wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318

//! RAII hook guard for automatic cleanup
//!
//! Provides automatic restoration of hooked functions when the guard is dropped,
//! similar to UnlinkGuard in the unlink module.

#[cfg(all(not(feature = "std"), feature = "alloc"))]
use alloc::vec::Vec;

#[cfg(feature = "std")]
use std::vec::Vec;

use crate::error::{Result, WraithError};
use crate::util::memory::ProtectionGuard;
use super::arch::Architecture;
use super::trampoline::ExecutableMemory;
use core::marker::PhantomData;

const PAGE_EXECUTE_READWRITE: u32 = 0x40;

/// RAII guard for an installed inline hook
///
/// when dropped, automatically restores the original function bytes
/// unless `leak()` was called.
pub struct HookGuard<A: Architecture> {
    /// address of the hooked function
    target: usize,
    /// address of the detour function
    detour: usize,
    /// original bytes that were overwritten
    original_bytes: Vec<u8>,
    /// trampoline memory (if allocated)
    trampoline: Option<ExecutableMemory>,
    /// whether to restore on drop
    auto_restore: bool,
    /// architecture marker
    _arch: PhantomData<A>,
}

impl<A: Architecture> HookGuard<A> {
    /// create a new hook guard
    pub(crate) fn new(
        target: usize,
        detour: usize,
        original_bytes: Vec<u8>,
        trampoline: Option<ExecutableMemory>,
    ) -> Self {
        Self {
            target,
            detour,
            original_bytes,
            trampoline,
            auto_restore: true,
            _arch: PhantomData,
        }
    }

    /// get the target (hooked) function address
    pub fn target(&self) -> usize {
        self.target
    }

    /// get the detour function address
    pub fn detour(&self) -> usize {
        self.detour
    }

    /// get the trampoline address (call this to invoke the original function)
    ///
    /// returns None if no trampoline was allocated
    pub fn trampoline(&self) -> Option<usize> {
        self.trampoline.as_ref().map(|t| t.base())
    }

    /// get the original bytes that were overwritten
    pub fn original_bytes(&self) -> &[u8] {
        &self.original_bytes
    }

    /// check if auto-restore is enabled
    pub fn will_auto_restore(&self) -> bool {
        self.auto_restore
    }

    /// set whether to auto-restore on drop
    pub fn set_auto_restore(&mut self, restore: bool) {
        self.auto_restore = restore;
    }

    /// disable auto-restore and keep the hook active permanently
    ///
    /// consumes the guard without restoring the original function.
    /// the trampoline memory is leaked and remains valid.
    pub fn leak(mut self) {
        self.auto_restore = false;
        if let Some(trampoline) = self.trampoline.take() {
            trampoline.leak();
        }
        core::mem::forget(self);
    }

    /// manually restore the original function
    ///
    /// consumes the guard and restores the hooked function to its original state.
    pub fn restore(self) -> Result<()> {
        self.restore_internal()?;
        // prevent double-restore in Drop
        core::mem::forget(self);
        Ok(())
    }

    /// temporarily disable the hook
    ///
    /// restores original bytes but keeps the guard and trampoline alive
    /// for re-enabling later.
    pub fn disable(&mut self) -> Result<()> {
        let _guard = ProtectionGuard::new(
            self.target,
            self.original_bytes.len(),
            PAGE_EXECUTE_READWRITE,
        )?;

        // SAFETY: protection changed to RWX, original bytes length matches what we overwrote
        unsafe {
            core::ptr::copy_nonoverlapping(
                self.original_bytes.as_ptr(),
                self.target as *mut u8,
                self.original_bytes.len(),
            );
        }

        flush_icache(self.target, self.original_bytes.len())?;

        Ok(())
    }

    /// re-enable a previously disabled hook
    ///
    /// writes the hook stub back to the target function.
    pub fn enable(&mut self, hook_bytes: &[u8]) -> Result<()> {
        if hook_bytes.len() != self.original_bytes.len() {
            return Err(WraithError::WriteFailed {
                address: self.target as u64,
                size: hook_bytes.len(),
            });
        }

        let _guard = ProtectionGuard::new(
            self.target,
            hook_bytes.len(),
            PAGE_EXECUTE_READWRITE,
        )?;

