So what’s the big deal?
• Python supports a Foreign Function Interface (FFI)
• The standard library ships it as ctypes
• It provides C compatible data types, and allows calling functions in DLLs or shared libraries. It can be used to wrap these libraries in pure Python
• Smell profits!!!
• An alternative to the import system: no extra modules to bring along, the Win32 API is called directly
• Good for Post Exploitation
• Bypass AV
A Simple MessageBoxA
• From MSDN: int WINAPI MessageBox(_In_opt_ HWND hWnd, _In_opt_ LPCTSTR lpText, _In_opt_ LPCTSTR lpCaption, _In_ UINT uType);
• 4 arguments are required:
How to understand quickly
• HWND hWnd – a handle to the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window (so we pass NULL, which in Python is None)
• LPCTSTR lpText – a string: the message text
• LPCTSTR lpCaption – a string: the title of the message box
• UINT uType – an unsigned integer holding the button and icon flags (0 = MB_OK)
• The T in LPCTSTR resolves to char for the A version: MessageBoxA wants a Python 3 bytes object, not a str (a str is marshalled as a wide string and typically shows only its first character)
• _In_opt_ is a SAL annotation saying you can pass NULL as the value
SAL annotation shortcut
Input to called function                          _In_       _In_opt_
Input to called function, and output to caller    _Inout_    _Inout_opt_
Output to caller                                  _Out_      _Out_opt_
Output of pointer to caller                       _Outptr_   _Outptr_opt_
(In ctypes: _In_ values are passed directly; _Out_ parameters get a ctypes object passed with byref() so the callee can fill it in)
How easy is it to pop up a MessageBox in Python?
from ctypes import *
How about WinExec?
• WinExec is a classic function dating from 16-bit Windows. Only 2 args are needed.
• From MSDN: UINT WinExec(_In_ LPCSTR lpCmdLine, _In_ UINT uCmdShow);
• We know lpCmdLine is a string holding the executable path (plus any arguments), but what value should we place in uCmdShow?
uCmdShow from MSDN: a SW_* show-window flag, e.g. SW_SHOWNORMAL (1) or SW_SHOW (5); SW_HIDE (0) runs the program without a visible window. The return value is greater than 31 on success, otherwise an error code.
To spawn a calc:
from ctypes import *
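The MessageBoxA and WinExec calls from the two slides above, as an added example that is not code from the original deck. It sets argtypes/restype on each function so ctypes marshals the arguments the way the MSDN prototype says (a step the slides' one-liners skip), and it enforces the bytes-for-LPCSTR rule. The helper names to_lpcstr, message_box and win_exec are mine; the constants are the documented winuser.h/winbase.h values.

```python
# Added example: MessageBoxA and WinExec through ctypes with explicit
# prototypes. Windows-only calls are guarded so the module imports anywhere.
import sys
from ctypes import c_char_p, c_int, c_uint, c_void_p

# Constants from <winuser.h> / <winbase.h>
MB_OK = 0x00000000
MB_ICONINFORMATION = 0x00000040
IDOK = 1                 # MessageBox return value when OK is clicked
SW_HIDE = 0
SW_SHOWNORMAL = 1


def to_lpcstr(value):
    """Coerce a Python value to what an 'A' (ANSI) Win32 function expects.

    A Python 3 str is not a char*; the A functions need bytes. None is
    passed through because the parameter may be _In_opt_.
    """
    if value is None:
        return None
    if isinstance(value, str):
        # 'mbcs' is the Windows ANSI code page; it only exists on Windows.
        return value.encode("mbcs" if sys.platform == "win32" else "latin-1")
    if isinstance(value, bytes):
        return value
    raise TypeError("LPCSTR wants str, bytes or None, got %r" % type(value))


def _win32():
    """Resolve user32/kernel32 and declare the two prototypes; None off Windows."""
    if sys.platform != "win32":
        return None
    from ctypes import windll
    user32, kernel32 = windll.user32, windll.kernel32
    # int MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
    user32.MessageBoxA.argtypes = [c_void_p, c_char_p, c_char_p, c_uint]
    user32.MessageBoxA.restype = c_int
    # UINT WinExec(LPCSTR lpCmdLine, UINT uCmdShow)
    kernel32.WinExec.argtypes = [c_char_p, c_uint]
    kernel32.WinExec.restype = c_uint
    return user32, kernel32


def message_box(text, caption, flags=MB_OK | MB_ICONINFORMATION):
    """Pop a message box; returns the button id (IDOK == 1), or None off Windows."""
    libs = _win32()
    if libs is None:
        return None
    user32, _ = libs
    # hWnd is _In_opt_: NULL in C is None in ctypes.
    return user32.MessageBoxA(None, to_lpcstr(text), to_lpcstr(caption), flags)


def win_exec(cmdline, show=SW_SHOWNORMAL):
    """Run cmdline via WinExec; True on success, False on error, None off Windows."""
    libs = _win32()
    if libs is None:
        return None
    _, kernel32 = libs
    rc = kernel32.WinExec(to_lpcstr(cmdline), show)
    # WinExec returns > 31 on success; 0..31 are error codes
    # (e.g. 2 == ERROR_FILE_NOT_FOUND).
    return rc > 31


if __name__ == "__main__":
    print(message_box("Hello from ctypes", "MessageBoxA"))
    print(win_exec("calc.exe"))
```

Passing a str to MessageBoxA without argtypes does not raise; ctypes silently marshals it as a wide string, which is the classic "only the first letter shows up" symptom. With argtypes set, a str raises ArgumentError at the call site instead.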
How about Executing Shellcode?
• Many ways
– File dropping technique (BAD)
– Code injection technique (BAD)
– In-memory technique (GOOD)
• File dropping is bad, since antivirus will immediately catch the file on disk and trigger
• Code injection alters the integrity of a binary; HIPS might trigger
• Why shellcode? Because we can!!
• We are going to chain 4 APIs to execute our shellcode
• VirtualAlloc() – reserve and commit an RWX buffer
– lpAddress = NULL (let the system pick the address)
– dwSize = length of the shellcode (VirtualAlloc rounds it up to a page)
– flAllocationType = MEM_COMMIT|MEM_RESERVE (0x3000)
– flProtect = PAGE_EXECUTE_READWRITE (0x40)
• WriteProcessMemory() – copy the shellcode into that buffer
– hProcess = -1, the pseudo-handle for the current process (we are writing into our own process)
– lpBaseAddress = the pointer returned from VirtualAlloc()
– lpBuffer = a pointer to our buffer
– nSize = the exact shellcode length. Padding it "to be safe" is not safe: WriteProcessMemory reads nSize bytes from lpBuffer, so anything beyond the shellcode is an over-read of whatever follows the buffer
– lpNumberOfBytesWritten = NULL, or a pointer to a SIZE_T if you want to check the count
• Everything is 0 except for (go figure it out