This repo is a proof of concept for using direct syscalls from Rust to avoid the ntdll hooks placed by EDRs / antiviruses.
At the time of writing, this can run known-bad shellcode (a meterpreter shell) and bypass the majority of big-name antimalware solutions. A custom reverse shell would make this far more effective.
Usage is simple: generate shellcode and pack it into a Vec<u8>. Then place it in the DATA definition in build.rs and build. build.rs encrypts the shellcode with random keys and packs it into different sections of the resulting binary.
Using the binary is as simple as running it with the PID of your target process. You can inject into processes that aren't SecureObjects and are owned by your account without admin permissions, but setting SeDebugPrivilege to access SecureObjects does require admin privileges.
This is purely speculative, but my assumption is that, because Rust binaries haven't been around for as long as C/C++ binaries, especially in the malware scene, the usual techniques have not yet been fingerprinted in Rust binaries.
A process containing syscall instructions should itself already be a huge red flag, but even that flag can be avoided, as they can just be generated on the fly with WriteProcessMemory or another similar tool.