  • Stars: 144
  • Rank 255,590 (Top 6 %)
  • Language: Nim
  • License: The Unlicense
  • Created almost 2 years ago
  • Updated almost 2 years ago

Repository Details

DLL sideloading/proxying with Nim!

Nim DLL Sideloading

This repo allows you to easily generate Nim DLLs that you can use for sideloading/proxy loading. If you're unfamiliar with what DLL sideloading is, take a gander at this blog post.

How do I use this?

Put the legit DLL (or multiple DLLs) you want to proxy into the build directory of this repo then run make.

This will generate two .dlls in the out directory:

  • The randomly named one is the original DLL that function calls will be proxied to
  • The other will be your payload

If sideloading is successful, you should see a message box popup and/or a file written to the desktop.

To actually "weaponize" the payload, you can take a look at the OffensiveNim repository for ideas and ready-to-go code snippets :).

How does it work?

  • dllproxy.nim is the proxy DLL that will execute your payload and proxy legit function calls to the original DLL(s)
  • gen_def.py parses the original DLL's export table and generates a Module-definition (.def) file.

The .def file then gets passed to the linker at compile time in order to proxy the legit function calls.

Bonus - Hide NimMain from a Nim DLL's export table

See this Microsoft article

Notice the last line of this .def file:

EXPORTS
	GetFileVersionInfoA=ZCnerzNI.GetFileVersionInfoA @1
	GetFileVersionInfoByHandle=ZCnerzNI.GetFileVersionInfoByHandle @2
	GetFileVersionInfoExA=ZCnerzNI.GetFileVersionInfoExA @3
	GetFileVersionInfoExW=ZCnerzNI.GetFileVersionInfoExW @4
	GetFileVersionInfoSizeA=ZCnerzNI.GetFileVersionInfoSizeA @5
	GetFileVersionInfoSizeExA=ZCnerzNI.GetFileVersionInfoSizeExA @6
	GetFileVersionInfoSizeExW=ZCnerzNI.GetFileVersionInfoSizeExW @7
	GetFileVersionInfoSizeW=ZCnerzNI.GetFileVersionInfoSizeW @8
	GetFileVersionInfoW=ZCnerzNI.GetFileVersionInfoW @9
	VerFindFileA=ZCnerzNI.VerFindFileA @10
	VerFindFileW=ZCnerzNI.VerFindFileW @11
	VerInstallFileA=ZCnerzNI.VerInstallFileA @12
	VerInstallFileW=ZCnerzNI.VerInstallFileW @13
	VerLanguageNameA=ZCnerzNI.VerLanguageNameA @14
	VerLanguageNameW=ZCnerzNI.VerLanguageNameW @15
	VerQueryValueA=ZCnerzNI.VerQueryValueA @16
	VerQueryValueW=ZCnerzNI.VerQueryValueW @17
	NimMain @19 NONAME PRIVATE

This last line tells the linker to strip the name of the NimMain function: NONAME exports it by ordinal only, so the name never lands in the export table, and PRIVATE keeps the entry out of the generated import library. Compiling the DLL and passing the above .def file to the linker results in the following entry if we take a look at the .dll's export table:

[Screenshot: HiddenNimMain]
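Both of the mechanisms above leave a visible trace in the built DLL: a forwarded export is stored as a "Module.Function" string inside the export directory rather than as a code address, and a NONAME export has a slot in the address table but no entry in the name table. The script below is an added example, not code from this repository; it is a minimal PE export-table reader (the same walk gen_def.py performs to produce the .def file) that reports where exports forward to and which ordinals carry no name, which is what an analyst checks when triaging a DLL that sits next to a legitimate executable. The PE image it parses is constructed in memory so it runs offline; the module name ZCnerzNI and every export name and ordinal in it are invented, and the section layout is the simplest one the parser accepts.

```python
"""Export-table triage for a DLL suspected of being a proxy/sideload payload.

Added example (not the repository's code): reads a PE32+/PE32 export table and
reports forwarded exports and nameless (NONAME) exports. The sample image below
is constructed; "ZCnerzNI" and all names/ordinals are invented.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Export:
    ordinal: int
    name: Optional[str]       # None for a NONAME export (reachable by ordinal only)
    forwarder: Optional[str]  # "Module.Function" when the entry forwards elsewhere


def _rva_to_offset(sections, rva: int) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data: bytes) -> List[Export]:
    """Return every populated export of a PE image, in ordinal order."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory[0] (exports) sits at +112 in PE32+ and at +96 in PE32.
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (112 if magic == 0x20B else 96))
    sections = []
    for i in range(num_sections):
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
        sections.append((va, raw_ptr, raw_size))
    d = _rva_to_offset(sections, exp_rva)
    base, n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<6I", data, d + 16)
    funcs_off, names_off, ords_off = (_rva_to_offset(sections, r) for r in (funcs_rva, names_rva, ords_rva))
    names_by_index: Dict[int, str] = {}  # the name table only covers named exports
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
        names_by_index[idx] = _cstr(data, _rva_to_offset(sections, name_rva))
    exports = []
    for i in range(n_funcs):
        func_rva = struct.unpack_from("<I", data, funcs_off + 4 * i)[0]
        if func_rva == 0:
            continue  # unused slot in the ordinal range
        forwarder = None
        # An address inside the export directory is not code but a "Module.Function"
        # string; the loader resolves the export in that other module.
        if exp_rva <= func_rva < exp_rva + exp_size:
            forwarder = _cstr(data, _rva_to_offset(sections, func_rva))
        exports.append(Export(base + i, names_by_index.get(i), forwarder))
    return exports


def proxy_indicators(exports: List[Export]) -> dict:
    """Summarise what a reviewer wants to know: forwarding targets and nameless exports."""
    return {
        "total": len(exports),
        "forwarded": sum(1 for e in exports if e.forwarder),
        "forward_targets": sorted({e.forwarder.split(".", 1)[0] for e in exports if e.forwarder}),
        "nameless_ordinals": [e.ordinal for e in exports if e.name is None],
    }


def build_sample_dll() -> bytes:
    """Constructed sample: a tiny PE32+ whose only content is an export table.

    Mirrors the README's .def: named exports forwarded to the proxied DLL plus one
    nameless export pointing at (pretend) code. Header fields the parser never
    reads are left zero.
    """
    SEC_RVA, SEC_OFF, SEC_SIZE = 0x1000, 0x200, 0x200
    entries = [("GetFileVersionInfoA", "ZCnerzNI.GetFileVersionInfoA"),
               ("VerQueryValueW", "ZCnerzNI.VerQueryValueW"),
               (None, None)]  # ordinal 3: NONAME; RVA 0x2000 stands in for code
    named = [(i, n) for i, (n, _) in enumerate(entries) if n]
    funcs_at, names_at = 40, 40 + 4 * len(entries)
    ords_at = names_at + 4 * len(named)
    strings_at = ords_at + 2 * len(named)
    blob = bytearray()

    def add_str(s: str) -> int:  # append a C string to the pool, return its RVA
        rva = SEC_RVA + strings_at + len(blob)
        blob.extend(s.encode("ascii") + b"\0")
        return rva

    funcs = [add_str(fwd) if fwd else 0x2000 for _, fwd in entries]
    names = [add_str(n) for _, n in named]
    export_size = strings_at + len(blob)
    table = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(entries), len(named),
                        SEC_RVA + funcs_at, SEC_RVA + names_at, SEC_RVA + ords_at)
    table += struct.pack(f"<{len(funcs)}I", *funcs) + struct.pack(f"<{len(names)}I", *names)
    table += struct.pack(f"<{len(named)}H", *[i for i, _ in named]) + bytes(blob)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<II", SEC_RVA, export_size) + b"\0" * 120
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", export_size, SEC_RVA, SEC_SIZE, SEC_OFF, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + opt + sec
    image = hdr + b"\0" * (SEC_OFF - len(hdr)) + table
    return bytes(image) + b"\0" * (SEC_OFF + SEC_SIZE - len(image))


if __name__ == "__main__":
    found = parse_exports(build_sample_dll())
    for e in found:
        print(f"@{e.ordinal:<3} {e.name or '<no name>':24} -> {e.forwarder or '(code)'}")
    print(proxy_indicators(found))
```

Run against a real DLL by replacing `build_sample_dll()` with the file's bytes. A DLL whose exports almost all forward to one module with an unusual name, with one or two leftover exports that carry no name, matches the shape this README produces; a legitimate forwarding DLL (Windows ships several, such as API-set stubs) forwards to well-known system module names, so the `forward_targets` list is the field to look at first.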

More Repositories

1

CrackMapExec

A swiss army knife for pentesting networks
Python
7,779
star
2

MITMf

Framework for Man-In-The-Middle attacks
Python
3,472
star
3

OffensiveNim

My experiments in weaponizing Nim (https://nim-lang.org/)
Nim
2,438
star
4

SILENTTRINITY

An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
Boo
2,054
star
5

DeathStar

Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
Python
1,520
star
6

SprayingToolkit

Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
Python
1,334
star
7

gcat

A PoC backdoor that uses Gmail as a C&C server
Python
1,302
star
8

ItWasAllADream

A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE
Python
725
star
9

WitnessMe

Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
Python
683
star
10

pth-toolkit

Modified version of the passing-the-hash tool collection made to work straight out of the box
Python
508
star
11

OffensiveDLR

Toolbox containing research notes & PoC code for weaponizing .NET's DLR
PowerShell
492
star
12

SpamChannel

Spoof emails from any of the +2 Million domains using MailChannels (DEFCON 31 Talk)
JavaScript
315
star
13

chrome-decrypter

Python script to decrypt saved Chrome usernames and passwords on Windows
Python
265
star
14

arpspoof

Python clone of arpspoof that can poison hosts via arp-requests as well as arp-replies
Python
184
star
15

sslstrip2

A mirror of the original SSLstrip+ code by Leonardo Nve
Python
175
star
16

AnsiblePlaybooks

A collection of Ansible Playbooks that configure Kali to use Fish & install a number of tools
156
star
17

duckhunter

Converts a USB Rubber ducky script into a Kali Nethunter friendly format for the HID attack
Python
117
star
18

Slides

Slides from various talks that I've given over the years
116
star
19

DHCPShock

Spoofs a DHCP server and exploits all clients vulnerable to the 'ShellShock' bug
Python
83
star
20

BOF-Nim

Cobalt Strike BOF Files with Nim!
Nim
79
star
21

BeEF-API

Python library that facilitates interfacing with BeEF via its RESTful API
Python
76
star
22

webview_d3

Generate graphs with NetworkX, natively visualize with D3.js and pywebview
Python
69
star
23

Naga

A C# stager for SILENTTRINITY (https://github.com/byt3bl33d3r/SILENTTRINITY)
C#
62
star
24

Invoke-AutoIt

Loads the AutoIt DLL and PowerShell assemblies into memory and executes the specified keystrokes
PowerShell
59
star
25

wifi-graper

Automatically get internetz from access points that have MAC based filtering enabled
Python
53
star
26

toby

Recursively searches a directory for any file containing a specified string
Python
44
star
27

CME-PowerShell-Scripts

A collection of modified PowerShell Scripts for CrackMapExec (https://github.com/byt3bl33d3r/CrackMapExec)
PowerShell
43
star
28

MemeGenerator

Modern problems require modern solutions
Python
31
star
29

pythoncookie

My Python Cookiecutter project template
Dockerfile
30
star
30

tailscalesd

Prometheus Service Discovery for Tailscale (Python Edition)
Python
23
star
31

SponsorMonitor

Monitor Github Sponsors and automatically add/remove them to/from a Github Organization Team.
Python
23
star
32

Kaliya

A cross-platform stager for SILENTTRINITY (https://github.com/byt3bl33d3r/SILENTTRINITY)
C#
23
star
33

cmd2powershell

Converts a command to a base64 powershell compatible string
Python
22
star
34

Utinni

An async Python client library for Empire's RESTful API
Python
21
star
35

MITMf-opt-plugins

Optional plugins for MITMf
Python
14
star
36

hookme

Automatically exported from code.google.com/p/hookme
C#
13
star
37

jamaal-re-tools

Automatically exported from code.google.com/p/jamaal-re-tools
HTML
12
star
38

byt3bl33d3r.github.io

Trying to take the dum-dum out of security
HTML
10
star
39

BOF-Zig

Cobalt Strike BOF with Zig!
C
9
star
40

byt3bl33d3r

Github Profile Readme
8
star
41

LocoCrack

A loco version of BozoCrack with some improvements (https://github.com/juuso/BozoCrack)
Python
8
star
42

sergio-proxy

Original Sergio-Proxy code written by Ben Schmidt (@_supernothing)
Python
7
star
43

externalip

Prometheus client that exposes your external IP address
Python
6
star
44

conky-gr33n

Conky config for everyone who likes a lot of green
Lua
4
star
45

conky-r3d

Conky config for everyone who likes a lot of red
Lua
2
star
46

playwright-heap-snapshot

API and CLI tool to fetch and query Chrome DevTools heap snapshots (Python & Playwright)
Python
2
star