Injecting a python interpreter into any processΒΆ

Pymem allow you to inject python.dll into a target process and then map py_run_simple_string with a single call to inject_python_interpreter().

from pymem import Pymem

notepad = subprocess.Popen(['notepad.exe'])

pm = pymem.Pymem('notepad.exe')
pm.inject_python_interpreter()
filepath = os.path.join(os.path.abspath('.'), 'pymem_injection.txt')
filepath = filepath.replace("\\", "\\\\")
shellcode = """
f = open("{}", "w+")
f.write("pymem_injection")
f.close()
""".format(filepath)
pm.inject_python_shellcode(shellcode)
notepad.kill()

So what did that code do?

  1. we start notepad process and get its handle
  2. we hook pymem with notepad process
  3. we call inject_python_interpreter() which will:
  • dynamically finds the correct python dll and inject it
  • register py_run_simple_string
  1. then we inject some python code with inject_python_shellcode() which will:
  • VirtualAllocEx some space for the code to be written
  • write the actual payload into allocated space
  • execute py_run_simple_string so the python code gets interpreted within the notepad process
  1. finally we get rid of notepad process