TransWikia.com

What allows meterpreter to migrate processes and how to defend against it?

Information Security Asked on October 28, 2021

I mainly use Linux so I’m not well-versed on how Windows and its privileges work. I’ve recently learned to use Metasploit and meterpreter on Windows boxes.

Previous research

This answer has given an overview of how meterpreter migrates on Windows.
This article has addressed process migration on Linux.

My questions

  1. What allows process migration to work?
  2. What are the main differences between Windows and Linux in process migration?
  3. Is this migration a feature or a vulnerability?
  4. How can I defend it?
  5. Should I try to prevent process migration?

2 Answers

What allows process migration to work?

Process migration happens because of process injection, a technique where a process can run its code in the virtual address space of another process.

Specifically, in the meterpreter payload it's:

  1. Open the current process token to set SE_DEBUG privilege
  2. VirtualAllocEx to allocate memory in the target process
  3. WriteProcessMemory to write the payload into the target process's virtual memory space
  4. Call the routine of the thread via CreateRemoteThread

source

What are the main differences between Windows and Linux in process migration?

For starters, Linux doesn't use DLLs, although there are more process injection techniques that don't use DLLs in Windows (PE injection); in Linux you would use LD_PRELOAD or ptrace.

Is this migration a feature or a vulnerability?

Feature, since there are many use cases of process injection like debugging, game hacking, using themes, changing the functionality of programs and anti-virus stuff.

How can I defend it?

Most likely you would want to hook functions that might be used and then perform checks if you want to allow it to happen (might break stuff); further reading

Should I try to prevent process migration?

It's mostly used in malware to hide; even without using it, you can do just as much damage. So... no.

Answered by yeah_well on October 28, 2021
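As an added illustration of the "hook functions and perform checks" defence described in the answer above (example code written for this page, not from the Q&A or from Metasploit), the following correlates a trace of hooked API calls and flags only the full cross-process chain the answer lists: VirtualAllocEx, then WriteProcessMemory, then CreateRemoteThread against the same target. The event tuple layout and the sample trace are assumptions constructed for the example, not any real tool's log format.

```python
# Added example: correlation rule for the injection sequence described in the
# answer, run over a constructed trace of hooked API calls.
from collections import defaultdict

# The chain the answer describes, in the order an injector performs it.
# OpenProcessToken/SeDebugPrivilege happens inside the injector's own process,
# so it is kept only as a supporting signal rather than a chain step.
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# Constructed trace (assumed format): (source_pid, api_name, target_pid),
# i.e. what a user-mode hook on these functions might record.
SAMPLE_TRACE = [
    (1200, "OpenProcessToken", 1200),   # injector touching its own token
    (1200, "OpenProcess", 4321),
    (1200, "VirtualAllocEx", 4321),
    (1200, "WriteProcessMemory", 4321),
    (1200, "CreateRemoteThread", 4321),  # full chain into pid 4321 -> flagged
    (880, "VirtualAllocEx", 880),        # benign: allocating in its own space
    (880, "WriteProcessMemory", 880),
    (990, "WriteProcessMemory", 1500),   # debugger patching its debuggee
    (990, "CreateRemoteThread", 1500),   # no remote allocation first -> not flagged
]

def find_injection_chains(trace):
    """Return (source_pid, target_pid, touched_own_token) for every pair where
    the source ran VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread,
    in that order, against a *different* process. Same-process calls and
    out-of-order partial sequences are ignored to limit false positives."""
    progress = defaultdict(int)   # (src, dst) -> index of next expected step
    touched_token = set()         # pids seen opening their own token
    hits = []
    for src, api, dst in trace:
        if api == "OpenProcessToken" and src == dst:
            touched_token.add(src)
            continue
        if src == dst:
            continue              # in-process memory work is normal, not migration
        key = (src, dst)
        step = progress[key]
        if step < len(INJECTION_CHAIN) and api == INJECTION_CHAIN[step]:
            progress[key] = step + 1
            if progress[key] == len(INJECTION_CHAIN):
                hits.append((src, dst, src in touched_token))
    return hits

if __name__ == "__main__":
    for src, dst, token in find_injection_chains(SAMPLE_TRACE):
        print(f"possible injection: pid {src} -> pid {dst} (own token opened: {token})")
```

Requiring all three calls in order is what keeps the debugger in the trace unflagged; as the answer warns, a looser rule that reacts to any one of these hooks will break legitimate tools.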

Control of memory spaces and job control — such as the ability to launch a process into userspace runtime — allows for process migration.

In other words, it’s a feature called “an Operating System”.

Answered by atdre on October 28, 2021
