Threadless Module Stomping In Rust with some features

Overview

NovaLdr ⚜️

NovaLdr is a threadless module stomping loader written in Rust, designed as a learning project while exploring the world of malware development. It uses techniques such as indirect syscalls and string encryption to achieve its functionality. This project is not intended to be a complete or polished product but rather a journey into the technical aspects of malware, showcasing various techniques and features.

Features Overview 💡

  • Indirect syscalls
  • String encryption
  • Shellcode encryption: a simple XOR, followed by converting the shellcode bytes into MAC address strings
  • Threadless Execution
    • Threadless inject: writes a trampoline into a specified function within a given DLL and redirects it to load another DLL.
    • JMPThreadHijack: hijacks a thread without calling SetThreadContext. Still needs improvement because I'm lazy and haven't implemented the whole thing well enough to preserve the original functionality of the thread. Just a quick and dirty PoC (beware of payload execution control: browsers tend to execute the payload multiple times).
  • Module Unlink
    • Overwrites the DOS header magic bytes.
    • Clears the DLL base addresses from the target process.
    • Eliminates DLL name strings from the target process.
    • Unlinks the module from the loader's module lists.
  • Spawning Process: spawns a suspended process with NtCreateUserProcess, spoofs the PPID and sets the BlockDLLs mitigation policy on the process.
  • Ntdll Unhooking: remote and local ntdll unhooking using the Perun's Fart technique.
  • No GetModuleHandleA & GetProcAddress: custom replacements built on NT functions.
  • Sleep Encrypt: custom sleep function that encrypts the stack for the sleep duration, using a separate thread.

Usage 🛠️

  • Generate the shellcode file: msfvenom -p windows/x64/messagebox TITLE=NovaLdr TEXT='In memory of all those murdered in the Nova party massacre 7.10.2023' ICON=WARNING EXITFUNC=thread -b '\xff\x00\x0b' -f raw -e none -o Nova_MSG.bin
  • Encrypt the shellcode file and convert it to MAC address format: python bin2mac.py Nova_MSG.bin > nova_msg.txt
  • Copy the content of the output file and paste it into main.rs
  • Compile the program by running compile.bat
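The bin2mac.py step above stores the XORed shellcode as a list of MAC address strings, so an analyst looking at a suspicious binary or source file needs the inverse operation. The following is an added example written for this page, not the project's bin2mac.py; it assumes the encoding is six bytes per token separated by '-' or ':', a single-byte XOR key, and uses a constructed sample (the text "detect-me-please!!" XORed with 0x41, not real shellcode) with a hypothetical main.rs fragment and config line:

```python
import re
from typing import List

# Matches one MAC-style token: six hex pairs separated by '-' or ':' with no
# hex digit directly before or after (so longer hex blobs are not split up).
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])"
)

# Constructed sample standing in for a source file that embeds a payload as
# MAC strings. The bytes are "detect-me-please!!" XORed with 0x41 (assumed
# key), not real shellcode. The config line shows an ordinary MAC that
# should not be counted as suspicious on its own.
SAMPLE_SOURCE = """\
// constructed sample, hypothetical main.rs fragment
let payload_macs = [
    "25-24-35-24-22-35",
    "6C-2C-24-6C-31-2D",
    "24-20-32-24-60-60",
];
"""

SAMPLE_CONFIG = "gateway_mac = 00-1A-2B-3C-4D-5E\n"


def extract_mac_strings(text: str) -> List[str]:
    """Return every MAC-formatted token in text, in order of appearance."""
    return MAC_RE.findall(text)


def macs_to_bytes(macs: List[str]) -> bytes:
    """Invert the MAC encoding: each token yields its six raw bytes."""
    out = bytearray()
    for mac in macs:
        out += bytes.fromhex(re.sub(r"[-:]", "", mac))
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Undo a single-byte XOR (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_encoded_payload(text: str, min_macs: int = 3) -> bool:
    """Heuristic: a file holding many MAC tokens is worth a closer look;
    a single MAC in a config file is not. The threshold is an assumption."""
    return len(extract_mac_strings(text)) >= min_macs


def recover_payload(text: str, key: int) -> bytes:
    """Analyst pipeline: extract the tokens, decode them, strip the XOR layer."""
    return xor_bytes(macs_to_bytes(extract_mac_strings(text)), key)


if __name__ == "__main__":
    print("flagged:", looks_like_encoded_payload(SAMPLE_SOURCE))
    print("recovered:", recover_payload(SAMPLE_SOURCE, 0x41))
```

The recovered bytes are what should be hashed, scanned or disassembled; the MAC strings themselves are only a container and will not match signatures written for the raw payload. The density check is the cheap triage step: one MAC in a configuration file is normal, a run of them in a source file or resource section is not.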

Disclaimer 📢

NovaLdr is intended for educational and research purposes only. The author is not responsible for any misuse or damage caused by this program. Always seek permission before testing it against any target.

Contributing 📈

As this project is a learning journey, contributions, suggestions, and enhancements are welcome to make NovaLdr a valuable resource for learning malware development in Rust.

Resources & Credit

POC

[Screenshot: POC, Screenshot 2023-10-19 142856]

PE-SIEVE

[Screenshot: PE-SIEVE result, Screenshot 2023-10-19 142029]

Comments
  • JMPThreadHijack Comments

    Saw your comments about this being a collaboration and thought why not... I leveraged GPT-4 in relation to your comments about JMPThreadHijack. While I know how to leverage AI to code, I am not well placed to actually test this out. Sorry. Still quite new to pentesting, and while AI is helping, I am still learning.

    I hope you find the additional code useful/insightful. Some new libs added. Lines 190 and 527 are where the additions we added are.

    Warm regards, HoLAI

    opened by R00dNet 2