Bitmancer is a library for Offensive Security Tooling development for the Windows operating system written in Nim. It aims to provide common APIs, routines, and macros with highly configurable, position-independent, standalone implementations.
If you're looking to develop an Implant, test a quick PoC, or write a brand new shiny tool - Bitmancer can help you get started!
Bitmancer partially uses winim for its types. To install it, run:

```
nimble install winim
```
Bitmancer is not yet part of the nimble repository. For the time being, you can install it from GitHub by simply running:

```
nimble install
```
MinGW and Nim will introduce dependencies on MSVCRT and Kernel32, as well as global variables used by Nim's System module. If you want to avoid these for position-independent code, use the provided nim.cfg.

To compile:

```
nim c -d:mingw <Your_Nim_File>
```
For all modules:

```nim
import Bitmancer
```

If you don't need NTDLL routines or syscalls, you can simply use:

```nim
import Bitmancer/core
```

For just the hashing procedures:

```nim
import Bitmancer/core/obfuscation/hash
```
- Compile Time defines simplified (YAML?)
- Examples
- Documentation
- Larger compile-time Hash Seed
- Tests!
- ApiSet Name Resolving
- Common APIs (GetProcAddress, GetModuleHandle, GetSystemTime, etc..)
- Hashing
- Compile Time
- Run Time
- Manual Mapper
- From Disk
- From Memory 🚧
- DLLs 🚧
- COFFs 🚧
- Nt* Syscalls
- Rtl* procedures
- NTLoader Database
- Red Black Trees (RTL_BALANCED_NODE)
- Portable Executable parsing and utilities
- SSN Enumeration
- Stack Strings
- Syscall Evasion Techniques
- Direct Syscalls
- Indirect Syscalls
- Anti-Debug Routines and Utilities
- Encryption
- Exception Handling
- Callbacks
- Instrumented
- Native
- Hooking Routines and Utilities
- More NTDLL Wrappers
- Sleep Evasion Techniques
- Stack Spoofing
- Syscall Evasion Techniques
- x86 Support
If there's a feature/technique you would like implemented, let me know!
Stack Strings:

```nim
var wStr {.stackStringW.} = "Hello!"
var cStr {.stackStringA.} = "World!"
```
If you're looking to generate a wrapper around a syscall not currently available, the basic flow is as follows:
```nim
## Import syscalls
import Bitmancer/syscalls
## For hashing
import Bitmancer/core/obfuscation/hash

## Define your type
type NtClose = proc(h: HANDLE): NTSTATUS {.stdcall, gcsafe.}

## Generate the wrapper
## Define configurations for how to retrieve and execute the syscall
## The procedure's symbol enumeration method - available options are:
##   UseEAT       - use the export address table to resolve the symbol
##   UseIAT       - use the import address table to resolve the symbol
##   UseLdrThunks - use the NTLoader's LdrThunkSignatures to map a clean NTDLL to resolve symbols from
const symEnum = SymbolEnumeration.UseEAT
## The SSN enumeration method - available options are:
##   HellsGate
##   HalosGate
##   TartarusGate
##   ZwCounter
const ssnEnum = SsnEnumeration.HellsGate
## Finally, the execution method - available options are:
##   Direct   - use the direct syscall stub
##   Indirect - use the indirect syscall stub
const exeEnum = SyscallExecution.Indirect

## Define an ident (a compile-time hash of the name) to identify the symbol
const NtCloseHash = ctDjb2 "NtClose"

## Retrieve NTDLL
let Ntdll = ? NTDLL_BASE()

## Call ctGetNtSyscall, retrieving the NtSyscall object that contains the SSN,
## a pointer to the address of the function, and a stub cast to your type.
let NtSyscall = ctGetNtSyscall[NtClose](Ntdll, ModuleHandle(NULL), NtCloseHash, symEnum, ssnEnum, exeEnum)

## Finally, call the wrapper!
NtCloseWrapper(h, NtSyscall.wSyscall, NtSyscall.pSyscall, NtSyscall.pFunction)
```
See the runShellCode example for a complete, end-to-end example.

More examples can also be found in ntdll.
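The hashing feature and the `ctDjb2 "NtClose"` ident above both rest on the same idea: a symbol is referenced by a 32-bit hash of its name rather than by the string. As an added example that is not part of Bitmancer, the following defender-side script implements classic DJB2 (seed 5381, `h*33 + c`, truncated to 32 bits; whether Bitmancer's `ctDjb2` uses the same seed is an assumption), hashes a watch list of API names, and scans a constructed byte blob for those little-endian constants, the way a detection rule flags hashed symbol resolution in a sample.

```python
import struct
from typing import Dict, List, Tuple


def djb2(name: str, seed: int = 5381) -> int:
    """Classic DJB2 over the ASCII bytes of `name`, truncated to 32 bits.
    Assumption: seed 5381; Bitmancer's ctDjb2 seed may differ."""
    h = seed
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def build_hash_table(names: List[str]) -> Dict[int, str]:
    """Map each DJB2 value back to its API name so a hit is reported by name."""
    return {djb2(n): n for n in names}


def find_hashed_apis(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Scan `blob` at every byte offset for a 32-bit little-endian constant
    present in `table`; return (offset, api_name) pairs in offset order."""
    hits: List[Tuple[int, str]] = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        if value in table:
            hits.append((off, table[value]))
    return hits


# Constructed sample (not from any real binary): neutral filler bytes around
# two embedded hash constants, standing in for the immediates a hashed resolver
# compares against.
WATCHED_APIS = ["NtClose", "NtAllocateVirtualMemory", "LdrLoadDll"]
SAMPLE_BLOB = (
    b"\x00\x01\x02\x03"
    + struct.pack("<I", djb2("NtClose"))      # hashed "NtClose" at offset 4
    + b"\x04\x05"
    + struct.pack("<I", djb2("LdrLoadDll"))   # hashed "LdrLoadDll" at offset 10
    + b"\x06"
)

if __name__ == "__main__":
    table = build_hash_table(WATCHED_APIS)
    for off, api in find_hashed_apis(SAMPLE_BLOB, table):
        print(f"offset {off:#06x}: hashed reference to {api}")
```

A real scan would run the same table over code sections of a sample; the table is cheap to extend to every exported name of the DLLs of interest.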