a really tough work-in-progress journey into studying nim by cobbling sources collectively to create a shellcode loader that implements widespread EDR/AV evasion strategies.
This can be a mess and is for analysis functions solely! Please do not count on it to compile and run with out your individual modifications.
Directions
- Exchange the byte array in
loader.nimwith your individual x64 shellcode - Compile the EXE and run it:
nim c -d:hazard -d:strip --opt:dimension "loader.nim" - In all probability alter which course of you wish to inject into by trying within the .nim information of the injection folder methodology you are utilizing…
Accomplished Options
- Direct syscalls dynamically resolved from NTDLL (Thanks @ShitSecure)
- AMSI and ETW patching (Thanks @byt3bl33d3r)
- NTDLL unhooking (Thanks @MrUn1k0d3r)
- CreateRemoteThread injection (Thanks @byt3bl33d3r, @ShitSecure)
WIP Options
Obfuscation
- Think about using denim by @LittleJoeTables for obfuscator-llvm nim compilation help!
References & Inspiration
- OffensiveNim by Marcello Salvati (@byt3bl33d3r)
- NimlineWhispers2 by Alfie Champion (@ajpc500)
- SysWhispers3 by klezVirus (@KlezVirus)
- NimPackt-v1 by Cas van Cooten (@chvancooten)
- unhook_bof.c by Mr. Un1k0d3r (@MrUn1k0d3r)
- NimGetSyscallStub by S3cur3Th1sSh1t (@ShitSecure)
- NimHollow by snovvcrash (@snovvcrash)
Examples
