OffensiveRust, my experiments in weaponizing Rust for implant development and general offensive operations.
Why Rust?
mingw
toolchain, although certain libraries cannot be compiled successfully in other OSes.File | Description |
---|---|
Allocate_With_Syscalls | It uses NTDLL functions directly with the ntapi Library |
Create_DLL | Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function |
DeviceIoControl | Opens driver handle and executing DeviceIoControl |
EnableDebugPrivileges | Enable SeDebugPrivilege in the current process |
Shellcode_Local_inject | Executes shellcode directly in local process by casting pointer |
Execute_With_CMD | Executes cmd by passing a command via Rust |
ImportedFunctionCall | It imports minidump from dbghelp and executes it |
Kernel_Driver_Exploit | Kernel Driver exploit for a simple buffer overflow |
Named_Pipe_Client | Named Pipe Client |
Named_Pipe_Server | Named Pipe Server |
Process_Injection_CreateThread | Process Injection in remote process with CreateRemoteThread |
Unhooking | Unhooking calls |
asm_syscall | Obtaining PEB address via asm |
base64_system_enum | Base64 encoding/decoding strings |
http-https-requests | HTTP/S requests by ignoring cert check for GET/POST |
patch_etw | Patch ETW |
ppid_spoof | Spoof parent process for created process |
tcp_ssl_client | TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling) |
tcp_ssl_server | TCP Server, with port parameter(Requires openssl and perl to be installed for compiling) |
wmi_execute | Executes WMI query to obtain the AV/EDRs in the host |
Windows.h+ Bindings | This file contains structures of Windows.h plus complete customized LDR,PEB,etc.. that are undocumented officially by Microsoft, add at the top of your file include!(“../bindings.rs”); |
UUID_Shellcode_Execution | Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode. |
Compiling the examples in this repo
This repository does not provide binaries, you’re gonna have to compile them yourself.
Install Rust
Simply download the binary and install.
This repo was compiled in Windows 10 so I would stick to it. As mentioned OpenSSL binaries will have depencency issues that will require OpenSSL and perl to be installed. For the TCP SSL client/server I recommend static build due to dependencies on the hosts you will execute the binaries. For creating a project, execute:cargo new <name>
This will automatically create the structured project folders with:
project
├── Cargo.toml
└── src
└── main.rs
Cargo.toml is the file that contains the dependencies and the configuration for the compilation. main.rs is the main file that will be compiled along with any potential directories that contain libraries.
For compiling the project, go into the project directory and execute:cargo build
This will use your default toolchain. If you want to build the final “release” version execute:cargo build --release
For static binaries, in terminal before the build command execute:"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
set RUSTFLAGS=-C target-feature=+crt-static
In case it does not feel easy for you to read my code the way it is written,
you can also you the below command inside the project directory to format it in a better waycargo fmt
Certain examples might not compile and give you some error, since it might require a nightly
build of Rust with the latest features. To install it just do:rustup default nightly
The easiest place to find the dependencies or Crates as they are called.
Cross-Compiling requires to follow the instructions here By installing different toolchains, you can cross compile with the below commandcargo build --target <toolchain>
To see the installed toolchains on your system do:rustup toolchain list
For checking all the available toolchains you can install in your system do:rustup target list
For installing a new toolchain do:rustup target add <toolchain_name>
Optimizing executables for size
This repo contains a lot of configuration options and ideas about reducing the file size. Static binaries are usually quite big.
Pitfalls I found myself falling into
Careful of \0 bytes, do not forget them for strings in memory, I spent a lot of my time but windbg always helped resolving it.
--remap-path-prefix {your home directory}={some random identifier}
. You can use bash variables to get your home directory and generate a random placeholder: --remap-path-prefix "$HOME"="$RANDOM"
. (By Yamakadi)cargo-features = ["strip"]
.cargo build --release -Z build-std=std,panic_abort -Z build-std-features=panic_immediate_abort --target x86_64-pc-windows-msvc
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…