{"id":13578946,"url":"https://github.com/b1nhack/rust-shellcode","last_synced_at":"2025-04-05T20:32:46.529Z","repository":{"id":154018446,"uuid":"616477124","full_name":"b1nhack/rust-shellcode","owner":"b1nhack","description":"windows-rs shellcode loaders","archived":false,"fork":false,"pushed_at":"2024-07-11T08:57:46.000Z","size":107,"stargazers_count":347,"open_issues_count":0,"forks_count":49,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-04T23:03:47.147Z","etag":null,"topics":["bypass-antivirus","bypass-av","offensive-security","rust","shellcode-injection","shellcode-loader"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/b1nhack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-20T13:17:19.000Z","updated_at":"2025-04-01T22:13:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"6a686ef1-c0bf-4da3-832c-d64eb9cec9f6","html_url":"https://github.com/b1nhack/rust-shellcode","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/b1nhack%2Frust-shellcode","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/b1nhack%2Frust-shellcode/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/b1nhack%2Frust-shellcode/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/b1nhack%2Frust-shellcode/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/b1nhack","download_url":"https://codeload.github.com/b1nhack/rust-shellcode/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247399818,"owners_count":20932875,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass-antivirus","bypass-av","offensive-security","rust","shellcode-injection","shellcode-loader"],"created_at":"2024-08-01T15:01:35.246Z","updated_at":"2025-04-05T20:32:46.233Z","avatar_url":"https://github.com/b1nhack.png","language":"Rust","readme":"# 🤖 rust-shellcode 🤖\r\nThis project provides the underlying support for AV bypass in offensive activities.  \r\nThe available Shellcode loaders include:\r\n* [asm](#asm)\r\n* [create_fiber](#create_fiber)\r\n* [create_process](#create_process)\r\n* [create_remote_thread](#create_remote_thread)\r\n* [create_remote_thread_native](#create_remote_thread_native)\r\n* [create_thread](#create_thread)\r\n* [create_thread_native](#create_thread_native)\r\n* [early_bird](#early_bird)\r\n* [etwp_create_etw_thread](#etwp_create_etw_thread)\r\n* [memmap2_transmute](#memmap2_transmute)\r\n* [module_stomping](#module_stomping)\r\n* [nt_queue_apc_thread_ex_local](#nt_queue_apc_thread_ex_local)\r\n* [rtl_create_user_thread](#rtl_create_user_thread)\r\n\r\n## Build\r\nThis is a Rust project; you need to install [Rust](https://www.rust-lang.org/) first.  \r\nThen you can build with the following command:\r\n\r\n```shell\r\ncargo build --release\r\n```\r\n\r\nBinaries are in `target/release`.\r\n\r\n## How to use\r\nThis project is just a basic demo; you need to choose the right loading method, \r\nencrypt the SHELLCODE, download the SHELLCODE from the internet, \r\nor use it with ETW patching, unhooking, etc.\r\n\r\n## asm\r\nSHELLCODE executes locally.\r\n1. link SHELLCODE into the .text section\r\n2. inline asm using the `asm!` macro\r\n3. call SHELLCODE\r\n\r\n## create_fiber\r\nSHELLCODE executes locally.\r\n1. convert the current thread to a fiber using `ConvertThreadToFiber`\r\n2. alloc memory using `VirtualAlloc`\r\n3. copy SHELLCODE to allocated memory using `std::ptr::copy`\r\n4. create a fiber using `CreateFiber`\r\n5. jump to SHELLCODE using `SwitchToFiber`\r\n6. jump back\r\n\r\n## create_process\r\nSHELLCODE executes locally.\r\n1. create a process in `CREATE_SUSPENDED` state using `CreateProcessA`\r\n2. alloc remote memory using `VirtualAllocEx`\r\n3. copy SHELLCODE to allocated memory using `WriteProcessMemory`\r\n4. change memory permission to executable using `VirtualProtectEx`\r\n5. get `PROCESS_BASIC_INFORMATION` using `NtQueryInformationProcess`\r\n6. get `PEB` using `ReadProcessMemory`\r\n7. get `IMAGE_DOS_HEADER` using `ReadProcessMemory`\r\n8. get `IMAGE_FILE_HEADER` using `ReadProcessMemory`\r\n9. determine whether `IMAGE_FILE_HEADER.Machine` is x86 or x64\r\n10. get `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64]` using `ReadProcessMemory`\r\n11. let `entrypoint` = `ImageBaseAddress` + `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64].AddressOfEntryPoint`\r\n12. write a piece of assembly code to the `entrypoint` to jump to the SHELLCODE using `WriteProcessMemory`\r\n13. resume the process's thread using `ResumeThread`\r\n14. close the opened handle using `CloseHandle`\r\n\r\n## create_remote_thread\r\nSHELLCODE executes remotely.  \r\nInjects into `explorer.exe` by default.