Re: Question regarding "reflectivedllinject.rb"

[Sherif El-Deeb <archeldeeb () gmail com>]

Thanks a lot, chewing through that ...

P.S: It must be my lucky day; having the most knowledgeable person
about the topic, on planet earth, reply to my question about
"Reflective DLLs" ;) appreciated.

Sherif.




On Sun, Jan 6, 2013 at 7:49 PM, Stephen Fewer
<stephen_fewer () harmonysecurity com> wrote:
> Hi Sherif,
>
> To answer your first question, check out EBX which is what the offset is
> being added to in .\msf\lib\msf\core\payload\windows\reflectivedllinject.rb.
>
> You can see how the bootstrap code gets the current location of the
> metsrv image via;
>
> # dec ebp ; M
> # pop edx ; Z
> # call 0  ; call next instruction
> # pop ebx ; get our location (+7)
>
> so EBX is going to be +7 bytes off the start location of the image,
> hence why we adjust the file offset to ReflectiveLoader by -7 in order
> to account for this (as we add the file offset to ebx).
>
> As for your second question, you can see from the source we are using a
> file offset (offset = pe.rva_to_file_offset( entry.rva )) as opposed to
> an RVA (which would be section aligned), so the file offset of the RVA
> 0x213E is computed to be 0x153E, and 0x153E - 7 = 0x1537 which is the
> value you see in your pcap! :)
>
> Regards,
>
> - Stephen.
>
>
>
> On 06/01/2013 16:17, Sherif El-Deeb wrote:
> > INFO - When running a multi/handler/meterpreter with appropriate
> > settings, the metsrv.dll is patched in memory before being sent to the
> > stager.
> >
> > QUESTION - Regarding the reflectivedll bootstrap, the only two
> > "variables" are the RVA of *ReflectiveLoader*, and the EXITFUNC
> > placeholder ... the RVA is retrieved using "PeParsey" ... question is:
> > Why  `[offset-7].pack( "V" )` not just the offset? why -7 ?
> >
> > QUESTION - also when parsing metsrv.dll with "pedump" for example:
> > ///////////////////////////////
> > # pedump --export metsrv.dll
> >
> > === EXPORTS ===
> >
> > # module "metsrv.dll"
> > # flags=0x0  ts="2012-09-11 19:09:43"  version=0.0  ord_base=1
> > # nFuncs=80  nNames=80
> >
> >   ORD ENTRY_VA  NAME
> >     1     15dc  Init
> >     2     213e  _ReflectiveLoader@0
> > ///////////////////////////////
> >
> > Here, the our RVA is 213e ... right? so "213e-7" = "2137" = "37 21 00
> > 00" big endian,
> > However, the patched metsrv.dll "got that from wireshark dump of the
> > stage" has that value set to "37 15 00 00" which is less by 0xC00! ...
> >
> > If someone would be kind enough to give a brief explanation about "why
> > this is happening" + "the (-7) thing", I'll really appreciate it,
> > Thanks in advance,
> >
> > Sherif.
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework