Rust-for-Malware-Development
Process Injection using NtCreateSection + NtMapViewOfSection
Overview
This PoC program implements a process injection technique using Windows NT system calls:
- NtCreateSection
- NtMapViewOfSection
- RtlCreateUserThread
Download NtMapViewOfSection PoC: Download
How does it work ?
- Setup:
- Takes a target PID as a command-line argument
- Defines a shellcode array
- NTDLL Access:
- Loads ntdll.dll and gets function pointers for NtCreateSection, NtMapViewOfSection, and RtlCreateUserThread
- Section Creation:
- Creates a 4096-byte memory section with NtCreateSection
- Sets it with execute/read/write permissions
- Memory Mapping:
- Maps the section into the current process with read/write permissions
- Maps the same section into the target process with execute/read permissions
- This creates a shared memory region between processes
- Injection:
- Copies the shellcode into the local mapped section
- Since the section is shared, this makes it available in the target process
- Execution:
- Creates a new thread in the target process using RtlCreateUserThread
- Sets the thread’s starting address to the shellcode location
- The shellcode executes in the target process’s context
- Cleanup:
- Closes all handles to prevent resource leaks
Requirements
- rustc 1.85.1 (4eb161250 2025-03-15)
- Rust toolchain (stable-x86_64-pc-windows-msvc (default))
- Target process PID
Usage
cargo run --release <Target PiD>
Credits / References
- https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection
Author: @5mukx