├── .gitignore ├── Cargo.toml ├── LICENSE ├── README.md ├── example └── __wgetmainargs_hook.rs ├── sample └── dll │ └── dllmain.c └── src ├── error.rs ├── lib.rs ├── peloader ├── def.rs ├── error.rs ├── hook.rs ├── mod.rs └── winapi.rs └── peparser ├── check.rs ├── def.rs ├── error.rs ├── header.rs ├── mod.rs ├── pe.rs └── section.rs /.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | Cargo.lock 3 | *.exe 4 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "memexec" 3 | version = "0.2.0" 4 | authors = ["iv4n "] 5 | edition = "2018" 6 | description = "A library for loading and executing PE (Portable Executable) from memory without ever touching the disk" 7 | repository = "https://github.com/eddieivan01/memexec.git" 8 | license = "GPL-3.0" 9 | 10 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 11 | 12 | [features] 13 | hook = [] 14 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. 
We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 
49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. 
The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 
122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 
155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 
186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. 
This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 
675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # memexec 2 | 3 | [![](https://img.shields.io/crates/v/memexec)](https://crates.io/crates/memexec) [![](https://img.shields.io/crates/d/memexec?label=downloads%40crates.io&style=social)](https://crates.io/crates/memexec) 4 | 5 | A library for loading and executing PE (Portable Executable) from memory without ever touching the disk 6 | 7 | # Features 8 | 9 | + Applicable to EXE and DLL (except .NET assemblies) 10 | + Cross-architecture, applicable to x86 and x86-64 11 | + Zero-dependency 12 | + Contains a simple, zero-copy PE parser submodule 13 | + Provides an IAT hooking interface 14 | 15 | # Install 16 | 17 | ```toml 18 | # Cargo.toml 19 | 20 | [dependencies] 21 | memexec = "0.2" 22 | ``` 23 | 24 | # Usage 25 | 26 | ## Execute from memory 27 | 28 | **⚠The architecture of the target program must be the same as that of the current process; otherwise an error will occur** 29 | 30 | ```rust 31 | use memexec; 32 | use std::fs::File; 33 | use std::io::Read; 34 | 35 | /***********************************************************/ 36 | /* EXE */ 37 | /***********************************************************/ 38 | let mut buf = Vec::new(); 39 | File::open("./test.exe") 40 | .unwrap() 41 | .read_to_end(&mut buf) 42 | .unwrap(); 43 | 44 | unsafe { 45 | // If you need to pass command line parameters, 46 | // try to modify PEB's command line buffer 47 | // Or use `memexec_exe_with_hooks` to hook related functions (see below) 48 | memexec::memexec_exe(&buf).unwrap(); 49 | } 50 | 51 | 52 | /***********************************************************/ 53 | /* DLL */ 54 | /***********************************************************/ 55 | let mut buf = Vec::new(); 56 | File::open("./test.dll") 57 | .unwrap() 58 | .read_to_end(&mut buf) 59 | .unwrap(); 60 | 61 | use memexec::peloader::def::DLL_PROCESS_ATTACH; 62 | unsafe 
{ 63 | // DLL's entry point is DllMain 64 | memexec_dll(&buf, 0 as _, DLL_PROCESS_ATTACH, 0 as _).unwrap(); 65 | } 66 | ``` 67 | 68 | ## IAT hooking 69 | 70 | Enable the `hook` feature in `Cargo.toml` 71 | 72 | ```toml 73 | [dependencies] 74 | memexec = { version="0.2", features=[ "hook" ] } 75 | ``` 76 | 77 | Hook the `__wgetmainargs` function (see `example/__wgetmainargs_hook.rs`) 78 | 79 | ```rust 80 | let mut buf = Vec::new(); 81 | File::open("./test.x64.exe") 82 | .unwrap() 83 | .read_to_end(&mut buf) 84 | .unwrap(); 85 | 86 | let mut hooks = HashMap::new(); 87 | 88 | unsafe { 89 | hooks.insert( 90 | "msvcrt.dll!__wgetmainargs".into(), 91 | mem::transmute:: _, _>(__wgetmainargs), 92 | ); 93 | memexec::memexec_exe_with_hooks(&buf, &hooks).unwrap(); 94 | } 95 | ``` 96 | 97 | The definition of `__wgetmainargs` (note the calling convention on different architectures): 98 | 99 | ```rust 100 | // https://docs.microsoft.com/en-us/cpp/c-runtime-library/getmainargs-wgetmainargs?view=msvc-160 101 | /* 102 | int __wgetmainargs ( 103 | int *_Argc, 104 | wchar_t ***_Argv, 105 | wchar_t ***_Env, 106 | int _DoWildCard, 107 | _startupinfo * _StartInfo) 108 | */ 109 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 110 | extern "win64" fn __wgetmainargs( 111 | _Argc: *mut i32, 112 | _Argv: *mut *const *const u16, 113 | _Env: *const c_void, 114 | _DoWildCard: i32, 115 | _StartInfo: *const c_void, 116 | ) -> i32 { 117 | unsafe { 118 | *_Argc = 2; 119 | let a0: Vec<_> = "program_name\0" 120 | .chars() 121 | .map(|c| (c as u16).to_le()) 122 | .collect(); 123 | let a1: Vec<_> = "token::whoami\0" 124 | .chars() 125 | .map(|c| (c as u16).to_le()) 126 | .collect(); 127 | *_Argv = [a0.as_ptr(), a1.as_ptr()].as_ptr(); 128 | 129 | // Avoid calling destructor 130 | mem::forget(a0); 131 | mem::forget(a1); 132 | } 133 | 134 | 0 135 | } 136 | ``` 137 | 138 | ## PE parser 139 | 140 | **The PE parser can parse programs whose architecture differs from that of the current process** 141 | 142 
| ```rust 143 | use memexec::peparser::PE; 144 | 145 | // Zero copy 146 | // Make sure that the lifetime of `buf` is longer than `pe` 147 | let pe = PE::new(&buf); 148 | println!("{:?}", pe); 149 | ``` 150 | 151 | # TODO 152 | 153 | - [ ] Replace `LoadLibrary` with calling `load_pe_into_mem` recursively 154 | 155 | - [ ] Replace `GetProcAddress` with self-implemented [`LdrpSnapThunk`](https://doxygen.reactos.org/dd/d83/ntdllp_8h.html#ae2196bc7f46cc2a92d36b7c4881ee633), so as to support resolving proc address by `IMAGE_IMPORT_BY_NAME.Hint` 156 | 157 | # License 158 | 159 | The GPLv3 license 160 | -------------------------------------------------------------------------------- /example/__wgetmainargs_hook.rs: -------------------------------------------------------------------------------- 1 | use std::collections::HashMap; 2 | use std::fs::File; 3 | use std::io::Read; 4 | use std::mem; 5 | use std::os::raw::c_void; 6 | 7 | // https://docs.microsoft.com/en-us/cpp/c-runtime-library/getmainargs-wgetmainargs?view=msvc-160 8 | /* 9 | int __wgetmainargs ( 10 | int *_Argc, 11 | wchar_t ***_Argv, 12 | wchar_t ***_Env, 13 | int _DoWildCard, 14 | _startupinfo * _StartInfo) 15 | */ 16 | /** Replacement for the CRT's `__wgetmainargs`, installed through the hook table so the loaded program sees a fixed two-element `argv` instead of this process's command line. `extern "cdecl"` matches the 32-bit CRT's calling convention; the x86-64 variant further down uses `extern "win64"`. The `_Env` out-parameter is left untouched — presumably the target never reads it; confirm before reusing this hook. */ #[cfg(all(target_arch = "x86", target_os = "windows"))] 17 | extern "cdecl" fn __wgetmainargs( 18 | _Argc: *mut i32, 19 | _Argv: *mut *const *const u16, 20 | _Env: *const c_void, 21 | _DoWildCard: i32, 22 | _StartInfo: *const c_void, 23 | ) -> i32 { 24 | unsafe { 25 | *_Argc = 2; 26 | /* UTF-16LE, NUL-terminated, as a `wchar_t*` consumer expects. */ let a0: Vec<_> = "program_name\0" 27 | .chars() 28 | .map(|c| (c as u16).to_le()) 29 | .collect(); 30 | let a1: Vec<_> = "token::whoami\0" 31 | .chars() 32 | .map(|c| (c as u16).to_le()) 33 | .collect(); 34 | /* NOTE(review): the `[a0.as_ptr(), a1.as_ptr()]` array is a temporary that dies at the end of this statement, so `*_Argv` is left pointing at freed stack memory; only the two strings are kept alive by the `mem::forget`s below. Keep the pointer array alive the same way, e.g. `let argv = vec![a0.as_ptr(), a1.as_ptr()]; *_Argv = argv.as_ptr(); mem::forget(argv);`. */ *_Argv = [a0.as_ptr(), a1.as_ptr()].as_ptr(); 35 | 36 | // Avoid calling destructor 37 | mem::forget(a0); 38 | mem::forget(a1); 39 | } 40 | 41 | 0 42 | } 43 | 44 | /** Loads `./test.x86.exe` from disk and runs it through `memexec_exe_with_hooks` with `__wgetmainargs` redirected to the hook above. The hook key uses the `"dll!name"` form accepted by `ProcDesc`'s `From<&str>`. */ #[cfg(all(target_arch = "x86", target_os = "windows"))] 45 | fn hook_x86() { 46 | let mut buf = Vec::new(); 47 | File::open("./test.x86.exe") 48 | 
