// Contains processor-specific register data. The system uses CONTEXT structures to perform various internal operations.
skipped 33 lines
57
66
});
58
67
}
59
68
60
-
let nt_continue = unsafe {
69
+
let virtualprotect = unsafe {
61
70
GetProcAddress(
62
-
GetModuleHandleA("ntdll.dll\0".as_ptr()),
63
-
"NtContinue\0".as_ptr(),
71
+
GetModuleHandleA("kernel32.dll\0".as_ptr()),
72
+
"VirtualProtect\0".as_ptr(),
64
73
)
65
74
};
66
75
67
-
if nt_continue.is_none() {
68
-
panic!("[!] NtContinue not found");
76
+
if virtualprotect.is_none() {
77
+
panic!("[!] VirtualProtect not found");
69
78
}
70
79
71
-
log::info!("[+] NtContinue: {:#x}", nt_continue.unwrap() as u64);
80
+
log::info!("[+] VirtualProtect: {:#x}", virtualprotect.unwrap() as u64);
81
+
72
82
73
83
let sys_func032 = unsafe {
74
84
GetProcAddress(
75
-
LoadLibraryA("cryptsp.dll\0".as_ptr()),
85
+
LoadLibraryA("Advapi32.dll\0".as_ptr()),
76
86
"SystemFunction032\0".as_ptr(),
77
87
)
78
88
};
skipped 4 lines
83
93
84
94
log::info!("[+] SystemFunction032: {:#x}", sys_func032.unwrap() as u64);
85
95
86
-
let rtlcont = unsafe {
96
+
let setevent = unsafe {
87
97
GetProcAddress(
88
-
GetModuleHandleA("ntdll.dll\0".as_ptr()),
89
-
"RtlCaptureContext\0".as_ptr(),
98
+
GetModuleHandleA("kernel32.dll\0".as_ptr()),
99
+
"SetEvent\0".as_ptr(),
90
100
)
91
101
};
92
102
93
-
if rtlcont.is_none() {
94
-
panic!("[!] RtlCaptureContext not found");
103
+
if setevent.is_none() {
104
+
panic!("[!] SetEvent not found");
95
105
}
96
106
97
-
log::info!("[+] RtlCaptureContext: {:#x}", rtlcont.unwrap() as u64);
107
+
log::info!("[+] SetEvent: {:#x}", setevent.unwrap() as u64);
108
+
109
+
let waitforsingleobject = unsafe {
110
+
GetProcAddress(
111
+
GetModuleHandleA("kernel32.dll\0".as_ptr()),
112
+
"WaitForSingleObject\0".as_ptr(),
113
+
)
114
+
};
115
+
116
+
if waitforsingleobject.is_none() {
117
+
panic!("[!] WaitForSingleObject not found");
118
+
}
119
+
120
+
log::info!("[+] WaitForSingleObject: {:#x}", waitforsingleobject.unwrap() as u64);
98
121
99
122
let image_base = unsafe { GetModuleHandleA(null_mut()) };
100
123
let dos_header = image_base as *mut IMAGE_DOS_HEADER;
skipped 11 lines
112
135
img.Buffer = image_base as *mut u16;
113
136
img.Length = image_size as u16;
114
137
img.MaximumLength = image_size as u16;
115
-
pause();
116
138
117
139
log::info!("[+] Calling CreateTimerQueueTimer with ctx_thread");
118
140
// Creates a timer-queue timer. This timer expires at the specified due time, then after every specified period. When the timer expires, the callback function is called.