dstruct 0.0.1

data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb

@@ -0,0 +1,180 @@
+# -*- coding: binary -*-
+
+require 'rex/post/thread'
+require 'rex/post/meterpreter/client'
+require 'rex/post/meterpreter/extensions/stdapi/constants'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Sys
+
+##
+#
+# This class implements the Rex::Post::Thread interface which
+# wrappers a logical thread for a given process.
+#
+##
+class Thread < Rex::Post::Thread
+
+  include Rex::Post::Meterpreter::ObjectAliasesContainer
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Initialize the thread instance.
+  #
+  def initialize(process, handle, tid)
+    self.process = process
+    self.handle  = handle
+    self.tid     = tid
+    ObjectSpace.define_finalizer( self, self.class.finalize(self.process.client, self.handle) )
+  end
+
+  def self.finalize(client,handle)
+    proc { self.close(client,handle) }
+  end
+
+  ##
+  #
+  # Execution
+  #
+  ##
+
+  #
+  # Suspends the thread's execution.
+  #
+  def suspend
+    request = Packet.create_request('stdapi_sys_process_thread_suspend')
+
+    request.add_tlv(TLV_TYPE_THREAD_HANDLE, handle)
+
+    process.client.send_request(request)
+
+    return true
+  end
+
+  #
+  # Resumes the thread's execution.
+  #
+  def resume
+    request = Packet.create_request('stdapi_sys_process_thread_resume')
+
+    request.add_tlv(TLV_TYPE_THREAD_HANDLE, handle)
+
+    process.client.send_request(request)
+
+    return true
+  end
+
+  #
+  # Terminates the thread's execution.
+  #
+  def terminate(code)
+    request = Packet.create_request('stdapi_sys_process_thread_terminate')
+
+    request.add_tlv(TLV_TYPE_THREAD_HANDLE, handle)
+    request.add_tlv(TLV_TYPE_EXIT_CODE, code)
+
+    process.client.send_request(request)
+
+    return true
+  end
+
+  ##
+  #
+  # Register manipulation
+  #
+  ##
+
+  #
+  # Queries the register state of the thread.
+  #
+  def query_regs
+    request = Packet.create_request('stdapi_sys_process_thread_query_regs')
+    regs    = {}
+
+    request.add_tlv(TLV_TYPE_THREAD_HANDLE, handle)
+
+    response = process.client.send_request(request)
+
+    response.each(TLV_TYPE_REGISTER) { |reg|
+      regs[reg.get_tlv_value(TLV_TYPE_REGISTER_NAME)] = reg.get_tlv_value(TLV_TYPE_REGISTER_VALUE_32)
+    }
+
+    return regs
+  end
+
+  #
+  # Sets the register state of the thread.  The registers are supplied
+  # in the form of a hash.
+  #
+  def set_regs(regs_hash)
+    request = Packet.create_request('stdapi_sys_process_thread_set_regs')
+
+    request.add_tlv(TLV_TYPE_THREAD_HANDLE, handle)
+
+    # Add all of the register that we're setting
+    regs_hash.each_key { |name|
+      t = request.add_tlv(TLV_TYPE_REGISTER)
+
+      t.add_tlv(TLV_TYPE_REGISTER_NAME, name)
+      t.add_tlv(TLV_TYPE_REGISTER_VALUE_32, regs_hash[name])
+    }
+
+    process.client.send_request(request)
+
+    return true
+  end
+
+  #
+  # Formats the registers in a pretty way.
+  #
+  def pretty_regs
+    regs = query_regs
+
+    buf  = sprintf("eax=%.8x ebx=%.8x ecx=%.8x edx=%.8x esi=%.8x edi=%.8x\n",
+                   regs['eax'], regs['ebx'], regs['ecx'], regs['edx'], regs['esi'], regs['edi'])
+    buf += sprintf("eip=%.8x esp=%.8x ebp=%.8x\n",
+                   regs['eip'], regs['esp'], regs['ebp'])
+    buf += sprintf("cs=%.4x ss=%.4x ds=%.4x es=%.4x fs=%.4x gs=%.4x\n",
+                   regs['cs'], regs['ss'], regs['ds'], regs['es'], regs['fs'], regs['gs'])
+
+    return buf
+  end
+
+  ##
+  #
+  # Closure
+  #
+  ##
+
+  #
+  # Closes the thread handle.
