DLL Injection in python
print "[+] Universal DLL Injector by Y"
print "[+] contact : If you know me then give me a shout"
print "[+] usage: ./dll_injector.py <PID> <DLLPATH>"
print "\n"
from ctypes import *
import sys,ctypes
# Define constants we use
PAGE_RW_PRIV = 0x04
PROCESS_ALL_ACCESS = 0x1F0FFF
VIRTUAL_MEM = 0x3000
#CTYPES handler
kernel32 = windll.kernel32
def dll_inject(PID,DLL_PATH):
print "[+] Starting DLL Injector"
LEN_DLL = len(DLL_PATH)# get the length of the DLL PATH
print "\t[+] Getting process handle for PID:%d " % PID
hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,PID)
if hProcess == None:
print "\t[+] Unable to get process handle"
sys.exit(0)
print "\t[+] Allocating space for DLL PATH"
DLL_PATH_ADDR = kernel32.VirtualAllocEx(hProcess,
0,
LEN_DLL,
VIRTUAL_MEM,
PAGE_RW_PRIV)
bool_Written = c_int(0)
print "\t[+] Writing DLL PATH to current process space"
kernel32.WriteProcessMemory(hProcess,
DLL_PATH_ADDR,
DLL_PATH,
LEN_DLL,
byref(bool_Written))
print "\t[+] Resolving Call Specific functions & libraries"
kernel32DllHandler_addr = kernel32.GetModuleHandleA("kernel32")
print "\t\t[+] Resolved kernel32 library at 0x%08x" % kernel32DllHandler_addr
LoadLibraryA_func_addr = kernel32.GetProcAddress(kernel32DllHandler_addr,"LoadLibraryA")
print "\t\t[+] Resolve LoadLibraryA function at 0x%08x" %LoadLibraryA_func_addr
thread_id = c_ulong(0) # for our thread id
print "\t[+] Creating Remote Thread to load our DLL"
if not kernel32.CreateRemoteThread(hProcess,
None,
0,
LoadLibraryA_func_addr,
DLL_PATH_ADDR,
0,
byref(thread_id)):
print "Injection Failed, exiting"
sys.exit(0)
else:
print "Remote Thread 0x%08x created, DLL code injected" % thread_id.value
PID = int(sys.argv[1])
DLL_PATH = str(sys.argv[2])
dll_inject(PID, DLL_PATH)
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
print "[+] Universal DLL Injector by Y"
print "[+] contact : If you know me then give me a shout"
print "[+] usage: ./dll_injector.py <PID> <DLLPATH>"
print "\n"
from ctypes import *
import sys,ctypes
# Define constants we use
PAGE_RW_PRIV = 0x04
PROCESS_ALL_ACCESS = 0x1F0FFF
VIRTUAL_MEM = 0x3000
#CTYPES handler
kernel32 = windll.kernel32
def dll_inject(PID,DLL_PATH):
print "[+] Starting DLL Injector"
LEN_DLL = len(DLL_PATH)# get the length of the DLL PATH
print "\t[+] Getting process handle for PID:%d " % PID
hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,PID)
if hProcess == None:
print "\t[+] Unable to get process handle"
sys.exit(0)
print "\t[+] Allocating space for DLL PATH"
DLL_PATH_ADDR = kernel32.VirtualAllocEx(hProcess,
0,
LEN_DLL,
VIRTUAL_MEM,
PAGE_RW_PRIV)
bool_Written = c_int(0)
print "\t[+] Writing DLL PATH to current process space"
kernel32.WriteProcessMemory(hProcess,
DLL_PATH_ADDR,
DLL_PATH,
LEN_DLL,
byref(bool_Written))
print "\t[+] Resolving Call Specific functions & libraries"
kernel32DllHandler_addr = kernel32.GetModuleHandleA("kernel32")
print "\t\t[+] Resolved kernel32 library at 0x%08x" % kernel32DllHandler_addr
LoadLibraryA_func_addr = kernel32.GetProcAddress(kernel32DllHandler_addr,"LoadLibraryA")
print "\t\t[+] Resolve LoadLibraryA function at 0x%08x" %LoadLibraryA_func_addr
thread_id = c_ulong(0) # for our thread id
print "\t[+] Creating Remote Thread to load our DLL"
if not kernel32.CreateRemoteThread(hProcess,
None,
0,
LoadLibraryA_func_addr,
DLL_PATH_ADDR,
0,
byref(thread_id)):
print "Injection Failed, exiting"
sys.exit(0)
else:
print "Remote Thread 0x%08x created, DLL code injected" % thread_id.value
PID = int(sys.argv[1])
DLL_PATH = str(sys.argv[2])
dll_inject(PID, DLL_PATH)Source: waitfordebug.wordpress.com