  • Cargo fmted and added some checks (BUG: RtlCaptureContext)

  • memN0ps committed 2 years ago
    d45cb27b
    1 parent abb29d87
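--- a/src/ekko.rs
+++ b/src/ekko.rs
@@ -1,7 +1,11 @@
 use ntapi::winapi::um::errhandlingapi::GetLastError;
-use std::{ffi::c_void, mem::zeroed, ptr::null_mut};
+use std::{
+ ffi::c_void,
+ mem::zeroed,
+ ptr::{null, null_mut},
+};
 use windows_sys::Win32::{
- Foundation::{HANDLE, UNICODE_STRING},
+ Foundation::{HANDLE, INVALID_HANDLE_VALUE, UNICODE_STRING},
  System::{
  Diagnostics::Debug::{CONTEXT, IMAGE_NT_HEADERS64},
  LibraryLoader::{GetModuleHandleA, GetProcAddress, LoadLibraryA},
@@ -33,26 +37,52 @@
  
  // Creates or opens a named or unnamed event object.
  // https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventw
- let h_event = unsafe { CreateEventW(null_mut(), 0, 0, null_mut()) };
+ let h_event = unsafe { CreateEventW(null(), 0, 0, null()) };
  log::info!("[+] h_event: {:#x}", h_event);
  
+ if h_event == INVALID_HANDLE_VALUE {
+ panic!("[!] CreateEventW failed with error: {}", unsafe {
+ GetLastError()
+ });
+ }
+ 
  // Creates a queue for timers. Timer-queue timers are lightweight objects that enable you to specify a callback function to be called at a specified time.
  // https://learn.microsoft.com/en-us/windows/win32/api/threadpoollegacyapiset/nf-threadpoollegacyapiset-createtimerqueue
  let h_timer_queue = unsafe { CreateTimerQueue() };
  log::info!("[+] h_timer_queue: {:#x}", h_timer_queue);
  
+ if h_timer_queue == INVALID_HANDLE_VALUE {
+ panic!("[!] CreateTimerQueue failed with error: {}", unsafe {
+ GetLastError()
+ });
+ }
+ 
  let nt_continue = unsafe {
  GetProcAddress(
  GetModuleHandleA("ntdll.dll\0".as_ptr()),
  "NtContinue\0".as_ptr(),
  )
  };
+ 
+ if nt_continue.is_none() {
+ panic!("[!] NtContinue not found");
+ }
+ 
+ log::info!("[+] NtContinue: {:#x}", nt_continue.unwrap() as u64);
+ 
  let sys_func032 = unsafe {
  GetProcAddress(
  LoadLibraryA("cryptsp.dll\0".as_ptr()),
  "SystemFunction032\0".as_ptr(),
  )
  };
+ 
+ if sys_func032.is_none() {
+ panic!("[!] SystemFunction032 not found");
+ }
+ 
+ log::info!("[+] SystemFunction032: {:#x}", sys_func032.unwrap() as u64);
+ 
  let rtlcont = unsafe {
  GetProcAddress(
  GetModuleHandleA("ntdll.dll\0".as_ptr()),
@@ -60,17 +90,20 @@
  )
  };
  
+ if rtlcont.is_none() {
+ panic!("[!] RtlCaptureContext not found");
+ }
+ 
+ log::info!("[+] RtlCaptureContext: {:#x}", rtlcont.unwrap() as u64);
+ 
  let image_base = unsafe { GetModuleHandleA(null_mut()) };
  let dos_header = image_base as *mut IMAGE_DOS_HEADER;
- let nt_headesr =
+ let nt_headers =
  unsafe { (dos_header as u64 + (*dos_header).e_lfanew as u64) as *mut IMAGE_NT_HEADERS64 };
- let image_size = unsafe { (*nt_headesr).OptionalHeader.SizeOfImage };
+ let image_size = unsafe { (*nt_headers).OptionalHeader.SizeOfImage };
  
  log::info!("[+] Image Base: {:#x}", image_base as u64);
  log::info!("[+] Image Size: {:#x}", image_size as u64);
- log::info!("[+] NtContinue: {:#x}", nt_continue.unwrap() as u64);
- log::info!("[+] SystemFunction032: {:#x}", sys_func032.unwrap() as u64);
- log::info!("[+] RtlCaptureContext: {:#x}", rtlcont.unwrap() as u64);
  
  key.Buffer = key_buf.as_mut_ptr() as *mut u16;
  key.Length = key_buf.len() as u16; // 16
@@ -79,6 +112,7 @@
  img.Buffer = image_base as *mut u16;
  img.Length = image_size as u16;
  img.MaximumLength = image_size as u16;
+ pause();
  
  log::info!("[+] Calling CreateTimerQueueTimer with ctx_thread");
  // Creates a timer-queue timer. This timer expires at the specified due time, then after every specified period. When the timer expires, the callback function is called.
@@ -314,17 +348,43 @@
 }
  
 fn dump_virtual_protect_context(rop: &CONTEXT) {
- log::info!("[+] RSP: {:#x} RIP: {:#x} -> VirtualProtect({:#x}, {:#x}, {:#x}, {:#x})" , rop.Rsp, rop.Rip, rop.Rcx, rop.Rdx, rop.R8, rop.R9);
+ log::info!(
+ "[+] RSP: {:#x} RIP: {:#x} -> VirtualProtect({:#x}, {:#x}, {:#x}, {:#x})",
+ rop.Rsp,
+ rop.Rip,
+ rop.Rcx,
+ rop.Rdx,
+ rop.R8,
+ rop.R9
+ );
 }
  
 fn dump_system_function036_context(rop: &CONTEXT) {
- log::info!("[+] RSP: {:#x} RIP: {:#x} -> SystemFunction036({:#x}, {:#x})" , rop.Rsp, rop.Rip, rop.Rcx, rop.Rdx);
+ log::info!(
+ "[+] RSP: {:#x} RIP: {:#x} -> SystemFunction036({:#x}, {:#x})",
+ rop.Rsp,
+ rop.Rip,
+ rop.Rcx,
+ rop.Rdx
+ );
 }
  
 fn dump_wait_for_single_object_context(rop: &CONTEXT) {
- log::info!("[+] RSP: {:#x} RIP: {:#x} -> WaitForSingleObject({:#x}, {:#x})" , rop.Rsp, rop.Rip, rop.Rcx, rop.Rdx);
+ log::info!(
+ "[+] RSP: {:#x} RIP: {:#x} -> WaitForSingleObject({:#x}, {:#x})",
+ rop.Rsp,
+ rop.Rip,
+ rop.Rcx,
+ rop.Rdx
+ );
 }
  
 fn dump_set_event_context(rop: &CONTEXT) {
- log::info!("[+] RSP: {:#x} RIP: {:#x} -> SetEvent({:#x})" , rop.Rsp, rop.Rip, rop.Rcx);
+ log::info!(
+ "[+] RSP: {:#x} RIP: {:#x} -> SetEvent({:#x})",
+ rop.Rsp,
+ rop.Rip,
+ rop.Rcx
+ );
 }
+ 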
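Review bot: The failure checks added after `CreateEventW` (new line 43) and `CreateTimerQueue` (new line 54) compare against `INVALID_HANDLE_VALUE`, but both APIs signal failure by returning NULL, so a failed call slips past the check and the null handle is carried into the timer setup; the comparisons should be `if h_event == 0 {` and `if h_timer_queue == 0 {` (HANDLE appears to be an `isize` in this windows-sys version, which is also what the `{:#x}` logging relies on). In both checks `GetLastError()` is read only after a `log::info!` call, which may itself overwrite the thread's last-error value, so capture it right after the failing call, e.g. `let err = unsafe { GetLastError() };` before logging. The `is_none()` followed by `unwrap()` pairs for `nt_continue`, `sys_func032` and `rtlcont` (new lines 67-71, 80-84, 93-97) could be collapsed into `let Some(nt_continue) = ... else { panic!("[!] NtContinue not found") };` if the toolchain supports let-else, removing the unwraps. The enclosing function starts and ends outside the hunk.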