.unwrap() 49 | .read_to_end(&mut buf) 50 | .unwrap(); 51 | 52 | let mut hooks = HashMap::new(); 53 | 54 | unsafe { 55 | hooks.insert( 56 | "msvcrt.dll!__wgetmainargs".into(), 57 | mem::transmute:: _, _>(__wgetmainargs), 58 | ); 59 | memexec::memexec_exe_with_hooks(&buf, &hooks).unwrap(); 60 | } 61 | } 62 | 63 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 64 | extern "win64" fn __wgetmainargs( 65 | _Argc: *mut i32, 66 | _Argv: *mut *const *const u16, 67 | _Env: *const c_void, 68 | _DoWildCard: i32, 69 | _StartInfo: *const c_void, 70 | ) -> i32 { 71 | unsafe { 72 | *_Argc = 2; 73 | let a0: Vec<_> = "program_name\0" 74 | .chars() 75 | .map(|c| (c as u16).to_le()) 76 | .collect(); 77 | let a1: Vec<_> = "token::whoami\0" 78 | .chars() 79 | .map(|c| (c as u16).to_le()) 80 | .collect(); 81 | *_Argv = [a0.as_ptr(), a1.as_ptr()].as_ptr(); 82 | 83 | // Avoid calling destructor 84 | mem::forget(a0); 85 | mem::forget(a1); 86 | } 87 | 88 | 0 89 | } 90 | 91 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 92 | fn hook_x64() { 93 | let mut buf = Vec::new(); 94 | File::open("./test.x64.exe") 95 | .unwrap() 96 | .read_to_end(&mut buf) 97 | .unwrap(); 98 | 99 | let mut hooks = HashMap::new(); 100 | 101 | unsafe { 102 | hooks.insert( 103 | "msvcrt.dll!__wgetmainargs".into(), 104 | mem::transmute:: _, _>(__wgetmainargs), 105 | ); 106 | memexec::memexec_exe_with_hooks(&buf, &hooks).unwrap(); 107 | } 108 | } 109 | -------------------------------------------------------------------------------- /sample/dll/dllmain.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // TLS callback: https://stackoverflow.com/a/36891752/11159056 5 | void NTAPI tls_callback(PVOID DllHandle, DWORD dwReason, PVOID lpReserved) { 6 | MessageBoxA(0, "TLS callback", "TLS", 0); 7 | } 8 | 9 | #ifdef _WIN64 10 | #pragma comment (linker, "/INCLUDE:_tls_used") // See p. 
1 below 11 | #pragma comment (linker, "/INCLUDE:tls_callback_func") // See p. 3 below 12 | #else 13 | #pragma comment (linker, "/INCLUDE:__tls_used") // See p. 1 below 14 | #pragma comment (linker, "/INCLUDE:_tls_callback_func") // See p. 3 below 15 | #endif 16 | 17 | // Explained in p. 3 below 18 | #ifdef _WIN64 19 | #pragma const_seg(".CRT$XLF") 20 | EXTERN_C const 21 | #else 22 | #pragma data_seg(".CRT$XLF") 23 | EXTERN_C 24 | #endif 25 | PIMAGE_TLS_CALLBACK tls_callback_func = tls_callback; 26 | #ifdef _WIN64 27 | #pragma const_seg() 28 | #else 29 | #pragma data_seg() 30 | #endif //_WIN64 31 | 32 | void proc() { 33 | MessageBoxA(0, "Hello world from loaded DLL, will pop calc.exe later", "What's up", 0); 34 | STARTUPINFO si = { sizeof(si) }; 35 | PROCESS_INFORMATION pi; 36 | if (CreateProcessA("C:\\windows\\system32\\calc.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) { 37 | WaitForSingleObject(pi.hProcess, INFINITE); 38 | CloseHandle(pi.hProcess); 39 | CloseHandle(pi.hThread); 40 | }; 41 | } 42 | 43 | BOOL APIENTRY DllMain(HMODULE hModule, 44 | DWORD ul_reason_for_call, 45 | LPVOID lpReserved 46 | ) { 47 | switch (ul_reason_for_call) { 48 | case DLL_PROCESS_ATTACH: 49 | proc(); 50 | break; 51 | 52 | case DLL_THREAD_ATTACH: 53 | case DLL_THREAD_DETACH: 54 | case DLL_PROCESS_DETACH: 55 | break; 56 | } 57 | return TRUE; 58 | } 59 | -------------------------------------------------------------------------------- /src/error.rs: -------------------------------------------------------------------------------- 1 | use super::peloader; 2 | use super::peparser; 3 | 4 | #[derive(Debug)] 5 | pub enum Error { 6 | PeParserErr(peparser::error::Error), 7 | PeLoaderErr(peloader::error::Error), 8 | MismatchedArch, 9 | } 10 | 11 | impl std::convert::From for Error { 12 | fn from(err: peloader::error::Error) -> Self { 13 | Error::PeLoaderErr(err) 14 | } 15 | } 16 | 17 | impl std::convert::From for Error { 18 | fn from(err: peparser::error::Error) -> Self { 19 | 
Error::PeParserErr(err) 20 | } 21 | } 22 | 23 | /** Result alias used throughout the public API (`lib.rs` imports it as `error::Result`). NOTE(review): the type arguments are not shown in this listing; expected `<T, Error>` with this module's `Error`. */ pub type Result = std::result::Result; 24 | -------------------------------------------------------------------------------- /src/lib.rs: -------------------------------------------------------------------------------- 1 | /* The crate mirrors Win32/PE spellings (`IMAGE_*` directory indices, `DLL_PROCESS_ATTACH`, CRT parameter names such as `_Argc`), hence the lint exemptions. */ #![allow(non_camel_case_types)] 2 | #![allow(non_snake_case)] 3 | #![allow(overflowing_literals)] 4 | #![allow(non_upper_case_globals)] 5 | 6 | pub mod error; 7 | pub mod peloader; 8 | pub mod peparser; 9 | 10 | use error::Result; 11 | use peloader::{DllLoader, ExeLoader}; 12 | use peparser::PE; 13 | use std::os::raw::c_void; 14 | 15 | #[cfg(feature = "hook")] 16 | pub use peloader::hook; 17 | #[cfg(feature = "hook")] 18 | use peloader::hook::ProcDesc; 19 | #[cfg(feature = "hook")] 20 | use std::collections::HashMap; 21 | 22 | /** Loads the PE image in `bs` into the current process and runs its entry point. The bytes are parsed with [`PE::new`], mapped by [`ExeLoader`] (without hooks when the `hook` feature is enabled) and `invoke_entry_point()` is called; `Ok(())` is returned only if the entry point returns. Errors: parser and loader failures are propagated through `?` into this crate's [`error::Error`]. Safety: whatever code `bs` contains executes with the full privileges of the calling process, and the loader performs raw pointer writes driven by fields of that image, so callers must only pass images they trust and whose architecture matches the running process (the crate defines `Error::MismatchedArch` for that case). */ pub unsafe fn memexec_exe(bs: &[u8]) -> Result<()> { 23 | let pe = PE::new(bs)?; 24 | #[cfg(feature = "hook")] 25 | let loader = ExeLoader::new(&pe, None)?; 26 | #[cfg(not(feature = "hook"))] 27 | let loader = ExeLoader::new(&pe)?; 28 | Ok(loader.invoke_entry_point()) 29 | } 30 | 31 | /** Same as [`memexec_exe`], but import resolution consults `hooks` first: an entry keyed by a [`ProcDesc`] (built from `"dll!name"` or `"dll#ordinal"`, see `peloader::hook`) replaces the address the system loader would otherwise return for that import. Only available with the `hook` feature; the map's value type is not shown in this listing (the commented-out table trait in `hook.rs` uses `*const c_void`). Safety: as for [`memexec_exe`]; in addition each hook value is called by the loaded image as that import, so it must be a