STRLCPY/Offensive-Rust

added iat hooking
winsecurity committed 1 year ago

61dc5ae0

1 parent 9398ae60

■ ■ ■ ■ ■ ■

iathooking/.gitignore

1 + /target
2 +

All occurrences

■ ■ ■ ■ ■ ■

iathooking/.vscode/launch.json

1	+	{
2	+	// Use IntelliSense to learn about possible attributes.
3	+	// Hover to view descriptions of existing attributes.
4	+	// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
5	+	"version": "0.2.0",
6	+	"configurations": [
7	+	{
8	+	"type": "lldb",
9	+	"request": "launch",
10	+	"name": "Debug executable 'iathooking'",
11	+	"cargo": {
12	+	"args": [
13	+	"build",
14	+	"--bin=iathooking",
15	+	"--package=iathooking"
16	+	],
17	+	"filter": {
18	+	"name": "iathooking",
19	+	"kind": "bin"
20	+	}
21	+	},
22	+	"args": [],
23	+	"cwd": "${workspaceFolder}"
24	+	},
25	+	{
26	+	"type": "lldb",
27	+	"request": "launch",
28	+	"name": "Debug unit tests in executable 'iathooking'",
29	+	"cargo": {
30	+	"args": [
31	+	"test",
32	+	"--no-run",
33	+	"--bin=iathooking",
34	+	"--package=iathooking"
35	+	],
36	+	"filter": {
37	+	"name": "iathooking",
38	+	"kind": "bin"
39	+	}
40	+	},
41	+	"args": [],
42	+	"cwd": "${workspaceFolder}"
43	+	}
44	+	]
45	+	}

■ ■ ■ ■ ■ ■

iathooking/Cargo.lock

1	+	# This file is automatically @generated by Cargo.
2	+	# It is not intended for manual editing.
3	+	version = 3
4	+
5	+	[[package]]
6	+	name = "iathooking"
7	+	version = "0.1.0"
8	+	dependencies = [
9	+	"winapi",
10	+	]
11	+
12	+	[[package]]
13	+	name = "winapi"
14	+	version = "0.3.9"
15	+	source = "registry+https://github.com/rust-lang/crates.io-index"
16	+	checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
17	+	dependencies = [
18	+	"winapi-i686-pc-windows-gnu",
19	+	"winapi-x86_64-pc-windows-gnu",
20	+	]
21	+
22	+	[[package]]
23	+	name = "winapi-i686-pc-windows-gnu"
24	+	version = "0.4.0"
25	+	source = "registry+https://github.com/rust-lang/crates.io-index"
26	+	checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
27	+
28	+	[[package]]
29	+	name = "winapi-x86_64-pc-windows-gnu"
30	+	version = "0.4.0"
31	+	source = "registry+https://github.com/rust-lang/crates.io-index"
32	+	checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
33	+

■ ■ ■ ■ ■ ■

iathooking/Cargo.toml

1	+	[package]
2	+	name = "iathooking"
3	+	version = "0.1.0"
4	+	edition = "2021"
5	+
6	+	# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
7	+
8	+	[dependencies]
9	+	winapi = {version="0.3.9",features =[
10	+	"libloaderapi","memoryapi","processthreadsapi",
11	+	"handleapi","errhandlingapi","tlhelp32","winuser"
12	+	]}
13	+

