Python3实现DLL注入问题解决
一. VirtualAllocEx申请空间失败
需要提权。
二. CreateProcessA失败
Python 3.x的所有字符串以Unicode存在,所以可以改用CreateProcessW来调用。或者使用CreateProcessA时,将字符串转为Ascii。其他具有A和W区别的方法同理。
三. GetProcAddress获取地址失败
GetProcAddress没办法使用宽字符,都得用Ascii那一套。
四. 方法调用时最好显式给出参数的类型。
五. 演示一个从kernel32获取LoadLibraryA的方法
1. 宽字符方式
# Wide-character route: GetModuleHandleW takes an LPCWSTR, so a Python 3 str
# can be passed directly (Python 3 strings are Unicode, see section 二).
self.kernel32.GetModuleHandleW.restype = wintypes.HANDLE
self.kernel32.GetModuleHandleW.argtypes = [wintypes.LPCWSTR]
# restype HANDLE (c_void_p) yields None for a NULL handle; worth checking
# before it is wrapped and passed on below.
h_kernel1 = self.kernel32.GetModuleHandleW("kernel32.dll")
print("GetModuleHandleW:", h_kernel1)
# GetProcAddress has no W variant (section 三): the export name must be a
# narrow (bytes) string, hence LPCSTR and the .encode() below.
self.kernel32.GetProcAddress.restype = wintypes.LPVOID
self.kernel32.GetProcAddress.argtypes = [wintypes.HANDLE, wintypes.LPCSTR]
# errors='ignore' silently drops any non-ASCII character. Harmless for this
# fixed literal, but with a caller-supplied name it could quietly resolve a
# different export -- prefer the default strict mode for non-literal input.
LoadLibraryA = self.kernel32.GetProcAddress(wintypes.HANDLE(h_kernel1),"LoadLibraryA".encode('ascii', 'ignore'))
print("GetProcAddress:", LoadLibraryA)
2. ascii
# ASCII route: GetModuleHandleA declared with LPCTSTR, which the text below
# defines as ctypes.POINTER(ctypes.c_char).
self.kernel32.GetModuleHandleA.restype = wintypes.HANDLE
self.kernel32.GetModuleHandleA.argtypes = [wintypes.LPCTSTR]
# NOTE(review): a str is passed although the argtype is a char pointer;
# confirm ctypes accepts this on the target interpreter -- the A variant
# conventionally takes a bytes value or c_char_p.
h_kernel1 = self.kernel32.GetModuleHandleA("kernel32.dll")
print("GetModuleHandleA:", h_kernel1)
# Same narrow-string export lookup as in the wide-character example:
# GetProcAddress only has an ANSI form, so the name is encoded to bytes.
self.kernel32.GetProcAddress.restype = wintypes.LPVOID
self.kernel32.GetProcAddress.argtypes = [wintypes.HANDLE, wintypes.LPCSTR]
# errors='ignore' drops non-ASCII characters silently; fine for a literal,
# risky for a caller-supplied name (a different export could be resolved).
LoadLibraryA = self.kernel32.GetProcAddress(wintypes.HANDLE(h_kernel1),"LoadLibraryA".encode('ascii', 'ignore'))
print("GetProcAddress:", LoadLibraryA)
其中的 wintypes.LPCTSTR = ctypes.POINTER(ctypes.c_char)。可以自己定义一下。
完整注入代码:
#-*- coding: utf-8 -*-
import ctypes
import ctypes.wintypes as wintypes
# Supplement ctypes.wintypes with the aliases this script spells via
# ``wintypes.<NAME>``. NOTE: these assignments mutate the shared stdlib module
# in-process, so every other importer of ctypes.wintypes in this interpreter
# sees them too.
wintypes.HANDLE = ctypes.c_void_p          # already c_void_p in stdlib; restated, presumably for explicitness
wintypes.PHANDLE = ctypes.POINTER(wintypes.HANDLE)
wintypes.LPDWORD = ctypes.POINTER(wintypes.DWORD)
wintypes.LPBYTE = ctypes.POINTER(ctypes.c_ubyte)
wintypes.LPTSTR = ctypes.POINTER(ctypes.c_char)
wintypes.LPCTSTR = wintypes.LPTSTR         # ctypes caches POINTER(), so this is the same type object
class __LUID(ctypes.Structure):
    """Win32 LUID: a locally unique identifier split into two 32-bit halves.

