So you decided to go the Nim way for your implementation.
Download and install Nim from the website. Version 2.0.4 was current when this repository was published and works with it.
Windows: download and install MinGW-w64.
Linux:
apt-get install mingw-w64
Install dependencies
nimble install ptr_math checksums NimProtect winim https://github.com/nbaertsch/nimvoke
The packertemplate.nim code is meant to be the starting point for automating the following process:
- Encrypting input payloads (Shellcode, C# Assemblies, PE files)
- Building/Updating the needed Loader code
- (Optional) Embedding the encrypted payload inside of the code
- Compiling the loader, so that we have our final packed binary/dll
All sub-folders contain potential features that you can embed or integrate into the Loader. If you want to start with shellcode packing, for example, check out the shellcodeexecute folder. We recommend using compiler flags in the loader instead of concatenating string snippets at runtime to produce the final code; example code for both approaches is provided.
The encryption/decryption routine is identical in every build, which for exactly that reason is also a good IoC and AV signature base.
The provided code base avoids entropy-based detections by loading the encrypted payload from a dedicated file at runtime. This also acts as sandbox evasion, because most sandboxes and emulators analyze only the executable itself and do not include other files in the analysis.
All provided samples use nimvoke for indirect syscall execution, so potential userland hooks do not need to be handled separately, as they are bypassed.
- ✌️ easy ✌️ : Build your first features together, e.g. shellcode input with sandbox and anti-debug checks
- ✌️ easy ✌️ : If you want to embed the encrypted payload, you need to tackle entropy. Entropy can, for example, be lowered by using "encodings" such as UUID, MAC, or IP. These examples need to be adjusted for Nim arrays.
- ✌️ easy ✌️ : As an alternative, load the encrypted payload from a dedicated file on runtime to decrypt it afterward.
- ✌️ easy ✌️ : Build sideloading DLLs using third-party tools such as Koppeling or custom definition file generation
- 👊 intermediate 👊 : If you prefer to inject payloads, integrate ThreadlessInject/Poolparty
- 👊 intermediate 👊 : PE loading is not done with indirect syscalls. Change this.
- ✌️ easy ✌️ : Alternative Sandbox Evasion stubs / better AntiDebug techniques
- 👊 intermediate 👊 : Use Hardware Breakpoints for AMSI/ETW evasion instead of simple patches
- ✌️ easy ✌️ : Integrate real encryption instead of XOR
- ✌️ easy ✌️ : Module Stomping
- ✌️ easy ✌️ : Environmental keying on a target domain/hostname
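The README relies twice on entropy-based detection (the load-from-file design above and the "tackle entropy" task in the list). As an added, defender-side example that is not part of this repository, the following Python shows the check such a scanner actually performs: Shannon entropy per fixed-size window, flagging windows above a threshold. The sample bytes, window size and 7.2-bit threshold are constructed for illustration; real scanners tune the threshold per file section.

```python
import math
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_windows(
    data: bytes, window: int = 256, threshold: float = 7.2
) -> List[Tuple[int, float]]:
    """Scan non-overlapping windows and return (offset, entropy) for those at or above threshold.

    Encrypted or compressed payloads embedded in a file show up as a run of flagged
    windows, which is why embedding ciphertext without re-encoding raises entropy alerts.
    """
    hits = []
    for off in range(0, max(len(data) - window + 1, 1), window):
        entropy = shannon_entropy(data[off:off + window])
        if entropy >= threshold:
            hits.append((off, round(entropy, 3)))
    return hits


# Constructed sample: 512 bytes of ordinary text (low entropy) followed by
# 512 bytes containing every byte value twice (maximum entropy, like ciphertext).
LOW_ENTROPY_PART = (b"This is ordinary readable loader text. " * 20)[:512]
HIGH_ENTROPY_PART = bytes(range(256)) * 2
SAMPLE = LOW_ENTROPY_PART + HIGH_ENTROPY_PART


def scan_report(data: bytes = SAMPLE) -> List[Tuple[int, float]]:
    """Return the flagged windows for the constructed sample; run as a script to print them."""
    return high_entropy_windows(data)


if __name__ == "__main__":
    for offset, entropy in scan_report():
        print(f"high-entropy window at offset {offset:#06x}: {entropy} bits/byte")
```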