+  #
+  def self.close(client, handle)
+    request = Packet.create_request('stdapi_sys_process_thread_close')
+    request.add_tlv(TLV_TYPE_THREAD_HANDLE, handle)
+    client.send_request(request, nil)
+    handle = nil
+    return true
+  end
+
+  # Instance method
+  def close
+    self.class.close(self.process.client, self.handle)
+  end
+
+  attr_reader :process, :handle, :tid # :nodoc:
+protected
+  attr_writer :process, :handle, :tid # :nodoc:
+
+end
+
+end; end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -0,0 +1,236 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+
+##
+#
+# General
+#
+##
+
+TLV_TYPE_HANDLE             = TLV_META_TYPE_QWORD   |  600
+TLV_TYPE_INHERIT            = TLV_META_TYPE_BOOL    |  601
+TLV_TYPE_PROCESS_HANDLE     = TLV_META_TYPE_QWORD   |  630
+TLV_TYPE_THREAD_HANDLE      = TLV_META_TYPE_QWORD   |  631
+TLV_TYPE_PRIVILEGE          = TLV_META_TYPE_STRING  |  632
+
+##
+#
+# Fs
+#
+##
+
+TLV_TYPE_DIRECTORY_PATH     = TLV_META_TYPE_STRING  | 1200
+TLV_TYPE_FILE_NAME          = TLV_META_TYPE_STRING  | 1201
+TLV_TYPE_FILE_PATH          = TLV_META_TYPE_STRING  | 1202
+TLV_TYPE_FILE_MODE          = TLV_META_TYPE_STRING  | 1203
+TLV_TYPE_FILE_SIZE          = TLV_META_TYPE_UINT    | 1204
+
+TLV_TYPE_STAT_BUF           = TLV_META_TYPE_COMPLEX | 1220
+
+TLV_TYPE_SEARCH_RECURSE     = TLV_META_TYPE_BOOL    | 1230
+TLV_TYPE_SEARCH_GLOB        = TLV_META_TYPE_STRING  | 1231
+TLV_TYPE_SEARCH_ROOT        = TLV_META_TYPE_STRING  | 1232
+TLV_TYPE_SEARCH_RESULTS     = TLV_META_TYPE_GROUP   | 1233
+##
+#
+# Net
+#
+##
+TLV_TYPE_HOST_NAME          = TLV_META_TYPE_STRING  | 1400
+TLV_TYPE_PORT               = TLV_META_TYPE_UINT    | 1401
+TLV_TYPE_INTERFACE_MTU      = TLV_META_TYPE_UINT    | 1402
+TLV_TYPE_INTERFACE_FLAGS    = TLV_META_TYPE_STRING  | 1403
+TLV_TYPE_INTERFACE_INDEX    = TLV_META_TYPE_UINT    | 1404
+
+TLV_TYPE_SUBNET             = TLV_META_TYPE_RAW     | 1420
+TLV_TYPE_NETMASK            = TLV_META_TYPE_RAW     | 1421
+TLV_TYPE_GATEWAY            = TLV_META_TYPE_RAW     | 1422
+TLV_TYPE_NETWORK_ROUTE      = TLV_META_TYPE_GROUP   | 1423
+TLV_TYPE_IP_PREFIX          = TLV_META_TYPE_UINT    | 1424
+TLV_TYPE_ARP_ENTRY          = TLV_META_TYPE_GROUP   | 1425
+
+TLV_TYPE_IP                 = TLV_META_TYPE_RAW     | 1430
+TLV_TYPE_MAC_ADDRESS        = TLV_META_TYPE_RAW     | 1431
+TLV_TYPE_MAC_NAME           = TLV_META_TYPE_STRING  | 1432
+TLV_TYPE_NETWORK_INTERFACE  = TLV_META_TYPE_GROUP   | 1433
+TLV_TYPE_IP6_SCOPE          = TLV_META_TYPE_RAW     | 1434
