The Nim programming language has turn into more and more engaging to malware builders resulting from its sturdy compiler and its potential to work simply with different languages. Nim’s compiler can compile Nim to JavaScript, C, C++, and Goal-C, and cross-compile for main working methods equivalent to Home windows, Linux, macOS, Android, and iOS. Moreover, Nim helps importing capabilities and symbols from the languages talked about above, and importing from dynamically linked libraries for Home windows and shared libraries for Linux. Nim wrapper modules are additionally obtainable, equivalent to Winim, that make interplay with the working system painless. All these capabilities enable straightforward integration of Nim into improvement pipelines utilizing these languages and enhance the event of recent instruments, each benign and malicious.
It’s no shock, then, that ESET Analysis has seen an ongoing use of malware developed in Nim within the wild. Way back to 2019, Sednit was noticed utilizing a malicious downloader written in Nim. One other infamous group taking part in the Nim sport, and the impetus for growing Nimfilt, is the Mustang Panda APT group. ESET Analysis recorded Mustang Panda utilizing Nim in its toolset for the primary time in a marketing campaign in opposition to a governmental group in Slovakia in August 2023. The malicious DLL detected – and used as a part of the group’s traditional trident Korplug loader – was written in Nim.
For researchers tasked with reverse engineering such binaries, Nimfilt is a robust instrument to hurry up evaluation. Whereas Nimfilt might be run as a Python script each on the command line (with a subset of its performance) and in Hex-Rays’ IDA program, it will likely be offered right here primarily as a Python plugin for IDA.
Initializing Nimfilt in IDA
When IDA is first opened, it hundreds and initializes any plugins within the IDA plugins listing. Through the initialization of Nimfilt, the plugin makes use of primary heuristics to find out whether or not the disassembled binary was compiled with the Nim compiler. If one of many following checks is handed, Nimfilt determines that this compiler was used:
- The binary accommodates each of the next strings:
- The binary accommodates any of the next well-known Nim perform names:
- NimMain
- NimMainInner
- NimMainModule
- The binary accommodates not less than two of the next error message strings:
- @worth out of vary
- @division by zero
- @over- or underflow
- @index out of bounds
YARA guidelines are supplied together with Nimfilt that make comparable checks to find out whether or not an ELF or PE file has been compiled with Nim. Collectively, these checks are way more sturdy than the strategy taken by different instruments, equivalent to Detect It Straightforward, which presently solely checks the .rdata part of PE information for the string io.nim or deadly.nim.
As the ultimate initialization step, if Nimfilt’s AUTO_RUN flag is ready to true, the plugin runs instantly. In any other case, Nimfilt might be run as normal from IDA’s plugins menu, as proven in Determine 1.
Demangling with Nimfilt
Nim makes use of a customized title mangling scheme that Nimfilt can decode. Throughout a run, Nimfilt iterates via every perform title within the binary, checking whether or not the title is a Nim package deal or perform title. Found names are renamed to their demangled types.
Apparently, these names can leak details about the developer’s atmosphere, in a lot the identical means as PDB paths. That is because of the Nim compiler including the file path to the title throughout mangling – Nimfilt reveals the trail upon demangling.
For instance, perform names from third-party packages are saved as absolute paths in the course of the mangling course of. Determine 2 reveals a perform title that’s saved as an absolute path revealing the model and checksum of the nimSHA2 package deal used, together with the developer’s set up path for nimble – Nim’s default package deal supervisor.
python nimfilt.py GET_UINT32_BE__6758Z85sersZ85serOnameZOnimbleZpkgs50Znim837265504548O49O494554555453d57a4852c515056c5452eb5354b51fa5748f5253545748505752cc56fdZnim83726550_u68
C:/Customers/Consumer.title/.nimble/pkgs2/nimSHA2-0.1.1-6765d9a04c328c64eb56b3fa90f45690294cc8fd/nimSHA2::GET_UINT32_BE u68
Determine 2. Demangling the title of a perform from a third-party package deal
In distinction, Determine 3 reveals the title of a perform from a regular Nim package deal saved as a relative path (that’s, relative to the Nim set up path).
python nimfilt.py toHex__pureZstrutils_u2067
pure/strutils::toHex u2067
Determine 3. Demangling the title of a perform from a regular Nim package deal
Nonetheless, names aren’t at all times mangled in the identical means. Determine 4 reveals that the identical perform title above from the nimSHA2 package deal is saved on Linux as a relative path.
python nimfilt.py GET_UINT32_BE__OOZOOZOOZhomeZalexZOnimbleZpkgs50Znim837265504548O49O494554555453d57a4852c515056c5452eb5354b51fa5748f5253545748505752cc56fdZnim83726550_u49
Determine 4. Demangling the title of a perform from a third-party package deal on Linux
Bundle initialization capabilities are mangled in a very completely different means: the package deal title is saved as a file path (together with the file extension) positioned earlier than the perform title and an escaping scheme is used to signify sure characters like ahead slashes, hyphens, and dots. Upon demangling, Nimfilt cleans up the package deal title by eradicating the .nim file extension, as proven in Determine 5.
python nimfilt.py atmdotdotatsdotdotatsdotnimbleatspkgsatswinimminus3dot9dot1atswinimatsincatswinbasedotnim_DatInit000
Determine 5. Demangling the title of an initialization perform from a third-party package deal
Determine 6 reveals how names of initialization capabilities from native packages are saved as absolute paths.
python nimfilt.py atmCatcatstoolsatsNimatsnimminus2dot0dot0atslibatssystemdotnim_Init000
C:/instruments/Nim/nim-2.0.0/lib/system::Init000
Determine 6. Demangling the title of an initialization perform from a local package deal
In IDA, Nimfilt’s title demangling course of is adopted by the creation of directories within the Capabilities window to prepare capabilities in response to their package deal title or path, as proven in Determine 7.
Making use of structs to Nim strings
The final motion carried out throughout a run of Nimfilt is making use of C-style structs to Nim strings. Simply as strings in another programming languages are objects slightly than null-terminated sequences of bytes, so are strings in Nim. Determine 8 reveals how the string ABCDEF seems in IDA earlier than and after working Nimfilt. Notice that in disassembled type, a Nim-compiled binary makes use of the prefix _TM as part of the non permanent title of some variables; these are sometimes Nim strings.
Nimfilt iterates via every deal with within the .rdata or .rodata section, and in another read-only information section, searching for Nim strings. Structs are utilized to any found strings; the struct accommodates a size discipline and a pointer to the payload consisting of the characters within the string.
Wrap-up
On its strategy to being compiled as an executable, Nim supply code is usually translated to C or C++; nonetheless, this course of doesn’t solely take away all traces of Nim. By taking a journey via the Nim compiler supply code, we now have unraveled a few of the paths taken within the compilation course of and have been thus in a position to construct Nimfilt as a Python instrument, and IDA plugin, to help on this untangling.
In brief, whether or not or not you might be new to Nim, turning to Nimfilt will make your reverse engineering work with Nim-compiled binaries virtually immediately simpler and extra centered. Not at all, nonetheless, is Nimfilt’s improvement at a standstill; we’re engaged on extra options to deal with double mangling, and enhance the formatting of demangled names and the grouping of package deal names.
Nimfilt’s supply code and documentation can be found in a repository hosted on ESET’s GitHub group at https://github.com/eset/nimfilt.
