librex 0.0.20 → 0.0.21

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb

@@ -0,0 +1,204 @@
+# Copyright (c) 2010, patrickHVE@googlemail.com
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * The names of the author may not be used to endorse or promote products
+#       derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL patrickHVE@googlemail.com BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#
+# sf - Sept 2010 - Modified for x64 support and merged into the stdapi extension.
+#
+
+require 'pp'
+require 'enumerator'
+
+require 'rex/post/meterpreter/extensions/stdapi/railgun/api_constants'
+require 'rex/post/meterpreter/extensions/stdapi/railgun/tlv'
+require 'rex/post/meterpreter/extensions/stdapi/railgun/util'
+require 'rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager'
+require 'rex/post/meterpreter/extensions/stdapi/railgun/multicall'
+require 'rex/post/meterpreter/extensions/stdapi/railgun/dll'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+
+#
+# The Railgun class to dynamically expose the Windows API.
+#
+class Railgun
+	def initialize( client )
+
+		@client = client
+		@dll    = ::Hash.new
+		
+		@win_consts = WinConstManager.new()
+		
+		@constants_loaded = false
+
+		# Load the multi-caller
+		@multicaller = MultiCaller.new( @client, self, @win_consts )
+
+		# Load utility class
+		@util = Util.new( self, @client.platform )
+	end
+	
+	# read data from a memory address on the host (useful for working with LPVOID parameters)
+	def memread( address, length )
+	
+		raise "Invalid parameters." if( not address or not length )
+		
+		request = Packet.create_request( 'stdapi_railgun_memread' )
+		
+		request.add_tlv( TLV_TYPE_RAILGUN_MEM_ADDRESS, address )
+		request.add_tlv( TLV_TYPE_RAILGUN_MEM_LENGTH, length )
+
+		response = client.send_request( request )
+		if( response.result == 0 )
+			return response.get_tlv_value( TLV_TYPE_RAILGUN_MEM_DATA )
+		end
+		
+		return nil
+	end
+	
+	# write data to a memory address on the host (useful for working with LPVOID parameters)
+	def memwrite( address, data, length )
+	
+		raise "Invalid parameters." if( not address or not data or not length )
+		
+		request = Packet.create_request( 'stdapi_railgun_memwrite' )
+		
+		request.add_tlv( TLV_TYPE_RAILGUN_MEM_ADDRESS, address )
+		request.add_tlv( TLV_TYPE_RAILGUN_MEM_DATA, data )
+		request.add_tlv( TLV_TYPE_RAILGUN_MEM_LENGTH, length )
+
+		response = client.send_request( request )
+		if( response.result == 0 )
+			return true
+		end
+		
+		return false
+	end
+	
+	# adds a function to an existing DLL-definition
+	def add_function(dll_name, function_name, return_type, params, windows_name=nil)
+		raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(@dll.keys, "")}" unless @dll.has_key? dll_name
+		@dll[dll_name].add_function(function_name, return_type, params, windows_name)
+	end
+
+	# adds a function to an existing DLL-definition
+	# you can override the dll name if you want to include a path or the DLL name contains
+	# non-ruby-approved characters
+	def add_dll(dll_name, windows_name=nil)
+		raise "DLL #{dll_name} already exists. Existing DLLs: #{PP.pp(@dll.keys, "")}" unless not @dll.has_key? dll_name
+		if( windows_name == nil )
+			windows_name = dll_name
+		end
+		@dll[dll_name] = DLL.new(windows_name, @client, @win_consts)
+	end
+
+	def get_dll( dll_name )
+		# sf: we now lazy load the module definitions as needed to avoid the performance hit
+		#     to stdapi if we do it upon initilization (the user may never use railgun or else
+		#     require only a portion of the modules exposed by railgun so no need to pre load them)
+		if( not @dll.has_key?( dll_name ) )
+		
+			# the constants are also lazy loaded the first time we call const() or any API function...
