wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

//! Import structures

#[cfg(all(not(feature = "std"), feature = "alloc"))]
use alloc::string::String;

#[cfg(feature = "std")]
use std::string::String;

#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct ImportDescriptor {
    pub original_first_thunk: u32, // RVA to INT (Import Name Table)
    pub time_date_stamp: u32,
    pub forwarder_chain: u32,
    pub name: u32,        // RVA to DLL name
    pub first_thunk: u32, // RVA to IAT (Import Address Table)
}

impl ImportDescriptor {
    /// check if this is the null terminator
    pub fn is_null(&self) -> bool {
        self.original_first_thunk == 0 && self.name == 0 && self.first_thunk == 0
    }
}

/// import lookup table entry (IMAGE_THUNK_DATA)
#[repr(C)]
#[derive(Clone, Copy)]
pub union ThunkData32 {
    pub forwarder_string: u32,
    pub function: u32,
    pub ordinal: u32,
    pub address_of_data: u32,
}

#[repr(C)]
#[derive(Clone, Copy)]
pub union ThunkData64 {
    pub forwarder_string: u64,
    pub function: u64,
    pub ordinal: u64,
    pub address_of_data: u64,
}

pub const IMAGE_ORDINAL_FLAG32: u32 = 0x80000000;
pub const IMAGE_ORDINAL_FLAG64: u64 = 0x8000000000000000;

/// parsed import entry
pub struct ImportLookupEntry {
    pub is_ordinal: bool,
    pub ordinal: u16,
    pub hint: u16,
    pub name: String,
}

/// import by name structure
#[repr(C)]
pub struct ImportByName {
    pub hint: u16,
    pub name: [u8; 1], // variable length
}