Giter Site home page Giter Site logo

nimhollow's Introduction

NimHollow

Playing around with the Process Hollowing technique using Nim.

Features:

  • Direct syscalls for triggering Windows Native API functions with NimlineWhispers or NimlineWhispers2.
  • Shellcode encryption/decryption with AES in CTR mode.
  • Simple sandbox detection methods from the OSEP course by @offensive-security.

DISCLAIMER. All information contained in this repository is provided for educational and research purposes only. The author is not responsible for any illegal use of this tool.

Usage

Installation:

~$ git clone --recurse-submodules https://github.com/snovvcrash/NimHollow && cd NimHollow
~$ git submodule update --init --recursive
~$ nimble install winim nimcrypto
~$ pip3 install -r requirements.txt
~$ sudo apt install upx -y

Example:

~$ msfvenom -p windows/x64/messagebox TITLE='MSF' TEXT='Hack the Planet!' EXITFUNC=thread -f raw -o shellcode.bin
~$ python3 NimHollow.py shellcode.bin -i 'C:\Windows\System32\svchost.exe' -o injector --upx --rm [--whispers2]

Help:

usage: NimHollow.py [-h] [-i IMAGE] [-o OUTPUT] [--whispers2] [--debug] [--upx] [--rm] shellcode_bin

positional arguments:
  shellcode_bin         path to the raw shellcode file

optional arguments:
  -h, --help            show this help message and exit
  -i IMAGE, --image IMAGE
                        process image to hollow (default "C:\Windows\System32\svchost.exe")
  -o OUTPUT, --output OUTPUT
                        output filename
  --whispers2           use NimlineWhispers2 to generate syscalls.nim
  --debug               do not strip debug messages from Nim binary
  --upx                 compress Nim binary with upx
  --rm                  remove Nim files after compiling the binary

Process Hollowing in Slides

1. Create the target process (e.g., svchost.exe) in a suspended state.

2. Query created process to extract its base address pointer from PEB (Process Environment Block).

3. Read 8 bytes of memory (for 64-bit architecture) pointed by the image base address pointer in order to get the actual value of the image base address.

4. Read 0x200 bytes of the loaded EXE image and parse PE structure to get the EntryPoint address.

5. Write the shellcode to the EntryPoint address and resume thread execution.

Credits

nimhollow's People

Contributors

snovvcrash avatar

Stargazers

SkyN9ne avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.