+			if( not @constants_loaded )
+				ApiConstants.add_constants( @win_consts )
+				@constants_loaded = true
+			end
+
+			case dll_name
+				when 'kernel32'
+					require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32'
+					Def::Def_kernel32.add_imports(self)
+				when 'ntdll'
+					require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll'
+					Def::Def_ntdll.add_imports(self)
+				when 'user32'
+					require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32'
+					Def::Def_user32.add_imports(self)
+				when 'ws2_32'
+					require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32'
+					Def::Def_ws2_32.add_imports(self)
+				when 'iphlpapi'
+					require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi'
+					Def::Def_iphlpapi.add_imports(self)
+				when 'netapi32'
+					require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32'
+					Def::Def_netapi32.add_imports(self)
+				when 'advapi32'
+					require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32'
+					Def::Def_advapi32.add_imports(self)
+				when 'shell32'
+					require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32'
+					Def::Def_shell32.add_imports(self)
+			end
+			
+			if( @dll.has_key?( dll_name ) )
+				return @dll[dll_name]
+			end
+			
+		else
+			return @dll[dll_name]
+		end
+		
+		return nil
+	end
+	
+	# we fake having members like user32 and kernel32.
+	# reason is that
+	#   ...user32.MessageBoxW()
+	# is prettier than
+	#   ...dlls["user32"].functions["MessageBoxW"]()
+	def method_missing(dll_symbol, *args)
+		dll_name = dll_symbol.to_s
+
+		self.get_dll( dll_name )
+		
+		raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(@dll.keys, "")}" unless @dll.has_key? dll_name
+		
+		return @dll[dll_name]
+	end
+
+	# Give the programmer access to constants
+	def const(str)
+		# the constants are also lazy loaded the first time we call const() or any API function...
+		if( not @constants_loaded )
+			ApiConstants.add_constants( @win_consts )
+			@constants_loaded = true
+		end
+		return @win_consts.parse(str)
+	end
+
+	# The multi-call shorthand ( ["kernel32", "ExitProcess", [0]] )
+	def multi(functions)
+		@multicaller.call(functions)
+	end
+
+	attr_accessor :client, :dll, :multicaller, :win_consts, :util
+	
+end
+
+end; end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2010, patrickHVE@googlemail.com
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * The names of the author may not be used to endorse or promote products
+#       derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL patrickHVE@googlemail.com BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+
+TLV_TYPE_EXTENSION_RAILGUN = 0
+TLV_TYPE_RAILGUN_SIZE_OUT = 			TLV_META_TYPE_UINT | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 1)
+TLV_TYPE_RAILGUN_STACKBLOB = 			TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 2)
+TLV_TYPE_RAILGUN_BUFFERBLOB_IN = 		TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 3)
+TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT = 	TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 4)
+
+TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT = 		TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 5)
+TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT = 	TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 6)
+TLV_TYPE_RAILGUN_BACK_RET = 			    TLV_META_TYPE_QWORD | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 7)
+TLV_TYPE_RAILGUN_BACK_ERR = 			    TLV_META_TYPE_UINT | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 8)
+
+TLV_TYPE_RAILGUN_DLLNAME = 			    TLV_META_TYPE_STRING | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 9)
+TLV_TYPE_RAILGUN_FUNCNAME = 			TLV_META_TYPE_STRING | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 10)
+TLV_TYPE_RAILGUN_MULTI_GROUP = 			TLV_META_TYPE_GROUP | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 11)
+
+TLV_TYPE_RAILGUN_MEM_ADDRESS =          TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 12 )
+TLV_TYPE_RAILGUN_MEM_DATA    =          TLV_META_TYPE_RAW   | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 13 )
+TLV_TYPE_RAILGUN_MEM_LENGTH  =          TLV_META_TYPE_UINT  | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 14 )
+
+end; end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb

@@ -0,0 +1,630 @@
+require 'rex/post/meterpreter/extensions/stdapi/railgun/dll_helper'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+class  Util
+
+	# Bring in some useful string manipulation utility functions
+	include DLLHelper
+
+	# Data type size info: http://msdn.microsoft.com/en-us/library/s3f49ktz(v=vs.80).aspx
+	PRIMITIVE_TYPE_SIZES = {
+		:int => 4,
+		:__int8 => 1,
+		:__int16 => 2,
+		:__int32 => 4,
+		:__int64 => 8,
+		:bool => 1,
+		:char => 1,
+		:short => 2,
+		:long => 4,
+		:long_long => 8,
+		:float => 4,
+		:double => 8,
+		:long_double => 8,	
+		:wchar_t => 2,
+	}
+
+	# Maps a data type to its corresponding primitive or special type :pointer
+	# Note, primitive types are mapped to themselves
+	# typedef info: http://msdn.microsoft.com/en-us/library/aa383751(v=vs.85).aspx
+	TYPE_DEFINITIONS = {
+		##
+		# Primitives
+		##
+		:int => :int,
+		:__int8 => :__int8,
+		:__int16 => :__int16,
+		:__int32 => :__int32,
+		:__int64 => :__int64,
+		:bool => :bool,
+		:char => :char,
+		:short => :short,
+		:long => :long,
+		:long_long => :long_long,
+		:float => :float,
+		:double => :double,
+		:long_double => :long_double,
+		:wchar_t => :wchar_t,
+		##
+		# Non-pointers
+		##
+		#typedef WORD ATOM;
+		:ATOM => :short,
+		#typedef int BOOL;
+		:BOOL => :int,
+		#typedef BYTE BOOLEAN;
+		:BOOLEAN => :char,
+		#typedef unsigned char BYTE;
+		:BYTE => :char,
+		#typedef char CHAR;
+		:CHAR => :char,
+		#typedef DWORD COLORREF;
+		:COLORREF => :long,
+		#typedef unsigned long DWORD;
+		:DWORD => :long,
+		#typedef unsigned int DWORD32;
+		:DWORD32 => :int,
+		#typedef unsigned __int64 DWORD64;
+		:DWORD64 => :__int64,
+		#typedef float FLOAT;
+		:FLOAT => :float,
+		#typedef int HFILE;
+		:HFILE => :int,
+		#typedef LONG HRESULT;
+		:HRESULT => :long,
+		#typedef int INT;
+		:INT => :int,
+		#typedef signed int INT32;
+		:INT32 => :int,
+		#typedef signed __int64 INT64;
+		:INT64 => :__int64,
+		#typedef WORD LANGID;
+		:LANGID => :short,
+		#typedef DWORD LCID;
+		:LCID => :long,
+		#typedef DWORD LCTYPE;
+		:LCTYPE => :long,
+		#typedef DWORD LGRPID;
+		:LGRPID => :long,
