def launch(exepath):
# on Linux and MacOS, use ld/dyld
if platform.system() == 'Linux':
os.environ['LD_PRELOAD'] = REMOTEPATH
if platform.system() == 'Darwin':
os.environ['DYLD_INSERT_LIBRARIES'] = REMOTEPATH
os.environ['DYLD_FORCE_FLAT_NAMESPACE'] = '1'
# start the game
gpop = subprocess.Popen([exepath],
stderr=subprocess.STDOUT,
stdout=subprocess.PIPE,
cwd=os.path.dirname(exepath))
# on Windows, inject into the running process
if platform.system() == 'Windows':
try:
proc = NativeProcess(pid=gpop.pid)
lib_h = proc.load_library(REMOTEPATH)
# start remote thread
addr = lib_h + STARTUP_OFFSET
thr = proc.start_thread(addr)
logging.info('starting from 0x{:x}'.format(addr))
proc.join_thread(thr)
except ProcessError as error:
gpop.kill()
logging.error(error.msg)
return False
return gpop
def main():
parser = argparse.ArgumentParser(
description='syringe: library & shellcode injection utility',
conflict_handler='resolve',
epilog='The PID argument can be specified as -1 to inject into the context of the syringe process.'
)
parser.add_argument('-l', '--load', dest='library', action='store', help='load the library in the target process')
shellcode_group = parser.add_mutually_exclusive_group()
shellcode_group.add_argument('-i', '--inject', dest='shellcode', action='store', help='inject code into the process')
shellcode_group.add_argument('-f', '--inject-file', dest='shellcode_file', type=argparse.FileType('rb'), help='inject code from a file into the process')
parser.add_argument('-d', '--decode', dest='decode', action='store', choices=('b64', 'hex', 'raw'), default='b64', help='decode the shellcode prior to execution')
parser.add_argument('pid', action='store', type=int, help='process to control')
arguments = parser.parse_args()
try:
process_h = NativeProcess(pid=arguments.pid)
except ProcessError as error:
print("[-] {0}".format(error.msg))
return
print("[+] Opened a handle to pid: {0}".format(arguments.pid))
if arguments.library:
try:
lib_h = process_h.load_library(arguments.library)
except ProcessError as error:
print("[-] {0}".format(error.msg))
else:
print("[+] Loaded {0} with handle 0x{1:08x}".format(arguments.library, lib_h))
if arguments.shellcode or arguments.shellcode_file:
if arguments.shellcode:
shellcode = arguments.shellcode
else:
shellcode = arguments.shellcode_file.read()
arguments.shellcode_file.close()
if arguments.decode == 'b64':
shellcode = shellcode.decode('base64')
elif arguments.decode == 'hex':
shellcode = shellcode.decode('hex')
stub = "" # no stub by default
if architecture_is_32bit(process_h.arch):
stub = "\x8b\x44\x24\x04" # mov eax,[esp+4]
elif architecture_is_64bit(process_h.arch):
stub = "\x48\x8b\x44\x24\x08" # mov rax,[rsp+8]
shellcode_sz = align_up(len(stub + shellcode), 1024)
address = process_h.allocate(size=shellcode_sz, address=0)
print("[+] Allocated {0} bytes at 0x{1:08x}".format(shellcode_sz, address))
process_h.protect(address, size=shellcode_sz)
process_h.write_memory(address, stub + shellcode)
thread_id = process_h.start_thread(address, (address + len(stub)))
print("[+] Started thread at 0x{0:08x}".format(address))
print("[*] Waiting for thread to complete...")
try:
process_h.join_thread(thread_id)
print("[+] Thread completed")
except ProcessError as err:
print("[-] {0} {1}".format(err.__class__.__name__, err.msg))
process_h.close()
def main():
parser = ArgumentParser(description='python_injector: inject python code into a process', conflict_handler='resolve')
parser.add_argument('shellcode', action='store', help='python code to inject into the process')
parser.add_argument('pid', action='store', type=int, help='process to inject into')
arguments = parser.parse_args()
if not sys.platform.startswith('win'):
print('[-] This tool is only available on Windows')
return
# get a handle the the process
try:
process_h = NativeProcess(pid=arguments.pid)
except ProcessError as error:
print("[-] {0}".format(error.msg))
return
print("[+] Opened a handle to pid: {0}".format(arguments.pid))
# find and inject the python library
python_lib = "python{0}{1}.dll".format(sys.version_info.major, sys.version_info.minor)
python_lib = ctypes.util.find_library(python_lib)
if python_lib:
print("[*] Found Python library at: {0}".format(python_lib))
else:
print('[-] Failed to find the Python library')
return
print('[*] Injecting Python into the process...')
