janoglezcampos / rust_syscalls Goto Github PK
View Code? Open in Web Editor NEWSingle stub direct and indirect syscalling with runtime SSN resolving for windows.
rust_syscalls's People
Contributors
Stargazers
Watchers
Forkers
0xrobert gmh5225 cvlabsio topotam y11en yeah9782 th3bak3r binlux vmctx cirosec g-goessel rasta-mouse an0x03e8 nariod apkc ptkatz noorahsmith l4rryxz extraconcentratedjuice hide067 chucksploit ehuff700 terrarier2111 cgmossarust_syscalls's Issues
Help request : syscall with NtCreateThreadEx
Hello mate,
I am using your repo for different projects. In my RustPacker, I am writing a template that uses rust_syscalls for shellcode injection. I successfully ported all my NTAPI calls, except NtCreateThreadEx.
I tried the following:
let mut thread_handle : *mut c_void = null_mut();
let handle = process_handle as *mut c_void;
let write_thread = syscall!("NtCreateThreadEx", &mut thread_handle, GENERIC_ALL, null_mut(), handle, allocstart, null_mut(), 0, 0, 0, 0, null_mut());
but this, gives the folllowing error:
However, the normal NTAPI call with the same arguments compiles and works when executed:
let write_thread = NtCreateThreadEx(&mut thread_handle, GENERIC_ALL, null_mut(), handle, allocstart, null_mut(), 0, 0, 0, 0, null_mut());
Did you try to use rust_syscalls with the NtCreateThreadEx NTAPI call? More generally, how do you convert the NTAPI call arguments to be compatible with your project ?
All the best !
Nariod
Hi I have a question
Hello, I have a question. I have written code to read the LDR through syscalls. However, when I use this code in a library, I encounter the error C0000005. Interestingly, the same code works perfectly fine when used locally. I can't figure out why this is happening.
code
main
let pid = 16676;
let a = unsafe { OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid) }.unwrap();
println!("aaaaaa");
// let p = unsafe { get_peb(a) }.unwrap();
// let e = unsafe {testt(a).unwrap()};
// let mut ldr = unsafe { get_all_ldr_module(a) }.unwrap();
let mut ldr = unsafe { get_module_list_address(a) };
get_module_list_address
pub unsafe fn get_module_list_address(hProcess:HANDLE) -> PVOID {
let peb_addr = get_peb(hProcess).unwrap();
let mut ldr = peb_addr.byte_add(0x18) as PVOID;
let pvoid_len = size_of::<PVOID>();
println!("read lsass peb ldr{:?}",peb_addr);
let mut ldr_entry_address: PVOID = null_mut();
let mut NumberOfBytesRead: PVOID = null_mut();
let success = syscall!("NtReadVirtualMemory",hProcess,ldr,&mut ldr_entry_address as *mut PVOID,pvoid_len,0);
if success!=0 {
println!("{:x}",success);
panic!()
}
let module_list_pointer = ldr_entry_address as *mut LdrData;
let inmemorymodulelist = ldr_entry_address.offset(0x20) as PVOID;
let mut module_list_addres: PVOID = null_mut();
let success= syscall!("NtReadVirtualMemory",hProcess,inmemorymodulelist,&mut module_list_addres as *mut PVOID,pvoid_len,0);
if success!=0 {
println!("{:x}",success);
panic!()
}
return module_list_addres;
}
get_peb
pub unsafe fn get_peb(hPorcess:HANDLE) -> Option<*mut PEB> {
let peb:*const u8;
if hPorcess.0 ==0 {
unsafe {
asm!(
"mov {0}, gs:0x60",
out(reg) peb,
options(nostack, nomem, preserves_flags),
);
}
println!("self peb");
return Some(peb as *mut PEB);
}
let p = PROCESS_BASIC_INFORMATION::default();
let process_information: PVOID = std::mem::transmute(&p);
let success = syscall!("NtQueryInformationProcess",hPorcess,0,process_information,size_of::<PROCESS_BASIC_INFORMATION>() as u32,0 as *mut u32);
if success!=0 {
println!("1 {}",success);
}
let pbi:*mut PROCESS_BASIC_INFORMATION;
pbi = std::mem::transmute(process_information);
let pbi = *pbi;
return Some(pbi.PebBaseAddress as *mut PEB);
Issue with ntapi module imports
When trying to import the project there is an issue with the ntapi dependency where the modules being called could not be found despite existing in the source file.
`error[E0432]: unresolved import `ntapi::ntldr`
--> rust_syscalls/src/syscall_resolve.rs:6:12
|
6 | use ntapi::ntldr::PLDR_DATA_TABLE_ENTRY;
| ^^^^^ could not find `ntldr` in `ntapi`
error[E0432]: unresolved import `ntapi::ntpebteb`
--> rust_syscalls/src/syscall_resolve.rs:7:12
|
7 | use ntapi::ntpebteb::{PPEB, TEB};
| ^^^^^^^^ could not find `ntpebteb` in `ntapi`
error[E0432]: unresolved import `ntapi::ntpsapi`
--> rust_syscalls/src/syscall_resolve.rs:8:12
|
8 | use ntapi::ntpsapi::PPEB_LDR_DATA;
| ^^^^^^^ could not find `ntpsapi` in `ntapi`
error[E0433]: failed to resolve: could not find `shared` in `winapi`
--> rust_syscalls/src/syscall_resolve.rs:11:13
|
11 | use winapi::shared::minwindef::{PUSHORT, PWORD};
| ^^^^^^ could not find `shared` in `winapi`
error[E0433]: failed to resolve: could not find `shared` in `winapi`
--> rust_syscalls/src/syscall_resolve.rs:12:13
|
12 | use winapi::shared::ntdef::{NULL, PLIST_ENTRY, PUCHAR, PVOID, ULONG};
| ^^^^^^ could not find `shared` in `winapi`
error[E0433]: failed to resolve: could not find `um` in `winapi`
--> rust_syscalls/src/syscall_resolve.rs:13:13
|
13 | use winapi::um::winnt::{
| ^^ could not find `um` in `winapi`
error[E0433]: failed to resolve: could not find `um` in `winapi`
--> rust_syscalls/src/syscall_resolve.rs:53:17
|
53 | use winapi::um::winnt::NT_TIB;
| ^^ could not find `um` in `winapi`
error[E0432]: unresolved import `ntapi::FIELD_OFFSET`
--> rust_syscalls/src/syscall_resolve.rs:9:5
|
9 | use ntapi::FIELD_OFFSET;
| ^^^^^^^^^^^^^^^^^^^ no `FIELD_OFFSET` in the root
error: cannot determine resolution for the macro `FIELD_OFFSET`
--> rust_syscalls/src/syscall_resolve.rs:54:22
|
54 | let teb_offset = FIELD_OFFSET!(NT_TIB, _Self) as u32;
| ^^^^^^^^^^^^
|
= note: import resolution is stuck, try simplifying macro imports
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.