Skip to content

malware-unicorn/rusty-memory-loadlibrary

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

rusty-memory-loadlibrary

Load DLLs from memory into another process with rust

  • x64bit Only
  • Largely based on fancycode/MemoryModule
  • Will map a DLL in another process' memory
  • Uses PEB to build most of the import table, if not will remotely load libraries with a classic dll injection (LoadLibraryA, VirtualAlloc LibName, CreateRemoteThread)
  • Uses WriteProcessMemory/ReadProcessMemory to write/read another process
  • Uses a shellcode wrapper for TLS & DllMain calls
  • Uses CreateRemoteThread (I recommend using EtwpCreateEtwThread instead)
  • Threw in a PPID spoof for testing with main

Prereqs

sudo apt-get install gcc-mingw-w64-x86-64
rustup target add x86_64-pc-windows-gnu

Build

cargo build --release --target x86_64-pc-windows-gnu

Example Usage:

Recommended for remote loading

let handle = _memory_loadlibary_remote(
    data.as_mut_ptr() as *mut c_void,
    data.len() as u32,
    process_info.p_handle,
);

Recommended for reflective loading

let handle = memory_loadlibary_remote(
    data.as_mut_ptr() as *mut c_void, 
    data.len() as u32, 
    NULL
);

Platform Info

  • Built with Ubuntu WSL
  • Tested on Windows 10
  • Tested reflective DLL injection with CobaltStrike, not remote DLL injection

References:

Future Plans:

  • TODO: Freeing memory allocs
  • TODO: Get proc address like in fancycode/MemoryModule
  • TODO: Unhooking NTDLL for writes & reads
  • TODO: Probably some code refactoring & better error handling

About

Load DLLs from memory with rust

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages