wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394

//! High-level module abstraction

#[cfg(all(not(feature = "std"), feature = "alloc"))]
use alloc::{format, string::{String, ToString}, vec::Vec};

#[cfg(feature = "std")]
use std::{format, string::{String, ToString}, vec::Vec};

use crate::error::{Result, WraithError};
use crate::structures::pe::{
    DataDirectoryType, DosHeader, ExportDirectory, NtHeaders, NtHeaders32, NtHeaders64,
};
use crate::structures::{LdrDataTableEntry, ListEntry};
use crate::structures::pe::nt_headers::{NT_SIGNATURE, PE32_MAGIC};
use core::ptr::NonNull;

// max length for export/import names to prevent unbounded reads
const MAX_NAME_LENGTH: usize = 512;
// max reasonable number of exports to prevent DoS
const MAX_EXPORT_COUNT: usize = 0x10000;

/// immutable reference to a loaded module
pub struct Module<'a> {
    entry: &'a LdrDataTableEntry,
}

impl<'a> Module<'a> {
    /// create module from LDR_DATA_TABLE_ENTRY reference
    pub(crate) fn from_entry(entry: &'a LdrDataTableEntry) -> Self {
        Self { entry }
    }

    /// get module base address
    pub fn base(&self) -> usize {
        self.entry.base()
    }

    /// get module size in bytes
    pub fn size(&self) -> usize {
        self.entry.size()
    }

    /// get entry point address (may be 0 if no entry point)
    pub fn entry_point(&self) -> usize {
        self.entry.entry_point()
    }

    /// get full path to module
    pub fn full_path(&self) -> String {
        // SAFETY: full_dll_name is valid for loaded modules
        unsafe { self.entry.full_name() }
    }

    /// get module filename only (e.g., "ntdll.dll")
    pub fn name(&self) -> String {
        // SAFETY: base_dll_name is valid for loaded modules
        unsafe { self.entry.base_name() }
    }

    /// get name as lowercase for comparison
    pub fn name_lowercase(&self) -> String {
        self.name().to_lowercase()
    }

    /// check if address falls within this module
    pub fn contains(&self, address: usize) -> bool {
        self.entry.contains_address(address)
    }

    /// check if module name matches (case-insensitive)
    pub fn matches_name(&self, name: &str) -> bool {
        // SAFETY: name buffers are valid for loaded modules
        unsafe { self.entry.matches_name(name) }
    }

    /// get raw LDR entry reference
    pub fn as_ldr_entry(&self) -> &LdrDataTableEntry {
        self.entry
    }

    /// get DOS header
    pub fn dos_header(&self) -> Result<&DosHeader> {
        let base = self.base();
        if base == 0 {
            return Err(WraithError::NullPointer {
                context: "module base",
            });
        }

        // SAFETY: base points to valid PE image for loaded modules
        let dos = unsafe { &*(base as *const DosHeader) };

        if !dos.is_valid() {
            return Err(WraithError::InvalidPeFormat {
                reason: "invalid DOS signature".into(),
            });
        }

        Ok(dos)
    }

    /// get NT headers
    pub fn nt_headers(&self) -> Result<NtHeaders> {
        let dos = self.dos_header()?;

        // validate e_lfanew is reasonable
        if !dos.is_nt_offset_valid() {
            let lfanew = dos.e_lfanew; // copy from packed struct
            return Err(WraithError::InvalidPeFormat {
                reason: format!("invalid e_lfanew: {:#x}", lfanew),
            });
        }

        let nt_offset = dos.nt_headers_offset();

        // validate nt_offset is within module bounds (need space for NT headers)
        const MIN_NT_HEADERS_SIZE: usize = 256; // enough for signature + file header + optional header
        if nt_offset + MIN_NT_HEADERS_SIZE > self.size() {
            return Err(WraithError::InvalidPeFormat {
                reason: "e_lfanew points outside module bounds".into(),
            });
        }

        let nt_addr = self.base() + nt_offset;

        // SAFETY: validated that nt_addr is within module bounds
        let signature = unsafe { *(nt_addr as *const u32) };
        if signature != NT_SIGNATURE {
            return Err(WraithError::InvalidPeFormat {
                reason: "invalid NT signature".into(),
            });
        }

