2024-02-11 21:52:08 +01:00
# Shellcode reflective DLL injection in Rust
2024-01-02 22:05:29 +01:00
2024-09-22 20:11:13 +02:00
Reflective DLL injection demo for fun and education. In simple terms reflective injection means that the given payload (i.e. an executable binary) will be mapped into a target process's memory without the payload ever needing to touch the target device's disk. In practical applications, there's significant scope for enhancing build sizes, obfuscation, and delivery logic.
2024-01-05 20:15:45 +01:00
2024-09-22 20:11:13 +02:00
If you're interested in the technical implementation, please check out [this blog post ](https://golfed.xyz/blog/understanding-srdi/ ) I wrote.
2024-01-05 20:57:22 +01:00
2024-01-05 20:15:45 +01:00
### Project Structure
2024-01-04 19:00:24 +01:00
```shell
.
├── generator # Shellcode generator (ties together bootstrap, loader, payload, and user data)
2024-02-13 20:02:51 +01:00
├── injector # PoC injector (CreateRemoteThread)
├── payload # PoC payload (calc.exe or MessageBoxW based on generator's flag)
├── reflective_loader # sRDI implementation
2024-02-21 15:30:16 +01:00
└── common # Common XOR and hashing functions
2024-01-04 19:00:24 +01:00
```
2024-01-02 22:05:29 +01:00
### Features
2024-02-13 20:02:51 +01:00
- ~14 kB reflective loader
2024-01-05 20:15:45 +01:00
- Hashed import names & indirect function calls
2024-02-13 20:02:51 +01:00
- XOR encrypted payload shellcode
- Shuffled and delayed IDT iteration (during IAT patching)
2024-01-02 22:05:29 +01:00
2024-01-04 19:00:24 +01:00
### Usage
2024-02-13 20:02:51 +01:00
The following command compiles the DLLs and executables into `target/release/` :
2024-02-11 21:52:08 +01:00
```shell
$ cargo build --release
```
2024-02-13 20:02:51 +01:00
1. Generate shellcode containing the loader and the payload:
```
2024-02-13 20:30:05 +01:00
Usage: generator.exe [OPTIONS] --loader < LOADER_PATH > --payload < PAYLOAD_PATH > --function < FUNCTION_NAME > --parameter < PARAMETER > --output < OUTPUT_PATH >
2024-02-13 20:02:51 +01:00
Options:
2024-02-13 20:30:05 +01:00
-l, --loader < LOADER_PATH > Path to the sRDI loader DLL
-p, --payload < PAYLOAD_PATH > Path to the payload DLL
-f, --function < FUNCTION_NAME > Name of the function to call in the payload DLL
-n, --parameter < PARAMETER > Parameter to pass to the function
-o, --output < OUTPUT_PATH > Path to the output file
2024-02-13 21:17:07 +01:00
--flag < FLAG > Flag to pass to the loader (by default DllMain is called) [default: 0]
2024-02-13 20:30:05 +01:00
-h, --help Print help
-V, --version Print version
2024-02-13 20:02:51 +01:00
```
2. Inject the created shellcode into target:
```
2024-02-13 20:30:05 +01:00
Usage: poc-injector.exe -p < PROCESS_NAME > -s < SHELLCODE_PATH > -k < KEYFILE_PATH >
2024-02-13 20:02:51 +01:00
```
2024-02-13 20:32:48 +01:00
3. Depending on the flag passed to the generator, either `DllMain` with `DLL_PROCESS_ATTACH` or user function with custom parameter is called:
2024-02-13 20:02:51 +01:00
2024-02-13 20:30:05 +01:00
< div align = "center" >
2024-08-30 17:34:51 +02:00
< img src = "docs/dllmain-exec.png" alt = "Payload's DllMain execution with the default flag (0)" width = "90%" >
< img src = "docs/userfunction-exec.png" alt = "Payload's user defined function execution with the modified flag (1)" width = "90%" >
2024-02-13 20:30:05 +01:00
< / div >
2024-01-04 19:00:24 +01:00
2024-01-02 22:05:29 +01:00
### Credits
- Stephen Fewer ([@stephenfewer](https://github.com/stephenfewer)) for reflective DLL injection
- Nick Landers ([@monoxgas](https://github.com/monoxgas)) for shellcode generator
2024-01-03 20:01:26 +01:00
- [@memN0ps ](https://github.com/memN0ps ) for bootstrap shellcode