hakril/PythonForWindows

Hooking remote process?

Closed this issue · 2 comments

Hey there - cool project!

I want to use this in a project I'm working on, but am unsure how I would go about hooking the IAT in a remote process.

I've followed your example to see if it would work for me, but I see that this is not (yet?) implemented:

Traceback (most recent call last):
  File "<redacted>", line 74, in <module>
    iat_create_file[0].set_hook(createfile_callback)
  File "<redacted>\venv\lib\site-packages\windows\pe_parse.py", line 181, in set_hook
    raise NotImplementedError("Setting hook in remote process (use python code injection)")
NotImplementedError: Setting hook in remote process (use python code injection)

use python code injection

Do you have an example of how you would go about replicating your sample code via python code injection the same way?

Specifically, how would I go about hooking CreateFileA like you've done locally:

@CreateFileACallback
def createfile_callback(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile, real_function):
    print("Trying to open {0}".format(lpFileName))
    if "secret" in lpFileName:
        return 0xffffffff
    return real_function()

but in a remote process?

I ended up getting this answered with the help of the pymem community (I use this lib as well for RPM/WPM).

Here's an example of using both pymem for the remote injection and PythonForWindows for the winapi calls against notepad.exe:

import pymem
import sys
import os
from json import dumps

wdir = os.path.abspath('.')

# These paths are pasted into Python source below, so backslashes are doubled
# to survive as string-literal escapes in the injected code.
log_path = os.path.join(wdir, 'out.log').replace("\\", "\\\\")
err_path = os.path.join(wdir, 'err.log').replace("\\", "\\\\")

# Source that will run inside the interpreter injected into the target.
# The two %s placeholders (sys.path and the output file) are filled in below.
shellcode = r"""
import sys
from os import chdir
from traceback import format_exc

# Reuse the injector's sys.path so the injected interpreter can import PythonForWindows.
sys.path=%s
chdir(sys.path[0])

def write_file(message):
    with open("%s", "a") as f:
        f.write(str(message))

try:
    import windows
    from windows.hooks import *

    @CreateFileWCallback
    def createfile_callback(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile, real_function):
        try:
            write_file("Trying to open {0}".format(lpFileName))
        except:
            write_file(format_exc())
        # Always fall through to the real CreateFileW, even if logging failed.
        return real_function()

    # Main module of the target (now the current process) and its import table.
    peb = windows.current_process.peb.modules[0]
    imp = peb.pe.imports

    iat_create_file = [entry for entry in imp['kernel32.dll'] if entry.name == "CreateFileW"]

    result = iat_create_file[0].set_hook(createfile_callback)

    # Keep the injected thread alive so the hook stays installed.
    while True:
        pass
except:
    write_file(format_exc())
""" % (
    # dumps() already escapes backslashes; the extra replace doubles them again,
    # which Windows path handling tolerates.
    dumps(sys.path).replace("\\", "\\\\"),
    err_path  # absolute, pre-escaped path (the original passed a bare 'err.log')
)

pm = pymem.Pymem('notepad.exe')
pm.inject_python_interpreter()
pm.inject_python_shellcode(shellcode)
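Two things in the snippet above are easy to get wrong: the manual backslash doubling when pasting paths into the injected source, and the fact that once the code is inside notepad.exe the only feedback is whatever lands in the log file. The example below is an added illustration, not code from this thread or from PythonForWindows: it renders the hook script with `repr()` so quoting is handled for any path, and dry-runs the generated script in the local interpreter against a constructed stand-in for the `windows` package (attribute layout assumed from the snippet above: `windows.current_process.peb.modules[0].pe.imports`, `entry.set_hook`, `windows.hooks.CreateFileWCallback`), so typos and bad paths surface before anything is injected. `build_hook_script`, `make_fake_windows`, `dry_run` and `demo` are hypothetical names; the injection step itself (pymem or `Process.execute_python`) is left out, and the string returned by `build_hook_script` is what would be handed to it.

```python
import sys
import tempfile
import types
from pathlib import Path

# Script to run inside the target's injected interpreter. Values are substituted
# with repr(), so paths need no manual backslash doubling; {{0}} is a literal {0}.
HOOK_TEMPLATE = '''\
import sys
import time
from traceback import format_exc

sys.path = {sys_path}
LOG_PATH = {log_path}
KEEP_ALIVE = {keep_alive}

def write_file(message):
    with open(LOG_PATH, "a") as f:
        f.write(str(message) + "\\n")

try:
    import windows
    from windows.hooks import CreateFileWCallback

    @CreateFileWCallback
    def createfile_callback(lpFileName, dwDesiredAccess, dwShareMode,
                            lpSecurityAttributes, dwCreationDisposition,
                            dwFlagsAndAttributes, hTemplateFile, real_function):
        try:
            write_file("Trying to open {{0}}".format(lpFileName))
        except Exception:
            write_file(format_exc())
        return real_function()   # log only; the real CreateFileW always runs

    main_module = windows.current_process.peb.modules[0]
    entries = [e for e in main_module.pe.imports["kernel32.dll"]
               if e.name == "CreateFileW"]
    if not entries:
        raise RuntimeError("CreateFileW not found in the kernel32.dll IAT")
    entries[0].set_hook(createfile_callback)
    while KEEP_ALIVE:        # keep the injected thread alive without spinning
        time.sleep(1)
except Exception:
    write_file(format_exc())
'''

def build_hook_script(sys_path, log_path, keep_alive=True):
    """Render the injectable source; repr() does all quoting and escaping."""
    return HOOK_TEMPLATE.format(sys_path=repr([str(p) for p in sys_path]),
                                log_path=repr(str(log_path)),
                                keep_alive=repr(bool(keep_alive)))

def make_fake_windows(captured):
    """Constructed stand-in for the slice of the `windows` package the script
    touches (layout assumed from the thread), usable on any OS."""
    ns = types.SimpleNamespace
    entry = ns(name="CreateFileW",
               set_hook=lambda cb: captured.__setitem__("callback", cb))  # record, don't patch
    module = ns(pe=ns(imports={"kernel32.dll": [entry]}))
    windows = types.ModuleType("windows")
    windows.current_process = ns(peb=ns(modules=[module]))
    hooks = types.ModuleType("windows.hooks")
    hooks.CreateFileWCallback = lambda fn: fn   # real decorator builds a ctypes callback
    windows.hooks = hooks
    return {"windows": windows, "windows.hooks": hooks}

def dry_run(script):
    """Run the script against the fakes in this interpreter; return the callback
    it registered (None if it never got that far)."""
    captured = {}
    fakes = make_fake_windows(captured)
    saved_modules = {name: sys.modules.get(name) for name in fakes}
    saved_path = sys.path
    sys.modules.update(fakes)
    try:
        exec(compile(script, "<injected>", "exec"), {"__name__": "__injected__"})
    finally:
        sys.path = saved_path                   # the script reassigns sys.path
        for name, mod in saved_modules.items():
            if mod is None:
                sys.modules.pop(name, None)
            else:
                sys.modules[name] = mod
    return captured.get("callback")

def demo():
    """Build, dry-run, fire the hook once with constructed arguments, read the log."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = Path(tmp) / "out.log"
        callback = dry_run(build_hook_script(sys.path, log_path, keep_alive=False))
        log = log_path.read_text() if log_path.exists() else ""
        if callback is None:
            return {"hooked": False, "result": None, "log": log}
        # Constructed CreateFileW arguments; the lambda stands in for real_function.
        result = callback("C:\\Users\\me\\secret.txt", 0x80000000, 0, None,
                          3, 0, None, lambda: 0x1234)
        return {"hooked": True, "result": result, "log": log_path.read_text()}
```

`demo()` returns `{"hooked": True, "result": 0x1234, "log": "Trying to open C:\\Users\\me\\secret.txt\n"}`; a traceback in `log` instead means the script would have failed silently inside the target. `keep_alive=False` exists only so the dry run returns; the real injection keeps the default so the hook stays installed.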

Hello!
Thank you for the issue.
Indeed, hooking a remote process requires explicit Python injection.

There is something equivalent to your pymem alternative in PythonForWindows, which is Process.execute_python(code).
This function will execute the Python code and wait for its completion.
You can find an example in this sample: https://github.com/hakril/PythonForWindows/blob/master/samples/process/remote_process.py