byt3bl33d3r/OffensiveNim byt3bl33d3r/OffensiveNim

  • Stars
    star
    2,438
  • Rank 18,125 (Top 0.4 %)
  • Language
    Nim
  • License
    BSD 2-Clause "Sim...
  • Created over 3 years ago
  • Updated 11 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
byt3bl33d3r/OffensiveNim
github

byt3bl33d3r

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

My experiments in weaponizing Nim (https://nim-lang.org/)

OffensiveNim

OffensiveNim

My experiments in weaponizing Nim for implant development and general offensive operations.

Table of Contents

Why Nim?

  • Compiles directly to C, C++, Objective-C and Javascript.
  • Since it doesn't rely on a VM/runtime does not produce what I like to call "T H I C C malwarez" as supposed to other languages (e.g. Golang)
  • Python inspired syntax, allows rapid native payload creation & prototyping.
  • Has extremely mature FFI (Foreign Function Interface) capabilities.
  • Avoids making you actually write in C/C++ and subsequently avoids introducing a lot of security issues into your software.
  • Super easy cross compilation to Windows from *nix/MacOS, only requires you to install the mingw toolchain and passing a single flag to the nim compiler.
  • The Nim compiler and the generated executables support all major platforms like Windows, Linux, BSD and macOS. Can even compile to Nintendo switch , IOS & Android. See the cross-compilation section in the Nim compiler usage guide
  • You could technically write your implant and c2 backend both in Nim as you can compile your code directly to Javascript. Even has some initial support for WebAssembly's

