OffensiveNim

OffensiveNim is a red teaming framework and post-exploitation toolkit developed in Nim. It provides a collection of low-level primitives and a Windows API wrapper designed for offensive security operations, including malware development and shellcode loading.

The project focuses on evasion and obfuscation through techniques such as API unhooking, direct system calls, and anti-debugging mechanisms. It features diverse payload delivery methods, including reflective binary loading, the execution of .NET assemblies via CLR hosting, and various shellcode injection techniques using fibers, COM objects, and remote process manipulation.

The framework covers a broad range of capabilities including credential and token extraction, system reconnaissance via Active Directory and WMI queries, and data exfiltration using HTTP and DNS tunneling. It also includes tools for privilege escalation testing, security monitoring disablement, and the implementation of symmetric AES-256 encryption for securing payloads.

Features

Red Team Tools - Serves as a full red teaming framework for developing custom offensive binaries and evasion tools.

Evasion Techniques - Bypasses endpoint detection and response systems by removing API hooks and using direct system calls.

Red Teaming Frameworks - Serves as a complete red teaming framework built in Nim for offensive security operations.

Evasion Tooling - Provides a comprehensive framework of utilities for bypassing security software through obfuscation and anti-debugging.

Indirect Process Execution - Employs indirect process execution and direct system calls to bypass standard API monitoring.

Process Injection Payloads - Provides the ability to allocate executable memory and inject shellcode into the current process.

Direct System Call Invocations - Invokes kernel functions directly to bypass user-mode hooks in system libraries for evasion.

Remote Thread Injection - Writes binary payloads to a remote process's memory and executes them via remote thread creation.

Resource-Based Shellcode Execution - Provides the capability to load and execute raw binary shellcode extracted from the executable's own resource sections.

Shellcode Loaders - Provides advanced mechanisms for executing arbitrary machine code in memory using fibers and reflective loading.

AMSI Bypasses - Overwrites the AMSI scanning function in memory to prevent the detection of malicious payloads.

Hook Removal - Implements EDR evasion by mapping clean copies of system libraries from disk to overwrite patched memory sections.

Credential Extraction Utilities - Extracts identity tokens and authentication secrets from running processes or local databases.

In-Memory Payload Execution - Loads and executes shellcode or .NET assemblies directly in memory to avoid disk artifacts.

CLR Hosting Loaders - Loads the .NET Common Language Runtime into unmanaged processes to execute assemblies reflectively.

Malware Development Kits - Provides low-level primitives and API wrappers specifically tailored for creating stealthy Windows malware.

Post-Exploitation Frameworks - Provides a comprehensive set of utilities for gathering system and network data after an initial compromise.

Post-Exploitation Toolkits - Ships a set of utilities for gathering data and maintaining access on hosts after initial compromise.

Privilege Escalation Techniques - Implements advanced methods for gaining elevated permissions by manipulating process tokens and system services.

Reflective Memory Executions - Maps portable executable sections and fixes import tables to run binaries directly from memory.

Security Software Evasion - Implements techniques to disable security mechanisms and unhook system libraries to evade antivirus and EDR systems.

Security Interface Disablers - Patches system components to disable security scanning interfaces like AMSI.

.NET Assembly Loaders - Executes .NET assemblies directly in memory via the Common Language Runtime to avoid disk persistence.

Evasion and Bypass Tools - Provides a suite of tools to detect and bypass debuggers, sandboxes, and other security analysis environments.

VBA Macro Embedding - Implements the insertion of VBA macros containing shellcode into Excel workbooks for payload delivery.

Windows DLL Generation - Builds dynamic link libraries with exported entry points and custom initialization logic.

Privileged Shell Executions - Duplicates access tokens from target processes to execute commands with stolen elevated privileges.

DNS Exfiltration Tools - Transmits base64 encoded file contents as DNS TXT record queries to bypass network restrictions.

Application Identity Spoofing - Creates suspended processes with fake parent IDs to disguise the execution's identity.

