xmlrpc_server.py
#!/usr/bin/env python3
from xmlrpc.server import SimpleXMLRPCServer
import xmlrpc.client
from ctypes import *
from ctypes.wintypes import *
import sys, time, json, ctypes.wintypes, os, subprocess, shutil
from pathlib import Path
#Microsoft types to ctypes for clarity
# NOTE(review): several of these rebind names that `from ctypes.wintypes import *`
# already provided. Two differ from the Win32 ABI: BOOL is a 4-byte int in Win32
# (wintypes uses c_long) but c_bool is 1 byte, and UINT_PTR is pointer-sized but
# c_ulong is 4 bytes on Windows. Neither BOOL nor UINT_PTR is used by the
# structures in this file, so no layout is affected. DWORD_PTR = c_uint64 matches
# a 64-bit process only.
BYTE = c_ubyte
WORD = c_ushort
DWORD = c_ulong
LPBYTE = POINTER(c_ubyte)
LPTSTR = POINTER(c_char)
HANDLE = c_void_p
PVOID = c_void_p
LPVOID = c_void_p
UINT_PTR = c_ulong
LONG = c_long
DWORD64 = c_uint64
PWCHAR = c_wchar_p
DWORD_PTR = c_uint64
BOOL = c_bool
# Constants
# CreateProcess creation flags; only CREATE_NEW_CONSOLE is used in this file.
DEBUG_PROCESS = 0x00000001
CREATE_NEW_CONSOLE = 0x00000010
# Thread constants for CreateToolhelp32Snapshot()
TH32CS_SNAPHEAPLIST = 0x00000001
TH32CS_SNAPPROCESS = 0x00000002
TH32CS_SNAPTHREAD = 0x00000004
TH32CS_SNAPMODULE = 0x00000008
TH32CS_INHERIT = 0x80000000
TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE)
# OpenThread() access mask; not referenced in this file (SuspendProcess uses THREAD_SUSPEND_RESUME).
THREAD_ALL_ACCESS = 0x001F03FF
# DLL handles. `windll` only exists in ctypes on Windows, so importing this module
# anywhere else fails here with NameError. No restype/argtypes are declared on the
# kernel32 functions used below, so handles travel through ctypes' default c_int
# conversion. advapi32 is not referenced elsewhere in this file.
kernel32 = windll.kernel32
advapi32 = windll.advapi32
# Structures for CreateProcessW() function
class STARTUPINFO(Structure):
    """STARTUPINFO passed by reference to CreateProcessW() in dump().

    Field order defines the in-memory layout and must match the Win32 header.
    The only caller sets cb, dwFlags and wShowWindow and leaves every pointer
    field NULL; the three LPTSTR fields are char pointers here while the W API
    expects wide-char pointers, which is layout-identical (both pointer-sized)
    and harmless as long as they stay NULL.
    """
    _fields_ = [
        ("cb", DWORD),
        ("lpReserved", LPTSTR),
        ("lpDesktop", LPTSTR),
        ("lpTitle", LPTSTR),
        ("dwX", DWORD),
        ("dwY", DWORD),
        ("dwXSize", DWORD),
        ("dwYSize", DWORD),
        ("dwXCountChars", DWORD),
        ("dwYCountChars", DWORD),
        ("dwFillAttribute",DWORD),
        ("dwFlags", DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE),
        ("hStdInput", HANDLE),
        ("hStdOutput", HANDLE),
        ("hStdError", HANDLE),
    ]
class PROCESS_INFORMATION(Structure):
    """PROCESS_INFORMATION filled in by CreateProcessW() in dump().

    dump() reads dwProcessId from it; hProcess and hThread are never closed
    by the caller. Field order defines the memory layout.
    """
    _fields_ = [
        ("hProcess", HANDLE),
        ("hThread", HANDLE),
        ("dwProcessId", DWORD),
        ("dwThreadId", DWORD),
    ]
class THREADENTRY32(Structure):
    """Thread snapshot entry for Thread32First()/Thread32Next() in SuspendProcess().

    dwSize must be set to sizeof(THREADENTRY32) before the first call; the
    caller filters entries by th32OwnerProcessID and opens th32ThreadID.
    Field order defines the memory layout.
    """
    _fields_ = [
        ('dwSize', DWORD),
        ('cntUsage', DWORD),
        ('th32ThreadID', DWORD),
        ('th32OwnerProcessID', DWORD),
        ('tpBasePri', LONG),
        ('tpDeltaPri', LONG),
        ('dwFlags', DWORD),
    ]
# OpenThread() access right requested by SuspendProcess() before SuspendThread().
THREAD_SUSPEND_RESUME = 0x0002
class MODULEENTRY32(Structure):
    """Module snapshot entry for Module32First() in scylla_dump().

    dwSize must be set to sizeof(MODULEENTRY32) before the call; scylla_dump()
    reads modBaseAddr of the first entry as the image base. modBaseAddr is
    declared DWORD_PTR (c_uint64 in this file), so the layout is that of a
    64-bit process. HMODULE comes from ctypes.wintypes. Field order defines
    the memory layout.
    """
    _fields_ = [( 'dwSize' , DWORD ) ,
                ( 'th32ModuleID' , DWORD ),
                ( 'th32ProcessID' , DWORD ),
                ( 'GlblcntUsage' , DWORD ),
                ( 'ProccntUsage' , DWORD ) ,
                ( 'modBaseAddr' , DWORD_PTR ) ,
                ( 'modBaseSize' , DWORD ) ,
                ( 'hModule' , HMODULE ) ,
                ( 'szModule' , c_char * 256 ),
                ( 'szExePath' , c_char * 260 ) ]
# Directory holding this script; every dump artifact is placed relative to it.
p = Path(sys.argv[0])
work_dir = p.parent
################################################
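def scylla_dump(pid, copy_file, entrypoint):
    """Dump process *pid* with Scylla and move the result into work_dir/dump/.

    Args:
        pid: id of the target process (already suspended by the caller).
        copy_file: path of the untouched copy of the executable, handed to
            ScyllaDumpProcessW as fileToDump.
        entrypoint: AddressOfEntryPoint to write into the dumped image.

    Returns None; failures are printed rather than raised. On success the
    target is terminated via OpenProcess/TerminateProcess (TerminateProcess
    takes a process HANDLE, not a PID).
    """
    hSnapshot = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid)
    # CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE (-1 through the
    # default c_int restype) on failure.
    if hSnapshot in (0, -1):
        print("[*] CreateToolhelp32Snapshot failed with error code %d." % kernel32.GetLastError())
        return
    me32 = MODULEENTRY32()
    me32.dwSize = sizeof(MODULEENTRY32)
    try:
        # The first module in the snapshot is the process's own executable.
        if not kernel32.Module32First(hSnapshot, byref(me32)):
            print("[*] Module32First failed with error code %d." % kernel32.GetLastError())
            return
    finally:
        kernel32.CloseHandle(hSnapshot)
    imagebase = me32.modBaseAddr
    print("[*] me32.modBaseAddr: " + hex(imagebase))
    print("[*] AddressOfEntryPoint: " + hex(entrypoint))
    out_file = str(work_dir.joinpath(str(pid) + "_dump.exe"))
    scylla = windll.scylla
    ScyllaDumpProcessW = scylla.ScyllaDumpProcessW
    # BOOL __stdcall ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
    ret = ScyllaDumpProcessW(
        DWORD_PTR(pid),
        PWCHAR(copy_file),
        DWORD_PTR(imagebase),
        DWORD_PTR(entrypoint),
        PWCHAR(out_file)
    )
    print(ret)
    if ret != 1:
        # FALSE covers every Scylla failure, not only a missing process.
        print("[*] ScyllaDumpProcessW failed (ret=%r)." % (ret,))
        print("Process does not exist.")
        return
    PROCESS_TERMINATE = 0x0001
    hProcess = kernel32.OpenProcess(PROCESS_TERMINATE, False, pid)
    if not hProcess:
        print("[*] OpenProcess failed with error code %d." % kernel32.GetLastError())
    else:
        kernel32.TerminateProcess(hProcess, 1)
        kernel32.CloseHandle(hProcess)
    # Move into work_dir/dump/ (the directory dump() created), not a CWD-relative "dump/".
    shutil.move(out_file, str(work_dir.joinpath("dump/")))
    return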
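def SuspendProcess(pid):
    """Suspend every thread owned by process *pid*.

    Walks a TH32CS_SNAPTHREAD snapshot, opens each thread of *pid* with
    THREAD_SUSPEND_RESUME and calls SuspendThread on it. Every handle
    (snapshot and thread) is closed before returning; closing a thread handle
    does not undo the suspension.

    Returns the number of threads successfully suspended (0 when the snapshot
    cannot be taken or the process has no threads). Failures are printed.
    """
    hSnapshot = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0)
    # INVALID_HANDLE_VALUE arrives as -1 through the default c_int restype.
    if hSnapshot in (0, -1):
        print ("[*] SuspendProcess Fail")
        return 0
    suspended = 0
    te = THREADENTRY32()
    te.dwSize = sizeof(THREADENTRY32)
    try:
        ret = kernel32.Thread32First(hSnapshot, byref(te))
        if ret == 0 :
            print ("[*] SuspendProcess Fail")
        while ret :
            if te.th32OwnerProcessID == pid :
                print ("[*] th32ThreadID=%d"% te.th32ThreadID )
                print ("[*] th32OwnerProcessID=%d"% te.th32OwnerProcessID)
                print("[*] --------------------------------")
                hThread = kernel32.OpenThread(THREAD_SUSPEND_RESUME, False, te.th32ThreadID)
                if not hThread:
                    print("[*] OpenThread failed with error code %d." % kernel32.GetLastError())
                else:
                    # SuspendThread returns the previous suspend count, or -1 on failure.
                    if kernel32.SuspendThread(hThread) != -1:
                        suspended += 1
                    else:
                        print("[*] SuspendThread failed with error code %d." % kernel32.GetLastError())
                    kernel32.CloseHandle(hThread)
            ret = kernel32.Thread32Next( hSnapshot, byref(te) )
    finally:
        kernel32.CloseHandle(hSnapshot)
    return suspended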
def download_file():
    """Return work_dir/dump.zip wrapped as an XML-RPC Binary payload."""
    archive = work_dir.joinpath("dump.zip")
    payload = archive.read_bytes()
    return xmlrpc.client.Binary(payload)
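def upload_file(arg, filename):
    """Store an uploaded file below work_dir.

    Args:
        arg: xmlrpc.client.Binary whose .data is written verbatim.
        filename: destination name, interpreted relative to work_dir.

    Returns True on success.

    Raises ValueError when *filename* resolves to work_dir itself or to a path
    outside it: the name comes from the RPC peer, so "../x" or an absolute
    path must not be able to overwrite files elsewhere on the host.
    """
    print ("upload... " + filename)
    base = work_dir.resolve()
    target = base.joinpath(filename).resolve()
    if target == base or base not in target.parents:
        raise ValueError("refusing to write outside the working directory: %r" % (filename,))
    with open(str(target), "wb") as handle:
        handle.write(arg.data)
    return True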
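def _enumerate_pids():
    """Return the set of live process IDs reported by Psapi EnumProcesses().

    Prints the Win32 error and returns an empty set when the call fails. Only
    the BytesReturned/sizeof(DWORD) leading slots of the buffer are valid, so
    unused slots are not included.
    """
    Psapi = ctypes.WinDLL('Psapi.dll')
    EnumProcesses = Psapi.EnumProcesses
    EnumProcesses.restype = ctypes.wintypes.BOOL
    # EnumProcesses silently truncates when the buffer is too small; 4096
    # entries leaves ample headroom for an analysis VM.
    ProcessIds = (ctypes.wintypes.DWORD * 4096)()
    cb = ctypes.sizeof(ProcessIds)
    BytesReturned = ctypes.wintypes.DWORD()
    if not EnumProcesses(ctypes.byref(ProcessIds), cb, ctypes.byref(BytesReturned)):
        print("[*] EnumProcesses failed with error code %d." % kernel32.GetLastError())
        return set()
    count = BytesReturned.value // ctypes.sizeof(ctypes.wintypes.DWORD)
    return set(ProcessIds[:count])


def _launch_target(exe_path):
    """Start *exe_path* in a new, hidden console via CreateProcessW.

    Returns the new process id, or None after printing GetLastError() when
    CreateProcessW fails. The process and thread handles CreateProcessW
    returns are closed here because nothing in this module uses them.
    """
    creation_flags = CREATE_NEW_CONSOLE
    startupinfo = STARTUPINFO()
    process_information = PROCESS_INFORMATION()
    startupinfo.dwFlags = 0x1        # STARTF_USESHOWWINDOW
    startupinfo.wShowWindow = 0x0    # SW_HIDE
    startupinfo.cb = sizeof(startupinfo)
    ok = kernel32.CreateProcessW(exe_path,
                                 None,
                                 None,
                                 None,
                                 None,
                                 creation_flags,
                                 None,
                                 None,
                                 byref(startupinfo),
                                 byref(process_information))
    if not ok:
        print ("[*] Error with error code %d." % kernel32.GetLastError())
        return None
    print ("[*] Launched the process!")
    print ("[*] The Process ID is: %d" % process_information.dwProcessId)
    kernel32.CloseHandle(process_information.hThread)
    kernel32.CloseHandle(process_information.hProcess)
    return process_information.dwProcessId


def dump(config):
    """Run the configured sample and collect a memory dump into work_dir/dump.zip.

    Keys read from *config* (supplied by the XML-RPC peer):
        "mode": "procdump", "hollows_hunter", "diff" or "scylla".
        "target_file": executable under work_dir to launch.
        "time": seconds the sample runs before dumping; must be a number.
        "entrypoint": AddressOfEntryPoint, "scylla" mode only.

    Modes: "procdump" kills the target after "time" seconds and dumps on exit;
    "hollows_hunter" suspends the target and runs hollows_hunter.exe; "diff"
    dumps every process that appeared during the run; "scylla" suspends the
    target and rebuilds it with Scylla. Any other mode only launches the
    target and zips whatever dump/ contains. Returns None.

    Raises TypeError when "time" is not a number: it is interpolated into a
    cmd/PowerShell command line and passed to time.sleep(), so a free-form
    string is never accepted.
    """
    mode = config["mode"]
    wait = config["time"]
    if isinstance(wait, bool) or not isinstance(wait, (int, float)):
        raise TypeError("config['time'] must be a number, got %r" % (wait,))
    dump_dir = str(work_dir.joinpath("dump/"))
    # The server is long-lived; a second dump() must not fail because dump/ exists.
    os.makedirs(dump_dir, exist_ok=True)
    print(config)
    subprocess.call(['cmd.exe', "/c", "start", "pythonw", "mouse_emu.pyw"])
    # "diff" compares the PID set before and after the run to find spawned processes.
    src_set = _enumerate_pids() if mode == "diff" else set()
    target = str(work_dir.joinpath(config['target_file']))
    copy_file = None
    if mode == "scylla":
        # Pristine copy for Scylla; strip only the final extension (rsplit(".")
        # without maxsplit would cut at the first dot).
        copy_file = str(work_dir.joinpath(config['target_file'].rsplit(".", 1)[0] + "_copy.exe"))
        print(copy_file)
        shutil.copyfile(target, copy_file)
    PID = _launch_target(target)
    if PID is None:
        return
    if mode == "procdump":
        # Detached PowerShell kills the target after the wait; procdump -t dumps it on exit.
        cmd=["cmd", "/c", "start", "powershell", "-windowstyle", "hidden","Start-Sleep", str(wait), ";", "taskkill", "/F", "/PID", str(PID), ";"]
        subprocess.call(cmd)
        subprocess.call(["procdump.exe", "-t", "-ma", str(PID), "/AcceptEula"],cwd=dump_dir)
    else:
        print(("[*] wait for dump %d seconds\n") % wait)
        time.sleep(wait)
        print("[*] dumping\n")
        if mode == "hollows_hunter":
            SuspendProcess(PID)
            subprocess.call(["hollows_hunter.exe"], cwd=dump_dir)
        elif mode == "diff":
            # Only processes that appeared during the run; a symmetric difference
            # would also list processes that exited meanwhile.
            new_ProcessIds = sorted(_enumerate_pids() - src_set)
            for pid in new_ProcessIds:
                SuspendProcess(pid)
            for pid in new_ProcessIds:
                subprocess.call(["procdump.exe", "-ma", str(pid), "/AcceptEula"], cwd=dump_dir)
        elif mode == "scylla":
            SuspendProcess(PID)
            scylla_dump(PID, copy_file, config['entrypoint'])
    print("[*] make zip\n")
    subprocess.call(['powershell', "compress-archive", "-Force", dump_dir , str(work_dir.joinpath("dump.zip"))])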
################################################
if __name__ == '__main__':
    # Unauthenticated XML-RPC on every interface: download_file, upload_file and
    # dump are all callable by any peer that can reach port 8000, so this is only
    # meant to run inside the isolated analysis VM.
    server = SimpleXMLRPCServer(('0.0.0.0', 8000), allow_none=True)
    print ("Listening on port 8000...")
    for handler in (download_file, upload_file, dump):
        server.register_function(handler, handler.__name__)
    server.serve_forever()