https://github.com/byt3n33dl3/offensivenim

Weaponizing Nim, with the elegance of modern logic programming language. Nim can do that!?

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (10.8%) to scientific vocabulary

Keywords

c nim offensive
Last synced: 5 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: byt3n33dl3
  • License: bsd-3-clause
  • Language: Nim
  • Default Branch: main
  • Homepage:
  • Size: 48.8 KB
Statistics
  • Stars: 12
  • Watchers: 1
  • Forks: 1
  • Open Issues: 0
  • Releases: 0
Topics
c nim offensive
Created over 1 year ago · Last pushed over 1 year ago
Metadata Files
Readme License

README.md

OffensiveNimxxx

My experiments in weaponizing Nim for implant development and general offensive operations.

Why Nim?

  • Compiles directly to C, C++, Objective-C and JavaScript.
  • Since it doesn't rely on a VM/runtime, it does not produce what I like to call "T H I C C malwarez", as opposed to other languages (e.g. Golang).
  • Python-inspired syntax allows rapid native payload creation and prototyping.
  • Has extremely mature FFI (Foreign Function Interface) capabilities.
  • Avoids making you actually write in C/C++, and consequently avoids introducing a lot of the security issues those languages bring into your software.
  • Super easy cross-compilation to Windows from *nix/macOS: it only requires installing the mingw toolchain and passing a single flag to the Nim compiler.
  • The Nim compiler and the generated executables support all major platforms like Windows, Linux, BSD and macOS. It can even compile to Nintendo Switch, iOS and Android. See the cross-compilation section in the Nim compiler usage guide.
  • You could technically write both your implant and your C2 backend in Nim, since you can compile your code directly to JavaScript. It even has some initial support for WebAssembly.

