A collection of Rust programs showcasing some offensive-securtiy and evasions techniques
| Tool | Description | Reference(s) |
|---|---|---|
| ClipboardMon | Monitors the clipboard for changes and logs clipboard content or copies files depending on detected changes. | - |
| DumpMDEConfig | Enumerates Microsoft Defender to identify exclusion paths, allowed threats, protection history, and ASR (Attack Surface Reduction) rules enabled on the system. No admin privileges required. | Source |
| ElevateToken | Impersonates user tokens to create processes with elevated system privileges. | Token::elevate |
| HeapEnc | Demonstrates a simple example of heap encryption. | nimHeapEnc |
| HideDll | Hides DLLs in the current process and employs anti-analysis methods to prevent the DLL from being dumped by memory scanners. | - |
| HookFinder | Detects userland API hooks implemented by antivirus or EDR (Endpoint Detection and Response) software. | - |
| IoDllProxyLoad | Uses Windows thread pool API to proxy the loading and unloading of a DLL via an I/O completion callback function using named pipes. | IoDllProxyLoad weaponizing-windows-thread-pool-apis-proxying-dll-loads |
| NtCreateUserProcess | Spawns processes using NtCreateUserProcess, blocks DLLs, and performs PPID (Parent Process ID) spoofing. | ntcreateuserprocess_1 ntcreateuserprocess_2 |
| PatchlessAmsiBypass | Bypasses AMSI (Antimalware Scan Interface) utilizing hardware breakpoints, avoiding in-memory hooks. | patchless_amsi |
| PatchlessBypass | An improved version of PatchlessAmsiBypass, patches both ETW (Event Tracing for Windows) and AMSI on all threads. | PatchlessHook |
| SelfErase | Deletes the currently running file from disk. | self_remove delete-self-poc |
| SilentFart | Uses NTAPI to retrieve NTDLL and unhooks it without triggering the "PspCreateProcessNotifyRoutine" callback. | GhostFart |
| StackEncrypt | Shuffles and encrypts the stack, then sleeps using indirect syscalls to NtDelayExecution. | StackMask |
| UnhookNtdll | Implements the Perun's Fart technique in Rust using NtCreateUserProcess, supporting both local and remote execution. | arsenal-rs |
| USB_mon | Monitors USB devices and displays information about new devices connected to the system. | - |
| VEH-ProxyDll | Leverages the Vectored Exception Handler (VEH) to modify the context, particularly the RIP register, to invoke LoadLibraryA with the RCX register holding its argument (module name). Triggers exceptions using VirtualProtect to set pages to PAGE_GUARD. | VEH-DLL-proxy-load.c |
| Whoami_alt | Provides alternatives to the whoami command by utilizing uncommon WinAPI functions. | WhoIsWho WhoamiAlternatives |
| Whoami_alt2 | Additional alternatives to the whoami command, leveraging uncommon WinAPI functions. | WhoIsWho WhoamiAlternatives |
| Wifi-Dump | Dumps WiFi passwords using WinAPI. | - |