wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

//! TEB (Thread Environment Block) structure

use super::offsets::TebOffsets;
use crate::arch::segment;
use crate::error::{Result, WraithError};
use crate::version::WindowsVersion;
use core::ptr::NonNull;

/// safe wrapper around TEB access
pub struct Teb {
    ptr: NonNull<u8>,
    offsets: &'static TebOffsets,
}

impl Teb {
    /// get TEB for current thread
    pub fn current() -> Result<Self> {
        let ptr = unsafe { segment::get_teb() };
        let ptr = NonNull::new(ptr).ok_or(WraithError::InvalidTebAccess)?;

        let version = WindowsVersion::current()?;
        let offsets = TebOffsets::for_version(&version)?;

        Ok(Self { ptr, offsets })
    }

    /// raw TEB pointer
    pub fn as_ptr(&self) -> *mut u8 {
        self.ptr.as_ptr()
    }

    /// get process ID
    pub fn process_id(&self) -> u32 {
        unsafe {
            let addr = self.ptr.as_ptr().add(self.offsets.client_id);
            // ClientId.UniqueProcess is first field
            #[cfg(target_arch = "x86_64")]
            {
                *(addr as *const u64) as u32
            }
            #[cfg(target_arch = "x86")]
            {
                *(addr as *const u32)
            }
        }
    }

    /// get thread ID
    pub fn thread_id(&self) -> u32 {
        unsafe {
            let addr = self.ptr.as_ptr().add(self.offsets.client_id);
            // ClientId.UniqueThread is second field
            #[cfg(target_arch = "x86_64")]
            {
                let tid_addr = addr.add(8);
                *(tid_addr as *const u64) as u32
            }
            #[cfg(target_arch = "x86")]
            {
                let tid_addr = addr.add(4);
                *(tid_addr as *const u32)
            }
        }
    }

    /// get PEB pointer from TEB
    pub fn peb(&self) -> *mut u8 {
        unsafe {
            let addr = self.ptr.as_ptr().add(self.offsets.peb);
            #[cfg(target_arch = "x86_64")]
            {
                *(addr as *const u64) as *mut u8
            }
            #[cfg(target_arch = "x86")]
            {
                *(addr as *const u32) as *mut u8
            }
        }
    }

    /// get last error value
    pub fn last_error(&self) -> u32 {
        unsafe {
            let addr = self.ptr.as_ptr().add(self.offsets.last_error);
            *(addr as *const u32)
        }
    }

    /// set last error value
    pub fn set_last_error(&mut self, value: u32) {
        unsafe {
            let addr = self.ptr.as_ptr().add(self.offsets.last_error);
            *(addr as *mut u32) = value;
        }
    }

    /// get stack base
    pub fn stack_base(&self) -> usize {
        unsafe {
            let addr = self.ptr.as_ptr().add(self.offsets.stack_base);
            #[cfg(target_arch = "x86_64")]
            {
                *(addr as *const u64) as usize
            }
            #[cfg(target_arch = "x86")]
            {
                *(addr as *const u32) as usize
            }
        }
    }

    /// get stack limit
    pub fn stack_limit(&self) -> usize {
        unsafe {
            let addr = self.ptr.as_ptr().add(self.offsets.stack_limit);
            #[cfg(target_arch = "x86_64")]
            {
                *(addr as *const u64) as usize
            }
            #[cfg(target_arch = "x86")]
            {
                *(addr as *const u32) as usize
            }
        }
    }
}