Examples in this repo that work

| File | Description |
| --- | --- |
| pop_bin.nim | Call MessageBox WinApi without using the Winim library |
| popwinimbin.nim | Call MessageBox with the Winim library |
| popwinimlib.nim | Example of creating a Windows DLL with an exported DllMain |
| executeassemblybin.nim | Hosts the CLR, reflectively executes .NET assemblies from memory |
| clrhostcppembedbin.nim | Hosts the CLR by directly embedding C++ code, executes a .NET assembly from disk |
| scshellcembed_bin.nim | Shows how to quickly weaponize existing C code by embedding SCShell (C) directly within Nim |
| fltmc_bin.nim | Enumerates all Minifilter drivers |
| blockdllsacgppidspoofbin.nim | Creates a suspended process that spoofs its PPID to explorer.exe; also enables BlockDLLs and ACG |
| namedpipeclient_bin.nim | Named Pipe Client |
| namedpipeserver_bin.nim | Named Pipe Server |
| embedrsrcbin.nim | Embeds a resource (zip file) at compile time and extracts its contents at runtime |
| selfdeletebin.nim | A way to delete a locked or currently running executable on disk. Method discovered by @jonasLyk |
| encryptdecryptbin.nim | Encryption/decryption using AES256 (CTR mode) with the Nimcrypto library |
| amsipatchbin.nim | Patches AMSI out of the current process |
| amsiproviderpatchbin.nim | Patches the AMSI Provider DLL (in this case MpOav.dll) to bypass AMSI. Published here |
| etwpatchbin.nim | Patches ETW out of the current process (Contributed by ) |
| wmiquery_bin.nim | Queries running processes and installed AVs using WMI |
| outcompresseddll_bin.nim | Compresses, Base64-encodes and outputs PowerShell code to load a managed DLL in memory. Port of the original PowerSploit script to Nim |
| dynamicshellcodelocalinjectbin.nim | POC to locally inject shellcode recovered dynamically instead of hardcoding it in an array |
| shellcodecallbackbin.nim | Executes shellcode using callback functions |
| shellcode_bin.nim | Creates a suspended process and injects shellcode with VirtualAllocEx/CreateRemoteThread. Also demonstrates the usage of compile-time definitions to detect arch, OS, etc. |
| shellcode_fiber.nim | Shellcode execution via fibers |
| shellcodeinlineasm_bin.nim | Executes shellcode using inline assembly |
| ssdt_dump.nim | Simple SSDT retrieval using the runtime function table from the exception directory. Technique inspired by an MDSEC article |
| syscalls_bin.nim | Shows how to make direct system calls |
| executepowershellbin.nim | Hosts the CLR and executes PowerShell through an unmanaged runspace |
| passfilter_lib.nim | Logs password changes to a file by (ab)using a password complexity filter |
| minidump_bin.nim | Creates a memory dump of lsass using MiniDumpWriteDump |
| httprequestbin.nim | Demonstrates a couple of ways of making HTTP requests |
| executesctbin.nim | .sct file execution via GetObject() |
| scriptcontrol_bin.nim | Dynamically executes VBScript and JScript using the MSScriptControl COM object |
| excelcombin.nim | Injects shellcode using the Excel COM object and macros |
| keylogger_bin.nim | Keylogger using SetWindowsHookEx |
| memfdpythoninterpreter_bin.nim | Uses the memfd_create syscall to load a binary into an anonymous file and executes it with the execve syscall |
| uuidexecbin.nim | Plants shellcode from a UUID array into heap space and uses the EnumSystemLocalesA callback to execute the shellcode |
| unhookc.nim | Unhooks ntdll.dll to evade EDR/AV hooks (embeds the C code template from ired.team) |
| unhook.nim | Unhooks ntdll.dll to evade EDR/AV hooks (pure Nim implementation) |
| taskbarewmibin.nim | Uses Extra Window Memory Injection via the Running Application property of the taskbar to execute shellcode |
| forkdumpbin.nim | (ab)uses Windows' implementation of fork() and acquires a handle to a remote process using the PROCESS_CREATE_PROCESS access right. It then attempts to dump the forked process's memory using MiniDumpWriteDump() |
| ldapquerybin.nim | Performs LDAP queries via COM by using ADO's ADSI provider |
| sandboxprocessbin.nim | Sandboxes a process by setting its integrity level to Untrusted and stripping important tokens. This can be used to "silently disable" a PPL process (e.g. AV/EDR) |
| listremoteshares.nim | Uses NetShareEnum to list the shares accessible to the current user |
| chromedumpbin.nim | Reads and decrypts cookies from Chrome's SQLite database |
| suspendedthreadinjection.nim | Shellcode execution via suspended thread injection |
| dns_exfiltrate.nim | Simple DNS exfiltration via TXT record queries |
| rsrcsectionshellcode.nim | Executes shellcode embedded in the .rsrc section of the binary |
| tokenstealcmd.nim | Steals a token/impersonates it and then runs a command |
| antianalysisisdebuggerpresent.nim | Simple anti-analysis check that looks for a debugger |
| sandboxdomaincheck.nim | Simple sandbox evasion technique that checks whether the computer is joined to a domain |
| Hook.nim | Offensive hooking example for MessageBoxA |
| anti_debug.nim | Showcases two anti-debugging techniques |
| antidebugvia_tls.nim | Anti-debugging via TLS |
| localpeexecution.nim | Executes exe and dll files in memory |
| stackstringallocation.nim | Allocates C and wide strings on the stack using arrays |
| hardware_breakpoints.nim | Hooks functions using hardware breakpoints |

Thanks to byt3bl33d3r

Owner

  • Name: Sulaiman
  • Login: byt3n33dl3
  • Kind: user
  • Location: Error 403: Not on earth

I N F R A X 8 6

GitHub Events

Total
  • Watch event: 3
Last Year
  • Watch event: 3

Issues and Pull Requests

Last synced: 10 months ago

All Time
  • Total issues: 0
  • Total pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Total issue authors: 0
  • Total pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0