    Field order matches the C declaration (LowPart first, then HighPart).
    """

    _fields_ = [
        ("LowPart", wintypes.DWORD),
        ("HighPart", wintypes.LONG),
    ]
# Publish the struct under the conventional wintypes names (LUID / PLUID) so
# the rest of the script spells every Win32 type as wintypes.<NAME>.
wintypes.LUID = __LUID
wintypes.PLUID = ctypes.POINTER(__LUID)
class __LUID_AND_ATTRIBUTES(ctypes.Structure):
    """Win32 LUID_AND_ATTRIBUTES: a LUID paired with its attribute flags.

    Relies on ``wintypes.LUID`` having been defined earlier in this script.
    """

    _fields_ = [
        ("Luid", wintypes.LUID),
        ("Attributes", wintypes.DWORD),
    ]
# Expose the struct and its pointer type through the wintypes namespace,
# mirroring how LUID / PLUID are published above.
wintypes.LUID_AND_ATTRIBUTES = __LUID_AND_ATTRIBUTES
wintypes.PLUID_AND_ATTRIBUTES = ctypes.POINTER(__LUID_AND_ATTRIBUTES)
class __TOKEN_PRIVILEGES(ctypes.Structure):
    """Win32 TOKEN_PRIVILEGES with room for exactly one privilege entry.

    The C header declares ``Privileges`` as an array of ANYSIZE_ARRAY (1)
    elements; embedding a single LUID_AND_ATTRIBUTES has the same size and
    alignment, so this definition is only valid for PrivilegeCount == 1.
    NOTE(review): confirm no caller sets PrivilegeCount above 1 with it.
    """

    _fields_ = [
        ("PrivilegeCount", wintypes.DWORD),
        ("Privileges", wintypes.LUID_AND_ATTRIBUTES),
    ]
# Publish TOKEN_PRIVILEGES and its pointer type under the wintypes namespace,
# consistent with the LUID aliases defined above.
wintypes.TOKEN_PRIVILEGES = __TOKEN_PRIVILEGES
wintypes.PTOKEN_PRIVILEGES = ctypes.POINTER(__TOKEN_PRIVILEGES)
class __STARTUPINFO(ctypes.Structure):
    """Win32 STARTUPINFO in its narrow-string (A) layout.

    The three ``lp*`` string fields use ``wintypes.LPTSTR``, which this script
    defines as POINTER(c_char). NOTE(review): if this struct is handed to
    CreateProcessW (as section 二 suggests), those fields would need wide
    pointers instead -- confirm which variant the caller uses. The API
    expects ``cb`` to hold sizeof(STARTUPINFO); nothing here sets it.
    """

    _fields_ = [
        ("cb", wintypes.DWORD),
        ("lpReserved", wintypes.LPTSTR),
        ("lpDesktop", wintypes.LPTSTR),
        ("lpTitle", wintypes.LPTSTR),
        ("dwX", wintypes.DWORD),
        ("dwY", wintypes.DWORD),
        ("dwXSize", wintypes.DWORD),
        ("dwYSize", wintypes.DWORD),
        ("dwXCountChars", wintypes.DWORD),
        ("dwYCountChars", wintypes.DWORD),
        ("dwFillAttribute", wintypes.DWORD),
        ("dwFlags", wintypes.DWORD),
        ("wShowWindow", wintypes.WORD),
        ("cbReserved2", wintypes.WORD),
        ("lpReserved2", wintypes.LPBYTE),
        ("hStdInput", wintypes.HANDLE),
        ("hStdOutput", wintypes.HANDLE),
        ("hStdError", wintypes.HANDLE),
    ]
# Publish STARTUPINFO and its pointer type (LPSTARTUPINFO) under wintypes,
# following the same pattern as the other structs in this script.
wintypes.STARTUPINFO = __STARTUPINFO
wintypes.LPSTARTUPINFO = ctypes.POINTER(__STARTUPINFO)
class __STARTUP