https://github.com/b1nhack/rust-shellcode

windows-rs shellcode loaders
https://github.com/b1nhack/rust-shellcode

bypass-antivirus bypass-av offensive-security rust shellcode-injection shellcode-loader

Last synced: 8 days ago
JSON representation

windows-rs shellcode loaders

• Host: GitHub
• URL: https://github.com/b1nhack/rust-shellcode
• Owner: b1nhack
• License: mit
• Created: 2023-03-20T13:17:19.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2024-07-11T08:57:46.000Z (4 months ago)
• Last Synced: 2024-08-01T15:30:41.101Z (3 months ago)
• Topics: bypass-antivirus, bypass-av, offensive-security, rust, shellcode-injection, shellcode-loader
• Language: Rust
• Homepage:
• Size: 104 KB
• Stars: 244
• Watchers: 3
• Forks: 32
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# 🤖 rust-shellcode 🤖

This project provides the underlying support for bypass av of offensive activities.  

The available Shellcode loaders include:

* [asm](#asm)

* [create_fiber](#create_fiber)

* [create_process](#create_process)

* [create_remote_thread](#create_remote_thread)

* [create_remote_thread_native](#create_remote_thread_native)

* [create_thread](#create_thread)

* [create_thread_native](#create_thread_native)

* [early_bird](#early_bird)

* [etwp_create_etw_thread](#etwp_create_etw_thread)

* [memmap2_transmute](#memmap2_transmute)

* [module_stomping](#module_stomping)

* [nt_queue_apc_thread_ex_local](#nt_queue_apc_thread_ex_local)

* [rtl_create_user_thread](#rtl_create_user_thread)

## Build

This is a rust project, you need install [rust](https://www.rust-lang.org/) first.  

Then, you can build with follow command:

```shell

cargo build --release

```

Binarys in `target/release`

## How to use

This project is just a basic demo, you need to choose the right loading method, 

encrypt the SHELLCODE, download the SHELLCODE from the internet, 

or use it with ETW patch, unhooking, etc.

## asm

SHELLCODE execute locally.

1. link SHELLCODE to .text section

2. inline asm using asm! macro

3. call SHELLCODE

## create_fiber

SHELLCODE execute locally.

1. convert current thread to fiber using `ConvertThreadToFiber`

2. alloc memory using `VirtualAlloc`

3. copy SHELLCODE to allocated memory using `std::ptr::copy`

4. create a fiber using `CreateFiber`

5. jump SHELLCODE using `SwitchToFiber`

6. jump back

## create_process

SHELLCODE execute locally.

1. create a process in `CREATE_SUSPENDED` state using `CreateProcessA`

2. alloc remote memory using `VirtualAllocEx`

3. copy SHELLCODE to allocated memory using `WriteProcessMemory`

4. change memory permission to executable using `VirtualProtectEx`

5. get `PROCESS_BASIC_INFORMATION` using `NtQueryInformationProcess`

6. get `PEB` using `ReadProcessMemory`

7. get `IMAGE_DOS_HEADER` using `ReadProcessMemory`

8. get `IMAGE_FILE_HEADER` using `ReadProcessMemory`

9. determine `IMAGE_FILE_HEADER.Machine` is x86 or x64

10. get `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64]` using `ReadProcessMemory`

11. let `entrypoint` = `ImageBaseAddress` + `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64].AddressOfEntryPoint`

12. write a piece of assembly code to the `entrypoint` to jump to the SHELLCODE using `WriteProcessMemory`

13. resume process's thread using `ResumeThread`

14. close opened handle using `CloseHandle`

## create_remote_thread

SHELLCODE execute remotely.  

inject `explorer.exe` by default.