■ ■ ■ ■ ■ ■

iathooking/src/main.rs

1	+	use std::collections::HashMap;
2	+	use std::fmt::Write;
3	+	use std::io::Read;
4	+
5	+	use winapi::shared::windef::HWND__;
6	+	use winapi::um::handleapi::CloseHandle;
7	+	use winapi::um::processthreadsapi::*;
8	+	use winapi::um::memoryapi::*;
9	+	use winapi::um::libloaderapi::*;
10	+	use winapi::um::winnt::IMAGE_IMPORT_BY_NAME;
11	+	use winapi::um::winuser::*;
12	+	use winapi::um::winuser::MessageBoxA;
13	+	use winapi::ctypes::*;
14	+	use winapi::um::tlhelp32::*;
15	+
16	+
17	+
18	+	pub fn FillStructureFromArray<T, U>(base: &mut T, arr: &[U]) -> usize {
19	+	unsafe {
20	+	//println!("{}",std::mem::size_of::<T>());
21	+	//println!("{}",std::mem::size_of_val(arr));
22	+	if std::mem::size_of::<T>() != std::mem::size_of_val(arr) {
23	+	println!("{}", std::mem::size_of::<T>());
24	+	println!("{}", std::mem::size_of_val(arr));
25	+	panic!("sizes are not equal to copy");
26	+	}
27	+
28	+	let mut handle = GetCurrentProcess();
29	+	let mut byteswritten = 0;
30	+	let res = WriteProcessMemory(
31	+	handle,
32	+	base as mut _ as mut c_void,
33	+	arr as const _ as const c_void,
34	+	std::mem::size_of::<T>(),
35	+	&mut byteswritten,
36	+	);
37	+
38	+	return byteswritten;
39	+	}
40	+	}
41	+
42	+	pub fn FillStructureFromMemory<T>(
43	+	dest: &mut T,
44	+	src: *const c_void,
45	+	prochandle: *mut c_void,
46	+	) -> usize {
47	+	unsafe {
48	+	let bytestoread: usize = std::mem::size_of::<T>();
49	+	//println!("size of structure is {}",bytestoread);
50	+	let mut buffer: Vec<u8> = vec![0; bytestoread];
51	+	let mut byteswritten = 0;
52	+
53	+	let res = ReadProcessMemory(
54	+	prochandle,
55	+	src,
56	+	buffer.as_mut_ptr() as *mut c_void,
57	+	bytestoread,
58	+	&mut byteswritten,
59	+	);
60	+	//println!("array being filled: {:x?}",&buffer);
61	+	FillStructureFromArray(dest, &buffer);
62	+
63	+	return byteswritten;
64	+	}
65	+	}
66	+
67	+	/pub fn ReadStringFromMemory(phandle:mut c_void,baseaddress:*const c_void,) -> String{
68	+
69	+	let mut temp:Vec<u8> = vec![0;100];
70	+	let mut bytesread:usize = 0;
71	+	unsafe{
72	+	let mut i = 0;
73	+	loop{
74	+	let res =ReadProcessMemory(phandle,
75	+	(baseaddress as isize+i) as *const c_void,
76	+	(temp.as_mut_ptr() as usize + i as usize) as *mut c_void,
77	+	1,
78	+	&mut bytesread );
79	+
80	+
81	+	if temp[i as usize]==0{
82	+	//println!("{:x?}",i);
83	+	break;
84	+	}
85	+	i +=1;
86	+	}
87	+	let dllname =String::from_utf8_lossy(&temp);
88	+	dllname.to_string()
89	+	}
90	+	}*/
91	+
92	+
93	+
94	+	pub fn ReadStringFromMemory(prochandle: mut c_void, base: const c_void) -> String {
95	+	unsafe {
96	+	let mut i: isize = 0;
97	+	let mut s = String::new();
98	+	loop {
99	+	let mut a: [u8; 1] = [0];
100	+	ReadProcessMemory(
101	+	prochandle,
102	+	(base as isize + i) as *const c_void,
103	+	a.as_mut_ptr() as *mut c_void,
104	+	1,
105	+	std::ptr::null_mut(),
106	+	);
107	+
108	+	if a[0] == 0 \|\| i == 50 {
109	+	return s;
110	+	}
111	+	s.push(a[0] as char);
112	+	i += 1;
113	+	}
114	+	}
115	+	}
116	+
117	+	pub fn GetStringFromu8Array(arr: &mut [u8]) -> String {
118	+	let mut temp = String::new();
119	+
120	+	for i in 0..arr.len() {
121	+	if arr[i] == 0 {
122	+	return temp;
123	+	} else {
124	+	temp.push(arr[i] as u8 as char);
125	+	}
126	+	}
127	+
128	+	temp
129	+	}
130	+
131	+	pub fn GetStringFromi8Array(arr: &mut [i8]) -> String {
