Shellcode reflective DLL injection in Rust
Go to file
2024-02-21 16:29:18 +02:00
.cargo tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
.github/docs updated the names of the workspace subprojects 2024-02-13 21:30:05 +02:00
common rename cryptoutils lib 2024-02-21 16:29:18 +02:00
generator rename cryptoutils lib 2024-02-21 16:29:18 +02:00
injector rename cryptoutils lib 2024-02-21 16:29:18 +02:00
payload updated the names of the workspace subprojects 2024-02-13 21:30:05 +02:00
reflective_loader rename cryptoutils lib 2024-02-21 16:29:18 +02:00
.gitignore tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
Cargo.lock rename cryptoutils lib 2024-02-21 16:29:18 +02:00
Cargo.toml rename cryptoutils lib 2024-02-21 16:29:18 +02:00
LICENSE tested builds w/o loader-level obfuscation 2024-02-11 22:52:08 +02:00
README.md removed possibly conflicting short option name 2024-02-13 22:17:07 +02:00

Shellcode reflective DLL injection in Rust

Reflective DLL injection demo for fun and education. In practical applications, there's significant scope for enhancing build sizes, obfuscation, and delivery logic.

A blog post describing the technicalities of sRDI.

Project Structure

.
├── generator           # Shellcode generator (ties together bootstrap, loader, payload, and user data)
├── injector            # PoC injector (CreateRemoteThread)
├── payload             # PoC payload (calc.exe or MessageBoxW based on generator's flag)
├── reflective_loader   # sRDI implementation
└── utils               # Common XOR and hashing functions

Features

  • ~14 kB reflective loader
  • Hashed import names & indirect function calls
  • XOR encrypted payload shellcode
  • Shuffled and delayed IDT iteration (during IAT patching)

Usage

The following command compiles the DLLs and executables into target/release/:

$ cargo build --release
  1. Generate shellcode containing the loader and the payload:
Usage: generator.exe [OPTIONS] --loader <LOADER_PATH> --payload <PAYLOAD_PATH> --function <FUNCTION_NAME> --parameter <PARAMETER> --output <OUTPUT_PATH>

Options:
  -l, --loader <LOADER_PATH>      Path to the sRDI loader DLL
  -p, --payload <PAYLOAD_PATH>    Path to the payload DLL
  -f, --function <FUNCTION_NAME>  Name of the function to call in the payload DLL
  -n, --parameter <PARAMETER>     Parameter to pass to the function
  -o, --output <OUTPUT_PATH>      Path to the output file
      --flag <FLAG>               Flag to pass to the loader (by default DllMain is called) [default: 0]
  -h, --help                      Print help
  -V, --version                   Print version
  1. Inject the created shellcode into target:
Usage: poc-injector.exe -p <PROCESS_NAME> -s <SHELLCODE_PATH> -k <KEYFILE_PATH>
  1. Depending on the flag passed to the generator, either DllMain with DLL_PROCESS_ATTACH or user function with custom parameter is called:
Payload's DllMain execution with the default flag (0) Payload's user defined function execution with the modified flag (1)

Disclaimer

Information and code provided on this repository are for educational purposes only. The creator is in no way responsible for any direct or indirect damage caused due to the misuse of the information.

Credits