DEV Community

windasunnie
windasunnie

Posted on

1

Building a Reverse Shell in Rust Using PEB Techniques

#rust #peb

This post documents my exploration of implementing a reverse shell in Rust, starting from a standard API approach, and gradually shifting toward a stealthier variant that leverages manual parsing of the Process Environment Block (PEB). The goal is to reduce detection by Antivirus (AV) and Endpoint Detection and Response (EDR) engines.

Initial Implementation: Traditional API Call Chain

To begin, I created a basic reverse shell using the typical Windows API calls. The logic flow is straightforward and relies on functions exposed by common system libraries like Ws2_32.dll and kernel32.dll.

Reverse Shell Flow 

WSASocket
↓
inet_pton
↓
connect
↓
GetSystemDirectoryA
↓
Initialize STARTUPINFOA
↓
Set lpCommandLine
↓
Initialize SECURITY_ATTRIBUTES
↓
CreateProcessA
↓
Finish
Enter fullscreen mode Exit fullscreen mode
  • WSASocket / connect / inet_pton: Used to set up a TCP connection to the remote host.
  • GetSystemDirectoryA: Retrieves the system path, used to locate cmd.exe.
  • STARTUPINFOA / SECURITY_ATTRIBUTES / CreateProcessA: Used to spawn a new process (cmd.exe) with redirected input/output over the socket.

After compiling the shell, I submitted the resulting binary to VirusTotal. The community score was 28/72 — meaning 28 out of 72 AV/EDR engines flagged the executable as malicious. Most detections explicitly identified it as a reverse shell, which is expected due to the predictable API usage.

Image description

Improved Version: PEB-Based API Resolution

To evade static detection signatures, I rewrote the shell to resolve necessary APIs dynamically by walking the PEB instead of relying on the standard Windows API imports. This eliminates the need for a conventional import table and makes detection more difficult for AV engines relying on heuristic patterns or IAT analysis.

Revised Flow with Manual API Resolution 

WSAStartup (resolved from PEB)
↓
WSASocket (resolved from PEB)
↓
inet_pton (resolved from PEB)
↓
connect (resolved from PEB)
↓
GetSystemDirectoryA (resolved from PEB)
↓
Initialize STARTUPINFOA
↓
Set lpCommandLine
↓
Initialize SECURITY_ATTRIBUTES
↓
CreateProcessA (resolved from PEB)
↓
Finish
Enter fullscreen mode Exit fullscreen mode
  • All API addresses were resolved manually by parsing the export tables of kernel32.dll and Ws2_32.dll, accessed through the PEB.
  • No functions were declared in the import table, making the binary significantly harder to analyze via static disassembly or automated AV heuristics.

The resulting binary was again uploaded to VirusTotal. This time, the detection score dropped drastically to 2/72, with only Google and IKARUS flagging the file as suspicious. This demonstrates a significant improvement in stealthiness — achieved purely through API obfuscation and avoiding direct imports.

Image description

Today, I obtained a new VirusTotal scan result — this time, the detection score dropped to 11 out of 66.

Image description

Heroku
 Promoted

Heroku

The AI PaaS for deploying, managing, and scaling apps.

Heroku tackles the toil — patching and upgrading, 24/7 ops and security, build systems, failovers, and more. Stay focused on building great data-driven applications.

Get Started

Top comments (0)

profile
TigerData (Creators of TimescaleDB)
 Promoted

Tiger Data image

🐯 🚀 Timescale is now TigerData: Building the Modern PostgreSQL for the Analytical and Agentic Era

We’ve quietly evolved from a time-series database into the modern PostgreSQL for today’s and tomorrow’s computing, built for performance, scale, and the agentic future.

So we’re changing our name: from Timescale to TigerData. Not to change who we are, but to reflect who we’ve become. TigerData is bold, fast, and built to power the next era of software.

Read more

👋 Kindness is contagious

Explore this compelling article, highly praised by the collaborative DEV Community. All developers, whether just starting out or already experienced, are invited to share insights and grow our collective expertise.

A quick “thank you” can lift someone’s spirits—drop your kudos in the comments!

On DEV, sharing experiences sparks innovation and strengthens our connections. If this post resonated with you, a brief note of appreciation goes a long way.

Get Started