NimPackt-v1: Nim-based packer for .NET executables and raw shellcode

by do son · Published · Updated

Nim-based raw shellcode

NimPackt-v1 – A Nim-based packer for .NET executables and raw shellcode

NimPackt is a Nim-based packer for .NET (C#) executables and shellcode targeting Windows. It automatically wraps the payload in a Nim binary that is compiled to Native C and as such harder to detect and reverse engineer. There are two main execution methods:

  • Execute-Assembly re-packs a .NET executable and runs it, optionally applying evasive measures such as API unhooking, AMSI patching, or disabling ETW.
  • Shinject takes raw a .bin file with raw, position-independent shellcode and executes it locally or in a remote process, optionally using direct syscalls to trigger the shellcode or patching API hooks to evade EDR.

Currently, NimPackt has the following features.

  • Uses static syscalls to patch execute to evade EDR
  • Unhooks user-mode APIs for the spawned thread by refreshing NTDLL.dll using ShellyCoat
  • Patches Event Tracing for Windows (ETW)
  • Patches the Anti-Malware Scan Interface (AMSI)
  • AES-encrypts payload with a random key to preventing static analysis or fingerprinting
  • Compiles to exe or dll
  • Supports cross-platform compilation (from both Linux and Windows)
  • Integrates with CobaltStrike for ezpz payload generation 😎

A great source for C#-based binaries for offensive tooling can be found here. It is highly recommended to compile the C# binaries yourself. Even though embedded binaries are encrypted, you should obfuscate sensitive binaries (such as Mimikatz) to lower the risk of detection.

Install & Use

Copyright (c) 2022 Cas van Cooten (@chvancooten)

Tags: Nim-based raw shellcode