Search the Community

Nimcrypt2 is yet another PE packer/loader designed to bypass AV/EDR. It is an improvement on my original Nimcrypt project, with the main improvements being the use of direct syscalls and the ability to load regular PE files as well as raw shellcode. Before going any further, I must acknowledge those who did the VAST majority of work and research that this project depends on. Firstly, I must thank @byt3bl33d3r for his Offensive Nim repo, and @ShitSecure for all of the code snippets he's publicly released. That is what the original version of this tool was created from, and the current version is no different. Particularly, the new PE loading functionality used in this tool is just an implementation of ShitSecure's recently released Nim-RunPE code. As of 3/14/22, this code also uses his GetSyscallStub code for dynamic syscall usage. I highly encourage sponsoring him for access to his own Nim PE Packer, which is no doubt a much better and more featureful version of this. Features: NtQueueApcThread Shellcode Execution w/ PPID Spoofing & 3rd Party DLL Blocking NimlineWhispers2 & GetSyscallStub for Syscall Use Syscall Name Randomization Ability to load .NET and Regular PE Files AES Encryption with Dynamic Key Generation LLVM-Obfuscator Compatibility String Encryption Sandbox Evasion Tested and Confirmed Working on: Windows 11 (10.0.22000) Windows 10 21H2 (10.0.19044) Windows 10 21H1 (10.0.19043) Windows 10 20H2 (10.0.19042) Windows 10 19H2 (10.0.18363) Windows Server 2019 (10.0.17763) [hide][Hidden Content]]

SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. Why on earth didn't I create a PR to SysWhispers2? The reason for SysWhispers3 to be a standalone version are many, but the most important are: SysWhispers3 is the de-facto "fork" used by Inceptor, and implements some utils class which are not relevant to the original version of the tool. SysWhispers2 is moving towards supporting NASM compilation (for gcc/mingw), while this version is specifically designed and tested to support MSVC (because Inceptor will stay a Windows-only framework for the near future). SysWhispers3 contains partially implemented features (such as egg-hunting) which would not be sensible to include in the original version of the tool. [hide][Hidden Content]]

SysWhispers helps with AV/EDR evasion by generating header/ASM files implants can use to make direct system calls. All core syscalls are supported and example generated files available in the example-output/ folder. Difference Between SysWhispers 1 and 2 The usage is almost identical to SysWhispers1 but you don’t have to specify which versions of Windows to support. Most of the changes are under the hood. It no longer relies on @j00ru‘s syscall tables and instead uses the “sorting by system call address” technique popularized by @modexpblog. This significantly reduces the size of the syscall stubs. The specific implementation in SysWhispers2 is a variation of @modexpblog’s code. One difference is that the function name hashes are randomized on each generation. @ElephantSe4l, who had published this technique earlier, has another implementation based in C++17 which is also worth checking out. The original SysWhispers repository is still up but maybe deprecated in the future. Introduction Various security products place hooks in user-mode API functions which allow them to redirect execution flow to their engines and detect suspicious behavior. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by @Cn33liz and his blog post has more technical details worth reading. SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe). The headers will also include the necessary type of definitions. [hide][Hidden Content]]