Examples in this repo that work

File Description
pop_bin.nim Call MessageBox WinApi without using the Winim library
pop_winim_bin.nim Call MessageBox with the Winim libary
pop_winim_lib.nim Example of creating a Windows DLL with an exported DllMain
execute_assembly_bin.nim Hosts the CLR, reflectively executes .NET assemblies from memory
clr_host_cpp_embed_bin.nim Hosts the CLR by directly embedding C++ code, executes a .NET assembly from disk
scshell_c_embed_bin.nim Shows how to quickly weaponize existing C code by embedding SCShell (C) directly within Nim
fltmc_bin.nim Enumerates all Minifilter drivers
blockdlls_acg_ppid_spoof_bin.nim Creates a suspended process that spoofs its PPID to explorer.exe, also enables BlockDLLs and ACG
named_pipe_client_bin.nim Named Pipe Client
named_pipe_server_bin.nim Named Pipe Server
embed_rsrc_bin.nim Embeds a resource (zip file) at compile time and extracts contents at runtime
self_delete_bin.nim A way to delete a locked or current running executable on disk. Method discovered by @jonasLyk
encrypt_decrypt_bin.nim Encryption/Decryption using AES256 (CTR Mode) using the Nimcrypto library
amsi_patch_bin.nim Patches AMSI out of the current process
amsi_providerpatch_bin.nim Patches the AMSI Provider DLL (in this case MpOav.dll) to bypass AMSI. Published here
etw_patch_bin.nim Patches ETW out of the current process (Contributed by )
wmiquery_bin.nim Queries running processes and installed AVs using using WMI
out_compressed_dll_bin.nim Compresses, Base-64 encodes and outputs PowerShell code to load a managed dll in memory. Port of the orignal PowerSploit script to Nim.
dynamic_shellcode_local_inject_bin.nim POC to locally inject shellcode recovered dynamically instead of hardcoding it in an array.
shellcode_callback_bin.nim Executes shellcode using Callback functions
shellcode_bin.nim Creates a suspended process and injects shellcode with VirtualAllocEx/CreateRemoteThread. Also demonstrates the usage of compile time definitions to detect arch, os etc..
shellcode_fiber.nim Shellcode execution via fibers
shellcode_inline_asm_bin.nim Executes shellcode using inline assembly
ssdt_dump.nim Simple SSDT retrieval using runtime function table from exception directory. Technique inspired from MDSEC article
syscalls_bin.nim Shows how to make direct system calls
execute_powershell_bin.nim Hosts the CLR & executes PowerShell through an un-managed runspace
passfilter_lib.nim Log password changes to a file by (ab)using a password complexity filter
minidump_bin.nim Creates a memory dump of lsass using MiniDumpWriteDump
http_request_bin.nim Demonstrates a couple of ways of making HTTP requests
execute_sct_bin.nim .sct file Execution via GetObject()
scriptcontrol_bin.nim Dynamically execute VBScript and JScript using the MSScriptControl COM object
excel_com_bin.nim Injects shellcode using the Excel COM object and Macros
keylogger_bin.nim Keylogger using SetWindowsHookEx
memfd_python_interpreter_bin.nim Use memfd_create syscall to load a binary into an anonymous file and execute it with execve syscall.
uuid_exec_bin.nim Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode.
unhookc.nim Unhooks ntdll.dll to evade EDR/AV hooks (embeds the C code template from ired.team)
unhook.nim Unhooks ntdll.dll to evade EDR/AV hooks (pure nim implementation)
taskbar_ewmi_bin.nim Uses Extra Window Memory Injection via Running Application property of TaskBar in order to execute the shellcode.
fork_dump_bin.nim (ab)uses Window's implementation of fork() and acquires a handle to a remote process using the PROCESS_CREATE_PROCESS access right. It then attempts to dump the forked processes memory using MiniDumpWriteDump()
ldap_query_bin.nim Perform LDAP queries via COM by using ADO's ADSI provider
sandbox_process_bin.nim This sandboxes a process by setting it's integrity level to Untrusted and strips important tokens. This can be used to "silently disable" a PPL process (e.g. AV/EDR)
list_remote_shares.nim Use NetShareEnum to list the share accessible by the current user
chrome_dump_bin.nim Read and decrypt cookies from Chrome's sqlite database
suspended_thread_injection.nim Shellcode execution via suspended thread injection
dns_exfiltrate.nim Simple DNS exfiltration via TXT record queries
rsrc_section_shellcode.nim Execute shellcode embedded in the .rsrc section of the binary
token_steal_cmd.nim Steal a token/impersonate and then run a command
anti_analysis_isdebuggerpresent.nim Simple anti-analysis that checks for a debugger
sandbox_domain_check.nim Simple sandbox evasion technique, that checks if computer is connected to domain or not
Hook.nim Offensive Hooking example for MessageBoxA

Examples that are a WIP

File Description
amsi_patch_2_bin.nim Patches AMSI out of the current process using a different method (WIP, help appreciated)
excel_4_com_bin.nim Injects shellcode using the Excel COM object and Excel 4 Macros (WIP)

Compiling the examples in this repo

This repository does not provide binaries, you're gonna have to compile them yourself. This repo was setup to cross-compile the example Nim source files to Windows from Linux or MacOS.

Easy Way (Recommended)

Use VSCode Devcontainers to automatically setup a development environment for you (See the Setting Up a Dev Environment section). Once that's done simply run make.

Hard way (For the bold)

Install Nim using your systems package manager (for Windows use the installer on the official website)

  • brew install nim
  • apt install nim
  • choco install nim

(Nim also provides a docker image on Dockerhub)

You should now have the nim & nimble commands available, the former is the Nim compiler and the latter is Nim's package manager.

Install the Mingw toolchain needed for cross-compilation to Windows (Not needed if you're compiling on Windows):

  • *nix: apt-get install mingw-w64
  • MacOS: brew install mingw-w64

Finally, install the magnificent Winim library, along with zippy and nimcrypto

  • nimble install winim zippy nimcrypto

Then cd into the root of this repository and run make.

You should find the binaries and dlls in the bin/ directory

Cross Compiling

See the cross-compilation section in the Nim compiler usage guide, for a lot more details.

