Home page logo

metasploit logo Metasploit mailing list archives

Fail to write a C/winsock Meterpreter Reflective DLL Injection snippet
From: al1c3andb0b <al1c3andb0b () lavabit com>
Date: Fri, 08 Apr 2011 05:07:48 +0200

My goal is to write a C/winsock program compatible with exploit/generic/handler and payload/windows/meterpreter/reverse_tcp: a program that is able to connect back to the handler, download the metsrv DLL, and load and initialize it.

The context:
- I allocate (malloc) a buffer (char* pe_image) of 749056 bytes
- I create a SOCKET, connect()/select()/recv() to download the metsrv.dll into that buffer

At this point, I can write the buffer to a binary file, call LoadLibrary() to load the PE, and GetProcAddress() to resolve the "Init" function and invoke it. That creates the expected Meterpreter session on the handler side.

To have a chance to avoid AV detection, I would like to use reflective injection, as described in S. Fewer paper.

For this I attempt to reuse some of his (Harmony Security) source code, that I've found under meterpreter/source/ReflectiveDLLInjection.

I import ReflectiveLoader.h, ReflectiveDLLInjection.h, LoadLibraryR.h, and LoadLibraryR.c.

I'd like to start with local injection.

Reading LoadLibraryR.c, I've found LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ) very close to my requirements: - parse the DLL buffer for the export table, and locate the ReflectiveLoader() function
- invoke this function to trigger the actual injection
- the function returns the address of the DLL new entry point
- invoke this entry point

Invoking LoadLibraryR() function with my buffer as parameter seems to work as I can see (debug) the reflective loader is well found, and the returned HMODULE is not null. That obviously does not trigger any Meterpreter session, as this implementation of LoadLibraryR() does not invoke Init(SOCKET). And, I was not able to use this HMODULE as a parameter for GetProcAddress() to resolve the "Init" function (it may not actually be "registered" to the main process import table, as by the LoadLibrary() syscall).

So I changed the prototype from:
LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
---> to
LoadLibraryR( LPVOID lpBuffer, DWORD dwLength, SOCKET metsocket )

and in the implementation from:
// call the loaded librarys DllMain to get its HMODULE
// Dont call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH as that is for payloads only.
if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )
    hResult = NULL;
--> to
pDllMain( NULL, DLL_QUERY_HMODULE, &hModule );
BOOL attached= pDllMain( hModule /* or NULL without line above */, DLL_METASPLOIT_ATTACH, &metsocket);

This last line causes the debugger to hang (in MSVC, the Call stack and Local windows are empty, I have to stop the process) with no Meterpreter session opened.

I've also tried to use the LoadRemoteLibraryR() function, but didn't find a solution to the "different adress spaces" issue.

I must miss some important points, but can't figure them out. Is I'm far from being fluent in x86 assembler, the shellcode within the related ruby sources (msfpayload,stagers,stages) didn't help me more.

Any help on what I'm doing/thinking wrong is welcome. As any pointer to relevant resources.



  By Date           By Thread  

Current thread:
  • Fail to write a C/winsock Meterpreter Reflective DLL Injection snippet al1c3andb0b (Apr 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]