wraith-rs 0.1.8

Safe abstractions for Windows PEB/TEB manipulation and anti-detection techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223

//! Windows version detection and release mapping

use crate::arch::segment;
use crate::error::{Result, WraithError};
use core::cmp::Ordering;

/// represents a specific Windows version
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct WindowsVersion {
    pub major: u32,
    pub minor: u32,
    pub build: u32,
}

/// named Windows releases with known build numbers
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum WindowsRelease {
    Windows7,       // 7601
    Windows8,       // 9200
    Windows81,      // 9600
    Windows10_1507, // 10240
    Windows10_1511, // 10586
    Windows10_1607, // 14393
    Windows10_1703, // 15063
    Windows10_1709, // 16299
    Windows10_1803, // 17134
    Windows10_1809, // 17763
    Windows10_1903, // 18362
    Windows10_1909, // 18363
    Windows10_2004, // 19041
    Windows10_20H2, // 19042
    Windows10_21H1, // 19043
    Windows10_21H2, // 19044
    Windows10_22H2, // 19045
    Windows11_21H2, // 22000
    Windows11_22H2, // 22621
    Windows11_23H2, // 22631
    Windows11_24H2, // 26100
    Unknown,
}

impl WindowsVersion {
    /// minimum supported version (Windows 7 SP1)
    pub const MIN_SUPPORTED: Self = Self {
        major: 6,
        minor: 1,
        build: 7601,
    };

    /// get current Windows version from PEB
    ///
    /// reads OSMajorVersion, OSMinorVersion, OSBuildNumber from PEB
    pub fn current() -> Result<Self> {
        // SAFETY: segment::get_peb returns valid PEB pointer for current process
        let peb = unsafe { segment::get_peb() };
        if peb.is_null() {
            return Err(WraithError::InvalidPebAccess);
        }

        // offsets are consistent across all Windows versions for these fields
        // x64: OSMajorVersion @ 0x118, OSMinorVersion @ 0x11C, OSBuildNumber @ 0x120
        // x86: OSMajorVersion @ 0xA4, OSMinorVersion @ 0xA8, OSBuildNumber @ 0xAC

        #[cfg(target_arch = "x86_64")]
        let (major, minor, build) = unsafe {
            let major = (peb.add(0x118) as *const u32).read_unaligned();
            let minor = (peb.add(0x11C) as *const u32).read_unaligned();
            let build = (peb.add(0x120) as *const u16).read_unaligned() as u32;
            (major, minor, build)
        };

        #[cfg(target_arch = "x86")]
        let (major, minor, build) = unsafe {
            let major = (peb.add(0xA4) as *const u32).read_unaligned();
            let minor = (peb.add(0xA8) as *const u32).read_unaligned();
            let build = (peb.add(0xAC) as *const u16).read_unaligned() as u32;
            (major, minor, build)
        };

        let version = Self { major, minor, build };

        if version < Self::MIN_SUPPORTED {
            return Err(WraithError::UnsupportedWindowsVersion {
                major,
                minor,
                build,
            });
        }

        Ok(version)
    }

    /// map version to named release
    pub fn release(&self) -> WindowsRelease {
        match (self.major, self.minor, self.build) {
            (6, 1, _) => WindowsRelease::Windows7,
            (6, 2, _) => WindowsRelease::Windows8,
            (6, 3, _) => WindowsRelease::Windows81,
            (10, 0, b) if b >= 26100 => WindowsRelease::Windows11_24H2,
            (10, 0, b) if b >= 22631 => WindowsRelease::Windows11_23H2,
            (10, 0, b) if b >= 22621 => WindowsRelease::Windows11_22H2,
            (10, 0, b) if b >= 22000 => WindowsRelease::Windows11_21H2,
            (10, 0, b) if b >= 19045 => WindowsRelease::Windows10_22H2,
            (10, 0, b) if b >= 19044 => WindowsRelease::Windows10_21H2,
            (10, 0, b) if b >= 19043 => WindowsRelease::Windows10_21H1,
            (10, 0, b) if b >= 19042 => WindowsRelease::Windows10_20H2,
            (10, 0, b) if b >= 19041 => WindowsRelease::Windows10_2004,
            (10, 0, b) if b >= 18363 => WindowsRelease::Windows10_1909,
            (10, 0, b) if b >= 18362 => WindowsRelease::Windows10_1903,
            (10, 0, b) if b >= 17763 => WindowsRelease::Windows10_1809,
            (10, 0, b) if b >= 17134 => WindowsRelease::Windows10_1803,
            (10, 0, b) if b >= 16299 => WindowsRelease::Windows10_1709,
            (10, 0, b) if b >= 15063 => WindowsRelease::Windows10_1703,
            (10, 0, b) if b >= 14393 => WindowsRelease::Windows10_1607,
            (10, 0, b) if b >= 10586 => WindowsRelease::Windows10_1511,
            (10, 0, b) if b >= 10240 => WindowsRelease::Windows10_1507,
            _ => WindowsRelease::Unknown,
        }
    }

