Fix based on suggestions

jiuweigui · jiuweigui · commit 73f42591560f · 2013-08-24T19:14:48.000+03:00
diff --git a/modules/post/windows/gather/enum_prefetch.rb b/modules/post/windows/gather/enum_prefetch.rb
@@ -10,7 +10,9 @@
 require 'msf/core/post/windows/registry'
 class Metasploit3 < Msf::Post
 
+	include Msf::Post::File
 	include Msf::Post::Windows::Priv
+	include Msf::Post::Windows::Registry
 
 	def initialize(info={})
 		super(update_info(info,
@@ -28,86 +30,62 @@ def initialize(info={})
 
 	def prefetch_key_value()
 		# Checks if Prefetch registry key exists and what value it has.
-		prefetch_key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\Memory\ Management\\PrefetchParameters", KEY_READ)
-		key_value = prefetch_key.query_value("EnablePrefetcher").data
-
-		if key_value == 0
+		prefetch_key_value = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\PrefetchParameters", "EnablePrefetcher")
+		if prefetch_key_value == 0
 			print_error("EnablePrefetcher Value: (0) = Disabled (Non-Default).")
-		elsif key_value == 1
+		elsif prefetch_key_value == 1
 			print_good("EnablePrefetcher Value: (1) = Application launch prefetching enabled (Non-Default).")
-		elsif key_value == 2
+		elsif prefetch_key_value == 2
 			print_good("EnablePrefetcher Value: (2) = Boot prefetching enabled (Non-Default, excl. Win2k3).")
-		elsif key_value == 3
+		elsif prefetch_key_value == 3
 			print_good("EnablePrefetcher Value: (3) = Applaunch and boot enabled (Default Value, excl. Win2k3).")
 		else
 			print_error("No value or unknown value. Results might vary.")
 		end
-		prefetch_key.close
 	end
 
 	def timezone_key_values(key_value)
 		# Looks for timezone from registry
-		timezone_key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", KEY_READ)
-		if timezone_key.nil?
+		timezone = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", key_value)
+		tz_bias = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", "Bias")
+		if timezone.nil? or tz_bias.nil?
 			print_line("Couldn't find key/value for timezone from registry.")
 		else
-			timezone = timezone_key.query_value(key_value).data
-			tzbias = timezone_key.query_value("Bias").data
-			if timezone.nil? or tzbias.nil?
-				print_error("Couldn't find timezone information from registry.")
-			else
 				print_good("Remote: Timezone is %s." % timezone)
-				if tzbias < 0xfff
-					bias = tzbias
-					print_good("Remote: Localtime bias to UTC: -%s minutes." % bias)
+				if tz_bias < 0xfff
+					print_good("Remote: Localtime bias to UTC: -%s minutes." % tz_bias)
 				else
 					offset = 0xffffffff
-					bias = offset - tzbias
+					bias = offset - tz_bias
 					print_good("Remote: Localtime bias to UTC: +%s minutes." % bias)
 				end
 			end
 		end
-		timezone_key.close
-	end
 