\r\n1. get pid by process name using crate `sysinfo`\r\n2. get handle using `OpenProcess`\r\n3. alloc remote memory using `VirtualAllocEx`\r\n4. copy SHELLCODE to allocated memory using `WriteProcessMemory`\r\n5. change memory permission to executable using `VirtualProtectEx`\r\n6. execute SHELLCODE using `CreateRemoteThread`\r\n7. close the opened handle using `CloseHandle`\r\n\r\n## create_remote_thread_native\r\nSHELLCODE executes remotely.  \r\nInjects into `explorer.exe` by default.  \r\nThis is the same as [create_remote_thread](#create_remote_thread), but without crate `windows-sys`;  \r\nit uses crate `libloading` to get functions from DLLs.\r\n\r\n## create_thread\r\nSHELLCODE executes locally.\r\n1. alloc remote memory using `VirtualAlloc`\r\n2. copy SHELLCODE to allocated memory using `std::ptr::copy`\r\n3. change memory permission to executable using `VirtualProtect`\r\n4. execute SHELLCODE using `CreateThread`\r\n5. wait for thread exit using `WaitForSingleObject`\r\n\r\n## create_thread_native\r\nSHELLCODE executes locally.  \r\nThis is the same as [create_thread](#create_thread), but without crate `windows-sys`;  \r\nit uses crate `libloading` to get functions from DLLs.\r\n\r\n## early_bird\r\nSHELLCODE executes remotely.  \r\nCreates and injects into `svchost.exe` by default.\r\n1. create a process using `CreateProcessA`\r\n2. alloc remote memory using `VirtualAllocEx`\r\n3. copy SHELLCODE to allocated memory using `WriteProcessMemory`\r\n4. change memory permission to executable using `VirtualProtectEx`\r\n5. execute process using `QueueUserAPC`\r\n6. resume the process's thread using `ResumeThread`\r\n7. close the opened handle using `CloseHandle`\r\n\r\n## etwp_create_etw_thread\r\nSHELLCODE executes locally.\r\n1. get the `EtwpCreateEtwThread` function from `ntdll` using `LoadLibraryA` and `GetProcAddress`\r\n2. alloc remote memory using `VirtualAlloc`\r\n3. copy SHELLCODE to allocated memory using `std::ptr::copy`\r\n4. change memory permission to executable using `VirtualProtect`\r\n5. execute SHELLCODE using `EtwpCreateEtwThread`\r\n6. wait for thread exit using `WaitForSingleObject`\r\n\r\n## memmap2_transmute\r\nSHELLCODE executes locally.\r\n1. alloc memory using crate `memmap2`\r\n2. copy SHELLCODE using the `copy_from_slice` function from the `MmapMut` struct\r\n3. change memory permission to executable using the `make_exec` function from the `MmapMut` struct\r\n4. convert the memory pointer to an fn type using `transmute`\r\n5. execute the fn\r\n\r\n## module_stomping\r\nSHELLCODE executes remotely.  \r\nInjects into `notepad.exe` by default.\r\n1. get pid by process name using crate `sysinfo`\r\n2. get handle using `OpenProcess`\r\n3. alloc remote memory using `VirtualAllocEx`\r\n4. copy dll path to allocated memory using `WriteProcessMemory`\r\n5. get `LoadLibraryA` address using `GetProcAddress` with `GetModuleHandleA`\r\n6. load dll using `CreateRemoteThread`\r\n7. wait for the created remote thread using `WaitForSingleObject`\r\n8. get modules using `EnumProcessModules`\r\n9. get module name using `GetModuleBaseNameA`\r\n10. alloc memory using `HeapAlloc`\r\n11. get entry_point using `ReadProcessMemory`\r\n12. copy SHELLCODE to dll entry_point using `WriteProcessMemory`\r\n13. execute SHELLCODE using `CreateRemoteThread`\r\n14. close the opened handle using `CloseHandle`\r\n\r\n## nt_queue_apc_thread_ex_local\r\nSHELLCODE executes locally.\r\n1. get the `NtQueueApcThreadEx` function from `ntdll` using `LoadLibraryA` and `GetProcAddress`\r\n2. alloc remote memory using `VirtualAlloc`\r\n3. copy SHELLCODE to allocated memory using `std::ptr::copy`\r\n4. change memory permission to executable using `VirtualProtect`\r\n5. get the current thread handle using `GetCurrentThread`\r\n6. execute SHELLCODE using `NtQueueApcThreadEx`\r\n\r\n## rtl_create_user_thread\r\nSHELLCODE executes remotely.  \r\nInjects into `explorer.exe` by default.\r\n1. get the `RtlCreateUserThread` function from `ntdll` using `LoadLibraryA` and `GetProcAddress`\r\n2. get pid by process name using crate `sysinfo`\r\n3. get handle using `OpenProcess`\r\n4. alloc remote memory using `VirtualAllocEx`\r\n5. copy SHELLCODE to allocated memory using `WriteProcessMemory`\r\n6. change memory permission to executable using `VirtualProtectEx`\r\n7. execute SHELLCODE using `RtlCreateUserThread`\r\n8. close the opened handle using `CloseHandle`\r\n","funding_links":[],"categories":["Rust"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fb1nhack%2Frust-shellcode","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fb1nhack%2Frust-shellcode","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fb1nhack%2Frust-shellcode/lists"}