+		#typedef long LONG;
+		:LONG => :long,
+		#typedef signed int LONG32;
+		:LONG32 => :int,
+		#typedef __int64 LONG64;
+		:LONG64 => :__int64,
+		#typedef PDWORD PLCID;
+		:PLCID => :pointer,
+		#typedef LPVOID SC_LOCK;
+		:SC_LOCK => :pointer,
+		#typedef short SHORT;
+		:SHORT => :short,
+		#typedef unsigned char UCHAR;
+		:UCHAR => :char,
+		#typedef unsigned int UINT;
+		:UINT => :int,
+		#typedef unsigned int UINT32;
+		:UINT32 => :int,
+		#typedef unsigned long ULONG;
+		:ULONG => :long,
+		#typedef unsigned int ULONG32;
+		:ULONG32 => :int,
+		#typedef unsigned __int64 ULONG64;
+		:ULONG64 => :__int64,
+		#typedef unsigned short USHORT;
+		:USHORT => :short,
+		#typedef wchar_t WCHAR;
+		:WCHAR => :wchar_t,
+		#typedef unsigned short WORD;
+		:WORD => :short,
+		##
+		# Pointers declared with *
+		##
+		#typedef DWORD* LPCOLORREF;
+		:LPCOLORREF => :pointer,
+		#typedef void* LPCVOID;
+		:LPCVOID => :pointer,
+		#typedef WCHAR* LPCWSTR;
+		:LPCWSTR => :pointer,
+		#typedef DWORD* LPDWORD;
+		:LPDWORD => :pointer,
+		#typedef HANDLE* LPHANDLE;
+		:LPHANDLE => :pointer,
+		#typedef int* LPINT;
+		:LPINT => :pointer,
+		#typedef long* LPLONG;
+		:LPLONG => :pointer,
+		#typedef CHAR* LPSTR;
+		:LPSTR => :pointer,
+		#typedef void* LPVOID;
+		:LPVOID => :pointer,
+		#typedef WORD* LPWORD;
+		:LPWORD => :pointer,
+		#typedef WCHAR* LPWSTR;
+		:LPWSTR => :pointer,
+		#typedef BOOL* PBOOL;
+		:PBOOL => :pointer,
+		#typedef BOOLEAN* PBOOLEAN;
+		:PBOOLEAN => :pointer,
+		#typedef BYTE* PBYTE;
+		:PBYTE => :pointer,
+		#typedef CHAR* PCHAR;
+		:PCHAR => :pointer,
+		#typedef CHAR* PCSTR;
+		:PCSTR => :pointer,
+		#typedef WCHAR* PCWSTR;
+		:PCWSTR => :pointer,
+		#typedef DWORD* PDWORD;
+		:PDWORD => :pointer,
+		#typedef DWORDLONG* PDWORDLONG;
+		:PDWORDLONG => :pointer,
+		#typedef DWORD_PTR* PDWORD_PTR;
+		:PDWORD_PTR => :pointer,
+		#typedef DWORD32* PDWORD32;
+		:PDWORD32 => :pointer,
+		#typedef DWORD64* PDWORD64;
+		:PDWORD64 => :pointer,
+		#typedef FLOAT* PFLOAT;
+		:PFLOAT => :pointer,
+		#typedef HANDLE* PHANDLE;
+		:PHANDLE => :pointer,
+		#typedef HKEY* PHKEY;
+		:PHKEY => :pointer,
+		#typedef int* PINT;
+		:PINT => :pointer,
+		#typedef INT_PTR* PINT_PTR;
+		:PINT_PTR => :pointer,
+		#typedef INT32* PINT32;
+		:PINT32 => :pointer,
+		#typedef INT64* PINT64;
+		:PINT64 => :pointer,
+		#typedef LONG* PLONG;
+		:PLONG => :pointer,
+		#typedef LONGLONG* PLONGLONG;
+		:PLONGLONG => :pointer,
+		#typedef LONG_PTR* PLONG_PTR;
+		:PLONG_PTR => :pointer,
+		#typedef LONG32* PLONG32;
+		:PLONG32 => :pointer,
+		#typedef LONG64* PLONG64;
+		:PLONG64 => :pointer,
+		#typedef SHORT* PSHORT;
+		:PSHORT => :pointer,
+		#typedef SIZE_T* PSIZE_T;
+		:PSIZE_T => :pointer,
+		#typedef SSIZE_T* PSSIZE_T;
+		:PSSIZE_T => :pointer,
+		#typedef CHAR* PSTR;
+		:PSTR => :pointer,
+		#typedef TBYTE* PTBYTE;
+		:PTBYTE => :pointer,
+		#typedef TCHAR* PTCHAR;
+		:PTCHAR => :pointer,
+		#typedef UCHAR* PUCHAR;
+		:PUCHAR => :pointer,
+		#typedef UINT* PUINT;
+		:PUINT => :pointer,
+		#typedef UINT_PTR* PUINT_PTR;
+		:PUINT_PTR => :pointer,
+		#typedef UINT32* PUINT32;
+		:PUINT32 => :pointer,
+		#typedef UINT64* PUINT64;
+		:PUINT64 => :pointer,
