wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209

//! Kernel-mode error types

use core::fmt;

/// NTSTATUS type alias
pub type NtStatus = i32;

/// kernel-mode specific errors
#[derive(Debug)]
pub enum KmError {
    /// NT status code error
    NtStatus(NtStatus),

    /// pool allocation failed
    PoolAllocationFailed {
        size: usize,
        pool_type: u32,
    },

    /// MDL operation failed
    MdlOperationFailed {
        reason: &'static str,
    },

    /// physical memory access failed
    PhysicalMemoryFailed {
        address: u64,
        size: usize,
    },

    /// virtual memory operation failed
    VirtualMemoryFailed {
        address: u64,
        size: usize,
        reason: &'static str,
    },

    /// process operation failed
    ProcessOperationFailed {
        pid: u32,
        reason: &'static str,
    },

    /// device creation failed
    DeviceCreationFailed {
        reason: &'static str,
    },

    /// symbolic link creation failed
    SymbolicLinkFailed {
        reason: &'static str,
    },

    /// IOCTL operation failed
    IoctlFailed {
        code: u32,
        reason: &'static str,
    },

    /// invalid parameter
    InvalidParameter {
        context: &'static str,
    },

    /// buffer too small
    BufferTooSmall {
        required: usize,
        provided: usize,
    },

    /// access denied
    AccessDenied {
        context: &'static str,
    },

    /// invalid address
    InvalidAddress {
        address: u64,
    },

    /// not implemented
    NotImplemented {
        feature: &'static str,
    },
}

impl fmt::Display for KmError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::NtStatus(status) => write!(f, "NTSTATUS error: {status:#x}"),
            Self::PoolAllocationFailed { size, pool_type } => {
                write!(f, "pool allocation failed: {size} bytes, type {pool_type}")
            }
            Self::MdlOperationFailed { reason } => {
                write!(f, "MDL operation failed: {reason}")
            }
            Self::PhysicalMemoryFailed { address, size } => {
                write!(f, "physical memory access failed at {address:#x} ({size} bytes)")
            }
            Self::VirtualMemoryFailed { address, size, reason } => {
                write!(f, "virtual memory operation failed at {address:#x} ({size} bytes): {reason}")
            }
            Self::ProcessOperationFailed { pid, reason } => {
                write!(f, "process operation failed for PID {pid}: {reason}")
            }
            Self::DeviceCreationFailed { reason } => {
                write!(f, "device creation failed: {reason}")
            }
            Self::SymbolicLinkFailed { reason } => {
                write!(f, "symbolic link creation failed: {reason}")
            }
            Self::IoctlFailed { code, reason } => {
                write!(f, "IOCTL {code:#x} failed: {reason}")
            }
            Self::InvalidParameter { context } => {
                write!(f, "invalid parameter in {context}")
            }
            Self::BufferTooSmall { required, provided } => {
                write!(f, "buffer too small: need {required} bytes, got {provided}")
            }
            Self::AccessDenied { context } => {
                write!(f, "access denied: {context}")
            }
            Self::InvalidAddress { address } => {
                write!(f, "invalid address: {address:#x}")
            }
            Self::NotImplemented { feature } => {
                write!(f, "not implemented: {feature}")
            }
        }
    }
}

/// result type for kernel operations
pub type KmResult<T> = core::result::Result<T, KmError>;

/// common NTSTATUS codes
pub mod status {
    use super::NtStatus;

    pub const STATUS_SUCCESS: NtStatus = 0;
    pub const STATUS_UNSUCCESSFUL: NtStatus = 0xC0000001_u32 as i32;
    pub const STATUS_NOT_IMPLEMENTED: NtStatus = 0xC0000002_u32 as i32;
    pub const STATUS_INVALID_HANDLE: NtStatus = 0xC0000008_u32 as i32;
    pub const STATUS_INVALID_PARAMETER: NtStatus = 0xC000000D_u32 as i32;
    pub const STATUS_NO_SUCH_DEVICE: NtStatus = 0xC000000E_u32 as i32;
    pub const STATUS_NO_SUCH_FILE: NtStatus = 0xC000000F_u32 as i32;
    pub const STATUS_ACCESS_DENIED: NtStatus = 0xC0000022_u32 as i32;
    pub const STATUS_BUFFER_TOO_SMALL: NtStatus = 0xC0000023_u32 as i32;
    pub const STATUS_OBJECT_NAME_NOT_FOUND: NtStatus = 0xC0000034_u32 as i32;
    pub const STATUS_OBJECT_NAME_COLLISION: NtStatus = 0xC0000035_u32 as i32;
    pub const STATUS_INSUFFICIENT_RESOURCES: NtStatus = 0xC000009A_u32 as i32;
    pub const STATUS_INVALID_DEVICE_REQUEST: NtStatus = 0xC0000010_u32 as i32;
    pub const STATUS_INFO_LENGTH_MISMATCH: NtStatus = 0xC0000004_u32 as i32;
    pub const STATUS_PARTIAL_COPY: NtStatus = 0x8000000D_u32 as i32;
    pub const STATUS_NO_MEMORY: NtStatus = 0xC0000017_u32 as i32;

    /// check if NTSTATUS indicates success
    #[inline]
    pub const fn nt_success(status: NtStatus) -> bool {
        status >= 0
    }

    /// check if NTSTATUS indicates an informational status
    #[inline]
    pub const fn nt_information(status: NtStatus) -> bool {
        (status as u32) >> 30 == 1
    }

    /// check if NTSTATUS indicates a warning
    #[inline]
    pub const fn nt_warning(status: NtStatus) -> bool {
        (status as u32) >> 30 == 2
    }

    /// check if NTSTATUS indicates an error
    #[inline]
    pub const fn nt_error(status: NtStatus) -> bool {
        (status as u32) >> 30 == 3
    }
}

impl From<NtStatus> for KmError {
    fn from(status: NtStatus) -> Self {
        KmError::NtStatus(status)
    }
}

impl KmError {
    /// convert to NTSTATUS for returning from driver dispatch functions
    pub fn to_ntstatus(&self) -> NtStatus {
        match self {
            Self::NtStatus(s) => *s,
            Self::PoolAllocationFailed { .. } => status::STATUS_INSUFFICIENT_RESOURCES,
            Self::MdlOperationFailed { .. } => status::STATUS_UNSUCCESSFUL,
            Self::PhysicalMemoryFailed { .. } => status::STATUS_ACCESS_DENIED,
            Self::VirtualMemoryFailed { .. } => status::STATUS_ACCESS_DENIED,
            Self::ProcessOperationFailed { .. } => status::STATUS_UNSUCCESSFUL,
            Self::DeviceCreationFailed { .. } => status::STATUS_UNSUCCESSFUL,
            Self::SymbolicLinkFailed { .. } => status::STATUS_UNSUCCESSFUL,
            Self::IoctlFailed { .. } => status::STATUS_UNSUCCESSFUL,
            Self::InvalidParameter { .. } => status::STATUS_INVALID_PARAMETER,
            Self::BufferTooSmall { .. } => status::STATUS_BUFFER_TOO_SMALL,
            Self::AccessDenied { .. } => status::STATUS_ACCESS_DENIED,
            Self::InvalidAddress { .. } => status::STATUS_INVALID_PARAMETER,
            Self::NotImplemented { .. } => status::STATUS_NOT_IMPLEMENTED,
        }
    }
}