An open API service indexing awesome lists of open source software.

https://github.com/affix/rusty-hollow

Unix Process hollowing in rust
https://github.com/affix/rusty-hollow

Last synced: over 1 year ago
JSON representation

Unix Process hollowing in rust

Awesome Lists containing this project

README

          

Process Hollowing on Unix with Rust
====================================

This repository provides an example of process hollowing on Unix systems implemented in Rust. Process hollowing is a technique often used in penetration testing and malware development where an executable process is started and its memory is replaced with arbitrary shellcode, effectively "hollowing out" the original process.

In this example, the process /bin/ls is hollowed and replaced with shellcode. By default, the shellcode executes the whoami command, generated using msfvenom.

## Features
- Demonstrates process hollowing on Unix systems using Rust.
- Uses ptrace for memory manipulation and process control.
- Executes arbitrary shellcode within the hollowed process.

## Shellcode Details
By default, the shellcode used in this example is a whoami shellcode, generated by msfvenom. It prints the current user's username when executed.

The shellcode is pre-generated and included directly in the code as a byte array:

```rust
let shellcode: [u8; 43] = [
0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f,
0x73, 0x68, 0x00, 0x99, 0x50, 0x54, 0x5f, 0x52, 0x66, 0x68, 0x2d, 0x63,
0x54, 0x5e, 0x52, 0xe8, 0x07, 0x00, 0x00, 0x00, 0x77, 0x68, 0x6f, 0x61,
0x6d, 0x69, 0x00, 0x56, 0x57, 0x54, 0x5e, 0x6a, 0x3b, 0x58, 0x0f, 0x05
];
```

This shellcode can be replaced with any custom shellcode for testing purposes.

## Prerequisites
- Rust: Ensure you have the Rust toolchain installed. Visit rust-lang.org for installation instructions.
- Unix-based OS: This example is designed for Unix systems (e.g., Linux).

## Generating Custom Shellcode
To generate your own shellcode (e.g., with msfvenom):

```bash
msfvenom -p linux/x64/exec CMD=whoami -f rust
```

Replace the default shellcode in the source code with your generated shellcode.

How It Works
- Forking a Child Process: The program forks the current process into a parent and child.
- Tracing the Child: The child process is started under ptrace for debugging.
- Executing /bin/ls: The child process executes /bin/ls using execve as a placeholder process.
- Injecting Shellcode: The parent process writes the shellcode to the child process's memory at its instruction pointer (RIP).
- Resuming the Process: The parent process resumes the execution of the hollowed child process, running the shellcode.

## Usage

Clone the repository:

```bash
git clone
cd
```

Build the project:

```bash
cargo build --release
```

Run the binary with root privileges:

```bash
sudo ./target/release/process_hollowing
```

Observe the output:

The parent process will print logs showing the memory manipulation and injection.
The hollowed process will execute the whoami shellcode, printing the username of the current user.

## #Example Output
```
I'm the parent! My child is 12345
Child stopped: Stopped(PtraceEvent)
RIP: 0x7fffabcde000
Writing shellcode to child process...
Wrote chunk to 0x7fffabcde000: 0x68732f2f6e69622f
...
Shellcode written!
root
```
## Disclaimer
This project is for educational purposes only. Misuse of this code can result in legal and ethical consequences. Always ensure you have explicit permission before using techniques like process hollowing.