        // SAFETY: protection changed, size matches
        unsafe {
            core::ptr::copy_nonoverlapping(
                hook_bytes.as_ptr(),
                self.target as *mut u8,
                hook_bytes.len(),
            );
        }

        flush_icache(self.target, hook_bytes.len())?;

        Ok(())
    }

    /// internal restore implementation
    fn restore_internal(&self) -> Result<()> {
        let _guard = ProtectionGuard::new(
            self.target,
            self.original_bytes.len(),
            PAGE_EXECUTE_READWRITE,
        )?;

        // SAFETY: protection changed, original_bytes verified at hook install time
        unsafe {
            core::ptr::copy_nonoverlapping(
                self.original_bytes.as_ptr(),
                self.target as *mut u8,
                self.original_bytes.len(),
            );
        }

        flush_icache(self.target, self.original_bytes.len())?;

        Ok(())
    }
}

impl<A: Architecture> Drop for HookGuard<A> {
    fn drop(&mut self) {
        if self.auto_restore {
            // ignore errors during drop
            let _ = self.restore_internal();
        }
    }
}

// SAFETY: HookGuard contains process-wide memory addresses
// the hook state is shared across threads anyway
unsafe impl<A: Architecture> Send for HookGuard<A> {}
unsafe impl<A: Architecture> Sync for HookGuard<A> {}

/// hook state for enable/disable tracking
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HookState {
    /// hook is active
    Enabled,
    /// hook is temporarily disabled
    Disabled,
}

/// stateful hook guard that tracks enable/disable state
pub struct StatefulHookGuard<A: Architecture> {
    guard: HookGuard<A>,
    hook_bytes: Vec<u8>,
    state: HookState,
}

impl<A: Architecture> StatefulHookGuard<A> {
    /// create from guard and hook bytes
    pub(crate) fn new(guard: HookGuard<A>, hook_bytes: Vec<u8>) -> Self {
        Self {
            guard,
            hook_bytes,
            state: HookState::Enabled,
        }
    }

    /// get current state
    pub fn state(&self) -> HookState {
        self.state
    }

    /// check if enabled
    pub fn is_enabled(&self) -> bool {
        self.state == HookState::Enabled
    }

    /// disable the hook
    pub fn disable(&mut self) -> Result<()> {
        if self.state == HookState::Enabled {
            self.guard.disable()?;
            self.state = HookState::Disabled;
        }
        Ok(())
    }

    /// enable the hook
    pub fn enable(&mut self) -> Result<()> {
        if self.state == HookState::Disabled {
            self.guard.enable(&self.hook_bytes)?;
            self.state = HookState::Enabled;
        }
        Ok(())
    }

    /// toggle hook state
    pub fn toggle(&mut self) -> Result<()> {
        match self.state {
            HookState::Enabled => self.disable(),
            HookState::Disabled => self.enable(),
        }
    }

    /// get target address
    pub fn target(&self) -> usize {
        self.guard.target()
    }

    /// get detour address
    pub fn detour(&self) -> usize {
        self.guard.detour()
    }

    /// get trampoline address
    pub fn trampoline(&self) -> Option<usize> {
        self.guard.trampoline()
    }

    /// leak the hook (keep it active permanently)
    pub fn leak(self) {
        self.guard.leak();
    }

    /// restore and consume
    pub fn restore(self) -> Result<()> {
        self.guard.restore()
    }
}

/// flush instruction cache
fn flush_icache(address: usize, size: usize) -> Result<()> {
    let result = unsafe {
        FlushInstructionCache(
            GetCurrentProcess(),
            address as *const _,
            size,
        )
    };

    if result == 0 {
        Err(WraithError::from_last_error("FlushInstructionCache"))
    } else {
        Ok(())
    }
}

#[link(name = "kernel32")]
extern "system" {
    fn FlushInstructionCache(
        hProcess: *mut core::ffi::c_void,
        lpBaseAddress: *const core::ffi::c_void,
        dwSize: usize,
    ) -> i32;

    fn GetCurrentProcess() -> *mut core::ffi::c_void;
}