Monday, April 30, 2012

Execute ShellCode Using Python

After writing shellcode, we generally use a small C program like this to test it (the original snippet was missing its braces and the actual call through the function pointer):

char code[] = "shell code";
int main(int argc, char **argv)
{
    int (*func)();
    func = (int (*)()) code;   /* cast the buffer to a function pointer */
    (*func)();                 /* jump into the buffer */
    return 0;
}

In this article I am going to show you how we can use Python and its "ctypes" library to execute a "calc.exe" shellcode, or any other shellcode. ctypes is a foreign function library for Python. It provides C-compatible data types and allows calling functions in DLLs or shared libraries. It can be used to wrap these libraries in pure Python.

I will be using six Win32 APIs to execute the shellcode. These Win32 APIs are very important for dynamic memory management on the Windows platform. Here ctypes will let us call these APIs directly.

The concept is as follows:

1)  First, VirtualAlloc() creates a new executable memory region; we then copy our shellcode into it and execute it from there.
2)  VirtualLock() locks the specified region of the process's virtual address space into physical memory, ensuring that subsequent access to the region will not incur a page fault.
It accepts a pointer to the base address of the region of pages to be locked and the size of the region to be locked, in bytes.
A simple example of this function can be found in MSDN.

3)  RtlMoveMemory() accepts 3 arguments: a pointer to the destination (returned from VirtualAlloc()), a pointer to the memory to be copied, and the number of bytes to be copied.

4)  CreateThread() accepts 6 arguments.
In our case the third argument is the important one: it is the pointer to the application-defined function the new thread will execute, and here we pass the pointer returned by VirtualAlloc(). If the function succeeds, the return value is a handle to the new thread.

5)  WaitForSingleObject() accepts 2 arguments: the handle to the object (returned by CreateThread()) and the time-out interval, in milliseconds. If a nonzero value is specified, the function waits until the object is signaled or the interval elapses.

API Descriptions (Source: MSDN)

VirtualAlloc function:
Reserves or commits a region of pages in the virtual address space of the calling process. Memory allocated by this function is automatically initialized to zero, unless MEM_RESET is specified.

LPVOID WINAPI VirtualAlloc(
  __in_opt  LPVOID lpAddress,
  __in      SIZE_T dwSize,
  __in      DWORD flAllocationType,
  __in      DWORD flProtect
);

VirtualLock function:
Locks the specified region of the process's virtual address space into physical memory, ensuring that subsequent access to the region will not incur a page fault.

BOOL WINAPI VirtualLock(
  __in  LPVOID lpAddress,
  __in  SIZE_T dwSize
);

RtlMoveMemory routine:
The RtlMoveMemory routine moves memory either forward or backward, aligned or unaligned, in 4-byte blocks, followed by any remaining bytes.

VOID RtlMoveMemory(
  __in  VOID UNALIGNED *Destination,
  __in  const VOID UNALIGNED *Source,
  __in  SIZE_T Length
);

CreateThread function:
Creates a thread to execute within the virtual address space of the calling process.

HANDLE WINAPI CreateThread(
  __in_opt   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in       SIZE_T dwStackSize,
  __in       LPTHREAD_START_ROUTINE lpStartAddress,
  __in_opt   LPVOID lpParameter,
  __in       DWORD dwCreationFlags,
  __out_opt  LPDWORD lpThreadId
);

WaitForSingleObject function:
Waits until the specified object is in the signaled state or the time-out interval elapses.

DWORD WINAPI WaitForSingleObject(
  __in  HANDLE hHandle,
  __in  DWORD dwMilliseconds
);
The Python code goes here. The shellcode bytes themselves are not reproduced on this page; the argument lists, which were cut off, are filled in from the API descriptions above (MEM_COMMIT | MEM_RESERVE = 0x3000, PAGE_EXECUTE_READWRITE = 0x40, INFINITE = -1).

import ctypes

# x86/shikata_ga_nai succeeded with size 227 (iteration=1)
# Metasploit windows/exec calc.exe
shellcode = bytearray(
    # payload bytes omitted on this page
)
kernel32 = ctypes.windll.kernel32
kernel32.VirtualAlloc.restype = ctypes.c_void_p  # keep the full pointer on 64-bit Python
ptr = kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))  # RWX region
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
kernel32.RtlMoveMemory(ctypes.c_void_p(ptr), buf, ctypes.c_int(len(shellcode)))  # copy shellcode into the region
ht = kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_void_p(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))  # start address = region
kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))  # wait for the thread to finish
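The same five-call sequence is what a defender looks for: an RWX VirtualAlloc, a copy into that region, and a CreateThread whose start address points into it. The script below is an added example and is not part of the original post. It runs over a few constructed API-trace lines (the one-call-per-line format, the process ids and the addresses are all assumptions; real sandbox or EDR traces look different) and reports every thread that was started inside a PAGE_EXECUTE_READWRITE region the same process allocated and then wrote to.

```python
# Added example, not from the original post: detect the
# VirtualAlloc(RWX) -> RtlMoveMemory -> CreateThread pattern in an API trace.
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40   # flProtect value used by the loader above
MEM_COMMIT = 0x1000             # part of the 0x3000 allocation type

# Assumed trace format: "pid=<n> api=<Name>(<k>=<v>, ...) ret=<value>"
LINE_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\((?P<args>[^)]*)\)\s*(?:ret=(?P<ret>\S+))?"
)


@dataclass
class RwxRegion:
    base: int
    size: int
    written: bool = False     # set once something copies into the region


@dataclass
class ProcessState:
    regions: list = field(default_factory=list)


def parse_args(text):
    """Turn 'a=1, b=0x40, c=foo' into {'a': 1, 'b': 64, 'c': 'foo'}."""
    out = {}
    for part in text.split(","):
        if "=" not in part:
            continue
        key, value = (p.strip() for p in part.split("=", 1))
        try:
            out[key] = int(value, 0)   # accepts hex and decimal
        except ValueError:
            out[key] = value
    return out


def region_for(state, addr):
    """Return the tracked RWX region containing addr, if any."""
    if not isinstance(addr, int):
        return None
    for region in state.regions:
        if region.base <= addr < region.base + region.size:
            return region
    return None


def detect_self_injection(lines):
    """One finding per CreateThread whose start address lies inside an RWX
    region that the same process committed and then wrote to."""
    state = {}
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, api = int(m.group("pid")), m.group("api")
        args = parse_args(m.group("args"))
        ret = int(m.group("ret"), 0) if m.group("ret") else None
        st = state.setdefault(pid, ProcessState())
        if api == "VirtualAlloc" and ret:
            if (args.get("flProtect") == PAGE_EXECUTE_READWRITE
                    and args.get("flAllocationType", 0) & MEM_COMMIT):
                st.regions.append(RwxRegion(base=ret, size=args.get("dwSize", 0)))
        elif api in ("RtlMoveMemory", "memcpy", "WriteProcessMemory"):
            region = region_for(st, args.get("Destination"))
            if region:
                region.written = True
        elif api == "CreateThread":
            region = region_for(st, args.get("lpStartAddress"))
            if region and region.written:
                findings.append({"pid": pid, "base": region.base,
                                 "start": args["lpStartAddress"]})
    return findings


# Constructed sample trace (not real data): one process showing the pattern,
# one benign process that allocates RW memory and starts a thread in its image.
SAMPLE_TRACE = [
    "pid=4120 api=VirtualAlloc(lpAddress=0x0, dwSize=0xE3, flAllocationType=0x3000, flProtect=0x40) ret=0x1F0000",
    "pid=4120 api=RtlMoveMemory(Destination=0x1F0000, Source=0x2A1234, Length=0xE3)",
    "pid=4120 api=CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1F0000, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0) ret=0x1C4",
    "pid=4120 api=WaitForSingleObject(hHandle=0x1C4, dwMilliseconds=0xFFFFFFFF) ret=0x0",
    "pid=5008 api=VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x04) ret=0x3A0000",
    "pid=5008 api=RtlMoveMemory(Destination=0x3A0000, Source=0x2B0000, Length=0x100)",
    "pid=5008 api=CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401000, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0) ret=0x1D0",
]

if __name__ == "__main__":
    for f in detect_self_injection(SAMPLE_TRACE):
        print(f"pid {f['pid']}: thread started at {f['start']:#x} inside RWX region {f['base']:#x}")
```

The check is deliberately stateful per process: an RWX allocation on its own is noisy (JIT engines do it), and a thread start in module-backed memory is normal; it is the combination of commit-as-RWX, write, then execute from that same region within one process that matches the loader on this page.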
