = 0x0002
 VER_NT_SERVER                     = 0x0003
@ -1383,11 +1384,17 @@ def stdapi_sys_process_execute(request, response):
        proc_h.start()
    else:
        proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-    proc_h_id = meterpreter.add_process(proc_h)
+
+    win32_handle = None
+    if has_windll:
+        k32 = ctypes.windll.kernel32
+        win32_handle = k32.OpenProcess(PROCESS_ALL_ACCESS, False, proc_h.pid)
+
+    proc_h_id = meterpreter.add_process(proc_h, win32_handle)
    response += tlv_pack(TLV_TYPE_PID, proc_h.pid)
    response += tlv_pack(TLV_TYPE_PROCESS_HANDLE, proc_h_id)
    if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED):
-        channel_id = meterpreter.add_channel(MeterpreterProcess(proc_h))
+        channel_id = meterpreter.add_channel(MeterpreterProcess(proc_h, win32_handle))
        response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
    return ERROR_SUCCESS, response

--- a/python/meterpreter/meterpreter.py
+++ b/python/meterpreter/meterpreter.py
@ -667,11 +667,14 @@ export(MeterpreterFile)

 #@export
 class MeterpreterProcess(MeterpreterChannel):
-    def __init__(self, proc_h):
+    def __init__(self, proc_h, win32_handle = None):
        self.proc_h = proc_h
+        self.win32_handle = win32_handle
        super(MeterpreterProcess, self).__init__()

    def close(self):
+        if has_windll and self.win32_handle:
+            ctypes.windll.kernel32.CloseHandle(self.win32_handle)
        if self.proc_h.poll() is None:
            self.proc_h.kill()
        if self.proc_h.ptyfd is not None:
@ -1258,11 +1261,13 @@ class PythonMeterpreter(object):
        self.next_channel_id += 1
        return idx

-    def add_process(self, process):
+    def add_process(self, process, win32_handle = None):
        idx = self.next_process_id
-        self.processes[idx] = process
+        self.processes[idx] = (process, win32_handle)
        debug_print('[*] added process id: ' + str(idx))
        self.next_process_id += 1
+        if win32_handle:
+            idx = win32_handle
        return idx

    def close_channel(self, channel_id):
@ -1356,6 +1361,9 @@ class PythonMeterpreter(object):
                            data += proc_h.stderr_reader.read()
                        if proc_h.stdout_reader.is_read_ready():
                            data += proc_h.stdout_reader.read()
+                        proc_win32_h = channel.win32_handle
+                        if has_windll and proc_win32_h:
+                            pass  # do what you want
                    # Defer closing the channel until the data has been sent
                    if not channel.is_alive():
                        close_channel = True