Module: Msf::ReflectiveDLLLoader

Included in:

Payload::Windows::MeterpreterLoader, Payload::Windows::MeterpreterLoader_x64, Payload::Windows::ReflectiveDllInject, Payload::Windows::ReflectiveDllInject_x64, Post::Windows::ReflectiveDLLInjection, Rex::Payloads::Meterpreter::Config

Defined in:

lib/msf/core/reflective_dll_loader.rb

Constant Summary

EXPORT_REFLECTIVELOADER =

This is the ordinal of the reflective loader by default In new RDI DLLs that come with MSF

1

Instance Method Summary

• #load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) ⇒ Array

  Load a reflectively-injectable DLL from disk and find the offset to the ReflectiveLoader function inside the DLL.

• #load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) ⇒ Integer

  Load a reflectively-injectable DLL from a string and find the offset to the ReflectiveLoader function inside the DLL.

Instance Method Details

#load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) ⇒ Array

Load a reflectively-injectable DLL from disk and find the offset to the ReflectiveLoader function inside the DLL.

Parameters:

• dll_path (String) —

  Path to the DLL to load.

Returns:

• (Array) —

  Tuple of DLL contents and offset to the ReflectiveLoader function within the DLL.

# File 'lib/msf/core/reflective_dll_loader.rb', line 26

def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
  encrypted_dll = ::File.binread(dll_path)
  dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll)

  offset = parse_pe(dll, loader_name: loader_name, loader_ordinal: loader_ordinal)

  unless offset
    raise "Cannot find the ReflectiveLoader entry point in #{dll_path}"
  end

  return dll, offset
end

#load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) ⇒ Integer

Load a reflectively-injectable DLL from a string and find the offset to the ReflectiveLoader function inside the DLL.

Parameters:

• dll_data (String) —

  the DLL data to load.

Returns:

• (Integer) —

  offset to the ReflectiveLoader function within the DLL.

# File 'lib/msf/core/reflective_dll_loader.rb', line 45

def load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
  decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data)
  offset = parse_pe(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)

  unless offset
    raise 'Cannot find the ReflectiveLoader entry point in DLL data'
  end

  offset
end