wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

//! NT headers (IMAGE_NT_HEADERS)

use super::data_directory::DataDirectory;

pub const NT_SIGNATURE: u32 = 0x00004550; // "PE\0\0"
pub const PE32_MAGIC: u16 = 0x10b;
pub const PE32PLUS_MAGIC: u16 = 0x20b;

#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct FileHeader {
    pub machine: u16,
    pub number_of_sections: u16,
    pub time_date_stamp: u32,
    pub pointer_to_symbol_table: u32,
    pub number_of_symbols: u32,
    pub size_of_optional_header: u16,
    pub characteristics: u16,
}

#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct OptionalHeader32 {
    pub magic: u16,
    pub major_linker_version: u8,
    pub minor_linker_version: u8,
    pub size_of_code: u32,
    pub size_of_initialized_data: u32,
    pub size_of_uninitialized_data: u32,
    pub address_of_entry_point: u32,
    pub base_of_code: u32,
    pub base_of_data: u32,
    pub image_base: u32,
    pub section_alignment: u32,
    pub file_alignment: u32,
    pub major_operating_system_version: u16,
    pub minor_operating_system_version: u16,
    pub major_image_version: u16,
    pub minor_image_version: u16,
    pub major_subsystem_version: u16,
    pub minor_subsystem_version: u16,
    pub win32_version_value: u32,
    pub size_of_image: u32,
    pub size_of_headers: u32,
    pub check_sum: u32,
    pub subsystem: u16,
    pub dll_characteristics: u16,
    pub size_of_stack_reserve: u32,
    pub size_of_stack_commit: u32,
    pub size_of_heap_reserve: u32,
    pub size_of_heap_commit: u32,
    pub loader_flags: u32,
    pub number_of_rva_and_sizes: u32,
    pub data_directory: [DataDirectory; 16],
}

#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct OptionalHeader64 {
    pub magic: u16,
    pub major_linker_version: u8,
    pub minor_linker_version: u8,
    pub size_of_code: u32,
    pub size_of_initialized_data: u32,
    pub size_of_uninitialized_data: u32,
    pub address_of_entry_point: u32,
    pub base_of_code: u32,
    pub image_base: u64,
    pub section_alignment: u32,
    pub file_alignment: u32,
    pub major_operating_system_version: u16,
    pub minor_operating_system_version: u16,
    pub major_image_version: u16,
    pub minor_image_version: u16,
    pub major_subsystem_version: u16,
    pub minor_subsystem_version: u16,
    pub win32_version_value: u32,
    pub size_of_image: u32,
    pub size_of_headers: u32,
    pub check_sum: u32,
    pub subsystem: u16,
    pub dll_characteristics: u16,
    pub size_of_stack_reserve: u64,
    pub size_of_stack_commit: u64,
    pub size_of_heap_reserve: u64,
    pub size_of_heap_commit: u64,
    pub loader_flags: u32,
    pub number_of_rva_and_sizes: u32,
    pub data_directory: [DataDirectory; 16],
}

#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct NtHeaders32 {
    pub signature: u32,
    pub file_header: FileHeader,
    pub optional_header: OptionalHeader32,
}

#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct NtHeaders64 {
    pub signature: u32,
    pub file_header: FileHeader,
    pub optional_header: OptionalHeader64,
}

/// architecture-independent NT headers access
pub enum NtHeaders {
    Headers32(NtHeaders32),
    Headers64(NtHeaders64),
}

impl NtHeaders {
    /// get number of sections
    pub fn number_of_sections(&self) -> u16 {
        match self {
            Self::Headers32(h) => h.file_header.number_of_sections,
            Self::Headers64(h) => h.file_header.number_of_sections,
        }
    }

    /// get entry point RVA
    pub fn entry_point(&self) -> u32 {
        match self {
            Self::Headers32(h) => h.optional_header.address_of_entry_point,
            Self::Headers64(h) => h.optional_header.address_of_entry_point,
        }
    }

    /// get image base
    pub fn image_base(&self) -> u64 {
        match self {
            Self::Headers32(h) => h.optional_header.image_base as u64,
            Self::Headers64(h) => h.optional_header.image_base,
        }
    }

    /// get size of image
    pub fn size_of_image(&self) -> u32 {
        match self {
            Self::Headers32(h) => h.optional_header.size_of_image,
            Self::Headers64(h) => h.optional_header.size_of_image,
        }
    }

    /// get section alignment
    pub fn section_alignment(&self) -> u32 {
        match self {
            Self::Headers32(h) => h.optional_header.section_alignment,
            Self::Headers64(h) => h.optional_header.section_alignment,
        }
    }

    /// get data directory by index
    pub fn data_directory(&self, index: usize) -> Option<&DataDirectory> {
        match self {
            Self::Headers32(h) => h.optional_header.data_directory.get(index),
            Self::Headers64(h) => h.optional_header.data_directory.get(index),
        }
    }

    /// check if 64-bit
    pub fn is_64bit(&self) -> bool {
        matches!(self, Self::Headers64(_))
    }
}