132	+	let mut temp = String::new();
133	+
134	+	for i in 0..arr.len() {
135	+	if arr[i] == 0 {
136	+	return temp;
137	+	} else {
138	+	temp.push(arr[i] as u8 as char);
139	+	}
140	+	}
141	+
142	+	temp
143	+	}
144	+
145	+
146	+	use winapi::um::errhandlingapi::*;
147	+	use std::ffi::{CString};
148	+	//use dll_syringe::{Syringe,process::OwnedProcess};
149	+
150	+
151	+	/pub fn DllInject(prochandle:mut c_void,dllpath:&str){
152	+
153	+
154	+
155	+	unsafe{
156	+
157	+	let targetproc= OwnedProcess::find_first_by_name("sample.exe").unwrap();
158	+
159	+	let s =Syringe::for_process(targetproc);
160	+
161	+	let payload= s.inject(dllpath).unwrap();
162	+	/* println!("dllpath : {}",dllpath);
163	+
164	+	let remotebase =VirtualAllocEx(prochandle,
165	+	std::ptr::null_mut(),dllpath.len(),
166	+	0x1000,0x40);
167	+
168	+	let mut byteswritten = 0;
169	+
170	+	WriteProcessMemory(prochandle,
171	+	remotebase,
172	+	dllpath.as_bytes().as_ptr() as *const c_void,
173	+	dllpath.len(), &mut byteswritten as mut _ as mut usize);
174	+
175	+	println!("bytes written: {}",byteswritten);
176	+
177	+
178	+	let dllhandle =GetModuleHandleA("kernel32.dll\0".as_ptr() as *const i8);
179	+
180	+	let funcaddr =GetProcAddress(dllhandle, "LoadLibraryA\0".as_ptr() as *const i8);
181	+
182	+	CreateRemoteThread(prochandle,
183	+	std::ptr::null_mut(),
184	+	0,
185	+	std::mem::transmute(funcaddr),
186	+	remotebase, 0, std::ptr::null_mut());
187	+
188	+	}*/
189	+	}
190	+	}*/
191	+
192	+
193	+	pub fn DllInject(prochandle:mut c_void,dllpath:&str) -> mut c_void{
194	+
195	+	unsafe{
196	+
197	+	let remotebase =VirtualAllocEx(prochandle,
198	+	std::ptr::null_mut(),
199	+	dllpath.len(), 0x1000, 0x40);
200	+
201	+
202	+	WriteProcessMemory(prochandle,
203	+	remotebase,
204	+	dllpath.as_bytes().as_ptr() as *const c_void,
205	+	dllpath.len(), std::ptr::null_mut());
206	+
207	+	let dllhandle =GetModuleHandleA("kernel32.dll\0".as_ptr() as *const i8);
208	+	let funcaddress = GetProcAddress(dllhandle,"LoadLibraryA\0".as_ptr() as *const i8);
209	+
210	+	CreateRemoteThread(prochandle,
211	+	std::ptr::null_mut(),
212	+	0,
213	+	Some(std::mem::transmute(funcaddress)),
214	+	remotebase, 0,
215	+	std::ptr::null_mut());
216	+
217	+
218	+	return remotebase;
219	+
220	+	}
221	+
222	+
223	+	}
224	+
225	+
226	+
227	+	use std::collections;
228	+	use std::mem::*;
229	+	pub fn ParseExports64(prochandle:mut c_void,baseaddress:mut c_void) -> HashMap<String,i32>{
230	+
231	+	unsafe{
232	+
233	+	let mut exports:HashMap<String,i32> = HashMap::new();
234	+
235	+
236	+	let mut dos:[u8;64] = [0;64];
237	+	ReadProcessMemory(prochandle,
238	+	baseaddress, &mut dos as mut u8 as mut c_void,
239	+	64, std::ptr::null_mut());
240	+
241	+	if dos[0]!=77 && dos[1]!=90{
242	+	return exports;
243	+	}
244	+
245	+	let mut dosheader = IMAGE_DOS_HEADER::default();
246	+	FillStructureFromArray(&mut dosheader, &dos);
247	+
248	+
249	+	let mut nt:[u8;size_of::<IMAGE_NT_HEADERS64>()] = [0;size_of::<IMAGE_NT_HEADERS64>()];
250	+	ReadProcessMemory(prochandle,
251	+	(baseaddress as isize + dosheader.e_lfanew as isize)as const c_void, &mut nt as mut u8 as *mut c_void,
252	+	size_of::<IMAGE_NT_HEADERS64>(), std::ptr::null_mut());
253	+
254	+	let mut ntheader = IMAGE_NT_HEADERS64::default();
255	+	FillStructureFromArray(&mut ntheader, &nt);
