
reflective_dll_loader.rb 1.4KB

  1. # -*- coding: binary -*-
  2. ###
  3. #
  4. # This mixin contains functionality which loads a Reflective
  5. # DLL from disk into memory and finds the offset of the
  6. # reflective loader's entry point.
  7. #
  8. ###
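module Msf::ReflectiveDLLLoader
  # Load a reflectively-injectable DLL from disk and find the offset
  # to the ReflectiveLoader function inside the DLL.
  #
  # @param dll_path [String] Path to the DLL to load.
  #
  # @return [Array] Tuple of DLL contents and offset to the
  #   +ReflectiveLoader+ function within the DLL.
  # @raise [RuntimeError] if the DLL exports no +ReflectiveLoader+ symbol.
  def load_rdi_dll(dll_path)
    # binread opens in binary mode, reads the whole file and closes it.
    dll = ::File.binread(dll_path)
    offset = parse_pe(dll, dll_path)
    return dll, offset
  end

  # Load a reflectively-injectable DLL from a string and find the offset
  # to the ReflectiveLoader function inside the DLL.
  #
  # @param dll_data [String] the raw DLL contents to load.
  #
  # @return [Integer] offset to the +ReflectiveLoader+ function within the DLL.
  # @raise [RuntimeError] if the DLL exports no +ReflectiveLoader+ symbol.
  def load_rdi_dll_from_data(dll_data)
    parse_pe(dll_data)
  end

  private

  # Parse a PE image and return the file offset of its +ReflectiveLoader+
  # export.
  #
  # @param dll [String] the raw PE image.
  # @param source [String] description of where +dll+ came from; used only
  #   to build the error message.
  #
  # @return [Integer] file offset corresponding to the export's RVA.
  # @raise [RuntimeError] if no export name contains +ReflectiveLoader+.
  def parse_pe(dll, source = 'the supplied DLL data')
    pe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(dll))

    # The export name may carry compiler decoration (e.g. a leading
    # underscore or a trailing @N), so match on the name core rather than
    # an exact string. \A anchors to the start of the whole name, whereas
    # the previous ^ matched at the start of any line within it.
    entry = pe.exports.entries.find { |e| e.name =~ /\A\S*ReflectiveLoader/ }

    # The original message interpolated +dll_path+, which is not in scope in
    # this method, so the intended error surfaced as a NameError instead.
    raise "Cannot find the ReflectiveLoader entry point in #{source}" unless entry

    pe.rva_to_file_offset(entry.rva)
  end
end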