So you decided to go the Rusty way for your implementation.
Download & install Rust from the website.
cargo will expect a src folder in your current working directory containing an main.rs file. So create this new directory and copy packertemplate.rs into it with the name main.rs.
As we are using cargo for dependency management, we can than simply use cargo build --release with the Cargo.toml in our current working directory. All dependencies will be installed automatically.
The packertemplate.rs code is meant to be used as the start for automating the process of
- Encrypting input payloads (Shellcode, C# Assemblies, PE files)
- Building/Updating the needed Loader code
- (Optional) Embedding the encrypted payload inside of the code
- Compiling the loader, so that we have our final packed binary/dll
All the sub-folders contain potential features, that you can embed/integrate into the Loader. So if you want to for example start with Shellcode packing, check out the shellcodeexecute folder. We recommend, to use compiler flags in the loader instead of concatenating string snippets on runtime for the final code.
Encryption/decryption is always the same (which is for this reason also a good IoC and/or AV signature code base).
The provided code base avoids detections for entropy by loading the encrypted payload from a dedicated file on runtime. This also acts as Sandbox-Evasion, because most Sandboxes or Emulators tend to analyze the executable only don't embed other files for analysis.
All provided samples use nimvoke for indirect syscall execution. Therefore you don't need to take care for potential Userland-Hooks at all as those are bypassed.
- 👊 intermediate 👊 : rust_syscalls is using Hells Gate instead of Tartarus Gate for SSN retrieval. This won't work against some EDRs and needs adjustments. However, there already is public code to accomplish this for your help ;-)
- ✌️ easy ✌️ : Build together your first features, e.G. shellcode input with SandBox + AntiDebug checks
- ✌️ easy ✌️ : If you want to embed the encrypted payload, you need to tackle entropy. Entropy can for example be lowered down by using "encodings" such as UUID, MAC, IP.
- ✌️ easy ✌️ : As an alternative, load the encrypted payload from a dedicated file on runtime to decrypt it afterward.
- ✌️ easy ✌️ : Build Sideloading DLLs using Third Party tools such as Koppeling
- 👊 intermediate 👊 : If you prefer to inject payloads, integrate ThreadlessInject/Poolparty
- 👊 intermediate 👊 : PE loading is not done with indirect syscalls. Change this.
- ✌️ easy ✌️ : Alternative Sandbox Evasion stubs / better AntiDebug techniques
- 👊 intermediate 👊 : Use Hardware Breakpoints for AMSI/ETW evasion instead of simple patches
- ✌️ easy ✌️ : Integrate
realencryption instead of XOR - ✌️ easy ✌️ : Randomize the encryption key for each packed binary
- ✌️ easy ✌️ : Module Stomping
- ✌️ easy ✌️ : Environmental keying on a target domain/hostname
https://github.com/yamakadi/clroxide