Metasploit mailing list archives
Re: Wmic through the windows api
From: Abuse 007 <abuse007 () gmail com>
Date: Fri, 17 May 2013 02:59:03 +1000
Hi Brian,

Perhaps you need to allocate some memory in a process, write your custom data structure there, and then make the call with a pointer/reference to the custom data structure in the memory you allocated for it.

Cheers,
B

On Fri, Mar 22, 2013 at 12:38 AM, Brian Seel <brian.seel () gmail com> wrote:

I finally was able to finish my extension that will allow anyone to do with calls from the Windows API. There are a few finishing touches I need to do before I release it, but I am wondering what the best way to integrate this is. Obviously the Railgun route would have been better, but I couldn't get that to work.

From what I see from the way other extensions are done, it looks like I should make a Ruby wrapper to allow this to be called elsewhere in Meterpreter, and then I just put the DLL with all of the other extensions.

Basically, my question is what considerations should I make before submitting a new extension. I understand that writing extensions is not the normal way of adding functionality.

On Tue, Mar 3, 2013 at 3:56 PM, Brian Seel <brian.seel () gmail com> wrote:

Ok... I dug into this a bit more. But I am having some confusion (with little and big endian for some reason).

I am trying to implement this line in Railgun:

CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &pLoc);

I know that CLSID_WbemLocator has to be 4590F811-1D3A-11D0-891F-00AA004B2E24 and IID_IWbemLocator has to be dc12a687-737f-11cf-884d-00aa004b2e24. I have figured out that I need to allocate memory, and write the GUID structure directly.

However, I used Immunity Debugger to see what it should look like on the stack, and saw the following:

http://i.imgur.com/zB1pDGi.jpg

It looks like the 4590F811, 1D3A, and 11D0 are big endian. But then 891F and 00AA004B2E24 are little endian. How is something like that possible in a single struct??

Brian

On Tue, Feb 19, 2013 at 7:56 PM, Brian Seel <brian.seel () gmail com> wrote:

I tweeted this question to David Maloney, and then remembered about this list...

I am trying to write something that will do WMI queries through Railgun (similar to what Carlos Perez wrote... but with the Windows API). However, I am running into issues when I have to use custom structures.

Basically, I have created a definitions file for ole32.dll in Railgun and then call the following:

CoInitializeEx(0, COINIT_MULTITHREADED);
CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &pLoc);

The last line has two non-standard data types, and I am not sure how to handle those. I wrote this all as an extension in C++, and CLSID_WbemLocator and IID_IWbemLocator were defined in a header file.

TL;DR: How do I pass non-standard data types from the Windows API to a function with Railgun?

MSDN reference:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa389762(v=vs.85).aspx

Thanks
Brian
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
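The "mixed endianness" Brian saw in the debugger is just the Win32 GUID struct layout: Data1, Data2 and Data3 are integers (stored little-endian on x86), while Data4 is a plain byte array. The Ruby below is an added example, not code from the thread or from Metasploit; it packs a GUID string into the 16 bytes that would be written into memory allocated on the target and passed by pointer, as the reply suggests. The constant names and helper functions are my own.

```ruby
# Added example (not from the thread or from Metasploit/Railgun).
#
# typedef struct _GUID {
#   DWORD Data1;     // 4-byte integer  -> little-endian in memory
#   WORD  Data2;     // 2-byte integer  -> little-endian in memory
#   WORD  Data3;     // 2-byte integer  -> little-endian in memory
#   BYTE  Data4[8];  // byte array      -> stored exactly as written
# } GUID;
#
# A debugger dump therefore shows the first three groups byte-reversed
# relative to the text form and the last two groups in text order.

CLSID_WBEM_LOCATOR = '4590F811-1D3A-11D0-891F-00AA004B2E24'.freeze
IID_IWBEM_LOCATOR  = 'dc12a687-737f-11cf-884d-00aa004b2e24'.freeze

# Pack "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (braces optional) into the
# 16-byte in-memory representation of a GUID struct.
def guid_to_bytes(guid)
  m = guid.match(/\A\{?(\h{8})-(\h{4})-(\h{4})-(\h{4})-(\h{12})\}?\z/)
  raise ArgumentError, "malformed GUID: #{guid}" unless m

  data1, data2, data3, d4_head, d4_tail = m.captures
  # V = 32-bit LE, v = 16-bit LE; H16 = 16 hex digits, high nibble first
  [data1.hex, data2.hex, data3.hex].pack('Vvv') + [d4_head + d4_tail].pack('H16')
end

# Inverse: turn 16 raw bytes (e.g. read back from the target) into the
# canonical upper-case text form, for checking what was actually written.
def bytes_to_guid(bytes)
  raise ArgumentError, 'GUID must be 16 bytes' unless bytes.bytesize == 16

  data1, data2, data3 = bytes.unpack('Vvv')
  data4 = bytes.byteslice(8, 8).unpack1('H16').upcase
  format('%08X-%04X-%04X-%s-%s', data1, data2, data3, data4[0, 4], data4[4, 12])
end

if __FILE__ == $PROGRAM_NAME
  # Hex dump of the packed CLSID, in memory order, to compare with a debugger view.
  puts guid_to_bytes(CLSID_WBEM_LOCATOR).unpack1('H*')
  puts bytes_to_guid(guid_to_bytes(IID_IWBEM_LOCATOR))
end
```

The resulting String is what you would write into memory allocated on the target (the approach described in the reply above) and then pass the address of as the first and fourth arguments of CoCreateInstance.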