+		#typedef ULONG* PULONG;
+		:PULONG => :pointer,
+		#typedef ULONGLONG* PULONGLONG;
+		:PULONGLONG => :pointer,
+		#typedef ULONG_PTR* PULONG_PTR;
+		:PULONG_PTR => :pointer,
+		#typedef ULONG32* PULONG32;
+		:PULONG32 => :pointer,
+		#typedef ULONG64* PULONG64;
+		:PULONG64 => :pointer,
+		#typedef USHORT* PUSHORT;
+		:PUSHORT => :pointer,
+		#typedef void* PVOID;
+		:PVOID => :pointer,
+		#typedef WCHAR* PWCHAR;
+		:PWCHAR => :pointer,
+		#typedef WORD* PWORD;
+		:PWORD => :pointer,
+		#typedef WCHAR* PWSTR;
+		:PWSTR => :pointer,
+		#typedef HANDLE HACCEL;
+		:HACCEL => :pointer,
+		##
+		#  Handles
+		##
+		#typedef PVOID HANDLE;
+		:HANDLE => :pointer,
+		#typedef HANDLE HBITMAP;
+		:HBITMAP => :pointer,
+		#typedef HANDLE HBRUSH;
+		:HBRUSH => :pointer,
+		#typedef HANDLE HCOLORSPACE;
+		:HCOLORSPACE => :pointer,
+		#typedef HANDLE HCONV;
+		:HCONV => :pointer,
+		#typedef HANDLE HCONVLIST;
+		:HCONVLIST => :pointer,
+		#typedef HANDLE HDC;
+		:HDC => :pointer,
+		#typedef HANDLE HDDEDATA;
+		:HDDEDATA => :pointer,
+		#typedef HANDLE HDESK;
+		:HDESK => :pointer,
+		#typedef HANDLE HDROP;
+		:HDROP => :pointer,
+		#typedef HANDLE HDWP;
+		:HDWP => :pointer,
+		#typedef HANDLE HENHMETAFILE;
+		:HENHMETAFILE => :pointer,
+		#typedef HANDLE HFONT;
+		:HFONT => :pointer,
+		#typedef HANDLE HGDIOBJ;
+		:HGDIOBJ => :pointer,
+		#typedef HANDLE HGLOBAL;
+		:HGLOBAL => :pointer,
+		#typedef HANDLE HHOOK;
+		:HHOOK => :pointer,
+		#typedef HANDLE HICON;
+		:HICON => :pointer,
+		#typedef HANDLE HINSTANCE;
+		:HINSTANCE => :pointer,
+		#typedef HANDLE HKEY;
+		:HKEY => :pointer,
+		#typedef HANDLE HKL;
+		:HKL => :pointer,
+		#typedef HANDLE HLOCAL;
+		:HLOCAL => :pointer,
+		#typedef HANDLE HMENU;
+		:HMENU => :pointer,
+		#typedef HANDLE HMETAFILE;
+		:HMETAFILE => :pointer,
+		#typedef HANDLE HPALETTE;
+		:HPALETTE => :pointer,
+		#typedef HANDLE HPEN;
+		:HPEN => :pointer,
+		#typedef HANDLE HRGN;
+		:HRGN => :pointer,
+		#typedef HANDLE HRSRC;
+		:HRSRC => :pointer,
+		#typedef HANDLE HSZ;
+		:HSZ => :pointer,
+		#typedef HANDLE WINSTA;
+		:WINSTA => :pointer,
+		#typedef HANDLE HWND;
+		:HWND => :pointer,
+		#typedef HANDLE SC_HANDLE;
+		:SC_HANDLE => :pointer,
+		#typedef HANDLE SERVICE_STATUS_HANDLE;
+		:SERVICE_STATUS_HANDLE => :pointer,
+	}
+
+	# param 'railgun' is a Railgun instance.
+	# param 'platform' is a value like client.platform
+	def initialize(railgun, platform)
+		@railgun = railgun
+		@is_64bit = is_64bit_platform?(platform)
+	end
+
+	# Given a packed pointer, unpacks it according to architecture
+	def unpack_pointer(packed_pointer)
+		if is_64bit
+			# XXX: Only works if attacker and victim are like-endianed 
+			packed_pointer.unpack('Q')[0]
+		else
+			packed_pointer.unpack('V')[0]
+		end
+	end
+
+	###
+	# Summary: Returns true if pointer will be considered a 'null' pointer
+	#
+	# If given nil, returns true
+	# If given 0, returns true
+	# If given a string, if 0 after unpacking, returns true
+	# false otherwise
+	##
+	def is_null_pointer(pointer)
+		if pointer.class == String
+			pointer = unpack_pointer(pointer)
+		end
+		
+		return pointer.nil? || pointer == 0
+	end
+
+	###
+	# Summary: Reads null-terminated unicode strings from memory.
