Crate dinvk

Expand description

§dinvk 🦀

Dynamically invoke arbitrary code in Rust with full support for #[no_std] and multiple architectures: x64, x86, WoW64, ARM64.

This crate is a Rust reimplementation of DInvoke with extra features.

§Features

Dynamic API resolution (dinvoke!).
Indirect syscalls (Hells Gate / Halos Gate / Tartarus Gate).
Syscall redirection to other DLLs (e.g. win32u.dll, vertdll.dll).
PE parsing, proxy DLL loading.
Multiple hashing algorithms for API resolution.
#[no_std] compatibility.

§Examples

§1. Dynamically Invoke Arbitrary Code

use dinvk::{
    data::HeapAllocFn,
    dinvoke, GetModuleHandle,
    GetProcessHeap
};

const HEAP_ZERO_MEMORY: u32 = 8;

fn main() {
    let kernel32 = GetModuleHandle("KERNEL32.DLL", None);
    let addr = dinvoke!(
        kernel32,
        "HeapAlloc",
        HeapAllocFn,
        GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        0x200
    );

    println!("[+] Address: {:?}", addr);
}

§2. Indirect Syscall

use std::{ffi::c_void, ptr::null_mut};
use dinvk::{NtCurrentProcess, NT_SUCCESS, syscall};
use dinvk::data::NTSTATUS;

fn main() -> Result<(), NTSTATUS> {
    let mut addr = null_mut::<c_void>();
    let mut size = 0x1000;

    let status = syscall!(
        "NtAllocateVirtualMemory",
        NtCurrentProcess(),
        &mut addr,
        0,
        &mut size,
        0x3000,
        0x40
    ).ok_or(-1)?;

    if !NT_SUCCESS(status) {
        eprintln!("[-] NtAllocateVirtualMemory failed: {status:?}");
        return Err(status);
    }

    println!("[+] Allocated at: {:?}", addr);
    Ok(())
}

§3. Hashing APIs

use dinvk::hash::*;

println!("jenkins: {}", jenkins("dinvk"));
println!("djb2:    {}", djb2("dinvk"));
println!("fnv1a:   {}", fnv1a("dinvk"));

§4. Proxy DLL Loading

use dinvk::LdrProxy;

// Use RtlQueueWorkItem to indirectly load DLL
LdrProxy::new("xpsservices.dll").work();

// Or RtlCreateTimer
LdrProxy::new("xpsservices.dll").timer();

// Or RtlRegisterWait
LdrProxy::new("xpsservices.dll").register_wait();

§More Information

For updates, usage guides, and examples, visit the repository.

Modules§

breakpoint: Hardware breakpoint management utilities (only for x86/x86_64 targets).
data: Structures and types used across the library.
hash: Runtime hash functions.
ldr: Module containing dynamic module loader proxy.
pe: PE Parsing

Macros§

dinvoke: Macro to dynamically invoke a function from a specified module.
link: Declares an external function from a dynamically linked library.
println: Prints output to the Windows console using ConsoleWriter.
syscall: Macro to perform a system call (syscall) by dynamically resolving its function name.

Structs§

ConsoleWriter: ConsoleWriter is a custom implementation of core::fmt::Write that writes formatted strings directly to the Windows console.
LdrProxy: A helper struct to interact with dynamic module loading with Windows APIs via Proxy.

Enums§

Dll: Represents different dynamic link libraries (DLLs) that contain system call functions.

Functions§

AddVectoredExceptionHandler: Wrapper for the AddVectoredExceptionHandler function from KERNEL32.DLL.
GetCurrentProcessId: Returns the process ID of the calling process from the TEB.
GetCurrentThreadId: Returns the thread ID of the calling thread from the TEB.
GetModuleHandle: Resolves the base address of a module loaded in memory by name or hash.
GetProcAddress: Retrieves the address of an exported function from a loaded module.
GetProcessHeap: Returns the default heap handle for the current process from the PEB.
GetStdHandle: Wrapper for the GetStdHandle function from KERNEL32.DLL.
HeapAlloc: Wrapper for the HeapAlloc function from KERNEL32.DLL.
HeapCreate: Wrapper for the HeapCreate function from KERNEL32.DLL.
HeapFree: Wrapper for the HeapFree function from KERNEL32.DLL.
LoadLibraryA: Wrapper for the LoadLibraryA function from KERNEL32.DLL.
NT_SUCCESS: Evaluates to TRUE if the return value specified by nt_status is a success type (0 − 0x3FFFFFFF) or an informational type (0x40000000 − 0x7FFFFFFF). This function is taken from ntdef.h in the WDK.
NtAllocateVirtualMemory: Wrapper for the NtAllocateVirtualMemory function from NTDLL.DLL.
NtCreateThreadEx: Wrapper for the NtCreateThreadEx function from NTDLL.DLL.
NtCurrentPeb: Retrieves a pointer to the Process Environment Block (PEB) of the current process.
NtCurrentProcess: Returns a pseudo-handle to the current process ((HANDLE)-1).
NtCurrentTeb: Retrieves a pointer to the Thread Environment Block (TEB) of the current thread.
NtCurrentThread: Returns a pseudo-handle to the current thread ((HANDLE)-2).
NtGetThreadContext: Wrapper for the NtGetThreadContext function from NTDLL.DLL.
NtProtectVirtualMemory: Wrapper for the NtProtectVirtualMemory function from NTDLL.DLL.
NtSetThreadContext: Wrapper for the NtSetThreadContext function from NTDLL.DLL.
NtWriteVirtualMemory: Wrapper for the NtWriteVirtualMemory function from NTDLL.DLL.
RemoveVectoredExceptionHandler: Wrapper for the RemoveVectoredExceptionHandler function from KERNEL32.DLL.
__readgsqword: Reads a u64 value from the GS segment at the specified offset.
get_ntdll_address: Retrieves the base address of the ntdll.dll module.
get_syscall_address: Retrieves the syscall address from a given function address.
resolve_api_set_map: Resolves ApiSet contracts (e.g., api-ms-win-core-*) to the actual implementing DLLs.
shuffle: Randomly shuffles the elements of a mutable slice in-place using a pseudo-random number generator seeded by the CPU’s timestamp counter (rdtsc).
ssn: Resolves the System Service Number (SSN) for a given function name within a module.

Crate dinvk

Crate dinvk Copy item path

§dinvk 🦀

§Features

§Examples

§1. Dynamically Invoke Arbitrary Code

§2. Indirect Syscall

§3. Hashing APIs

§4. Proxy DLL Loading

§More Information

Modules§

Macros§

Structs§

Enums§

Functions§

Crate dinvk