RUST_SYSCALLS
Single stub direct and indirect syscalling with runtime SSN resolving for windows.
Features:
- One single line for all your syscalls
- Function name hashing at compilation time
- Direct or indirect sycalls
- x86_64, WOW64 and x86 native support
- Designed to allow the implementation of custom SSN fetching methods (check the end of this readme for more info)
How to use:
-
Add the git repository / local path to the library to your dependencies:
rust_syscalls = {git = "https://github.com/janoglezcampos/rust_syscalls"}or
rust_syscalls = {path = <path to library folder>} -
Choose direct or indirect method by setting
_DIRECT_or_INDIRECT_as a feature:rust_syscalls = {path = <path to library folder>}, features = ["_INDIRECT_"]} -
Import
use rust_syscalls::syscall; -
Syscall:
NTSTATUS status = syscall!("NtClose", handle);
Example:
#![allow(non_snake_case)]
use ntapi::ntapi_base::CLIENT_ID;
use rust_syscalls::syscall;
use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, HANDLE, NULL, NTSTATUS, PVOID};
use winapi::um::winnt::{PROCESS_VM_WRITE, PROCESS_VM_READ, MEMORY_BASIC_INFORMATION};
use std::mem::size_of;
fn main(){
let pid : u64 = 3268; //Process PID
let currentProcess : HANDLE = -1isize as _;
let mem_info_len : usize = size_of::<MEMORY_BASIC_INFORMATION>() as _;
let mut handle : HANDLE = NULL;
let mut status : NTSTATUS;
let mem_info: MEMORY_BASIC_INFORMATION = MEMORY_BASIC_INFORMATION {
BaseAddress: NULL,
AllocationBase: NULL,
AllocationProtect: 0,
RegionSize: 0,
State: 0,
Protect: 0,
Type: 0,
};
let oa : OBJECT_ATTRIBUTES = OBJECT_ATTRIBUTES {
Length: size_of::<OBJECT_ATTRIBUTES>() as _,
RootDirectory: NULL,
ObjectName: NULL as _,
Attributes: 0,
SecurityDescriptor: NULL,
SecurityQualityOfService: NULL
};
let cid : CLIENT_ID = CLIENT_ID {
UniqueProcess: pid as _,
UniqueThread: 0 as _
};
unsafe {
status = syscall!("NtOpenProcess", &mut handle, PROCESS_VM_WRITE | PROCESS_VM_READ, &oa, &cid);
}
println!("\n\t[-] NtOpenProcess status: {:#02X}", status);
if status != 0 {
return;
}
unsafe {
status = syscall!("NtQueryVirtualMemory", currentProcess, &pid, 0, &mem_info, mem_info_len, NULL as PVOID);
}
println!("\n\t[-] NtQueryVirtualMemory status: {:#02X}", status);
if status != 0 {
return;
}
println!("\n\t[-] Protect value: {:#02X}\n\t", mem_info.Protect);
unsafe {
status = syscall!("NtClose", handle);
}
println!("\t[-] NtClose status: {:#02X}", status);
}
Implementing new SSN and syscall addresses runtime resolving methods:
All the code required to do the SSN and address fetching is included in the file src\syscall_resolve.rs.
There is one core function used to retrieve the values called get_ssn, with 4 implementations, where the received argument is the result of calling crate::obf!(\<your function name\>), and the return values are the ssn (u16), and, in case of indirect syscalling, the address of the syscall/sysenter instruction that you want to use.
-
x86_64 direct:
fn get_ssn(hash: u32) -> (u16);
-
x86_64 indirect:
fn get_ssn(hash: u32) -> (u16, u64);
-
x86 direct:
fn get_ssn(hash: u32) -> (u16);
-
x86 indirect:
fn get_ssn(hash: u32) -> (u16, u32);
Just reimplement this functions with your desired fetching method.
Thanks to SysWhispers3 for being a strong pilar on the development of this library
7 Jan 22, 2023
101 Nov 12, 2022
3 Sep 27, 2021
712 Nov 28, 2022
11 Dec 16, 2022
1.4k Dec 31, 2022
467 Dec 26, 2022
47 Jul 23, 2022
427 Dec 24, 2022
1.8k Dec 28, 2022
6 Dec 23, 2021
2 Sep 25, 2022
2 Aug 12, 2022
5 Apr 17, 2023
7 Jun 6, 2022
0 Nov 29, 2022
381 Dec 22, 2022
3 Jan 1, 2022
40 Jan 3, 2023