tijme/nimplant-beacon-position-independent-c-code
C-implant (PIC) for NimPlant C2


A truly Position Independent Code (PIC) NimPlant C2 beacon written in C, without reflective loading.
Built with ♥ by Tijme Gommers – Buy me a coffee via PayPal.

Abstract

A minimal Proof-of-Concept (PoC) NimPlant C2 beacon in plain C, designed to be truly Position Independent Code (PIC) without relying on a reflective loader such as Donut or sRDI. By resolving imports manually, keeping the data it needs on the stack, and never depending on fixed addresses, the beacon compiles directly to PIC. One advantage is size: the beacon is far smaller than a NimPlant beacon wrapped in a reflective loader (roughly 30 KB vs 800 KB). It is built on Relocatable, a boilerplate for developing raw, truly Position Independent Code (PIC).
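The two habits the abstract relies on are easy to show in isolation. The block below is an added example, not code from this repository or from Relocatable: it builds strings on the stack instead of pointing at .rdata literals, and it resolves "imports" by hashing export names so that only 4-byte hash constants, not API name strings, would end up in the shellcode. The export table, the sample export names and the `sample_*` functions are constructed stand-ins for a real module's export directory; the Windows-specific part (walking the PEB to find the module and its export directory) is deliberately left out so the example compiles and runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the project's code). Demonstrates the two PIC habits
 * described in the abstract: stack-built strings and hash-based import
 * resolution over a constructed export table. */

/* djb2 hash over a NUL-terminated name. A real beacon precomputes these at
 * build time and embeds only the 32-bit constants, never the names. */
uint32_t hash_name(const char *s) {
    uint32_t h = 5381u;
    while (*s) {
        h = (h << 5) + h + (uint8_t)(*s++);   /* h * 33 + c */
    }
    return h;
}

typedef int (*int_fn_t)(int);

/* Constructed stand-in for one entry of a target module's export directory.
 * The name lives in the target module's memory, not in the beacon. */
typedef struct {
    const char *name;
    int_fn_t address;
} fake_export_t;

/* Sample "exported" routines standing in for API functions (constructed). */
int sample_add_one(int x) { return x + 1; }
int sample_double(int x)  { return x * 2; }

/* Walk the export list and return the routine whose name hashes to `wanted`,
 * or NULL if none does. A beacon must treat NULL as fatal, not call it. */
int_fn_t resolve_by_hash(const fake_export_t *exports, size_t count, uint32_t wanted) {
    for (size_t i = 0; i < count; i++) {
        if (hash_name(exports[i].name) == wanted) {
            return exports[i].address;
        }
    }
    return NULL;
}

/* Build a module name on the stack. Writing "kernel32.dll" as a literal makes
 * the compiler emit a pointer into .rdata that needs a relocation; a
 * brace-initialised char array is normally emitted as immediate stores into
 * the stack frame. Caveat: for long arrays some compilers still emit a memcpy
 * from .rdata, so verify the final object has no relocations rather than
 * trusting the idiom. Returns the hash so a caller can check the result
 * without a literal of its own. */
uint32_t hash_of_stack_built_name(void) {
    char name[] = { 'k','e','r','n','e','l','3','2','.','d','l','l','\0' };
    return hash_name(name);
}

/* Resolve two sample exports by caller-supplied (i.e. precomputed) hashes and
 * chain them: (x + 1) * 2. The export table is constructed on the stack for
 * the demo. Returns -1 if either hash is not found. */
int demo_resolve(uint32_t hash_add_one, uint32_t hash_double, int x) {
    fake_export_t exports[] = {
        { "sample_add_one", sample_add_one },
        { "sample_double",  sample_double  },
    };
    size_t count = sizeof(exports) / sizeof(exports[0]);

    int_fn_t add_one = resolve_by_hash(exports, count, hash_add_one);
    int_fn_t dbl     = resolve_by_hash(exports, count, hash_double);
    if (add_one == NULL || dbl == NULL) {
        return -1;
    }
    return dbl(add_one(x));
}

int main(void) {
    /* In a real build the two hash constants come from a build-time step;
     * here they are computed from literals purely to drive the demo. */
    uint32_t h_add = hash_name("sample_add_one");
    uint32_t h_dbl = hash_name("sample_double");
    printf("hash of stack-built \"kernel32.dll\": 0x%08x\n", hash_of_stack_built_name());
    printf("demo_resolve(20) = %d\n", demo_resolve(h_add, h_dbl, 20));
    return 0;
}
```

The check a practitioner adds on top of this is mechanical: after linking, inspect the object for relocation entries and for any reference to `.rdata`/`.data`; if either shows up, a literal or a global slipped in and the blob is not truly position independent.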

⚠️ This minimal Proof-of-Concept (PoC) was developed to showcase Kong Loader (to be released at BlackHat Asia on the 3rd of April 2025). It is a Minimum Viable Product (MVP) and is definitely not production-ready or opsec-safe. Memory is not handled safely either, so leaks and memory-safety bugs in the code are likely. ⚠️

Getting started

Clone this repository first. Install the dependencies, then review the code.

Dependencies

Modify the code

Adjust the implant settings in the __main function from ./src/main.c to your needs.

Compiling

make

Usage

Load ./dst/shellcode.bin using your shellcode loader (technique) of choice. An example loader that you can use is Kong Loader, which will be released at BlackHat Asia on the 3rd of April 2025.

Another option is to convert it to a C array using xxd.

xxd -i dst/shellcode.bin

This outputs roughly 30 KB of truly Position Independent Code (PIC) to be used in your own loader.

Progress

As stated, this is just a minimal Proof-of-Concept (PoC) showcasing a beacon in truly Position Independent Code (PIC). Not all functionalities and commands that you are used to in NimPlant beacons are available yet.

  • [✅] Implant initialization functionality.
  • [✅] Implant registration functionality.
  • [✅] AES encryption of data passed via JSON.
  • [✅] Retrieve metadata and send it back to the NimPlant server.
  • [✅] Support implant command cat.
  • [✅] Support implant command cd.
  • [✅] Support implant command cp.
  • [✅] Support implant command ls.
  • [✅] TODO: Support implant command mv.
  • [✅] Support implant command pwd.
  • [✅] TODO: Support implant command shell.
  • [✅] Support implant command whoami.
  • [⚠️] TODO: Support all implant configuration options.
  • [⚠️] TODO: Support jitter if sleep is used.
  • [⚠️] TODO: Support incremental delay if server not reachable.
  • [⚠️] TODO: Basic opsec such as string obfuscation.
  • [⚠️] TODO: Low coupling, high cohesion.
  • [⚠️] TODO: Support implant command curl.
  • [⚠️] TODO: Support implant command download.
  • [⚠️] TODO: Support implant command env.
  • [⚠️] TODO: Support implant command execute-assembly.
  • [⚠️] TODO: Support implant command get-av.
  • [⚠️] TODO: Support implant command get-domain.
  • [⚠️] TODO: Support implant command get-local-admin.
  • [⚠️] TODO: Support implant command inline-execute.
  • [⚠️] TODO: Support implant command mkdir.
  • [⚠️] TODO: Support implant command powershell.
  • [⚠️] TODO: Support implant command ps.
  • [⚠️] TODO: Support implant command reg.
  • [⚠️] TODO: Support implant command rm.
  • [⚠️] TODO: Support implant command run.
  • [⚠️] TODO: Support implant command screenshot.
  • [⚠️] TODO: Support implant command shinject.
  • [⚠️] TODO: Support implant command sleep.
  • [⚠️] TODO: Support implant command upload.
  • [⚠️] TODO: Support implant command wget.

Issues & requests

Issues or new feature requests can be reported via the issue tracker. Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.

License & copyright

Copyright (c) 2025 Tijme Gommers. This project is released under the GNU General Public License, version 2.0. View LICENSE.md for the full license.