function pointer with the import's signature and calling convention. */ #[cfg(feature = "hook")] 32 | pub unsafe fn memexec_exe_with_hooks( 33 | bs: &[u8], 34 | hooks: &HashMap, 35 | ) -> Result<()> { 36 | let pe = PE::new(bs)?; 37 | let loader = ExeLoader::new(&pe, Some(hooks))?; 38 | Ok(loader.invoke_entry_point()) 39 | } 40 | 41 | /** Loads the DLL image in `bs` via [`DllLoader`] and invokes its entry point (the `DllMain` signature lives in `peloader::def`). `hmod`, `reason_for_call` and `lp_reserved` are forwarded unchanged to `invoke_entry_point`, i.e. the caller chooses the module handle and the reason code (`peloader::def::DLL_PROCESS_ATTACH` etc.). Presumably returns the `BOOL` produced by `DllMain` — the result's type argument is not shown here. Safety: as for [`memexec_exe`]. */ pub unsafe fn memexec_dll( 42 | bs: &[u8], 43 | hmod: *const c_void, 44 | reason_for_call: u32, 45 | lp_reserved: *const c_void, 46 | ) -> Result { 47 | let pe = PE::new(bs)?; 48 | #[cfg(feature = "hook")] 49 | let loader = DllLoader::new(&pe, None)?; 50 | #[cfg(not(feature = "hook"))] 51 | let loader = DllLoader::new(&pe)?; 52 | Ok(loader.invoke_entry_point(hmod, reason_for_call, lp_reserved)) 53 | } 54 | 55 | /** [`memexec_dll`] with a hook table; see [`memexec_exe_with_hooks`] for the meaning and safety requirements of `hooks`. */ #[cfg(feature = "hook")] 56 | pub unsafe fn memexec_dll_with_hooks( 57 | bs: &[u8], 58 | hmod: *const c_void, 59 | reason_for_call: u32, 60 | lp_reserved: *const c_void, 61 | hooks: &HashMap, 62 | ) -> Result { 63 | let pe = 
PE::new(bs)?; 64 | let loader = DllLoader::new(&pe, Some(hooks))?; 65 | Ok(loader.invoke_entry_point(hmod, reason_for_call, lp_reserved)) 66 | } 67 | 68 | #[cfg(test)] 69 | mod tests { 70 | use super::*; 71 | use std::fs::File; 72 | use std::io::Read; 73 | 74 | #[test] 75 | #[cfg(not(feature = "hook"))] 76 | fn test_dll() { 77 | let mut buf = Vec::new(); 78 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 79 | File::open("./test.x64.dll") 80 | .unwrap() 81 | .read_to_end(&mut buf) 82 | .unwrap(); 83 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 84 | File::open("./test.x86.dll") 85 | .unwrap() 86 | .read_to_end(&mut buf) 87 | .unwrap(); 88 | 89 | unsafe { 90 | memexec_dll(&buf, 0 as _, peloader::def::DLL_PROCESS_ATTACH, 0 as _).unwrap(); 91 | } 92 | } 93 | 94 | #[test] 95 | #[cfg(not(feature = "hook"))] 96 | fn test_exe() { 97 | let mut buf = Vec::new(); 98 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 99 | File::open("./test.x64.exe") 100 | .unwrap() 101 | .read_to_end(&mut buf) 102 | .unwrap(); 103 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 104 | File::open("./test.x86.exe") 105 | .unwrap() 106 | .read_to_end(&mut buf) 107 | .unwrap(); 108 | 109 | unsafe { 110 | memexec_exe(&buf).unwrap(); 111 | } 112 | } 113 | 114 | #[cfg(feature = "hook")] 115 | use std::mem; 116 | 117 | #[cfg(feature = "hook")] 118 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 119 | extern "cdecl" fn __wgetmainargs( 120 | _Argc: *mut i32, 121 | _Argv: *mut *const *const u16, 122 | _Env: *const c_void, 123 | _DoWildCard: i32, 124 | _StartInfo: *const c_void, 125 | ) -> i32 { 126 | unsafe { 127 | *_Argc = 2; 128 | let a0: Vec<_> = "program_name\0" 129 | .chars() 130 | .map(|c| (c as u16).to_le()) 131 | .collect(); 132 | let a1: Vec<_> = "token::whoami\0" 133 | .chars() 134 | .map(|c| (c as u16).to_le()) 135 | .collect(); 136 | *_Argv = [a0.as_ptr(), a1.as_ptr()].as_ptr(); 137 | 138 | mem::forget(a0); 139 | mem::forget(a1); 140 | } 
141 | 142 | 0 143 | } 144 | 145 | #[test] 146 | #[cfg(feature = "hook")] 147 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 148 | fn hook_x86() { 149 | let mut buf = Vec::new(); 150 | File::open("./test.x86.exe") 151 | .unwrap() 152 | .read_to_end(&mut buf) 153 | .unwrap(); 154 | 155 | let mut hooks = HashMap::new(); 156 | 157 | unsafe { 158 | hooks.insert( 159 | "msvcrt.dll!__wgetmainargs".into(), 160 | mem::transmute:: _, _>(__wgetmainargs), 161 | ); 162 | memexec_exe_with_hooks(&buf, &hooks).unwrap(); 163 | } 164 | } 165 | 166 | #[cfg(feature = "hook")] 167 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 168 | extern "win64" fn __wgetmainargs( 169 | _Argc: *mut i32, 170 | _Argv: *mut *const *const u16, 171 | _Env: *const c_void, 172 | _DoWildCard: i32, 173 | _StartInfo: *const c_void, 174 | ) -> i32 { 175 | unsafe { 176 | *_Argc = 2; 177 | 178 | let a0: Vec<_> = "program_name\0" 179 | .chars() 180 | .map(|c| (c as u16).to_le()) 181 | .collect(); 182 | let a1: Vec<_> = "token::whoami\0" 183 | .chars() 184 | .map(|c| (c as u16).to_le()) 185 | .collect(); 186 | *_Argv = [a0.as_ptr(), a1.as_ptr()].as_ptr(); 187 | 188 | mem::forget(a0); 189 | mem::forget(a1); 190 | } 191 | 192 | 0 193 | } 194 | 195 | #[test] 196 | #[cfg(feature = "hook")] 197 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 198 | fn hook_x64() { 199 | let mut buf = Vec::new(); 200 | File::open("./test.x64.exe") 201 | .unwrap() 202 | .read_to_end(&mut buf) 203 | .unwrap(); 204 | 205 | let mut hooks = HashMap::new(); 206 | 207 | unsafe { 208 | hooks.insert( 209 | "msvcrt.dll!__wgetmainargs".into(), 210 | mem::transmute:: _, _>(__wgetmainargs), 211 | ); 212 | memexec_exe_with_hooks(&buf, &hooks).unwrap(); 213 | } 214 | } 215 | } 216 | -------------------------------------------------------------------------------- /src/peloader/def.rs: -------------------------------------------------------------------------------- 1 | use std::os::raw::{c_char, c_void}; 2 | 3 | 
/* Minimal Win32/NT type aliases used by the loader; crate-private because only `peloader` talks to the OS through them. */ pub(crate) type PVOID = *const c_void; 4 | pub(crate) type HANDLE = PVOID; 5 | pub(crate) type HMODULE = PVOID; 6 | pub(crate) type LPCSTR = *const c_char; 7 | pub(crate) type ULONG = u32; 8 | /* NOTE(review): `PULONG`/`PSIZE_T` are the out-parameter pointers of the Nt* calls (bindings in winapi.rs, not shown here); `*const` hides that the callee writes through them — `*mut` would make the mutation visible at call sites. */ pub(crate) type PULONG = *const ULONG; 9 | pub(crate) type ULONG_PTR = usize; 10 | pub(crate) type PSIZE_T = *const ULONG_PTR; 11 | pub(crate) type NTSTATUS = i32; 12 | /* NOTE(review): Win32 `BOOL` is a 32-bit int, whereas a Rust `bool` must hold exactly 0 or 1. Through the `DllMain` type below, a DllMain that returns any other non-zero value is undefined behaviour on the Rust side; an `i32` alias compared against 0 would be the robust choice. */ pub(crate) type BOOL = bool; 13 | pub(crate) type DWORD = u32; 14 | 15 | /* Allocation-type flags; the values are the Win32 `MEM_COMMIT` / `MEM_RESERVE` constants. */ pub(crate) const MEM_COMMIT: DWORD = 0x00001000; 16 | pub(crate) const MEM_RESERVE: DWORD = 0x00002000; 17 | 18 | /* `ul_reason_for_call` values for `DllMain`, numbered as in <winnt.h>. Public because callers of `memexec_dll` pass them (see the README). */ pub const DLL_PROCESS_ATTACH: DWORD = 1; 19 | pub const DLL_THREAD_ATTACH: DWORD = 2; 20 | pub const DLL_THREAD_DETACH: DWORD = 3; 21 | pub const DLL_PROCESS_DETACH: DWORD = 0; 22 | 23 | /* 24 | BOOL APIENTRY DllMain( 25 | HMODULE hModule, 26 | DWORD ul_reason_for_call, 27 | LPVOID lpReserved 28 | ) 29 | */ 30 | /** Signature of the DLL entry point the loader invokes. `extern "system"` is stdcall on x86 and the native convention on x86-64, matching `APIENTRY`; see the `BOOL` note above for the return type. */ pub type DllMain = extern "system" fn(HMODULE, DWORD, PVOID) -> BOOL; 31 | -------------------------------------------------------------------------------- /src/peloader/error.rs: -------------------------------------------------------------------------------- 1 | /** Failure modes of the in-memory loader. Variant names are part of the public API, so the existing spelling of `LoadLibararyFail` is kept. Where a variant is not self-explanatory the intended trigger is noted inline; anything marked "presumably" is inferred from the name and should be confirmed against the loader. */ #[derive(Debug)] 2 | pub enum Error { 3 | InvalidCString, 4 | LoadLibararyFail, 5 | GetProcAddressFail, 6 | /* The payload is presumably the `NTSTATUS` of the failed call (see `def::NTSTATUS`). */ NtAllocVmErr(i32), 7 | NtProtectVmErr(i32), 8 | /* Raised via the `From<Utf8Error>` impl below when a name read from the image is not UTF-8. */ InvalidUtf8String, 9 | MismatchedArch, 10 | /* Presumably an EXE handed to `DllLoader` or a DLL to `ExeLoader` — confirm. */ MismatchedLoader, 11 | NoEntryPoint, 12 | /* The README lists .NET assemblies as unsupported. */ UnsupportedDotNetExecutable, 13 | /* Raised via the `From<ParseIntError>` impl below. */ InvalidProcDescString, 14 | } 15 | 16 | /** Result alias for the loader; NOTE(review): type arguments not shown in this listing, expected `<T, Error>`. */ pub type Result = std::result::Result; 17 | 18 | /* Source type `std::str::Utf8Error` (the generic argument is not shown here). Lets `CStr::to_str()?` in `resolve_import_symbols` map a malformed DLL or import name to `InvalidUtf8String`. */ impl std::convert::From for Error { 19 | fn from(_: std::str::Utf8Error) -> Self { 20 | Error::InvalidUtf8String 21 | } 22 | } 23 | 24 | /* Source type `std::num::ParseIntError` (the generic argument is not shown here): a non-numeric ordinal in a `"dll#ordinal"` descriptor. */ impl std::convert::From for Error { 25 | fn from(_: std::num::ParseIntError) -> Self { 26 | Error::InvalidProcDescString 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /src/peloader/hook.rs: -------------------------------------------------------------------------------- 1 | #![cfg(feature = "hook")] 2 | 3 | use
std::hash::Hash; 4 | use std::mem; 5 | 6 | /** How an import is identified inside a DLL: by export ordinal or by name. Mirrors the two cases of `IMAGE_THUNK_DATA` that `resolve_import_symbols` (mod.rs) distinguishes with `IMAGE_ORDINAL_FLAG`. */ #[derive(Debug)] 7 | pub enum Thunk<'a> { 8 | Ordinal(isize), 9 | Name(&'a str), 10 | } 11 | 12 | /* Variants of different kinds never compare equal; same-kind variants compare their payload. */ impl<'a> PartialEq for Thunk<'a> { 13 | fn eq(&self, other: &Self) -> bool { 14 | match (self, other) { 15 | (&Thunk::Ordinal(s), &Thunk::Ordinal(o)) => s == o, 16 | (&Thunk::Name(s), &Thunk::Name(o)) => s == o, 17 | _ => false, 18 | } 19 | } 20 | } 21 | 22 | impl<'a> Eq for Thunk<'a> {} 23 | 24 | /* Hashes the discriminant before the payload so `Ordinal(..)` and `Name(..)` cannot collide by payload alone; together with `eq` above this keeps the `Hash`/`Eq` contract a `HashMap` key needs. (The `<H: Hasher>` bound on `hash` is not shown in this listing.) */ impl<'a> Hash for Thunk<'a> { 25 | fn hash(&self, state: &mut H) { 26 | mem::discriminant(self).hash(state); 27 | match *self { 28 | Thunk::Ordinal(o) => o.hash(state), 29 | Thunk::Name(n) => n.hash(state), 30 | }; 31 | } 32 | } 33 | 34 | /** Key of the hook table: a (DLL name, thunk) pair. Built either with [`ProcDesc::new`] or from a `"dll!name"` / `"dll#ordinal"` string through `From<&str>`. The loader builds the key it looks up with the same constructor from the names found in the image's import table, so both sides are normalised identically. */ #[derive(Debug)] 35 | pub struct ProcDesc<'a> { 36 | // Use `String` instead of `&str`, 37 | // because we need a case conversion in `new` function 38 | dll: String, 39 | thunk: Thunk<'a>, 40 | } 41 | 42 | impl<'a> PartialEq for ProcDesc<'a> { 43 | #[inline] 44 | fn eq(&self, other: &Self) -> bool { 45 | self.dll == other.dll && self.thunk == other.thunk 46 | } 47 | } 48 | 49 | impl<'a> Eq for ProcDesc<'a> {} 50 | 51 | /* Hashes exactly the fields `eq` compares, in the same order. */ impl<'a> Hash for ProcDesc<'a> { 52 | fn hash(&self, state: &mut H) { 53 | self.dll.hash(state); 54 | self.thunk.hash(state); 55 | } 56 | } 57 | 58 | impl<'a> ProcDesc<'a> { 59 | /// Dll name is case insensitive 60 | /* Only ASCII case folding is applied and nothing else is normalised: `"kernel32"` and `"kernel32.dll"` are different keys, as are a bare name and a path. */ pub fn new(dll: &str, thunk: Thunk<'a>) -> ProcDesc<'a> { 61 | ProcDesc { 62 | dll: dll.to_ascii_lowercase(), 63 | thunk: thunk, 64 | } 65 | } 66 | } 67 | 68 | // Couldn't implement `FromStr` trait here, 69 | // because the signature of `from_str` doesn't allow an explicit lifetime hint 70 | /* Parses `"dll!proc"` (import by name) or `"dll#123"` (import by ordinal); `'!'` is looked for first. NOTE(review): a string matching neither form, or an ordinal that fails to parse, does not fail — see the fallback arms further down — so a mistyped hook key is silently accepted and simply never matches any import. A `TryFrom` returning `Error::InvalidProcDescString` would surface that at insertion time. */ impl<'a> From<&'a str> for ProcDesc<'a> { 71 | fn from(s: &'a str) -> Self { 72 | match s.find('!') { 73 | Some(i) => { 74 | let (dll, proc_name) = s.split_at(i); 75 | ProcDesc::new(dll, Thunk::Name(&proc_name[1..])) 76 | } 77 | None => match s.find('#') { 78 | Some(i) => { 79 | let (dll, proc_ord) = s.split_at(i); 80 | ProcDesc::new(dll, 
Thunk::Ordinal(proc_ord[1..].parse().unwrap_or(0))) 81 | } 82 | // Failure case 83 | None => ProcDesc { 84 | dll: String::new(), 85 | thunk: Thunk::Ordinal(0), 86 | }, 87 | }, 88 | } 89 | } 90 | } 91 | 92 | /* 93 | use std::collections::HashMap; 94 | use std::os::raw::c_void; 95 | 96 | trait ProcDescTbl<'a> { 97 | fn get(&self, proc_desc: &'a ProcDesc) -> Option<&*const c_void>; 98 | } 99 | 100 | impl<'a> ProcDescTbl<'a> for HashMap, *const c_void> { 101 | fn get(&self, proc_desc: &'a ProcDesc) -> Option<&*const c_void> { 102 | self.get(proc_desc) 103 | } 104 | } 105 | */ 106 | 107 | /* 108 | // Implement FNV-1a hash 109 | #[derive(Debug, Hash)] 110 | pub struct ProcHash(u64, u64); 111 | 112 | impl PartialEq for ProcHash { 113 | #[inline] 114 | fn eq(&self, other: &Self) -> bool { 115 | self.0 == other.0 && self.1 == other.1 116 | } 117 | } 118 | 119 | impl Eq for ProcHash {} 120 | 121 | impl ProcHash { 122 | /// Dll name is case insensitive 123 | /// ProcHash::new("kernel32.dll", Thunk::Name("CreateProcessW")) 124 | pub fn new(dll: &str, thunk: Thunk) -> ProcHash { 125 | // The hash of DLL and thunk is calculated and saved separately, 126 | // in order to reduce the collision probability 127 | let mut h1: u64 = 0xcbf29ce484222325; 128 | 129 | for c in dll.chars() { 130 | h1 ^= c.to_ascii_lowercase() as u64; 131 | h1 = h1.wrapping_mul(0x100000001b3); 132 | } 133 | 134 | let mut h2: u64 = 0xcbf29ce484222325; 135 | match thunk { 136 | Thunk::Ordinal(ord) => { 137 | // # 138 | h2 ^= 0x23; 139 | h2 = h2.wrapping_mul(0x100000001b3); 140 | h2 ^= ord as u64; 141 | h2 = h2.wrapping_mul(0x100000001b3); 142 | } 143 | Thunk::Name(name) => { 144 | // ! 