+	#
+	# Given a pointer to a null terminated array of WCHARs, return a ruby string
+	# Null pointers cause an empty string to be returned
+	##
+	def read_wstring(pointer, length = nil)
+		# Return an empty string for null pointers
+		if is_null_pointer(pointer)
+			return ''
+		end
+
+		# If length not provided, use lstrlenW 
+		if length.nil?
+			length = railgun.kernel32.lstrlenW(pointer)['return']
+		end
+
+		# Retrieve the array of characters
+		chars = read_array(:WCHAR, length, pointer) 
+
+		# Concatenate the characters and convert to a ruby string
+		str = uniz_to_str(chars.join(''))
+
+		return str
+	end
+
+	###
+	# Summary: Read a given number of bytes from memory or from a provided buffer.
+	#
+	# If 'buffer' is not provided, read 'size' bytes from the client's memory
+	# If 'buffer' is provided, reads 'size' characters from the index of 'address'
+	##
+	def memread(address, size, buffer = nil)
+		if buffer.nil?
+			return railgun.memread(address, size)
+		else
+			return buffer[address .. (address + size - 1)]
+		end
+	end
+
+	# Read and unpack a pointer from the given buffer at a given offset
+	def read_pointer(buffer, offset = 0)
+		unpack_pointer(buffer[offset, (offset + pointer_size)])
+	end
+
+	# Reads data structures and several windows data types
+	def read_data(type, position, buffer = nil)
+		if buffer.nil?
+			buffer = memread(position, sizeof_type(type))
+			position = 0
+		end
+
+		# If we're asked to read a data structure, deligate to read_struct
+		if is_struct_type?(type)
+			return read_struct(type, buffer, position)
+		end
+
+		# If the type is an array with a given size...
+		#    BYTE[3] for example or BYTE[ENCRYPTED_PWLEN] or even PDWORD[23]
+		if is_array_type?(type)
+			# Separate the element type from the size of the array
+			element_type, length = split_array_type(type)
+
+			# Have read_array take care of the rest
+			return read_array(element_type, length, position, buffer)
+		end
+
+		size = sizeof_type(type)
+		raw  = memread(position, size, buffer)
+
+		# read/unpack data for the types we have hard-coded support for
+		case type
+		when :LPWSTR
+			# null-terminated string of 16-bit Unicode characters
+			return read_wstring(read_pointer(raw))
+		when :DWORD
+			# Both on x86 and x64, DWORD is 32 bits
+			return raw.unpack('V').first
+		when :BOOL
+			return raw.unpack('l').first == 1
+		when :LONG
+			return raw.unpack('l').first
+		end
+
+ 		#If nothing worked thus far, return it raw
+		return raw
+	end
+
+	# Read 'length' number of instances of 'type' from 'bufptr' 
+	# bufptr is an index in 'buffer' or, if buffer is nil, a memory address
+	def read_array(type, length, bufptr, buffer = nil)
+		if length <= 0
+			return []
+		end
+
+		size = sizeof_type(type)
+		# Grab the bytes that the array consists of
+		buffer = memread(bufptr, size * length, buffer)
+
+		offset = 0
+
+		1.upto(length).map do |n|
+			data = read_data(type, offset, buffer) 
+
+			offset = offset + size
+
+			data
+		end
+	end
+
+	# construct the data structure described in 'definition' from 'buffer'
+	# starting from the index 'offset'
+	def read_struct(definition, buffer, offset = 0)
+		data = {}
+
+		offsets = struct_offsets(definition, offset)
+
+		definition.each do |mapping|
+			key, data_type = mapping
+
+			data[key] = read_data(data_type, offsets.shift, buffer)
+		end
+
+		data
+	end
+
+
+	# Returns true if the data type is a pointer, false otherwise
+	def is_pointer_type?(type)
+		return TYPE_DEFINITIONS[type] == :pointer
+	end
+
+	# Returns whether the given type represents an array of another type
+	# For example BYTE[3], BYTE[ENCRYPTED_PWLEN], or even PDWORD[23]
+	def is_array_type?(type)
+		return type =~ /^\w+\[\w+\]$/ ? true : false
+	end
+
+	# Returns true if the type passed describes a data structure, false otherwise
+	def is_struct_type?(type)
+		return type.class == Array
+	end
+
+
+	# Returns the pointer size for this architecture
+	def pointer_size
+		is_64bit ? 8 : 4
+	end
+
+	# Return the size, in bytes, of the given type
+	def sizeof_type(type)
+		if is_pointer_type?(type)
+			return pointer_size
+		end
+
+		if is_array_type?(type)
+			element_type, length = split_array_type(type)
+
+			return length * sizeof_type(element_type)
+		end
+
+		if is_struct_type?(type)
+			return sizeof_struct(type)
+		end
+
+		if TYPE_DEFINITIONS.has_key?(type)
+			primitive = TYPE_DEFINITIONS[type]
+	
+			if primitive == :pointer
+				return pointer_size
+			end		
+	
+			if PRIMITIVE_TYPE_SIZES.has_key?(primitive)
+				return PRIMITIVE_TYPE_SIZES[primitive]
+			else
+				raise "Type #{type} was mapped to non-existent primitive #{primitive}"
+			end
+		end
+
+		raise "Unable to determine size for type #{type}."