        // check if 32 or 64 bit
        let magic_offset = nt_addr + 4 + 20; // after signature + file header
        let magic = unsafe { *(magic_offset as *const u16) };

        if magic == PE32_MAGIC {
            let headers = unsafe { &*(nt_addr as *const NtHeaders32) };
            Ok(NtHeaders::Headers32(*headers))
        } else {
            let headers = unsafe { &*(nt_addr as *const NtHeaders64) };
            Ok(NtHeaders::Headers64(*headers))
        }
    }

    /// convert RVA to absolute address
    pub fn rva_to_va(&self, rva: u32) -> usize {
        self.base() + rva as usize
    }

    /// convert absolute address to RVA
    pub fn va_to_rva(&self, va: usize) -> Option<u32> {
        if va >= self.base() && va < self.base() + self.size() {
            Some((va - self.base()) as u32)
        } else {
            None
        }
    }

    /// get export by name
    pub fn get_export(&self, name: &str) -> Result<usize> {
        let nt = self.nt_headers()?;
        let export_dir = nt
            .data_directory(DataDirectoryType::Export.index())
            .ok_or_else(|| WraithError::InvalidPeFormat {
                reason: "no export directory".into(),
            })?;

        if !export_dir.is_present() {
            return Err(WraithError::InvalidPeFormat {
                reason: "export directory not present".into(),
            });
        }

        // validate export directory RVA is within module
        if !self.is_rva_valid(export_dir.virtual_address, core::mem::size_of::<ExportDirectory>())
        {
            return Err(WraithError::InvalidPeFormat {
                reason: "export directory RVA outside module bounds".into(),
            });
        }

        let export_va = self.rva_to_va(export_dir.virtual_address);
        // SAFETY: validated RVA is within bounds
        let exports = unsafe { &*(export_va as *const ExportDirectory) };

        let num_names = exports.number_of_names as usize;
        let num_functions = exports.number_of_functions as usize;

        // sanity check export counts
        if num_names > MAX_EXPORT_COUNT || num_functions > MAX_EXPORT_COUNT {
            return Err(WraithError::InvalidPeFormat {
                reason: format!("unreasonable export count: {num_names} names, {num_functions} functions"),
            });
        }

        // validate array RVAs
        let names_size = num_names.saturating_mul(4);
        let ordinals_size = num_names.saturating_mul(2);
        let functions_size = num_functions.saturating_mul(4);

        if !self.is_rva_valid(exports.address_of_names, names_size)
            || !self.is_rva_valid(exports.address_of_name_ordinals, ordinals_size)
            || !self.is_rva_valid(exports.address_of_functions, functions_size)
        {
            return Err(WraithError::InvalidPeFormat {
                reason: "export table array RVA outside module bounds".into(),
            });
        }

        let names_va = self.rva_to_va(exports.address_of_names);
        let ordinals_va = self.rva_to_va(exports.address_of_name_ordinals);
        let functions_va = self.rva_to_va(exports.address_of_functions);

        // search for name
        for i in 0..num_names {
            // SAFETY: validated arrays are within bounds
            let name_rva = unsafe { *((names_va + i * 4) as *const u32) };

            // validate name RVA
            if !self.is_rva_valid(name_rva, 1) {
                continue; // skip invalid entries
            }

            let name_va = self.rva_to_va(name_rva);
            let export_name = match self.read_string_at(name_va) {
                Some(s) => s,
                None => continue, // skip unreadable names
            };

            if export_name == name {
                let ordinal = unsafe { *((ordinals_va + i * 2) as *const u16) } as usize;

                // validate ordinal is within functions array
                if ordinal >= num_functions {
                    return Err(WraithError::InvalidPeFormat {
                        reason: format!("ordinal {ordinal} exceeds function count {num_functions}"),
                    });
                }

                let func_rva = unsafe { *((functions_va + ordinal * 4) as *const u32) };

                // check for forwarded export
                if func_rva >= export_dir.virtual_address
                    && func_rva < export_dir.virtual_address + export_dir.size
                {
                    // forwarder string is at the func_rva location
                    let forwarder_va = self.rva_to_va(func_rva);
                    let forwarder = self.read_string_at(forwarder_va)
                        .unwrap_or("unknown")
                        .to_string();
                    return Err(WraithError::ForwardedExport { forwarder });
                }

                let func_va = self.rva_to_va(func_rva);
                return Ok(func_va);
            }
        }

        Err(WraithError::ModuleNotFound {
            name: format!("export {name} not found"),
        })
    }

