wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218

//! Thread enumeration

#[cfg(all(not(feature = "std"), feature = "alloc"))]
use alloc::vec::Vec;

#[cfg(feature = "std")]
use std::vec::Vec;

use crate::arch::segment;
use crate::error::{Result, WraithError};

/// information about the current thread from TEB
#[derive(Debug, Clone)]
pub struct ThreadInfo {
    pub thread_id: u32,
    pub teb_address: usize,
    pub stack_base: usize,
    pub stack_limit: usize,
}

impl ThreadInfo {
    /// get info for current thread from TEB
    pub fn current() -> Result<Self> {
        // SAFETY: get_teb always returns valid TEB for current thread
        let teb = unsafe { segment::get_teb() };
        if teb.is_null() {
            return Err(WraithError::InvalidTebAccess);
        }

        #[cfg(target_arch = "x86_64")]
        let (tid, stack_base, stack_limit) = {
            // SAFETY: TEB offsets are well-known for x64
            let tid = unsafe { segment::get_current_tid() };
            let stack_base = unsafe { *(teb.add(0x08) as *const u64) } as usize;
            let stack_limit = unsafe { *(teb.add(0x10) as *const u64) } as usize;
            (tid, stack_base, stack_limit)
        };

        #[cfg(target_arch = "x86")]
        let (tid, stack_base, stack_limit) = {
            // SAFETY: TEB offsets are well-known for x86
            let tid = unsafe { segment::get_current_tid() };
            let stack_base = unsafe { *(teb.add(0x04) as *const u32) } as usize;
            let stack_limit = unsafe { *(teb.add(0x08) as *const u32) } as usize;
            (tid, stack_base, stack_limit)
        };

        Ok(Self {
            thread_id: tid,
            teb_address: teb as usize,
            stack_base,
            stack_limit,
        })
    }

    /// check if an address is on this thread's stack
    pub fn is_on_stack(&self, address: usize) -> bool {
        // stack grows downward: limit < address < base
        address >= self.stack_limit && address < self.stack_base
    }
}

/// iterator over threads in current process
pub struct ThreadIterator {
    snapshot: *mut core::ffi::c_void,
    first: bool,
    target_pid: u32,
}

impl ThreadIterator {
    /// create new thread iterator for current process
    pub fn new() -> Result<Self> {
        // SAFETY: get_current_pid always returns valid PID
        let current_pid = unsafe { segment::get_current_pid() };
        Self::for_process(current_pid)
    }

    /// enumerate threads for a specific process
    pub fn for_process(pid: u32) -> Result<Self> {
        // SAFETY: CreateToolhelp32Snapshot is safe to call with valid flags
        let snapshot = unsafe { CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0) };

        if snapshot == INVALID_HANDLE_VALUE {
            return Err(WraithError::from_last_error("CreateToolhelp32Snapshot"));
        }

        Ok(Self {
            snapshot,
            first: true,
            target_pid: pid,
        })
    }
}

impl Iterator for ThreadIterator {
    type Item = ThreadEntry;

    fn next(&mut self) -> Option<Self::Item> {
        let mut entry = ThreadEntry32 {
            size: core::mem::size_of::<ThreadEntry32>() as u32,
            ..Default::default()
        };

        loop {
            // SAFETY: snapshot is valid, entry is correctly sized
            let success = if self.first {
                self.first = false;
                unsafe { Thread32First(self.snapshot, &mut entry) }
            } else {
                unsafe { Thread32Next(self.snapshot, &mut entry) }
            };

            if success == 0 {
                return None;
            }

            // filter to target process
            if entry.owner_process_id == self.target_pid {
                return Some(ThreadEntry {
                    thread_id: entry.thread_id,
                    owner_process_id: entry.owner_process_id,
                    base_priority: entry.base_priority,
                });
            }
        }
    }
}

impl Drop for ThreadIterator {
    fn drop(&mut self) {
        if self.snapshot != INVALID_HANDLE_VALUE {
            // SAFETY: snapshot is valid handle
            unsafe {
                CloseHandle(self.snapshot);
            }
        }
    }
}

/// thread entry from enumeration
#[derive(Debug, Clone)]
pub struct ThreadEntry {
    pub thread_id: u32,
    pub owner_process_id: u32,
    pub base_priority: i32,
}

// internal structures for toolhelp
#[repr(C)]
#[derive(Default)]
struct ThreadEntry32 {
    size: u32,
    usage: u32,
    thread_id: u32,
    owner_process_id: u32,
    base_priority: i32,
    delta_priority: i32,
    flags: u32,
}

const TH32CS_SNAPTHREAD: u32 = 0x00000004;
const INVALID_HANDLE_VALUE: *mut core::ffi::c_void = -1isize as *mut _;

#[link(name = "kernel32")]
extern "system" {
    fn CreateToolhelp32Snapshot(flags: u32, process_id: u32) -> *mut core::ffi::c_void;
    fn Thread32First(snapshot: *mut core::ffi::c_void, entry: *mut ThreadEntry32) -> i32;
    fn Thread32Next(snapshot: *mut core::ffi::c_void, entry: *mut ThreadEntry32) -> i32;
    fn CloseHandle(handle: *mut core::ffi::c_void) -> i32;
}

/// get list of all thread IDs in current process
pub fn get_thread_ids() -> Result<Vec<u32>> {
    Ok(ThreadIterator::new()?.map(|t| t.thread_id).collect())
}

/// count threads in current process
pub fn thread_count() -> Result<usize> {
    Ok(ThreadIterator::new()?.count())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_current_thread() {
        let info = ThreadInfo::current().expect("should get thread info");
        assert!(info.thread_id > 0);
        assert!(info.stack_base > info.stack_limit);
    }

    #[test]
    fn test_thread_iterator() {
        let threads: Vec<_> = ThreadIterator::new()
            .expect("should create iterator")
            .collect();

        // should have at least one thread (ourselves)
        assert!(!threads.is_empty());
    }

    #[test]
    fn test_get_thread_ids() {
        let ids = get_thread_ids().expect("should get thread ids");
        assert!(!ids.is_empty());

        // current thread should be in the list
        let current = ThreadInfo::current().expect("should get current thread");
        assert!(ids.contains(&current.thread_id));
    }

    #[test]
    fn test_thread_count() {
        let count = thread_count().expect("should get thread count");
        assert!(count >= 1);
    }
}