
Single-stub direct and indirect syscalling with runtime SSN resolving for Windows.

Hi I have a question #4

Closed bcdlbgm closed 1 year ago

bcdlbgm commented 1 year ago

Hello, I have a question. I have written code that reads the LDR through syscalls. However, when I use this code in a library, I get the error C0000005. Interestingly, the same code works perfectly when used locally. I can't figure out why this is happening. code

main

    // Target process id is hard-coded; the handle is requested with PROCESS_ALL_ACCESS.
    let pid = 16676;
    // `unwrap()` panics if the handle cannot be opened (no error is reported otherwise).
    let  a  = unsafe { OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid) }.unwrap();
    println!("aaaaaa");
    // let p = unsafe { get_peb(a) }.unwrap();
    // let e = unsafe  {testt(a).unwrap()};
    // let mut ldr = unsafe { get_all_ldr_module(a) }.unwrap();
    // Reads the module-list pointer out of the remote PEB; `mut` is unused in this snippet.
    let mut ldr = unsafe { get_module_list_address(a) };

get_module_list_address

/// Reads, from the process behind `hProcess`, the pointer stored 0x20 bytes into
/// the structure that PEB+0x18 points at, and returns it as a `PVOID`.
///
/// Both reads go through `NtReadVirtualMemory` via the `syscall!` macro and copy
/// `size_of::<PVOID>()` bytes; a non-zero NTSTATUS is printed in hex and then
/// `panic!()`s. `get_peb` returning `None` also panics (`unwrap`).
///
/// NOTE(review): the offsets are hard-coded (presumably PEB.Ldr and the
/// in-memory module list inside PEB_LDR_DATA — confirm against the target
/// bitness); `NumberOfBytesRead` and `module_list_pointer` are never used.
pub unsafe fn get_module_list_address(hProcess:HANDLE) -> PVOID {
    let peb_addr = get_peb(hProcess).unwrap();

    // Remote address PEB+0x18; only ever passed to the syscall, never dereferenced here.
    let mut ldr = peb_addr.byte_add(0x18) as PVOID;

    let pvoid_len = size_of::<PVOID>();
    println!("read lsass peb ldr{:?}",peb_addr);
    let mut ldr_entry_address: PVOID = null_mut();
    // Declared but not passed to the syscall (its last argument is a literal 0).
    let mut NumberOfBytesRead: PVOID = null_mut();

    // First read: one pointer-sized value at `ldr` into `ldr_entry_address`.
    let success = syscall!("NtReadVirtualMemory",hProcess,ldr,&mut ldr_entry_address as *mut PVOID,pvoid_len,0);
    if success!=0 {
        println!("{:x}",success);

        panic!()
    }

    // Unused; the raw pointer is advanced below instead of going through `LdrData`.
    let module_list_pointer = ldr_entry_address as *mut LdrData;
    // NOTE(review): `byte_add` above and `offset` here both require the result to
    // stay within one allocation; for an address that belongs to another process
    // the `wrapping_*` variants carry no such precondition. `offset(0x20)` is
    // 0x20 bytes only if `PVOID` is `*mut c_void` — confirm.
    let inmemorymodulelist  = ldr_entry_address.offset(0x20) as PVOID;
    let mut  module_list_addres: PVOID = null_mut();
    // Second read: the pointer-sized value at `inmemorymodulelist`.
    let success=  syscall!("NtReadVirtualMemory",hProcess,inmemorymodulelist,&mut module_list_addres as *mut PVOID,pvoid_len,0);
    if success!=0 {
        println!("{:x}",success);

        panic!()
    }

    return module_list_addres;
}

get_peb

/// Returns the PEB base address for `hPorcess`.
///
/// A handle whose raw value is 0 means "this process": the PEB pointer is read
/// from the x64 TEB (`gs:[0x60]`) with inline asm. Otherwise
/// `NtQueryInformationProcess` (information class 0, ProcessBasicInformation)
/// is issued through the `syscall!` macro and `PebBaseAddress` is taken from
/// the returned `PROCESS_BASIC_INFORMATION`. The function always returns `Some`.
///
/// NOTE(review): a non-zero NTSTATUS is printed but not acted on, so on failure
/// the returned value comes from the `Default`-initialised struct.
pub unsafe fn get_peb(hPorcess:HANDLE) -> Option<*mut PEB> {
    let peb:*const u8;

    // Raw handle value 0 is treated as the current process.
    if hPorcess.0 ==0 {
        unsafe {
            asm!(
            "mov {0}, gs:0x60",
            out(reg) peb,
            options(nostack, nomem, preserves_flags),
            );
        }
        println!("self peb");
        return Some(peb as *mut  PEB);
    }

    // NOTE(review): `p` is bound immutably, yet the syscall writes into it through
    // a pointer derived from `&p`. Writing through a pointer obtained from a shared
    // reference is undefined behaviour in Rust and can be miscompiled differently
    // depending on optimisation settings; `let mut p` with `&mut p as *mut _` is
    // the sound form.
    let p = PROCESS_BASIC_INFORMATION::default();
    let process_information: PVOID = std::mem::transmute(&p);

    // ReturnLength is not requested (null pointer as the last argument).
    let success = syscall!("NtQueryInformationProcess",hPorcess,0,process_information,size_of::<PROCESS_BASIC_INFORMATION>() as u32,0 as *mut  u32);
    if success!=0 {
        println!("1 {}",success);

    }
    let pbi:*mut PROCESS_BASIC_INFORMATION;
    pbi = std::mem::transmute(process_information);
    // Copies the struct out through the raw pointer before reading `PebBaseAddress`.
    let pbi = *pbi;
    return Some(pbi.PebBaseAddress as *mut PEB);
bcdlbgm commented 1 year ago

profile lto = true