Rust-for-Malware-Development

Persistence

Welcome to the Persistence directory of Rust-for-Malware-Development. Techniques that make a payload survive reboots, hide inside legitimate startup flows, or pretend to be spawned by a different parent than it really was.

Cargo Projects

• PPid_spoofing: Spawns a process whose parent looks like a chosen PID. Uses InitializeProcThreadAttributeList + UpdateProcThreadAttribute to hand a fake parent handle to CreateProcess. Useful for hiding lineage from EDR.

Standalone Snippets

• persistence_part1.rs — Walks through the basic Windows persistence primitives (Run keys, Startup folder, scheduled tasks).
• set_as_startup_program.rs — Registers the current binary so it runs every time the user logs on.
• Find_startup_apps.rs — Enumerates every program already configured to auto-start.
• StartupApproved.rs — Toggles the StartupApproved registry keys that Windows uses to allow or block autostart entries.
• COMAutoApprovalList.rs — Reads the COM elevation auto-approval list — a useful target list for UAC-bypass persistence.
• ppid_spoofing.rs — Single-file version of the PPID spoofing trick above.

How to Use

git clone https://github.com/Whitecat18/Rust-for-Malware-Development.git
cd Rust-for-Malware-Development/Persistence

For the Cargo project, cd into it and run cargo build --release. For the loose .rs snippets, drop the file into your own project’s src/ and call it from main.

This site is open source. Improve this page.