    /// check if RVA + size is within module bounds
    fn is_rva_valid(&self, rva: u32, size: usize) -> bool {
        let rva = rva as usize;
        rva < self.size() && size <= self.size() - rva
    }

    /// safely read a null-terminated string at address within module
    fn read_string_at(&self, addr: usize) -> Option<&str> {
        let base = self.base();
        let end = base + self.size();

        if addr < base || addr >= end {
            return None;
        }

        let max_len = (end - addr).min(MAX_NAME_LENGTH);
        let ptr = addr as *const u8;

        // find null terminator within bounds
        let mut len = 0;
        while len < max_len {
            // SAFETY: addr is within module bounds, iterating up to max_len
            let byte = unsafe { *ptr.add(len) };
            if byte == 0 {
                break;
            }
            len += 1;
        }

        if len == 0 || len >= max_len {
            return None; // empty or no null terminator found
        }

        // SAFETY: we've verified bounds and found null terminator
        let bytes = unsafe { core::slice::from_raw_parts(ptr, len) };
        core::str::from_utf8(bytes).ok()
    }

    /// get export by ordinal
    pub fn get_export_by_ordinal(&self, ordinal: u16) -> Result<usize> {
        let nt = self.nt_headers()?;
        let export_dir = nt
            .data_directory(DataDirectoryType::Export.index())
            .ok_or_else(|| WraithError::InvalidPeFormat {
                reason: "no export directory".into(),
            })?;

        if !export_dir.is_present() {
            return Err(WraithError::InvalidPeFormat {
                reason: "export directory not present".into(),
            });
        }

        let export_va = self.rva_to_va(export_dir.virtual_address);
        // SAFETY: export directory is present and valid
        let exports = unsafe { &*(export_va as *const ExportDirectory) };

        let index = ordinal as usize - exports.base as usize;
        if index >= exports.number_of_functions as usize {
            return Err(WraithError::InvalidPeFormat {
                reason: "ordinal out of range".into(),
            });
        }

        let functions_va = self.rva_to_va(exports.address_of_functions);
        let func_rva = unsafe { *((functions_va + index * 4) as *const u32) };

        Ok(self.rva_to_va(func_rva))
    }
}

/// owned handle to a module (allows modifications)
pub struct ModuleHandle {
    entry: NonNull<LdrDataTableEntry>,
}

impl ModuleHandle {
    /// create handle from raw LDR entry pointer
    ///
    /// # Safety
    /// pointer must be valid LDR_DATA_TABLE_ENTRY
    pub unsafe fn from_raw(ptr: *mut LdrDataTableEntry) -> Option<Self> {
        NonNull::new(ptr).map(|entry| Self { entry })
    }

    /// get raw pointer
    pub fn as_ptr(&self) -> *mut LdrDataTableEntry {
        self.entry.as_ptr()
    }

    /// borrow as immutable Module
    pub fn as_module(&self) -> Module<'_> {
        // SAFETY: entry pointer is valid for lifetime of handle
        Module::from_entry(unsafe { self.entry.as_ref() })
    }

    /// get mutable access to LDR entry (for unlinking)
    ///
    /// # Safety
    /// caller must ensure no other references exist
    pub unsafe fn as_entry_mut(&mut self) -> &mut LdrDataTableEntry {
        unsafe { self.entry.as_mut() }
    }

    /// get pointers to all three list links
    pub fn get_link_pointers(&self) -> ModuleLinkPointers {
        // SAFETY: entry is valid
        let entry = unsafe { self.entry.as_ref() };
        ModuleLinkPointers {
            in_load_order: &entry.in_load_order_links as *const _ as *mut ListEntry,
            in_memory_order: &entry.in_memory_order_links as *const _ as *mut ListEntry,
            in_initialization_order: &entry.in_initialization_order_links as *const _
                as *mut ListEntry,
        }
    }
}

// ModuleHandle doesn't impl Drop - it's a reference, not ownership

// SAFETY: ModuleHandle is a pointer to process-wide structure
unsafe impl Send for ModuleHandle {}
unsafe impl Sync for ModuleHandle {}

/// pointers to module's list entry links
pub struct ModuleLinkPointers {
    pub in_load_order: *mut ListEntry,
    pub in_memory_order: *mut ListEntry,
    pub in_initialization_order: *mut ListEntry,
}