Nim-RunPE - A Nim Implementation Of Reflective PE-Loading From Memory
2022-9-11 19:30:0 Author: www.kitploit.com(查看原文) 阅读量:49 收藏

A Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory - which I ported to Nim.

You'll need to install the following dependencies:

nimble install ptr_math winim

I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errors when using another version.

Compile

If you want to pass arguments on runtime or don't want to pass arguments at all compile via:

nim c NimRunPE.nim

If you want to hardcode custom arguments modify const exeArgs to your needs and compile with:

nim c -d:args NimRunPE.nim - this was contributed by @glynx, thanks!

😎

More Information

The technique itself it pretty old, but I didn't find a Nim implementation yet. So this has changed now. :)

If you plan to load e.g. Mimikatz with this technique - make sure to compile a version from source on your own, as the release binaries don't accept arguments after being loaded reflectively by this loader. Why? I really don't know it's strange but a fact. If you compile on your own it will still work:

My private Packer is also weaponized with this technique - but all Win32 functions are replaced with Syscalls there. That makes the technique stealthier.

Nim-RunPE - A Nim Implementation Of Reflective PE-Loading From Memory Nim-RunPE - A Nim Implementation Of Reflective PE-Loading From Memory Reviewed by Zion3R on 8:30 AM Rating: 5


文章来源: http://www.kitploit.com/2022/09/nim-runpe-nim-implementation-of.html
如有侵权请联系:admin#unsafe.sh