Shellcode reflective DLL injection in Rust
567e36a9f3
1.) shuffle Import Directory Table entries (image import descriptors) 2.) delay the relocation of each import a random duration 3.) conditional execution based on ordinal/name 4.) indirect function call via pointer |
||
|---|---|---|
| .cargo | ||
| generator | ||
| injector | ||
| payload | ||
| reflective_loader | ||
| utils | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||
| LICENSE | ||
| README.md | ||
Shellcode reflective DLL injection in Rust
Reflective DLL injection demo for fun and education. In practical applications, there's significant scope for enhancing build sizes, obfuscation, and delivery logic.
A blog post describing the technicalities of sRDI.
Project Structure
.
├── generator # Shellcode generator (ties together bootstrap, loader, payload, and user data)
├── injector # PoC injector
├── payload # PoC payload (DllMain and PrintMessage)
└── reflective_loader # sRDI implementation
Features
- Compact filesize (~14 kB)
- Hashed import names & indirect function calls
- Randomized payload export iteration & IAT patching
- XOR encryption for shellcode (shellcode generation specific keys)
Check out Alcatraz for additional obfuscation for the shellcode/injector.
Usage
The following command compiles the DLLs and executables into target:
$ cargo build --release
- Generate shellcode containing the loader and the payload
- Inject the created shellcode into target
Disclaimer
Information and code provided on this repository are for educational purposes only. The creator is in no way responsible for any direct or indirect damage caused due to the misuse of the information.
Credits
- Stephen Fewer (@stephenfewer) for reflective DLL injection
- Nick Landers (@monoxgas) for shellcode generator
- @memN0ps for bootstrap shellcode