No description
- Rust 99%
- Assembly 1%
Whitecat18
28e7fac1d3
Rust-for-Malware-Development is an collection of proof of concepts with techniques and advanced evasion methods |
||
|---|---|---|
| AMSI BYPASS | ||
| analysis | ||
| AntiDebugging | ||
| Api_Hooking | ||
| base_addr_locator | ||
| Basics | ||
| BlockHandle | ||
| Browser Creds Dumper | ||
| BSOD | ||
| Custom_Shellcode | ||
| Debug | ||
| Dirty_Vanity | ||
| dll_injection | ||
| DLL_Injector | ||
| drivers | ||
| Dynamic_Resolver | ||
| Early Cascade Injection | ||
| EDRChecker | ||
| Encryption Methods | ||
| Enumeration | ||
| Etw | ||
| Evasion | ||
| Exec_Extern | ||
| Extract_Shellcode | ||
| GhostingProcess | ||
| images | ||
| keylog_dropper | ||
| Keyloggers | ||
| KiUserExceptionDispatcherStepOver | ||
| link_obfuscator | ||
| lsass_dump | ||
| Malware-Samples | ||
| Malware_Tips | ||
| ManualRsrcDataFetching | ||
| MessageBoxes | ||
| Named_Pipe | ||
| NtApi | ||
| NtCreateUserProcess | ||
| NtSockets | ||
| PEB_Offset_finder | ||
| Persistence | ||
| poc | ||
| position independent | ||
| Process | ||
| Process-Injection | ||
| process_hollowing | ||
| Proxy-DLL-Loads | ||
| Reverse Shell | ||
| Self-Deletion-Techniques | ||
| shellcode_exec | ||
| Sleep_Obfuscations | ||
| stealer | ||
| Structs | ||
| syscalls | ||
| Test_phase | ||
| Threads | ||
| timer | ||
| uac-bypass-cmstp | ||
| UUID_Shellcode_Execution | ||
| VectoredOverloading | ||
| WaitingThreadHijacking | ||
| Windows_Threads | ||
| WinHTTP | ||
| .gitmodules | ||
| api_hooking.rs | ||
| CLEAN.md | ||
| CNAME | ||
| DEPENPENCIES.md | ||
| deps.md | ||
| docker.md | ||
| Dockerfile | ||
| evade_vm.rs | ||
| LICENSE | ||
| maldev_rust.png | ||
| README.md | ||
Rust for Malware Development
Rust for Malware Development
This repository contains source codes of various techniques used by malware authors, red teamers, threat actors, state-sponsored hacking groups etc. These techniques are well-researched and implemented in Rust.
Table of Contents
- CodeBase
- Walkthrough
- Malware Techniques
- Encryption Techniques
- Related Blogs
- Download Repository
- Contribution
- Credits/References
Malware Techniques
| Technique | Description |
|---|---|
| Process Injection | Process injection techniques |
| Process Injection 2 | Additional process injection snippets. |
| Process Ghosting | Process ghosting technique |
| Process Hypnosis | Process hypnosis techniques |
| Process Herpaderping | Process herpaderping |
| Parent Process Spoofing | create a process that appeas as it was spawn a parent process |
| Waiting Thread Hijacking | injection by overwriting the return address of a waiting thread |
| NtCreateUserProcess | Launch processes using NtCreateUserProcess API. |
| Dirty Vanity | Bypass EDR's by executing Shellcode by forking the process |
| Custom Shellcode | Custom Shellcode for Testing. |
| Tartarus Gate | Bypass EDRs by unhooking functions |
| Recycle Gate | Combination of Hells, Halos, Tartarus Gate |
| Named Pipes | Interprocess communication using named pipes on Windows. |
| Api Hooking | API Hooking Using Trampoline. |
| PE Analyzer | Extract PE information via CLI. |
| PEB Offset Finder | Find PEB Offsets for sstealth operations |
| BlockHandle | Block handles using SDDL PoC. |
| Dynamic Export Table PEB | Call Windows functions by searching memory. |
| Dynamic Resolver | Dynamically resolves and invokes WinAPI functions |
| API Hammering | API hammering techniques. |
| Early Cascade Injection | Early-cascade injection PoC in Rust. |
| Encryption Methods | Methods to encrypt and execute payloads. |
| Enumeration | Enumeration modules for efficiency. |
| Malware Samples | Malware based on real-world activities. |
| Metadata Modification | Extract and embed custom metadata in binaries. |
| Keyloggers | Custom keylogger implementations in Rust. |
| DLL Injection | DLL injection in Rust. |
| DLL Injector | Versatile DLL injector in Rust. |
| Code Snippets | Snippets for malware operations. |
| NTAPI Implementation | NTAPI usage snippets. |
| Early Expcetion Handler | Custom Expcetion Handler to bypass EDRs |
| Extract WiFi Passwords | Extract stored WiFi passwords on Windows. |
| Reverse Shell | Client-server reverse shell in Rust. |
| Thread Hijacking | Thread hijacking snippets. |
| Self Deletion | Techniques for self-deleting binaries. |
| Position Independent Series | Position-independent code in Rust. |
| Shellcode Execution | Shellcode execution using WinAPIs. |