+	end
+
+	# Calculates the size of the struct after alignment
+	def sizeof_struct(struct)
+		offsets = struct_offsets(struct, 0)
+		last_data_size = sizeof_type(struct.last[1])
+		size_no_padding = offsets.last + last_data_size
+
+		return size_no_padding + calc_padding(size_no_padding)
+	end
+
+	# Given a description of a data structure, returns an array containing 
+	# the offset from the beginning for each subsequent element, taking into
+	# consideration alignment and padding
+	def struct_offsets(definition, offset)
+		padding = 0
+		offsets = []
+
+		definition.each do |mapping|
+			key, data_type = mapping
+
+			if sizeof_type(data_type) > padding
+				offset = offset + padding
+			end
+	
+			offsets.push(offset)
+
+			offset = offset + sizeof_type(data_type)
+
+			padding = calc_padding(offset)
+		end
+
+		offsets
+	end
+	
+	# http://en.wikipedia.org/wiki/Data_structure_alignment
+	def required_alignment
+		is_64bit ? 8 : 4
+	end
+
+	# Bytes that needed to be added to be aligned
+	def calc_padding(offset)
+		align = required_alignment
+
+		# If offset is not aligned...
+		if (offset % align) != 0
+			# Calculate padding needed to be aligned
+			align - (offset & (align - 1))
+		else
+			0
+		end
+	end
+
+	# Given an explicit array definition (e.g. BYTE[23]) return size (e.g. 23) and
+	# and type (e.g. BYTE). If a constant is given, attempt to resolve it
+	# that constant
+	def split_array_type(type)
+		if type =~ /^(\w+)\[(\w+)\]$/
+			element_type = $1
+			length = $2
+	
+			unless length =~ /^\d+$/
+				length = railgun.const(length)
+			end
+	
+			return element_type, length
+		else	
+			raise "Can not split non-array type #{type}"
+		end
+	end
+
+	# Returns true if given platform has 64bit architecture
+	# expects client.platform
+	def is_64bit_platform?(platform)
+		platform =~ /win64/
+	end
+
+	###
+	# Summary: 
+	#   Evaluates a bit field, returning a hash representing the meaning 
+	#   and state of each bit.
+	#
+	# Parameters:
+	#   value: a bit field represented by a Fixnum
+	#   mappings: { 'WINAPI_CONSTANT_NAME' => :descriptive_symbol, ... }
+	#
+	# Returns:
+	#   { :descriptive_symbol => true/false, ... }
+	##
+	def judge_bit_field(value, mappings)
+		flags = {}
+		rg = railgun
+
+		mappings.each do |constant_name, key|
+			flags[key] = (value & rg.const(constant_name)) != 0
+		end
+
+		flags
+	end
+
+	protected
+
+	attr_accessor :railgun, :is_64bit
+end # Util
+end # Railgun
+end # Stdapi
+end # Extensions
+end # Meterpreter
+end # Post
+end # Rex