wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377

//! Remote thread creation and manipulation

#[cfg(all(not(feature = "std"), feature = "alloc"))]
use alloc::{format, string::String};

#[cfg(feature = "std")]
use std::{format, string::String};

use super::process::RemoteProcess;
use crate::error::{Result, WraithError};
use crate::manipulation::syscall::{
    get_syscall_table, nt_close, nt_success, DirectSyscall, ObjectAttributes,
};

/// thread creation flags
#[derive(Debug, Clone, Copy, Default)]
pub struct ThreadCreationFlags {
    pub flags: u32,
}

impl ThreadCreationFlags {
    /// create thread in running state
    pub const fn running() -> Self {
        Self { flags: 0 }
    }

    /// create thread in suspended state
    pub const fn suspended() -> Self {
        Self { flags: CREATE_SUSPENDED }
    }

    /// skip thread attach notifications (dangerous)
    pub const fn skip_attach() -> Self {
        Self { flags: THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH }
    }

    /// hide thread from debugger
    pub const fn hide_from_debugger() -> Self {
        Self { flags: THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER }
    }

    /// combine flags
    pub const fn with(self, other: Self) -> Self {
        Self { flags: self.flags | other.flags }
    }
}

/// options for remote thread creation
#[derive(Debug, Clone, Copy)]
pub struct RemoteThreadOptions {
    pub flags: ThreadCreationFlags,
    pub stack_size: usize,
    pub create_suspended: bool,
}

impl Default for RemoteThreadOptions {
    fn default() -> Self {
        Self {
            flags: ThreadCreationFlags::running(),
            stack_size: 0, // default stack size
            create_suspended: false,
        }
    }
}

impl RemoteThreadOptions {
    pub fn suspended() -> Self {
        Self {
            flags: ThreadCreationFlags::suspended(),
            stack_size: 0,
            create_suspended: true,
        }
    }

    pub fn with_stack_size(mut self, size: usize) -> Self {
        self.stack_size = size;
        self
    }
}

/// wrapper for a remote thread handle
pub struct RemoteThread {
    handle: usize,
    id: u32,
    owns_handle: bool,
}

impl RemoteThread {
    /// get the thread handle
    pub fn handle(&self) -> usize {
        self.handle
    }

    /// get the thread ID
    pub fn id(&self) -> u32 {
        self.id
    }

    /// wait for thread to complete
    pub fn wait(&self, timeout_ms: u32) -> Result<()> {
        let result = unsafe { WaitForSingleObject(self.handle, timeout_ms) };
        if result == WAIT_OBJECT_0 {
            Ok(())
        } else {
            Err(WraithError::RemoteThreadFailed {
                reason: format!("wait failed with result {}", result),
            })
        }
    }

    /// wait indefinitely for thread to complete
    pub fn wait_infinite(&self) -> Result<()> {
        self.wait(INFINITE)
    }

    /// get exit code (returns None if thread is still running)
    pub fn exit_code(&self) -> Result<Option<u32>> {
        let mut exit_code: u32 = 0;
        let result = unsafe { GetExitCodeThread(self.handle, &mut exit_code) };
        if result == 0 {
            return Err(WraithError::RemoteThreadFailed {
                reason: "GetExitCodeThread failed".into(),
            });
        }

        if exit_code == STILL_ACTIVE {
            Ok(None)
        } else {
            Ok(Some(exit_code))
        }
    }

    /// suspend the thread
    pub fn suspend(&self) -> Result<u32> {
        let result = unsafe { SuspendThread(self.handle) };
        if result == u32::MAX {
            Err(WraithError::ThreadSuspendResumeFailed {
                reason: "SuspendThread failed".into(),
            })
        } else {
            Ok(result)
        }
    }

    /// resume the thread
    pub fn resume(&self) -> Result<u32> {
        let result = unsafe { ResumeThread(self.handle) };
        if result == u32::MAX {
            Err(WraithError::ThreadSuspendResumeFailed {
                reason: "ResumeThread failed".into(),
            })
        } else {
            Ok(result)
        }
    }

    /// terminate the thread
    pub fn terminate(&self, exit_code: u32) -> Result<()> {
        let table = get_syscall_table()?;
        let syscall = DirectSyscall::from_table(table, "NtTerminateThread")?;

        // SAFETY: terminating a thread with valid handle
        let status = unsafe { syscall.call2(self.handle, exit_code as usize) };

        if nt_success(status) {
            Ok(())
        } else {
            Err(WraithError::SyscallFailed {
                name: "NtTerminateThread".into(),
                status,
            })
        }
    }

    /// leak the handle (don't close on drop)
    pub fn leak(mut self) -> usize {
        self.owns_handle = false;
        self.handle
    }
}

impl Drop for RemoteThread {
    fn drop(&mut self) {
        if self.owns_handle && self.handle != 0 {
            let _ = nt_close(self.handle);
        }
    }
}

// SAFETY: thread handle can be sent between threads
unsafe impl Send for RemoteThread {}
unsafe impl Sync for RemoteThread {}

