Accessing the Windows API Directly

If you are into pentesting I am sure you might have heard about the IRB shell in the Metasploit framework. This will be a small post about accessing Windows API using Railgun. Using Railgun we can access different functions in DLLs during runtime in memory. We could also write our own DLLs and call them directly using Railgun. This technique is used in the Meterpreter scripts and post exploitation modules to access the API to perform automated tasks.
For demonstration I will be using a Windows 7 machine as the target and Kali as the attacker machine.
After owning the box in the meterpreter session type “irb” and from there we can start the interactive ruby shell. The “client” will be our meterpreter client. We can access common API calls like this. Suppose I want to get the system information.

client.sys.config.sysinfo

Get the user ID

client.sys.config.getuid

(more…)

Advertisements