diff --git a/.github/docs/dllmain-exec.png b/.github/docs/dllmain-exec.png new file mode 100644 index 0000000..a38ae60 Binary files /dev/null and b/.github/docs/dllmain-exec.png differ diff --git a/.github/docs/userfunction-exec.png b/.github/docs/userfunction-exec.png new file mode 100644 index 0000000..cadc0cc Binary files /dev/null and b/.github/docs/userfunction-exec.png differ diff --git a/README.md b/README.md index 5c7be01..cab2dcd 100644 --- a/README.md +++ b/README.md 
@@ -9,30 +9,54 @@ Reflective DLL injection demo for fun and education. In practical applications, ```shell . ├── generator # Shellcode generator (ties together bootstrap, loader, payload, and user data) -├── injector # PoC injector -├── payload # PoC payload (DllMain and PrintMessage) -└── reflective_loader # sRDI implementation +├── injector # PoC injector (CreateRemoteThread) +├── payload # PoC payload (calc.exe or MessageBoxW based on generator's flag) +├── reflective_loader # sRDI implementation +└── utils # Common XOR and hashing functions ``` ### Features -- Compact filesize (~14 kB) +- ~14 kB reflective loader - Hashed import names & indirect function calls -- Randomized payload export iteration & IAT patching -- XOR encryption for shellcode (shellcode generation specific keys) - -Check out [Alcatraz](https://github.com/weak1337/Alcatraz/) for additional obfuscation for the shellcode/injector. +- XOR encrypted payload shellcode +- Shuffled and delayed IDT iteration (during IAT patching) ### Usage -The following command compiles the DLLs and executables into `target`: +The following command compiles the DLLs and executables into `target/release/`: ```shell $ cargo build --release ``` -1. Generate shellcode containing the loader and the payload -2. Inject the created shellcode into target +1. Generate shellcode containing the loader and the payload: + +``` +Usage: airborne-generator.exe [OPTIONS] --loader --payload --function --parameter --output + +Options: +-l, --loader Path to the sRDI loader DLL +-p, --payload Path to the payload DLL +-f, --function Name of the function to call in the payload DLL +-n, --parameter Parameter to pass to the function +-o, --output Path to the output file +-f, --flag Flag to pass to the loader (by default DllMain is called) [default: 0] +-h, --help Print help +-V, --version Print version +``` + +2. Inject the created shellcode into target: + +``` +Usage: airborne-injector.exe -p -s -k +``` + +3. 
Depending on the flag passed to the generator, either payload's `DllMain` or user defined function will run: + +![Payload's DllMain execution with the default flag (0)](/.github/docs/dllmain-exec.png) + +![Payload's user defined function execution with the modified flag (1)](/.github/docs/userfunction-exec.png) ### Disclaimer diff --git a/injector/src/main.rs b/injector/src/main.rs index a8d525b..1b0712b 100644 --- a/injector/src/main.rs +++ b/injector/src/main.rs @@ -85,5 +85,7 @@ fn parse_args() -> Args { } fn print_usage() { - println!("Usage: injector.exe -p -s -k "); + println!( + "Usage: airborne-injector.exe -p -s -k " + ); }
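Review bot: in the README hunk's generator usage block the short flag `-f` is assigned twice (`-f, --function` and `-f, --flag`), so one of the two options cannot be reached from the command line and an argument parser will either reject the duplicate or let the later definition shadow the earlier one; give `--flag` a distinct short form (or document it as long-only) and make the README match what `airborne-generator.exe` actually accepts. In the same block the synopsis marks `--function` and `--parameter` as required even though the text right below states that `DllMain` is called by default (flag 0) and the user-defined function only with a modified flag (1); either make those two options optional when the flag is 0, or say in their help text that they are ignored for the default flag. The `--flag` help only describes the default; it should state which value selects the user-defined function, since the screenshot captions are currently the only place that is spelled out. The hunk also drops the Alcatraz link from the feature list; if that recommendation still applies, keep it rather than silently removing it.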
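Review bot: the new `print_usage` string in `injector/src/main.rs` still lists the switches as bare `-p -s -k` without saying what each one takes, and the README's injector section in this same patch repeats that bare synopsis while the generator gets a full Options list; add a short per-option line for the injector (what `-p`, `-s` and `-k` expect, in the same format as the generator's Options block) so the usage output is self-describing, and keep the README and the `println!` text in sync since this hunk only renames the binary to `airborne-injector.exe`.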