Nimjector

A process injection framework written in Nim. The tool heavily aims to teach process injection techniques while providing significant information on how the technique works. In addition, the tool does not only focus on crafting payloads, but also detecting different techniques on suspicious binaries.

Installation

Install the following packages first before compiling the tool:

$ git clone https://github.com/ar33zy/Nimjector.git
$ cd 
# Ensure mingw gcc is installed
$ sudo apt install mingw-w64
# Install nim modules
$ nimble install yaml docopt winim nimcrypto
# Compile the nimjector binary
$ nim c --skipProjCfg -d=release --cc:gcc --embedsrc=on --hints=on --app=console --cpu=amd64 --out=nimjector nimjector.nim

Usage

List

# For listing all techniques
$ ./nimjector list -t all

# For printing API calls used by the technique
$ ./nimjector list -t <technique> -c <all>

# Example:
$ ./nimjector list -t set_timer -c VirtualAlloc
[*] Listing API call description - VirtualAlloc
[!] VirtualAlloc is often used by malware to allocate memory as part of process injection. This function returns the memory address of the newly allocated space.

Red

Required fields:

image
technique

Optional fields:

print
encrypt
nt (NT API Calls)
syscalls (System Calls)
gstub (GetSyscallStub)

# For compiling a specific technique
$ ./nimjector red -t <technique_name> -i <shellcode>

# For printing the source code of the technique
$ ./nimjector red -t <technique_name> -i <shellcode> -P

# For applying shellcode encryption
$ ./nimjector red -t <technique_name> -i <shellcode> -e

# For applying call variations 
$ ./nimjector red -t <technique_name> -i <shellcode> [-n | -s | -g]

Blue

# For running the checks on a single binary
$ ./nimjector blue -f <binary>

Credits

ar33zy/Nimjector

Nimjector

Installation

Usage

List

Red

Blue

Credits

Blog Posts

Process Injection Repositories

System Calls

Others

API Calls Description