Pywraith Python

1. **GhostCore: Memory Pivoting in Python Executables – White Paper PoC**
2.  
3. ---
4.  
5. **Title:** Python Runtime Subversion through Memory Mapping, XOR Bypass, and Remote Pointer Injection
6. **Codename:** PyWraith
7. **Author:** Quellaran Deluxethue Messat // GhostCore Reactor Node
8. **Date:** August 29, 2025
9.  
10. ---
11.  
12. ## 📌 Executive Summary
13.  
14. This white paper details a proof-of-concept attack chain, codenamed **PyWraith**, which demonstrates how attackers can leverage low-level Windows memory manipulation techniques against Python executables. The chain includes **PEB/heap pivots, obfuscation bypass, environment emulation overrides, and remote pointer injection** — culminating in persistent and stealthy payload execution cloaked inside a trusted Python runtime.
15.  
16. ---
17.  
18. ## 🎯 Target Surface
19.  
20. * **Host Process:** `python.exe` or Python-frozen executables
21. * **Critical Structures:** Thread Environment Block (TEB), Process Environment Block (PEB), Process Heap
22. * **Key APIs:** `NtQueryInformationProcess`, `ZwGetNlsSectionPtr`
23. * **Obfuscation Barrier:** XOR shuffle routines guarding GUID/validation strings
24. * **Environment Check:** DeviceFamily emulation blocks
25.  
26. ---
27.  
28. ## ⚙️ Attack Phases
29.  
30. ### 🔑 Phase 1: Entry via PEB/Heap Pivot
31.  
32. **File:** `PivotPoints(MemoryMappingBypass).txt`
33.  
34. Assembly:
35.  
36. ```asm
37. mov rax, qword ptr gs:[30] ; PEB base
38. mov rax, [rax+60] ; PEB → ProcessHeap
39. ret
40. ```
41.  
42. **Exploit Concept:**
43.  
44. * Attacker pivots execution into PEB space.
45. * Gains controlled access to heap structures.
46. * Maps RWX memory region inside Python’s heap to stage payload.
47.  
48. ---
49.  
50. ### 🧵 Phase 2: Thread Error Bypass
51.  
52. **File:** `Python(error on thread).txt` + `ModuleInjection.txt`
53.  
54. Assembly:
55.  
56. ```asm
57. mov rdx, qword ptr gs:[30] ; PEB
58. movsxd rax, dword ptr [rdx+180C]
59. test eax, eax ; thread error flag
60. ```
61.  
62. **Exploit Concept:**
63.  
64. * Normal thread error check ensures runtime stability.
65. * Attacker patches or manipulates flag to always pass.
66. * Payload threads survive as if legitimate Python worker threads.
67.  
68. ---
69.  
70. ### ❌ Phase 3: XOR Shuffle Bypass
71.  
72. **File:** `Xor Bypass point.txt`
73.  
74. Observed loop reorders GUID string values, using `xor r8d,r8d` and multiple byte moves.
75.  
76. **Exploit Concept:**
77.  
78. * Designed as anti-tamper integrity check.
79. * Attacker bypasses or hooks routine to feed clean values.
80. * Python runtime believes GUID/string integrity intact, continuing execution.
81.  
82. ---
83.  
84. ### 🛰️ Phase 4: DeviceFamily Emulation Override
85.  
86. **File:** `DeviceFamily(emulation).txt`
87.  
88. Assembly:
89.  
90. ```asm
91. cmp word ptr [rax], r9w
92. call <ntdll.ZwGetNlsSectionPtr>
93. ```
94.  
95. **Exploit Concept:**
96.  
97. * Code checks if host is real device family or emulator.
98. * Attacker forces return values to simulate real environment.
99. * Neutralizes anti-VM/anti-sandbox logic, enabling execution in any host.
100.  
101. ---
102.  
103. ### 🧩 Phase 5: Remote Pointer Injection
104.  
105. **File:** `RemotpointerInjection point.txt`
106.  
107. Assembly:
108.  
109. ```asm
110. NtQueryInformationProcess
111. ```
112.  
113. **Exploit Concept:**
114.  
115. * Pivot into `NtQueryInformationProcess` call.
116. * Overwrite or redirect remote process pointers.
117. * Inject payload as SYSTEM-threaded context inside Python runtime.
118.  
119. ---
120.  
121. ## 🔄 Full Attack Chain Flow
122.  
123. ```
124. [Payload Loaded] →
125. [PEB Heap Pivot → RWX Memory] →
126. [Thread Error Bypass → Valid Worker] →
127. [XOR Shuffle Neutralized → Anti-Tamper Defeated] →
128. [DeviceFamily Override → Anti-VM Evaded] →
129. [NtQueryInformationProcess Hijack → Remote Injection] →
130. [Ghost Payload Executes Inside python.exe]
131. ```
132.  
133. ---
134.  
135. ## 🎭 Cloaking Characteristics
136.  
137. * **Process Legitimacy:** Payload executes under signed Python process.
138. * **Heap Residency:** Payload stored in Python heap, blending with interpreter objects.
139. * **Error Flag Spoofing:** Threads appear valid to runtime checks.
140. * **Environment Spoofing:** Execution allowed in VMs and emulators.
141. * **Remote Pointer Abuse:** System API used to mask injection as normal query.
142.  
143. ---
144.  
145. ## 🛡️ Mitigation Concepts
146.  
147. * Enforce integrity checks on PEB and heap access patterns.
148. * Strengthen XOR/anti-tamper with dynamic per-session keys.
149. * Monitor `NtQueryInformationProcess` for abnormal pointer manipulation.
150. * Harden DeviceFamily API with cryptographic attestation.
151.  
152. ---
153.  
154. ## 🧠 GhostCore Framing
155.  
156. **PyWraith** is the ghost that learns to wear Python’s body.
157. It crawls into the heap, speaks with false thread voices, whispers past tamper wards, and convinces the system it belongs.
158.  
159. This is not an exploit chain. This is an *identity theft of execution itself.*
160.  
161. ---
162.  
163. **End of Document // GhostCore Relay Node Q.D. Messat**