A Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory – which I ported to Nim.
You’ll need to install the following dependencies:
nimble install ptr_math winim
I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errors when using another version.
Compile
If you want to pass arguments on runtime or don’t want to pass arguments at all compile via:
nim c NimRunPE.nim
If you want to hardcode custom arguments modify const exeArgs to your needs and compile with:
nim c -d:args NimRunPE.nim – this was contributed by @glynx, thanks!
😎
More Information
The technique itself it pretty old, but I didn’t find a Nim implementation yet. So this has changed now. 🙂
If you plan to load e.g. Mimikatz with this technique – make sure to compile a version from source on your own, as the release binaries don’t accept arguments after being loaded reflectively by this loader. Why? I really don’t know it’s strange but a fact. If you compile on your own it will still work:
Â
My private Packer is also weaponized with this technique – but all Win32 functions are replaced with Syscalls there. That makes the technique stealthier.
