RUST_SYSCALLS

Single stub direct and indirect syscalling with runtime SSN resolving for Windows.


Features:

  • One single line for all your syscalls
  • Function name hashing at compilation time (no plaintext API names in the binary)
  • Direct or indirect syscalls
  • x86_64, WOW64 and native x86 support
  • Designed to allow the implementation of custom SSN fetching methods (see the end of this readme)

How to use:

  1. Add the git repository / local path of the library to the dependencies in your Cargo.toml:

    rust_syscalls = {git = "https://github.com/janoglezcampos/rust_syscalls"}

    or

    rust_syscalls = {path = "<path to library folder>"}

  2. Choose the direct or indirect method by enabling the _DIRECT_ or _INDIRECT_ feature:

    rust_syscalls = {path = "<path to library folder>", features = ["_INDIRECT_"]}

  3. Import the macro:

    use rust_syscalls::syscall;

  4. Syscall (the macro must be invoked inside an unsafe block and returns the NTSTATUS):

    let status: NTSTATUS = unsafe { syscall!("NtClose", handle) };


Example:

#![allow(non_snake_case)]
use ntapi::ntapi_base::CLIENT_ID;
use rust_syscalls::syscall;

use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, HANDLE, NULL, NTSTATUS, PVOID};
use winapi::um::winnt::{PROCESS_VM_WRITE, PROCESS_VM_READ, MEMORY_BASIC_INFORMATION};
use std::mem::size_of;

fn main(){
    let pid             : u64    = 3268;         // PID of the target process (adjust to your target)
    let currentProcess  : HANDLE = -1isize as _; // NtCurrentProcess() pseudo-handle
    let mem_info_len    : usize  = size_of::<MEMORY_BASIC_INFORMATION>() as _;

    let mut handle      : HANDLE   = NULL;
    let mut status      : NTSTATUS;

    // Output buffer for NtQueryVirtualMemory; the kernel writes into it, so it must be mutable.
    let mut mem_info: MEMORY_BASIC_INFORMATION = MEMORY_BASIC_INFORMATION {
        BaseAddress: NULL,
        AllocationBase: NULL,
        AllocationProtect: 0,
        RegionSize: 0,
        State: 0,
        Protect: 0,
        Type: 0,
    };

    // Empty OBJECT_ATTRIBUTES: the process is selected through CLIENT_ID, not by name.
    let oa : OBJECT_ATTRIBUTES = OBJECT_ATTRIBUTES {
        Length: size_of::<OBJECT_ATTRIBUTES>() as _,
        RootDirectory: NULL,
        ObjectName: NULL as _,
        Attributes: 0,
        SecurityDescriptor: NULL,
        SecurityQualityOfService: NULL
    };

    // UniqueProcess carries the PID; UniqueThread is not used by NtOpenProcess.
    let cid : CLIENT_ID = CLIENT_ID {
        UniqueProcess: pid as _,
        UniqueThread: 0 as _
    };

    // NtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId)
    unsafe {
        status = syscall!("NtOpenProcess", &mut handle, PROCESS_VM_WRITE | PROCESS_VM_READ, &oa, &cid);
    }

    println!("\n\t[-] NtOpenProcess status: {:#02X}", status);

    // STATUS_SUCCESS is 0; any other NTSTATUS (e.g. access denied) aborts here.
    if status != 0 {
        return;
    }

    // NtQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation,
    //                      MemoryInformationLength, ReturnLength)
    // Queries our own process at the address of the `pid` local (the stack region),
    // with class 0 = MemoryBasicInformation. ReturnLength is optional, so NULL is passed.
    unsafe {
        status = syscall!("NtQueryVirtualMemory", currentProcess, &pid, 0, &mut mem_info, mem_info_len, NULL as PVOID);
    }

    println!("\n\t[-] NtQueryVirtualMemory status: {:#02X}", status);

    if status == 0 {
        println!("\n\t[-] Protect value: {:#02X}\n\t", mem_info.Protect);
    }

    // Close the handle obtained from NtOpenProcess regardless of the query result.
    unsafe {
        status = syscall!("NtClose", handle);
    }

    println!("\t[-] NtClose       status: {:#02X}", status);
}

Implementing new SSN and syscall address runtime resolving methods:

All the code required to do the SSN and address fetching is included in the file src\syscall_resolve.rs.

There is one core function used to retrieve the values, get_ssn, with 4 implementations (one per architecture and mode). Its argument is the result of calling crate::obf!(<your function name>), i.e. the compile-time hash of the function name, and it returns the SSN (u16) and, in the indirect variants, the address of the syscall/sysenter instruction that the stub should jump to:

  • x86_64 direct:

    fn get_ssn(hash: u32) -> u16;

  • x86_64 indirect:

    fn get_ssn(hash: u32) -> (u16, u64);

  • x86 direct:

    fn get_ssn(hash: u32) -> u16;

  • x86 indirect:

    fn get_ssn(hash: u32) -> (u16, u32);

Just reimplement these functions with your desired fetching method. Whatever method you choose, the SSN has to come from the ntdll of the running system at runtime, since SSNs change between Windows builds; a hard-coded table will break on the next update.


Thanks to SysWhispers3 for being a strong pillar in the development of this library.

Comments

  • Bugfix incorrect crate reference

    • change crate to $crate to always refer to the rust_syscalls crate. Fixes unresolved imports when used in submodules. Example:

        mod poc {
            use rust_syscalls::syscall;
            pub fn poc() {
                unsafe { syscall!("NtClose", -1) };
            }
        }

        fn main() {
            poc::poc();
        }

      Results in:

        error[E0433]: failed to resolve: unresolved import
         --> src/main.rs:4:18
          |
        4 |         unsafe { syscall!("NtClose", -1) };
          |                  ^^^^^^^^^^^^^^^^^^^^^^^
          |                  |
          |                  unresolved import
          |                  help: a similar path exists: `rust_syscalls::syscall`
          |
          = note: this error originates in the macro `syscall` (in Nightly builds, run with -Z macro-backtrace for more info)

        For more information about this error, try `rustc --explain E0433`.

    • Bump NTAPI to 0.4.0

    opened by cirosec
Owner

  Yxel (Telecom student, maldev wannabe.)