Change RDI so that the loader function can be specified by name or ordinal #9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7 tasks
|
This is exactly what the rest of the RDI code had done for years when
testing for ordinals. I just ported it to this over to this function
because it was the one point it hadn't been implemented!
…On Sat, 20 Jun 2020, 07:59 Spencer McIntyre, ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In inject/src/LoadLibraryR.c
<#9 (comment)>
:
>
+ // test if we are importing by name or by ordinal...
+ if (((DWORD)cpReflectiveLoaderName & 0xFFFF0000) == 0x00000000)
This sort of looks a little fragile, especially for 64-bit systems. Would
it be possible to make the interpretation of ordinal vs name more explicit?
If not at least comparing a QWORD value with 0xffffffffffff0000 on 64-bit
systems would help reduce the risk of a misinterpretation. I know it has to
be passed around so ByOrdinal and ByName suffixes would probably be a
pain to write, but what about using a struct?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#9 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAHBYBKXA7LBXF3GBHTUHDRXPNSTANCNFSM4ND5GZHQ>
.
|
OJ
commented
Jun 22, 2020
|
|
||
| // test if we are importing by name or by ordinal... | ||
| if ((((DWORD_PTR)cpReflectiveLoaderName) >> 16) == 0) |
There was a problem hiding this comment.
As discussed on Slack @smcintyre-r7 @bcook-r7 👍 Thanks!
smcintyre-r7
approved these changes
Jun 23, 2020
smcintyre-r7
approved these changes
Jun 23, 2020
|
I tested this with the corresponding metasploit-payloads PR. The payloads are loading and it looks like the functionality that this introduces is solid and working as intended. I'll have this merged momentarily before moving on to some more indepth testing on the payloads side of things. Thanks @OJ ! |
|
Thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
With the goal of removing more and more recognisable stuff from the DLLs, I've modified the code to allow the user to specify the name or ordinal of the ReflectiveLoader.
This means that:
ReflectiveLoaderfrom the DLL images we produce, and load functions based on ordinalsClearly this breaks back compat, so it might need to be rolled into all the other things that we've done.
This relates to: