{"id":13577495,"url":"https://github.com/eset/nimfilt","last_synced_at":"2025-04-06T06:06:50.003Z","repository":{"id":231590433,"uuid":"781467224","full_name":"eset/nimfilt","owner":"eset","description":"A collection of modules and scripts to help with analyzing Nim binaries","archived":false,"fork":false,"pushed_at":"2024-10-07T18:26:02.000Z","size":74,"stargazers_count":73,"open_issues_count":1,"forks_count":7,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-30T05:04:20.640Z","etag":null,"topics":["demangling","ida","ida-plugin","ida-pro","idapython","malware-analysis","nim","nim-lang","nim-language","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eset.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-03T12:45:35.000Z","updated_at":"2025-03-24T08:47:24.000Z","dependencies_parsed_at":"2024-04-04T19:44:32.848Z","dependency_job_id":"8a7a98fe-df6f-4504-a454-56bcf7d59f1b","html_url":"https://github.com/eset/nimfilt","commit_stats":null,"previous_names":["eset/nimfilt"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2Fnimfilt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2Fnimfilt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2Fnimfilt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2Fnimfilt/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eset","download_url":"https://codeload.github.com/eset/nimfilt/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247441043,"owners_count":20939239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["demangling","ida","ida-plugin","ida-pro","idapython","malware-analysis","nim","nim-lang","nim-language","reverse-engineering"],"created_at":"2024-08-01T15:01:21.938Z","updated_at":"2025-04-06T06:06:49.985Z","avatar_url":"https://github.com/eset.png","language":"Python","readme":"# Nimfilt\n\nNimfilt is a collection of modules and scripts to help with analyzing [Nim](https://github.com/nim-lang/Nim/) binaries. It started out as a CLI demangling tool inspired by `c++filt`. It evolved into a larger set of tools for analyzing Nim, but the original name stuck.\n\n - `nimfilt.py`: a Python module that implements demangling for Nim. It can also be run as a basic CLI tool.\n - `id_nim_binary.yar`: a set of YARA rules to identify Nim ELF and PE binaries.\n - `nimfilt_ida.py`: Nimfilt for IDA, an IDAPython script to help reverse-engineers handle Nim binaries.\n - `nimfilt_ghidra.py`: Nimfilt for Ghidra, a GhidraScript to help reverse-engineers handle Nim binaries.\n\n\n## Context\n\nNim is compiled to another language (usually C/C++) before being compiled to a native executable. It also doesn't include a large runtime. 
However, the process still leaves some Nim-specific artefacts and specificities in the produced binary.\n\nFor one, method and module names are mangled using Nim's own naming scheme, which is distinct from C++'s. This scheme isn't documented, so I relied on the source code of the [Nim compiler](https://github.com/nim-lang/Nim). Most of this name mangling is implemented in `compiler/msgs.nim` and `compiler/ccgtypes.nim`.\n\n\n## Nimfilt for IDA\n\nThe IDAPython script can be run as a one-off or installed as a plugin.\n\nIf running as a script, simply launch it from the Nimfilt project directory. It is recommended to do so after auto-analysis has completed and you've loaded any additional FLIRT signatures.\n\n### Plugin setup using [Sark](https://github.com/tmr232/Sark)'s plugin loader\n\nAdd `\u003cnimfilt_project_dir\u003e/nimfilt_ida.py` to your `plugins.list` as per their instructions on [installing plugins](https://sark.readthedocs.io/en/latest/plugins/installation.html).\n\n### Manual plugin setup\n\n1. Copy `nimfilt.py` to a directory that is included in your IDAPython's `PYTHONPATH` (commonly `\u003cIDA_install_dir\u003e/python/` or `%APPDATA%/Hex-Rays/IDA Pro/python/3/`).\n2. Copy `nimfilt_ida.py` to your IDAPython plugin directory (usually `\u003cIDA_install_dir\u003e/plugins/`).\n\n### Usage\n\n*Note: The current version of Nimfilt for IDA only supports one command which runs all analyses.*\n\nNavigate to Edit -\u003e Plugins -\u003e Nimfilt and click on it.\n\nYou can set Nimfilt to automatically execute when a loaded file is recognized as a Nim binary. To do so, set the `AUTO_RUN` global variable to `True` in `nimfilt_ida.py`.\n\n\n## Nimfilt for Ghidra\n\nThe GhidraScript is a one-off script.\n\nIf running as a script, simply launch it from the Nimfilt project directory. 
It is recommended to do so after auto-analysis has completed and you've loaded any additional FLIRT signatures.\n\n### Manual plugin setup\n\nCopy `nimfilt.py` and `nimfilt_ghidra.py` to your `ghidra_script` directory (usually `$HOME/ghidra_scripts`).\n\n### Usage\n\n*Note: The current version of Nimfilt for Ghidra only supports one command which runs all analyses.*\n\nNavigate to Window -\u003e Script Manager. Find the `nimfilt_ghidra.py` script in the list. Select it and click the `Run` button.\n\n## Running tests\n\nNimfilt uses the [unittest](https://docs.python.org/3/library/unittest.html) package from the Python standard library for unit testing. You can run the test suite using the following command: `python -m unittest test/*.py`.\n\n\n## Features\n\nCurrent features include:\n\n - Identifying if a loaded file is a Nim binary.\n - Demangling Nim function and package names.\n - Demangling Nim package init function names.\n - Organizing functions into directories by package.\n - Identifying, typing and renaming Nim strings.\n\n\n## TODO/Known issues\n\n - [ ] Handle double mangling (C++ and Nim) for executables compiled with `cpp`\n - [ ] Simplify module paths\n - [ ] IDA Script: Format `Init` functions' module paths to match regular function format\n - [ ] IDA Script: Group packages under root-level directories: Nimble, STD and local/main\n - [ ] IDA Script: Use simplified pkg name when renaming functions\n\n\n## Similar and related work\n\n[AlphaGolang](https://github.com/SentineLabs/AlphaGolang) is a project that fulfills a similar role for Go binaries. While none of AlphaGolang's code was used directly in Nimfilt, it served as a general inspiration and was useful in understanding IDA's folder API.\n\n[Nim-IDA-FLIRT-Generator](https://github.com/Cisco-Talos/Nim-IDA-FLIRT-Generator) is another project that helps with reverse-engineering Nim binaries. It does so by greatly simplifying the process of creating IDA FLIRT signatures for Nim. 
It nicely complements Nimfilt for binaries that lack symbols: First generate then apply your FLIRT signatures, then run Nimfilt for the best results.\n","funding_links":[],"categories":["Python","nim"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feset%2Fnimfilt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feset%2Fnimfilt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feset%2Fnimfilt/lists"}