updated docs with example scenarios

This commit is contained in:
17ms 2024-02-13 21:02:51 +02:00
parent 567e36a9f3
commit 10cbe12a39
4 changed files with 38 additions and 12 deletions

BIN
.github/docs/dllmain-exec.png vendored Normal file


BIN
.github/docs/userfunction-exec.png vendored Normal file



@ -9,30 +9,54 @@ Reflective DLL injection demo for fun and education. In practical applications,
```shell ```shell
. .
├── generator # Shellcode generator (ties together bootstrap, loader, payload, and user data) ├── generator # Shellcode generator (ties together bootstrap, loader, payload, and user data)
├── injector # PoC injector ├── injector # PoC injector (CreateRemoteThread)
├── payload # PoC payload (DllMain and PrintMessage) ├── payload # PoC payload (calc.exe or MessageBoxW based on generator's flag)
└── reflective_loader # sRDI implementation ├── reflective_loader # sRDI implementation
└── utils # Common XOR and hashing functions
``` ```
### Features ### Features
- Compact filesize (~14 kB) - ~14 kB reflective loader
- Hashed import names & indirect function calls - Hashed import names & indirect function calls
- Randomized payload export iteration & IAT patching - XOR encrypted payload shellcode
- XOR encryption for shellcode (shellcode generation specific keys) - Shuffled and delayed IDT iteration (during IAT patching)
Check out [Alcatraz](https://github.com/weak1337/Alcatraz/) for additional obfuscation for the shellcode/injector.
### Usage ### Usage
The following command compiles the DLLs and executables into `target`: The following command compiles the DLLs and executables into `target/release/`:
```shell ```shell
$ cargo build --release $ cargo build --release
``` ```
1. Generate shellcode containing the loader and the payload 1. Generate shellcode containing the loader and the payload:
2. Inject the created shellcode into target
```
Usage: airborne-generator.exe [OPTIONS] --loader <LOADER_PATH> --payload <PAYLOAD_PATH> --function <FUNCTION_NAME> --parameter <PARAMETER> --output <OUTPUT_PATH>
Options:
-l, --loader <LOADER_PATH> Path to the sRDI loader DLL
-p, --payload <PAYLOAD_PATH> Path to the payload DLL
-f, --function <FUNCTION_NAME> Name of the function to call in the payload DLL
-n, --parameter <PARAMETER> Parameter to pass to the function
-o, --output <OUTPUT_PATH> Path to the output file
-f, --flag <FLAG> Flag to pass to the loader (by default DllMain is called) [default: 0]
-h, --help Print help
-V, --version Print version
```
2. Inject the created shellcode into target:
```
Usage: airborne-injector.exe -p <process_name> -s <shellcode_path> -k <keyfile_path>
```
3. Depending on the flag passed to the generator, either payload's `DllMain` or user defined function will run:
![Payload's DllMain execution with the default flag (0)](/.github/docs/dllmain-exec.png)
![Payload's user defined function execution with the modified flag (1)](/.github/docs/userfunction-exec.png)
### Disclaimer ### Disclaimer
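Review bot: the generator usage block lists `-f` twice, once for `--function <FUNCTION_NAME>` and once for `--flag <FLAG>`; a single short option cannot map to two arguments, so either this usage text was hand-edited and is out of date or the CLI definition itself clashes (clap's debug assertions reject duplicate short flags). Give `--flag` a distinct short option and paste the output of `--help` instead of maintaining the block by hand. The usage line also marks `--function` and `--parameter` as required even though the default flag (0) runs `DllMain`; a sentence saying what happens to those values when the flag is 0 would remove the ambiguity. Minor wording: "either payload's `DllMain` or user defined function will run" reads better as "either the payload's `DllMain` or the user-defined function will run".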


@ -85,5 +85,7 @@ fn parse_args() -> Args {
} }
fn print_usage() { fn print_usage() {
println!("Usage: injector.exe -p <process_name> -s <shellcode_path> -k <keyfile_path>"); println!(
"Usage: airborne-injector.exe -p <process_name> -s <shellcode_path> -k <keyfile_path>"
);
} }
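Review bot: the usage string hardcodes the binary name `airborne-injector.exe`, and this is already the second name the message has carried (the removed line said `injector.exe`), so it will drift again the next time the target is renamed; `env!("CARGO_BIN_NAME")` or the first element of `std::env::args()` keeps it in sync with Cargo.toml without manual edits. Also, if `print_usage` is reached from an argument-parsing failure in `parse_args`, `eprintln!` is the conventional sink so the usage text does not get mixed into stdout.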