XOR shellcode loader in Rust

I asked ChatGPT to provide a brief introduction to this post and found the suggested title interesting and a useful segue: ‘Rust – Powering Shellcode Loaders with Safety and Performance’.

So ‘what is Rust’ and ‘why am I hearing about it more’? Microsoft has some very helpful free online learning on Rust. I have only recently started learning Rust and have found this resource invaluable.

Image: source – https://learn.microsoft.com/en-us/training/modules/rust-introduction/2-rust-overview

I initially went looking for code to base the loader on and came across b1nhack's GitHub repository (see resources and references), which had multiple examples. Basing the Rust code on the create_thread example, I was able to get a successful meterpreter session on my development environment.

Image: Meterpreter shellcode from msfvenom
Image: successful meterpreter session from initial loader

However, this was only my development environment with Windows Defender disabled. When I uploaded the executable to KleenScan, 11/40 engines detected it as malicious.

Image: KleenScan results of initial loader

Let’s try adding XOR encryption to the shellcode and loader, and see if this improves results in KleenScan.

Image: XOR encryption added to msfvenom
Image: Partial code which includes XOR decryption
Image: Improved KleenScan results.

Dramatically improved results. I have similar loaders written in C, but they have high detections on KleenScan unless I add encoding such as Base64. In this example, XOR encryption of a meterpreter shellcode included in a shellcode loader written in Rust had very low detections without requiring additional encoding.
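A caveat worth keeping in mind when reading multi-scanner results like these: single-byte XOR hides a payload from static signature matching, but it is not encryption in any meaningful sense, because an analyst (or a scanner that tries it) can recover the key by exhaustive search in 256 attempts. The following Rust snippet is an added example written for this post, not code from the post or from b1nhack's repository. It performs the XOR round trip and then shows the defender's side: recovering the key by testing every candidate against a known marker. The buffer, marker and key are constructed values for illustration only.

```rust
// Added example: single-byte XOR round trip and key recovery (constructed data).

/// XOR every byte of `data` with `key`. Encoding and decoding are the same operation,
/// which is exactly why a leaked or brute-forced key undoes the obfuscation completely.
pub fn xor_bytes(data: &[u8], key: u8) -> Vec<u8> {
    data.iter().map(|b| b ^ key).collect()
}

/// Try all 256 single-byte keys and return every key under which `needle`
/// appears somewhere in the decoded buffer. This is the check an analyst or a
/// scanner runs when it suspects a single-byte XOR layer.
pub fn recover_keys(encoded: &[u8], needle: &[u8]) -> Vec<u8> {
    assert!(!needle.is_empty(), "needle must be non-empty");
    (0u8..=255)
        .filter(|&k| {
            let decoded = xor_bytes(encoded, k);
            decoded.windows(needle.len()).any(|w| w == needle)
        })
        .collect()
}

fn main() {
    // Constructed sample: a benign marker string stands in for the protected bytes.
    let plain = b"CONSTRUCTED-SAMPLE-MARKER";
    let key = 0x5A; // constructed key, not from the post

    let encoded = xor_bytes(plain, key);
    assert_ne!(&encoded[..], &plain[..]);
    assert_eq!(xor_bytes(&encoded, key), plain.to_vec());

    // The defender's view: with no knowledge of the key, search for a known
    // fragment under every candidate key. Only the real key reproduces it.
    let found = recover_keys(&encoded, b"MARKER");
    println!("candidate keys: {:02x?}", found);
}
```

The search costs 256 decodes of the buffer, so a low detection count against a multi-scanner mostly says the scanners' static signatures did not include the XOR'd form; it does not say the payload is hidden from anyone who looks at the binary with this kind of check in hand.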

Conclusion

Rust is becoming more popular and it is likely we will see more malware written in this language. It is becoming increasingly important for security professionals to be familiar with Rust.

References and Resources

https://learn.microsoft.com/en-us/training/modules/rust-introduction/2-rust-overview
https://github.com/b1nhack/rust-shellcode
