wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

//! Version-specific structure offsets

mod win7;
mod win10;
mod win11;

use crate::error::Result;
use crate::version::{WindowsRelease, WindowsVersion};

/// PEB field offsets
#[derive(Debug, Clone, Copy)]
pub struct PebOffsets {
    pub being_debugged: usize,
    pub ldr: usize,
    pub process_parameters: usize,
    pub image_base: usize,
    pub nt_global_flag: usize,
    pub process_heap: usize,
    pub number_of_processors: usize,
    pub os_major_version: usize,
    pub os_minor_version: usize,
    pub os_build_number: usize,
}

/// TEB field offsets
#[derive(Debug, Clone, Copy)]
pub struct TebOffsets {
    pub seh_frame: usize, // ExceptionList
    pub stack_base: usize,
    pub stack_limit: usize,
    pub tls_slots: usize,
    pub peb: usize,
    pub client_id: usize,
    pub last_error: usize,
}

impl PebOffsets {
    /// get offsets for given Windows version
    pub fn for_version(version: &WindowsVersion) -> Result<&'static Self> {
        let release = version.release();

        if release == WindowsRelease::Windows7 {
            Ok(&win7::PEB_OFFSETS)
        } else if release >= WindowsRelease::Windows11_21H2 {
            Ok(&win11::PEB_OFFSETS)
        } else {
            // Win8, Win8.1, Win10 all use similar offsets
            Ok(&win10::PEB_OFFSETS)
        }
    }
}

impl TebOffsets {
    /// get offsets for given Windows version
    pub fn for_version(version: &WindowsVersion) -> Result<&'static Self> {
        match version.release() {
            WindowsRelease::Windows7 => Ok(&win7::TEB_OFFSETS),
            _ => Ok(&win10::TEB_OFFSETS), // TEB is more stable across versions
        }
    }
}