OffensiveNim
My experiments in weaponizing Nim (https://nim-lang.org/) for implant development and general offensive operations.
Table of Contents
- OffensiveNim
- Table of Contents
- Why Nim?
- Examples in this repo that work
- Examples that are a WIP
- Compiling the examples in this repo
- Cross Compiling
- Interfacing with C/C++
- Creating Windows DLLs with an exported DllMain
- Optimizing executables for size
- Reflectively Loading Nim Executables
- Executable size difference when using the Winim library vs without
- Opsec Considerations
- Writing Nim without the Nim Runtime
- Converting C code to Nim
- Language Bridges
- Debugging
- Setting up a dev environment
- Pitfalls I found myself falling into
- Interesting Nim libraries
- Nim for implant dev links
- Contributors
Why Nim?
- Compiles directly to C, C++, Objective-C and JavaScript.
- Since it doesn't rely on a VM/runtime, it does not produce what I like to call "T H I C C malwarez", as opposed to other languages (e.g. Golang).
- Python-inspired syntax allows rapid native payload creation & prototyping.
- Has extremely mature FFI (Foreign Function Interface) capabilities.
- Avoids making you actually write in C/C++ and subsequently avoids introducing a lot of security issues into your software.
- Super easy cross compilation to Windows from *nix/macOS: it only requires you to install the mingw toolchain and pass a single flag to the Nim compiler.
- The Nim compiler and the generated executables support all major platforms like Windows, Linux, BSD and macOS. It can even compile to Nintendo Switch, iOS & Android. See the cross-compilation section in the Nim compiler usage guide.
- You could technically write your implant and C2 backend both in Nim, as you can compile your code directly to JavaScript. It even has some initial support for WebAssembly.
Examples in this repo that work
| File | Description |
| --- | --- |
| pop_bin.nim | Call MessageBox WinApi without using the Winim library |
| pop_winim_bin.nim | Call MessageBox with the Winim library |
| pop_winim_lib.nim | Example of creating a Windows DLL with an exported DllMain |
| execute_assembly_bin.nim | Hosts the CLR, reflectively executes .NET assemblies from memory |
| clr_host_cpp_embed_bin.nim | Hosts the CLR by directly embedding C++ code, executes a .NET assembly from disk |
| scshell_c_embed_bin.nim | Shows how to quickly weaponize existing C code by embedding SCShell (C) directly within Nim |
| fltmc_bin.nim | Enumerates all Minifilter drivers |
| blockdlls_acg_ppid_spoof_bin.nim | Creates a suspended process that spoofs its PPID to explorer.exe, also enables BlockDLLs and ACG |
| named_pipe_client_bin.nim | Named Pipe Client |
| named_pipe_server_bin.nim | Named Pipe Server |
| embed_rsrc_bin.nim | Embeds a resource (zip file) at compile time and extracts contents at runtime |
| self_delete_bin.nim | A way to delete a locked or current running executable on disk. Method discovered by @jonasLyk |
| encrypt_decrypt_bin.nim | Encryption/Decryption using AES256 (CTR Mode) using the Nimcrypto library |
| amsi_patch_bin.nim | Patches AMSI out of the current process |
| amsi_providerpatch_bin.nim | Patches the AMSI Provider DLL (in this case MpOav.dll) to bypass AMSI. Published here |
| etw_patch_bin.nim | Patches ETW out of the current process (Contributed by ) |
| wmiquery_bin.nim | Queries running processes and installed AVs using WMI |
| out_compressed_dll_bin.nim | Compresses, Base64 encodes and outputs PowerShell code to load a managed DLL in memory. Port of the original PowerSploit script to Nim. |
| dynamic_shellcode_local_inject_bin.nim | POC to locally inject shellcode recovered dynamically instead of hardcoding it in an array. |
| shellcode_callback_bin.nim | Executes shellcode using Callback functions |
| shellcode_bin.nim | Creates a suspended process and injects shellcode with VirtualAllocEx/CreateRemoteThread. Also demonstrates the usage of compile-time definitions to detect arch, OS, etc. |
| shellcode_fiber.nim | Shellcode execution via fibers |
| shellcode_inline_asm_bin.nim | Executes shellcode using inline assembly |
| ssdt_dump.nim | Simple SSDT retrieval using runtime function table from exception directory. Technique inspired from MDSEC article |
| syscalls_bin.nim | Shows how to make direct system calls |
| execute_powershell_bin.nim | Hosts the CLR & executes PowerShell through an un-managed runspace |
| passfilter_lib.nim | Log password changes to a file by (ab)using a password complexity filter |
| minidump_bin.nim | Creates a memory dump of lsass using MiniDumpWriteDump |
| http_request_bin.nim | Demonstrates a couple of ways of making HTTP requests |
| execute_sct_bin.nim | .sct file Execution via GetObject() |
| scriptcontrol_bin.nim | Dynamically execute VBScript and JScript using the MSScriptControl COM object |
| excel_com_bin.nim | Injects shellcode using the Excel COM object and Macros |
| keylogger_bin.nim | Keylogger using SetWindowsHookEx |
| memfd_python_interpreter_bin.nim | Use memfd_create syscall to load a binary into an anonymous file and execute it with execve syscall. |
| uuid_exec_bin.nim | Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode. |
| unhookc.nim | Unhooks ntdll.dll to evade EDR/AV hooks (embeds the C code template from ired.team) |
| unhook.nim | Unhooks ntdll.dll to evade EDR/AV hooks (pure nim implementation) |
| taskbar_ewmi_bin.nim | Uses Extra Window Memory Injection via Running Application property of TaskBar in order to execute the shellcode. |
| fork_dump_bin.nim | (ab)uses Windows' implementation of fork() and acquires a handle to a remote process using the PROCESS_CREATE_PROCESS access right. It then attempts to dump the forked process's memory using MiniDumpWriteDump() |
| ldap_query_bin.nim | Perform LDAP queries via COM by using ADO's ADSI provider |
| sandbox_process_bin.nim | This sandboxes a process by setting its integrity level to Untrusted and strips important token privileges. This can be used to "silently disable" a PPL process (e.g. AV/EDR) |
| list_remote_shares.nim | Use NetShareEnum to list the shares accessible by the current user |
| chrome_dump_bin.nim | Read and decrypt cookies from Chrome's sqlite database |
| suspended_thread_injection.nim | Shellcode execution via suspended thread injection |
| dns_exfiltrate.nim | Simple DNS exfiltration via TXT record queries |
| rsrc_section_shellcode.nim | Execute shellcode embedded in the .rsrc section of the
