itaymigdal / PartyLoader

Threadless shellcode injection tool
MIT License

Feature request nimless nim #1

Open shrek3n opened 1 month ago

shrek3n commented 1 month ago

Love the tool and I am a big fan of using the thread pool injection method. I do however see that the common theme of using Nim is that it's being detected by AV at the Nim runtime. A really good talk about this was done at BSidesKC, and it would be cool to implement this as it does circumvent the severity of, and in some cases all, AV detection. I firmly believe all the other functions you have will prove to be evasive against top-tier EDRs.

https://www.youtube.com/watch?v=EXX3HmCG3pw

https://github.com/m4ul3r/writing_nimless

itaymigdal commented 1 month ago

Glad to hear that you like the tool and find it useful. I did not know the tool/technique you shared, I'll check this out and maybe will implement here and in my other projects. Thanks for your feedback and for letting me know 🤟

m4ul3r commented 4 weeks ago

@shrek3n @itaymigdal I just noticed this.

I recently ported all of the variants over to Nim on my repo: https://github.com/m4ul3r/malware/tree/main/nim/thread_pool_injection

I can get around to porting it over to nimless - should be straight forward for me

One issue being this is reflective, and I haven't found a way to write nimless Nim for DLL files, so I can tackle that first.

m4ul3r commented 4 weeks ago

Will have to clean up quite a few things, but it should be possible.

Edit: I have it cleaned up and will work on pushing an example for it, although it has some manual intervention that could be automated.

itaymigdal commented 4 weeks ago

@m4ul3r Really cool work 🙌. BTW, I tried to implement remote stomping here (using the poolparty technique), still no success.

m4ul3r commented 4 weeks ago

@itaymigdal I can give remote stomping for the PoolParty technique a shot when I get a chance. I'm sure you saw my port of it; I think it's pretty robust in the usage and pretty portable (imo).

For an example of how portable it might be.. Check out this branch - It's a work in progress at the moment: https://github.com/m4ul3r/writing_nimless/tree/nimless_dll/src/0x12%20-%20nimless_DLL

I've got a working DLL (tested with rundll32), and Pool Party Worker Factory Start Routine working in an executable.


itaymigdal commented 4 weeks ago

@m4ul3r port of what? not sure. You have a lot of stuff going on there, I'm following :)

m4ul3r commented 4 weeks ago

@itaymigdal port of pool party here: https://github.com/m4ul3r/malware/tree/main/nim/thread_pool_injection

I followed Urien's code and it's very abstracted: just import nimpool and the type of variant to call.

When you mentioned remote stomping, do you mean function or module?

Feel free to message me on twitter and we can talk more or on discord.

itaymigdal commented 4 weeks ago

@m4ul3r I tried to reach you already on Twitter and couldn't (so we discussed in the comments of your post). Can you email me? itaymigdal9@gmail.com LinkedIn is also an option (look at my GitHub profile). Regarding your questions, yes I saw briefly your implementation, looks really cool, haven't played with that yet. I tried to do remote function stomping, I played around a bit, and maybe I was close, but it was not successful. I have very short time to play around at the late evenings, so I haven't progressed a lot.

m4ul3r commented 4 weeks ago

@itaymigdal I'm not sure if this is what you had in mind or not, but I've thrown one together (copy and paste) https://github.com/m4ul3r/malware/blob/main/nim/thread_pool_injection/examples/remote_function_stomping.nim

I think my Twitter DMs were closed to non-followers, but they should be open now.