{"id":37823917,"url":"https://github.com/pygrum/gimmick","last_synced_at":"2026-01-16T15:44:02.286Z","repository":{"id":245187735,"uuid":"817397542","full_name":"pygrum/gimmick","owner":"pygrum","description":"Section-based payload obfuscation technique for x64","archived":false,"fork":false,"pushed_at":"2024-08-08T09:12:24.000Z","size":63,"stargazers_count":56,"open_issues_count":0,"forks_count":5,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-08-09T11:29:03.251Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pygrum.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-19T16:06:28.000Z","updated_at":"2024-08-08T09:12:28.000Z","dependencies_parsed_at":"2024-06-20T11:26:54.809Z","dependency_job_id":"be07ddab-d69c-4ada-80e0-83117606ad56","html_url":"https://github.com/pygrum/gimmick","commit_stats":null,"previous_names":["pygrum/gimmick"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/pygrum/gimmick","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pygrum%2Fgimmick","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pygrum%2Fgimmick/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pygrum%2Fgimmick/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pygrum%2Fgimmick/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pygrum","download_url":"https://codeload.github.com/py
grum/gimmick/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pygrum%2Fgimmick/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28479409,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-16T15:44:02.208Z","updated_at":"2026-01-16T15:44:02.271Z","avatar_url":"https://github.com/pygrum.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Gimmick\r\n\r\nA thread-safe, section-based payload obfuscation technique.\r\n\r\n## How it works\r\nThis technique allows safe, on-demand access to compile-time encrypted global variables and functions.\r\nHow? Gimmick provides an API to allow sections to be dynamically decrypted and accessed at runtime in a thread-safe way.\r\nIt also re-encrypts sections when no threads are using them.\r\nDepending on its usage, this technique introduces just a small window for your payload to exist fully decrypted in memory.\r\n\r\n\r\nTo **decrypt** a section, Gimmick checks for the following conditions:\r\n1. 
There are no other threads currently encrypting or decrypting the section simultaneously\r\n\r\nTo **encrypt** a section, Gimmick checks for the following conditions:\r\n1. There are no other threads currently encrypting or decrypting the section simultaneously\r\n2. There are no 'references' to the section\r\n\r\n\r\n## Extra features\r\n\r\n- PIC (Position Independent Code) friendly, with custom GetModuleHandle and GetProcAddress implementations\r\n- Dynamically loaded functions and modules that can be passed to a global instance at runtime.\r\n- Inbuilt RC4 implementation\r\n\r\n## Limitations\r\n- 64-bit only (for now)\r\n- If the executable is to be loaded by the OS, only sections that are untouched by the Windows loader can be used to store data. \r\nThis technique is best used with an rDLL or Shellcode.\r\n- All sections are marked as encrypted on initialisation, as Gimmick has no awareness of section states before they have been accessed.\r\nIt will attempt to encrypt / decrypt any section referenced by the API. Only functions and variables assigned to a section with the `SEC`\r\nmacro should be called, provided that the section is also encrypted with `crypt.py` afterwards. This really shouldn't be an issue \r\n**provided that you only target the sections that you want to encrypt.**\r\n- Section page protections are flipped to RW briefly during encryption and decryption.\r\n\r\n## Run\r\nAn example multithreaded application is set up for POC purposes. It is compiled with MinGW gcc.\r\n1. `make build` or `make release`\r\n2. `./gimmick.exe`\r\n\r\n### Output\r\n```\r\n--- Starting threads\r\n[*][.xdata] attempting to decrypt section\r\n[*][.xdata] decrypting section\r\n[+][.xdata] done! 
releasing mutex and restoring protection.\r\n[+][.xdata] data is now available for use.\r\n[*][00007FF6EAE64000] -- executing callee function\r\n[*][.rodata] attempting to decrypt section\r\n[*][.rodata] decrypting section\r\n[*][.xdata] attempting to decrypt section\r\n[!][.xdata] section is already decrypted\r\n[*][00007FF6EAE64000] -- executing callee function\r\n[+][.rodata] done! releasing mutex and restoring protection.\r\n[+][.rodata] data is now available for use.\r\n[*][.rodata] attempting to decrypt section\r\n[!][.rodata] section is already decrypted\r\n[*][.rodata] attempting to decrypt section\r\n[!][.rodata] section is already decrypted\r\n[*][.rodata] attempting to decrypt section\r\n[!][.rodata] section is already decrypted\r\n[*][.rodata] attempting to re-encrypt section\r\n[!][.rodata] section is in use - no re-encryption was performed\r\n[*][.rodata] attempting to re-encrypt section\r\n[!][.rodata] section is in use - no re-encryption was performed\r\n[*][00007FF6EAE64000] -- exited with code 0xdead\r\n[*][.xdata] attempting to re-encrypt section\r\n[!][.xdata] section is in use - no re-encryption was performed\r\n[*][.rodata] attempting to re-encrypt section\r\n[!][.rodata] section is in use - no re-encryption was performed\r\n[*][.rodata] attempting to re-encrypt section\r\n[*][.rodata] re-encrypting section\r\n[+][.rodata] successfully re-encrypted section\r\n[*][00007FF6EAE64000] -- exited with code 0xdead\r\n[*][.xdata] attempting to re-encrypt section\r\n[*][.xdata] re-encrypting section\r\n[+][.xdata] successfully re-encrypted section\r\n```\r\n\r\n## Usage\r\nNOTE: This project is a Proof of Concept. It will likely be buggy, and I do NOT recommend using it as-is in production. \r\nYou may open a PR to fix existing issues, or simply fix these yourself privately.\r\n\r\n1. Add `gimmick.c`, `gimmick.h` and `ntdll.h` to your project\r\n2. Assign objects to desired sections with the `SEC` macro, separating different types (e.g. 
functions and variables)\r\n3. Initialise Gimmick context with `GkInitContext`, and free with `GkFreeSectionContext`\r\n4. Use `GkGet` (+`GkRelease`), `GkRun`, or `GkRunEx` to run functions or access variables assigned to encrypted sections\r\n5. Compile the file with -Os and other desired flags\r\n6. Choose sections that contain data accessed with Gimmick to encrypt (`crypt.py`) and encrypt them with the same key used\r\nfor Gimmick's context (edit in script)\r\n7. Run your executable\r\n\r\n## Disclaimer\r\nThis code is provided for educational and ethical\r\npurposes only. The authors and contributors are not responsible for any\r\nmisuse of the code, including but not limited to the unlawful creation or\r\ndistribution of malware. Use this code responsibly and in accordance\r\nwith all applicable laws and regulations.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpygrum%2Fgimmick","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpygrum%2Fgimmick","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpygrum%2Fgimmick/lists"}