Site icon API Security Blog

Nim-Loader – WIP Shellcode Loader In Nim With EDR Evasion Techniques

[![](https://blogger.googleusercontent.com/img/a/AVvXsEghoAwSP8tfQ0sIRJuF9bla0dxRrdW1lPn96pxum-o5IHa7VkI95mmOfDO5j3BktycKqlFVVdOpyf3jpwf-tFUn2R0pmrTikJme–EpMM14WUufp3PCZmJo-7mMiAaADeKvExN71KOWHN8JteTPPrGwHdZAuktozFqYa6N-BjBkPQGmzZ_2rcHOIXvw=w640-h502)]()

a very rough work-in-progress adventure into learning nim by cobbling resources together to create a shellcode loader that implements common EDR/AV evasion techniques.

_This is a mess and is for [research]( “research” ) purposes only! Please don’t expect it to compile and run without your own modifications._

_
_

### Instructions

* Replace the byte array in `loader.nim` with your own x64 shellcode
* Compile the EXE and run it: `nim c -d:danger -d:strip –opt:size “loader.nim”`
* Probably adjust which process you want to inject into by looking in the .nim files of the [injection]( “injection” ) folder method you’re using…

### Completed Features

* Direct [syscalls]( “syscalls” ) dynamically resolved from NTDLL (Thanks @ShitSecure)
* AMSI and ETW [patching]( “patching” ) (Thanks @byt3bl33d3r)
* NTDLL unhooking (Thanks @MrUn1k0d3r)
* CreateRemoteThread injection (Thanks @byt3bl33d3r, @ShitSecure)

### WIP Features

* Process Hollowing Technique (Thanks @snovvcrash)
* Shellcode encryption/decryption using [AES in CTR mode]( (Thanks @snovvcrash)
* Replace all compatible API calls with syscalls
* Add template [generator]( “generator” ) and compiler, cmdline args for shellcode, injection methods, process paths, etc.

### Obfuscation

* Consider using [denim]( “denim” ) by @LittleJoeTables for obfuscator-llvm nim compilation support!

### References & Inspiration

* OffensiveNim by Marcello Salvati (@byt3bl33d3r)
* NimlineWhispers2 by Alfie Champion (@ajpc500)
* SysWhispers3 by klezVirus (@KlezVirus)
* NimPackt-v1 by Cas van Cooten (@chvancooten)
* unhook_bof.c by Mr. Un1k0d3r (@MrUn1k0d3r)
* NimGetSyscallStub by S3cur3Th1sSh1t (@ShitSecure)
* NimHollow by snovvcrash (@snovvcrash)

### Examples

[]( “WIP shellcode loader in nim with EDR evasion techniques (8)” )[![](https://blogger.googleusercontent.com/img/a/AVvXsEghoAwSP8tfQ0sIRJuF9bla0dxRrdW1lPn96pxum-o5IHa7VkI95mmOfDO5j3BktycKqlFVVdOpyf3jpwf-tFUn2R0pmrTikJme–EpMM14WUufp3PCZmJo-7mMiAaADeKvExN71KOWHN8JteTPPrGwHdZAuktozFqYa6N-BjBkPQGmzZ_2rcHOIXvw=w640-h502)]()

**[Download Nim-Loader]( “Download Nim-Loader” )**Read More

Exit mobile version