+
+TLV_TYPE_SUBNET_STRING      = TLV_META_TYPE_STRING  | 1440
+TLV_TYPE_NETMASK_STRING     = TLV_META_TYPE_STRING  | 1441
+TLV_TYPE_GATEWAY_STRING     = TLV_META_TYPE_STRING  | 1442
+TLV_TYPE_ROUTE_METRIC       = TLV_META_TYPE_UINT    | 1443
+
+# Resolve
+TLV_TYPE_ADDR_TYPE          = TLV_META_TYPE_UINT    | 1444
+
+# Proxy configuration
+TLV_TYPE_PROXY_CFG_AUTODETECT    = TLV_META_TYPE_BOOL    | 1445
+TLV_TYPE_PROXY_CFG_AUTOCONFIGURL = TLV_META_TYPE_STRING  | 1446
+TLV_TYPE_PROXY_CFG_PROXY         = TLV_META_TYPE_STRING  | 1447
+TLV_TYPE_PROXY_CFG_PROXYBYPASS   = TLV_META_TYPE_STRING  | 1448
+
+# Socket
+TLV_TYPE_PEER_HOST          = TLV_META_TYPE_STRING  | 1500
+TLV_TYPE_PEER_PORT          = TLV_META_TYPE_UINT    | 1501
+TLV_TYPE_LOCAL_HOST         = TLV_META_TYPE_STRING  | 1502
+TLV_TYPE_LOCAL_PORT         = TLV_META_TYPE_UINT    | 1503
+TLV_TYPE_CONNECT_RETRIES    = TLV_META_TYPE_UINT    | 1504
+TLV_TYPE_NETSTAT_ENTRY      = TLV_META_TYPE_GROUP   | 1505
+TLV_TYPE_PEER_HOST_RAW      = TLV_META_TYPE_RAW     | 1506
+TLV_TYPE_LOCAL_HOST_RAW     = TLV_META_TYPE_RAW     | 1507
+
+TLV_TYPE_SHUTDOWN_HOW       = TLV_META_TYPE_UINT    | 1530
+
+##
+#
+# Sys
+#
+##
+
+PROCESS_EXECUTE_FLAG_HIDDEN           = (1 << 0)
+PROCESS_EXECUTE_FLAG_CHANNELIZED      = (1 << 1)
+PROCESS_EXECUTE_FLAG_SUSPENDED        = (1 << 2)
+PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN = (1 << 3)
+PROCESS_EXECUTE_FLAG_DESKTOP          = (1 << 4)
+PROCESS_EXECUTE_FLAG_SESSION          = (1 << 5)
+
+# Registry
+TLV_TYPE_HKEY               = TLV_META_TYPE_QWORD   | 1000
+TLV_TYPE_ROOT_KEY           = TLV_TYPE_HKEY
+TLV_TYPE_BASE_KEY           = TLV_META_TYPE_STRING  | 1001
+TLV_TYPE_PERMISSION         = TLV_META_TYPE_UINT    | 1002
+TLV_TYPE_KEY_NAME           = TLV_META_TYPE_STRING  | 1003
+TLV_TYPE_VALUE_NAME         = TLV_META_TYPE_STRING  | 1010
+TLV_TYPE_VALUE_TYPE         = TLV_META_TYPE_UINT    | 1011
+TLV_TYPE_VALUE_DATA         = TLV_META_TYPE_RAW     | 1012
+TLV_TYPE_TARGET_HOST        = TLV_META_TYPE_STRING  | 1013
+
+# Config
+TLV_TYPE_COMPUTER_NAME      = TLV_META_TYPE_STRING  | 1040
+TLV_TYPE_OS_NAME            = TLV_META_TYPE_STRING  | 1041
+TLV_TYPE_USER_NAME          = TLV_META_TYPE_STRING  | 1042
+TLV_TYPE_ARCHITECTURE       = TLV_META_TYPE_STRING  | 1043
+TLV_TYPE_LANG_SYSTEM        = TLV_META_TYPE_STRING  | 1044
+
+# Environment
+TLV_TYPE_ENV_VARIABLE       = TLV_META_TYPE_STRING  | 1100
+TLV_TYPE_ENV_VALUE          = TLV_META_TYPE_STRING  | 1101
+TLV_TYPE_ENV_GROUP          = TLV_META_TYPE_GROUP   | 1102
