-
Notifications
You must be signed in to change notification settings - Fork 658
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add universal unhooking call to meterpreter server #302
Conversation
Hello again, @mrjefftang! Could you provide an example run? I am curious about when this extension gets loaded and how. I know some extensions are loaded at the start automatically while others are loaded on-demand. I don't see any corresponding change/PR to the framework side or any change to existing code to help me understand the loading chronology here. Is this an autoload based on the location in a filesystem? |
@bwatters-r7, framework pr is here rapid7/metasploit-framework#10676 |
@timwr, I scrolled right past it..... Thanks! |
Extension is a plug-in. Set to auto load before stdapi if enabled or on demand by user |
In terms of the order of operations, this doesnt make much sense (to me anyway) as an evasion strategy as a meterpreter extension, because extension loading requires metsrv to be loaded and active, and therefore already detected by the hooks we're trying to remove in the 1st place.
Thoughts? |
There's definitely a trade off of when we deliver this stage. From my understanding, metsrv only establishes a connect back so there's minimal API calls. So by setting autounhook, we can unhook prior to stdapi getting loaded and user input/scripts runnign which could cause more noise. In theory, we could just merge this all into the reflective DLL loader for metsrv but I think the trade off of letting metsrv run and callback will confirm exploit worked vs risking a large payload going down and failing somewhere in the loading process. |
Stages such as reverse TCP are establishing the initial transport, which is already under observation if they hook all the things. However, that can be obfuscated and with some cleanup, made to look like normal memory ops (rwx isn't great). The callback subsequently pulls in metsrv, and the existing transport is handed back to it for reuse as an address on a register. My suggestion is to place the unhook piece between stage0 and the acquisition of metsrv to prep the memory space into which the metsrv stage will be loaded. |
Waiting on feedback to some issues documented on the framework side. |
Merge branch 'land-302' into upstream-master
This is a second attempt at #174. The initial request choked on a powershell.exe host process for 2 reasons:
On the suggestion of @sempervictus, this is implemented as an extension/stage.