Metasploit mailing list archives

Question regarding "reflectivedllinject.rb"


From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Sun, 6 Jan 2013 19:17:59 +0300

INFO - When running a multi/handler/meterpreter with appropriate
settings, the metsrv.dll is patched in memory before being sent to the
stager.

QUESTION - Regarding the reflectivedll bootstrap, the only two
"variables" are the RVA of *ReflectiveLoader* and the EXITFUNC
placeholder ... the RVA is retrieved using "PeParsey" ... the question is:
Why `[offset-7].pack( "V" )` and not just the offset? Why -7?

QUESTION - also when parsing metsrv.dll with "pedump" for example:
///////////////////////////////
# pedump --export metsrv.dll

=== EXPORTS ===

# module "metsrv.dll"
# flags=0x0  ts="2012-09-11 19:09:43"  version=0.0  ord_base=1
# nFuncs=80  nNames=80

  ORD ENTRY_VA  NAME
    1     15dc  Init
    2     213e  _ReflectiveLoader@0
///////////////////////////////

Here, our RVA is 213e ... right? So "213e-7" = "2137" = "37 21 00
00" big endian.
However, the patched metsrv.dll (got that from a wireshark dump of the
stage) has that value set to "37 15 00 00", which is less by 0xC00! ...

If someone would be kind enough to give a brief explanation about "why
this is happening" + "the (-7) thing", I'll really appreciate it,
Thanks in advance,

Sherif.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
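Worked example (added here; not from the post and not Metasploit's own reflectivedllinject.rb code), written from my reading of the x86 bootstrap stub that file prepends to the DLL: the stub opens with `4D 5A` (dec ebp / pop edx, so the bytes still spell MZ), then a 5-byte `call` to the next instruction followed by `pop ebx`, which leaves ebx holding the buffer address plus 7, so the operand of the following `add ebx, imm32` has to be the loader's offset minus 7. The 0xC00 gap comes from the other variable: the stub executes against the raw, unmapped file image, so the value patched in is ReflectiveLoader's file offset rather than its RVA, and with 0x1000 section alignment against 0x200 file alignment the first section's RVA 0x1000 lives at file offset 0x400. The section table below is constructed to match those defaults and is not parsed from a real metsrv.dll.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes; we only unpack the fields we need
# (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
SECTION_FMT = "<8sIIII"
SECTION_LEN = 40

# Constructed section table: SectionAlignment 0x1000, FileAlignment 0x200.
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
CONSTRUCTED_SECTIONS = b"".join(
    struct.pack(SECTION_FMT, *s).ljust(SECTION_LEN, b"\0")
    for s in [
        (b".text",  0x3000, 0x1000, 0x3000, 0x0400),
        (b".rdata", 0x1000, 0x4000, 0x0e00, 0x3400),
        (b".data",  0x0800, 0x5000, 0x0200, 0x4200),
    ]
)


def parse_sections(blob, count):
    """Return (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) tuples."""
    out = []
    for i in range(count):
        _name, vsize, va, rsize, raw = struct.unpack_from(SECTION_FMT, blob, i * SECTION_LEN)
        out.append((va, vsize, raw, rsize))
    return out


def rva_to_file_offset(sections, rva):
    """Map an RVA (valid once the image is mapped) to its offset in the flat file."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def bootstrap_operand(loader_file_offset):
    """Little-endian imm32 for 'add ebx, imm32' (Ruby's [x].pack('V')).

    Stub layout: 4D 5A (2 bytes) | E8 00000000 (5 bytes, call next insn)
    | 5B pop ebx -> ebx = buffer_base + 7, hence the -7 correction.
    """
    return struct.pack("<I", loader_file_offset - 7)


def simulate_stub(buffer_base, loader_file_offset):
    """Replay the stub's register arithmetic and return the address it calls."""
    ebx = buffer_base + 7                      # pushed return address of the call at offset 2
    ebx += struct.unpack("<I", bootstrap_operand(loader_file_offset))[0]
    return ebx                                 # call ebx -> ReflectiveLoader
```

With the post's export RVA 0x213e the file offset is 0x153e, and 0x153e - 7 = 0x1537 packs to `37 15 00 00`, the bytes seen in the captured stage.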