Cross compiling to Windows from MacOs/*nix requires the mingw toolchain, usually a matter of just brew install mingw-w64 or apt install mingw-w64.

You then just have to pass the -d=mingw flag to the nim compiler.

E.g. nim c -d=mingw --app=console --cpu=amd64 source.nim

Interfacing with C/C++

See the insane FFI section in the Nim manual.

If you're familiar with csharps P/Invoke it's essentially the same concept albeit a looks a tad bit uglier:

Calling MessageBox example

type
    HANDLE* = int
    HWND* = HANDLE
    UINT* = int32
    LPCSTR* = cstring

proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): int32 
  {.discardable, stdcall, dynlib: "user32", importc: "MessageBoxA".}

MessageBox(0, "Hello, world !", "Nim is Powerful", 0)

For any complex Windows API calls use the Winim library, saves an insane amount of time and doesn't add too much to the executable size (see below) depending on how you import it.

Even has COM support!!!

Creating Windows DLLs with an exported DllMain

Big thanks to the person who posted this on the Nim forum.

The Nim compiler tries to create a DllMain function for you automatically at compile time whenever you tell it to create a windows DLL, however, it doesn't actually export it for some reason. In order to have an exported DllMain you need to pass --nomain and define a DllMain function yourself with the appropriate pragmas (stdcall, exportc, dynlib).

You need to also call NimMain from your DllMain to initialize Nim's garbage collector. (Very important, otherwise your computer will literally explode).

Example:

import winim/lean

proc NimMain() {.cdecl, importc.}

proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID) : BOOL {.stdcall, exportc, dynlib.} =
  NimMain()
  
  if fdwReason == DLL_PROCESS_ATTACH:
    MessageBox(0, "Hello, world !", "Nim is Powerful", 0)

  return true

To compile:

nim c -d=mingw --app=lib --nomain --cpu=amd64 mynim.dll

Creating XLLs

You can make an XLL (an Excel DLL, imagine that) with an auto open function that can be used for payload delivery. The following code creates a simple for an XLL that has an auto open function and all other boilerplate code needed to compile as a link library. The POC compiles as a DLL, you can then change the extension to .xll and it will open in Excel and run the payload when double clicked:

#[
    Compile:
        nim c -d=mingw --app=lib --nomain --cpu=amd64 nim_xll.nim
        
    Will compile as a DLL, you can then just change the extension to .xll
]#

import winim/lean

proc xlAutoOpen() {.stdcall, exportc, dynlib.} =
    MessageBox(0, "Hello, world !", "Nim is Powerful", 0)

proc NimMain() {.cdecl, importc.}

proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID) : BOOL {.stdcall, exportc, dynlib.} =
  NimMain()

  return true

There are many other sneaky things that can be done with XLLs. See more examples of XLL tradecraft here.

Optimizing executables for size

Taken from the Nim's FAQ page

For the biggest size decrease use the following flags -d:danger -d:strip --opt:size

Additionally, I've found you can squeeze a few more bytes out by passing --passc=-flto --passl=-flto to the compiler. Also take a look at the Makefile in this repo.

These flags decrease sizes dramatically: the shellcode injection example goes from 484.3 KB to 46.5 KB when cross-compiled from MacOSX!

Reflectively Loading Nim Executables

Huge thanks to @Shitsecure for figuring this out!

By default, Nim doesn't generate PE's with a relocation table which is needed by most tools that reflectively load EXE's.

To generate a Nim executable with a relocation section you need to pass a few additional flags to the linker.

Specifically: --passL:-Wl,--dynamicbase

Full example command:

nim c --passL:-Wl,--dynamicbase my_awesome_malwarez.nim

Executable size difference when using the Winim library vs without

Incredibly enough the size difference is pretty negligible. Especially when you apply the size optimizations outlined above.

The two examples pop_bin.nim and pop_winim_bin.nim were created for this purpose.

