Es gibt alle PIDs der Prozesse aus, die gerade laufen; danach gibt man PID + DLL ein und diese wird injiziert – das ist eigentlich schon alles ^^
Wenn es Fragen gibt, einfach drauflos schreiben.
'''
Created on 24.05.2013
@author: Patrick Walther
'''
import sys
from ctypes import *
# Win32 constants used below (values as in the Windows SDK headers).
PAGE_READWRITE = 0x04  # memory protection passed to VirtualAllocEx
VIRTUAL_MEM = (0x1000 | 0x2000)  # MEM_COMMIT | MEM_RESERVE
# Full access mask for OpenProcess; this is the pre-Vista SDK value
# (newer SDKs define PROCESS_ALL_ACCESS as 0x1FFFFF, which adds the
# newer access bits).
PROCESS_ALL_ACCESS = 0x1F0FFF
# Windows-only: `windll` is not defined by ctypes on other platforms,
# so importing this module elsewhere fails at these two lines.
kernel32 = windll.kernel32
psapi = windll.psapi
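def EnumProcesses():
    """Print the base module name and PID of every process that can be opened.

    Calls psapi.EnumProcesses for the PID list, then for each PID opens the
    process with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, fetches its
    first module handle via EnumProcessModules and prints the module's base
    name (GetModuleBaseNameA) followed by a " PID: <n>" line.  Processes
    that cannot be opened (typically access denied) or whose module list
    cannot be read are skipped.  Returns None; an API failure is reported
    on stdout, never raised.
    """
    PROCESS_QUERY_INFORMATION = 0x0400
    PROCESS_VM_READ = 0x0010
    MAX_PATH = 260  # GetModuleBaseNameA truncates the name to the buffer size

    # EnumProcesses gives no "more available" flag, only cbNeeded == cb when
    # the array was too small.  A fixed 256-slot array silently dropped PIDs
    # on busy systems, so grow the array until the result fits with room.
    n_slots = 256
    while True:
        pid_array = (c_ulong * n_slots)()
        cb_needed = c_ulong(0)
        ok = psapi.EnumProcesses(byref(pid_array), sizeof(pid_array),
                                 byref(cb_needed))
        if not ok:
            print("[*] EnumProcesses failed.")
            return
        if cb_needed.value < sizeof(pid_array):
            break
        n_slots *= 2

    n_returned = cb_needed.value // sizeof(c_ulong)
    for pid in pid_array[:n_returned]:
        h_process = kernel32.OpenProcess(
            PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
        if not h_process:
            # Usually a protected or other-user process: nothing to show.
            continue
        try:
            # HMODULE is pointer-sized; a c_ulong would truncate it on 64-bit
            # Python, so keep it as c_void_p and pass the object itself.
            h_module = c_void_p()
            cb_modules = c_ulong(0)
            if not psapi.EnumProcessModules(h_process, byref(h_module),
                                            sizeof(h_module),
                                            byref(cb_modules)):
                continue
            # Fresh buffer per process, so no manual NUL cleanup is needed.
            modname = create_string_buffer(MAX_PATH)
            n_chars = psapi.GetModuleBaseNameA(h_process, h_module, modname,
                                               sizeof(modname))
            print(modname.raw[:n_chars])
            print(" PID: %d" % pid)
        finally:
            # Always release the handle, even when a module call failed.
            kernel32.CloseHandle(h_process)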
EnumProcesses()
# Interactive operator input.  The PID string is converted with int() below;
# a non-numeric entry raises an unhandled ValueError.  The path is used as-is
# (8-bit string) as the argument for LoadLibraryA.
pid = raw_input("Enter the pid of the process to inject to: ")
dll_path = raw_input("Enter the path to the dll: ")
dll_len = len(dll_path)
# Get process handle
# Opening another process with PROCESS_ALL_ACCESS is the first event a
# defender sees of the OpenProcess -> VirtualAllocEx -> WriteProcessMemory
# -> CreateRemoteThread sequence below.  The handle is never closed here;
# it is released only when the script exits.
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))
if not h_process:
    print "[*] Couldn't acquire a handle to PID: %s" % pid
    # NOTE(review): exit status 0 reports success to a calling shell.
    sys.exit(0)
# Get some storage for the dll-path
# Reserve and commit dll_len bytes of PAGE_READWRITE memory in the target.
# A return value of 0 (allocation failed) is not checked.
arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE)
# Write the dll path into the allocated storage.
# Neither the BOOL result nor `written` is checked afterwards.
written = c_int(0)
kernel32.WriteProcessMemory(h_process,arg_address, dll_path, dll_len, byref(written))
# The LoadLibraryA address is resolved in this process and reused in the
# target; presumably that relies on kernel32 being mapped at the same base
# address in both processes — TODO confirm for the intended environment.
h_kernel32 = kernel32.GetModulHandleA("kernel32.dll")
h_loadlib = kernel32.GetProcAddress(h_kernel32,"LoadLibraryA")
#try to create remote thread
# A remote thread whose start address is LoadLibraryA and whose parameter
# is the path written above is the classic DLL-injection pattern; from a
# detection standpoint this CreateRemoteThread call (Sysmon Event ID 8,
# EDR API hooks) is the usual alerting point.
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(h_process,
                                   None,
                                   0,
                                   h_loadlib,
                                   arg_address,
                                   0,
                                   byref(thread_id)):
    print "[*] Failed to inject the DLL. Exiting."
    # NOTE(review): exit status 0 on failure, same as above.
    sys.exit(0)
print "[*] Remote thread with ID 0x%08x created." % thread_id.value