#
# Shellcode Loader
# Archive of Reversing.ID
#
# storing the payload on the stack
#
# Run:
# $ code.py
#
# Technique:
# - allocation: VirtualAlloc
# - writing: RtlMoveMemory
# - permission: VirtualProtect
# - execution:
import ctypes
# Definition
# Win32 allocation-type (MEM_*) and page-protection (PAGE_*) flag values.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_RELEASE = 0x8000  # defined but never used in this file
MEM_FREE = 0x10000
PAGE_READONLY = 0x2
PAGE_READWRITE = 0x4
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
# kernel32 entry points resolved through ctypes.windll; ctypes.windll only
# exists on Windows, so importing this module elsewhere raises AttributeError.
fnVirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
fnVirtualProtect = ctypes.windll.kernel32.VirtualProtect
fnRtlMoveMemory = ctypes.windll.kernel32.RtlMoveMemory
# adjust the types
# restype must be a pointer type: the ctypes default (c_int) would truncate a
# 64-bit address returned by VirtualAlloc.
fnVirtualAlloc.restype = ctypes.c_void_p
fnRtlMoveMemory.argtypes = (ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t)
# NOTE(review): no argtypes are declared for VirtualAlloc and no argtypes/restype
# for VirtualProtect, so those calls rely on ctypes' default int conversions.
def main():
    """Copy the embedded test payload into a fresh RW page, flip it to RX, and call it.

    Demonstrates the VirtualAlloc -> RtlMoveMemory -> VirtualProtect -> call
    sequence; the page is never writable and executable at the same time.
    Windows-only (kernel32 resolved via ctypes.windll at module level).
    """
    old_protect = ctypes.c_uint32()  # receives the previous protection from VirtualProtect
    # shellcode storage in stack
    # NOTE(review): the bytearray is a Python heap object, not native stack
    # memory; "stack" is the original author's wording.
    # payload bytes: nop, nop, int3, ret -- a breakpoint-and-return stub for testing
    payload = bytearray(b"\x90\x90\xCC\xC3")
    # ctypes array that aliases the bytearray's storage (no extra copy here)
    buffer = (ctypes.c_char * len(payload)).from_buffer(payload)
    # allocate memory buffer for payload as READ-WRITE (no executable)
    runtime = fnVirtualAlloc(
        ctypes.c_int(0),
        ctypes.c_int(len(payload)),
        ctypes.c_int(MEM_COMMIT | MEM_RESERVE),
        ctypes.c_int(PAGE_READWRITE))
    # NOTE(review): runtime is not checked for NULL; if the allocation fails the
    # copy below writes to address 0.
    # copy payload to the buffer
    fnRtlMoveMemory (ctypes.c_void_p(runtime), buffer, ctypes.c_size_t(len(payload)))
    # make buffer executable (R-X)
    # NOTE(review): VirtualProtect's BOOL result is ignored; if it fails the page
    # stays RW and the call below would fault on a DEP-enforcing system.
    fnVirtualProtect (ctypes.c_void_p(runtime), ctypes.c_size_t(len(payload)), PAGE_EXECUTE_READ, ctypes.byref(old_protect))
    # create function prototype which return int, instantiate, and execute
    func_t = ctypes.CFUNCTYPE(ctypes.c_int)
    func = func_t(runtime)
    func()
    # NOTE(review): the allocation is never released (MEM_RELEASE is defined
    # above but unused); the page lives until the process exits.
# Script entry point; nothing runs when the module is merely imported.
if __name__=='__main__':
    main()