コード例 #1
0
ファイル: loader.py プロジェクト: pjrje4/sbpe
def launch(exepath):
    # on Linux and MacOS, use ld/dyld
    if platform.system() == 'Linux':
        os.environ['LD_PRELOAD'] = REMOTEPATH
    if platform.system() == 'Darwin':
        os.environ['DYLD_INSERT_LIBRARIES'] = REMOTEPATH
        os.environ['DYLD_FORCE_FLAT_NAMESPACE'] = '1'

    # start the game
    gpop = subprocess.Popen([exepath],
                            stderr=subprocess.STDOUT,
                            stdout=subprocess.PIPE,
                            cwd=os.path.dirname(exepath))

    # on Windows, inject into the running process
    if platform.system() == 'Windows':
        try:
            proc = NativeProcess(pid=gpop.pid)
            lib_h = proc.load_library(REMOTEPATH)
            # start remote thread
            addr = lib_h + STARTUP_OFFSET
            thr = proc.start_thread(addr)
            logging.info('starting from 0x{:x}'.format(addr))
            proc.join_thread(thr)
        except ProcessError as error:
            gpop.kill()
            logging.error(error.msg)
            return False

    return gpop
コード例 #2
0
ファイル: syringe.py プロジェクト: chubbymaggie/mayhem
def main():
	parser = argparse.ArgumentParser(
		description='syringe: library & shellcode injection utility',
		conflict_handler='resolve',
		epilog='The PID argument can be specified as -1 to inject into the context of the syringe process.'
	)
	parser.add_argument('-l', '--load', dest='library', action='store', help='load the library in the target process')
	shellcode_group = parser.add_mutually_exclusive_group()
	shellcode_group.add_argument('-i', '--inject', dest='shellcode', action='store', help='inject code into the process')
	shellcode_group.add_argument('-f', '--inject-file', dest='shellcode_file', type=argparse.FileType('rb'), help='inject code from a file into the process')
	parser.add_argument('-d', '--decode', dest='decode', action='store', choices=('b64', 'hex', 'raw'), default='b64', help='decode the shellcode prior to execution')
	parser.add_argument('pid', action='store', type=int, help='process to control')
	arguments = parser.parse_args()

	try:
		process_h = NativeProcess(pid=arguments.pid)
	except ProcessError as error:
		print("[-] {0}".format(error.msg))
		return
	print("[+] Opened a handle to pid: {0}".format(arguments.pid))

	if arguments.library:
		try:
			lib_h = process_h.load_library(arguments.library)
		except ProcessError as error:
			print("[-] {0}".format(error.msg))
		else:
			print("[+] Loaded {0} with handle 0x{1:08x}".format(arguments.library, lib_h))

	if arguments.shellcode or arguments.shellcode_file:
		if arguments.shellcode:
			shellcode = arguments.shellcode
		else:
			shellcode = arguments.shellcode_file.read()
			arguments.shellcode_file.close()
		if arguments.decode == 'b64':
			shellcode = shellcode.decode('base64')
		elif arguments.decode == 'hex':
			shellcode = shellcode.decode('hex')
		stub = "" # no stub by default
		if architecture_is_32bit(process_h.arch):
			stub = "\x8b\x44\x24\x04" # mov eax,[esp+4]
		elif architecture_is_64bit(process_h.arch):
			stub = "\x48\x8b\x44\x24\x08" # mov rax,[rsp+8]

		shellcode_sz = align_up(len(stub + shellcode), 1024)
		address = process_h.allocate(size=shellcode_sz, address=0)
		print("[+] Allocated {0} bytes at 0x{1:08x}".format(shellcode_sz, address))
		process_h.protect(address, size=shellcode_sz)
		process_h.write_memory(address, stub + shellcode)
		thread_id = process_h.start_thread(address, (address + len(stub)))
		print("[+] Started thread at 0x{0:08x}".format(address))
		print("[*] Waiting for thread to complete...")
		try:
			process_h.join_thread(thread_id)
			print("[+] Thread completed")
		except ProcessError as err:
			print("[-] {0} {1}".format(err.__class__.__name__, err.msg))

	process_h.close()
コード例 #3
0
def main():
	parser = ArgumentParser(description='python_injector: inject python code into a process', conflict_handler='resolve')
	parser.add_argument('shellcode', action='store', help='python code to inject into the process')
	parser.add_argument('pid', action='store', type=int, help='process to inject into')
	arguments = parser.parse_args()

	if not sys.platform.startswith('win'):
		print('[-] This tool is only available on Windows')
		return

	# get a handle the the process
	try:
		process_h = NativeProcess(pid=arguments.pid)
	except ProcessError as error:
		print("[-] {0}".format(error.msg))
		return
	print("[+] Opened a handle to pid: {0}".format(arguments.pid))