The former defines the MessageBox WinAPI call manually and the latter uses the Winim library (specifically winim/lean which is only the core SDK, see here), results:

byt3bl33d3r@ecl1ps3 OffensiveNim % ls -lah bin
-rwxr-xr-x  1 byt3bl33d3r  25K Nov 20 18:32 pop_bin_32.exe
-rwxr-xr-x  1 byt3bl33d3r  32K Nov 20 18:32 pop_bin_64.exe
-rwxr-xr-x  1 byt3bl33d3r  26K Nov 20 18:33 pop_winim_bin_32.exe
-rwxr-xr-x  1 byt3bl33d3r  34K Nov 20 18:32 pop_winim_bin_64.exe

If you import the entire Winim library with import winim/com it adds only around ~20ish KB which considering the amount of functionality it abstracts is 100% worth that extra size:

byt3bl33d3r@ecl1ps3 OffensiveNim % ls -lah bin
-rwxr-xr-x  1 byt3bl33d3r  42K Nov 20 19:20 pop_winim_bin_32.exe
-rwxr-xr-x  1 byt3bl33d3r  53K Nov 20 19:20 pop_winim_bin_64.exe

Opsec Considerations

Because of how Nim resolves DLLs dynamically using LoadLibrary using it's FFI none of your external imported functions will actually show up in the executables static imports (see this blog post for more on this):

If you compile Nim source to a DLL, seems like you'll always have an exported NimMain, no matter if you specify your own DllMain or not (??). This could potentially be used as a signature, don't know how many shops are actually using Nim in their development stack. Definitely stands out.

Converting C code to Nim

https://github.com/nim-lang/c2nim

Used it to translate a bunch of small C snippets, haven't tried anything major.

Language Bridges

Debugging

Use the repr() function in combination with echo, supports almost all (??) data types, even structs!

See this blog post for more

Setting up a dev environment

This repository supports VSCode Devcontainers which allows you to develop in a Docker container. This automates setting up a development environment for you.

  1. Install VSCode and Docker desktop
  2. Clone this repo and open it in VSCode
  3. Install the Visual Studio Code Remote - Containers extension
  4. Open the command pallete and select Remote-Containers: Reopen in Container command

VScode will now build the Docker image (will take a bit) and put you right into your pre-built Nim dev environment!

Pitfalls I found myself falling into

  • When calling winapi's with Winim and trying to pass a null value, make sure you pass the NULL value (defined within the Winim library) as supposed Nim's builtin nil value. (Ugh)

  • To get the OS handle to the created file after calling open() on Windows, you need to call f.getOsFileHandle() not f.getFileHandle() cause reasons.

  • The Nim compiler does accept arguments in the form -a=value or --arg=value even tho if you look at the usage it only has arguments passed as -a:value or --arg:value. (Important for Makefiles)

  • When defining a byte array, you also need to indicate at least in the first value that it's a byte array, bit weird but ok (https://forum.nim-lang.org/t/4322)

Byte array in C#:

byte[] buf = new byte[5] {0xfc,0x48,0x81,0xe4,0xf0,0xff}

Byte array in Nim:

var buf: array[5, byte] = [byte 0xfc,0x48,0x81,0xe4,0xf0,0xff]

Interesting Nim libraries

Nim for implant dev links

Contributors

Virtual hug to everyone who contributed ❤️

More Repositories

1

CrackMapExec

A swiss army knife for pentesting networks
Python
7,779
star
2

MITMf

Framework for Man-In-The-Middle attacks
Python
3,472
star
3

SILENTTRINITY

An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
Boo
2,054
star
4

DeathStar

Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
Python
1,520
star
5

SprayingToolkit

Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
Python
1,334
star
6

gcat

A PoC backdoor that uses Gmail as a C&C server
Python
1,302
star
7

ItWasAllADream

A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE
Python
725
star
8

WitnessMe

Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
Python
683
star
9

pth-toolkit

Modified version of the passing-the-hash tool collection made to work straight out of the box
Python
508
star
10