+
+DELETE_KEY_FLAG_RECURSIVE   = (1 << 0)
+
+# Process
+TLV_TYPE_BASE_ADDRESS       = TLV_META_TYPE_QWORD   | 2000
+TLV_TYPE_ALLOCATION_TYPE    = TLV_META_TYPE_UINT    | 2001
+TLV_TYPE_PROTECTION         = TLV_META_TYPE_UINT    | 2002
+TLV_TYPE_PROCESS_PERMS      = TLV_META_TYPE_UINT    | 2003
+TLV_TYPE_PROCESS_MEMORY     = TLV_META_TYPE_RAW     | 2004
+TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_QWORD   | 2005
+TLV_TYPE_MEMORY_STATE       = TLV_META_TYPE_UINT    | 2006
+TLV_TYPE_MEMORY_TYPE        = TLV_META_TYPE_UINT    | 2007
+TLV_TYPE_ALLOC_PROTECTION   = TLV_META_TYPE_UINT    | 2008
+TLV_TYPE_PID                = TLV_META_TYPE_UINT    | 2300
+TLV_TYPE_PROCESS_NAME       = TLV_META_TYPE_STRING  | 2301
+TLV_TYPE_PROCESS_PATH       = TLV_META_TYPE_STRING  | 2302
+TLV_TYPE_PROCESS_GROUP      = TLV_META_TYPE_GROUP   | 2303
+TLV_TYPE_PROCESS_FLAGS      = TLV_META_TYPE_UINT    | 2304
+TLV_TYPE_PROCESS_ARGUMENTS  = TLV_META_TYPE_STRING  | 2305
+TLV_TYPE_PROCESS_ARCH       = TLV_META_TYPE_UINT    | 2306
+TLV_TYPE_PARENT_PID         = TLV_META_TYPE_UINT    | 2307
+TLV_TYPE_PROCESS_SESSION    = TLV_META_TYPE_UINT    | 2308
+
+TLV_TYPE_IMAGE_FILE         = TLV_META_TYPE_STRING  | 2400
+TLV_TYPE_IMAGE_FILE_PATH    = TLV_META_TYPE_STRING  | 2401
+TLV_TYPE_PROCEDURE_NAME     = TLV_META_TYPE_STRING  | 2402
+TLV_TYPE_PROCEDURE_ADDRESS  = TLV_META_TYPE_QWORD   | 2403
+TLV_TYPE_IMAGE_BASE         = TLV_META_TYPE_QWORD   | 2404
+TLV_TYPE_IMAGE_GROUP        = TLV_META_TYPE_GROUP   | 2405
+TLV_TYPE_IMAGE_NAME         = TLV_META_TYPE_STRING  | 2406
+
+TLV_TYPE_THREAD_ID          = TLV_META_TYPE_UINT    | 2500
+TLV_TYPE_THREAD_PERMS       = TLV_META_TYPE_UINT    | 2502
+TLV_TYPE_EXIT_CODE          = TLV_META_TYPE_UINT    | 2510
+TLV_TYPE_ENTRY_POINT        = TLV_META_TYPE_QWORD   | 2511
+TLV_TYPE_ENTRY_PARAMETER    = TLV_META_TYPE_QWORD   | 2512
+TLV_TYPE_CREATION_FLAGS     = TLV_META_TYPE_UINT    | 2513
+
+TLV_TYPE_REGISTER_NAME      = TLV_META_TYPE_STRING  | 2540
+TLV_TYPE_REGISTER_SIZE      = TLV_META_TYPE_UINT    | 2541
+TLV_TYPE_REGISTER_VALUE_32  = TLV_META_TYPE_UINT    | 2542
+TLV_TYPE_REGISTER           = TLV_META_TYPE_GROUP   | 2550
+
+##
+#
+# Ui
+#
+##
+TLV_TYPE_IDLE_TIME                         = TLV_META_TYPE_UINT   | 3000
+TLV_TYPE_KEYS_DUMP                         = TLV_META_TYPE_STRING | 3001
+TLV_TYPE_DESKTOP_SCREENSHOT                = TLV_META_TYPE_RAW    | 3002
+TLV_TYPE_DESKTOP_SWITCH                    = TLV_META_TYPE_BOOL   | 3003
