前記

隨便編寫一個c#調(diào)用winapi并用vs生成dll,同時用csc生成exe

using System;
using System.Runtime.InteropServices;
namespace coleak
{class winfun{[DllImport("User32.dll")]public static extern int MessageBox(IntPtr h, string m, string c, uint type);[DllImport("kernel32.dll", EntryPoint = "Beep")]public static extern bool mymethod(uint frequency, uint duration);}class Program{static void Main(string[] args){winfun winfun = new winfun();winfun.MessageBox((IntPtr)0, "yueyy", "coleak",(uint) 0);Random random = new Random();for (int i = 0; i < 10000; i++){winfun.mymethod((uint)random.Next(10000), 100);}Console.ReadLine();}}
}
/*BOOL Beep(
DWORD dwFreq,
DWORD dwDuration
);
int MessageBox([in, optional] HWND hWnd,[in, optional] LPCTSTR lpText,[in, optional] LPCTSTR lpCaption,[in] UINT uType
);*/

優(yōu)點：隱藏導(dǎo)入表，僅存在mscoree.dll

缺點：在dnspy下均直接出源碼

nim攻防基礎(chǔ)

為了更加OPSEC，考慮使用nim代替c#核心部分，nim防止反編譯同時也不暴露導(dǎo)入函數(shù)

FFI

proc MessageBoxA*(hWnd: int, lpText: cstring, lpCaption: cstring, uType: int32): int32 {.discardable, dynlib: "user32", importc.}
MessageBoxA(0, "Hello, world !", "MessageBox Example", 0)proc WinExec*(lpCmdLine:cstring,uCmdShow:int32): int32 {.discardable,dynlib:"kernel32",importc.}
WinExec("calc.exe",0)proc printf(format: cstring): cint {.importc, varargs,discardable.}#discardable忽略返回值否則報錯
printf("My name is %s and I am %d years old!\n", "coleak", 20)proc mycmp(a, b: cstring): cint {.importc: "strcmp", nodecl.} #=proc strcmp(a, b: cstring): cint {.importc, nodecl.}
let cmp = strcmp("Easy!", "Easy!")
echo cmp

嵌入c

when not defined(c):{.error: "Must be compiled in c mode"}
{.emit: """
#include <stdio.h>
int Test() {char name[100]={0};scanf("%s",name);printf("嵌入成功,%s",name);return 0;} // end main 
""".}proc Test(): int{.importc: "Test", nodecl,discardable.}
when isMainModule:discard Test()

內(nèi)存加載

讀取字節(jié)流

import os
var buf: array[4096,byte]
var f: File
f = open(r"D:\c_project\nim\test.exe")
discard readBytes(f, buf,0,4096)
f.close()
echo buf

c.exe>aaa.txt

import winim/clr
import sugar
import os
var buf: array[4096,byte]
buf = [77, 90, ..., 0]
var assembly = load(buf)
var arr = toCLRVariant(commandLineParams(), VT_BSTR)
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

c#雖然沒有暴露導(dǎo)入信息，但是在hxd下會暴露字符串信息，因此在 Nim 編譯的可執(zhí)行文件中檢測 .NET 程序集仍然很容易，還可以用hxd輕松搜到nim加載的程序集中存在的user32.dll字符信息和exe關(guān)鍵詞

加解密、編碼

base64

import base64
import os
import strformat
func toByteSeq*(str: string): seq[byte] {.inline.} =# Converts a string to the corresponding byte sequence@(str.toOpenArrayByte(0, str.high))
let inFile: string = paramStr(1)
let inFileContents: string = readFile(inFile)
# To load this .NET assembly we need a byte array or sequence
var bytesequence: seq[byte] = toByteSeq(inFileContents)
let encoded = encode(bytesequence)
echo fmt"[*] Encoded: {encoded}"

import base64
import os
import strformat
import winim/clr
import sugar
import os
func toByteSeq*(str: string): seq[byte] {.inline.} =# Converts a string to the corresponding byte sequence@(str.toOpenArrayByte(0, str.high))
let encoded = r"TVqQAAMAAAAEAAAA//8...AAA=="
let decoded = decode(encoded)
let mys=toByteSeq(decoded)
var assembly = load(mys)
var arr = toCLRVariant(commandLineParams(), VT_BSTR)
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

