def install_hook(self, mod_name, new_address, name=None, ordinal=None): if not (bool(name) ^ bool(ordinal)): raise ValueError('must select either name or ordinal, not both') image_import_descriptors = self.get_proc_attribute('image_import_descriptor') image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr') is_ordinal = lambda x: bool(x & 0x80000000) for iid in image_import_descriptors: cur_mod_name = self._get_name_for_image_import_descriptor(iid) if cur_mod_name.lower() != mod_name.lower(): continue ilt = self._get_ilt_for_image_import_descriptor(iid) iat = self._get_iat_for_image_import_descriptor(iid) for idx in range(len(ilt)): if ilt[idx] is None: continue hook_it = False if not is_ordinal(ilt[idx]) and name: cur_func_name = self._get_name_for_ilt_entry(ilt[idx]) if cur_func_name == name: hook_it = True elif is_ordinal(ilt[idx]) and ordinal: cur_func_ordinal = self._get_ordinal_for_ilt_entry(ilt[idx]) if cur_func_ordinal == ordinal: hook_it = True if hook_it: old_address = iat[idx] iat_ent_addr = image_dos_header_addr iat_ent_addr += iid.FirstThunk iat_ent_addr += (ctypes.sizeof(ctypes.c_void_p) * idx) new_addr = ctypes.c_void_p() new_addr.value = new_address written = wintypes.DWORD() if m_k32.WriteProcessMemory(self.handle, iat_ent_addr, ctypes.byref(new_addr), ctypes.sizeof(new_addr), ctypes.byref(written)) == 0: errno = m_k32.GetLastError() if errno == 998: errno = 0 old_permissions = wintypes.DWORD() if (m_k32.VirtualProtectEx(self.handle, iat_ent_addr, 0x400, flags('PAGE_READWRITE'), ctypes.byref(old_permissions)) == 0): raise WindowsProcessError('Error: VirtualProtectEx', get_last_error=m_k32.GetLastError()) if m_k32.WriteProcessMemory(self.handle, iat_ent_addr, ctypes.byref(new_addr), ctypes.sizeof(new_addr), ctypes.byref(written)) == 0: errno = m_k32.GetLastError() self.protect(iat_ent_addr, permissions=old_permissions) if errno: raise WindowsProcessError('Error: WriteProcessMemory', get_last_error=errno) hook = Hook('iat', iat_ent_addr, old_address, new_address) self._installed_hooks.append(hook) return hook raise ProcessError('failed to find location to install hook')
def load_library(self, libpath): libpath = os.path.abspath(libpath) libpath_bytes = libpath.encode('utf-8') + b'\x00' remote_page = m_k32.VirtualAllocEx(self.handle, None, len(libpath_bytes), flags("MEM_COMMIT"), flags("PAGE_EXECUTE_READWRITE")) if not remote_page: raise WindowsProcessError( 'Error: failed to allocate space for library name in the target process' ) if not m_k32.WriteProcessMemory(self.handle, remote_page, libpath_bytes, len(libpath_bytes), None): raise WindowsProcessError( 'Error: failed to copy the library name to the target process') remote_thread = m_k32.CreateRemoteThread(self.handle, None, 0, m_k32.LoadLibraryA.address, remote_page, 0, None) m_k32.WaitForSingleObject(remote_thread, -1) exitcode = wintypes.DWORD(0) m_k32.GetExitCodeThread(remote_thread, ctypes.byref(exitcode)) m_k32.VirtualFreeEx(self.handle, remote_page, len(libpath_bytes), flags("MEM_RELEASE")) if exitcode.value == 0: raise WindowsProcessError( "Error: failed to load: {0}, thread exited with status: 0x{1:x}" .format(libpath, exitcode.value)) return exitcode.value
def write_memory(self, address, data): if isinstance(data, str): data = data.encode('utf-8') _wr_data = (ctypes.c_char * len(data)) wr_data = _wr_data() wr_data.value = data written = wintypes.SIZE_T() if not m_k32.WriteProcessMemory(self.handle, address, ctypes.byref(wr_data), ctypes.sizeof(wr_data), ctypes.byref(written)): raise WindowsProcessError('Error: WriteProcessMemory', get_last_error=m_k32.GetLastError()) return
def mayhem(): handle = -1 # -1 is always a handle to the current process module_handle = m_k32.GetModuleHandleW('user32.dll') if not module_handle: print('user32.dll is not loaded') return address = m_k32.GetProcAddress(module_handle, b'GetClipboardData') if not address: print('failed to resolve user32.dll!GetClipboardData') return stub = jump_stub(ctypes.cast(GetClipboardData, ctypes.c_void_p).value) if m_k32.WriteProcessMemory(handle, address, stub, len(stub), None): print( "successfully installed the trampoline at 0x{0:x}".format(address)) else: print('failed to install the trampoline')