
Feature request nimless nim

Open shrek3n opened this issue 1 year ago • 9 comments

Love the tool and I am a big fan of using the thread pool injection method. I do however see that the common theme of using Nim is that it's being detected by AV at the Nim runtime. A really good talk about this was done at BSIDESKC and it would be cool to implement this, as it does circumvent the severity and in some cases all AV detection. I firmly believe all the other functions you have will prove to be evasive against top tier EDRs.

https://www.youtube.com/watch?v=EXX3HmCG3pw

https://github.com/m4ul3r/writing_nimless

shrek3n avatar May 11 '24 18:05 shrek3n

Glad to hear that you like the tool and find it useful. I did not know the tool/technique you shared, I'll check this out and maybe will implement here and in my other projects. Thanks for your feedback and for letting me know 🤟

itaymigdal avatar May 11 '24 18:05 itaymigdal

@shrek3n @itaymigdal I just noticed this.

I recently ported all of the variants over to Nim on my repo: https://github.com/m4ul3r/malware/tree/main/nim/thread_pool_injection

I can get around to porting it over to nimless - should be straightforward for me.

One issue being this is reflective, and I haven't found a way to write nimless Nim for DLL files - so I can tackle that first.

m4ul3r avatar May 19 '24 22:05 m4ul3r

Will have to clean up quite a few things, but it should be possible.

Edit: I have it cleaned up and will work on pushing an example for it - although it has some manual intervention that could be automated.

m4ul3r avatar May 19 '24 23:05 m4ul3r

@m4ul3r Really cool work 🙌. BTW, I tried to implement remote stomping here (using the poolparty technique), still no success.

itaymigdal avatar May 20 '24 04:05 itaymigdal

@itaymigdal I can give a shot at remote stomping for the poolparty technique when I get a chance. I'm sure you saw my port of it; I think it's pretty robust in the usage and pretty portable (imo).

For an example of how portable it might be, check out this branch - it's a work in progress at the moment: https://github.com/m4ul3r/writing_nimless/tree/nimless_dll/src/0x12%20-%20nimless_DLL

I've got a working DLL (tested with rundll32), and Pool Party Worker Factory Start Routine working in an executable.


m4ul3r avatar May 20 '24 04:05 m4ul3r

@m4ul3r Port of what? Not sure. You have a lot of stuff going on there, I'm following :)

itaymigdal avatar May 20 '24 05:05 itaymigdal

@itaymigdal Port of pool party here: https://github.com/m4ul3r/malware/tree/main/nim/thread_pool_injection

I followed Urien's code and it's very abstracted: just import nimpool and the type of variant to call.

When you mentioned remote stomping, do you mean function or module?

Feel free to message me on Twitter or on Discord and we can talk more.

m4ul3r avatar May 20 '24 06:05 m4ul3r

@m4ul3r I tried to reach you already on Twitter and couldn't (so we discussed in the comments of your post). Can you email me? [email protected] LinkedIn is also an option (look at my GitHub profile). Regarding your questions, yes, I saw your implementation briefly, looks really cool, haven't played with that yet. I tried to do remote function stomping, I played around a bit, and maybe I was close, but it was not successful. I have very little time to play around in the late evenings, so I haven't progressed a lot.

itaymigdal avatar May 20 '24 06:05 itaymigdal

@itaymigdal I'm not sure if this is what you had in mind or not, but I've thrown one together (copy and paste): https://github.com/m4ul3r/malware/blob/main/nim/thread_pool_injection/examples/remote_function_stomping.nim

I think my Twitter DMs were closed to non-followers, but they should be open now.

m4ul3r avatar May 20 '24 06:05 m4ul3r