/// create a remote thread in the target process
pub fn create_remote_thread(
    process: &RemoteProcess,
    start_address: usize,
    parameter: usize,
    options: RemoteThreadOptions,
) -> Result<RemoteThread> {
    // use NtCreateThreadEx for more control
    let table = get_syscall_table()?;
    let syscall = DirectSyscall::from_table(table, "NtCreateThreadEx")?;

    let mut thread_handle: usize = 0;
    let obj_attr = ObjectAttributes::new();

    let create_flags = if options.create_suspended {
        options.flags.flags | CREATE_SUSPENDED
    } else {
        options.flags.flags
    };

    // SAFETY: all pointers point to valid stack data
    let status = unsafe {
        syscall.call_many(&[
            &mut thread_handle as *mut usize as usize, // ThreadHandle
            THREAD_ALL_ACCESS as usize,                 // DesiredAccess
            &obj_attr as *const _ as usize,             // ObjectAttributes
            process.handle(),                           // ProcessHandle
            start_address,                              // StartRoutine
            parameter,                                  // Argument
            create_flags as usize,                      // CreateFlags
            0,                                          // ZeroBits
            options.stack_size,                         // StackSize
            0,                                          // MaximumStackSize
            0,                                          // AttributeList
        ])
    };

    if nt_success(status) {
        // get thread ID
        let tid = get_thread_id(thread_handle)?;
        Ok(RemoteThread {
            handle: thread_handle,
            id: tid,
            owns_handle: true,
        })
    } else {
        Err(WraithError::RemoteThreadFailed {
            reason: format!("NtCreateThreadEx failed with status {:#x}", status as u32),
        })
    }
}

/// create remote thread using Win32 API (simpler but more detectable)
pub fn create_remote_thread_win32(
    process: &RemoteProcess,
    start_address: usize,
    parameter: usize,
    suspended: bool,
) -> Result<RemoteThread> {
    let mut thread_id: u32 = 0;
    let flags = if suspended { CREATE_SUSPENDED } else { 0 };

    let handle = unsafe {
        CreateRemoteThread(
            process.handle(),
            core::ptr::null(),
            0,
            start_address,
            parameter,
            flags,
            &mut thread_id,
        )
    };

    if handle == 0 {
        return Err(WraithError::RemoteThreadFailed {
            reason: format!("CreateRemoteThread failed: {}", unsafe { GetLastError() }),
        });
    }

    Ok(RemoteThread {
        handle,
        id: thread_id,
        owns_handle: true,
    })
}

fn get_thread_id(thread_handle: usize) -> Result<u32> {
    let table = get_syscall_table()?;
    let syscall = DirectSyscall::from_table(table, "NtQueryInformationThread")?;

    #[repr(C)]
    struct ThreadBasicInfo {
        exit_status: i32,
        teb_base: usize,
        client_id: ClientId,
        affinity_mask: usize,
        priority: i32,
        base_priority: i32,
    }

    #[repr(C)]
    struct ClientId {
        unique_process: usize,
        unique_thread: usize,
    }

    let mut info = core::mem::MaybeUninit::<ThreadBasicInfo>::uninit();
    let mut return_length: u32 = 0;

    // SAFETY: buffer is correctly sized
    let status = unsafe {
        syscall.call5(
            thread_handle,
            0, // ThreadBasicInformation
            info.as_mut_ptr() as usize,
            core::mem::size_of::<ThreadBasicInfo>(),
            &mut return_length as *mut u32 as usize,
        )
    };

    if nt_success(status) {
        let info = unsafe { info.assume_init() };
        Ok(info.client_id.unique_thread as u32)
    } else {
        // fallback to GetThreadId if syscall fails
        let tid = unsafe { GetThreadId(thread_handle) };
        if tid != 0 {
            Ok(tid)
        } else {
            Err(WraithError::RemoteThreadFailed {
                reason: "failed to get thread ID".into(),
            })
        }
    }
}

// thread access rights
const THREAD_ALL_ACCESS: u32 = 0x1F03FF;

// thread creation flags
const CREATE_SUSPENDED: u32 = 0x00000004;
const THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH: u32 = 0x00000002;
const THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER: u32 = 0x00000004;

// wait constants
const WAIT_OBJECT_0: u32 = 0;
const INFINITE: u32 = 0xFFFFFFFF;
const STILL_ACTIVE: u32 = 259;

#[link(name = "kernel32")]
extern "system" {
    fn CreateRemoteThread(
        hProcess: usize,
        lpThreadAttributes: *const core::ffi::c_void,
        dwStackSize: usize,
        lpStartAddress: usize,
        lpParameter: usize,
        dwCreationFlags: u32,
        lpThreadId: *mut u32,
    ) -> usize;

    fn WaitForSingleObject(hHandle: usize, dwMilliseconds: u32) -> u32;
    fn GetExitCodeThread(hThread: usize, lpExitCode: *mut u32) -> i32;
    fn SuspendThread(hThread: usize) -> u32;
    fn ResumeThread(hThread: usize) -> u32;
    fn GetThreadId(Thread: usize) -> u32;
    fn GetLastError() -> u32;
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_thread_creation_flags() {
        let flags = ThreadCreationFlags::suspended();
        assert_eq!(flags.flags, CREATE_SUSPENDED);

        let combined = ThreadCreationFlags::suspended()
            .with(ThreadCreationFlags::hide_from_debugger());
        assert!(combined.flags & CREATE_SUSPENDED != 0);
    }
}