S3cur3Th1sSh1t/Nim-RunPE

Stars
253
Rank 154,842 (Top 4 %)
Language
Nim
License
BSD 3-Clause "New...
Created about 2 years ago
Updated over 1 year ago

S3cur3Th1sSh1t/Nim-RunPE

S3cur3Th1sSh1t

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

A Nim implementation of reflective PE-Loading from memory

Nim-RunPE

A Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory - which I ported to Nim.

You'll need to install the following dependencies:

nimble install ptr_math winim

I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errors when using another version.

Compile

If you want to pass arguments on runtime or don't want to pass arguments at all compile via:

nim c NimRunPE.nim

If you want to hardcode custom arguments modify const exeArgs to your needs and compile with:

nim c -d:args NimRunPE.nim - this was contributed by @glynx, thanks! 😎

More Information

The technique itself it pretty old, but I didn't find a Nim implementation yet. So this has changed now. :)

If you plan to load e.g. Mimikatz with this technique - make sure to compile a version from source on your own, as the release binaries don't accept arguments after being loaded reflectively by this loader. Why? I really don't know it's strange but a fact. If you compile on your own it will still work:

My private Packer is also weaponized with this technique - but all Win32 functions are replaced with Syscalls there. That makes the technique stealthier.

WinPwn

Automation for internal Windows Penetrationtest / AD-Security

Pentest-Tools

Amsi-Bypass-Powershell

This repo contains some Amsi Bypass methods i found on different Blog Posts.

PowerSharpPack

OffensiveVBA

This repo covers some code execution and AV Evasion methods for Macros in Office documents

Creds

Some usefull Scripts and Executables for Pentest & Forensics

MultiPotato

SharpImpersonation

A User Impersonation tool - via Token or Shellcode injection

Invoke-SharpLoader

Caro-Kann

Encrypted shellcode Injection to avoid Kernel triggered memory scans

Ruy-Lopez

SharpNamedPipePTH

Pass the Hash to a named pipe for token Impersonation

NimGetSyscallStub

Get fresh Syscalls from a fresh ntdll.dll copy

SharpVeeamDecryptor

Decrypt Veeam database passwords

NamedPipePTH

Pass the Hash to a named pipe for token Impersonation

SyscallAmsiScanBufferBypass

AmsiScanBufferBypass using D/Invoke

Nim_DInvoke

D/Invoke implementation in Nim

Excel-Phish

Phish password protected Excel-Files

Sharp-HackBrowserData

C# binary with embeded golang hack-browser-data

Get-System-Techniques

NimShellcodeFluctuation

ShellcodeFluctuation PoC ported to Nim

RDPThiefInject

RDPThief donut shellcode inject into mstsc

Invoke-Sharpcradle

Load C# Code straight to memory

Nim_CBT_Shellcode

CallBack-Techniques for Shellcode execution ported to Nim

LDAP-Signing-Scanner

A little scanner to check the LDAP Signing state

BitwardenDecryptBrute

Wordlist attacks on Bitwarden data.json files

SharpOxidResolver

IOXIDResolver from AirBus Security/PingCastle

SharpPolarBear

Privesc through import of Sheduled tasks + Hardlinks - CVE-2019-1069

SharpByeBear

AppXSVC Service race condition - privilege escalation

S3cur3Th1sSh1t

TeamViewerDecrypt

SharpLigolo

C# wrapper for ligolo

Invoke-WMI-Information

Straight forward script for WMI information gathering (local or remote)

EmpEISDecrypt

Decrypt Matrix42 Empirum /EIS Passwords

NimWinstaEveryoneAccess

darkamour_clone

WinFor

Powershell script to execute different forensic Powershell functions / tools on a compromised host

ssdp-poisoning

MimiMisc

SSJI---JSGen

Just a copy from here: https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

Hosts-File---AD-Tracking-Blocker

Hosts File for Blocking Advertising & Tracking Domains