+TLV_TYPE_DESKTOP                           = TLV_META_TYPE_GROUP  | 3004
+TLV_TYPE_DESKTOP_SESSION                   = TLV_META_TYPE_UINT   | 3005
+TLV_TYPE_DESKTOP_STATION                   = TLV_META_TYPE_STRING | 3006
+TLV_TYPE_DESKTOP_NAME                      = TLV_META_TYPE_STRING | 3007
+TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY        = TLV_META_TYPE_UINT   | 3008
+TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH = TLV_META_TYPE_UINT   | 3009
+TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER = TLV_META_TYPE_STRING | 3010
+TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH = TLV_META_TYPE_UINT   | 3011
+TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER = TLV_META_TYPE_STRING | 3012
+
+##
+#
+# Event Log
+#
+##
+TLV_TYPE_EVENT_SOURCENAME   = TLV_META_TYPE_STRING  | 4000
+TLV_TYPE_EVENT_HANDLE       = TLV_META_TYPE_QWORD   | 4001
+TLV_TYPE_EVENT_NUMRECORDS   = TLV_META_TYPE_UINT    | 4002
+
+TLV_TYPE_EVENT_READFLAGS    = TLV_META_TYPE_UINT    | 4003
+TLV_TYPE_EVENT_RECORDOFFSET = TLV_META_TYPE_UINT    | 4004
+
+TLV_TYPE_EVENT_RECORDNUMBER = TLV_META_TYPE_UINT    | 4006
+TLV_TYPE_EVENT_TIMEGENERATED= TLV_META_TYPE_UINT    | 4007
+TLV_TYPE_EVENT_TIMEWRITTEN  = TLV_META_TYPE_UINT    | 4008
+TLV_TYPE_EVENT_ID           = TLV_META_TYPE_UINT    | 4009
+TLV_TYPE_EVENT_TYPE         = TLV_META_TYPE_UINT    | 4010
+TLV_TYPE_EVENT_CATEGORY     = TLV_META_TYPE_UINT    | 4011
+TLV_TYPE_EVENT_STRING       = TLV_META_TYPE_STRING  | 4012
+TLV_TYPE_EVENT_DATA         = TLV_META_TYPE_RAW     | 4013
+
+##
+#
+# Power
+#
+##
+TLV_TYPE_POWER_FLAGS        = TLV_META_TYPE_UINT    | 4100
+TLV_TYPE_POWER_REASON       = TLV_META_TYPE_UINT    | 4101
+
+##
+#
+# Webcam
+#
+##
+
+TLV_TYPE_WEBCAM_IMAGE       = TLV_META_TYPE_RAW     | (TLV_EXTENSIONS + 1)
+TLV_TYPE_WEBCAM_INTERFACE_ID= TLV_META_TYPE_UINT    | (TLV_EXTENSIONS + 2)
+TLV_TYPE_WEBCAM_QUALITY     = TLV_META_TYPE_UINT    | (TLV_EXTENSIONS + 3)
+TLV_TYPE_WEBCAM_NAME        = TLV_META_TYPE_STRING  | (TLV_EXTENSIONS + 4)
+
+##
+#
+# Audio
+#
+##
+
+TLV_TYPE_AUDIO_DURATION     = TLV_META_TYPE_UINT    | (TLV_EXTENSIONS + 1)
+TLV_TYPE_AUDIO_DATA         = TLV_META_TYPE_RAW     | (TLV_EXTENSIONS + 2)
+
+end; end; end; end; end
+

data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb

@@ -0,0 +1,259 @@
+# -*- coding: binary -*-
+
+require 'rex/post/ui'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+
+###
+#
+# Allows for interacting with the user interface on the remote machine,
+# such as by disabling the keyboard and mouse.
