wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313

//! Memory allocation for manual mapping

use crate::error::{Result, WraithError};

// memory allocation constants
const MEM_COMMIT: u32 = 0x1000;
const MEM_RESERVE: u32 = 0x2000;
const MEM_RELEASE: u32 = 0x8000;
const PAGE_READWRITE: u32 = 0x04;

/// allocated memory region for PE image
pub struct MappedMemory {
    base: *mut u8,
    size: usize,
}

impl MappedMemory {
    /// get base address
    pub fn base(&self) -> usize {
        self.base as usize
    }

    /// get allocated size
    pub fn size(&self) -> usize {
        self.size
    }

    /// get mutable slice to entire region
    pub fn as_slice_mut(&mut self) -> &mut [u8] {
        // SAFETY: base is valid for size bytes, we own the memory
        unsafe { core::slice::from_raw_parts_mut(self.base, self.size) }
    }

    /// get immutable slice to entire region
    pub fn as_slice(&self) -> &[u8] {
        // SAFETY: base is valid for size bytes, we own the memory
        unsafe { core::slice::from_raw_parts(self.base, self.size) }
    }

    /// write data at offset
    pub fn write_at(&mut self, offset: usize, data: &[u8]) -> Result<()> {
        if offset + data.len() > self.size {
            return Err(WraithError::WriteFailed {
                address: (self.base as usize + offset) as u64,
                size: data.len(),
            });
        }

        // SAFETY: bounds checked, we own the memory
        unsafe {
            core::ptr::copy_nonoverlapping(data.as_ptr(), self.base.add(offset), data.len());
        }
        Ok(())
    }

    /// read value at offset
    pub fn read_at<T: Copy>(&self, offset: usize) -> Result<T> {
        if offset + core::mem::size_of::<T>() > self.size {
            return Err(WraithError::ReadFailed {
                address: (self.base as usize + offset) as u64,
                size: core::mem::size_of::<T>(),
            });
        }

        // SAFETY: bounds checked, read_unaligned handles alignment
        Ok(unsafe { (self.base.add(offset) as *const T).read_unaligned() })
    }

    /// write value at offset
    pub fn write_value_at<T>(&mut self, offset: usize, value: T) -> Result<()> {
        if offset + core::mem::size_of::<T>() > self.size {
            return Err(WraithError::WriteFailed {
                address: (self.base as usize + offset) as u64,
                size: core::mem::size_of::<T>(),
            });
        }

        // SAFETY: bounds checked, write_unaligned handles alignment
        unsafe {
            (self.base.add(offset) as *mut T).write_unaligned(value);
        }
        Ok(())
    }

    /// set memory protection for a region
    pub fn protect(&self, offset: usize, size: usize, protection: u32) -> Result<u32> {
        if offset + size > self.size {
            return Err(WraithError::ProtectionChangeFailed {
                address: (self.base as usize + offset) as u64,
                size,
            });
        }

        let mut old_protect: u32 = 0;

        // SAFETY: address is within our allocated range
        let result = unsafe {
            VirtualProtect(
                self.base.add(offset) as *mut _,
                size,
                protection,
                &mut old_protect,
            )
        };

        if result == 0 {
            return Err(WraithError::ProtectionChangeFailed {
                address: (self.base as usize + offset) as u64,
                size,
            });
        }

        Ok(old_protect)
    }

    /// free the allocated memory
    pub fn free(self) -> Result<()> {
        // SAFETY: self.base was allocated with VirtualAlloc
        let result = unsafe { VirtualFree(self.base as *mut _, 0, MEM_RELEASE) };

        if result == 0 {
            return Err(WraithError::from_last_error("VirtualFree"));
        }

        // prevent Drop from double-freeing
        core::mem::forget(self);
        Ok(())
    }

    /// get pointer at offset
    pub fn ptr_at(&self, offset: usize) -> *mut u8 {
        // SAFETY: caller responsible for bounds
        unsafe { self.base.add(offset) }
    }
}

impl Drop for MappedMemory {
    fn drop(&mut self) {
        // SAFETY: self.base was allocated with VirtualAlloc
        unsafe {
            VirtualFree(self.base as *mut _, 0, MEM_RELEASE);
        }
    }
}

