by
264 13
1
3
913
0
Top 5% !
Popular
Specified
Popularity: 53313rd place

Published on:

No tags for this snippet yet.
LanguagePython
OSWindows
SourceGitHub
Windows VersionWindows

Using 7 bytes of preassembled shellcode, determine if the current 32-bit process is running in the WOW64 subsystem (as is the case when running 32-bit Python on 64-bit Windows) or if it's running from a 32-bit Windows OS.

Using 7 bytes of preassembled shellcode, determine if the current 32-bit process is running in the WOW64 subsystem (as is the case when running 32-bit Python on 64-bit Windows) or if it's running from a 32-bit Windows OS.: 
iswow64.py
Copy Embed Code
<iframe id="embedFrame" style="width:600px; height:300px;"
src="https://www.snip2code.com/Embed/632531/Using-7-bytes-of-preassembled-shellcode-?startLine=0"></iframe>
Click on the embed code to copy it into your clipboard Width Height
Leave empty to retrieve all the content Start End
# encoding: utf-8 """ iswow64.py Using 7 bytes of preassembled shellcode, determine if the current 32-bit process is running in the WOW64 subsystem (as is the case when running 32-bit Python on 64-bit Windows) or if it's running from a 32-bit Windows OS. This program is free software. It comes without any warranty, to the extent permitted by applicable law. You can redistribute it and/or modify it under the terms of the Do What The Fuck You Want To Public License, Version 2, as published by Sam Hocevar. See http://sam.zoy.org/wtfpl/COPYING for more details. """ from _ctypes import _SimpleCData as _SimpleCData from ctypes.wintypes import LPVOID, DWORD, INT, BOOLEAN, HANDLE from ctypes import WinDLL, POINTER, WinError, c_size_t as SIZE_T, sizeof as SIZEOF, \ cast as CAST, byref as BYREF, create_string_buffer as STRALLOC, \ WINFUNCTYPE as WINAPI, CFUNCTYPE as CDECL # Verify we're working on a 32-bit version of Python assert(SIZEOF(LPVOID) == SIZEOF(DWORD)) # Kernel32 DLL _kernel32 = WinDLL('kernel32.dll') # Custom Types class BOOL(INT): """ Just a 32-bit integer interpreted as a boolean. """ def from_param(self, value): if value is None: return INT(0) elif isinstance(value, _SimpleCData): return value else: return INT(value) def __eq__(self, other): value = self.value if isinstance(other, bool): return value == other elif isinstance(other, _SimpleCData): return value == bool(other.value) else: return value == bool(other) def __hash__(self): return hash(self._as_parameter_) # Typedefs LPCVOID = LPVOID PDWORD = POINTER(DWORD) PSIZE_T = POINTER(SIZE_T) # Constants NULL = LPVOID(0) NULL_PDWORD = CAST(NULL, PDWORD) NULL_PSIZE_T = CAST(NULL, PSIZE_T) ## Param values for flAllocationType & dwFreeType MEM_RESERVE = DWORD(0x00002000) MEM_COMMIT = DWORD(0x00001000) MEM_RELEASE = DWORD(0x8000) ## Param values for flProtect & flNewProtect PAGE_READWRITE = DWORD(0x04) PAGE_EXECUTE_READWRITE = DWORD(0x40) ## Param flags Constants _In = 1 _Out = 2 _InOpt = 3 _InOutOpt = _InOpt | _Out # Win32 API Function Prototypes """ HANDLE WINAPI GetCurrentProcess(void); """ GetCurrentProcess = WINAPI(HANDLE)(('GetCurrentProcess', _kernel32)) hCurrentProcess = GetCurrentProcess() """ LPVOID WINAPI VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) """ VirtualAlloc = WINAPI(LPVOID, LPVOID, SIZE_T, DWORD, DWORD)( _kernel32.VirtualAlloc ) """ BOOL VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType) """ VirtualFree = WINAPI(BOOL, LPVOID, SIZE_T, DWORD)( _kernel32.VirtualFree ) """ BOOL VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) """ VirtualProtect = WINAPI(BOOL, LPVOID, SIZE_T, DWORD, PDWORD)( _kernel32.VirtualProtect ) """ BOOL WINAPI WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumofBytesWritten) """ WriteProcessMemory = WINAPI(BOOL, HANDLE, LPVOID, LPCVOID, SIZE_T, PSIZE_T)( _kernel32.WriteProcessMemory ) """ BOOL WINAPI FlushInstructionCache(HANDLE hProcess, LPCVOID lpBaseAddress, SIZE_T dwSize) """ FlushInstructionCache = WINAPI(BOOL, HANDLE, LPCVOID, SIZE_T)( _kernel32.FlushInstructionCache ) def destroy_cfunc(cfuncproc): """ :param cfuncproc:Stuff :type cfuncproc:ctypes.CFUNCTYPE :return:Success :rtype:bool """ if isinstance(cfuncproc, LPVOID): cptr = cfuncproc csize = cfuncproc._allocsize else: cptr = cfuncproc._cptr csize = cfuncproc._procsize return bool(VirtualFree(cptr, csize, MEM_RELEASE)) def create_cfunc(cfunctype, shellcode): """ :param cfunctype: The function prototype to use for creation. :type cfunctype: ctypes.CFUNCTYPE :param shellcode: List of bytes forming the shellcode :type shellcode: list :return:The callable function in memory. :rtype:ctypes.CFUNCTYPE """ # Grab the size of the shellcode shellcode_size = len(shellcode) # Reserve memory for our shellcode bytes lpAllocated = LPVOID(VirtualAlloc(NULL, shellcode_size, MEM_RESERVE, PAGE_EXECUTE_READWRITE)) if not lpAllocated or (hasattr(lpAllocated, 'value') and lpAllocated.value is None): raise WinError() # Commit our allocation to obtain our allocated memory. lpRes = VirtualAlloc(lpAllocated.value, shellcode_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE) lpAllocated._allocsize = shellcode_size # Alter protection flags on the memory region that will contain our code. # if not VirtualProtect(lpAllocated.value, shellcode_size, PAGE_EXECUTE_READWRITE, NULL_PDWORD): # destroy_cfunc(lpAllocated) # raise WinError() # Assemble our shellcode buffer, then copy it over to our allocated memory. shellcode_buffer = STRALLOC(''.join(map(chr, shellcode)), shellcode_size) WriteProcessMemory(hCurrentProcess, lpAllocated, CAST(shellcode_buffer, LPVOID).value, shellcode_size, NULL_PSIZE_T) # Flush our instruction cache, and apply our prototype, then return the result. FlushInstructionCache(hCurrentProcess, lpAllocated, shellcode_size) cfuncproc = cfunctype(lpAllocated.value) cfuncproc._cptr = lpAllocated cfuncproc._procsize = shellcode_size return cfuncproc IsWow64ShellCode = [ # _IsWow64: 0x66, 0x8C, 0xC8, # mov ax, cs 0xC1, 0xE8, 0x05, # shr eax, 5 0xC3 # ret ] ISWOW64FUNCTYPE = CDECL(BOOLEAN) IsWow64 = create_cfunc(ISWOW64FUNCTYPE, IsWow64ShellCode) if IsWow64(): print 'IsWow64 = True' else: print 'IsWow64 = False' destroy_cfunc(IsWow64)
If you want to be updated about similar snippets, Sign in and follow our Channels

blog comments powered by Disqus