Karkas66/StarShot
Starshot

A stealthy shellcode runner that hides the payload inside a randomized hash array which has to be "decrypted" in a compute-intensive way in order to evade AV/EDR detection.

⚠️ EDUCATIONAL PURPOSES ONLY
This project is strictly for authorized penetration testing and security research in controlled environments. Misuse may violate computer fraud laws and ethical guidelines.

The Why

  • Inspired by and developed during my self-study of the malware development course by Maldev Academy
  • Goal: Generate a more or less generic shellcode loader in Rust to bypass AVs and less advanced EDR/XDR solutions (successfully achieved!)
  • The Way: Stupid AVs tend to skip resource-intensive functions by patching loops and IF statements and then analyze what happens after them. You cannot skip this logic and preserve functionality, so it looks like a normal program to a stupid scanner
  • First iteration used plain C# code, but C# is very slow and easy to reverse engineer → redesigned to:
    • Rust code
    • use ready-to-build dependencies from Rust's toolchain (SHA, Gzip, ...)
    • hide strings with the Litcrypt library (https://github.com/anvie/litcrypt.rs)
    • use a random-ass API call to execute the shellcode
  • Parallel development of the sister project HashArrayCrafter (Visual Studio C#) to generate the HashArray containing the hidden payload

Workflow

  1. The program reads the random array, the size and the SHA-512 hash of the payload from dataarray.rs (generated by HashArrayCrafter).
  2. Starts a loop that jumps randomly around in the array and tries to decompress a blob of the given size
  3. If the calculated SHA-512 hash at the current position does not match the original hash, it jumps to a different random position. If the calculated SHA-512 hash matches the original one, the correct position has been found
  4. Computing data like attempts, time and others are written to the command line
  5. A memory region of the size needed for the payload is allocated
  6. The reconstructed payload data is written to that region
  7. The region flags are set to Execute/Read
  8. The payload is executed by callback

Usage

Clone the repository:

Optional: Use HashArrayCrafter to generate a custom payload in src/dataarray.rs

# for testing
cargo run
# for compiling the exe
cargo build --release
# run
.\target\release\Starshot.exe

Notes

You can use my own project CelestialSpark to generate shellcode for testing purposes.

Disclaimer

This project was created for educational and research purposes only.
Use responsibly and only in controlled lab environments. "With great power comes great responsibility" — Uncle Ben (and every infosec professional ever)

About

Rust shellcode runner with a lot of stealthy functionality to convince stupid AVs/EDRs that the code is clean. Needs the sister project "HashArrayCrafter" to generate new payload data.