-	def gather_prefetch_info(name_offset, hash_offset, lastrun_offset, runcount_offset, filename, table)
-		# This function seeks and gathers information from specific offsets.
-		h = client.railgun.kernel32.CreateFileA(filename, "GENERIC_READ", "FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_READONLY", nil)
-
-		if h['GetLastError'] != 0
-			print_error("Error opening a file handle on %s." % filename)
+	def gather_pf_info(name_offset, hash_offset, runcount_offset, filename, table)
+		# We'll load the file and parse information from the offsets
+		prefetch_file = read_file(filename)
+		if prefetch_file.empty? or prefetch_file.nil?
+			print_error("Couldn't read file: #{filename}")
 		else
-			handle = h['return']
-
-			# Finds the filename from the prefetch file
-			client.railgun.kernel32.SetFilePointer(handle, name_offset, 0, nil)
-			fname = client.railgun.kernel32.ReadFile(handle, 60, 60, 4, nil)
-			name = fname['lpBuffer']
-			idx = name.index("\x00\x00")
-
-			# Finds the run count from the prefetch file
-			client.railgun.kernel32.SetFilePointer(handle, runcount_offset, 0, nil)
-			count = client.railgun.kernel32.ReadFile(handle, 4, 4, 4, nil)
-
-			# Finds the file path hash from the prefetch file.
-			client.railgun.kernel32.SetFilePointer(handle, hash_offset, 0, nil)
-			hash = client.railgun.kernel32.ReadFile(handle, 4, 4, 4, nil)
-
-			# Finds the LastModified/Created timestamp (MACE)
+			# First we'll get the filename
+			pf_filename = prefetch_file[name_offset..name_offset+60]
+			idx = pf_filename.index("\x00\x00")
+			name = Rex::Text.to_ascii(pf_filename.slice(0..idx))
+			# Next we'll get the run count
+			run_count = prefetch_file[runcount_offset..runcount_offset+4].unpack('L*')[0].to_s
+			# Then file path hash
+			path_hash = prefetch_file[hash_offset..hash_offset+4].unpack('h8')[0].reverse.upcase.to_s
+			# Last is mace value for timestamps
 			mtimes = client.priv.fs.get_file_mace(filename)
-
-			# Checking and moving the values
-			if idx.nil? or count.nil? or hash.nil? or mtimes.nil?
-				print_error("Error reading file (might be temporary): %s" % filename)
+			if mtimes.nil? or mtimes.empty?
+				last_modified = "Error reading value"
+				created = "Error reading value"
 			else
-				pname = Rex::Text.to_ascii(name.slice(0..idx))
-				prun = count['lpBuffer'].unpack('L*')[0]
-				phash = hash['lpBuffer'].unpack('h*')[0].reverse
-				lmod = mtimes['Modified'].utc
-				creat = mtimes['Created'].utc
-				table << [lmod, creat,prun,phash,pname]
+				last_modified = mtimes['Modified'].utc.to_s
+				created = mtimes['Created'].utc.to_s
 			end
-			client.railgun.kernel32.CloseHandle(handle)
+			table << [last_modified, created, run_count, path_hash, name]
 		end
 	end
 
@@ -123,6 +101,9 @@ def run
 		error_msg = "You don't have enough privileges. Try getsystem."
 
 		if sysnfo =~/(Windows XP|2003|.NET)/
+			# For some reason we need system privileges to read file
+			# mace time on XP/2003 while we can do the same only
+			# as admin on Win7.
 			if not is_system?
 				print_error(error_msg)
 				return nil
@@ -131,7 +112,6 @@ def run
 			print_good("Detected #{sysnfo} (max 128 entries)")
 			name_offset = 0x10
 			hash_offset = 0x4C
-			lastrun_offset = 0x78
 			runcount_offset = 0x90
 			# Registry key for timezone
 			key_value = "StandardName"
@@ -145,7 +125,6 @@ def run
 			print_good("Detected #{sysnfo} (max 128 entries)")
 			name_offset = 0x10
 			hash_offset = 0x4C
-			lastrun_offset = 0x80
 			runcount_offset = 0x98
 			# Registry key for timezone
 			key_value = "TimeZoneKeyName"
@@ -169,25 +148,25 @@ def run
 		prefetch_key_value
 		timezone_key_values(key_value)
 		print_good("Current UTC Time: %s" % Time.now.utc)
-		sysroot = client.fs.file.expand_path("%SYSTEMROOT%")
-		full_path = sysroot + "\\Prefetch\\"
+		sys_root = expand_path("%SYSTEMROOT%")
+		full_path = sys_root + "\\Prefetch\\"
 		file_type = "*.pf"
 		print_status("Gathering information from remote system. This will take awhile..")
 
 		# Goes through the files in Prefetch directory, creates file paths for the
-		# gather_prefetch_info function that enumerates all the pf info
+		# gather_pf_info function that enumerates all the pf info
 
 		getfile_prefetch_filenames = client.fs.file.search(full_path,file_type,timeout=-1)
 		if getfile_prefetch_filenames.empty? or getfile_prefetch_filenames.nil?
-			print_error("Could not find/access any .pf files. Can't continue.")
+			print_error("Could not find/access any .pf files. Can't continue. (Might be temporary error..)")
 			return nil
 		else
 			getfile_prefetch_filenames.each do |file|
 				if file.empty? or file.nil?
-					print_error("Could not open file: %s" % filename)
+					print_error("Could not open file: %s" % file)
 				else
 					filename = File.join(file['path'], file['name'])
-					gather_prefetch_info(name_offset, hash_offset, lastrun_offset, runcount_offset, filename, table)
+					gather_pf_info(name_offset, hash_offset, runcount_offset, filename, table)
 				end
 			end
 		end
