• Stars
    star
    253
  • Rank 160,776 (Top 4 %)
  • Language
    Nim
  • License
    BSD 3-Clause "New...
  • Created almost 3 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Nim implementation of reflective PE-Loading from memory

Nim-RunPE

A Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory - which I ported to Nim.

You'll need to install the following dependencies:

nimble install ptr_math winim

I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errors when using another version.

Compile

If you want to pass arguments on runtime or don't want to pass arguments at all compile via:

nim c NimRunPE.nim

If you want to hardcode custom arguments modify const exeArgs to your needs and compile with:

nim c -d:args NimRunPE.nim - this was contributed by @glynx, thanks! 😎

More Information

The technique itself it pretty old, but I didn't find a Nim implementation yet. So this has changed now. :)

alt text

If you plan to load e.g. Mimikatz with this technique - make sure to compile a version from source on your own, as the release binaries don't accept arguments after being loaded reflectively by this loader. Why? I really don't know it's strange but a fact. If you compile on your own it will still work:

alt text

My private Packer is also weaponized with this technique - but all Win32 functions are replaced with Syscalls there. That makes the technique stealthier.

More Repositories

1

WinPwn

Automation for internal Windows Penetrationtest / AD-Security
PowerShell
3,153
star
2

Pentest-Tools

2,063
star
3

Amsi-Bypass-Powershell

This repo contains some Amsi Bypass methods i found on different Blog Posts.
1,465
star
4

PowerSharpPack

PowerShell
1,380
star
5

OffensiveVBA

This repo covers some code execution and AV Evasion methods for Macros in Office documents
VBA
1,131
star
6

Creds

Some usefull Scripts and Executables for Pentest & Forensics
PowerShell
1,007
star
7

MultiPotato

C++
493
star
8

SharpImpersonation

A User Impersonation tool - via Token or Shellcode injection
C#
391
star
9

Invoke-SharpLoader

PowerShell
333
star
10

Caro-Kann

Encrypted shellcode Injection to avoid Kernel triggered memory scans
C
294
star
11

Ruy-Lopez

C
288
star
12

SharpNamedPipePTH

Pass the Hash to a named pipe for token Impersonation
C#
286
star
13

NimGetSyscallStub

Get fresh Syscalls from a fresh ntdll.dll copy
Nim
215
star
14

SharpVeeamDecryptor

Decrypt Veeam database passwords
C#
150
star
15

NamedPipePTH

Pass the Hash to a named pipe for token Impersonation
PowerShell
139
star
16

SyscallAmsiScanBufferBypass

AmsiScanBufferBypass using D/Invoke
C#
129
star
17

Nim_DInvoke

D/Invoke implementation in Nim
Nim
97
star
18

Excel-Phish

Phish password protected Excel-Files
VBA
93
star
19

Sharp-HackBrowserData

C# binary with embeded golang hack-browser-data
C#
93
star
20

Get-System-Techniques

PowerShell
85
star
21

NimShellcodeFluctuation

ShellcodeFluctuation PoC ported to Nim
Nim
74
star
22

RDPThiefInject

RDPThief donut shellcode inject into mstsc
C#
70
star
23

Invoke-Sharpcradle

Load C# Code straight to memory
PowerShell
54
star
24

Nim_CBT_Shellcode

CallBack-Techniques for Shellcode execution ported to Nim
Nim
53
star
25

LDAP-Signing-Scanner

A little scanner to check the LDAP Signing state
46
star
26

BitwardenDecryptBrute

Wordlist attacks on Bitwarden data.json files
Python
44
star
27

SharpOxidResolver

IOXIDResolver from AirBus Security/PingCastle
C#
40
star
28

SharpPolarBear

Privesc through import of Sheduled tasks + Hardlinks - CVE-2019-1069
C#
36
star
29

SharpByeBear

AppXSVC Service race condition - privilege escalation
C#
26
star
30

S3cur3Th1sSh1t

23
star
31

TeamViewerDecrypt

PowerShell
17
star
32

SharpLigolo

C# wrapper for ligolo
C#
16
star
33

Invoke-WMI-Information

Straight forward script for WMI information gathering (local or remote)
13
star
34

EmpEISDecrypt

Decrypt Matrix42 Empirum /EIS Passwords
C#
11
star
35

NimWinstaEveryoneAccess

Nim
10
star
36

darkamour_clone

Objective-C
9
star
37

WinFor

Powershell script to execute different forensic Powershell functions / tools on a compromised host
PowerShell
7
star
38

ssdp-poisoning

Python
7
star
39

MimiMisc

C
6
star
40

SSJI---JSGen

Just a copy from here: https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
Python
5
star
41

Hosts-File---AD-Tracking-Blocker

Hosts File for Blocking Advertising & Tracking Domains
3
star
42

nim-strenc

string encryption in Nim
Nim
2
star