+#
+# WARNING:
+#
+# Using keyboard and mouse enabling/disabling features will result in
+# a DLL file being written to disk.
+#
+###
+class UI < Rex::Post::UI
+
+  include Rex::Post::Meterpreter::ObjectAliasesContainer
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Initializes the post-exploitation user-interface manipulation subsystem.
+  #
+  def initialize(client)
+    self.client = client
+  end
+
+  ##
+  #
+  # Device enabling/disabling
+  #
+  ##
+
+  #
+  # Disable keyboard input on the remote machine.
+  #
+  def disable_keyboard
+    return enable_keyboard(false)
+  end
+
+  #
+  # Enable keyboard input on the remote machine.
+  #
+  def enable_keyboard(enable = true)
+    request = Packet.create_request('stdapi_ui_enable_keyboard')
+
+    request.add_tlv(TLV_TYPE_BOOL, enable)
+
+    response = client.send_request(request)
+
+    return true
+  end
+
+  #
+  # Disable mouse input on the remote machine.
+  #
+  def disable_mouse
+    return enable_mouse(false)
+  end
+
+  #
+  # Enable mouse input on the remote machine.
+  #
+  def enable_mouse(enable = true)
+    request = Packet.create_request('stdapi_ui_enable_mouse')
+
+    request.add_tlv(TLV_TYPE_BOOL, enable)
+
+    response = client.send_request(request)
+
+    return true
+  end
+
+  #
+  # Returns the number of seconds the remote machine has been idle
+  # from user input.
+  #
+  def idle_time
+    request = Packet.create_request('stdapi_ui_get_idle_time')
+
+    response = client.send_request(request)
+
+    return response.get_tlv_value(TLV_TYPE_IDLE_TIME);
+  end
+
+  #
+  # Enumerate desktops.
+  #
+  def enum_desktops
+    request  = Packet.create_request('stdapi_ui_desktop_enum')
+    response = client.send_request(request)
+    desktopz = []
+    if( response.result == 0 )
+      response.each( TLV_TYPE_DESKTOP ) { | desktop |
+      desktopz << {
+          'session' => desktop.get_tlv_value( TLV_TYPE_DESKTOP_SESSION ),
+          'station' => desktop.get_tlv_value( TLV_TYPE_DESKTOP_STATION ),
+          'name'    => desktop.get_tlv_value( TLV_TYPE_DESKTOP_NAME )
+        }
+      }
+    end
+    return desktopz
+  end
+
+  #
+  # Get the current desktop meterpreter is using.
+  #
+  def get_desktop
+    request  = Packet.create_request( 'stdapi_ui_desktop_get' )
+    response = client.send_request( request )
+    desktop  = {}
+    if( response.result == 0 )
+      desktop = {
+          'session' => response.get_tlv_value( TLV_TYPE_DESKTOP_SESSION ),
+          'station' => response.get_tlv_value( TLV_TYPE_DESKTOP_STATION ),
+          'name'    => response.get_tlv_value( TLV_TYPE_DESKTOP_NAME )
+        }
+    end
+    return desktop
+  end
+
+  #
+  # Change the meterpreters current desktop. The switch param sets this
+  # new desktop as the interactive one (The local users visible desktop
+  # with screen/keyboard/mouse control).
