a very rough work-in-progress adventure into learning nim by cobbling resources together to create a shellcode loader that implements common EDR/AV evasion techniques.
This is a mess and is for research purposes only! Please don’t expect it to compile and run without your own modifications.
- Replace the byte array in
loader.nimwith your own x64 shellcode
- Compile the EXE and run it:
nim c -d:danger -d:strip --opt:size "loader.nim"
- Probably adjust which process you want to inject into by looking in the .nim files of the injection folder method you’re using…
- Direct syscalls dynamically resolved from NTDLL (Thanks @ShitSecure)
- AMSI and ETW patching (Thanks @byt3bl33d3r)
- NTDLL unhooking (Thanks @MrUn1k0d3r)
- CreateRemoteThread injection (Thanks @byt3bl33d3r, @ShitSecure)
- Consider using denim by @LittleJoeTables for obfuscator-llvm nim compilation support!
References & Inspiration
- OffensiveNim by Marcello Salvati (@byt3bl33d3r)
- NimlineWhispers2 by Alfie Champion (@ajpc500)
- SysWhispers3 by klezVirus (@KlezVirus)
- NimPackt-v1 by Cas van Cooten (@chvancooten)
- unhook_bof.c by Mr. Un1k0d3r (@MrUn1k0d3r)
- NimGetSyscallStub by S3cur3Th1sSh1t (@ShitSecure)
- NimHollow by snovvcrash (@snovvcrash)
Source : KitPloit – PenTest Tools!