256	+
257	+
258	+	if ntheader.OptionalHeader.ExportTable.Size==0{
259	+	return exports;
260	+	}
261	+
262	+	let mut export = IMAGE_EXPORT_DIRECTORY::default();
263	+
264	+	let mut exp:[u8;size_of::<IMAGE_EXPORT_DIRECTORY>()] = [0;size_of::<IMAGE_EXPORT_DIRECTORY>()];
265	+	ReadProcessMemory(prochandle,
266	+	(baseaddress as isize + ntheader.OptionalHeader.ExportTable.VirtualAddress as isize)as const c_void, &mut exp as mut u8 as *mut c_void,
267	+	size_of::<IMAGE_EXPORT_DIRECTORY>(), std::ptr::null_mut());
268	+
269	+	FillStructureFromArray(&mut export, &exp);
270	+
271	+	// println!("{:x?}",export);
272	+
273	+
274	+	let entptr =baseaddress as isize + export.AddressOfNames as isize;
275	+	let eotptr =baseaddress as isize + export.AddressOfNameOrdinals as isize;
276	+	let eatptr =baseaddress as isize + export.AddressOfFunctions as isize;
277	+
278	+
279	+
280	+	for i in 0..export.NumberOfNames{
281	+
282	+	let mut nameaddr:[u8;4] = [0;4];
283	+	ReadProcessMemory(prochandle,
284	+	(entptr + (i4) as isize) as const c_void,
285	+	nameaddr.as_mut_ptr() as *mut c_void, 4, std::ptr::null_mut());
286	+
287	+
288	+	let nameoffset = i32::from_ne_bytes(nameaddr.try_into().unwrap());
289	+
290	+	let funcname = ReadStringFromMemory(prochandle, (baseaddress as isize +nameoffset as isize )as *const c_void);
291	+
292	+
293	+	let mut ordaddr:[u8;2] = [0;2];
294	+	ReadProcessMemory(prochandle,
295	+	(eotptr + (i2) as isize) as const c_void,
296	+	ordaddr.as_mut_ptr() as *mut c_void, 2, std::ptr::null_mut());
297	+
298	+	let ordoffset = i32::from_ne_bytes(nameaddr.try_into().unwrap());
299	+
300	+
301	+
302	+
303	+	let mut addresses:[u8;4] = [0;4];
304	+	ReadProcessMemory(prochandle,
305	+	(eatptr + (i4) as isize) as const c_void,
306	+	addresses.as_mut_ptr() as *mut c_void, 4, std::ptr::null_mut());
307	+
308	+	let finaladdress = i32::from_ne_bytes(addresses.try_into().unwrap());
309	+
310	+	exports.insert(funcname,finaladdress);
311	+
312	+	}
313	+
314	+	//println!("{:?}",exports);
315	+
316	+	return exports;
317	+	}
318	+
319	+
320	+
321	+	}
322	+
323	+
324	+
325	+	fn main() {
326	+
327	+	let pid: u32 = 15108;
328	+	let loadeddll = "tempdll.dll";
329	+
330	+
331	+	unsafe{
332	+
333	+	let prochandle = OpenProcess(0x001FFFFF, 0, pid);
334	+	let magic:[u8;4];
335	+
336	+	if prochandle.is_null() {
337	+	panic!("OpenProcess failed with error: {}", GetLastError());
338	+	}
339	+
340	+	DllInject(prochandle, r#"D:\rust_practice\dlls\tempdll\target\release\tempdll.dll"#);
341	+
342	+
343	+	let mut me =std::mem::MaybeUninit::<MODULEENTRY32>::uninit();
344	+	me.assume_init().dwSize = std::mem::size_of::<MODULEENTRY32>() as u32;
345	+
346	+	let snaphandle = CreateToolhelp32Snapshot(TH32CS_SNAPALL, pid);
347	+
348	+	let res= Module32First(snaphandle, me.as_mut_ptr());
349	+	println!("result: {}",res);
350	+
351	+	let modname =GetStringFromi8Array(&mut me.assume_init().szModule);
352	+
353	+	println!("{} : {:x?}",modname,me.assume_init().modBaseAddr);
354	+
355	+	let mut base:mut c_void = 0 as mut c_void ;
356	+	let mut remotedllbase:mut c_void = 0 as mut c_void ;
357	+
358	+	if modname.contains(".exe"){
359	+	base = me.assume_init().modBaseAddr as *mut c_void;
360	+	}
361	+
362	+	/*if modname == loadeddll{
363	+	remotedllbase = me.assume_init().modBaseAddr as *mut c_void;
