dll-syringe
A Windows DLL injection library written in Rust.
Supported scenarios
| Injector Process | Target Process | Supported? |
|---|---|---|
| 32-bit | 32-bit | Yes |
| 32-bit | 64-bit | No |
| 64-bit | 32-bit | Yes (requires feature `into-x86-from-x64`) |
| 64-bit | 64-bit | Yes |
Usage
Inject & Eject
This crate allows you to inject a DLL into a target process and eject it again.
The example below will inject and then eject `injection_payload.dll`
into the process called "ExampleProcess".

```rust
use dll_syringe::{process::OwnedProcess, Syringe};

// find target process by name (None if no such process is running)
let target_process = OwnedProcess::find_first_by_name("ExampleProcess").unwrap();

// create a new syringe for the target process
let syringe = Syringe::for_process(target_process);

// inject the payload into the target process
let injected_payload = syringe.inject("injection_payload.dll").unwrap();

// do something else

// eject the payload from the target (optional)
syringe.eject(injected_payload).unwrap();
```
Remote Procedure Calls (RPC)
This crate supports two mechanisms for RPC. Both only work one-way, for calling exported functions in the target process, and are only intended for one-time initialization. For extended communication a dedicated RPC library should be used.
| | RemotePayloadProcedure | RemoteRawProcedure |
|---|---|---|
| Feature | `rpc-payload` | `rpc-raw` |
| Argument and Return Requirements | `Serialize + DeserializeOwned` | `Copy`, argument size has to be smaller than `usize` in target process |
| Function Definition | Using macro `payload_procedure!` | Any `extern "system"` or `extern "C"` with `#[no_mangle]` |
RemotePayloadProcedure
An RPC mechanism based on bincode.
The target procedure must be defined using the `payload_procedure!` macro (requires the `payload-utils` feature).

The definition of an exported `add` function could look like this:

```rust
use dll_syringe::payload_procedure;

// the macro generates the exported wrapper that deserializes the
// arguments and serializes the return value with bincode
payload_procedure! {
    fn add(a: f64, b: f64) -> f64 {
        a + b
    }
}
```
The code of the injector/caller could look like this:

```rust
use dll_syringe::{process::OwnedProcess, Syringe};

// find target process by name
let target_process = OwnedProcess::find_first_by_name("ExampleProcess").unwrap();

// create a new syringe for the target process
let syringe = Syringe::for_process(target_process);

// inject the payload into the target process
let injected_payload = syringe.inject("injection_payload.dll").unwrap();

// look up the exported procedure; the outer unwrap is the lookup error,
// the inner one is None when the export does not exist
let remote_add = unsafe {
    syringe.get_payload_procedure::<fn(f64, f64) -> f64>(injected_payload, "add")
}
.unwrap()
.unwrap();
let result = remote_add.call(&2.0, &4.0).unwrap();
println!("{}", result); // prints 6

// eject the payload from the target (optional)
syringe.eject(injected_payload).unwrap();
```
RemoteRawProcedure
This mechanism is based on dynamically generated assembly code.
The target procedure can be any exported function as long as it uses either the `system` or `C` calling convention.
This means that even Win32 functions can be called directly.

The definition of an exported `add` function could look like this:

```rust
// #[no_mangle] keeps the symbol name "add" so it can be found by name
#[no_mangle]
pub extern "system" fn add(a: f64, b: f64) -> f64 {
    a + b
}
```
The code of the injector/caller could look like this:

```rust
use dll_syringe::{process::OwnedProcess, Syringe};

// find target process by name
let target_process = OwnedProcess::find_first_by_name("ExampleProcess").unwrap();

// create a new syringe for the target process
let syringe = Syringe::for_process(target_process);

// inject the payload into the target process
let injected_payload = syringe.inject("injection_payload.dll").unwrap();

// look up the exported procedure; the type parameter must match the
// calling convention and signature of the remote function
let remote_add = unsafe {
    syringe.get_raw_procedure::<extern "system" fn(f64, f64) -> f64>(injected_payload, "add")
}
.unwrap()
.unwrap();
let result = remote_add.call(2.0, 4.0).unwrap();
println!("{}", result); // prints 6

// eject the payload from the target (optional)
syringe.eject(injected_payload).unwrap();
```
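The payload DLL and the injector are two separate crates and need different features of `dll-syringe`. The two `Cargo.toml` fragments below are an added example, not part of the original README or the project: the first is for the payload crate, which must use the `cdylib` crate type so that Cargo actually produces a DLL, the second for the injector. The feature names are the ones listed in the sections above; the crate version and package names are assumptions.

```toml
# --- injection_payload/Cargo.toml (added example; version and names assumed) ---
[package]
name = "injection_payload"
version = "0.1.0"
edition = "2021"

[lib]
# only the cdylib crate type yields a .dll that can be injected
crate-type = ["cdylib"]

[dependencies]
# payload-utils provides the payload_procedure! macro used for RemotePayloadProcedure;
# a plain #[no_mangle] extern "system" fn for RemoteRawProcedure needs no feature at all
dll-syringe = { version = "0.15", features = ["payload-utils"] }

# --- injector/Cargo.toml (added example; version and names assumed) ---
# [package]
# name = "injector"
# version = "0.1.0"
# edition = "2021"
#
# [dependencies]
# rpc-payload enables RemotePayloadProcedure, rpc-raw enables RemoteRawProcedure,
# into-x86-from-x64 lets a 64-bit injector target 32-bit processes (see the table above)
# dll-syringe = { version = "0.15", features = ["rpc-payload", "rpc-raw", "into-x86-from-x64"] }
```

The second file is commented out only so that the block is a single valid TOML document; copy it into the injector crate uncommented. Build the payload for the bitness of the target process, not of the injector: a 32-bit target needs a 32-bit DLL (for example `cargo build --target i686-pc-windows-msvc`), while the injector may be 64-bit with `into-x86-from-x64` enabled.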
License
Licensed under MIT license (LICENSE or http://opensource.org/licenses/MIT)
Attribution
Inspired by Reloaded.Injector from Sewer.