UUID-Encoded Shellcode Loading - Converts binary payloads into UUID strings to load them into heap memory via system callbacks.

Trampoline-Based Hook Engines - Implements a jump trampoline mechanism to intercept and redirect target function execution to custom handlers.

Binary Memory Dumping - Provides the ability to locate a specific system process and write its full memory contents to a file.

Inline Assembly Payload Execution - Executes binary shellcode using inline assembly to circumvent memory allocation monitoring.

Android Runtime API Hooking - Restores original ntdll bytes by mapping a fresh copy from disk to bypass API hooks.

COM Integration - Leverages the Windows COM object model to execute scripts and perform LDAP queries.

Macro-Based Shellcode Execution - Enables the execution of machine code by leveraging Excel 4.0 macros to perform system-level memory allocation.

Native Function Invocations - Provides capabilities to invoke native operating system functions via foreign interfaces for low-level operations.

Process Handle Acquisition - Provides mechanisms to obtain handles to remote processes using specific creation methods to bypass security.

Process Relationship Spoofing - Assigns a target process as the parent of a new process to hide the true origin of execution.

Suspended Thread Injection - Writes shellcode into a remote process and executes it by resuming a previously suspended thread.

Service Binary Path Hijacking - Modifies system service binary paths to run a custom payload before restoring the original path.

PowerShell - Executes PowerShell commands within a process by leveraging the .NET Common Language Runtime.

Thread Environment Block Access - Accesses the TEB address using direct assembly to bypass API monitoring.

Windows API Wrappers - Includes a comprehensive wrapper for the Windows API to simplify low-level process and memory operations.

Anti-Sandbox Techniques - Checks for network domain membership to identify and avoid execution within security sandbox environments.

Browser-Based Data Extraction - Reads and decrypts stored cookies from browser databases using local system keys.

Data Encryption - Transforms data into ciphertext using AES256-CTR mode and SHA256-derived keys.

Data Exfiltration Tools - Provides utilities to send stolen information to remote servers via DNS and HTTP protocols.

Debugger Detection - Includes mechanisms to detect debuggers using Thread Local Storage callbacks to prevent analysis.

Forensic Artifact Removal - Includes a feature to remove the currently running executable from disk to eliminate forensic traces.

Hardware Breakpoint Patching - Intercepts function execution by configuring CPU debug registers to redirect control flow.

Script-Based DLL Loaders - Encodes managed DLLs into scripts that load the binary directly into memory for stealthy execution.

Scripting Language Executions - Implements execution of VBScript and JScript code directly from memory using the IActiveScript interface.

Keystroke Logging - Includes a keylogger to record keystrokes for stealing passwords and sensitive data.

Directory Querying - Retrieves user and object information from a domain controller using LDAP filters.

Process Sandboxing - Implements process isolation by removing token privileges and setting the integrity level to Untrusted.

COM Scriptlet Execution - Fetches scriptlet files from remote URLs and executes them through the system's script component runtime.

COM Object Payloads - Runs payloads by leveraging system COM objects and script controls to execute code.

Runtime Memory Manipulation - Provides capabilities for dumping memory from remote processes and performing live memory manipulation.

Security Logging Evasion - Prevents system event logging by overwriting the memory of the event tracing function.

Symmetric Encryption - Secures payloads and configuration strings using AES-256 symmetric encryption.

CTR Mode Implementations - Secures data and payloads using the AES-256 cipher in counter mode for confidentiality.

Shellcode Execution via Fibers - Runs machine code in a new fiber to decouple the execution flow from the main process thread.

Dynamic Library Exports - Implements the export of internal logic as shared binary libraries to facilitate remote process injection.

Command Execution Engines - Provides utilities to programmatically run scripts, assembly code, and COM objects to interact with the operating system.

WMI Data Acquisition - Uses Windows Management Instrumentation to retrieve lists of running processes and installed antivirus software.

byt3bl33d3rOffensiveNim

Features

Star history