Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/b1tg/rust-windows-shellcode
Windows shellcode development in Rust
https://github.com/b1tg/rust-windows-shellcode
offensive-security rust shellcode shellcode-development
Last synced: 10 days ago
JSON representation
Windows shellcode development in Rust
- Host: GitHub
- URL: https://github.com/b1tg/rust-windows-shellcode
- Owner: b1tg
- Created: 2021-02-05T14:14:30.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2021-02-06T15:20:12.000Z (almost 4 years ago)
- Last Synced: 2024-10-17T12:25:23.360Z (24 days ago)
- Topics: offensive-security, rust, shellcode, shellcode-development
- Language: Rust
- Homepage:
- Size: 294 KB
- Stars: 276
- Watchers: 7
- Forks: 31
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Write Windows Shellcode in Rust
## Project overview
Windows shellcode project is located in `shellcode/`, it can build into a PE file with only `.text` section
and has no external dependencies.![shellcode.exe in pe-bear](./images/show_in_pe_bear.png)
Then we can dump the `.text` section and do some patches to make it position-independent. this idea
was from [hasherezade](https://twitter.com/hasherezade)'s project [masm_shc](https://github.com/hasherezade/masm_shc).## How to build it
(Only tested on Win10 x64)
### Build shellcode binary
```sh
rustup default nightly-x86_64-pc-windows-msvc
cd shellcode/
cargo build --release
```If everthing goes well, we will get `shellcode\target\x86_64-pc-windows-msvc\release\shellcode.exe`
### Dump .text section and do some patches
We patch at the start of `.text` section, make it jump to entry point. In this way, we can have some strings store in the merged section, or we have to use `u8` and `u16` bytes array on stack to represent string.
```sh
cd ..
cargo run
```We will get `shellcode\target\x86_64-pc-windows-msvc\release\shellcode.bin`, this is the final shellcode file.
### Test shellcode
Test the shellcode use your favorite shellcode loader, i use my own little tool [rs_shellcode](https://github.com/b1tg/rs_shellcode) for demonstration.
```sh
git clone https://github.com/b1tg/rs_shellcode
cd rs_shellcode/
cargo build
./target/debug/rs_shellcode.exe -f "shellcode\target\x86_64-pc-windows-msvc\release\shellcode.bin"
```This demo shellcode will popup a message box and print some log use `OutputDebugStringA`, you can check it out in [debugview](https://docs.microsoft.com/en-us/sysinternals/downloads/debugview) or windbg.
![run shellcode](./images/run_shellcode.png)
## References
- https://github.com/mcountryman/min-sized-rust-windows
- https://github.com/hasherezade/masm_shc
- https://github.com/Trantect/win_driver_example
- https://not-matthias.github.io/kernel-driver-with-rust/
- https://github.com/pravic/winapi-kmd-rs
- https://github.com/johnthagen/min-sized-rust