try:
python_lib_h = process_h.load_library(python_lib)
except ProcessError as error:
print("[-] {0}".format(error.msg))
return
else:
print("[+] Loaded {0} with handle 0x{1:08x}".format(python_lib, python_lib_h))
# resolve the necessary functions
k32 = ctypes.windll.kernel32
local_handle = k32.GetModuleHandleA(python_lib)
py_initialize_ex = python_lib_h + (k32.GetProcAddress(local_handle, 'Py_InitializeEx') - local_handle)
py_run_simple_string = python_lib_h + (k32.GetProcAddress(local_handle, 'PyRun_SimpleString') - local_handle)
print('[*] Resolved address:')
print(" - Py_InitializeEx: 0x{0:08x}".format(py_initialize_ex))
print(" - PyRun_SimpleString: 0x{0:08x}".format(py_run_simple_string))
# call remote functions to initialize and run via remote threads
thread_h = process_h.start_thread(py_initialize_ex, 0)
process_h.join_thread(thread_h)
shellcode = arguments.shellcode
shellcode_addr = process_h.allocate(size=align_up(len(shellcode)), permissions='PAGE_READWRITE')
process_h.write_memory(shellcode_addr, shellcode)
thread_h = process_h.start_thread(py_run_simple_string, shellcode_addr)
process_h.join_thread(thread_h)
process_h.close()
def main():
parser = argparse.ArgumentParser(
description='syringe: library & shellcode injection utility',
conflict_handler='resolve',
epilog=
'The PID argument can be specified as -1 to inject into the context of the syringe process.'
)
parser.add_argument('-l',
'--load',
dest='library',
action='store',
help='load the library in the target process')
shellcode_group = parser.add_mutually_exclusive_group()
shellcode_group.add_argument('-i',
'--inject',
dest='shellcode',
action='store',
help='inject code into the process')
shellcode_group.add_argument(
'-f',
'--inject-file',
dest='shellcode_file',
type=argparse.FileType('rb'),
help='inject code from a file into the process')
parser.add_argument('-d',
'--decode',
dest='decode',
action='store',
choices=('b64', 'hex', 'raw'),
default='b64',
help='decode the shellcode prior to execution')
parser.add_argument('pid',
action='store',
type=int,
help='process to control')
arguments = parser.parse_args()
try:
process_h = NativeProcess(pid=arguments.pid)
except ProcessError as error:
print("[-] {0}".format(error.msg))
return
print("[+] Opened a handle to pid: {0}".format(arguments.pid))
if arguments.library:
try:
lib_h = process_h.load_library(arguments.library)
except ProcessError as error:
print("[-] {0}".format(error.msg))
else:
print("[+] Loaded {0} with handle 0x{1:08x}".format(
arguments.library, lib_h))
if arguments.shellcode or arguments.shellcode_file:
if arguments.shellcode:
shellcode = arguments.shellcode
else:
shellcode = arguments.shellcode_file.read()
arguments.shellcode_file.close()
if arguments.decode == 'b64':
shellcode = shellcode.decode('base64')
elif arguments.decode == 'hex':
shellcode = shellcode.decode('hex')
stub = '' # no stub by default
if architecture_is_32bit(process_h.arch):
stub = b'\x8b\x44\x24\x04' # mov eax,[esp+4]
elif architecture_is_64bit(process_h.arch):
stub = b'\x48\x8b\x44\x24\x08' # mov rax,[rsp+8]
shellcode_sz = align_up(len(stub + shellcode), 1024)
address = process_h.allocate(size=shellcode_sz, address=0)
print("[+] Allocated {0} bytes at 0x{1:08x}".format(
shellcode_sz, address))
process_h.protect(address, size=shellcode_sz)
process_h.write_memory(address, stub + shellcode)
thread_id = process_h.start_thread(address, (address + len(stub)))
print("[+] Started thread at 0x{0:08x}".format(address))
print("[*] Waiting for thread to complete...")
try:
process_h.join_thread(thread_id)
print("[+] Thread completed")
except ProcessError as err:
print("[-] {0} {1}".format(err.__class__.__name__, err.msg))
process_h.close()