OffensiveRust: Rust Weaponization for Red Team Engagements
# OffensiveRust

My experiments in weaponizing Rust for implant development and general offensive operations.
## Why Rust?

- It is faster than languages like C/C++
- It is a multi-purpose language with an excellent community
- It has an amazing built-in dependency and build management tool called Cargo
- It is LLVM-based, which makes it a very good candidate for bypassing static AV detection
- Cross-compilation to Windows from *nix/macOS is super easy and only requires installing the mingw toolchain, although certain libraries cannot be compiled successfully on other OSes
## Examples in this repo

| File | Description |
|---|---|
| Allocate_With_Syscalls | Uses NTDLL functions directly via the ntapi library |
| Create_DLL | Creates a DLL that pops up a message box; Rust does not fully support this, so things might get weird since Rust DLLs do not have a main function |
| DeviceIoControl | Opens a driver handle and executes DeviceIoControl |
| EnableDebugPrivileges | Enables SeDebugPrivilege in the current process |
| Shellcode_Local_inject | Executes shellcode directly in the local process by casting a pointer |
| Execute_With_CMD | Executes cmd by passing a command from Rust |
| ImportedFunctionCall | Imports MiniDump from dbghelp and executes it |
| Kernel_Driver_Exploit | Kernel driver exploit for a simple buffer overflow |
| Named_Pipe_Client | Named pipe client |
| Named_Pipe_Server | Named pipe server |
| Process_Injection_CreateThread | Process injection into a running process with CreateThread |
| Process_Injection_CreateRemoteThread | Process injection into a remote process with CreateRemoteThread |
| Process_Injection_Self_EnumSystemGeoID | Self-injector that uses the EnumSystemGeoID API call to run shellcode |
| Unhooking | Unhooking calls |
| asm_syscall | Obtaining the PEB address via asm |
| base64_system_enum | Base64 encoding/decoding of strings |
| http-https-requests | HTTP/S GET/POST requests that ignore the certificate check |
| patch_etw | Patches ETW |
| ppid_spoof | Spoofs the parent process of a created process |
| tcp_ssl_client | TCP client with SSL that ignores the certificate check (requires openssl and perl to be installed for compiling) |
| tcp_ssl_server | TCP server with a port parameter (requires openssl and perl to be installed for compiling) |
| wmi_execute | Executes a WMI query to obtain the AV/EDRs on the host |
| Windows.h+ Bindings | Contains the structures of Windows.h plus complete customized LDR, PEB, etc. that are not officially documented by Microsoft; add `include!("../bindings.rs");` at the top of your file |
| UUID_Shellcode_Execution | Plants shellcode from a UUID array into heap space and uses the EnumSystemLocalesA callback to execute the shellcode |
| AMSI Bypass | AMSI bypass in the local process |
| Injection_AES_Loader | NtTestAlert injection with AES decryption |
| Litcrypt_String_Encryption | Uses the Litcrypt crate to encrypt literal strings at rest and in memory to defeat static AV |