BOF-Nim

oh yeah baby

I have an inkling it's possible, right now the problem seems to be getting the go function to be present in the Symbol table. No clue how to do this with the Nim compiler (yet).

Help welcome!~

Objectdump output from normal BOF compiled with x86_64-w64-mingw32-gcc:

hello.o:	file format COFF-x86-64

architecture: x86_64
start address: 0x0000000000000000

Export Table:
Sections:
Idx Name          Size     VMA              Type
  0 .text         00000030 0000000000000000 TEXT
  1 .data         00000000 0000000000000000 DATA
  2 .bss          00000000 0000000000000000 BSS
  3 .rdata        00000010 0000000000000000 DATA
  4 .xdata        0000000c 0000000000000000 DATA
  5 .pdata        0000000c 0000000000000000 DATA
  6 .rdata$zzz    00000020 0000000000000000 DATA

SYMBOL TABLE:
[ 0](sec -2)(fl 0x00)(ty   0)(scl  67) (nx 1) 0x00000000 .file
AUX hello.c
[ 2](sec  1)(fl 0x00)(ty  20)(scl   2) (nx 1) 0x00000000 go
AUX Unknown
[ 4](sec  1)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .text
AUX scnlen 0x2f nreloc 2 nlnno 0 checksum 0x0 assoc 0 comdat 0
[ 6](sec  2)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .data
AUX scnlen 0x0 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[ 8](sec  3)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .bss
AUX scnlen 0x0 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[10](sec  4)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .rdata
AUX scnlen 0x10 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[12](sec  5)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .xdata
AUX scnlen 0xc nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[14](sec  6)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .pdata
AUX scnlen 0xc nreloc 3 nlnno 0 checksum 0x0 assoc 0 comdat 0
[16](sec  7)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .rdata$zzz
AUX scnlen 0x12 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[18](sec  0)(fl 0x00)(ty   0)(scl   2) (nx 0) 0x00000000 __imp_BeaconPrintf
RELOCATION RECORDS FOR [.text]:
0000000000000016 IMAGE_REL_AMD64_REL32 .rdata
0000000000000022 IMAGE_REL_AMD64_REL32 __imp_BeaconPrintf

RELOCATION RECORDS FOR [.pdata]:
0000000000000000 IMAGE_REL_AMD64_ADDR32NB .text
0000000000000004 IMAGE_REL_AMD64_ADDR32NB .text
0000000000000008 IMAGE_REL_AMD64_ADDR32NB .xdata

I used the following flags to compile hello.nim:

nim c --noLinking=on -d=danger -d=mingw -d=strip --passc=-flto --passl=-flto --opt=size --cpu=amd64 --out=hello.o hello.nim

You'll find the COFF file in your Nim cache folder as the compiler won't move it to your current folder automatically.

Object Dump output:

/Users/byt3bl33d3r/.cache/nim/hello_r/@mhello.nim.c.o:	file format COFF-x86-64

architecture: x86_64
start address: 0x0000000000000000

Export Table:
Sections:
Idx Name                                       Size     VMA              Type
  0 .text                                      00000000 0000000000000000 TEXT
  1 .data                                      00000000 0000000000000000 DATA
  2 .bss                                       00000000 0000000000000000 BSS
  3 .gnu.lto_.profile.e5a1d272ef3bfa6d         00000010 0000000000000000 DATA
  4 .gnu.lto_.icf.e5a1d272ef3bfa6d             0000003c 0000000000000000 DATA
  5 .gnu.lto_.jmpfuncs.e5a1d272ef3bfa6d        0000005f 0000000000000000 DATA
  6 .gnu.lto_.ipa_sra.e5a1d272ef3bfa6d         00000024 0000000000000000 DATA
  7 .gnu.lto_.inline.e5a1d272ef3bfa6d          00000069 0000000000000000 DATA
  8 .gnu.lto_.pureconst.e5a1d272ef3bfa6d       0000001f 0000000000000000 DATA
  9 .gnu.lto_.lto.e5a1d272ef3bfa6d             00000008 0000000000000000 DATA
 10 .gnu.lto_PreMainInner.2.e5a1d272ef3bfa6d   000000ef 0000000000000000 DATA
 11 .gnu.lto_PreMain.6.e5a1d272ef3bfa6d        000001da 0000000000000000 DATA
 12 .gnu.lto_NimMainInner.7.e5a1d272ef3bfa6d   000000ca 0000000000000000 DATA
 13 .gnu.lto_NimMain.8.e5a1d272ef3bfa6d        000001c7 0000000000000000 DATA
 14 .gnu.lto_main.9.e5a1d272ef3bfa6d           00000250 0000000000000000 DATA
 15 .gnu.lto_NimMainModule.10.e5a1d272ef3bfa6d 000000ca 0000000000000000 DATA
 16 .gnu.lto_.symbol_nodes.e5a1d272ef3bfa6d    000000a9 0000000000000000 DATA
 17 .gnu.lto_.refs.e5a1d272ef3bfa6d            00000025 0000000000000000 DATA
 18 .gnu.lto_.decls.e5a1d272ef3bfa6d           00000770 0000000000000000 DATA
 19 .gnu.lto_.symtab.e5a1d272ef3bfa6d          000001a0 0000000000000000 DATA
 20 .gnu.lto_.ext_symtab.e5a1d272ef3bfa6d      0000001f 0000000000000000 DATA
 21 .gnu.lto_.opts                             0000008b 0000000000000000 DATA

