PickerPacker

Building Custom Execution Chains with Rust

What is this ???

PickerPacker is a extremely modular rust-based packer that allows you to mix and match various attack techniques ranging from execution types to different injections and AV/EDR evasion methods to essentially create your own payload execution chain.

While PickerPacker is specifically made for red-teaming in mind, it can be used for benign software packing too! Just you know... don't use the evasion features for that.

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀      ⠀⢀⣀⣀⣀⣀⣀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀     ⢀⣠⡶⠿⠿⠿⠭⢤⣀⣀⠉⣩⡟⠒⠦⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀     ⣠⠞⠉⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠀⠀⠀⠘⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀    ⠀ ⢰⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀     ⠀⠀⠀⠀⠀⠀⡾⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢻⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀     ⠀⠀⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
    ⠀⣀⣤⣤⣀⡀⠀⠀⠀⠀⠀⠀⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⡆⠀⠀⠀⠀⢀⣤⠤⠤⠤⢤⣀⠀⠀
   ⢰⠋⠀⠀⠀⠉⠙⠲⢤⣀⠀⠀⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⡄⢀⡴⠚⠉⠀⠀⠀⠀⠀⠈⢳⡄
   ⢸⡄⠀⠀⠀⠀⠀⠀⠀⠈⠑⢦⣧⣀⣀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣤⡴⠟⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡷
   ⠈⢳⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠻⢭⣉⠙⠛⠒⠲⠶⠶⠶⠶⠖⠒⠒⠒⠛⠉⠉⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣸⠃
⠀    ⠀⠙⢶⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠲⢤⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡼⠃⠀
    ⠀⠀⠀⠀⠈⠙⠢⢄⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠓⠦⢄⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⠴⠋⠀⠀⠀
⠀    ⠀⠀⠀⠀⠀⠀⠀⠈⠉⠓⠒⠒⠂⠤⠤⠤⠤⠤⠤⠤⠤⠤⠤⠤⠤⠤⠤⣤⣤⠤⠤⠤⠤⠤⠤⠒⠚⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

           ██████╗ ██╗ ██████╗██╗  ██╗███████╗██████╗ 
           ██╔══██╗██║██╔════╝██║ ██╔╝██╔════╝██╔══██╗
           ██████╔╝██║██║     █████╔╝ █████╗  ██████╔╝
           ██╔═══╝ ██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗
           ██║     ██║╚██████╗██║  ██╗███████╗██║  ██║
           ╚═╝     ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝
             ██████╗  █████╗  ██████╗██╗  ██╗███████╗██████╗ 
             ██╔══██╗██╔══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗
             ██████╔╝███████║██║     █████╔╝ █████╗  ██████╔╝
             ██╔═══╝ ██╔══██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗
             ██║     ██║  ██║╚██████╗██║  ██╗███████╗██║  ██║
             ╚═╝     ╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝
    
        ✧･ﾟ:*✧･ﾟ:* Rust-Powered Customizable Packer *:･ﾟ✧*:･ﾟ✧
    
        Created by: Swayam Tejas Padhy (@Leek0gg)
        GitHub: https://github.com/Swayampadhy/PickerPacker

---

Why is this ??

I was looking into various packers and how they work for a research paper of mine while I realized that no packers existed which provided granular modularity in the execution of the payload i.e. letting the user pick and choose whatever they wanted for the execution chain .

While projects such as RustPacker, ProtectMyTooling exist, they are based on templates i.e. they have multiple options of execution chain sets but aren't granularly selective.

This led me to design PickerPacker which is granularly selective to the point that you can pick and choose each step of the payload's execution chain; creating unique and custom chains execution chains for yourself.

Now being the devil's advocate, being extremely granular is also not a good thing. For example: PickerPacker has 5 different ETW patching methods. Enabling them all at the same time is frankly stupid and just leads to more detection surface. Due to this, I have put some minor restrictions in the execution chain creation. But I will try to keep this as minimal as required.

I decided to develop this packer in rust because.... why not? I anyway wanted to learn rust and what's the best way to do that - Do a very complex rust project of course!! Who reads books Pffft (kidding).

On a sidenote, Rust is quickly becoming my favorite. While it can never replace C for me, it definitely is better than C++ or other languages that I have worked with in the past.

---

How to use this ??