364	+	}*/
365	+
366	+	loop{
367	+	let mut me2 = std::mem::MaybeUninit::<MODULEENTRY32>::uninit();
368	+	let res =Module32Next(snaphandle, me2.as_mut_ptr());
369	+	if res!=1{
370	+	break;
371	+	}
372	+
373	+	let modulename= GetStringFromi8Array(&mut me2.assume_init().szModule);
374	+	println!("{} : {:x?}",modulename,me2.assume_init().modBaseAddr);
375	+
376	+
377	+	if modulename ==loadeddll{
378	+	remotedllbase = me2.assume_init().modBaseAddr as *mut c_void;
379	+	}
380	+
381	+	if modulename.contains(".exe"){
382	+	base = me2.assume_init().modBaseAddr as *mut c_void;
383	+	println!("base =====>{:x?}",base);
384	+	//break;
385	+	}
386	+
387	+	}
388	+
389	+	assert!(!base.is_null());
390	+	assert!(!remotedllbase.is_null());
391	+
392	+	println!("base -> {:x?}",base);
393	+	println!("remote dllbase -> {:x?}",remotedllbase);
394	+
395	+	ParseExports64(prochandle, remotedllbase);
396	+
397	+	let mut t1:[u8;2] = [0;2];
398	+
399	+	ReadProcessMemory(prochandle,
400	+	remotedllbase, t1.as_mut_ptr() as *mut c_void,
401	+	2, std::ptr::null_mut());
402	+	println!("{:x?}",t1);
403	+
404	+
405	+	//println!("{}",me.assume_init().hModule);
406	+
407	+	let mut dos:[u8;64] = [0;64];
408	+
409	+	ReadProcessMemory(prochandle,
410	+	base as *const c_void,
411	+	dos.as_mut_ptr() as *mut c_void,
412	+	64, std::ptr::null_mut());
413	+
414	+
415	+	let mut dosheader = IMAGE_DOS_HEADER::default();
416	+	FillStructureFromArray(&mut dosheader, &dos);
417	+
418	+
419	+	print!("{:x?}",dosheader.e_magic);
420	+
421	+	let mut ntheader = IMAGE_NT_HEADERS64::default();
422	+	let mut nt:[u8;std::mem::size_of::<IMAGE_NT_HEADERS64>()] = [0;std::mem::size_of::<IMAGE_NT_HEADERS64>()];
423	+
424	+	ReadProcessMemory(prochandle,
425	+	(base as isize + dosheader.e_lfanew as isize) as *const c_void,
426	+	nt.as_mut_ptr() as *mut c_void,
427	+	std::mem::size_of::<IMAGE_NT_HEADERS64>() , std::ptr::null_mut());
428	+
429	+	FillStructureFromArray(&mut ntheader, &nt);
430	+	println!("{:x?}",ntheader);
431	+
432	+	let importoffset = base as isize +ntheader.OptionalHeader.ImportTable.VirtualAddress as isize;
433	+
434	+	let mut i=0;
435	+	loop{
436	+
437	+	let mut imp:[u8;std::mem::size_of::<IMAGE_IMPORT_DESCRIPTOR>()] = [0;std::mem::size_of::<IMAGE_IMPORT_DESCRIPTOR>()];
438	+
439	+	ReadProcessMemory(prochandle,
440	+	(importoffset as isize+istd::mem::size_of::<IMAGE_IMPORT_DESCRIPTOR>() as isize) as const c_void,
441	+	imp.as_mut_ptr() as *mut c_void,
442	+	std::mem::size_of::<IMAGE_IMPORT_DESCRIPTOR>() , std::ptr::null_mut());
443	+
444	+	let mut import = IMAGE_IMPORT_DESCRIPTOR::default();
445	+	//FillStructureFromMemory(&mut import, (importoffset+(istd::mem::size_of::<IMAGE_IMPORT_DESCRIPTOR>() as isize)) as const c_void, prochandle);
446	+	FillStructureFromArray(&mut import, &imp);
447	+
448	+	if import.Name == 0{
449	+	break;
450	+	}
451	+
452	+	let dllname =ReadStringFromMemory(prochandle, (base as isize+import.Name as isize) as *const c_void);
453	+	println!("dll name: {}",dllname);
454	+
455	+	if dllname.trim_end_matches('\0')=="USER32.dll"{
456	+	println!("{}",dllname);
457	+
458	+	/* / let firsthunkptr = (base as isize + import.Characteristics_or_OriginalFirstThunk as isize) as mut c_void;
459	+
460	+	let mut j=0;
461	+	loop{
462	+
463	+	let mut originalthunk:[u8;std::mem::size_of::<isize>()] = [0;std::mem::size_of::<isize>()];