145 | h2 ^= 0x21; 146 | h2 = h2.wrapping_mul(0x100000001b3); 147 | for c in name.chars() { 148 | h2 ^= c as u64; 149 | h2 = h2.wrapping_mul(0x100000001b3); 150 | } 151 | } 152 | } 153 | 154 | ProcHash(h1, h2) 155 | } 156 | } 157 | */ 158 | -------------------------------------------------------------------------------- /src/peloader/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod def; 2 | pub mod error; 3 | pub mod winapi; 4 | 5 | use crate::peparser::def::*; 6 | use crate::peparser::PE; 7 | use def::{DllMain, DLL_PROCESS_ATTACH, MEM_COMMIT, MEM_RESERVE}; 8 | use error::{Error, Result}; 9 | use std::ffi::CStr; 10 | use std::mem; 11 | use std::os::raw::c_void; 12 | use std::ptr; 13 | 14 | #[cfg(feature = "hook")] 15 | use hook::{ProcDesc, Thunk}; 16 | #[cfg(feature = "hook")] 17 | use std::collections::HashMap; 18 | #[cfg(feature = "hook")] 19 | pub mod hook; 20 | 21 | /** Applies the base-relocation directory of `pe` to the copy mapped at `base_addr`: every entry of type `IMAGE_REL_BASED` is adjusted by the delta between the mapped base and the preferred `ImageBase`. Nothing is done when the image landed at its preferred base or has no relocation directory. Safety: `base_addr` must point at a fully mapped, writable copy of `pe`; every offset used below is taken verbatim from the image. */ unsafe fn patch_reloc_table(pe: &PE, base_addr: *const c_void) -> Result<()> { 22 | let reloc_entry = &pe.pe_header.nt_header.get_data_directory()[IMAGE_DIRECTORY_ENTRY_BASERELOC]; 23 | let image_base_offset = base_addr as isize - pe.pe_header.nt_header.get_image_base() as isize; 24 | 25 | if image_base_offset != 0 && reloc_entry.VirtualAddress != 0 && reloc_entry.Size != 0 { 26 | let mut reloc_table_ptr = 27 | base_addr.offset(reloc_entry.VirtualAddress as isize) as *const u8; 28 | 29 | /* NOTE(review): the walk is bounded only by the all-zero terminator block checked below, never by `reloc_entry.Size`. A block with `SizeOfBlock == 0` but a non-zero `VirtualAddress` does not advance `reloc_table_ptr` (see the `offset` at the end of the loop) and spins forever, and an oversized `SizeOfBlock` reads past the directory; accumulating the bytes consumed and stopping at `reloc_entry.Size` would bound both. */ loop { 30 | let reloc_block = 31 | &*mem::transmute::<*const u8, *const IMAGE_BASE_RELOCATION>(reloc_table_ptr); 32 | if reloc_block.SizeOfBlock == 0 && reloc_block.VirtualAddress == 0 { 33 | break; 34 | } 35 | 36 | /* 8 = sizeof(IMAGE_BASE_RELOCATION) (VirtualAddress + SizeOfBlock); the rest of the block is u16 entries of 4-bit type and 12-bit page offset. */ for i in 0..(reloc_block.SizeOfBlock as isize - 8) / 2 { 37 | let item = *(reloc_table_ptr.offset(8 + i * 2) as *const u16); 38 | /* Only one relocation type is applied (the constant comes from `peparser::def`; presumably HIGHLOW on x86 and DIR64 on x86-64, hence the pointer-sized `isize` patch). Zero-type padding entries and any other type are skipped silently. */ if (item >> 12) == IMAGE_REL_BASED { 39 | /* NOTE(review): `VirtualAddress + offset` is not checked against the mapped image size, so a crafted entry writes outside the image; `+` on `isize` also panics on overflow in debug builds where `wrapping_add` would express the intended adjustment. */ let patch_addr = base_addr 40 | .offset(reloc_block.VirtualAddress as isize + (item & 0xfff) as isize) 41 | as *mut isize; 42 | *patch_addr = *patch_addr + image_base_offset; 43 | } 44 
| } 45 | 46 | reloc_table_ptr = reloc_table_ptr.offset(reloc_block.SizeOfBlock as isize); 47 | } 48 | } 49 | Ok(()) 50 | } 51 | 52 | /** Fills the import address table of the image mapped at `base_addr`: for each `IMAGE_IMPORT_DESCRIPTOR` the named DLL is loaded through `winapi::load_library`, then each thunk is resolved by ordinal or by name — consulting `hooks` first when the `hook` feature is on. The descriptor list ends at an all-zero descriptor. Safety: same mapping requirements as `patch_reloc_table`; DLL names and import names are read from the image itself and handed to the system loader unchanged. */ unsafe fn resolve_import_symbols( 53 | pe: &PE, 54 | base_addr: *const c_void, 55 | #[cfg(feature = "hook")] hooks: Option<&HashMap>, 56 | ) -> Result<()> { 57 | let import_entry = &pe.pe_header.nt_header.get_data_directory()[IMAGE_DIRECTORY_ENTRY_IMPORT]; 58 | if import_entry.Size != 0 && import_entry.VirtualAddress != 0 { 59 | let mut import_desc_ptr = base_addr.offset(import_entry.VirtualAddress as isize) 60 | as *const IMAGE_IMPORT_DESCRIPTOR; 61 | loop { 62 | let import_desc = &*import_desc_ptr; 63 | /* Terminator: a descriptor with every field zero. NOTE(review): like the relocation walk, this is not bounded by `import_entry.Size`. */ if 0 == import_desc.Name 64 | && 0 == import_desc.FirstThunk 65 | && 0 == import_desc.OriginalFirstThunk 66 | && 0 == import_desc.TimeDateStamp 67 | && 0 == import_desc.ForwarderChain 68 | { 69 | break; 70 | } 71 | 72 | /* `?` maps a non-UTF-8 name to `Error::InvalidUtf8String`. */ let dll_name = CStr::from_ptr(base_addr.offset(import_desc.Name as isize) as *const i8) 73 | .to_str()?; 74 | // TODO: implement loading module by calling self recursively 75 | /* Delegates to the system loader for now (see the README TODO about loading recursively); the OS search rules therefore decide what a bare name resolves to. */ let hmod = winapi::load_library(&dll_name)?; 76 | 77 | // Whether the ILT (called INT in IDA) exists? 
(some linkers didn't generate the ILT) 78 | let (mut iat_ptr, mut ilt_ptr) = if import_desc.OriginalFirstThunk != 0 { 79 | ( 80 | base_addr.offset(import_desc.FirstThunk as isize) as *mut IMAGE_THUNK_DATA, 81 | base_addr.offset(import_desc.OriginalFirstThunk as isize) 82 | as *const IMAGE_THUNK_DATA, 83 | ) 84 | } else { 85 | ( 86 | base_addr.offset(import_desc.FirstThunk as isize) as *mut IMAGE_THUNK_DATA, 87 | base_addr.offset(import_desc.FirstThunk as isize) as *const IMAGE_THUNK_DATA, 88 | ) 89 | }; 90 | 91 | loop { 92 | let thunk_data = *ilt_ptr as isize; 93 | if thunk_data == 0 { 94 | break; 95 | } 96 | 97 | if thunk_data & IMAGE_ORDINAL_FLAG != 0 { 98 | // Import by ordinal number 99 | 100 | #[cfg(not(feature = "hook"))] 101 | let proc_addr = winapi::get_proc_address_by_ordinal(hmod, thunk_data & 0xffff)?; 102 | #[cfg(feature = "hook")] 103 | let proc_addr = match hooks { 104 | Some(hooks) => { 105 | match hooks.get(&ProcDesc::new( 106 | dll_name, 107 | Thunk::Ordinal(thunk_data & 0xffff), 108 | )) { 109 | Some(addr) => *addr, 110 | None => { 111 | winapi::get_proc_address_by_ordinal(hmod, thunk_data & 0xffff)? 