| Sleep Obfuscation | Sleep obfuscation implementation. |
| Direct Syscalls | Direct syscall implementation using STUB methods. |
| Indirect Syscalls | Indirect syscall implementation using STUB methods. |
| Parallel Syscalls | Parallel Syscall implementation. |
| BSOD | Triggers a Blue Screen of Death. |
| Persistence | Persistence techniques. |
| UAC Bypass CMSTP | UAC bypass by elevating CMSTP.exe. |
| Malware DSA | Malware using data structures and algorithms. |
| Shellcode Obfuscation | Obfuscate shellcode using IPv4, IPv6, MAC, UUID formats. |
| EDR Checker | Detect EDR tools, AV software, and security applications. |
| Timer | Time-based execution control mechanism. |
| Keylogger Dropper | Downloads and executes keylogger in the background. |
| Rand_Fill | Deletes files and fills disk with random bytes. |
| Encryfer-X | Ransomware combining multiple PoC techniques. |
| GitHub Stealers | Steal credentials using GitHub API. |
| Telegram Operator | Telegram Operator to Run EXEs and executes Commands |
| AMSI Byapss Techniques | AMSI Bypass Techniques. |
| ManulaRsrcDataFetching | function to replace FindResource & LoadResource & LockResource & SizeofResource windows apis. |
| Anti-VM CPU Fan Detection | Find if the system has CPU FAN. Works only on PC. |
| Proxy DLL Load | PoC of Proxying DLL Loads To Hide From ETWTI Stack Tracing |
| Anti Debugging | Anti-Debugging Methods |
| ETW | Etw Methods |
| Debug Library | Simple Debug code to print statements during debug builds only |
Encryption Techniques
| Technique | Description |
|---|---|
| AES Encryption | Encrypt/decrypt shellcodes using AES. |
| RC4 Encryption | Encrypt/decrypt shellcodes using RC4. |
| XOR Encryption | Encrypt/decrypt shellcodes using XOR. |
| Khufu Encryption | Encrypt/decrypt using Khufu algorithm. |
| ECC Encryption | Encrypt/decrypt shellcodes using ECC. |
| Camellia Cipher | Encryption using Camellia cipher. |
| NullxFigure | Parse null bytes into shellcode. |
| A5/1 Cipher | Encrypt shellcode using modified A5/1 cipher. |
| Madryga Algorithm | Encrypt/decrypt shellcodes using Madryga Algorithm. |
| Lucifer Algorithm | Encrypt/decrypt shellcodes using Lucifer algorithm. |
| DFC Algorithm | Encrypt/execute payloads using DFC algorithm. |
| Payload Shuffling | Payload shuffling techniques. |
| SystemFunction032/033 | Encrypt/decrypt shellcode using undocumented WinAPI. |
Custom Crates
| Name | Description |
|---|---|
| Static Encrypt | Encrypt String literals at compile time using Different Algorithms |
| Dynamic API Parsing | Parses PEB to locate ntdll.dll exports at runtime and resolves API using hashes. |
| LazyDLLSideload | Generate DLL proxy/sideload projects. |
| Dyncvoke | dynamic Windows API invocation. |
Walkthrough
- New to Rust? Follow the compilation guide.
- Compile Source Code: See README.
- Clean PoCs Recursively: Use commands.
- Cross-Compilation with Docker: Refer to README.
Related Blogs
- Malware Development Essentials Part 1
- DLL Injection Using Rust
- Rust for Cybersecurity and Red Teaming
- Advanced Rust Strategies for Windows
Download as .Zip File
Download the repository: Link
Contributing to Rust for Malware Development
We welcome contributions to the Rust for Malware Development repository. To contribute, please follow these steps:
- Fork the repository.
- Create a new branch:
git checkout -b <branch_name>. - Make your changes and commit them:
git commit -m '<commit_message>'. - Push your changes to your branch:
git push origin <branch_name>. - Submit a pull request.
If you have any questions about contributing, refer to the GitHub documentation.
Credits / References
I would like to express my sincere gratitude to the creators of remarkable projects and fascinating techniques, who provided me with the tools and inspiration needed to create this extraordinary repository.
Each PoC includes a Credits/Resource section to acknowledge and respect the original creators and their contributions to the community.
Other Essential Resources:
- https://ired.team
- https://github.com/microsoft/windows-rs
- https://github.com/retep998/winapi-rs
- https://github.com/MSxDOS/ntapi
- https://github.com/janoglezcampos/rust_syscalls
- https://github.com/rust-osdev/uefi-rs
- https://discord.gg/rust-lang-community
- https://github.com/anvie/litcrypt.rs
- https://balwurk.com/shellcode-evasion-using-webassembly-and-rust
License
This project is licensed under the MIT License