// SAFETY: we own the memory, safe to move between threads
unsafe impl Send for MappedMemory {}
unsafe impl Sync for MappedMemory {}

/// allocate memory for PE image, trying preferred base first
pub fn allocate_image(size: usize, preferred_base: usize) -> Result<MappedMemory> {
    // try preferred base first
    let mut base = unsafe {
        VirtualAlloc(
            preferred_base as *mut _,
            size,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_READWRITE,
        )
    };

    // fall back to any available address
    if base.is_null() {
        base = unsafe {
            VirtualAlloc(
                core::ptr::null_mut(),
                size,
                MEM_COMMIT | MEM_RESERVE,
                PAGE_READWRITE,
            )
        };
    }

    if base.is_null() {
        return Err(WraithError::AllocationFailed {
            size,
            protection: PAGE_READWRITE,
        });
    }

    // zero the memory
    // SAFETY: base is valid for size bytes
    unsafe {
        core::ptr::write_bytes(base, 0, size);
    }

    Ok(MappedMemory {
        base: base as *mut u8,
        size,
    })
}

/// allocate memory at specific address (fails if not available)
pub fn allocate_at(base: usize, size: usize) -> Result<MappedMemory> {
    let ptr = unsafe {
        VirtualAlloc(
            base as *mut _,
            size,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_READWRITE,
        )
    };

    // must get exact address requested
    if ptr.is_null() || ptr as usize != base {
        if !ptr.is_null() {
            // got wrong address, free it
            unsafe {
                VirtualFree(ptr, 0, MEM_RELEASE);
            }
        }
        return Err(WraithError::AllocationFailed {
            size,
            protection: PAGE_READWRITE,
        });
    }

    // zero the memory
    // SAFETY: ptr is valid for size bytes
    unsafe {
        core::ptr::write_bytes(ptr, 0, size);
    }

    Ok(MappedMemory {
        base: ptr as *mut u8,
        size,
    })
}

/// allocate memory anywhere (no preference)
pub fn allocate_anywhere(size: usize) -> Result<MappedMemory> {
    let base = unsafe {
        VirtualAlloc(
            core::ptr::null_mut(),
            size,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_READWRITE,
        )
    };

    if base.is_null() {
        return Err(WraithError::AllocationFailed {
            size,
            protection: PAGE_READWRITE,
        });
    }

    // zero the memory
    // SAFETY: base is valid for size bytes
    unsafe {
        core::ptr::write_bytes(base, 0, size);
    }

    Ok(MappedMemory {
        base: base as *mut u8,
        size,
    })
}

#[link(name = "kernel32")]
extern "system" {
    fn VirtualAlloc(
        address: *mut core::ffi::c_void,
        size: usize,
        allocation_type: u32,
        protection: u32,
    ) -> *mut core::ffi::c_void;

    fn VirtualFree(address: *mut core::ffi::c_void, size: usize, free_type: u32) -> i32;

    fn VirtualProtect(
        address: *mut core::ffi::c_void,
        size: usize,
        protection: u32,
        old_protection: *mut u32,
    ) -> i32;
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_allocate_anywhere() {
        let mem = allocate_anywhere(0x1000).expect("should allocate");
        assert!(mem.base() != 0);
        assert_eq!(mem.size(), 0x1000);
        mem.free().expect("should free");
    }

    #[test]
    fn test_read_write() {
        let mut mem = allocate_anywhere(0x1000).expect("should allocate");

        mem.write_value_at(0, 0xDEADBEEFu32).expect("should write");
        let val: u32 = mem.read_at(0).expect("should read");
        assert_eq!(val, 0xDEADBEEF);

        let data = [1u8, 2, 3, 4];
        mem.write_at(0x100, &data).expect("should write bytes");
        let slice = mem.as_slice();
        assert_eq!(&slice[0x100..0x104], &data);
    }

    #[test]
    fn test_protect() {
        let mem = allocate_anywhere(0x1000).expect("should allocate");

        const PAGE_READONLY: u32 = 0x02;
        let old = mem.protect(0, 0x1000, PAGE_READONLY).expect("should protect");
        assert_eq!(old, PAGE_READWRITE);
    }
}