可以換成別的方式加密.NET 程序集，用于運行時解密

后記

C#類型轉(zhuǎn)換表

Windows	C#
BOOL	int
BOOLEAN	byte
BYTE	byte
UCHAR	byte
UINT8	byte
CCHAR	byte
CHAR	sbyte
CHAR	sbyte
INT8	sbyte
CSHORT	short
INT16	short
SHORT	short
ATOM	ushort
UINT16	ushort
USHORT	ushort
WORD	ushort
INT	int
INT32	int
LONG	int
LONG32	int
CLONG	uint
DWORD	uint
DWORD32	uint
UINT	uint
UINT32	uint
ULONG	uint
ULONG32	uint
INT64	long
LARGE_INTEGER	long
LONG64	long
LONGLONG	long
QWORD	long
DWORD64	ulong
UINT64	ulong
ULONG64	ulong
ULONGLONG	ulong
ULARGE_INTEGER	ulong
HRESULT	int
NTSTATUS	int

nim基礎(chǔ)

語法速記

一、分支允許使用逗號分隔的值列表

let name = readLine(stdin)
case name
of "":echo "Poor soul, you lost your name?"
of "name":echo "Very funny, your name is name."
of "Dave", "Frank":echo "Cool name!"
else:echo "Hi, ", name, "!"

二、of全覆蓋

from strutils import parseInt
echo "A number please: "
let n = parseInt(readLine(stdin))
case n
of 0..2, 4..7: echo "The number is in the set: {0, 1, 2, 4, 5, 6, 7}"
of 3, 8: echo "The number is 3 or 8"
else: discard

三、迭代器

echo "Counting down from 10 to 1: "
for i in countup(1, 5):echo i
for i in countdown(6, 2):echo i
for i in 10..19:echo i
for i in 1..<19:echo i

四、塊語句

block myblock:echo "entering block"while true:echo "looping"break # 跳出循環(huán),但不跳出塊echo "still in block"block myblock2:echo "entering block"while true:echo "looping"break myblock2 # 跳出塊 (和循環(huán))echo "still in block"

五、縮進原則

# 單個賦值語句不需要縮進:
if x: x = false# 嵌套if語句需要縮進:
if x:if y:y = falseelse:y = true# 需要縮進, 因為條件后有兩個語句：
if x:x = falsey = false

六、函數(shù)

proc yes(question: string): bool =echo question, " (y/n)"while true:case readLine(stdin)of "y", "Y", "yes", "Yes": return trueof "n", "N", "no", "No": return falseelse: echo "Please be clear: yes or no"if yes("Should I delete all your important files?"):echo "I'm sorry , I'm afraid I can't do that."
else:echo "I think you know what the problem is just as well as I do."proc add(a:int,b:int):int=return a+becho add(1,89)proc sumTillNegative(x: varargs[int]): int =for i in x:if i < 0:returnresult = result + iecho sumTillNegative() # echos 0
echo sumTillNegative(3, 4, 5) # echos 12

函數(shù)定義格式看起來很繁瑣，返回值類型放在: bool =

result 總在過程的結(jié)尾自動返回如果退出時沒有 return語句

七、傳實參

proc divmod(a, b: int; res: var int,remainder:var int) =res = a div b        # 整除remainder = a mod b  # 整數(shù)取模操作var x, y=111divmod(8, 5, x, y) # 修改x和y
echo x
echo y

傳遞實參用var修飾

八、忽略返回值discard

proc p(x, y: int): int {.discardable.} =return x + yvar c:int
c=p(3, 4) # now valid
echo c
p(3, 4)

九、數(shù)組初始化

typeIntArray = array[0..7, int] # 一個索引為0..7的數(shù)組QuickArray = array[6, int]  # 一個索引為0..5的數(shù)組
varx: IntArray
x = [1, 5, 3, 4, 5, 77,9,8]
for i in low(x)..high(x):echo x[i]
for i in x:echo ifor i, v in @[3, 7, 5]:echo "index: ", $i, ", value:", $v
# --> index: 0, value:3
# --> index: 1, value:4
# --> index: 2, value:5

十、結(jié)構(gòu)體

typePerson = objectname: stringage: intvar person1 = Person(name: "Peter", age: 30)echo person1.name # "Peter"
echo person1.age  # 30var person2 = person1 # 復(fù)制person 1

十一、讀寫文件

#字節(jié)流
import os
var buf: array[100,byte]
var f: File
f = open("D:\\c_project\\nim\\d.exe")
discard readBytes(f, buf,0,9)
f.close()
echo buf#文本文件
var file:File
file = open(r"D:\c_project\nim\d.txt")
echo file.readAll()
file.close()let text = "Cats are very cool!"
writeFile("cats.txt", text)

十二、絕對路徑默認目錄為shell路徑