wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348

//! Inline hooking framework
//!
//! Provides comprehensive hooking capabilities including:
//! - Standard inline hooks (prologue replacement)
//! - Hot-patch style hooks
//! - Mid-function hooks with context
//! - Hook chaining with priorities
//! - IAT (Import Address Table) hooks
//! - EAT (Export Address Table) hooks
//! - VEH (Vectored Exception Handler) hooks
//! - VMT (Virtual Method Table) hooks
//!
//! # Architecture Support
//!
//! Both x86 and x86_64 are supported via the `Architecture` trait.
//! Use `NativeArch` for compile-time architecture selection.
//!
//! # Example
//!
//! ```ignore
//! use wraith::manipulation::inline_hook::{hook, NativeArch};
//!
//! // define the original function type
//! type TargetFn = extern "system" fn(i32) -> i32;
//!
//! // your detour function
//! extern "system" fn my_detour(x: i32) -> i32 {
//!     // do something
//!     // call original via trampoline
//!     unsafe { ORIGINAL.unwrap()(x) }
//! }
//!
//! static mut ORIGINAL: Option<TargetFn> = None;
//!
//! // install hook
//! let guard = hook::<NativeArch>(target_addr, my_detour as usize)?;
//! unsafe {
//!     ORIGINAL = Some(std::mem::transmute(guard.trampoline().unwrap()));
//! }
//!
//! // hook is active until guard is dropped
//! // or call guard.leak() to keep it permanently
//! ```
//!
//! # Hook Types
//!
//! ## Code Modification Hooks
//! - [`InlineHook`]: Standard prologue replacement hook
//! - [`HotPatchHook`]: Uses Windows hot-patching space (2-byte atomic)
//! - [`MidFunctionHook`]: Hook at arbitrary location with context
//! - [`HookChain`]: Multiple hooks on same target with priorities
//!
//! ## Table Modification Hooks
//! - [`IatHook`]: Import Address Table hook (per-module imports)
//! - [`EatHook`]: Export Address Table hook (affects GetProcAddress)
//! - [`VmtHook`]: Virtual Method Table hook (C++ virtual functions)
//! - [`ShadowVmt`]: Shadow VMT for instance-specific hooking
//!
//! ## Exception-Based Hooks
//! - [`VehHook`]: Vectored Exception Handler hook (hardware/software breakpoints)
//!
//! # Builder Pattern
//!
//! For more control, use the type-state builder:
//!
//! ```ignore
//! use wraith::manipulation::inline_hook::{HookBuilder, NativeArch};
//!
//! let guard = HookBuilder::<NativeArch, _>::new()
//!     .target(target_addr)?
//!     .detour(detour_addr)?
//!     .allocate_trampoline()?
//!     .build_trampoline()?
//!     .prepare()?
//!     .install()?;
//! ```

pub mod arch;
pub mod asm;
pub mod builder;
pub mod guard;
pub mod hook;
#[cfg(feature = "std")]
pub mod registry;
pub mod trampoline;

// re-exports
pub use arch::{Architecture, NativeArch, X64, X86};
pub use builder::{state as BuilderState, HookBuilder};
pub use guard::{HookGuard, HookState, StatefulHookGuard};
pub use hook::{Hook, HookChain, HotPatchHook, InlineHook, MidFunctionHook};
#[cfg(feature = "std")]
pub use registry::{HookRegistry, HookType, RegisteredHook};
pub use trampoline::ExecutableMemory;

// IAT hooks
pub use hook::iat::{IatHook, IatHookGuard, IatEntry, enumerate_iat_entries, find_iat_entry, hook_import, hook_import_all};

// EAT hooks
pub use hook::eat::{EatHook, EatHookBuilder, EatHookGuard, EatEntry, enumerate_eat_entries, find_eat_entry, find_eat_entry_by_ordinal};

// VEH hooks
pub use hook::veh::{VehHook, VehHookType, DebugRegister, BreakCondition, BreakLength, get_available_debug_register};

