<p align="center"> <img height="500" alt="OffensiveRust" src="https://github.com/trickster0/OffensiveRust/raw/master/offensiverust.png"> </p>

OffensiveRust

My experiments in weaponizing Rust for implant development and general offensive operations.

Table of Contents

Why Rust?

Examples in this repo

| File | Description |
| --- | --- |
| Allocate_With_Syscalls | Uses NTDLL functions directly through the ntapi crate |
| Create_DLL | Creates a DLL and pops up a message box. Rust does not fully support this, so things might get weird, since a Rust DLL does not have a main function |
| DeviceIoControl | Opens a driver handle and executes DeviceIoControl |
| EnableDebugPrivileges | Enables SeDebugPrivilege in the current process |
| Shellcode_Local_inject | Executes shellcode directly in the local process by casting a pointer |
| Execute_With_CMD | Executes cmd by passing a command from Rust |
| ImportedFunctionCall | Imports the minidump function from dbghelp and executes it |
| Kernel_Driver_Exploit | Kernel driver exploit for a simple buffer overflow |
| Named_Pipe_Client | Named pipe client |
| Named_Pipe_Server | Named pipe server |
| PEB_Walk | Dynamically resolves and invokes Windows APIs |
| Process_Injection_CreateThread | Process injection into a running process with CreateThread |
| Process_Injection_CreateRemoteThread | Process injection into a remote process with CreateRemoteThread |
| Process_Injection_Self_EnumSystemGeoID | Self-injector that uses the EnumSystemGeoID API callback to run shellcode |
| Unhooking | Unhooking calls |
| asm_syscall | Obtaining the PEB address via inline asm |
| base64_system_enum | Base64 encoding/decoding of strings |
| http-https-requests | HTTP/S GET/POST requests that ignore the certificate check |
| patch_etw | Patches ETW |
| ppid_spoof | Spoofs the parent process of a created process |
| tcp_ssl_client | TCP client with SSL that ignores the certificate check (requires OpenSSL and Perl to be installed for compiling) |
| tcp_ssl_server | TCP server with a port parameter (requires OpenSSL and Perl to be installed for compiling) |
| wmi_execute | Executes a WMI query to enumerate the AV/EDR products on the host |
| Windows.h + Bindings | Contains the structures of Windows.h plus complete customized LDR, PEB, etc. structures that Microsoft does not officially document; add `include!("../bindings.rs");` at the top of your file |
| UUID_Shellcode_Execution | Plants shellcode from a UUID array into heap space and uses the EnumSystemLocalesA callback to execute it |
| AMSI Bypass | AMSI bypass in the local process |
| Injection_AES_Loader | NtTestAlert injection with AES decryption |
| Litcrypt_String_Encryption | Uses the Litcrypt crate to encrypt literal strings at rest and in memory to defeat static AV |
| Api Hooking | API hooking using the detour library |
| memfd_create | Executes payloads from memory using the memfd_create technique (Linux) |
| RC4_Encryption | RC4-decrypted shellcode |
| Steal Token | Steals a token from a process |
| Keyboard Hooking | Keylogging by hooking the keyboard with SetWindowsHookEx |
| memN0ps arsenal: shellcode_runner_classic-rs | Classic shellcode runner/injector using ntapi |
| memN0ps arsenal: dll_injector_classic-rs | Classic DLL injection using windows-sys |
| memN0ps arsenal: module_stomping-rs | Module stomping / module overloading / DLL hollowing using windows-sys |
| memN0ps arsenal: obfuscate_shellcode-rs | Simple shellcode XOR and AES obfuscator |
| memN0ps arsenal: process_hollowing-rs | Process hollowing using ntapi |
| memN0ps arsenal: rdi-rs | Reflective DLL injection using windows-sys |
| memN0ps: eagle-rs | Rusty Rootkit: Windows kernel driver in Rust for red teamers using winapi and ntapi |
| memN0ps: psyscalls-rs | Rusty Parallel Syscalls library using winapi |
| memN0ps: mmapper-rs | Rusty manual mapper using winapi |
| memN0ps: srdi-rs | Rusty shellcode reflective DLL injection using windows-sys |
| memN0ps: mordor-rs - freshycalls_syswhispers | Rusty FreshyCalls / SysWhispers1 / SysWhispers2 / SysWhispers3 library using windows-sys |
| memN0ps: mordor-rs - hells_halos_tartarus_gate | Rusty Hell's Gate / Halo's Gate / Tartarus' Gate library using windows-sys |
| memN0ps: pemadness-rs | Rusty Portable Executable parsing library (PE parsing library) using windows-sys |
| memN0ps: mimiRust | Mimikatz made in Rust by @ThottySploit. The original author deleted their GitHub account, so it has been uploaded for community use |
| memN0ps and trickster0: ekko-rs | Rusty Ekko: sleep obfuscation in Rust using windows-sys |
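The Create_DLL entry above notes that a Rust DLL has no main function. The skeleton below is an added illustration of what replaces it, not code from the OffensiveRust repository: the crate is built as a cdylib and exports DllMain, which the Windows loader calls with a reason code. The constants and the MessageBoxA declaration are the Windows SDK's; the split into a testable on_reason helper and the show_box stub are this example's own choices, so the file also compiles and runs on non-Windows hosts.

```rust
// Added example (not from the OffensiveRust repo): minimal shape of a Rust DLL.
// Build it as a cdylib by adding to Cargo.toml:
//   [lib]
//   crate-type = ["cdylib"]
// There is no main(); Windows calls the exported DllMain instead.
use std::ffi::c_void;

// Reason codes from winnt.h, declared here so no Windows crate is needed.
pub const DLL_PROCESS_DETACH: u32 = 0;
pub const DLL_PROCESS_ATTACH: u32 = 1;
pub const DLL_THREAD_ATTACH: u32 = 2;
pub const DLL_THREAD_DETACH: u32 = 3;

// Only declared and linked on Windows; other targets get an empty stub below.
#[cfg(windows)]
#[link(name = "user32")]
extern "system" {
    fn MessageBoxA(hwnd: *mut c_void, text: *const u8, caption: *const u8, flags: u32) -> i32;
}

#[cfg(windows)]
fn show_box() {
    // Both literals carry an explicit trailing NUL: MessageBoxA reads C strings.
    unsafe {
        MessageBoxA(
            std::ptr::null_mut(),
            b"Hello from a Rust DLL\0".as_ptr(),
            b"OffensiveRust\0".as_ptr(),
            0,
        );
    }
}

#[cfg(not(windows))]
fn show_box() {}

/// Load-time logic, kept apart from DllMain so it can be exercised without a
/// loader. Returns a label for the reasons it handles, None for those it ignores.
pub fn on_reason(reason: u32) -> Option<&'static str> {
    match reason {
        DLL_PROCESS_ATTACH => {
            show_box();
            Some("process_attach")
        }
        DLL_PROCESS_DETACH => Some("process_detach"),
        _ => None,
    }
}

/// The exported entry point. `extern "system"` selects stdcall on x86 and the
/// normal C ABI on x64, which is what the loader expects. Returning 0 (FALSE)
/// from DLL_PROCESS_ATTACH makes LoadLibrary fail and unloads the DLL.
#[no_mangle]
#[allow(non_snake_case)]
pub extern "system" fn DllMain(_module: *mut c_void, reason: u32, _reserved: *mut c_void) -> i32 {
    on_reason(reason);
    1 // TRUE
}
```

After adding the `[lib]` section, `cargo build --release` writes the DLL to `target/release/`; load it with rundll32 or LoadLibrary to see the message box. Keep DllMain short: the loader lock is held while it runs, so work that creates threads or loads other DLLs belongs in an exported function called after the load completes.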

Compiling the examples in this repo

This repository does not provide binaries; you will have to compile them yourself.

Install Rust
Simply download the binary and install.

This repo was compiled on Windows 10, so I would stick to it. As mentioned, the OpenSSL-based examples have dependency issues that require OpenSSL and Perl to be installed at build time. For the TCP SSL client/server I recommend a static build, because otherwise the binaries depend on libraries being present on the hosts you execute them on. To create a project, execute:
cargo new <name>
This automatically creates the structured project folders:

project
├── Cargo.toml
└── src
    └── main.rs

Cargo.toml contains the dependencies and the configuration for the compilation. main.rs is the main file that will be compiled, along with any modules or library directories it references.

For compiling the project, go into the project directory and execute:
cargo build

This uses your default toolchain and produces an unoptimised debug build under target/debug. To build the final "release" version (written to target/release) execute:
cargo build --release

For static binaries (the C runtime linked into the executable rather than loaded from the vcruntime DLLs on the target host), open a cmd.exe terminal and execute before the build command:
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
set RUSTFLAGS=-C target-feature=+crt-static
Adjust the vcvars64.bat path to your Visual Studio version and edition. In PowerShell the equivalent of the second line is $env:RUSTFLAGS = "-C target-feature=+crt-static".

In case my code is hard to read the way it is written, you can also use the command below inside the project directory to format it:
cargo fmt

Certain examples might not compile and give you an error, since they might require a nightly build of Rust with the latest features. To install nightly and make it the default toolchain for every project on the machine:
rustup default nightly
If you only want nightly for one project, `cargo +nightly build` uses it for that build without changing the default.

The easiest place to find dependencies, or crates as they are called, is crates.io.

Cross Compiling

Cross-compiling requires installing the target you want to build for with rustup. A target is a platform triple such as x86_64-pc-windows-gnu; it is distinct from a toolchain, which is a compiler version such as stable or nightly. Once a target is installed, you can cross compile with:
cargo build --target <target_triple>

To see the toolchains installed on your system do:
rustup toolchain list

To see the targets currently installed for your toolchain do:
rustup target list --installed

To check all the targets you can install do:
rustup target list

To install a new target do:
rustup target add <target_triple>

Optimizing executables for size

The repository linked here collects configuration options and ideas for reducing file size. Static binaries are usually quite big, and the default release profile still keeps symbols, debug info and the panic-unwinding machinery in the output.
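The build steps in "Compiling the examples in this repo" and the size advice above both come down to two Cargo files. The fragment below is an added example of the settings a practitioner would start from, not configuration shipped with this repository; every key is a documented Cargo option, and the `rustflags` entry makes the RUSTFLAGS static-CRT setting permanent so it no longer has to be set in each shell.

```toml
# Cargo.toml  --  release profile tuned for a small implant binary
[profile.release]
opt-level = "z"     # optimise for size rather than speed
lto = true          # whole-program link-time optimisation drops unused code
codegen-units = 1   # a single codegen unit gives LTO the whole crate to work on
panic = "abort"     # no unwinding tables or landing pads in the output
strip = true        # strip symbols and debug info (Cargo 1.59 or newer)

# .cargo/config.toml  --  applies whenever the MSVC target is built,
# including plain `cargo build --release` on a Windows host
[target.x86_64-pc-windows-msvc]
rustflags = ["-C", "target-feature=+crt-static"]
```

`panic = "abort"` also changes behaviour: a panic terminates the process immediately instead of unwinding, so any cleanup that relied on Drop during unwinding no longer runs. The `.cargo/config.toml` file lives next to Cargo.toml; a setting in `[target.<triple>]` is only honoured when that triple is the one being built, so the MSVC flag is ignored by a `x86_64-pc-windows-gnu` cross-build.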

Pitfalls I found myself falling into

Be careful with \0 bytes: do not forget them on strings you place in memory for C APIs, which read a string up to the first NUL rather than using a Rust length. I spent a lot of my time on this, but windbg always helped resolve it.
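The NUL pitfall above, shown as an added example rather than code from this repository: it calls no Windows API, so it runs on any host. The c_strlen helper stands in for what LoadLibraryA or GetProcAddress do with a `const char*` (read until the first zero byte); the constructed buffer and the helper names are this example's own.

```rust
// Added example (not from the OffensiveRust repo): NUL-terminated strings for
// Win32 FFI. Nothing here touches Windows; c_strlen imitates the C side.
use std::ffi::CString;

/// Reads a C string the way a Windows "A" API would: byte by byte until NUL.
/// Caller guarantees a NUL exists before the end of the allocation.
pub unsafe fn c_strlen(p: *const u8) -> usize {
    let mut n = 0;
    while unsafe { *p.add(n) } != 0 {
        n += 1;
    }
    n
}

/// Narrow string for "A" APIs. CString appends the NUL and rejects interior
/// NULs, which would silently truncate the name on the C side.
pub fn to_cstr(s: &str) -> Result<CString, std::ffi::NulError> {
    CString::new(s)
}

/// Wide (UTF-16) string for "W" APIs such as CreateFileW: one trailing 0u16.
pub fn to_wide(s: &str) -> Vec<u16> {
    s.encode_utf16().chain(std::iter::once(0)).collect()
}

/// The shortcut used by hand-written examples: a literal with an explicit
/// trailing "\0". Correct as long as nobody forgets the suffix.
pub fn literal_with_nul(s: &str) -> String {
    format!("{s}\0")
}

fn main() {
    // Constructed buffer: the DLL name immediately followed by other bytes, as
    // happens when a `&str` is handed over with `.as_ptr()` and no terminator.
    let buf = *b"kernel32.dllGARBAGE\0";
    let name: &str = std::str::from_utf8(&buf[..12]).unwrap();
    let seen = unsafe { c_strlen(name.as_ptr()) };
    println!("unterminated &str: C side sees {seen} bytes, Rust length is {}", name.len());

    let c = to_cstr("kernel32.dll").unwrap();
    println!("CString: C side sees {} bytes", unsafe { c_strlen(c.as_ptr() as *const u8) });

    let w = to_wide("ntdll.dll");
    println!("wide: {} u16 values, last = {}", w.len(), w[w.len() - 1]);

    match to_cstr("bad\0name") {
        Ok(_) => println!("unexpected"),
        Err(e) => println!("interior NUL rejected at byte {}", e.nul_position()),
    }
}
```

When the string is a literal, prefer the `\0`-suffixed byte literal or CString over `.as_ptr()` on a `&str`; the over-read in the first case is exactly the symptom that sends you to windbg, because the API receives a name with trailing garbage and fails with a misleading error.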

Interesting Rust libraries

OPSEC

Other projects I have have made in Rust

Projects in Rust that can be helpful