112 | } 113 | } 114 | } 115 | None => winapi::get_proc_address_by_ordinal(hmod, thunk_data & 0xffff)?, 116 | }; 117 | 118 | // rust-lang/rust/issues/15701 119 | *iat_ptr = proc_addr as IMAGE_THUNK_DATA; 120 | } else { 121 | // TODO: implement resolving proc address by `IMAGE_IMPORT_BY_NAME.Hint` 122 | let hint_name_table = &*mem::transmute::< 123 | *const c_void, 124 | *const IMAGE_IMPORT_BY_NAME, 125 | >(base_addr.offset(thunk_data)); 126 | if 0 == hint_name_table.Name { 127 | break; 128 | } 129 | 130 | #[cfg(not(feature = "hook"))] 131 | let proc_addr = winapi::get_proc_address_by_name( 132 | hmod, 133 | CStr::from_ptr(&hint_name_table.Name as _).to_str()?, 134 | )?; 135 | #[cfg(feature = "hook")] 136 | let proc_addr = match hooks { 137 | Some(hooks) => match hooks.get(&ProcDesc::new( 138 | dll_name, 139 | Thunk::Name(CStr::from_ptr(&hint_name_table.Name as _).to_str()?), 140 | )) { 141 | Some(addr) => *addr, 142 | None => winapi::get_proc_address_by_name( 143 | hmod, 144 | CStr::from_ptr(&hint_name_table.Name as _).to_str()?, 145 | )?, 146 | }, 147 | None => winapi::get_proc_address_by_name( 148 | hmod, 149 | CStr::from_ptr(&hint_name_table.Name as _).to_str()?, 150 | )?, 151 | }; 152 | 153 | *iat_ptr = proc_addr as IMAGE_THUNK_DATA; 154 | } 155 | 156 | iat_ptr = iat_ptr.offset(1); 157 | ilt_ptr = ilt_ptr.offset(1); 158 | } 159 | 160 | import_desc_ptr = import_desc_ptr.offset(1); 161 | } 162 | } 163 | Ok(()) 164 | } 165 | 166 | unsafe fn call_tls_callback(pe: &PE, base_addr: *const c_void) -> Result<()> { 167 | let tls_entry = &pe.pe_header.nt_header.get_data_directory()[IMAGE_DIRECTORY_ENTRY_TLS]; 168 | if tls_entry.Size != 0 && tls_entry.VirtualAddress != 0 { 169 | let tls = &*mem::transmute::<*const c_void, *const IMAGE_TLS_DIRECTORY>( 170 | base_addr.offset(tls_entry.VirtualAddress as isize), 171 | ); 172 | let mut tls_callback_addr = tls.AddressOfCallBacks as *const *const c_void; 173 | 174 | loop { 175 | if *tls_callback_addr == 0 as _ { 176 | break; 177 | 
} 178 | 179 | mem::transmute::<*const c_void, PIMAGE_TLS_CALLBACK>(*tls_callback_addr)( 180 | base_addr, 181 | DLL_PROCESS_ATTACH, 182 | 0 as _, 183 | ); 184 | tls_callback_addr = tls_callback_addr.offset(1); 185 | } 186 | } 187 | Ok(()) 188 | } 189 | 190 | unsafe fn load_pe_into_mem( 191 | pe: &PE, 192 | #[cfg(feature = "hook")] hooks: Option<&HashMap>, 193 | ) -> Result<*const c_void> { 194 | // Step1: allocate memory for image 195 | let mut base_addr = pe.pe_header.nt_header.get_image_base(); 196 | let size = pe.pe_header.nt_header.get_size_of_image(); 197 | 198 | // ASLR 199 | if winapi::nt_alloc_vm( 200 | &base_addr as _, 201 | &size as _, 202 | MEM_RESERVE | MEM_COMMIT, 203 | PAGE_READWRITE, 204 | ) 205 | .is_err() 206 | { 207 | base_addr = 0 as *const c_void; 208 | winapi::nt_alloc_vm( 209 | &base_addr as _, 210 | &size as _, 211 | MEM_RESERVE | MEM_COMMIT, 212 | PAGE_READWRITE, 213 | )?; 214 | } 215 | 216 | // Step2: copy sections 217 | for section in pe.section_area.section_table { 218 | ptr::copy_nonoverlapping( 219 | pe.raw.as_ptr().offset(section.PointerToRawData as isize), 220 | base_addr.offset(section.VirtualAddress as isize) as *mut u8, 221 | section.SizeOfRawData as usize, 222 | ); 223 | } 224 | 225 | // Step3: handle base relocataion table 226 | patch_reloc_table(pe, base_addr)?; 227 | 228 | // Step4: resolve import symbols 229 | #[cfg(feature = "hook")] 230 | resolve_import_symbols(pe, base_addr, hooks)?; 231 | #[cfg(not(feature = "hook"))] 232 | resolve_import_symbols(pe, base_addr)?; 233 | 234 | // Step5: restore sections' protection 235 | for section in pe.section_area.section_table { 236 | let size = section.SizeOfRawData as usize; 237 | if size == 0 { 238 | continue; 239 | } 240 | 241 | winapi::nt_protect_vm( 242 | &(base_addr.offset(section.VirtualAddress as isize)) as _, 243 | &size as _, 244 | section.get_protection(), 245 | )?; 246 | } 247 | 248 | // Step6: call TLS callback 249 | call_tls_callback(pe, base_addr)?; 250 | 251 | 
Ok(base_addr) 252 | } 253 | 254 | fn check_platform(pe: &PE) -> Result<()> { 255 | if (mem::size_of::() == 4 && pe.is_x86()) 256 | || (mem::size_of::() == 8 && pe.is_x64()) 257 | { 258 | Ok(()) 259 | } else { 260 | Err(Error::MismatchedArch) 261 | } 262 | } 263 | 264 | pub struct ExeLoader { 265 | entry_point_va: *const c_void, 266 | } 267 | 268 | impl ExeLoader { 269 | pub unsafe fn new( 270 | pe: &PE, 271 | #[cfg(feature = "hook")] hooks: Option<&HashMap>, 272 | ) -> Result { 273 | check_platform(pe)?; 274 | if pe.is_dll() { 275 | return Err(Error::MismatchedLoader); 276 | } 277 | 278 | if pe.is_dot_net() { 279 | return Err(Error::UnsupportedDotNetExecutable); 280 | } 281 | 282 | let entry_point = pe.pe_header.nt_header.get_address_of_entry_point(); 283 | if entry_point == 0 { 284 | Err(Error::NoEntryPoint) 285 | } else { 286 | #[cfg(feature = "hook")] 287 | let entry_point_va = load_pe_into_mem(pe, hooks)?.offset(entry_point); 288 | #[cfg(not(feature = "hook"))] 289 | let entry_point_va = load_pe_into_mem(pe)?.offset(entry_point); 290 | Ok(ExeLoader { 291 | entry_point_va: entry_point_va, 292 | }) 293 | } 294 | } 295 | 296 | pub unsafe fn invoke_entry_point(&self) { 297 | mem::transmute::<*const c_void, extern "system" fn()>(self.entry_point_va)() 298 | } 299 | } 300 | 301 | pub struct DllLoader { 302 | entry_point_va: *const c_void, 303 | } 304 | 305 | impl DllLoader { 306 | pub unsafe fn new( 307 | pe: &PE, 308 | #[cfg(feature = "hook")] hooks: Option<&HashMap>, 309 | ) -> Result { 310 | check_platform(pe)?; 311 | if !pe.is_dll() { 312 | return Err(Error::MismatchedLoader); 313 | } 314 | 315 | if pe.is_dot_net() { 316 | return Err(Error::UnsupportedDotNetExecutable); 317 | } 318 | 319 | let entry_point = pe.pe_header.nt_header.get_address_of_entry_point(); 320 | if entry_point == 0 { 321 | Err(Error::NoEntryPoint) 322 | } else { 323 | #[cfg(feature = "hook")] 324 | let entry_point_va = load_pe_into_mem(pe, hooks)?.offset(entry_point); 325 | #[cfg(not(feature = 
