def install_hook(self, mod_name, new_address, name=None, ordinal=None):
if not (bool(name) ^ bool(ordinal)):
raise ValueError('must select either name or ordinal, not both')
image_import_descriptors = self.get_proc_attribute('image_import_descriptor')
image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
is_ordinal = lambda x: bool(x & 0x80000000)
for iid in image_import_descriptors:
cur_mod_name = self._get_name_for_image_import_descriptor(iid)
if cur_mod_name.lower() != mod_name.lower():
continue
ilt = self._get_ilt_for_image_import_descriptor(iid)
iat = self._get_iat_for_image_import_descriptor(iid)
for idx in range(len(ilt)):
if ilt[idx] is None:
continue
hook_it = False
if not is_ordinal(ilt[idx]) and name:
cur_func_name = self._get_name_for_ilt_entry(ilt[idx])
if cur_func_name == name:
hook_it = True
elif is_ordinal(ilt[idx]) and ordinal:
cur_func_ordinal = self._get_ordinal_for_ilt_entry(ilt[idx])
if cur_func_ordinal == ordinal:
hook_it = True
if hook_it:
old_address = iat[idx]
iat_ent_addr = image_dos_header_addr
iat_ent_addr += iid.FirstThunk
iat_ent_addr += (ctypes.sizeof(ctypes.c_void_p) * idx)
new_addr = ctypes.c_void_p()
new_addr.value = new_address
written = wintypes.DWORD()
if m_k32.WriteProcessMemory(self.handle, iat_ent_addr, ctypes.byref(new_addr), ctypes.sizeof(new_addr), ctypes.byref(written)) == 0:
errno = m_k32.GetLastError()
if errno == 998:
errno = 0
old_permissions = wintypes.DWORD()
if (m_k32.VirtualProtectEx(self.handle, iat_ent_addr, 0x400, flags('PAGE_READWRITE'), ctypes.byref(old_permissions)) == 0):
raise WindowsProcessError('Error: VirtualProtectEx', get_last_error=m_k32.GetLastError())
if m_k32.WriteProcessMemory(self.handle, iat_ent_addr, ctypes.byref(new_addr), ctypes.sizeof(new_addr), ctypes.byref(written)) == 0:
errno = m_k32.GetLastError()
self.protect(iat_ent_addr, permissions=old_permissions)
if errno:
raise WindowsProcessError('Error: WriteProcessMemory', get_last_error=errno)
hook = Hook('iat', iat_ent_addr, old_address, new_address)
self._installed_hooks.append(hook)
return hook
raise ProcessError('failed to find location to install hook')
def load_library(self, libpath):
libpath = os.path.abspath(libpath)
libpath_bytes = libpath.encode('utf-8') + b'\x00'
remote_page = m_k32.VirtualAllocEx(self.handle, None,
len(libpath_bytes),
flags("MEM_COMMIT"),
flags("PAGE_EXECUTE_READWRITE"))
if not remote_page:
raise WindowsProcessError(
'Error: failed to allocate space for library name in the target process'
)
if not m_k32.WriteProcessMemory(self.handle,
remote_page, libpath_bytes,
len(libpath_bytes), None):
raise WindowsProcessError(
'Error: failed to copy the library name to the target process')
remote_thread = m_k32.CreateRemoteThread(self.handle, None, 0,
m_k32.LoadLibraryA.address,
remote_page, 0, None)
m_k32.WaitForSingleObject(remote_thread, -1)
exitcode = wintypes.DWORD(0)
m_k32.GetExitCodeThread(remote_thread, ctypes.byref(exitcode))
m_k32.VirtualFreeEx(self.handle, remote_page, len(libpath_bytes),
flags("MEM_RELEASE"))
if exitcode.value == 0:
raise WindowsProcessError(
"Error: failed to load: {0}, thread exited with status: 0x{1:x}"
.format(libpath, exitcode.value))
return exitcode.value
def write_memory(self, address, data):
if isinstance(data, str):
data = data.encode('utf-8')
_wr_data = (ctypes.c_char * len(data))
wr_data = _wr_data()
wr_data.value = data
written = wintypes.SIZE_T()
if not m_k32.WriteProcessMemory(self.handle, address, ctypes.byref(wr_data), ctypes.sizeof(wr_data), ctypes.byref(written)):
raise WindowsProcessError('Error: WriteProcessMemory', get_last_error=m_k32.GetLastError())
return
def mayhem():
handle = -1 # -1 is always a handle to the current process
module_handle = m_k32.GetModuleHandleW('user32.dll')
if not module_handle:
print('user32.dll is not loaded')
return
address = m_k32.GetProcAddress(module_handle, b'GetClipboardData')
if not address:
print('failed to resolve user32.dll!GetClipboardData')
return
stub = jump_stub(ctypes.cast(GetClipboardData, ctypes.c_void_p).value)
if m_k32.WriteProcessMemory(handle, address, stub, len(stub), None):
print(
"successfully installed the trampoline at 0x{0:x}".format(address))
else:
print('failed to install the trampoline')
