|
1 | | -# rust-shellcode |
| 1 | +# rust-shellcode |
| 2 | + |
| 3 | +## asm |
| 4 | + |
| 5 | +shellcode execute locally. |
| 6 | +1. link shellcode to .text section |
| 7 | +2. inline asm using asm! macro |
| 8 | +3. call shellcode |
| 9 | + |
| 10 | +## create_fiber |
| 11 | + |
| 12 | +shellcode execute locally. |
| 13 | +1. convert current thread to fiber using `ConvertThreadToFiber` |
| 14 | +2. alloc memory using `VirtualAlloc` |
| 15 | +3. copy shellcode to allocated memory using `std::ptr::copy` |
| 16 | +4. create a fiber using `CreateFiber` |
| 17 | +5. jump shellcode using `SwitchToFiber` |
| 18 | +6. jump back |
| 19 | + |
| 20 | +## create_remote_thread |
| 21 | + |
| 22 | +shellcode execute remotely. |
| 23 | +inject `explorer.exe` default. |
| 24 | +1. get pid by process name using crate `sysinfo` |
| 25 | +2. get handle using `OpenProcess` |
| 26 | +3. alloc remote memory using `VirtualAllocEx` |
| 27 | +4. copy shellcode to allocated memory using `WriteProcessMemory` |
| 28 | +5. change memory permission to executable using `VirtualProtectEx` |
| 29 | +6. execute shellcode using `CreateRemoteThread` |
| 30 | +7. close opened handle using `CloseHandle` |
| 31 | + |
| 32 | +## create_thread |
| 33 | + |
| 34 | +shellcode execute locally. |
| 35 | +1. alloc remote memory using `VirtualAlloc` |
| 36 | +2. copy shellcode to allocated memory using `std::ptr::copy` |
| 37 | +3. change memory permission to executable using `VirtualProtect` |
| 38 | +4. execute shellcode using `CreateThread` |
| 39 | +5. waiting thread exit using `WaitForSingleObject` |
| 40 | + |
| 41 | +## create_thread_native |
| 42 | + |
| 43 | +shellcode execute locally. |
| 44 | +this is same with create_thread, but without crate `windows-sys` |
| 45 | +using crate `libloading` get functions from dlls. |
| 46 | + |
| 47 | +## etwp_create_etw_thread |
| 48 | + |
| 49 | +shellcode execute locally. |
| 50 | +1. get `EtwpCreateEtwThread` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress` |
| 51 | +2. alloc remote memory using `VirtualAlloc` |
| 52 | +3. copy shellcode to allocated memory using `std::ptr::copy` |
| 53 | +4. change memory permission to executable using `VirtualProtect` |
| 54 | +5. execute shellcode using `EtwpCreateEtwThread` |
| 55 | +6. waiting thread exit using `WaitForSingleObject` |
| 56 | + |
| 57 | +## nt_queue_apc_thread_ex_local |
| 58 | + |
| 59 | +shellcode execute locally. |
| 60 | +1. get `NtQueueApcThreadEx` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress` |
| 61 | +2. alloc remote memory using `VirtualAlloc` |
| 62 | +3. copy shellcode to allocated memory using `std::ptr::copy` |
| 63 | +4. change memory permission to executable using `VirtualProtect` |
| 64 | +5. get current thread handle using `GetCurrentThread` |
| 65 | +6. execute shellcode using `NtQueueApcThreadEx` |
| 66 | + |
| 67 | +## rtl_create_user_thread |
| 68 | + |
| 69 | +shellcode execute remotely. |
| 70 | +1. get `RtlCreateUserThread` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress` |
| 71 | +2. get pid by process name using crate `sysinfo` |
| 72 | +3. get handle using `OpenProcess` |
| 73 | +4. alloc remote memory using `VirtualAllocEx` |
| 74 | +5. copy shellcode to allocated memory using `WriteProcessMemory` |
| 75 | +6. change memory permission to executable using `VirtualProtectEx` |
| 76 | +7. execute shellcode using `RtlCreateUserThread` |
| 77 | +8. close opened handle using `CloseHandle` |
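Review bot: the wording "alloc remote memory using `VirtualAlloc`" (step 1 of create_thread, step 2 of etwp_create_etw_thread and step 2 of nt_queue_apc_thread_ex_local) contradicts the "shellcode execute locally" line above each of those sections, since `VirtualAlloc` only allocates in the current process; change it to "alloc local memory using `VirtualAlloc`", leaving "remote" for the `VirtualAllocEx` steps in create_remote_thread and rtl_create_user_thread. In the same pass, fix the repeated typo "funtion" (three occurrences) to "function", "this is same with create_thread, but without crate `windows-sys`" to "this is the same as create_thread, but without the `windows-sys` crate", and "inject `explorer.exe` default." to "injects into `explorer.exe` by default." Step 6 of create_fiber, "jump back", should name what it returns to (the original thread fiber created in step 1), and the README should state up front that every technique is Windows-only and which crates (`windows-sys`, `libloading`, `sysinfo`) each example depends on, so a reader can tell from the index what a given binary will load.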