Added embed_rsrc_bin.nim

byt3bl33d3r · byt3bl33d3r · commit 983297f23938 · 2021-04-12T03:01:50.000-06:00
diff --git a/README.md b/README.md
@@ -53,6 +53,7 @@ My experiments in weaponizing [Nim](https://nim-lang.org/) for implant developme
 | [blockdlls_acg_ppid_spoof_bin.nim](../master/src/blockdlls_acg_ppid_spoof_bin.nim) | Creates a suspended process that spoofs its PPID to explorer.exe, also enables BlockDLLs and ACG |
 | [named_pipe_client_bin.nim](../master/src/named_pipe_client_bin.nim) | Named Pipe Client |
 | [named_pipe_server_bin.nim](../master/src/named_pipe_server_bin.nim) | Named Pipe Server |
+| [embed_rsrc_bin.nim](../master/src/embed_rsrc_bin.nim) | Embeds a resource (zip file) at compile time and extracts contents at runtime |
 | [self_delete_bin.nim](../master/src/self_delete_bin.nim) | A way to delete a locked or current running executable on disk. Method discovered by [@jonasLyk](https://twitter.com/jonasLyk/status/1350401461985955840) |
 | [encrypt_decrypt_bin.nim](../master/src/encrypt_decrypt_bin.nim) | Encryption/Decryption using AES256 (CTR Mode) using the [Nimcrypto](https://github.com/cheatfate/nimcrypto) library |
 | [amsi_patch_bin.nim](../master/src/amsi_patch_bin.nim) | Patches AMSI out of the current process |
diff --git a/rsrc/super_secret_stuff.zip b/rsrc/super_secret_stuff.zip
diff --git a/src/embed_rsrc_bin.nim b/src/embed_rsrc_bin.nim
@@ -0,0 +1,27 @@
+#[
+    Author: Marcello Salvati, Twitter: @byt3bl33d3r
+    License: BSD 3-Clause
+]#
+
+import zippy/ziparchives
+import strformat
+import streams
+import os
+
+const MY_RESOURCE = slurp("../rsrc/super_secret_stuff.zip")
+
+let path: string = getEnv("LOCALAPPDATA") / "Temp"
+
+proc extractStuff(): bool =
+    var archive = ZipArchive()
+    let dataStream = newStringStream(MY_RESOURCE)
+
+    archive.open(dataStream)
+    archive.extractAll(path)
+    archive.clear()
+
+    return true
+
+echo fmt"[*] Path to extract to: {path}"
+if extractStuff():
+    echo fmt"[*] extracted"