PickerPacker is production-ready. So you can use it for your engagements if you want. I have tested the packer against various anti-malware solutions and the only ones to detect it are BkavPro (W64.AIDetectMalware) and Elastic (Medium confidence). Below is a virus total detection result of the final packed payload.

The packer was also able to evade Elastic's agent in full detect and prevent mode. I was not able to test it against other EDRs as I don't have access to them (I am still a college student lol).

I think these detections are specifically due to the self-deletion anti-analysis. Self-deletion in Windows 11 using rust is a bit wonky in the sense that even if the file data is transferred to another data stream, the file handle isn't deleted up until that file-handle is used again to run the program. This raises the detection risk.

While PickerPacker is production-ready, this doesn't mean that it is finished yet. I am planning to add a lot more features in upcoming releases. Stay tuned to the GitHub repo for that.

---

How PickerPacker Works ??

PickerPacker has two main parts to it -

• The packer binary - This does the packing of the payload

• The template folder - This folder contains the source files for the final packed binary. Any changes to the behavior of the final packed binary is to be done here.

While designing this packer, I had the option of embedding the packer template into the packer binary or keep it separate. While embedding it inside the packer allows for easier distribution (everything is contained in a huge binary), adding more features to the packer and maintaining it becomes exponentially difficult as everything breaks even if I change one simple variable. Thus I decided to keep it separate. This can of course be changed in future releases if people want it.

Overall Flowchart Of PickerPacker

As seen in the above flowchart, PickerPacker takes in the selected features to compile as input from the user, analyzes them, prepares template files accordingly and finally compiles the final packed executable accordingly. See below expandable for more details.

Detailed Packer Working

Stage 1: Configuration & Argument Parsing

CLI Configuration Structure

#[derive(Parser, Debug)]
#[command(name = "PickerPacker", author = "Swayam Tejas Padhy (@Leek0gg)",
    about = "A customizable payload packer written in rust")]
pub struct PackerConfig {
    #[arg(short, long, required = true, value_name = "FILE")]
    pub input: String,
    
    #[arg(long, value_enum, default_value = "default")]
    pub execution: ExecutionMethod,
    
    #[arg(long, value_enum, default_value = "default")]
    pub injection: InjectionMethod,
    
    #[arg(long, value_enum, value_delimiter = ',')]
    pub checks: Vec<CheckMethod>,
    
    #[arg(long, value_enum, value_delimiter = ',')]
    pub evasion: Vec<EvasionMethod>,
    
    #[arg(long, value_enum)]
    pub encrypt: Option<EncryptionMethod>,
    
    #[arg(long, required_if_eq_any([("encrypt", "tinyaes"), ("encrypt", "ctaes")]))]
    pub key: Option<String>,
    
    #[arg(long, required_if_eq_any([("encrypt", "tinyaes"), ("encrypt", "ctaes")]))]
    pub iv: Option<String>,
}

What it does: Users configure the packer with various execution methods (fiber, callbacks, timers), injection methods (default, mapping, function stomping), anti-analysis checks (debugger, VM detection), and evasion techniques (AMSI/ETW bypasses). Optional AES-256 encryption requires hexadecimal key/IV parameters.​

---

Stage 2: Enumeration System

Execution Methods (Sample)

#[derive(Debug, Clone, Copy, PartialEq, Eq, ValueEnum)]
pub enum ExecutionMethod {
    #[value(name = "default")]
    Default,
    #[value(name = "fiber")]
    Fiber,
    #[value(name = "createtimerqueuetimer")]
    CreateTimerQueueTimer,
    // ... more execution methods
}

impl ExecutionMethod {
    pub fn feature_name(&self) -> &'static str {
        match self {
            ExecutionMethod::Default => "ShellcodeExecuteDefault",
            ExecutionMethod::Fiber => "ShellcodeExecuteFiber",
            ExecutionMethod::CreateTimerQueueTimer => "ShellcodeExecuteCreateTimerQueueTimer",
        }
    }
    
    pub fn display_name(&self) -> &'static str {
        match self {
            ExecutionMethod::Default => "Default Execution (Syscalls)",
            ExecutionMethod::Fiber => "Fiber Execution",
        }
    }
}

What it does: Each execution method maps to a Cargo feature flag (e.g., ShellcodeExecuteFiber). This enables feature-driven conditional compilation where only selected code paths are included in the final binary.​

Check Methods (Anti-Analysis)