464	+
465	+	ReadProcessMemory(prochandle,
466	+	(firsthunkptr as isize +(jstd::mem::size_of::<isize>() as isize) ) as const c_void,
467	+	originalthunk.as_mut_ptr() as *mut c_void, originalthunk.len(),
468	+	std::ptr::null_mut());
469	+
470	+	let thunkoffset = usize::from_ne_bytes(originalthunk);
471	+	//println!("{:x?}",thunkoffset);
472	+
473	+	if thunkoffset==0{
474	+	break;
475	+	}
476	+
477	+	let funcname =ReadStringFromMemory(prochandle,(base as isize + thunkoffset as isize +2)as *const c_void);
478	+	println!("funcname: {}",funcname);
479	+
480	+
481	+	let addr =(base as isize+import.FirstThunk as isize+(jstd::mem::size_of::<isize>() as isize)) as const c_void;
482	+	let mut address:[u8;std::mem::size_of::<isize>()] = [0;std::mem::size_of::<isize>()];
483	+
484	+	ReadProcessMemory(prochandle,
485	+	addr,
486	+	address.as_mut_ptr() as *mut c_void,
487	+	address.len(), std::ptr::null_mut());
488	+
489	+
490	+	let finaladdress = usize::from_ne_bytes(address);
491	+	println!( "final address{:x?}",finaladdress);
492	+	println!("final {:x?}",address);
493	+
494	+
495	+	let exports = ParseExports64(prochandle, remotedllbase);
496	+	if exports.contains_key("messageboxclone") &&
497	+	funcname=="MessageBoxA"{
498	+	let mut funcaddr =*exports.get("messageboxclone").unwrap();
499	+
500	+	println!("exports: {:x?}",exports);
501	+	println!("messageboxclone: {:x?}",funcaddr);
502	+	funcaddr = remotedllbase as i32+ funcaddr ;
503	+
504	+	println!("messageboxclone after adding base: {:x?}",funcaddr);
505	+
506	+	let funcoffset2:[u8;4] =funcaddr.to_ne_bytes();
507	+
508	+
509	+	let mut oldprotect = 0;
510	+	VirtualProtectEx(prochandle, addr as *mut c_void, 4, 0x40, &mut oldprotect);
511	+	println!("old protection: {}",oldprotect);
512	+	println!("last error : {}",GetLastError());
513	+	WriteProcessMemory(prochandle,
514	+	addr as *mut c_void,
515	+	funcoffset2.as_ptr() as *const c_void,
516	+	funcoffset2.len(), std::ptr::null_mut());
517	+
518	+	println!("last error : {}",GetLastError());
519	+
520	+	ReadProcessMemory(prochandle,
521	+	addr,
522	+	address.as_mut_ptr() as *mut c_void,
523	+	address.len(), std::ptr::null_mut());
524	+
525	+	println!("after writing: {:x?}",address);
526	+
527	+	}
528	+
529	+
530	+
531	+	j+=1;
532	+
533	+	}
534	+
535	+	}
536	+
537	+	i+=1;
538	+
539	+	}
540	+
541	+
542	+	CloseHandle(prochandle);
543	+
544	+	}
545	+	}
546	+
547	+
548	+
549	+
550	+
551	+
552	+
553	+
554	+
555	+	#[derive(Clone, Default, Debug)]
556	+	#[repr(C)]
557	+	pub struct IMAGE_SECTION_HEADER {
558	+	Name: [u8; 8],
559	+	VirtualSize: u32,
560	+	VirtualAddress: u32,
561	+	SizeOfRawData: u32,
562	+	PointerToRawData: u32,
563	+	PointerToRelocations: u32,
564	+	PointerToLinenumbers: u32,
565	+	NumberOfRelocations: u16,
566	+	NumberOfLinenumbers: u16,
567	+	Characteristics: u32,
568	+	}
569	+
570	+	impl IMAGE_SECTION_HEADER {
571	+	fn getsecname(&mut self) -> String {
572	+	String::from_utf8_lossy(&self.Name).to_string()
573	+	}
574	+	}
575	+
576	+	#[repr(C)]
577	+	pub union chars_or_originalfirstthunk {
578	+	Characteristics: u32,
579	+	OriginalFirstThunk: u32,
580	+	}
581	+
582	+	#[derive(Debug, Clone, Default)]
583	+	#[repr(C)]
584	+	pub struct IMAGE_IMPORT_DESCRIPTOR {
585	+	Characteristics_or_OriginalFirstThunk: u32,
586	+
