airborne/README.md

# Shellcode reflective DLL injection in Rust

Reflective DLL injection demo for fun and education. In simple terms reflective injection means that the given payload (i.e. an executable binary) will be mapped into a target process's memory without the payload ever needing to touch the target device's disk. In practical applications, there's significant scope for enhancing build sizes, obfuscation, and delivery logic.

If you're interested in the technical implementation, please check out [this blog post](https://golfed.xyz/blog/understanding-srdi/) I wrote.

### Project Structure

```shell
.
├── generator           # Shellcode generator (ties together bootstrap, loader, payload, and user data)
├── injector            # PoC injector (CreateRemoteThread)
├── payload             # PoC payload (calc.exe or MessageBoxW based on generator's flag)
├── reflective_loader   # sRDI implementation
└── common              # Common XOR and hashing functions
```

### Features

- ~14 kB reflective loader
- Hashed import names & indirect function calls
- XOR encrypted payload shellcode
- Shuffled and delayed IDT iteration (during IAT patching)

### Usage

The following command compiles the DLLs and executables into `target/release/`:

```shell
$ cargo build --release
```

1. Generate shellcode containing the loader and the payload:

```
Usage: generator.exe [OPTIONS] --loader <LOADER_PATH> --payload <PAYLOAD_PATH> --function <FUNCTION_NAME> --parameter <PARAMETER> --output <OUTPUT_PATH>

Options:
  -l, --loader <LOADER_PATH>      Path to the sRDI loader DLL
  -p, --payload <PAYLOAD_PATH>    Path to the payload DLL
  -f, --function <FUNCTION_NAME>  Name of the function to call in the payload DLL
  -n, --parameter <PARAMETER>     Parameter to pass to the function
  -o, --output <OUTPUT_PATH>      Path to the output file
      --flag <FLAG>               Flag to pass to the loader (by default DllMain is called) [default: 0]
  -h, --help                      Print help
  -V, --version                   Print version
```

2. Inject the created shellcode into target:

```
Usage: poc-injector.exe -p <PROCESS_NAME> -s <SHELLCODE_PATH> -k <KEYFILE_PATH>
```

3. Depending on the flag passed to the generator, either `DllMain` with `DLL_PROCESS_ATTACH` or user function with custom parameter is called:

<div align="center">
    <img src="docs/dllmain-exec.png" alt="Payload's DllMain execution with the default flag (0)" width="90%">
    <img src="docs/userfunction-exec.png" alt="Payload's user defined function execution with the modified flag (1)" width="90%">
</div>

### Credits

- Stephen Fewer ([@stephenfewer](https://github.com/stephenfewer)) for reflective DLL injection
- Nick Landers ([@monoxgas](https://github.com/monoxgas)) for shellcode generator
- [@memN0ps](https://github.com/memN0ps) for bootstrap shellcode
tested builds w/o loader-level obfuscation 2024-02-11 21:52:08 +01:00			`# Shellcode reflective DLL injection in Rust`
initial readme skeleton 2024-01-02 22:05:29 +01:00
docs: simplifications 2024-09-22 20:11:13 +02:00			`Reflective DLL injection demo for fun and education. In simple terms reflective injection means that the given payload (i.e. an executable binary) will be mapped into a target process's memory without the payload ever needing to touch the target device's disk. In practical applications, there's significant scope for enhancing build sizes, obfuscation, and delivery logic.`
include features & disclaimer to readme 2024-01-05 20:15:45 +01:00
docs: simplifications 2024-09-22 20:11:13 +02:00			`If you're interested in the technical implementation, please check out [this blog post](https://golfed.xyz/blog/understanding-srdi/) I wrote.`
include blog post link 2024-01-05 20:57:22 +01:00
include features & disclaimer to readme 2024-01-05 20:15:45 +01:00			`### Project Structure`

build size optimizations, streamlining 2024-01-04 19:00:24 +01:00			```shell
			`.`
			`├── generator # Shellcode generator (ties together bootstrap, loader, payload, and user data)`
updated docs with example scenarios 2024-02-13 20:02:51 +01:00			`├── injector # PoC injector (CreateRemoteThread)`
			`├── payload # PoC payload (calc.exe or MessageBoxW based on generator's flag)`
			`├── reflective_loader # sRDI implementation`
update name change to docs 2024-02-21 15:30:16 +01:00			`└── common # Common XOR and hashing functions`
build size optimizations, streamlining 2024-01-04 19:00:24 +01:00			```
initial readme skeleton 2024-01-02 22:05:29 +01:00
			`### Features`