#[derive(Debug, Clone, Copy, PartialEq, Eq, ValueEnum)]
pub enum CheckMethod {
    #[value(name = "dbgprocessdebugflags")]
    AntiDebugProcessDebugFlags,
    #[value(name = "dbghardwarebreakpoints")]
    AntiDebugHardwareBreakpoints,
    #[value(name = "vmcpu")]
    AntiVMCPU,
    #[value(name = "vmram")]
    AntiVMRAM,
    #[value(name = "domainjoined")]
    DomainJoined,
    // ... more methods
}

What it does: Anti-analysis techniques detect debuggers via PEB flags, hardware breakpoints, and VMs via CPU count, RAM size, USB history, and screen resolution.​

---

Stage 3: Payload Processing & Encryption

Payload Encryption

pub fn process_payload(data: Vec<u8>, config: &PackerConfig) -> Vec<u8> {
    match config.encrypt {
        Some(EncryptionMethod::TinyAES) => {
            let key_bytes = hex_to_bytes(&config.aes_key()).expect("Invalid key format");
            let iv_bytes = hex_to_bytes(&config.aes_iv()).expect("Invalid IV format");
            
            if key_bytes.len() != 32 {
                panic!("Key must be exactly 32 bytes");
            }
            if iv_bytes.len() != 16 {
                panic!("IV must be exactly 16 bytes");
            }
            
            match aes_encrypt_payload(&data, &key_bytes, &iv_bytes) {
                Some(encrypted) => {
                    println!("[+] Payload encrypted with TinyAES ({} bytes)", encrypted.len());
                    println!("[!] Usage: PickerPacker_Packed.exe --key {} --iv {}", 
                             config.aes_key(), config.aes_iv());
                    encrypted
                }
                None => panic!("Failed to encrypt payload"),
            }
        }
        None => data,  // Return plaintext if no encryption
    }
}

What it does: If encryption is enabled, the payload is converted to AES-256-CBC encrypted bytes. The user must preserve the key and IV for runtime decryption.​

Payload Embedding

pub fn embed_payload(loader_stub: &mut String, payload: &[u8], _config: &PackerConfig) {
    let payload_placeholder = "const ENCPAYLOAD: &[u8] = &[];";
    let replacement = format!("const ENCPAYLOAD: &[u8] = &{:?};", payload);
    
    // Replace placeholder with actual payload bytes
    if let Some(pos) = loader_stub.find(payload_placeholder) {
        loader_stub.replace_range(pos..pos + payload_placeholder.len(), &replacement);
    }
}

What it does: The template contains a placeholder constant for the payload. This function searches and replaces it with the actual payload formatted as Rust byte array literals (e.g., &[0x90, 0x90, ...]), embedding the payload directly into source code.​

---

Stage 4: Template File Management

Template Module Registry

rustpub struct TemplateModule {
    pub name: &'static str,
    pub source_file: &'static str,
    pub dest_file: &'static str,
}

pub const TEMPLATE_MODULES: &[TemplateModule] = &[
    TemplateModule {
        name: "execution_mod",
        source_file: "./template/execution/mod.rs",
        dest_file: "./loader/src/execution/mod.rs",
    },
    TemplateModule {
        name: "execution_execution",
        source_file: "./template/execution/execution.rs",
        dest_file: "./loader/src/execution/execution.rs",
    },
    // ... more modules for injections, checks, evasion, encryption
];

What it does: Centralized registry of all template files. Each file maps to a specific feature (execution methods, injections, checks, evasion techniques).​

Conditional Module Inclusion

fn should_include_module(module_name: &str, config: &PackerConfig) -> bool {
    match module_name {
        "execution_mod" | "execution_execution" | "execution_injection" => true,
        "benign" => true,
        "aes" => config.encrypt.is_some(),
        "crypto" | "args" => config.encrypt.is_some(),
        "checks_mod" | "checks_antidebug" | "checks_antivm" => !config.checks.is_empty(),
        "evasion_mod" | "evasion_amsi" | "evasion_etw" => !config.evasion.is_empty(),
        _ => false,
    }
}

What it does: Only includes template files necessary for the selected features. Encryption modules only copy if encryption is enabled. Anti-analysis modules only include if checks are enabled.​

