Advanced Shellcode Loader with Anti-Debugging & Evasion
A sophisticated shellcode loader built in Rust with multiple evasion techniques
RustLoader is a shellcode loader written in Rust for security research. It implements multiple defense-evasion techniques to avoid detection by EDR/AV solutions, including debugger detection, ETW patching, human interaction simulation, and encrypted shellcode execution from heap memory.
| Technique | Implementation | File |
|---|---|---|
| Anti-Debugging | IsDebuggerPresent check at startup | main.rs |
| Sandbox Evasion | Requires 5 real mouse clicks before execution | main.rs |
| ETW Blinding | Patches EtwEventWrite via PEB walk + inline ASM | patch.rs |
| XOR Encryption | Shellcode encrypted at rest, decrypted in-memory | shellcode.rs |
| Heap Execution | Allocates executable heap, no VirtualAlloc calls | shellcode.rs |
| Binary Stripping | LTO, symbol stripping, size optimization | Cargo.toml |
src/
├── main.rs — Entry point: anti-debug, click gate, orchestration
├── patch.rs — ETW patch via PEB traversal (inline x64 ASM)
├── shellcode.rs — Heap allocation, XOR decryption, shellcode execution
├── utils.rs — XOR cipher, sleep utilities
└── cipher.rs — Standalone encoder binary (random key generation)
main() → IsDebuggerPresent check
→ Wait for 5 mouse clicks (sandbox evasion)
→ patch_etw() → PEB walk → resolve ntdll → patch EtwEventWrite
→ execute() → HeapCreate(EXECUTABLE) → HeapAlloc
→ copy encrypted shellcode → XOR decrypt in-place
→ transmute to fn() → execute
- Rust stable toolchain (x86_64-pc-windows-msvc)
- Windows 10/11 x64
cargo run --bin encoding -- shellcode.bin
[*] Random XOR key: 0x60
[!] Set XOR_KEY = 0x60 in src/shellcode.rs before building the loader
[+] Read 51200 bytes from 'shellcode.bin'
[+] Encrypted with key 0x60
[+] Written to 'encrypted.bin'
Set the generated key in src/shellcode.rs:
const XOR_KEY: u8 = 0x60; // Match the encoder output
Then build the loader:
cargo build --release --bin loader
The optimized binary will be at target/release/loader.exe.
| Setting | Value | Purpose |
|---|---|---|
| opt-level | "z" | Minimize binary size |
| lto | true | Link-time optimization |
| codegen-units | 1 | Maximum optimization |
| panic | "abort" | No unwinding overhead |
| strip | true | Remove all symbols |
- ETW Patch: `xor rax, rax; ret` (48 33 C0 C3) written to the `EtwEventWrite` prologue
- PEB Walk: Inline x64 ASM resolves the `ntdll.dll` base via `gs:[0x60]` → PEB → Ldr → InMemoryOrderModuleList
- Heap Execution: `HeapCreate(HEAP_CREATE_ENABLE_EXECUTE)` + `HeapAlloc` avoids `VirtualAlloc` hooks
- No Debug Output: Release builds produce zero console output for stealth
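As an added example (not RustLoader code), a defender-side integrity check in Rust that flags an exported function whose first bytes have been replaced by the `xor rax, rax; ret` stub listed above, or by a jump-style inline hook; the prologue bytes and the names `ETW_PATCH_STUB`, `classify_prologue`, `find_tampered` and the non-`EtwEventWrite` export names are constructed for illustration.

```rust
// Added example, not part of RustLoader: an entry-point integrity check an
// EDR self-test or a memory triage script could run over exported functions.
// All sample prologue bytes and non-EtwEventWrite export names are constructed.

/// `xor rax, rax; ret` as listed in the technical details (48 33 C0 C3).
const ETW_PATCH_STUB: [u8; 4] = [0x48, 0x33, 0xC0, 0xC3];

#[derive(Debug, PartialEq)]
pub enum PrologueState {
    /// Function has been short-circuited to return 0 without doing any work.
    PatchedReturnZero,
    /// First instruction is a JMP, the usual shape of an inline trampoline hook.
    JumpHooked,
    /// No known tampering pattern at the entry point.
    Clean,
}

/// Classify the leading bytes of a function prologue read from process memory.
pub fn classify_prologue(bytes: &[u8]) -> PrologueState {
    if bytes.starts_with(&ETW_PATCH_STUB) {
        return PrologueState::PatchedReturnZero;
    }
    match bytes {
        // E9 = JMP rel32, EB = JMP rel8, FF 25 = JMP [rip+disp32]
        [0xE9, ..] | [0xEB, ..] | [0xFF, 0x25, ..] => PrologueState::JumpHooked,
        _ => PrologueState::Clean,
    }
}

/// Run the check over (export name, prologue bytes) pairs and return the
/// names whose entry point does not look clean, for alerting or logging.
pub fn find_tampered(exports: &[(&str, &[u8])]) -> Vec<String> {
    exports
        .iter()
        .filter(|(_, bytes)| classify_prologue(bytes) != PrologueState::Clean)
        .map(|(name, _)| name.to_string())
        .collect()
}

fn main() {
    // Constructed samples: the README's stub, a JMP rel32 hook, and an
    // ordinary `mov [rsp+8], rbx` prologue that should pass as clean.
    let exports: [(&str, &[u8]); 3] = [
        ("EtwEventWrite", &[0x48, 0x33, 0xC0, 0xC3, 0xCC]),
        ("HypotheticalHookedExport", &[0xE9, 0x10, 0x20, 0x30, 0x40]),
        ("HypotheticalCleanExport", &[0x48, 0x89, 0x5C, 0x24, 0x08]),
    ];
    for name in find_tampered(&exports) {
        println!("[!] tampered entry point: {name}");
    }
}
```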
This software is intended exclusively for educational and security research purposes. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse of this software.
For educational and authorized security testing purposes only.