updated docs with example scenarios 2024-02-13 20:02:51 +01:00			`- ~14 kB reflective loader`
include features & disclaimer to readme 2024-01-05 20:15:45 +01:00			`- Hashed import names & indirect function calls`
updated docs with example scenarios 2024-02-13 20:02:51 +01:00			`- XOR encrypted payload shellcode`
			`- Shuffled and delayed IDT iteration (during IAT patching)`
initial readme skeleton 2024-01-02 22:05:29 +01:00
build size optimizations, streamlining 2024-01-04 19:00:24 +01:00			`### Usage`

updated docs with example scenarios 2024-02-13 20:02:51 +01:00			The following command compiles the DLLs and executables into `target/release/`:
tested builds w/o loader-level obfuscation 2024-02-11 21:52:08 +01:00
			```shell
			`$ cargo build --release`
			```

updated docs with example scenarios 2024-02-13 20:02:51 +01:00			`1. Generate shellcode containing the loader and the payload:`

			```
updated the names of the workspace subprojects 2024-02-13 20:30:05 +01:00			`Usage: generator.exe [OPTIONS] --loader <LOADER_PATH> --payload <PAYLOAD_PATH> --function <FUNCTION_NAME> --parameter <PARAMETER> --output <OUTPUT_PATH>`
updated docs with example scenarios 2024-02-13 20:02:51 +01:00
			`Options:`
updated the names of the workspace subprojects 2024-02-13 20:30:05 +01:00			`-l, --loader <LOADER_PATH> Path to the sRDI loader DLL`
			`-p, --payload <PAYLOAD_PATH> Path to the payload DLL`
			`-f, --function <FUNCTION_NAME> Name of the function to call in the payload DLL`
			`-n, --parameter <PARAMETER> Parameter to pass to the function`
			`-o, --output <OUTPUT_PATH> Path to the output file`
removed possibly conflicting short option name 2024-02-13 21:17:07 +01:00			`--flag <FLAG> Flag to pass to the loader (by default DllMain is called) [default: 0]`
updated the names of the workspace subprojects 2024-02-13 20:30:05 +01:00			`-h, --help Print help`
			`-V, --version Print version`
updated docs with example scenarios 2024-02-13 20:02:51 +01:00			```

			`2. Inject the created shellcode into target:`

			```
updated the names of the workspace subprojects 2024-02-13 20:30:05 +01:00			`Usage: poc-injector.exe -p <PROCESS_NAME> -s <SHELLCODE_PATH> -k <KEYFILE_PATH>`
updated docs with example scenarios 2024-02-13 20:02:51 +01:00			```

note about payload parameters 2024-02-13 20:32:48 +01:00			3. Depending on the flag passed to the generator, either `DllMain` with `DLL_PROCESS_ATTACH` or user function with custom parameter is called:
updated docs with example scenarios 2024-02-13 20:02:51 +01:00
updated the names of the workspace subprojects 2024-02-13 20:30:05 +01:00			`<div align="center">`
refactor: rm dangling links after migration 2024-08-30 17:34:51 +02:00			`<img src="docs/dllmain-exec.png" alt="Payload's DllMain execution with the default flag (0)" width="90%">`
			`<img src="docs/userfunction-exec.png" alt="Payload's user defined function execution with the modified flag (1)" width="90%">`
updated the names of the workspace subprojects 2024-02-13 20:30:05 +01:00			`</div>`
build size optimizations, streamlining 2024-01-04 19:00:24 +01:00
initial readme skeleton 2024-01-02 22:05:29 +01:00			`### Credits`

			`- Stephen Fewer ([@stephenfewer](https://github.com/stephenfewer)) for reflective DLL injection`
			`- Nick Landers ([@monoxgas](https://github.com/monoxgas)) for shellcode generator`
initial shellcode generator version (untested) 2024-01-03 20:01:26 +01:00			`- [@memN0ps](https://github.com/memN0ps) for bootstrap shellcode`