Metasploit mailing list archives
Re: Question regarding "reflectivedllinject.rb"
From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Sun, 6 Jan 2013 20:49:26 +0300
Thanks a lot, chewing through that ...

P.S: It must be my lucky day; having the most knowledgeable person about the topic, on planet earth, reply to my question about "Reflective DLLs" ;) appreciated.

Sherif.

On Sun, Jan 6, 2013 at 7:49 PM, Stephen Fewer <stephen_fewer () harmonysecurity com> wrote:

> Hi Sherif,
>
> To answer your first question, check out EBX which is what the offset is being added to in .\msf\lib\msf\core\payload\windows\reflectivedllinject.rb. You can see how the bootstrap code gets the current location of the metsrv image via;
>
>   # dec ebp ; M
>   # pop edx ; Z
>   # call 0  ; call next instruction
>   # pop ebx ; get our location (+7)
>
> so EBX is going to be +7 bytes off the start location of the image, hence why we adjust the file offset to ReflectiveLoader by -7 in order to account for this (as we add the file offset to ebx).
>
> As for your second question, you can see from the source we are using a file offset (offset = pe.rva_to_file_offset( entry.rva )) as opposed to an RVA (which would be section aligned), so the file offset of the RVA 0x213E is computed to be 0x153E, and 0x153E - 7 = 0x1537 which is the value you see in your pcap! :)
>
> Regards,
> - Stephen.
>
> On 06/01/2013 16:17, Sherif El-Deeb wrote:
>> INFO - When running a multi/handler/meterpreter with appropriate settings, the metsrv.dll is patched in memory before being sent to the stager.
>>
>> QUESTION - Regarding the reflectivedll bootstrap, the only two "variables" are the RVA of *ReflectiveLoader*, and the EXITFUNC placeholder ... the RVA is retrieved using "PeParsey" ... question is: Why `[offset-7].pack( "V" )` not just the offset? why -7 ?
>>
>> QUESTION - also when parsing metsrv.dll with "pedump" for example:
>>
>> ///////////////////////////////
>> # pedump --export metsrv.dll
>> === EXPORTS ===
>> # module "metsrv.dll"
>> # flags=0x0 ts="2012-09-11 19:09:43" version=0.0 ord_base=1
>> # nFuncs=80 nNames=80
>> ORD  ENTRY_VA  NAME
>>   1  15dc      Init
>>   2  213e      _ReflectiveLoader@0
>> ///////////////////////////////
>>
>> Here, our RVA is 213e ... right? so "213e-7" = "2137" = "37 21 00 00" big endian, However, the patched metsrv.dll "got that from wireshark dump of the stage" has that value set to "37 15 00 00" which is less by 0xC00! ...
>>
>> If someone would be kind enough to give a brief explanation about "why this is happening" + "the (-7) thing", I'll really appreciate it,
>>
>> Thanks in advance,
>> Sherif.
>>
>> _______________________________________________
>> https://mail.metasploit.com/mailman/listinfo/framework
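The two calculations Stephen describes (RVA to file offset, then the -7 bootstrap adjustment, packed little-endian with `pack('V')`) as an added, stand-alone example; this is not code from the thread or from Metasploit, and the section table is constructed so that RVA 0x213E maps to file offset 0x153E, it is not metsrv.dll's real layout.

```ruby
# Added example, not Metasploit code. The section table is CONSTRUCTED so
# that RVA 0x213E lands at file offset 0x153E (the thread's numbers);
# metsrv.dll's real headers differ. Fields mirror IMAGE_SECTION_HEADER.
SECTIONS = [
  { name: '.text',  virtual_address: 0x1000, virtual_size: 0x1A00,
    raw_pointer: 0x400,  raw_size: 0x1A00 },
  { name: '.rdata', virtual_address: 0x3000, virtual_size: 0x0800,
    raw_pointer: 0x1E00, raw_size: 0x0800 },
].freeze

# Bootstrap bytes executed before `pop ebx`: dec ebp (0x4D 'M'), pop edx
# (0x5A 'Z'), call 0 (E8 00 00 00 00). `call` pushes the address of the next
# instruction, so `pop ebx` yields image start plus the length of these bytes.
BOOTSTRAP_PREFIX = [0x4D, 0x5A, 0xE8, 0x00, 0x00, 0x00, 0x00].freeze
BOOTSTRAP_PC_SKEW = BOOTSTRAP_PREFIX.length # => 7

# Map an RVA to the offset of the same byte in the on-disk (as-sent) image.
# Sections are section-aligned in memory but file-aligned on disk, which is
# where the 0xC00 difference in the thread comes from.
def rva_to_file_offset(rva, sections = SECTIONS)
  sec = sections.find do |s|
    rva >= s[:virtual_address] && rva < s[:virtual_address] + s[:virtual_size]
  end
  raise ArgumentError, format('RVA 0x%X is in no section', rva) unless sec
  delta = rva - sec[:virtual_address]
  # Bytes past SizeOfRawData exist only in memory (zero-filled), never on disk.
  raise ArgumentError, format('RVA 0x%X has no file backing', rva) if delta >= sec[:raw_size]
  sec[:raw_pointer] + delta
end

# Value the bootstrap adds to EBX: file offset of the export, minus the skew.
def bootstrap_patch_value(rva)
  rva_to_file_offset(rva) - BOOTSTRAP_PC_SKEW
end

# The same value as the little-endian DWORD written into the patched stage.
def patch_bytes(rva)
  [bootstrap_patch_value(rva)].pack('V')
end

def hex(bytes)
  bytes.unpack('C*').map { |b| format('%02x', b) }.join(' ')
end

if __FILE__ == $PROGRAM_NAME
  rva = 0x213E
  puts format('RVA 0x%X -> file offset 0x%X -> patch 0x%X -> bytes %s', rva,
              rva_to_file_offset(rva), bootstrap_patch_value(rva), hex(patch_bytes(rva)))
end
```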