Python DLL 注入(Windows,ctypes)

import os
import sys
from ctypes import *

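PAGE_READWRITE = 0x04                    # the original spelled this FAGE_READWRITE
MEM_COMMIT_RESERVE = (0x1000 | 0x2000)   # MEM_COMMIT | MEM_RESERVE (was VIRTUAL_MEN)
MEM_RELEASE = 0x8000
WAIT_OBJECT_0 = 0
LOAD_WAIT_MS = 5000                      # how long to wait for the remote LoadLibraryA

PROCESS_ALL_ACCESS = 0x001F0FFF
# Least privilege: exactly the rights WriteProcessMemory/CreateRemoteThread
# need. PROCESS_ALL_ACCESS is kept above for reference but is not requested.
PROCESS_INJECT_ACCESS = (
    0x0002    # PROCESS_CREATE_THREAD
    | 0x0008  # PROCESS_VM_OPERATION
    | 0x0010  # PROCESS_VM_READ
    | 0x0020  # PROCESS_VM_WRITE
    | 0x0400  # PROCESS_QUERY_INFORMATION
)


def _kernel32():
    """Bind kernel32 with explicit pointer-sized signatures.

    ctypes defaults every return value to a 32-bit C int, which silently
    truncates HANDLE/LPVOID/FARPROC values under 64-bit Python: the injector
    would then write to, and start a thread at, a garbage address.
    ``use_last_error`` makes ``get_last_error()`` reliable after a failed call.
    """
    k32 = WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = c_void_p
    k32.OpenProcess.argtypes = [c_ulong, c_int, c_ulong]
    k32.VirtualAllocEx.restype = c_void_p
    k32.VirtualAllocEx.argtypes = [c_void_p, c_void_p, c_size_t, c_ulong, c_ulong]
    k32.VirtualFreeEx.restype = c_int
    k32.VirtualFreeEx.argtypes = [c_void_p, c_void_p, c_size_t, c_ulong]
    k32.WriteProcessMemory.restype = c_int
    k32.WriteProcessMemory.argtypes = [
        c_void_p, c_void_p, c_char_p, c_size_t, POINTER(c_size_t)
    ]
    k32.GetModuleHandleA.restype = c_void_p
    k32.GetModuleHandleA.argtypes = [c_char_p]
    k32.GetProcAddress.restype = c_void_p
    k32.GetProcAddress.argtypes = [c_void_p, c_char_p]
    k32.CreateRemoteThread.restype = c_void_p
    k32.CreateRemoteThread.argtypes = [
        c_void_p, c_void_p, c_size_t, c_void_p, c_void_p, c_ulong, POINTER(c_ulong)
    ]
    k32.WaitForSingleObject.restype = c_ulong
    k32.WaitForSingleObject.argtypes = [c_void_p, c_ulong]
    k32.GetExitCodeThread.restype = c_int
    k32.GetExitCodeThread.argtypes = [c_void_p, POINTER(c_ulong)]
    k32.CloseHandle.restype = c_int
    k32.CloseHandle.argtypes = [c_void_p]
    return k32


def _last_error():
    """Return the Win32 error of the most recent failed call, formatted for printing."""
    return WinError(get_last_error())


def _parse_pid(text):
    """Parse a command-line PID.

    Raises ValueError with a readable message when *text* is not a positive
    decimal integer (the original crashed with a bare int() traceback).
    """
    try:
        pid = int(text, 10)
    except (TypeError, ValueError):
        raise ValueError("PID must be an integer, got %r" % (text,))
    if pid <= 0:
        raise ValueError("PID must be positive, got %d" % pid)
    return pid


def inject_dll(pid, dll_path):
    """Load *dll_path* into process *pid* via CreateRemoteThread(LoadLibraryA).

    Returns the remote thread id (int) on success, or None after printing the
    reason. The DLL must have the same bitness as the target, and the caller
    must be allowed to open the target (same user, or an elevated token with
    SeDebugPrivilege). Use only on processes you are authorised to instrument.
    """
    k32 = _kernel32()

    # LoadLibraryA runs in the *target* and resolves a relative path against
    # the target's DLL search order, not ours; hand it an absolute path so it
    # cannot pick up a different file than intended (DLL search hijacking).
    path = os.path.abspath(dll_path)
    if not isinstance(path, bytes):
        # Python 3 str -> ANSI bytes for the "A" API. Paths with characters
        # outside the ANSI code page would need LoadLibraryW + a UTF-16 buffer.
        path = path.encode("mbcs")
    path += b"\0"  # explicit terminator; do not rely on zero-filled pages

    h_process = k32.OpenProcess(PROCESS_INJECT_ACCESS, False, pid)
    if not h_process:
        print("[*] Couldn't acquire a handle to PID: %s (%s)" % (pid, _last_error()))
        return None

    h_thread = None
    remote_buf = None
    try:
        remote_buf = k32.VirtualAllocEx(
            h_process, None, len(path), MEM_COMMIT_RESERVE, PAGE_READWRITE
        )
        if not remote_buf:
            print("[*] VirtualAllocEx failed: %s" % _last_error())
            return None

        written = c_size_t(0)
        ok = k32.WriteProcessMemory(h_process, remote_buf, path, len(path), byref(written))
        if not ok or written.value != len(path):
            print("[*] WriteProcessMemory failed: %s" % _last_error())
            return None

        # kernel32 is mapped at the same base in every process of this
        # bitness on a given boot, so LoadLibraryA's address in our process
        # is valid in the target as well. (The original looked up MessageBoxA
        # here, which lives in user32, not kernel32, so GetProcAddress
        # returned NULL and no DLL was ever loaded.)
        h_kernel32 = k32.GetModuleHandleA(b"kernel32.dll")
        load_library = k32.GetProcAddress(h_kernel32, b"LoadLibraryA")
        if not load_library:
            print("[*] Could not resolve LoadLibraryA: %s" % _last_error())
            return None

        thread_id = c_ulong(0)
        h_thread = k32.CreateRemoteThread(
            h_process, None, 0, load_library, remote_buf, 0, byref(thread_id)
        )
        if not h_thread:
            print("[*] Failed to inject the DLL. Exiting. (%s)" % _last_error())
            return None

        # A created thread only proves LoadLibraryA was *called*. Wait for it
        # and read its return value (the HMODULE, NULL on failure) to know
        # whether the DLL actually loaded. The exit code is a DWORD, so on x64
        # only the low 32 bits of the base survive; a zero here is still
        # almost certainly a real failure.
        if k32.WaitForSingleObject(h_thread, LOAD_WAIT_MS) == WAIT_OBJECT_0:
            hmodule = c_ulong(0)
            if k32.GetExitCodeThread(h_thread, byref(hmodule)) and hmodule.value == 0:
                print("[*] Remote LoadLibraryA returned NULL: the DLL did not load "
                      "(wrong bitness, missing dependency or unreadable path?)")
                return None
        else:
            # The thread may still be reading the path; leak the buffer rather
            # than free memory out from under it.
            print("[*] Remote thread still running after %d ms; leaving path "
                  "buffer in place" % LOAD_WAIT_MS)
            remote_buf = None
        return thread_id.value
    finally:
        # Always release what we opened (the original leaked both handles).
        if h_thread:
            k32.CloseHandle(h_thread)
        if remote_buf is not None:
            k32.VirtualFreeEx(h_process, remote_buf, 0, MEM_RELEASE)
        k32.CloseHandle(h_process)


def main(argv):
    """Entry point: ``python <script> <pid> <dll_path>``.

    Returns the process exit status: 0 on success, 1 when injection failed,
    2 on bad arguments (the original exited with status 0 in every case).
    """
    if len(argv) != 3:
        print("Usage: %s <pid> <dll_path>" % (argv[0] if argv else "inject.py"))
        return 2
    try:
        pid = _parse_pid(argv[1])
    except ValueError as exc:
        print("[*] %s" % exc)
        return 2
    dll_path = argv[2]
    # Local existence check only; the target must also be able to read it.
    if not os.path.isfile(dll_path):
        print("[*] DLL not found: %s" % dll_path)
        return 2

    thread_id = inject_dll(pid, dll_path)
    if thread_id is None:
        return 1

    # Confirmation popup kept from the original script. It runs in *this*
    # process, not in the target; what happens remotely is up to the DLL.
    windll.user32.MessageBoxA(0, 0, 0, 0)
    print("thread_ID: 0x%08x create" % thread_id)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))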

这段代码的目的是:在目标进程运行期间把一个 DLL 注入进去(在目标进程中通过 CreateRemoteThread 调用 kernel32.dll 导出的 LoadLibraryA 来加载它),注入成功后在本地弹出一个消息框作为提示。需要注意:MessageBoxA 位于 user32.dll 而不是 kernel32.dll,用 GetProcAddress 在 kernel32.dll 中查找它只会得到 NULL;完成 DLL 注入应当查找的是 kernel32.dll 中的 LoadLibraryA。另外,注入的 DLL 必须与目标进程位数一致(32 位对 32 位,64 位对 64 位),DLL 路径应使用绝对路径,否则目标进程会按自己的 DLL 搜索顺序去找,可能加载到另一个文件。

由于脚本从 sys.argv[1](目标进程 PID)和 sys.argv[2](DLL 路径)读取参数,需要在 cmd 中运行:`python 脚本名.py <PID> <DLL绝对路径>`。打开其他用户或受保护的进程需要管理员权限(SeDebugPrivilege);只应对自己有权调试或测试的进程使用。