1. get pid by process name using crate `sysinfo`

2. get handle using `OpenProcess`

3. alloc remote memory using `VirtualAllocEx`

4. copy SHELLCODE to allocated memory using `WriteProcessMemory`

5. change memory permission to executable using `VirtualProtectEx`

6. execute SHELLCODE using `CreateRemoteThread`

7. close opened handle using `CloseHandle`

## create_remote_thread_native

SHELLCODE execute remotely.  

inject `explorer.exe` by default.  

this is same with [create_remote_thread](#create_remote_thread), but without crate `windows-sys`  

using crate `libloading` get functions from dlls.

## create_thread

SHELLCODE execute locally.

1. alloc remote memory using `VirtualAlloc`

2. copy SHELLCODE to allocated memory using `std::ptr::copy`

3. change memory permission to executable using `VirtualProtect`

4. execute SHELLCODE using `CreateThread`

5. waiting thread exit using `WaitForSingleObject`

## create_thread_native

SHELLCODE execute locally.  

this is same with [create_thread](#create_thread), but without crate `windows-sys`  

using crate `libloading` get functions from dlls.

## early_bird

SHELLCODE execute remotely.  

create and inject `svchost.exe` by default.

1. create a process using `CreateProcessA`

2. alloc remote memory using `VirtualAllocEx`

3. copy SHELLCODE to allocated memory using `WriteProcessMemory`

4. change memory permission to executable using `VirtualProtectEx`

5. execute process using `QueueUserAPC`

6. resume process's thread using `ResumeThread`

7. close opened handle using `CloseHandle`

## etwp_create_etw_thread

SHELLCODE execute locally.

1. get `EtwpCreateEtwThread` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress`

2. alloc remote memory using `VirtualAlloc`

3. copy SHELLCODE to allocated memory using `std::ptr::copy`

4. change memory permission to executable using `VirtualProtect`

5. execute SHELLCODE using `EtwpCreateEtwThread`

6. waiting thread exit using `WaitForSingleObject`

## memmap2_transmute

SHELLCODE execute locally.

1. alloc memory using crate `memmap2`

2. copy SHELLCODE using `copy_from_slice` function from `MmapMut` struct

3. change memory permission to executable using `make_exec` funtion from `MmapMut` struct

4. convert memory pointer to fn type using `transmute`

5. execute fn

## module_stomping

SHELLCODE execute remotely.  

inject `notepad.exe` by default.

1. get pid by process name using crate `sysinfo`

2. get handle using `OpenProcess`

3. alloc remote memory using `VirtualAllocEx`

4. copy dll path to allocated memory using `WriteProcessMemory`

5. get `LoadLibraryA` addr using `GetProcAddress` with `GetModuleHandleA`

6. load dll using `CreateRemoteThread`

7. wait created remote thread using `WaitForSingleObject`

8. get modules using `EnumProcessModules`

9. get module name using `GetModuleBaseNameA`

10. alloc memory using `HeapAlloc`

11. get entry_point using `ReadProcessMemory`

12. copy SHELLCODE to dll entry_point using `WriteProcessMemory`

13. execute SHELLCODE using `CreateRemoteThread`

14. close opened handle using `CloseHandle`

## nt_queue_apc_thread_ex_local

SHELLCODE execute locally.

1. get `NtQueueApcThreadEx` function from `ntdll` using `LoadLibraryA` and `GetProcAddress`

2. alloc remote memory using `VirtualAlloc`

3. copy SHELLCODE to allocated memory using `std::ptr::copy`

4. change memory permission to executable using `VirtualProtect`

5. get current thread handle using `GetCurrentThread`

6. execute SHELLCODE using `NtQueueApcThreadEx`

## rtl_create_user_thread

SHELLCODE execute remotely.  

inject `explorer.exe` by default.

1. get `RtlCreateUserThread` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress`

2. get pid by process name using crate `sysinfo`

3. get handle using `OpenProcess`

4. alloc remote memory using `VirtualAllocEx`

5. copy SHELLCODE to allocated memory using `WriteProcessMemory`

6. change memory permission to executable using `VirtualProtectEx`

7. execute SHELLCODE using `RtlCreateUserThread`

8. close opened handle using `CloseHandle`