dr4k0nia/NixImports dr4k0nia/NixImports

  • Stars
    star
    201
  • Rank 193,536 (Top 4 %)
  • Language
    C#
  • License
    MIT License
  • Created over 1 year ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
dr4k0nia/NixImports
github

dr4k0nia

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A .NET malware loader, using API-Hashing to evade static analysis

NixImports

A .NET malware loader, using API-Hashing and dynamic invoking to evade static analysis

How does it work?

NixImports uses my managed API-Hashing implementation HInvoke, to dynamically resolve most of it's called functions at runtime. To resolve the functions HInvoke requires two hashes the typeHash and the methodHash. These hashes represent the type name and the methods FullName, on runtime HInvoke parses the entire mscorlib to find the matching type and method. Due to this process, HInvoke does not leave any import references to the methods called trough it.

Another interesting feature of NixImports is that it avoids calling known methods as much as possible, whenever applicable NixImports uses internal methods instead of their wrappers. By using internal methods only we can evade basic hooks and monitoring employed by some security tools.

For a more detailed explanation checkout my blog post.

You can generate hashes for HInvoke using this tool

How to use

NixImports only requires a filepath to the .NET binary you want to pack with it.

NixImports.exe <filepath>

It will automatically generate a new executable called Loader.exe in it's root folder. The loader executable will contain your encoded payload and the stub code required to run it.

Tips for Defenders

If youre interested in detection engineering and possible detection of NixImports, checkout the last section of my blog post

Or click here for a basic yara rule covering NixImports.

More Repositories

1

Origami

Packer compressing .net assemblies, (ab)using the PE format for data storage
C#
153
star
2

XorStringsNET

Easy XOR string encryption for NET based binaries
C#
121
star
3

Unscrambler

Universal unpacker and fixer for a number of modded ConfuserEx protections
C#
101
star
4

MurkyStrings

A string obfuscator for .NET apps, built to evade static string analysis.
C#
98
star
5

tooling-playground

A collection of small scripts and tools for deobfuscation and malware analysis.
C#
66
star
6

Simple-Costura-Decompressor

Simple tool to extract and decompress embedded resources processed by Fody Costura
C#
62
star
7

FlatUI-Midnight

FlatUI Dark Reskin for Winforms .NET 4.0
C#
60
star
8

Greenline

Unpacker and Config Extractor for managed Redline Stealer payloads
C#
36
star
9

yara-rules

A collection of my yara rules
YARA
33
star
10

de4dot_gui

Simple GUI app to simplify manual string decryption with de4dot
C#
26
star
11

NoChallenge

A tool to automatically defeat .NET crackmes based on string equality comparisons
C#
20
star
12

DontPoisonMySource

Simple tool to check visual studio project files for Exec, PreBuildEvent and PostBuildEvent
C#
12
star
13

LagSwitch

C#
10
star
14

AHK-Dumper

Dumper for compiled AutoHotKey Scripts
C#
10
star
15

simple-string-encryption

Simple website to automatically generate string encryption/decryption routines for C#
HTML
10
star
16

dr4k0nia.github.io

SCSS
5
star
17

archived_dr4k0nia.github.io

SCSS
2
star