587	+	TimeDateStamp: u32,
588	+
589	+	ForwarderChain: u32,
590	+
591	+	Name: u32,
592	+
593	+	FirstThunk: u32,
594	+	}
595	+
596	+	#[repr(C)]
597	+	pub union IMAGE_THUNK_DATA32 {
598	+	pub ForwarderString: u32,
599	+
600	+	pub Function: u32,
601	+
602	+	pub Ordinal: u32,
603	+
604	+	pub AddressOfData: u32,
605	+	}
606	+
607	+	#[derive(Debug, Clone, Default)]
608	+	#[repr(C)]
609	+	pub struct IMAGE_EXPORT_DIRECTORY {
610	+	pub Characteristics: u32,
611	+	pub TimeDateStamp: u32,
612	+	pub MajorVersion: u16,
613	+	pub MinorVersion: u16,
614	+	pub Name: u32,
615	+	pub Base: u32,
616	+	pub NumberOfFnctions: u32,
617	+	pub NumberOfNames: u32,
618	+	pub AddressOfFunctions: u32, // RVA from base of image
619	+	pub AddressOfNames: u32, // RVA from base of image
620	+	pub AddressOfNameOrdinals: u32, // RVA from base of image
621	+	}
622	+
623	+	#[derive(Debug, Default, Clone)]
624	+	#[repr(C)]
625	+	pub struct IMAGE_OPTIONAL_HEADER64 {
626	+	Magic: u16,
627	+
628	+	MajorLinkerVersion: u8,
629	+
630	+	MinorLinkerVersion: u8,
631	+
632	+	SizeOfCode: u32,
633	+
634	+	SizeOfInitializedData: u32,
635	+
636	+	SizeOfUninitializedData: u32,
637	+
638	+	AddressOfEntryPoint: u32,
639	+
640	+	BaseOfCode: u32,
641	+
642	+	ImageBase: i64,
643	+
644	+	SectionAlignment: u32,
645	+
646	+	FileAlignment: u32,
647	+
648	+	MajorOperatingSystemVersion: u16,
649	+
650	+	MinorOperatingSystemVersion: u16,
651	+
652	+	MajorImageVersion: u16,
653	+
654	+	MinorImageVersion: u16,
655	+
656	+	MajorSubsystemVersion: u16,
657	+
658	+	MinorSubsystemVersion: u16,
659	+
660	+	Win32VersionValue: u32,
661	+
662	+	SizeOfImage: u32,
663	+
664	+	SizeOfHeaders: u32,
665	+
666	+	CheckSum: u32,
667	+
668	+	Subsystem: u16,
669	+
670	+	DllCharacteristics: u16,
671	+
672	+	SizeOfStackReserve: u64,
673	+
674	+	SizeOfStackCommit: u64,
675	+
676	+	SizeOfHeapReserve: u64,
677	+
678	+	SizeOfHeapCommit: u64,
679	+
680	+	LoaderFlags: u32,
681	+
682	+	NumberOfRvaAndSizes: u32,
683	+
684	+	ExportTable: IMAGE_DATA_DIRECTORY,
685	+
686	+	ImportTable: IMAGE_DATA_DIRECTORY,
687	+
688	+	ResourceTable: IMAGE_DATA_DIRECTORY,
689	+
690	+	ExceptionTable: IMAGE_DATA_DIRECTORY,
691	+
692	+	CertificateTable: IMAGE_DATA_DIRECTORY,
693	+
694	+	BaseRelocationTable: IMAGE_DATA_DIRECTORY,
695	+
696	+	Debug: IMAGE_DATA_DIRECTORY,
697	+
698	+	Architecture: IMAGE_DATA_DIRECTORY,
699	+
700	+	GlobalPtr: IMAGE_DATA_DIRECTORY,
701	+
702	+	TLSTable: IMAGE_DATA_DIRECTORY,
703	+	LoadConfigTable: IMAGE_DATA_DIRECTORY,
704	+	BoundImport: IMAGE_DATA_DIRECTORY,
705	+
706	+	IAT: IMAGE_DATA_DIRECTORY,
707	+
708	+	DelayImportDescriptor: IMAGE_DATA_DIRECTORY,
709	+	CLRRuntimeHeader: IMAGE_DATA_DIRECTORY,
710	+
711	+	Reserved: IMAGE_DATA_DIRECTORY,
712	+	}
713	+
714	+	#[derive(Debug, Default, Clone)]
715	+	#[repr(C)]
716	+	pub struct IMAGE_OPTIONAL_HEADER32 {
717	+	Magic: u16,
718	+
719	+	MajorLinkerVersion: u8,
720	+
721	+	MinorLinkerVersion: u8,
722	+
723	+	SizeOfCode: u32,
724	+
725	+	SizeOfInitializedData: u32,
726	+
727	+	SizeOfUninitializedData: u32,
728	+
729	+	AddressOfEntryPoint: u32,
730	+
731	+	BaseOfCode: u32,
732	+
733	+	// PE32 contains this additional field
734	+	BaseOfData: u32,
735	+
736	+	ImageBase: u32,
737	+
738	+	SectionAlignment: u32,
739	+
740	+	FileAlignment: u32,
741	+
742	+	MajorOperatingSystemVersion: u16,
743	+