"hook"))] 326 | let entry_point_va = load_pe_into_mem(pe)?.offset(entry_point); 327 | Ok(DllLoader { 328 | entry_point_va: entry_point_va, 329 | }) 330 | } 331 | } 332 | 333 | pub unsafe fn invoke_entry_point( 334 | &self, 335 | hmod: *const c_void, 336 | reason_for_call: u32, 337 | lp_reserved: *const c_void, 338 | ) -> bool { 339 | mem::transmute::<*const c_void, DllMain>(self.entry_point_va)( 340 | hmod, 341 | reason_for_call, 342 | lp_reserved, 343 | ) 344 | } 345 | } 346 | -------------------------------------------------------------------------------- /src/peloader/winapi.rs: -------------------------------------------------------------------------------- 1 | use super::def::*; 2 | use super::error::{Error, Result}; 3 | use std::ffi::CString; 4 | use std::mem; 5 | use std::os::raw::c_char; 6 | 7 | extern "system" { 8 | fn LoadLibraryA(lpLibFileName: LPCSTR) -> HMODULE; 9 | fn GetProcAddress(hModule: HMODULE, lpProcName: LPCSTR) -> PVOID; 10 | fn GetCurrentProcess() -> HANDLE; 11 | } 12 | 13 | pub fn load_library(lib: &str) -> Result { 14 | if let Ok(lib) = CString::new(lib) { 15 | let hmod = unsafe { LoadLibraryA(lib.as_ptr()) }; 16 | if hmod == 0 as HMODULE { 17 | Err(Error::LoadLibararyFail) 18 | } else { 19 | Ok(hmod) 20 | } 21 | } else { 22 | Err(Error::InvalidCString) 23 | } 24 | } 25 | 26 | pub fn get_proc_address_by_name(hmod: HMODULE, proc_name: &str) -> Result { 27 | if let Ok(proc_name) = CString::new(proc_name) { 28 | let proc = unsafe { GetProcAddress(hmod, proc_name.as_ptr()) }; 29 | if proc == 0 as PVOID { 30 | Err(Error::GetProcAddressFail) 31 | } else { 32 | Ok(proc) 33 | } 34 | } else { 35 | Err(Error::InvalidCString) 36 | } 37 | } 38 | 39 | pub fn get_proc_address_by_ordinal(hmod: HMODULE, proc_ordinal: isize) -> Result { 40 | let proc = unsafe { GetProcAddress(hmod, proc_ordinal as *const c_char) }; 41 | if proc == 0 as PVOID { 42 | Err(Error::GetProcAddressFail) 43 | } else { 44 | Ok(proc) 45 | } 46 | } 47 | 48 | // raw pointer doesn't 
implement `Sync` trait 49 | static mut p_nt_alloc_vm: usize = 0_usize; 50 | static mut p_nt_protect_vm: usize = 0_usize; 51 | 52 | /* 53 | #[link(name = "ntdll")] 54 | extern "system" { 55 | fn NtAllocateVirtualMemory( 56 | ProcessHandle: HANDLE, 57 | BaseAddress: *const PVOID, 58 | ZeroBits: ULONG_PTR, 59 | RegionSize: PSIZE_T, 60 | AllocationType: ULONG, 61 | Protect: ULONG, 62 | ) -> NTSTATUS; 63 | } 64 | */ 65 | // bypass possible hooks 66 | pub unsafe fn nt_alloc_vm( 67 | base_addr: *const PVOID, 68 | size: PSIZE_T, 69 | allocation_typ: ULONG, 70 | protect: ULONG, 71 | ) -> Result<()> { 72 | if p_nt_alloc_vm == 0 as _ { 73 | p_nt_alloc_vm = 74 | get_proc_address_by_name(load_library("ntdll.dll")?, "NtAllocateVirtualMemory")? as _; 75 | }; 76 | 77 | let ret = mem::transmute::< 78 | usize, 79 | unsafe extern "system" fn( 80 | HANDLE, 81 | *const PVOID, 82 | ULONG_PTR, 83 | PSIZE_T, 84 | ULONG, 85 | ULONG, 86 | ) -> NTSTATUS, 87 | >(p_nt_alloc_vm)( 88 | GetCurrentProcess(), 89 | base_addr, 90 | 0, 91 | size, 92 | allocation_typ, 93 | protect, 94 | ); 95 | 96 | if 0 == ret { 97 | Ok(()) 98 | } else { 99 | Err(Error::NtAllocVmErr(ret)) 100 | } 101 | } 102 | 103 | /* 104 | #[link(name = "ntdll")] 105 | extern "system" { 106 | fn NtProtectVirtualMemory( 107 | ProcessHandle: HANDLE, 108 | BaseAddress: *const PVOID, 109 | RegionSize: PSIZE_T, 110 | NewProtect: ULONG, 111 | OldProtect: PULONG, 112 | ) -> NTSTATUS; 113 | } 114 | */ 115 | pub unsafe fn nt_protect_vm( 116 | base_addr: *const PVOID, 117 | size: PSIZE_T, 118 | new_protect: ULONG, 119 | ) -> Result<()> { 120 | if p_nt_protect_vm == 0 as _ { 121 | p_nt_protect_vm = 122 | get_proc_address_by_name(load_library("ntdll.dll")?, "NtProtectVirtualMemory")? 
as _; 123 | }; 124 | 125 | let old_protect: ULONG = 0; 126 | let ret = mem::transmute::< 127 | usize, 128 | unsafe extern "system" fn(HANDLE, *const PVOID, PSIZE_T, ULONG, PULONG) -> NTSTATUS, 129 | >(p_nt_protect_vm)( 130 | GetCurrentProcess(), 131 | base_addr, 132 | size, 133 | new_protect, 134 | &old_protect as PULONG, 135 | ); 136 | 137 | if 0 == ret { 138 | Ok(()) 139 | } else { 140 | Err(Error::NtProtectVmErr(ret)) 141 | } 142 | } 143 | -------------------------------------------------------------------------------- /src/peparser/check.rs: -------------------------------------------------------------------------------- 1 | use super::def::*; 2 | use super::error::{Error, Result}; 3 | use super::header::ImageNtHeaders; 4 | 5 | impl IMAGE_DOS_HEADER { 6 | pub(crate) fn is_valid(&self) -> Result<()> { 7 | if self.e_magic != IMAGE_DOS_SIGNATURE { 8 | return Err(Error::InvalidDosSignature); 9 | } 10 | 11 | if self.e_lfanew == 0 { 12 | return Err(Error::InvalidNtHeaderOffset); 13 | } 14 | 15 | Ok(()) 16 | } 17 | } 18 | 19 | impl<'a> ImageNtHeaders<'a> { 20 | pub(crate) fn is_valid(&self) -> Result<()> { 21 | match *self { 22 | ImageNtHeaders::x86(h) => { 23 | if h.Signature != IMAGE_NT_SIGNATURE { 24 | return Err(Error::InvalidNtSignature); 25 | }; 26 | 27 | if h.FileHeader.Machine != IMAGE_FILE_MACHINE_I386 { 28 | return Err(Error::UnsupportedMachine); 29 | } 30 | 31 | // 32-bit .NET assembly may not set IMAGE_FILE_32BIT_MACHINE 32 | if h.FileHeader.Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE == 0 33 | // || h.FileHeader.Characteristics & IMAGE_FILE_32BIT_MACHINE == 0 34 | { 35 | return Err(Error::InvalidFileHeaderCharacteristics); 36 | } 37 | } 38 | ImageNtHeaders::x64(h) => { 39 | if h.Signature != IMAGE_NT_SIGNATURE { 40 | return Err(Error::InvalidNtSignature); 41 | }; 42 | 43 | if h.FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64 { 44 | return Err(Error::UnsupportedMachine); 45 | } 46 | 47 | if h.FileHeader.Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE == 0 
48 | // || h.FileHeader.Characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE == 0 49 | { 50 | return Err(Error::InvalidFileHeaderCharacteristics); 51 | } 52 | } 53 | }; 54 | 55 | Ok(()) 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/peparser/def.rs: -------------------------------------------------------------------------------- 1 | use std::os::raw::c_void; 2 | 3 | pub(crate) type WORD = u16; 4 | pub(crate) type LONG = i32; 5 | pub(crate) type DWORD = u32; 6 | pub(crate) type BYTE = u8; 7 | pub(crate) type ULONGLONG = u64; 8 | pub(crate) type CHAR = i8; 9 | pub(crate) type PVOID = *const c_void; 10 | 11 | pub(crate) const IMAGE_DOS_SIGNATURE: WORD = 0x5a4d; 12 | pub(crate) const IMAGE_NT_SIGNATURE: DWORD = 0x00004550; 13 | 14 | pub(crate) const IMAGE_FILE_EXECUTABLE_IMAGE: WORD = 0x0002; // File is executable (i.e. no unresolved external references). 15 | #[allow(dead_code)] 16 | pub(crate) const IMAGE_FILE_LARGE_ADDRESS_AWARE: WORD = 0x0020; // App can handle >2gb addresses 17 | #[allow(dead_code)] 18 | pub(crate) const IMAGE_FILE_32BIT_MACHINE: WORD = 0x0100; // 32 bit word machine. 19 | pub(crate) const IMAGE_FILE_DLL: WORD = 0x2000; // File is a DLL. 
