wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194

//! Global hook registry
//!
//! Tracks all installed hooks for management and conflict detection.

use std::collections::HashMap;
use std::sync::Mutex;

/// global hook registry singleton
static REGISTRY: Mutex<Option<HookRegistry>> = Mutex::new(None);

/// information about a registered hook
#[derive(Debug, Clone)]
pub struct RegisteredHook {
    /// target function address
    pub target: usize,
    /// detour function address
    pub detour: usize,
    /// trampoline address (if available)
    pub trampoline: Option<usize>,
    /// type of hook
    pub hook_type: HookType,
    /// when the hook was installed
    pub installed_at: std::time::Instant,
    /// whether the hook is currently active
    pub active: bool,
}

/// type of hook
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HookType {
    /// standard inline hook (prologue replacement)
    Inline,
    /// hot-patch style hook
    HotPatch,
    /// mid-function hook
    MidFunction,
    /// hook in a chain
    Chained,
}

/// hook registry for tracking installed hooks
#[derive(Default)]
pub struct HookRegistry {
    /// hooks by target address
    by_target: HashMap<usize, RegisteredHook>,
    /// target address by detour address
    by_detour: HashMap<usize, usize>,
}

impl HookRegistry {
    /// create a new registry
    pub fn new() -> Self {
        Self::default()
    }

    /// register a new hook
    pub fn register(&mut self, hook: RegisteredHook) {
        let target = hook.target;
        let detour = hook.detour;

        self.by_detour.insert(detour, target);
        self.by_target.insert(target, hook);
    }

    /// unregister a hook by target address
    pub fn unregister(&mut self, target: usize) -> Option<RegisteredHook> {
        if let Some(hook) = self.by_target.remove(&target) {
            self.by_detour.remove(&hook.detour);
            Some(hook)
        } else {
            None
        }
    }

    /// get hook info by target address
    pub fn get(&self, target: usize) -> Option<&RegisteredHook> {
        self.by_target.get(&target)
    }

    /// get hook info by target address (mutable)
    pub fn get_mut(&mut self, target: usize) -> Option<&mut RegisteredHook> {
        self.by_target.get_mut(&target)
    }

    /// check if an address is hooked
    pub fn is_hooked(&self, target: usize) -> bool {
        self.by_target.contains_key(&target)
    }

    /// find target by detour address
    pub fn find_by_detour(&self, detour: usize) -> Option<usize> {
        self.by_detour.get(&detour).copied()
    }

    /// get all registered hooks
    pub fn all(&self) -> impl Iterator<Item = &RegisteredHook> {
        self.by_target.values()
    }

    /// get count of registered hooks
    pub fn count(&self) -> usize {
        self.by_target.len()
    }

    /// clear all hooks (does not actually remove them, just clears registry)
    pub fn clear(&mut self) {
        self.by_target.clear();
        self.by_detour.clear();
    }

    /// set hook active state
    pub fn set_active(&mut self, target: usize, active: bool) -> bool {
        if let Some(hook) = self.by_target.get_mut(&target) {
            hook.active = active;
            true
        } else {
            false
        }
    }
}

/// get the global registry (initializes if needed)
pub fn get_registry() -> std::sync::MutexGuard<'static, Option<HookRegistry>> {
    let mut guard = REGISTRY.lock().unwrap();
    if guard.is_none() {
        *guard = Some(HookRegistry::new());
    }
    guard
}

/// execute a function with the registry
pub fn with_registry<F, R>(f: F) -> R
where
    F: FnOnce(&mut HookRegistry) -> R,
{
    let mut guard = get_registry();
    let registry = guard.as_mut().unwrap();
    f(registry)
}

/// register a hook in the global registry
pub fn register_hook(
    target: usize,
    detour: usize,
    trampoline: Option<usize>,
    hook_type: HookType,
) {
    with_registry(|registry| {
        registry.register(RegisteredHook {
            target,
            detour,
            trampoline,
            hook_type,
            installed_at: std::time::Instant::now(),
            active: true,
        });
    });
}

/// unregister a hook from the global registry
pub fn unregister_hook(target: usize) -> Option<RegisteredHook> {
    with_registry(|registry| registry.unregister(target))
}

/// check if a target is hooked
pub fn is_hooked(target: usize) -> bool {
    with_registry(|registry| registry.is_hooked(target))
}

/// get hook info for a target
pub fn get_hook_info(target: usize) -> Option<RegisteredHook> {
    with_registry(|registry| registry.get(target).cloned())
}

/// get all hooks targeting a module's address range
pub fn get_hooks_in_range(start: usize, end: usize) -> Vec<RegisteredHook> {
    with_registry(|registry| {
        registry
            .all()
            .filter(|h| h.target >= start && h.target < end)
            .cloned()
            .collect()
    })
}

/// get count of active hooks
pub fn active_hook_count() -> usize {
    with_registry(|registry| registry.all().filter(|h| h.active).count())
}

/// get total hook count
pub fn total_hook_count() -> usize {
    with_registry(|registry| registry.count())
}