Shellcode reflective DLL injection in Rust
Go to file
2024-02-13 21:02:51 +02:00
.cargo tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
.github/docs updated docs with example scenarios 2024-02-13 21:02:51 +02:00
generator tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
injector updated docs with example scenarios 2024-02-13 21:02:51 +02:00
payload tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
reflective_loader loader-level obfuscation during IAT patching 2024-02-12 20:10:20 +02:00
utils loader-level obfuscation during IAT patching 2024-02-12 20:10:20 +02:00
.gitignore tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
Cargo.lock loader-level obfuscation during IAT patching 2024-02-12 20:10:20 +02:00
Cargo.toml tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
LICENSE tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
README.md updated docs with example scenarios 2024-02-13 21:02:51 +02:00

Shellcode reflective DLL injection in Rust

Reflective DLL injection demo for fun and education. In practical applications, there's significant scope for enhancing build sizes, obfuscation, and delivery logic.

A blog post describing the technicalities of sRDI.

Project Structure

.
├── generator           # Shellcode generator (ties together bootstrap, loader, payload, and user data)
├── injector            # PoC injector (CreateRemoteThread)
├── payload             # PoC payload (calc.exe or MessageBoxW based on generator's flag)
├── reflective_loader   # sRDI implementation
└── utils               # Common XOR and hashing functions

Features

  • ~14 kB reflective loader
  • Hashed import names & indirect function calls
  • XOR encrypted payload shellcode
  • Shuffled and delayed IDT iteration (during IAT patching)

Usage

The following command compiles the DLLs and executables into target/release/:

$ cargo build --release
  1. Generate shellcode containing the loader and the payload:
Usage: airborne-generator.exe [OPTIONS] --loader <LOADER_PATH> --payload <PAYLOAD_PATH> --function <FUNCTION_NAME> --parameter <PARAMETER> --output <OUTPUT_PATH>

Options:
-l, --loader <LOADER_PATH>      Path to the sRDI loader DLL
-p, --payload <PAYLOAD_PATH>    Path to the payload DLL
-f, --function <FUNCTION_NAME>  Name of the function to call in the payload DLL
-n, --parameter <PARAMETER>     Parameter to pass to the function
-o, --output <OUTPUT_PATH>      Path to the output file
-f, --flag <FLAG>               Flag to pass to the loader (by default DllMain is called) [default: 0]
-h, --help                      Print help
-V, --version                   Print version
  1. Inject the created shellcode into target:
Usage: airborne-injector.exe -p <process_name> -s <shellcode_path> -k <keyfile_path>
  1. Depending on the flag passed to the generator, either payload's DllMain or user defined function will run:

Payload's DllMain execution with the default flag (0)

Payload's user defined function execution with the modified flag (1)

Disclaimer

Information and code provided on this repository are for educational purposes only. The creator is in no way responsible for any direct or indirect damage caused due to the misuse of the information.

Credits