Python: DLL injection

import sys
from ctypes import *

PAGE_READWRITE = 0x04
PROCESS_ALL_ACCESS = 0x001F0FFF
VIRTUAL_MEM = (0x1000 | 0x2000)  # MEM_COMMIT | MEM_RESERVE

kernel32 = windll.kernel32
user32 = windll.user32

# Declare handle/pointer return and argument types explicitly: without this, ctypes
# assumes 32-bit ints and truncates addresses on 64-bit Python.
kernel32.OpenProcess.restype = c_void_p
kernel32.VirtualAllocEx.restype = c_void_p
kernel32.VirtualAllocEx.argtypes = [c_void_p, c_void_p, c_size_t, c_ulong, c_ulong]
kernel32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_char_p, c_size_t, POINTER(c_size_t)]
kernel32.GetModuleHandleA.restype = c_void_p
kernel32.GetProcAddress.restype = c_void_p
kernel32.GetProcAddress.argtypes = [c_void_p, c_char_p]
kernel32.CreateRemoteThread.restype = c_void_p
kernel32.CreateRemoteThread.argtypes = [c_void_p, c_void_p, c_size_t, c_void_p, c_void_p, c_ulong, POINTER(c_ulong)]

if len(sys.argv) != 3:
    print("Usage: %s <pid> <dll_path>" % sys.argv[0])
    sys.exit(1)

pid = sys.argv[1]
dll_path = sys.argv[2].encode("mbcs")  # ANSI bytes, as LoadLibraryA expects
dll_len = len(dll_path) + 1            # include the terminating NUL

h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))

if not h_process:
    print("[*] Couldn't acquire a handle to PID: %s" % pid)
    sys.exit(1)

# Reserve and commit a buffer in the target process to hold the DLL path
argv_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE)

written = c_size_t(0)

kernel32.WriteProcessMemory(h_process, argv_address, dll_path, dll_len, byref(written))

# LoadLibraryA is exported by kernel32.dll, which is mapped at the same base address in
# every process, so the address resolved here is also valid inside the target.
# (The original looked up MessageBoxA in kernel32, which does not export it, so
# GetProcAddress returned NULL and the injection could never succeed.)
h_kernel32 = kernel32.GetModuleHandleA(b"kernel32.dll")

h_loadlib = kernel32.GetProcAddress(h_kernel32, b"LoadLibraryA")

thread_id = c_ulong(0)

# Start a thread in the target whose entry point is LoadLibraryA and whose single
# argument is the remote buffer holding the DLL path
if not kernel32.CreateRemoteThread(
    h_process,
    None,
    0,
    h_loadlib,
    argv_address,
    0,
    byref(thread_id)
):
    print("[*] Failed to inject the DLL. Exiting.")
    sys.exit(1)
else:
    # Local pop-up confirming the remote thread was created
    user32.MessageBoxA(0, b"DLL injected", b"Python", 0)

print("thread_ID: 0x%08x created" % thread_id.value)

The purpose of this code is to pop up a message box once the DLL has been injected successfully into the running target process.

Because the script reads the target PID and the DLL path from sys.argv[1] and sys.argv[2], it has to be run from cmd with those two arguments.