// VMT hooks
pub use hook::vmt::{VmtHook, VmtHookGuard, VmtHookBuilder, ShadowVmt, VmtObject, get_vtable, get_vtable_entry, estimate_vtable_size};

#[cfg(target_arch = "x86_64")]
pub use hook::mid::HookContext;
#[cfg(target_arch = "x86")]
pub use hook::mid::HookContext;
pub use hook::mid::MidHookFn;

use crate::error::Result;

/// install an inline hook with native architecture
///
/// this is the simplest way to install a hook. returns a guard that
/// automatically restores the original function when dropped.
///
/// # Arguments
/// * `target` - address of the function to hook
/// * `detour` - address of the detour function
///
/// # Returns
/// `HookGuard` that restores the original on drop
///
/// # Example
/// ```ignore
/// let guard = hook::<NativeArch>(target, detour)?;
/// let trampoline = guard.trampoline().unwrap();
/// ```
pub fn hook<A: Architecture>(target: usize, detour: usize) -> Result<HookGuard<A>> {
    InlineHook::<A>::new(target, detour).install()
}

/// install an inline hook using the native architecture
#[cfg(target_arch = "x86_64")]
pub fn hook_native(target: usize, detour: usize) -> Result<HookGuard<X64>> {
    hook::<X64>(target, detour)
}

#[cfg(target_arch = "x86")]
pub fn hook_native(target: usize, detour: usize) -> Result<HookGuard<X86>> {
    hook::<X86>(target, detour)
}

/// install a hot-patch hook
///
/// uses the Windows hot-patching mechanism for minimal disruption.
/// only works on functions compiled with /hotpatch.
pub fn hotpatch<A: Architecture>(target: usize, detour: usize) -> Result<HookGuard<A>> {
    HotPatchHook::<A>::new(target, detour).install()
}

/// check if a function is hot-patchable
pub fn is_hot_patchable(target: usize) -> bool {
    hook::hotpatch::is_hot_patchable(target)
}

/// install a mid-function hook
///
/// hooks at an arbitrary location within a function.
/// the detour receives a context pointer with all registers.
pub fn mid_hook<A: Architecture>(
    address: usize,
    detour: MidHookFn,
) -> Result<HookGuard<A>> {
    MidFunctionHook::<A>::new(address, detour).install()
}

/// create a hook chain on a target function
///
/// allows multiple hooks on the same target with priority ordering.
pub fn create_chain<A: Architecture>(target: usize) -> Result<HookChain<A>> {
    HookChain::new(target)
}

/// convenience function to hook by module export name
#[cfg(feature = "navigation")]
pub fn hook_export<A: Architecture>(
    module: &str,
    export: &str,
    detour: usize,
) -> Result<HookGuard<A>> {
    use crate::navigation::ModuleQuery;
    use crate::structures::Peb;

    let peb = Peb::current()?;
    let query = ModuleQuery::new(&peb);
    let module = query.find_by_name(module)?;
    let target = module.get_export(export)?;

    hook::<A>(target, detour)
}

/// convenience function to hook export using native architecture
#[cfg(all(feature = "navigation", target_arch = "x86_64"))]
pub fn hook_export_native(
    module: &str,
    export: &str,
    detour: usize,
) -> Result<HookGuard<X64>> {
    hook_export::<X64>(module, export, detour)
}

#[cfg(all(feature = "navigation", target_arch = "x86"))]
pub fn hook_export_native(
    module: &str,
    export: &str,
    detour: usize,
) -> Result<HookGuard<X86>> {
    hook_export::<X86>(module, export, detour)
}

// ============================================================================
// IAT Hook convenience functions
// ============================================================================

