Nim-RunPE , is a Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory – which I ported to Nim.
You’ll need to install the following dependencies:
nimble install ptr_math winim
I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errors when using another version.
If you want to pass arguments on runtime or don’t want to pass arguments at all compile via:
nim c NimRunPE.nim
If you want to hardcode custom arguments modify const exeArgs to your needs and compile with:
nim c -d:args NimRunPE.nim – this was contributed by @glynx, thanks
The technique itself it pretty old, but I didn’t find a Nim implementation yet. So this has changed now. 🙂
If you plan to load e.g. Mimikatz with this technique – make sure to compile a version from source on your own, as the release binaries don’t accept arguments after being loaded reflectively by this loader. Why? I really don’t know it’s strange but a fact. If you compile on your own it will still work:
My private Packer is also weaponized with this technique – but all Win32 functions are replaced with Syscalls there. That makes the technique stealthier.
Setting a static IP address on your server is a smart move. It ensures your…
Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…
Managing user accounts is one of the most basic system administration tasks on any Linux…
Wine (short for "Wine Is Not an Emulator") is a compatibility layer that lets you run…
KVM (Kernel-based Virtual Machine) is an open-source virtualization technology built into the Linux kernel. It lets…
Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…