	# find and inject the python library
	python_lib = "python{0}{1}.dll".format(sys.version_info.major, sys.version_info.minor)
	python_lib = ctypes.util.find_library(python_lib)
	if python_lib:
		print("[*] Found Python library at: {0}".format(python_lib))
	else:
		print('[-] Failed to find the Python library')
		return

	print('[*] Injecting Python into the process...')
	try:
		python_lib_h = process_h.load_library(python_lib)
	except ProcessError as error:
		print("[-] {0}".format(error.msg))
		return
	else:
		print("[+] Loaded {0} with handle 0x{1:08x}".format(python_lib, python_lib_h))

	# resolve the necessary functions
	k32 = ctypes.windll.kernel32
	local_handle = k32.GetModuleHandleA(python_lib)
	py_initialize_ex = python_lib_h + (k32.GetProcAddress(local_handle, 'Py_InitializeEx') - local_handle)
	py_run_simple_string = python_lib_h + (k32.GetProcAddress(local_handle, 'PyRun_SimpleString') - local_handle)
	print('[*] Resolved address:')
	print("  - Py_InitializeEx:    0x{0:08x}".format(py_initialize_ex))
	print("  - PyRun_SimpleString: 0x{0:08x}".format(py_run_simple_string))

	# call remote functions to initialize and run via remote threads
	thread_h = process_h.start_thread(py_initialize_ex, 0)
	process_h.join_thread(thread_h)

	shellcode = arguments.shellcode
	shellcode_addr = process_h.allocate(size=align_up(len(shellcode)), permissions='PAGE_READWRITE')
	process_h.write_memory(shellcode_addr, shellcode)
	thread_h = process_h.start_thread(py_run_simple_string, shellcode_addr)
	process_h.join_thread(thread_h)

	process_h.close()
コード例 #4
0
def main():
    parser = argparse.ArgumentParser(
        description='syringe: library & shellcode injection utility',
        conflict_handler='resolve',
        epilog=
        'The PID argument can be specified as -1 to inject into the context of the syringe process.'
    )
    parser.add_argument('-l',
                        '--load',
                        dest='library',
                        action='store',
                        help='load the library in the target process')
    shellcode_group = parser.add_mutually_exclusive_group()
    shellcode_group.add_argument('-i',
                                 '--inject',
                                 dest='shellcode',
                                 action='store',
                                 help='inject code into the process')
    shellcode_group.add_argument(
        '-f',
        '--inject-file',
        dest='shellcode_file',
        type=argparse.FileType('rb'),
        help='inject code from a file into the process')
    parser.add_argument('-d',
                        '--decode',
                        dest='decode',
                        action='store',
                        choices=('b64', 'hex', 'raw'),
                        default='b64',
                        help='decode the shellcode prior to execution')
    parser.add_argument('pid',
                        action='store',
                        type=int,
                        help='process to control')
    arguments = parser.parse_args()

    try:
        process_h = NativeProcess(pid=arguments.pid)
    except ProcessError as error:
        print("[-] {0}".format(error.msg))
        return
    print("[+] Opened a handle to pid: {0}".format(arguments.pid))

    if arguments.library:
        try:
            lib_h = process_h.load_library(arguments.library)
        except ProcessError as error:
            print("[-] {0}".format(error.msg))
        else:
            print("[+] Loaded {0} with handle 0x{1:08x}".format(
                arguments.library, lib_h))

    if arguments.shellcode or arguments.shellcode_file:
        if arguments.shellcode:
            shellcode = arguments.shellcode
        else:
            shellcode = arguments.shellcode_file.read()
            arguments.shellcode_file.close()
        if arguments.decode == 'b64':
            shellcode = shellcode.decode('base64')
        elif arguments.decode == 'hex':
            shellcode = shellcode.decode('hex')
        stub = ''  # no stub by default
        if architecture_is_32bit(process_h.arch):
            stub = b'\x8b\x44\x24\x04'  # mov eax,[esp+4]
        elif architecture_is_64bit(process_h.arch):
            stub = b'\x48\x8b\x44\x24\x08'  # mov rax,[rsp+8]

        shellcode_sz = align_up(len(stub + shellcode), 1024)
        address = process_h.allocate(size=shellcode_sz, address=0)
        print("[+] Allocated {0} bytes at 0x{1:08x}".format(
            shellcode_sz, address))
        process_h.protect(address, size=shellcode_sz)
        process_h.write_memory(address, stub + shellcode)
        thread_id = process_h.start_thread(address, (address + len(stub)))
        print("[+] Started thread at 0x{0:08x}".format(address))
        print("[*] Waiting for thread to complete...")
        try:
            process_h.join_thread(thread_id)
            print("[+] Thread completed")
        except ProcessError as err:
            print("[-] {0} {1}".format(err.__class__.__name__, err.msg))

    process_h.close()