[WIP] MeterpreterOptions break-up and default extension loading removal #20012
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…s, adding AutoLoadExtensions option (Windows, Linux)
dledda-r7
commented
Apr 8, 2025
Comment on lines
+195
to
+197
| console.run_single("load #{extension}") | ||
| console.run_single('unhook_pe') if extension == 'unhook' | ||
| session.load_session_info if extension == 'stdapi' && datastore['AutoSystemInfo'] |
There was a problem hiding this comment.
# TODO: abstract this a little, perhaps a "post load" function that removes
# platform-specific stuff?
…s, adding AutoLoadExtensions option (AppleIos,Php,Python,Java,Osx,Android)
|
Also blocked by #19799 To future me: modify it to have the architecutre specific |
dledda-r7
commented
Apr 9, 2025
Comment on lines
+17
to
+20
| OptString.new( | ||
| 'AutoLoadExtensions', | ||
| [true, "Automatically load extensions on bootstrap, semicolon separated.", 'stdapi'] | ||
| ), |
There was a problem hiding this comment.
Suggested change
| OptString.new( | |
| 'AutoLoadExtensions', | |
| [true, "Automatically load extensions on bootstrap, semicolon separated.", 'stdapi'] | |
| ), | |
| OptString.new( | |
| 'AutoLoadExtensions', | |
| [true, "Automatically load extensions on bootstrap, semicolon separated.", 'stdapi'] | |
| ), | |
| OptString.new( | |
| 'PayloadProcessCommandLine', | |
| [ false, 'The displayed command line that will be used by the payload', ''] | |
| ), |
dledda-r7
changed the title
dledda-r7
added
payload
rn-payload-enhancement
jvoisin
reviewed
Apr 9, 2025
Comment on lines
+186
to
+188
| extensions.push('unhook') if datastore['AutoUnhookProcess'] && session.platform == 'windows' | ||
| extensions.push('stdapi') if datastore['AutoLoadStdapi'] | ||
| extensions.push('priv') if datastore['AutoLoadStdapi'] && session.platform('windows') |
There was a problem hiding this comment.
is it session.platform('windows') or `session.platform == 'windows' ? I would be nice to pick one and stick to it.
| @@ -180,32 +180,23 @@ def bootstrap(datastore = {}, handler = nil) | |||
| print_warning('Meterpreter start up operations have been aborted. Use the session at your own risk.') | |||
| return nil | |||
| end | |||
| # Unhook the process prior to loading stdapi to reduce logging/inspection by any AV/PSP | |||
There was a problem hiding this comment.
It would be nice to keep this comment I think.
There was a problem hiding this comment.
it would be incorrect as now the loading order is determined by the order in ';' list.
There was a problem hiding this comment.
Then maybe next to the default ; list, as it's not obvious why unhook is better loaded before stdapi.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is related to #19975
In order to reduce the memory footprint of Meterpreter on target system is necessary to be sure only necessary code is loaded inside Meterpreter.
While working on standard api split, I noticed the presence of two extensions that were loaded without the user knowladge,
privandunhook.This PR modifies the loading logic to use a datastore option
AutoLoadExtensionwhich contains a ';' separated list of extensions to load. At the moment insidelib/msf/base/sessions/meterpreter.rbis present a code block (commented) that keep the compability of the current working logic of Meterpreter.Since the AutoLoadExtension logic depends on the platform, the break-up of
meterpreter_option.rbto platform-specific option was necessary.Tasks:
meterpreter_options/common.rbmeterpreter_options/linux.rbmeterpreter_options/windows.rbmeterpreter_options/android.rbmeterpreter_options/osx.rbmeterpreter_options/python.rbmeterpreter_options/php.rbmeterpreter_options/java.rbmeterpreter_options/apple_ios.rbmeterpreter_options/bsd.rbmeterpreter_options.rb