    /// check if current version is at least the given release
    pub fn is_at_least(&self, release: WindowsRelease) -> bool {
        self.release() >= release
    }

    /// check if this version has the LdrpHashTable (Windows 8+)
    pub fn supports_hash_table(&self) -> bool {
        self.is_at_least(WindowsRelease::Windows8)
    }

    /// check if this version has the LdrpModuleBaseAddressIndex (Win8+)
    pub fn supports_base_address_index(&self) -> bool {
        self.is_at_least(WindowsRelease::Windows8)
    }

    /// check if Windows 11 (different PEB layout in some areas)
    pub fn is_windows_11(&self) -> bool {
        self.build >= 22000
    }
}

impl PartialOrd for WindowsVersion {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

impl Ord for WindowsVersion {
    fn cmp(&self, other: &Self) -> Ordering {
        match self.major.cmp(&other.major) {
            Ordering::Equal => match self.minor.cmp(&other.minor) {
                Ordering::Equal => self.build.cmp(&other.build),
                ord => ord,
            },
            ord => ord,
        }
    }
}

impl core::fmt::Display for WindowsVersion {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        write!(f, "{}.{}.{}", self.major, self.minor, self.build)
    }
}

impl core::fmt::Display for WindowsRelease {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        match self {
            Self::Windows7 => write!(f, "Windows 7"),
            Self::Windows8 => write!(f, "Windows 8"),
            Self::Windows81 => write!(f, "Windows 8.1"),
            Self::Windows10_1507 => write!(f, "Windows 10 1507"),
            Self::Windows10_1511 => write!(f, "Windows 10 1511"),
            Self::Windows10_1607 => write!(f, "Windows 10 1607"),
            Self::Windows10_1703 => write!(f, "Windows 10 1703"),
            Self::Windows10_1709 => write!(f, "Windows 10 1709"),
            Self::Windows10_1803 => write!(f, "Windows 10 1803"),
            Self::Windows10_1809 => write!(f, "Windows 10 1809"),
            Self::Windows10_1903 => write!(f, "Windows 10 1903"),
            Self::Windows10_1909 => write!(f, "Windows 10 1909"),
            Self::Windows10_2004 => write!(f, "Windows 10 2004"),
            Self::Windows10_20H2 => write!(f, "Windows 10 20H2"),
            Self::Windows10_21H1 => write!(f, "Windows 10 21H1"),
            Self::Windows10_21H2 => write!(f, "Windows 10 21H2"),
            Self::Windows10_22H2 => write!(f, "Windows 10 22H2"),
            Self::Windows11_21H2 => write!(f, "Windows 11 21H2"),
            Self::Windows11_22H2 => write!(f, "Windows 11 22H2"),
            Self::Windows11_23H2 => write!(f, "Windows 11 23H2"),
            Self::Windows11_24H2 => write!(f, "Windows 11 24H2"),
            Self::Unknown => write!(f, "Unknown"),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_version_comparison() {
        let win10 = WindowsVersion {
            major: 10,
            minor: 0,
            build: 19041,
        };
        let win11 = WindowsVersion {
            major: 10,
            minor: 0,
            build: 22000,
        };
        assert!(win10 < win11);
    }

    #[test]
    fn test_release_mapping() {
        let win11 = WindowsVersion {
            major: 10,
            minor: 0,
            build: 22621,
        };
        assert_eq!(win11.release(), WindowsRelease::Windows11_22H2);
    }
}