Directory Setup

pub fn setup_loader_directory() -> Result<(), std::io::Error> {
    let loader_exists = std::path::Path::new("loader").exists();
    if !loader_exists {
        println!("[*] Loader directory not found, creating...");
    }
    
    std::fs::create_dir_all("loader")?;
    std::fs::create_dir_all("loader/src")?;
    std::fs::create_dir_all("loader/src/execution")?;
    std::fs::create_dir_all("loader/src/checks")?;
    std::fs::create_dir_all("loader/src/evasion")?;
    
    let template_cargo = "template/Cargo.toml";
    let loader_cargo = "loader/Cargo.toml";
    if std::path::Path::new(template_cargo).exists() {
        std::fs::copy(template_cargo, loader_cargo)?;
    }
    Ok(())
}

What it does: Creates the loader project directory structure and copies the Cargo.toml manifest (which contains all feature flags for conditional compilation).​

---

Stage 5: Compilation

Dynamic Cargo Command Building

rustpub fn build_compile_command(config: &PackerConfig) -> String {
    let mut compile_command = "build --release ".to_string();
    
    // Add execution and injection features (always present)
    compile_command.push_str(&format!("--features {} ", config.execution.feature_name()));
    compile_command.push_str(&format!("--features {} ", config.injection.feature_name()));
    
    // Add check features
    for check in &config.checks {
        compile_command.push_str(&format!("--features {} ", check.feature_name()));
    }
    
    // Add evasion features
    for evasion in &config.evasion {
        compile_command.push_str(&format!("--features {} ", evasion.feature_name()));
    }
    
    if let Some(encryption) = config.encrypt {
        compile_command.push_str(&format!("--features {} ", encryption.feature_name()));
    }
    
    compile_command.push_str("--manifest-path ./loader/Cargo.toml");
    compile_command.push_str(" --target x86_64-pc-windows-msvc");
    compile_command
}

What it does: Dynamically constructs the Cargo command with selected features.

Example output:

cargo build --release --features ShellcodeExecuteEnumDesktopWindows --features InjectionFunctionStomping --features CheckAntiDebugProcessDebugFlags --featuresCheckAntiDebugSystemDebugControl --features CheckAntiDebugRemoteDebugger --features CheckAntiDebugNtGlobalFlag --features CheckAntiDebugProcessList --features CheckAntiDebugHardwareBreakpoints --features EvasionETWSimple --features EvasionAMSISimplePatch --features EvasionNtdllUnhooking --features CTAES --manifest-path ./loader/Cargo.toml --target x86_64-pc-windows-msvc

Execution & Error Handling

pub fn compile_loader(compile_command: &str) -> Result<(), Box<dyn std::error::Error>> {
    let parts: Vec<&str> = compile_command.split_whitespace().collect();
    let output = Command::new("cargo")
        .args(&parts)
        .output()?;
    
    if !output.status.success() {
        let stderr = String::from_utf8_lossy(&output.stderr);
        return Err(format!("Compilation failed:\n{}", stderr).into());
    }
    
    Ok(())
}

What it does: Invokes Cargo as a subprocess to compile the loader with all selected features. Only included code paths are compiled into the binary.​

---

Stage 6: Output

Main Workflow

rustfn main() {
    print_banner();
    
    let config = PackerConfig::from_args();
    display_feature_summary(&config);
    
    let mut loader_stub = load_template().expect("Failed to load template");
    let payload_data = read_payload_file(&config.input).expect("Failed to read payload");
    
    let processed_payload = process_payload(payload_data, &config);
    embed_payload(&mut loader_stub, &processed_payload, &config);
    
    setup_loader_directory().expect("Failed to setup loader");
    copy_template_files(&config).expect("Failed to copy templates");
    write_loader_stub(&loader_stub).expect("Failed to write stub");
    
    let compile_command = build_compile_command(&config);
    compile_loader(&compile_command).expect("Compilation failed");
    
    let dest_path = move_and_rename_executable().expect("Failed to move executable");
    println!("[+] Packed executable created: {}", dest_path);
}

What it does: The complete workflow: parse config → read payload → encrypt (if enabled) → embed into template → copy conditional modules → compile with features → output PickerPacker_Packed.exe.​

Executable Relocation

rustpub fn move_and_rename_executable() -> Result<String, std::io::Error> {
    #[cfg(target_os = "windows")]
    let source = ".\\loader\\target\\x86_64-pc-windows-msvc\\release\\PickerPacker.exe";
    
    #[cfg(target_os = "linux")]
    let source = "./loader/target/x86_64-pc-windows-gnu/release/PickerPacker.exe";
    
    let dest = "PickerPacker_Packed.exe";
    std::fs::rename(source, dest)?;
    Ok(dest.to_string())
}

What it does: Moves the compiled executable from the build directory to the root folder, renamed as PickerPacker_Packed.exe for user convenience.​

The template folder contains the source code that is selectively compiled during final packer compilation. You can check out the template code here.

