Metasploit mailing list archives
Question regarding "reflectivedllinject.rb"
From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Sun, 6 Jan 2013 19:17:59 +0300
INFO - When running a multi/handler/meterpreter with appropriate settings, the metsrv.dll is patched in memory before being sent to the stager.

QUESTION - Regarding the reflectivedll bootstrap, the only two "variables" are the RVA of *ReflectiveLoader*, and the EXITFUNC placeholder ... the RVA is retrieved using "PeParsey" ... question is: Why `[offset-7].pack( "V" )` not just the offset? Why -7?

QUESTION - also when parsing metsrv.dll with "pedump" for example:

///////////////////////////////
# pedump --export metsrv.dll
=== EXPORTS ===
# module "metsrv.dll"
# flags=0x0 ts="2012-09-11 19:09:43" version=0.0 ord_base=1
# nFuncs=80 nNames=80
ORD ENTRY_VA NAME
1 15dc Init
2 213e _ReflectiveLoader@0
///////////////////////////////

Here, our RVA is 213e ... right? So "213e-7" = "2137" = "37 21 00 00" big endian. However, the patched metsrv.dll "got that from wireshark dump of the stage" has that value set to "37 15 00 00", which is less by 0xC00! ... If someone would be kind enough to give a brief explanation about "why this is happening" + "the (-7) thing", I'll really appreciate it.

Thanks in advance,
Sherif.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
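The 0xC00 gap the message observes is the difference between a PE section's VirtualAddress (where it sits once mapped, 0x1000 for a typical .text) and its PointerToRawData (where its bytes sit in the file, 0x400 for the same section): the stage is delivered as a flat file image, so the bootstrap needs the loader's file offset, which is what Rex's PeParsey converts the export RVA into, and the 7 is the length of the bootstrap bytes that precede the instruction reading its own address. The script below is an added example, not code from the list thread or from Metasploit; it builds a constructed IMAGE_SECTION_HEADER table (the section sizes and the 0x200/0x1000 alignments are assumptions, chosen so that .text has the 0x400/0x1000 layout), parses it back, converts an RVA to a file offset the way a PE loader or forensic parser would, and shows that RVA 0x213e becomes 0x153e and, after the 7-byte adjustment, the 37 15 00 00 seen in the capture. It also handles the two edge cases a real converter must: an RVA in the mapped headers, and an RVA in a section's zero-filled tail that has no bytes on disk.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics. All fields little-endian.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def build_section_table(sections):
    """Serialize (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    tuples into a raw section-header array. Used here only to construct test data."""
    blob = b""
    for name, vsize, va, rawsize, rawptr in sections:
        blob += SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0)
    return blob


def parse_section_table(blob, count):
    """Parse `count` consecutive IMAGE_SECTION_HEADER records into dicts."""
    sections = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4]})
    return sections


def rva_to_file_offset(rva, sections):
    """Map a relative virtual address to the offset of the same byte in the on-disk image."""
    first_va = min(s["va"] for s in sections)
    if rva < first_va:
        # The DOS/NT headers are mapped 1:1 at the start of the image.
        return rva
    for s in sections:
        span = max(s["vsize"], s["rawsize"])  # in-memory extent of the section
        if s["va"] <= rva < s["va"] + span:
            delta = rva - s["va"]
            if delta >= s["rawsize"]:
                # VirtualSize > SizeOfRawData: the tail is zero-filled at load, absent on disk.
                raise ValueError(f"RVA {rva:#x} lies in the uninitialised tail of {s['name']!r}")
            return s["rawptr"] + delta
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def bootstrap_patch_value(loader_rva, sections, prologue_len=7):
    """Little-endian DWORD of (file offset of the loader export) minus the bootstrap
    bytes that precede the self-locating instruction. Equivalent to Ruby's
    [offset - 7].pack("V") with a file offset rather than an RVA."""
    return struct.pack("<I", rva_to_file_offset(loader_rva, sections) - prologue_len)


# Constructed section table (assumed values): section alignment 0x1000, file alignment 0x200,
# giving .text the VirtualAddress 0x1000 / PointerToRawData 0x400 layout behind the 0xC00 gap.
CONSTRUCTED_TABLE = build_section_table([
    (b".text",  0x9E00, 0x1000, 0x9E00, 0x0400),
    (b".rdata", 0x2000, 0xB000, 0x2000, 0xA200),
    (b".data",  0x1800, 0xD000, 0x0400, 0xC200),  # VirtualSize exceeds SizeOfRawData
])
SECTIONS = parse_section_table(CONSTRUCTED_TABLE, 3)

if __name__ == "__main__":
    rva = 0x213E  # _ReflectiveLoader@0 RVA from the pedump listing in the message
    off = rva_to_file_offset(rva, SECTIONS)
    print(f"RVA {rva:#06x} -> file offset {off:#06x} (gap {rva - off:#x})")
    print("patched DWORD:", bootstrap_patch_value(rva, SECTIONS).hex(" "))
```

Run it against a real section table by replacing CONSTRUCTED_TABLE with the 40-byte records read from a file at the offset given by the NT headers; the conversion logic is unchanged, and the `ValueError` paths are the ones a hand-rolled converter usually gets wrong.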
Current thread:
- Question regarding "reflectivedllinject.rb" Sherif El-Deeb (Jan 06)
- Re: Question regarding "reflectivedllinject.rb" Stephen Fewer (Jan 06)
- Re: Question regarding "reflectivedllinject.rb" Sherif El-Deeb (Jan 06)
- Re: Question regarding "reflectivedllinject.rb" Stephen Fewer (Jan 06)