Nim on the Attack: Process Injection Using Nim and the Windows API

77 points| sunnyP | 4 years ago |huskyhacks.dev

20 comments

auxym|4 years ago

Interesting to see Nim used here. I participate a bit in its community because it's a fun language, but I had not yet heard that it was used in opsec circles.

Const-me|4 years ago

I wonder why people are writing shellcode for that?

When I need to inject my code into another process, I write a DLL and only inject a LoadLibrary function call. Much more reliable this way: the OS applies the relocation table, I have the C and C++ runtimes in the injected code, the result is compatible with ASLR, if my DLL has other DLL dependencies the OS will load them first, etc.

dataflow|4 years ago

One reason (not the only one) is if you write a DLL then you need an EXE to be able to spawn it on-demand. That results in 2 files to deal with which is rather inconvenient. Actually 3 files if you want to be both x64- and x86-compatible.

jbluepolarbear|4 years ago

How do you account for the DLL checksum? Every C++ app I’ve worked on that relies on a DLL would checksum the DLL against a list of acceptable versions. If the checksum failed, the DLL wasn’t loaded and the app would close.

Alekhine|4 years ago

What exactly do you mean by compatible with ASLR? And would you mind going into a little detail on how injecting a DLL works, compared to what's being done here?

Sorry to bother, just very interested in this stuff!

kcartlidge|4 years ago

I followed the link to the Nim site and downloaded the official 64 bit version.

Windows Defender (Win10) reports a severe threat in nim-1.4.8\bin\vccexe.exe - Trojan:Win32/Wacatac.B!ml - which allows remote code execution.

It may be a false positive - but the whole post is about exploits so I'll probably not risk it.

HuskyHacks|4 years ago

Hey, OP here! Sorry about Defender flagging on this. I'm putting it through some tests and will tweet the Nim devs to see why this is an issue. I've used Nim for a while now and never had any problems. And from some light googling, it looks like this is a known false positive issue. In any case, apologies for the scare!