Nimcrypt2: .NET, PE, & Raw Shellcode Packer/Loader Written in Nim

Nimcrypt2

Nimcrypt2 is yet another PE packer/loader designed to bypass AV/EDR. It is an improvement on my original Nimcrypt project, with the main improvements being the use of direct syscalls and the ability to load regular PE files as well as raw shellcode.

Before going any further, I must acknowledge those who did the VAST majority of work and research that this project depends on. Firstly, I must thank @byt3bl33d3r for his Offensive Nim repo, and @ShitSecure for all of the code snippets he’s publicly released. That is what the original version of this tool was created from, and the current version is no different. Particularly, the new PE loading functionality used in this tool is just an implementation of ShitSecure’s recently released Nim-RunPE code. I highly encourage sponsoring him for access to his own Nim PE Packer, which is no doubt a much better and more featureful version of this.

Additionally, I would like to thank @ajpc500 for his NimlineWhispers2 project that this tool uses for direct syscalls. I cannot stress enough how this project is simply an amalgamation of the public work of those previously mentioned, so all credit must go to them.

Features:

• NtQueueApcThread Shellcode Execution w/ PPID Spoofing & 3rd Party DLL Blocking
• Syscall Name Randomization
• Ability to load .NET and Regular PE Files
• AES Encryption with Dynamic Key Generation
• Sandbox Evasion

Tested and Confirmed Working on:

• Windows 11 (10.0.22000)
• Windows 10 21H2 (10.0.19044)
• Windows 10 21H1 (10.0.19043)
• Windows 10 20H2 (10.0.19042)
• Windows 10 19H2 (10.0.18363)
• Windows Server 2019 (10.0.17763)

Install & Use

Copyright (C) 2022 icyguider