Solving the problems that come up when implementing DLL injection in Python 3

1. VirtualAllocEx fails to allocate memory

The injector needs to run with sufficient privileges. VirtualAllocEx requires a process handle that carries PROCESS_VM_OPERATION access; when the target runs at a higher integrity level or under another account, OpenProcess returns NULL (the handle prints as None) and VirtualAllocEx then fails with ERROR_INVALID_HANDLE. Enable SeDebugPrivilege in the injector's own token (the request_debug_privileges routine in the full script below) and run the injector elevated. Note that AdjustTokenPrivileges returns TRUE even when the privilege could not be enabled: only GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300) reveals that the injector is not running with the privilege, so check it rather than trusting the return value.

2. CreateProcessA fails

Every string in Python 3.x is Unicode (str), so the simplest fix is to call CreateProcessW instead. If you stay with CreateProcessA, convert the string to ASCII bytes first (str.encode('ascii')); with argtypes declared as LPCSTR, ctypes rejects a str with an ArgumentError instead of passing the wrong kind of pointer. The same rule applies to every other API that comes in A and W variants.

3. GetProcAddress fails to return an address

GetProcAddress has no wide-character variant: its lpProcName parameter is always LPCSTR, so the function name must be passed as ASCII bytes (b"LoadLibraryA"), even when the surrounding code uses the W APIs for everything else.

4. Always declare parameter and return types explicitly (argtypes and restype) before calling a function. Without restype, ctypes assumes the function returns a C int, so on 64-bit Windows a HANDLE or pointer returned by GetModuleHandleW, GetProcAddress or VirtualAllocEx that lies above 2 GiB is truncated to 32 bits and the next call that uses it fails with a nonsense value. Without argtypes, a Python int argument is likewise passed as a C int, so a 64-bit address handed to CreateRemoteThread is truncated in the same way.
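The following is an added example, not code from the original post, that puts points 2 to 4 into working form: strict A/W string buffers, the truncation that a missing restype causes, the type check that argtypes buys, and a prototype table with an errcheck hook for the calls the injector makes. EXAMPLE_X64_ADDRESS is an assumed value for illustration only; bind_win32 and resolve_loadlibrary only do real work on Windows, everything else runs anywhere.

```python
import ctypes
import ctypes.wintypes as wintypes
import sys

# Assumed value for illustration only: a kernel32 address as it might appear
# in a 64-bit process.  Real addresses differ per boot because of ASLR.
EXAMPLE_X64_ADDRESS = 0x00007FF8A1B2C3D4

LPCSTR = wintypes.LPCSTR    # c_char_p: accepts bytes, rejects str
LPCWSTR = wintypes.LPCWSTR  # c_wchar_p: accepts str, rejects bytes


def ansi_cstring(text):
    """Buffer for an *A API (LoadLibraryA, CreateProcessA, ...): NUL-terminated
    bytes.  Encoding is strict on purpose: encode('ascii', 'ignore') would
    silently drop characters and hand the target a different path."""
    try:
        data = text.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ValueError("path is not ASCII; use the W variant: %r" % text) from exc
    return data + b"\x00"


def wide_cstring(text):
    """Buffer for a *W API: UTF-16-LE with a two-byte terminator, e.g. the
    path written into the target when the remote thread runs LoadLibraryW."""
    return text.encode("utf-16-le") + b"\x00\x00"


def as_default_restype(value):
    """What the caller sees when restype is left at its default (C int): the
    value is truncated to 32 bits and sign-extended, so a 64-bit HANDLE or
    LPVOID above 2 GiB comes back as garbage."""
    return ctypes.c_int(value).value


def as_pointer_restype(value):
    """The same value when restype is HANDLE / LPVOID (c_void_p)."""
    return ctypes.c_void_p(value).value


def accepted_by(argtype, value):
    """True if ctypes would pass `value` for a parameter declared as `argtype`.
    With argtypes set, a str given to an A function (LPCSTR) or bytes given
    to a W function (LPCWSTR) is rejected before the call is made."""
    try:
        argtype.from_param(value)
    except TypeError:
        return False
    return True


def raise_if_null(result, func, args):
    """errcheck hook: NULL or FALSE means failure; surface GetLastError()."""
    if not result:
        if sys.platform == "win32":
            raise ctypes.WinError(ctypes.get_last_error())
        raise OSError("%s failed" % getattr(func, "__name__", "win32 call"))
    return result


def bind_win32():
    """Declare argtypes/restype/errcheck for the calls the injector makes.
    Returns the kernel32 module, or None on a non-Windows host."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    prototypes = {
        "OpenProcess": (wintypes.HANDLE, [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]),
        "GetModuleHandleW": (wintypes.HMODULE, [wintypes.LPCWSTR]),
        # There is no GetProcAddressW: the name parameter is always LPCSTR.
        "GetProcAddress": (wintypes.LPVOID, [wintypes.HMODULE, wintypes.LPCSTR]),
        "VirtualAllocEx": (wintypes.LPVOID, [wintypes.HANDLE, wintypes.LPVOID,
                                            ctypes.c_size_t, wintypes.DWORD, wintypes.DWORD]),
        "WriteProcessMemory": (wintypes.BOOL, [wintypes.HANDLE, wintypes.LPVOID, wintypes.LPCVOID,
                                               ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]),
        "CreateRemoteThread": (wintypes.HANDLE, [wintypes.HANDLE, wintypes.LPVOID, ctypes.c_size_t,
                                                 wintypes.LPVOID, wintypes.LPVOID, wintypes.DWORD,
                                                 wintypes.LPDWORD]),
    }
    for name, (restype, argtypes) in prototypes.items():
        fn = getattr(k32, name)
        fn.restype = restype
        fn.argtypes = argtypes
        fn.errcheck = raise_if_null
    return k32


def resolve_loadlibrary(k32):
    """Address of LoadLibraryA in this process, which is also its address in
    any other process of the same bitness.  The W API gets a str and
    GetProcAddress gets bytes; a mix-up raises ctypes.ArgumentError."""
    return k32.GetProcAddress(k32.GetModuleHandleW("kernel32.dll"), b"LoadLibraryA")
```

On Windows, `k32 = bind_win32(); print(hex(resolve_loadlibrary(k32)))` prints the LoadLibraryA address; every failing call raises an OSError carrying the Win32 error code instead of silently returning None.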

5. Example: obtaining the address of LoadLibraryA from kernel32

1. Wide-character version

# GetModuleHandleW takes a str; GetProcAddress always takes bytes.
self.kernel32.GetModuleHandleW.restype = wintypes.HANDLE
self.kernel32.GetModuleHandleW.argtypes = [wintypes.LPCWSTR]
h_kernel1 = self.kernel32.GetModuleHandleW("kernel32.dll")
print("GetModuleHandleW:", h_kernel1)
self.kernel32.GetProcAddress.restype = wintypes.LPVOID
self.kernel32.GetProcAddress.argtypes = [wintypes.HANDLE, wintypes.LPCSTR]
LoadLibraryA = self.kernel32.GetProcAddress(wintypes.HANDLE(h_kernel1), "LoadLibraryA".encode('ascii', 'ignore'))
print("GetProcAddress:", LoadLibraryA)

2. ASCII version

# GetModuleHandleA takes bytes (LPCSTR); passing a str raises ArgumentError.
self.kernel32.GetModuleHandleA.restype = wintypes.HANDLE
self.kernel32.GetModuleHandleA.argtypes = [wintypes.LPCSTR]
h_kernel1 = self.kernel32.GetModuleHandleA(b"kernel32.dll")
print("GetModuleHandleA:", h_kernel1)
self.kernel32.GetProcAddress.restype = wintypes.LPVOID
self.kernel32.GetProcAddress.argtypes = [wintypes.HANDLE, wintypes.LPCSTR]
LoadLibraryA = self.kernel32.GetProcAddress(wintypes.HANDLE(h_kernel1), "LoadLibraryA".encode('ascii', 'ignore'))
print("GetProcAddress:", LoadLibraryA)

ctypes.wintypes does not define LPCTSTR. Defining it yourself as ctypes.POINTER(ctypes.c_char), as is often done, does not help here: that pointer type rejects a bytes argument (ctypes raises ArgumentError: expected LP_c_char instance), so the ANSI version declares the parameter as wintypes.LPCSTR (c_char_p), which accepts bytes.

Full injection code:

#-*- coding: utf-8 -*-
import ctypes
import ctypes.wintypes as wintypes

# ctypes.wintypes has no TCHAR aliases; add the ones this script uses.
wintypes.LPTSTR = ctypes.POINTER(ctypes.c_char)
wintypes.LPBYTE = ctypes.POINTER(ctypes.c_ubyte)
wintypes.HANDLE = ctypes.c_void_p
wintypes.LPDWORD = ctypes.POINTER(wintypes.DWORD)
wintypes.LPCTSTR = ctypes.POINTER(ctypes.c_char)
wintypes.PHANDLE = ctypes.POINTER(wintypes.HANDLE)


class __LUID(ctypes.Structure):
    _fields_ = [
        ("LowPart", wintypes.DWORD),
        ("HighPart", wintypes.LONG),
    ]


wintypes.LUID = __LUID
wintypes.PLUID = ctypes.POINTER(wintypes.LUID)


class __LUID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [
        ("Luid", wintypes.LUID),
        ("Attributes", wintypes.DWORD),
    ]


wintypes.LUID_AND_ATTRIBUTES = __LUID_AND_ATTRIBUTES
wintypes.PLUID_AND_ATTRIBUTES = ctypes.POINTER(wintypes.LUID_AND_ATTRIBUTES)


class __TOKEN_PRIVILEGES(ctypes.Structure):
    # ANYSIZE_ARRAY == 1: room for exactly one privilege, which is all we set.
    _fields_ = [
        ("PrivilegeCount", wintypes.DWORD),
        ("Privileges", wintypes.LUID_AND_ATTRIBUTES),
    ]


wintypes.TOKEN_PRIVILEGES = __TOKEN_PRIVILEGES
wintypes.PTOKEN_PRIVILEGES = ctypes.POINTER(wintypes.TOKEN_PRIVILEGES)


class __STARTUPINFO(ctypes.Structure):
    # ANSI layout (STARTUPINFOA), for CreateProcessA; unused below.
    _fields_ = [
        ("cb", wintypes.DWORD),
        ("lpReserved", wintypes.LPTSTR),
        ("lpDesktop", wintypes.LPTSTR),
        ("lpTitle", wintypes.LPTSTR),
        ("dwX", wintypes.DWORD),
        ("dwY", wintypes.DWORD),
        ("dwXSize", wintypes.DWORD),
        ("dwYSize", wintypes.DWORD),
        ("dwXCountChars", wintypes.DWORD),
        ("dwYCountChars", wintypes.DWORD),
        ("dwFillAttribute", wintypes.DWORD),
        ("dwFlags", wintypes.DWORD),
        ("wShowWindow", wintypes.WORD),
        ("cbReserved2", wintypes.WORD),
        ("lpReserved2", wintypes.LPBYTE),
        ("hStdInput", wintypes.HANDLE),
        ("hStdOutput", wintypes.HANDLE),
        ("hStdError", wintypes.HANDLE),
    ]


wintypes.STARTUPINFO = __STARTUPINFO
wintypes.LPSTARTUPINFO = ctypes.POINTER(wintypes.STARTUPINFO)


class __STARTUPINFOW(ctypes.Structure):
    # Wide layout, for CreateProcessW.
    _fields_ = [
        ("cb", wintypes.DWORD),
        ("lpReserved", wintypes.LPWSTR),
        ("lpDesktop", wintypes.LPWSTR),
        ("lpTitle", wintypes.LPWSTR),
        ("dwX", wintypes.DWORD),
        ("dwY", wintypes.DWORD),
        ("dwXSize", wintypes.DWORD),
        ("dwYSize", wintypes.DWORD),
        ("dwXCountChars", wintypes.DWORD),
        ("dwYCountChars", wintypes.DWORD),
        ("dwFillAttribute", wintypes.DWORD),
        ("dwFlags", wintypes.DWORD),
        ("wShowWindow", wintypes.WORD),
        ("cbReserved2", wintypes.WORD),
        ("lpReserved2", wintypes.LPBYTE),
        ("hStdInput", wintypes.HANDLE),
        ("hStdOutput", wintypes.HANDLE),
        ("hStdError", wintypes.HANDLE),
    ]


wintypes.STARTUPINFOW = __STARTUPINFOW
wintypes.LPSTARTUPINFOW = ctypes.POINTER(wintypes.STARTUPINFOW)


class __PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("hProcess", wintypes.HANDLE),
        ("hThread", wintypes.HANDLE),
        ("dwProcessId", wintypes.DWORD),
        ("dwThreadId", wintypes.DWORD),
    ]


wintypes.PROCESS_INFORMATION = __PROCESS_INFORMATION
wintypes.LPPROCESS_INFORMATION = ctypes.POINTER(wintypes.PROCESS_INFORMATION)


class __SYSTEM_MODULE_INFORMATION(ctypes.Structure):
    # Field names as in the original script; not used by the injector below.
    _fields_ = [
        ("ModuleCount", wintypes.ULONG),
        ("WhoCares", ctypes.c_void_p * 2),
        ("BaseAddress", ctypes.c_void_p),
        ("Size", wintypes.ULONG),
        ("MoarStuff", wintypes.ULONG),
        ("MoarMoar", wintypes.USHORT),
        ("HeyThere", wintypes.USHORT),
        ("Pwned", wintypes.USHORT),
        ("W00t", wintypes.USHORT),
        ("ImageName", ctypes.c_char * 256),
    ]


wintypes.SYSTEM_MODULE_INFORMATION = __SYSTEM_MODULE_INFORMATION
wintypes.PSYSTEM_MODULE_INFORMATION = ctypes.POINTER(wintypes.SYSTEM_MODULE_INFORMATION)


# PE header structures (not used by the injector below).
class __IMAGE_DOS_HEADER(ctypes.Structure):
    _fields_ = [
        ("e_magic", wintypes.WORD),
        ("e_cblp", wintypes.WORD),
        ("e_cp", wintypes.WORD),
        ("e_crlc", wintypes.WORD),
        ("e_cparhdr", wintypes.WORD),
        ("e_minalloc", wintypes.WORD),
        ("e_maxalloc", wintypes.WORD),
        ("e_ss", wintypes.WORD),
        ("e_sp", wintypes.WORD),
        ("e_csum", wintypes.WORD),
        ("e_ip", wintypes.WORD),
        ("e_cs", wintypes.WORD),
        ("e_lfarlc", wintypes.WORD),
        ("e_ovno", wintypes.WORD),
        ("e_res", wintypes.WORD * 4),
        ("e_oemid", wintypes.WORD),
        ("e_oeminfo", wintypes.WORD),
        ("e_res2", wintypes.WORD * 10),
        ("e_lfanew", wintypes.LONG),
    ]


wintypes.IMAGE_DOS_HEADER = __IMAGE_DOS_HEADER
wintypes.PIMAGE_DOS_HEADER = ctypes.POINTER(wintypes.IMAGE_DOS_HEADER)


class __IMAGE_FILE_HEADER(ctypes.Structure):
    _fields_ = [
        ("Machine", wintypes.WORD),
        ("NumberOfSections", wintypes.WORD),
        ("TimeDateStamp", wintypes.DWORD),
        ("PointerToSymbolTable", wintypes.DWORD),
        ("NumberOfSymbols", wintypes.DWORD),
        ("SizeOfOptionalHeader", wintypes.WORD),
        ("Characteristics", wintypes.WORD),
    ]


wintypes.IMAGE_FILE_HEADER = __IMAGE_FILE_HEADER
wintypes.PIMAGE_FILE_HEADER = ctypes.POINTER(wintypes.IMAGE_FILE_HEADER)


class __IMAGE_DATA_DIRECTORY(ctypes.Structure):
    _fields_ = [
        ("VirtualAddress", wintypes.DWORD),
        ("Size", wintypes.DWORD),
    ]


wintypes.IMAGE_DATA_DIRECTORY = __IMAGE_DATA_DIRECTORY
wintypes.PIMAGE_DATA_DIRECTORY = ctypes.POINTER(wintypes.IMAGE_DATA_DIRECTORY)


class __IMAGE_OPTIONAL_HEADER(ctypes.Structure):
    # PE32 (32-bit) layout: BaseOfData is present and ImageBase is a DWORD.
    _fields_ = [
        ("Magic", wintypes.WORD),
        ("MajorLinkerVersion", wintypes.BYTE),
        ("MinorLinkerVersion", wintypes.BYTE),
        ("SizeOfCode", wintypes.DWORD),
        ("SizeOfInitializedData", wintypes.DWORD),
        ("SizeOfUninitializedData", wintypes.DWORD),
        ("AddressOfEntryPoint", wintypes.DWORD),
        ("BaseOfCode", wintypes.DWORD),
        ("BaseOfData", wintypes.DWORD),
        ("ImageBase", wintypes.DWORD),
        ("SectionAlignment", wintypes.DWORD),
        ("FileAlignment", wintypes.DWORD),
        ("MajorOperatingSystemVersion", wintypes.WORD),
        ("MinorOperatingSystemVersion", wintypes.WORD),
        ("MajorImageVersion", wintypes.WORD),
        ("MinorImageVersion", wintypes.WORD),
        ("MajorSubsystemVersion", wintypes.WORD),
        ("MinorSubsystemVersion", wintypes.WORD),
        ("Win32VersionValue", wintypes.DWORD),
        ("SizeOfImage", wintypes.DWORD),
        ("SizeOfHeaders", wintypes.DWORD),
        ("CheckSum", wintypes.DWORD),
        ("Subsystem", wintypes.WORD),
        ("DllCharacteristics", wintypes.WORD),
        ("SizeOfStackReserve", wintypes.DWORD),
        ("SizeOfStackCommit", wintypes.DWORD),
        ("SizeOfHeapReserve", wintypes.DWORD),
        ("SizeOfHeapCommit", wintypes.DWORD),
        ("LoaderFlags", wintypes.DWORD),
        ("NumberOfRvaAndSizes", wintypes.DWORD),
        ("DataDirectory", wintypes.IMAGE_DATA_DIRECTORY * 16),
    ]


wintypes.IMAGE_OPTIONAL_HEADER = __IMAGE_OPTIONAL_HEADER
wintypes.PIMAGE_OPTIONAL_HEADER = ctypes.POINTER(wintypes.IMAGE_OPTIONAL_HEADER)


class __IMAGE_NT_HEADER(ctypes.Structure):
    _fields_ = [
        ("Signature", wintypes.DWORD),
        ("FileHeader", wintypes.IMAGE_FILE_HEADER),
        ("OptionalHeader", wintypes.IMAGE_OPTIONAL_HEADER),
    ]


wintypes.IMAGE_NT_HEADER = __IMAGE_NT_HEADER
wintypes.PIMAGE_NT_HEADER = ctypes.POINTER(wintypes.IMAGE_NT_HEADER)


class SECURITY_ATTRIBUTES(ctypes.Structure):
    _fields_ = [
        ("nLength", wintypes.DWORD),
        ("lpSecurityDescriptor", wintypes.LPVOID),
        ("bInheritHandle", wintypes.BOOL),
    ]


LPSECURITY_ATTRIBUTES = ctypes.POINTER(SECURITY_ATTRIBUTES)
wintypes.LPTHREAD_START_ROUTINE = wintypes.LPVOID


class myInjDll(object):
    PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
    PAGE_READWRITE = 0x04
    PAGE_EXECUTE_READWRITE = 0x40
    MEM_COMMIT = 0x1000
    MEM_RESERVE = 0x2000
    TOKEN_ADJUST_PRIVILEGES = 0x20
    SE_PRIVILEGE_ENABLED = 0x00000002
    INFINITE = 0xFFFFFFFF
    ERROR_NOT_ALL_ASSIGNED = 1300

    def __init__(self):
        self.szExePath = r"E:\Users\wuhaibin01\Downloads\little-car-master\Project1\x64\Debug\Project1.exe"
        self.szForceDX12Cmdline = None
        self.szWorkspace = r'E:\Users\wuhaibin01\Downloads\little-car-master\Project1\x64'
        self.dll_path = r'E:\Visual Studio 2019\TestHook\testHook\x64\Release\HhooKDLL.dll'
        self.SE_DEBUG_NAME = "SeDebugPrivilege"
        # use_last_error=True makes ctypes.get_last_error() reliable, so a
        # failing call can be reported with its Win32 error code.
        self.kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
        self.advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
        self.handle = None
        self.pid = None
        self.request_debug_privileges()

    def injectDll(self):
        self.kernel32.OpenProcess.restype = wintypes.HANDLE
        self.kernel32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
        self.handle = self.kernel32.OpenProcess(self.PROCESS_ALL_ACCESS, False, self.pid)
        print("OpenProcess:", self.handle, "error:", ctypes.get_last_error())

        # LoadLibraryA takes an ANSI path: write bytes plus a terminating NUL
        # into the target.  Encode strictly: 'ignore' would silently drop
        # characters and make the target load a different path.
        dllname = self.dll_path.encode('ascii') + b'\x00'
        dll_len = len(dllname)

        # kernel32 is mapped at the same address in every process of the same
        # bitness, so LoadLibraryA's address here is also its address there.
        self.kernel32.GetModuleHandleW.restype = wintypes.HANDLE
        self.kernel32.GetModuleHandleW.argtypes = [wintypes.LPCWSTR]
        h_kernel1 = self.kernel32.GetModuleHandleW("kernel32.dll")
        print("GetModuleHandleW:", h_kernel1)

        # GetProcAddress has no W variant: the name is always ANSI bytes.
        self.kernel32.GetProcAddress.restype = wintypes.LPVOID
        self.kernel32.GetProcAddress.argtypes = [wintypes.HANDLE, wintypes.LPCSTR]
        LoadLibraryA = self.kernel32.GetProcAddress(h_kernel1, b"LoadLibraryA")
        print("GetProcAddress:", LoadLibraryA)

        self.kernel32.VirtualAllocEx.restype = wintypes.LPVOID
        self.kernel32.VirtualAllocEx.argtypes = [wintypes.HANDLE, wintypes.LPVOID, ctypes.c_size_t,
                                                 wintypes.DWORD, wintypes.DWORD]
        # The page only holds a path string; PAGE_READWRITE would suffice.
        RemotePage = self.kernel32.VirtualAllocEx(self.handle, None, dll_len,
                                                  self.MEM_COMMIT | self.MEM_RESERVE,
                                                  self.PAGE_EXECUTE_READWRITE)
        print("VirtualAllocEx:", RemotePage, "error:", ctypes.get_last_error())

        self.kernel32.WriteProcessMemory.restype = wintypes.BOOL
        self.kernel32.WriteProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPVOID, wintypes.LPCVOID,
                                                     ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
        result = self.kernel32.WriteProcessMemory(self.handle, RemotePage, dllname, dll_len, None)
        print("WriteProcessMemory:", result)

        # Run LoadLibraryA(RemotePage) on a new thread inside the target.
        self.kernel32.CreateRemoteThread.restype = wintypes.HANDLE
        self.kernel32.CreateRemoteThread.argtypes = [wintypes.HANDLE, LPSECURITY_ATTRIBUTES, ctypes.c_size_t,
                                                     wintypes.LPTHREAD_START_ROUTINE, wintypes.LPVOID,
                                                     wintypes.DWORD, wintypes.LPVOID]
        RemoteThread = self.kernel32.CreateRemoteThread(self.handle, None, 0, LoadLibraryA, RemotePage, 0, None)
        print("RemoteThread:", RemoteThread, "error:", ctypes.get_last_error())

        # Block until LoadLibraryA returns in the target (INFINITE timeout).
        self.kernel32.WaitForSingleObject.restype = wintypes.DWORD
        self.kernel32.WaitForSingleObject.argtypes = [wintypes.HANDLE, wintypes.DWORD]
        result = self.kernel32.WaitForSingleObject(RemoteThread, self.INFINITE)
        print("WaitForSingleObject:", result)

    def createProcess(self):
        startupinfo = wintypes.STARTUPINFOW()
        process_information = wintypes.PROCESS_INFORMATION()
        startupinfo.dwFlags = 0x1       # STARTF_USESHOWWINDOW
        startupinfo.wShowWindow = 0x1   # SW_SHOWNORMAL
        startupinfo.cb = ctypes.sizeof(startupinfo)
        # CreateProcessW may modify lpCommandLine in place, so an immutable
        # Python str must not be passed for it; use a writable buffer.
        cmdline = None
        if self.szForceDX12Cmdline is not None:
            cmdline = ctypes.create_unicode_buffer(self.szForceDX12Cmdline)
        self.kernel32.CreateProcessW.restype = wintypes.BOOL
        self.kernel32.CreateProcessW.argtypes = [wintypes.LPCWSTR, wintypes.LPWSTR, LPSECURITY_ATTRIBUTES,
                                                 LPSECURITY_ATTRIBUTES, wintypes.BOOL, wintypes.DWORD,
                                                 wintypes.LPVOID, wintypes.LPCWSTR, wintypes.LPSTARTUPINFOW,
                                                 wintypes.LPPROCESS_INFORMATION]
        result = self.kernel32.CreateProcessW(self.szExePath, cmdline, None, None, True, 0, None,
                                              self.szWorkspace, ctypes.byref(startupinfo),
                                              ctypes.byref(process_information))
        print("createProcess: result:", result, "error:", ctypes.get_last_error())
        self.handle = process_information.hProcess
        self.pid = process_information.dwProcessId
        print("handle:", self.handle, "pid:", self.pid)

    def request_debug_privileges(self):
        privs = wintypes.LUID()
        self.advapi32.LookupPrivilegeValueW.restype = wintypes.BOOL
        self.advapi32.LookupPrivilegeValueW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.PLUID]
        result = self.advapi32.LookupPrivilegeValueW(None, self.SE_DEBUG_NAME, ctypes.byref(privs))
        print("request_debug_privileges:LookupPrivilegeValueW:", result)

        token = wintypes.TOKEN_PRIVILEGES(1, wintypes.LUID_AND_ATTRIBUTES(privs, self.SE_PRIVILEGE_ENABLED))
        hToken = wintypes.HANDLE()
        self.kernel32.GetCurrentProcess.restype = wintypes.HANDLE
        self.kernel32.GetCurrentProcess.argtypes = []
        self.advapi32.OpenProcessToken.restype = wintypes.BOOL
        self.advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.PHANDLE]
        result = self.advapi32.OpenProcessToken(self.kernel32.GetCurrentProcess(),
                                                self.TOKEN_ADJUST_PRIVILEGES, ctypes.byref(hToken))
        print("request_debug_privileges:OpenProcessToken:", result)

        self.advapi32.AdjustTokenPrivileges.restype = wintypes.BOOL
        self.advapi32.AdjustTokenPrivileges.argtypes = [wintypes.HANDLE, wintypes.BOOL, wintypes.PTOKEN_PRIVILEGES,
                                                        wintypes.DWORD, wintypes.PTOKEN_PRIVILEGES, wintypes.LPDWORD]
        result = self.advapi32.AdjustTokenPrivileges(hToken, False, ctypes.byref(token), 0x0, None, None)
        # AdjustTokenPrivileges returns TRUE even when the privilege was not
        # granted; only ERROR_NOT_ALL_ASSIGNED tells you the injector is not
        # running elevated, which is what later makes VirtualAllocEx fail.
        err = ctypes.get_last_error()
        print("request_debug_privileges:AdjustTokenPrivileges:", result, "error:", err)
        if result and err == self.ERROR_NOT_ALL_ASSIGNED:
            print("SeDebugPrivilege not held: run the injector elevated")

        self.kernel32.CloseHandle.restype = wintypes.BOOL
        self.kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
        result = self.kernel32.CloseHandle(hToken)
        print("request_debug_privileges:CloseHandle:", result)


if __name__ == "__main__":
    m_Injd = myInjDll()
    # m_Injd.szExePath = r'E:\PycharmProject\JXSP2\Client\Engine\Binaries\Win64\Game_x64h.exe'
    # m_Injd.szForceDX12Cmdline = ' --dx11 --console --start=Python --python-args=innerdesktop'
    # m_Injd.szWorkspace = r'E:\PycharmProject\SVNv1\Client'
    m_Injd.createProcess()
    m_Injd.injectDll()
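The script above declares IMAGE_DOS_HEADER and IMAGE_FILE_HEADER but never reads them. The following added example (not code from the original post) puts them to use for a check the injector does not make: the LoadLibraryA address handed to CreateRemoteThread is read from the injector's own kernel32, so it is only meaningful inside a target of the same bitness, and a 64-bit Python injecting into a 32-bit EXE (or the reverse) crashes the remote thread instead of loading the DLL. The parser reads the Machine field and the optional header Magic from the first bytes of the image and compares them with the size of a pointer in the running interpreter. The sample headers are constructed inline and are not loadable executables; the structures use fixed-width ctypes integers rather than wintypes.DWORD/LONG because c_ulong and c_long are 8 bytes on 64-bit Linux, which would break the layout when this runs off Windows.

```python
import ctypes
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D           # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550        # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


class IMAGE_DOS_HEADER(ctypes.Structure):
    # Same field names as the injector's declaration, with fixed-width types
    # so sizeof() is 64 on every host.
    _fields_ = [
        ("e_magic", ctypes.c_uint16), ("e_cblp", ctypes.c_uint16), ("e_cp", ctypes.c_uint16),
        ("e_crlc", ctypes.c_uint16), ("e_cparhdr", ctypes.c_uint16), ("e_minalloc", ctypes.c_uint16),
        ("e_maxalloc", ctypes.c_uint16), ("e_ss", ctypes.c_uint16), ("e_sp", ctypes.c_uint16),
        ("e_csum", ctypes.c_uint16), ("e_ip", ctypes.c_uint16), ("e_cs", ctypes.c_uint16),
        ("e_lfarlc", ctypes.c_uint16), ("e_ovno", ctypes.c_uint16), ("e_res", ctypes.c_uint16 * 4),
        ("e_oemid", ctypes.c_uint16), ("e_oeminfo", ctypes.c_uint16), ("e_res2", ctypes.c_uint16 * 10),
        ("e_lfanew", ctypes.c_int32),
    ]


class IMAGE_FILE_HEADER(ctypes.Structure):
    _fields_ = [
        ("Machine", ctypes.c_uint16),
        ("NumberOfSections", ctypes.c_uint16),
        ("TimeDateStamp", ctypes.c_uint32),
        ("PointerToSymbolTable", ctypes.c_uint32),
        ("NumberOfSymbols", ctypes.c_uint32),
        ("SizeOfOptionalHeader", ctypes.c_uint16),
        ("Characteristics", ctypes.c_uint16),
    ]


def pe_machine(image):
    """Return (FileHeader.Machine, OptionalHeader.Magic) from the leading bytes
    of a PE image; raise ValueError on a missing signature or truncation."""
    dos_size = ctypes.sizeof(IMAGE_DOS_HEADER)
    fh_size = ctypes.sizeof(IMAGE_FILE_HEADER)
    if len(image) < dos_size:
        raise ValueError("truncated DOS header")
    dos = IMAGE_DOS_HEADER.from_buffer_copy(image[:dos_size])
    if dos.e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    nt = dos.e_lfanew
    if nt < 0 or len(image) < nt + 4 + fh_size + 2:
        raise ValueError("truncated NT headers")
    if struct.unpack_from("<I", image, nt)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    fh_off = nt + 4
    fh = IMAGE_FILE_HEADER.from_buffer_copy(image[fh_off:fh_off + fh_size])
    magic = struct.unpack_from("<H", image, fh_off + fh_size)[0]
    return fh.Machine, magic


def target_bits(image):
    """Bitness of the target EXE: 64 for PE32+ x64, 32 for PE32 x86."""
    machine, magic = pe_machine(image)
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return 64
    if machine == IMAGE_FILE_MACHINE_I386 and magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return 32
    raise ValueError("unsupported or inconsistent headers: machine=0x%04X magic=0x%03X" % (machine, magic))


def injector_bits():
    """Bitness of the Python process that would run the injector."""
    return ctypes.sizeof(ctypes.c_void_p) * 8


def can_inject(image, bits=None):
    """True when LoadLibraryA's address in this injector is valid in the
    target, i.e. both sides have the same bitness."""
    if bits is None:
        bits = injector_bits()
    return target_bits(image) == bits


def can_inject_file(path, bits=None):
    """Same check against an EXE on disk; e_lfanew is far below 4 KiB in
    practice, so the leading 4 KiB is enough for the headers."""
    with open(path, "rb") as f:
        return can_inject(f.read(4096), bits)


def fake_pe(machine, magic):
    """Constructed sample: a 64-byte DOS header whose e_lfanew points at the
    PE signature, an IMAGE_FILE_HEADER and the optional header's Magic field.
    Enough for the parser above; not a loadable executable."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<i", 64)
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x22)
    return dos + b"PE\x00\x00" + file_header + struct.pack("<H", magic)


SAMPLE_X64 = fake_pe(IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
SAMPLE_X86 = fake_pe(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
```

Calling `can_inject_file(self.szExePath)` before createProcess in the script above would turn a crashing remote thread into a clear error message; when the bitness differs, the fix is to run the injector with a Python build matching the target, not to change the injection code.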