+  #
+  def set_desktop( session=-1, station='WinSta0', name='Default', switch=false )
+    request  = Packet.create_request( 'stdapi_ui_desktop_set' )
+    request.add_tlv( TLV_TYPE_DESKTOP_SESSION, session )
+    request.add_tlv( TLV_TYPE_DESKTOP_STATION, station )
+    request.add_tlv( TLV_TYPE_DESKTOP_NAME, name )
+    request.add_tlv( TLV_TYPE_DESKTOP_SWITCH, switch )
+    response = client.send_request( request )
+    if( response.result == 0 )
+      return true
+    end
+    return false
+  end
+
+  #
+  # Grab a screenshot of the interactive desktop
+  #
+  def screenshot( quality=50 )
+    request = Packet.create_request( 'stdapi_ui_desktop_screenshot' )
+    request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY, quality )
+    # include the x64 screenshot dll if the host OS is x64
+    if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
+      screenshot_path = MeterpreterBinaries.path('screenshot','x64.dll')
+      screenshot_path = ::File.expand_path( screenshot_path )
+      screenshot_dll  = ''
+      ::File.open( screenshot_path, 'rb' ) do |f|
+        screenshot_dll += f.read( f.stat.size )
+      end
+      request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER, screenshot_dll, false, true )
+      request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH, screenshot_dll.length )
+    end
+    # but allways include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
+    screenshot_path = MeterpreterBinaries.path('screenshot','x86.dll')
+    screenshot_path = ::File.expand_path( screenshot_path )
+    screenshot_dll  = ''
+    ::File.open( screenshot_path, 'rb' ) do |f|
+      screenshot_dll += f.read( f.stat.size )
+    end
+    request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER, screenshot_dll, false, true )
+    request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH, screenshot_dll.length )
+    # send the request and return the jpeg image if successfull.
+    response = client.send_request( request )
+    if( response.result == 0 )
+      return response.get_tlv_value( TLV_TYPE_DESKTOP_SCREENSHOT )
+    end
+    return nil
+  end
+
+  #
+  # Unlock or lock the desktop
+  #
+  def unlock_desktop(unlock=true)
+    request  = Packet.create_request('stdapi_ui_unlock_desktop')
+    request.add_tlv(TLV_TYPE_BOOL, unlock)
+    response = client.send_request(request)
+    return true
+  end
+
+  #
+  # Start the keyboard sniffer
+  #
+  def keyscan_start
+    request  = Packet.create_request('stdapi_ui_start_keyscan')
+    response = client.send_request(request)
+    return true
+  end
+
+  #
+  # Stop the keyboard sniffer
+  #
+  def keyscan_stop
+    request  = Packet.create_request('stdapi_ui_stop_keyscan')
+    response = client.send_request(request)
+    return true
+  end
+
+  #
+  # Dump the keystroke buffer
+  #
+  def keyscan_dump
+    request  = Packet.create_request('stdapi_ui_get_keys')
+    response = client.send_request(request)
+    return response.get_tlv_value(TLV_TYPE_KEYS_DUMP);
+  end
+
+  #
+  # Extract the keystroke from the buffer data
+  #
+  def keyscan_extract(buffer_data)
+    outp = ""
+    buffer_data.unpack("n*").each do |inp|
+      fl = (inp & 0xff00) >> 8
+      vk = (inp & 0xff)
+      kc = VirtualKeyCodes[vk]
+
+      f_shift = fl & (1<<1)
+      f_ctrl  = fl & (1<<2)
+      f_alt   = fl & (1<<3)
+
+      if(kc)
+        name = ((f_shift != 0 and kc.length > 1) ? kc[1] : kc[0])
+        case name
+        when /^.$/
+          outp << name
+        when /shift|click/i
+        when 'Space'
+          outp << " "
+        else
+          outp << " <#{name}> "
+        end
+      else
+        outp << " <0x%.2x> " % vk
+      end
+    end
+    return outp
+  end
+
+protected
+  attr_accessor :client # :nodoc:
+
+end
+
+end; end; end; end; end