Which parts of the template code are compiled is dictated by a neat rust feature named - Rust Features. Rust features ensures that only the features that are selected during compilation are the ones that are included in the final compilation. Almost every code in the template folder is feature-gated except some bare essential code. This allows for compile-time modularity.

A Snippet of the Extensive Feature List In PickerPacker

Which features to be included in each compilation is dictated by the packer. The packer creates a cargo sub-process, takes in the desired feature inputs from the user, pushes appropriate compile flags to the sub-process and runs the cargo compile command. This results in the compilation of a packed executable with your unique desired execution chain features.

---

So How to use it ??

Basic Command Structure

.\PickerPacker.exe --input <shellcode_file> [OPTIONS]

Command-Line Options

Option	Description	Example
--input <FILE>	Required. Path to shellcode file	--input calc.bin
--execution <METHOD>	Execution technique (default: default)	--execution fiber
--injection <METHOD>	Injection method (default: default)	--injection modulestomping
--checks <CHECKS>	Comma-separated check methods	--checks dbgprocesslist,vmcpu
--evasion <EVASION>	Comma-separated evasion techniques	--evasion amsisimple,etwwinapi
--encrypt <METHOD>	Encryption algorithm (tinyaes or ctaes)	--encrypt tinyaes
--key <HEX>	AES key (64 hex chars / 32 bytes)	--key ABC123...
--iv <HEX>	AES IV (32 hex chars / 16 bytes)	--iv DEF456...

Usage Examples

1️⃣ Basic Execution

.\PickerPacker.exe --input shellcode.bin

2️⃣ With Execution Method

.\PickerPacker.exe --input shellcode.bin --execution fiber

3️⃣ With Injection Method

.\PickerPacker.exe --input shellcode.bin --execution enumwindows --injection modulestomping

4️⃣ With Anti-Debug Checks

.\PickerPacker.exe --input shellcode.bin --checks dbgprocesslist,vmcpu,vmram

5️⃣ With Evasion Techniques

.\PickerPacker.exe --input shellcode.bin --evasion amsisimple,etwwinapi,ntdllunhook

6️⃣ With Encryption

# Generate random key and IV (PowerShell)
$key = -join ((1..64) | ForEach-Object { '{0:x}' -f (Get-Random -Maximum 16) })
$iv = -join ((1..32) | ForEach-Object { '{0:x}' -f (Get-Random -Maximum 16) })

# Pack with encryption
.\PickerPacker.exe --input shellcode.bin --encrypt tinyaes --key $key --iv $iv

7️⃣ Kitchen Sink (All Features)

.\PickerPacker.exe --input shellcode.bin `
  --execution fiber `
  --injection modulestomping `
  --checks dbgprocesslist,vmcomprehensive,domainjoined `
  --evasion amsihwbp,etwpeventwrite2,ntdllunhook,selfdelete `
  --encrypt ctaes `
  --key <your_64_hex_key> `
  --iv <your_32_hex_iv>

Running the Packed Executable

# If Compiled Without Encryption
.\PickerPacker_Packed.exe      # No additional arguments needed 

# If Compiled With Encryption
.\PickerPacker_Packed.exe --key <key value> --iv <iv value>

Please keep in mind that some CLI options may change in future versions. I will update them both in the Github repo and here accordingly.

---

Credits & Acknowledgments

• rtecCyberSec/Packer_Development - Primary inspiration for this project

• janoglezcampos/rust_syscalls - Indirect syscall implementation

This project incorporates techniques and code snippets from:

• Maldev Academy - Malware development educational resources

• Whitecat18/Rust-for-Malware-Development - Rust malware development examples

• joaoviictorti/RustRedOps - Offensive Rust techniques

If you want to contribute to this project, see CONTRIBUTING.md.