OffensiveDLR

Toolbox containing research notes & PoC code for weaponizing .NET's DLR
PowerShell
492
star
11

SpamChannel

Spoof emails from any of the +2 Million domains using MailChannels (DEFCON 31 Talk)
JavaScript
305
star
12

chrome-decrypter

Python script to decrypt saved Chrome usernames and passwords on windows
Python
265
star
13

arpspoof

Python clone of arpspoof that can poison hosts via arp-requests as well as arp-replies
Python
184
star
14

sslstrip2

A mirror of the original SSLstrip+ code by Leonardo Nve
Python
175
star
15

AnsiblePlaybooks

A collection of Ansible Playbooks that configure Kali to use Fish & install a number of tools
156
star
16

NimDllSideload

DLL sideloading/proxying with Nim!
Nim
144
star
17

duckhunter

Converts a USB Rubber ducky script into a Kali Nethunter friendly format for the HID attack
Python
117
star
18

Slides

Slides from various talks that I've given over the years
116
star
19

DHCPShock

Spoofs a DHCP server and exploits all clients vulnerable to the 'ShellShock' bug
Python
83
star
20

BOF-Nim

Cobalt Strike BOF Files with Nim!
Nim
79
star
21

BeEF-API

Python library that facilitates interfacing with BeEF via it's RESTful API
Python
76
star
22

webview_d3

Generate graphs with NetworkX, natively visualize with D3.js and pywebview
Python
69
star
23

Naga

A C# stager for SILENTTRINITY (https://github.com/byt3bl33d3r/SILENTTRINITY)
C#
62
star
24

Invoke-AutoIt

Loads the AutoIt DLL and PowerShell assemblies into memory and executes the specified keystrokes
PowerShell
59
star
25

wifi-graper

Automatically get internetz from access points that have MAC based filtering enabled
Python
53
star
26

toby

Recursively searches a directory for any file containing a specified string
Python
44
star
27

CME-PowerShell-Scripts

A collection of modifed PowerShell Scripts for CrackMapExec (https://github.com/byt3bl33d3r/CrackMapExec)
PowerShell
43
star
28

MemeGenerator

Modern problems require modern solutions
Python
31
star
29

pythoncookie

My Python Cookiecutter project template
Dockerfile
30
star
30

tailscalesd

Prometheus Service Discovery for Tailscale (Python Edition)
Python
23
star
31

SponsorMonitor

Monitor Github Sponsors and automatically add/remove them to/from a Github Organization Team.
Python
23
star
32

Kaliya

A cross-platform stager for SILENTTRINITY (https://github.com/byt3bl33d3r/SILENTTRINITY)
C#
23
star
33

cmd2powershell

Converts a command to a base64 powershell compatible string
Python
22
star
34

Utinni

An async Python client library for Empire's RESTful API
Python
21
star
35

MITMf-opt-plugins

Optional plugins for MITMf
Python
14
star
36

hookme

Automatically exported from code.google.com/p/hookme
C#
13
star
37

jamaal-re-tools

Automatically exported from code.google.com/p/jamaal-re-tools
HTML
12
star
38

byt3bl33d3r.github.io

Trying to take the dum-dum out of security
HTML
10
star
39

BOF-Zig

Cobalt Strike BOF with Zig!
C
9
star
40

byt3bl33d3r

Github Profile Readme
8
star
41

LocoCrack

A loco version of BozoCrack with some improvements (https://github.com/juuso/BozoCrack)
Python
8
star
42

sergio-proxy

Original Sergio-Proxy code written by Ben Schmidt (@_supernothing)
Python
7
star
43

externalip

Prometheus client that exposes your external IP address
Python
6
star
44

conky-gr33n

Conky config for everyone who likes a lot of green
Lua
4
star
45

conky-r3d

Conky config for everyone who likes a lot of red
Lua
2
star