744	+	MinorOperatingSystemVersion: u16,
745	+
746	+	MajorImageVersion: u16,
747	+
748	+	MinorImageVersion: u16,
749	+
750	+	MajorSubsystemVersion: u16,
751	+
752	+	MinorSubsystemVersion: u16,
753	+
754	+	Win32VersionValue: u32,
755	+
756	+	SizeOfImage: u32,
757	+
758	+	SizeOfHeaders: u32,
759	+
760	+	CheckSum: u32,
761	+
762	+	Subsystem: u32,
763	+
764	+	DllCharacteristics: u16,
765	+
766	+	SizeOfStackReserve: u32,
767	+
768	+	SizeOfStackCommit: u32,
769	+
770	+	SizeOfHeapReserve: u32,
771	+
772	+	SizeOfHeapCommit: u32,
773	+
774	+	LoaderFlags: u32,
775	+
776	+	NumberOfRvaAndSizes: u32,
777	+
778	+	ExportTable: IMAGE_DATA_DIRECTORY,
779	+
780	+	ImportTable: IMAGE_DATA_DIRECTORY,
781	+
782	+	ResourceTable: IMAGE_DATA_DIRECTORY,
783	+
784	+	ExceptionTable: IMAGE_DATA_DIRECTORY,
785	+
786	+	CertificateTable: IMAGE_DATA_DIRECTORY,
787	+
788	+	BaseRelocationTable: IMAGE_DATA_DIRECTORY,
789	+
790	+	Debug: IMAGE_DATA_DIRECTORY,
791	+
792	+	Architecture: IMAGE_DATA_DIRECTORY,
793	+
794	+	GlobalPtr: IMAGE_DATA_DIRECTORY,
795	+
796	+	TLSTable: IMAGE_DATA_DIRECTORY,
797	+	LoadConfigTable: IMAGE_DATA_DIRECTORY,
798	+	BoundImport: IMAGE_DATA_DIRECTORY,
799	+
800	+	IAT: IMAGE_DATA_DIRECTORY,
801	+
802	+	DelayImportDescriptor: IMAGE_DATA_DIRECTORY,
803	+	CLRRuntimeHeader: IMAGE_DATA_DIRECTORY,
804	+
805	+	Reserved: IMAGE_DATA_DIRECTORY,
806	+	}
807	+
808	+	#[derive(Debug, Default, Clone)]
809	+	#[repr(C)]
810	+	pub struct IMAGE_FILE_HEADER {
811	+	Machine: u16,
812	+	NumberOfSections: u16,
813	+	TimeDateStamp: u32,
814	+	PointerToSymbolTable: u32,
815	+	NumberOfSymbols: u32,
816	+	SizeOfOptionalHeader: u16,
817	+	Characteristics: u16,
818	+	}
819	+
820	+	#[derive(Debug, Default, Clone)]
821	+	#[repr(C)]
822	+	pub struct IMAGE_DATA_DIRECTORY {
823	+	VirtualAddress: u32,
824	+	Size: u32,
825	+	}
826	+
827	+	#[derive(Debug, Default, Clone)]
828	+	#[repr(C)]
829	+	pub struct IMAGE_NT_HEADERS32 {
830	+	Signature: u32,
831	+
832	+	FileHeader: IMAGE_FILE_HEADER,
833	+
834	+	OptionalHeader: IMAGE_OPTIONAL_HEADER32,
835	+	}
836	+
837	+	#[derive(Debug, Default, Clone)]
838	+	#[repr(C)]
839	+	pub struct IMAGE_NT_HEADERS64 {
840	+	Signature: u32,
841	+
842	+	FileHeader: IMAGE_FILE_HEADER,
843	+
844	+	OptionalHeader: IMAGE_OPTIONAL_HEADER64,
845	+	}
846	+
847	+	#[derive(Debug, Default, Clone)]
848	+	#[repr(C)]
849	+
850	+	pub struct IMAGE_DOS_HEADER {
851	+	e_magic: [u8; 2], // Magic number
852	+	e_cblp: u16, // Bytes on last page of file
853	+	e_cp: u16, // Pages in file
854	+	e_crlc: u16, // Relocations
855	+	e_cparhdr: u16, // Size of header in paragraphs
856	+	e_minalloc: u16, // Minimum extra paragraphs needed
857	+	e_maxalloc: u16, // Maximum extra paragraphs needed
858	+	e_ss: u16, // Initial (relative) SS value
859	+	e_sp: u16, // Initial SP value
860	+	e_csum: u16, // Checksum
861	+	e_ip: u16, // Initial IP value
862	+	e_cs: u16, // Initial (relative) CS value
863	+	e_lfarlc: u16, // File address of relocation table
864	+	e_ovno: u16, // Overlay number
865	+	e_res1: [u16; 4], // Reserved words
866	+	e_oemid: u16, // OEM identifier (for e_oeminfo)
867	+	e_oeminfo: u16, // OEM information, e_oemid specific
868	+	e_res2: [u16; 10], // Reserved words
869	+	e_lfanew: i32, // File address of new exe header
870	+	}
871	+
872	+
873	+
874	+
875	+
876	+
877	+
878	+

	1	+	/target
	2	+

added iat hooking