SYMBOL TABLE:
[ 0](sec -2)(fl 0x00)(ty   0)(scl  67) (nx 1) 0x00000000 .file
AUX @mhello.nim.c
[ 2](sec  1)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .text
AUX scnlen 0x0 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[ 4](sec  2)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .data
AUX scnlen 0x0 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[ 6](sec  3)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .bss
AUX scnlen 0x0 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[ 8](sec  4)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.profile.e5a1d272ef3bfa6d
AUX scnlen 0x10 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[10](sec  5)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.icf.e5a1d272ef3bfa6d
AUX scnlen 0x3c nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[12](sec  6)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.jmpfuncs.e5a1d272ef3bfa6d
AUX scnlen 0x5f nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[14](sec  7)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.ipa_sra.e5a1d272ef3bfa6d
AUX scnlen 0x24 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[16](sec  8)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.inline.e5a1d272ef3bfa6d
AUX scnlen 0x69 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[18](sec  9)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.pureconst.e5a1d272ef3bfa6d
AUX scnlen 0x1f nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[20](sec 10)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.lto.e5a1d272ef3bfa6d
AUX scnlen 0x8 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[22](sec 11)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_PreMainInner.2.e5a1d272ef3bfa6d
AUX scnlen 0xef nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[24](sec 12)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_PreMain.6.e5a1d272ef3bfa6d
AUX scnlen 0x1da nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[26](sec 13)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_NimMainInner.7.e5a1d272ef3bfa6d
AUX scnlen 0xca nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[28](sec 14)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_NimMain.8.e5a1d272ef3bfa6d
AUX scnlen 0x1c7 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[30](sec 15)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_main.9.e5a1d272ef3bfa6d
AUX scnlen 0x250 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[32](sec 16)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_NimMainModule.10.e5a1d272ef3bfa6d
AUX scnlen 0xca nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[34](sec 17)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.symbol_nodes.e5a1d272ef3bfa6d
AUX scnlen 0xa9 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[36](sec 18)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.refs.e5a1d272ef3bfa6d
AUX scnlen 0x25 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[38](sec 19)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.decls.e5a1d272ef3bfa6d
AUX scnlen 0x770 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[40](sec 20)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.symtab.e5a1d272ef3bfa6d
AUX scnlen 0x1a0 nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[42](sec 21)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.ext_symtab.e5a1d272ef3bfa6d
AUX scnlen 0x1f nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[44](sec 22)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .gnu.lto_.opts
AUX scnlen 0x8b nreloc 0 nlnno 0 checksum 0x0 assoc 0 comdat 0
[46](sec  0)(fl 0x00)(ty   0)(scl   2) (nx 0) 0x00000001 __gnu_lto_slim

Output from Cobalt Strike when running the Nim BOF:

Load Aseprite files for animated sprites in raylib.

raylib-aseprite Load Aseprite .aseprite files for animated sprites in raylib. Features Load Aseprite files directly for use in raylib Draw individual

30 Dec 20, 2022

Disassembling .class files

jvmdisassembler Contribution You can contribute by creating an issue or pull request. Please keep the code clean and readable. All contributed code mu

6 Jun 20, 2022

This is a collection of tools for creating and manipulating BitTorrent v2 torrent files

torrent tools This is a collection of tools for creating and manipulating BitTorrent v2 torrent files. torrent-new can create hybrid torrents, but the

9 Nov 12, 2022

Atomically exchange two files in Linux

Atomically exchange two files in Linux.

9 Aug 4, 2022

RapidObj is an easy-to-use, single-header C++17 library that loads and parses Wavefront .obj files.

RapidObj About Integration Prerequisites Manual Integration CMake Integration API RapidObj Result Next Steps OS Support Third Party Tools and Resource

108 Jan 2, 2023

libnpy is a simple C++ library for reading and writing of numpy's .npy files.

C++ library for reading and writing of numpy's .npy files

203 Dec 30, 2022

A combined suite of utilities for manipulating binary data files.

BinaryTools A combined suite of utilities for manipulating binary data files. It was developed for use on Windows but might compile on other systems.

6 Oct 1, 2022

A tool for Pikmin 1 model files

MODConv A Pikmin 1 model format converter Functionality NOTE: these are not command-line parameters, the program has a built-in input parser load (inp

4 Oct 20, 2021

Authenticode Hash Calculator for PE32/PE32+ files

AuthHashCalc Authenticode Hash Calculator for PE32/PE32+ files System Requirements x86/x64 Windows 7/8/8.1/10/11 Administrative privilges are not requ