/// hook an import in the current module's IAT
///
/// # Arguments
/// * `import_dll` - the DLL containing the function (e.g., "kernel32.dll")
/// * `function_name` - the function to hook
/// * `detour` - address of the detour function
///
/// # Example
/// ```ignore
/// let hook = iat_hook("kernel32.dll", "CreateFileW", my_create_file as usize)?;
/// ```
#[cfg(feature = "navigation")]
pub fn iat_hook(import_dll: &str, function_name: &str, detour: usize) -> Result<IatHook> {
    hook_import(import_dll, function_name, detour)
}

/// hook an import in a specific module's IAT
#[cfg(feature = "navigation")]
pub fn iat_hook_in(
    target_module: &str,
    import_dll: &str,
    function_name: &str,
    detour: usize,
) -> Result<IatHook> {
    IatHook::new(target_module, import_dll, function_name, detour)
}

// ============================================================================
// EAT Hook convenience functions
// ============================================================================

/// hook an export in a module's EAT
///
/// # Arguments
/// * `module_name` - the module containing the export (e.g., "kernel32.dll")
/// * `function_name` - the function to hook
/// * `detour` - address of the detour function
///
/// # Note
/// Detour must be within ±2GB of module for RVA encoding.
///
/// # Example
/// ```ignore
/// let hook = eat_hook("ntdll.dll", "NtQueryInformationProcess", my_detour as usize)?;
/// ```
#[cfg(feature = "navigation")]
pub fn eat_hook(module_name: &str, function_name: &str, detour: usize) -> Result<EatHook> {
    EatHook::new(module_name, function_name, detour)
}

// ============================================================================
// VEH Hook convenience functions
// ============================================================================

/// create a VEH hook using a hardware breakpoint
///
/// automatically selects an available debug register.
///
/// # Arguments
/// * `target` - address to hook
/// * `detour` - address of the detour function
///
/// # Example
/// ```ignore
/// let hook = veh_hook_hardware(target_addr, my_detour as usize)?;
/// ```
pub fn veh_hook_hardware(target: usize, detour: usize) -> Result<VehHook> {
    let dr = get_available_debug_register()?;
    VehHook::hardware(target, detour, dr)
}

/// create a VEH hook using INT3 software breakpoint
///
/// # Arguments
/// * `target` - address to hook
/// * `detour` - address of the detour function
pub fn veh_hook_int3(target: usize, detour: usize) -> Result<VehHook> {
    VehHook::int3(target, detour)
}

// ============================================================================
// VMT Hook convenience functions
// ============================================================================

/// hook a virtual function in an object's VMT
///
/// # Safety
/// Object must be a valid C++ object with a vtable.
///
/// # Arguments
/// * `object` - pointer to the C++ object
/// * `index` - vtable index of the function
/// * `detour` - address of the detour function
///
/// # Example
/// ```ignore
/// let hook = unsafe { vmt_hook(object_ptr, 5, my_detour as usize)? };
/// let original: fn() = unsafe { std::mem::transmute(hook.original()) };
/// ```
pub unsafe fn vmt_hook(object: *const (), index: usize, detour: usize) -> Result<VmtHook> {
    // SAFETY: caller ensures object is valid C++ polymorphic object
    unsafe { VmtHook::new(object, index, detour) }
}

/// create a shadow VMT for instance-specific hooking
///
/// # Safety
/// Object must be a valid C++ object with a vtable.
///
/// # Arguments
/// * `object` - pointer to the C++ object
/// * `vtable_size` - number of entries in the vtable
pub unsafe fn shadow_vmt<T>(object: *mut (), vtable_size: usize) -> Result<ShadowVmt<T>> {
    // SAFETY: caller ensures object is valid C++ polymorphic object with vtable_size entries
    unsafe { ShadowVmt::new(object, vtable_size) }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_native_arch_defined() {
        // just verify NativeArch type is available
        let _: usize = NativeArch::JMP_REL_SIZE;
        let _: usize = NativeArch::JMP_ABS_SIZE;
        let _: usize = NativeArch::PTR_SIZE;
    }
}