20 | 21 | pub(crate) const IMAGE_FILE_MACHINE_I386: WORD = 0x014c; 22 | pub(crate) const IMAGE_FILE_MACHINE_AMD64: WORD = 0x8664; 23 | 24 | pub(crate) const IMAGE_NT_OPTIONAL_HDR32_MAGIC: WORD = 0x10b; 25 | pub(crate) const IMAGE_NT_OPTIONAL_HDR64_MAGIC: WORD = 0x20b; 26 | 27 | pub const PAGE_NOACCESS: DWORD = 0x01; 28 | pub const PAGE_READONLY: DWORD = 0x02; 29 | pub const PAGE_READWRITE: DWORD = 0x04; 30 | pub const PAGE_EXECUTE: DWORD = 0x10; 31 | pub const PAGE_EXECUTE_READ: DWORD = 0x20; 32 | pub const PAGE_EXECUTE_READWRITE: DWORD = 0x40; 33 | 34 | pub const IMAGE_SCN_MEM_EXECUTE: DWORD = 0x20000000; 35 | pub const IMAGE_SCN_MEM_READ: DWORD = 0x40000000; 36 | pub const IMAGE_SCN_MEM_WRITE: DWORD = 0x80000000; 37 | 38 | pub(crate) const IMAGE_SIZEOF_SHORT_NAME: usize = 8; 39 | 40 | pub(crate) const IMAGE_NUMBEROF_DIRECTORY_ENTRIES: usize = 16; 41 | 42 | pub const IMAGE_DIRECTORY_ENTRY_EXPORT: usize = 0; // Export Directory 43 | pub const IMAGE_DIRECTORY_ENTRY_IMPORT: usize = 1; // Import Directory 44 | pub const IMAGE_DIRECTORY_ENTRY_RESOURCE: usize = 2; // Resource Directory 45 | pub const IMAGE_DIRECTORY_ENTRY_EXCEPTION: usize = 3; // Exception Directory 46 | pub const IMAGE_DIRECTORY_ENTRY_SECURITY: usize = 4; // Security Directory 47 | pub const IMAGE_DIRECTORY_ENTRY_BASERELOC: usize = 5; // Base Relocation Table 48 | pub const IMAGE_DIRECTORY_ENTRY_DEBUG: usize = 6; // Debug Directory 49 | pub const IMAGE_DIRECTORY_ENTRY_ARCHITECTURE: usize = 7; // Architecture Specific Data 50 | pub const IMAGE_DIRECTORY_ENTRY_GLOBALPTR: usize = 8; // RVA of GP 51 | pub const IMAGE_DIRECTORY_ENTRY_TLS: usize = 9; // TLS Directory 52 | pub const IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: usize = 10; // Load Configuration Directory 53 | pub const IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: usize = 11; // Bound Import Directory in headers 54 | pub const IMAGE_DIRECTORY_ENTRY_IAT: usize = 12; // Import Address Table 55 | pub const IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: usize = 13; // Delay 
Load Import Descriptors 56 | pub const IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: usize = 14; // COM Runtime descriptor 57 | 58 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 59 | pub(crate) const IMAGE_REL_BASED_DIR64: WORD = 10; 60 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 61 | pub(crate) const IMAGE_REL_BASED_HIGHLOW: WORD = 3; 62 | 63 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 64 | pub(crate) const IMAGE_REL_BASED: WORD = IMAGE_REL_BASED_DIR64; 65 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 66 | pub(crate) const IMAGE_REL_BASED: WORD = IMAGE_REL_BASED_HIGHLOW; 67 | 68 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 69 | pub(crate) const IMAGE_ORDINAL_FLAG64: isize = 0x8000000000000000; 70 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 71 | pub(crate) const IMAGE_ORDINAL_FLAG32: isize = 0x80000000; 72 | 73 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 74 | pub(crate) const IMAGE_ORDINAL_FLAG: isize = IMAGE_ORDINAL_FLAG64; 75 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 76 | pub(crate) const IMAGE_ORDINAL_FLAG: isize = IMAGE_ORDINAL_FLAG32; 77 | 78 | macro_rules! 
struct_wrapper { 79 | (struct $name:ident { 80 | $($field:ident: $t:ty,)* 81 | }) => { 82 | #[repr(C)] 83 | #[derive(Debug)] 84 | pub struct $name { 85 | $(pub $field: $t),* 86 | } 87 | } 88 | } 89 | 90 | struct_wrapper!( 91 | struct IMAGE_DOS_HEADER { 92 | // DOS .EXE header 93 | e_magic: WORD, // Magic number 94 | e_cblp: WORD, // Bytes on last page of file 95 | e_cp: WORD, // Pages in file 96 | e_crlc: WORD, // Relocations 97 | e_cparhdr: WORD, // Size of header in paragraphs 98 | e_minalloc: WORD, // Minimum extra paragraphs needed 99 | e_maxalloc: WORD, // Maximum extra paragraphs needed 100 | e_ss: WORD, // Initial (relative) SS value 101 | e_sp: WORD, // Initial SP value 102 | e_csum: WORD, // Checksum 103 | e_ip: WORD, // Initial IP value 104 | e_cs: WORD, // Initial (relative) CS value 105 | e_lfarlc: WORD, // File address of relocation table 106 | e_ovno: WORD, // Overlay number 107 | e_res: [WORD; 4], // Reserved words 108 | e_oemid: WORD, // OEM identifier (for e_oeminfo) 109 | e_oeminfo: WORD, // OEM information; e_oemid specific 110 | e_res2: [WORD; 10], // Reserved words 111 | e_lfanew: LONG, // File address of new exe header 112 | } 113 | ); 114 | 115 | struct_wrapper!( 116 | struct IMAGE_FILE_HEADER { 117 | Machine: WORD, 118 | NumberOfSections: WORD, 119 | TimeDateStamp: DWORD, 120 | PointerToSymbolTable: DWORD, 121 | NumberOfSymbols: DWORD, 122 | SizeOfOptionalHeader: WORD, 123 | Characteristics: WORD, 124 | } 125 | ); 126 | 127 | /* 128 | ImageBase 129 | 130 | EXE 131 | 32-bit 0x400000 132 | 64-bit 0x140000000 133 | 134 | DLL 135 | 32-bit 0x10000000 136 | 64-bit 0x180000000 137 | */ 138 | 139 | struct_wrapper!( 140 | struct IMAGE_OPTIONAL_HEADER32 { 141 | Magic: WORD, 142 | MajorLinkerVersion: BYTE, 143 | MinorLinkerVersion: BYTE, 144 | SizeOfCode: DWORD, 145 | SizeOfInitializedData: DWORD, 146 | SizeOfUninitializedData: DWORD, 147 | AddressOfEntryPoint: DWORD, 148 | BaseOfCode: DWORD, 149 | BaseOfData: DWORD, 150 | ImageBase: DWORD, 151 | 
SectionAlignment: DWORD, 152 | FileAlignment: DWORD, 153 | MajorOperatingSystemVersion: WORD, 154 | MinorOperatingSystemVersion: WORD, 155 | MajorImageVersion: WORD, 156 | MinorImageVersion: WORD, 157 | MajorSubsystemVersion: WORD, 158 | MinorSubsystemVersion: WORD, 159 | Win32VersionValue: DWORD, 160 | SizeOfImage: DWORD, 161 | SizeOfHeaders: DWORD, 162 | CheckSum: DWORD, 163 | Subsystem: WORD, 164 | DllCharacteristics: WORD, 165 | SizeOfStackReserve: DWORD, 166 | SizeOfStackCommit: DWORD, 167 | SizeOfHeapReserve: DWORD, 168 | SizeOfHeapCommit: DWORD, 169 | LoaderFlags: DWORD, 170 | NumberOfRvaAndSizes: DWORD, 171 | DataDirectory: [IMAGE_DATA_DIRECTORY; IMAGE_NUMBEROF_DIRECTORY_ENTRIES], 172 | } 173 | ); 174 | 175 | struct_wrapper!( 176 | struct IMAGE_NT_HEADERS32 { 177 | Signature: DWORD, 178 | FileHeader: IMAGE_FILE_HEADER, 179 | OptionalHeader: IMAGE_OPTIONAL_HEADER32, 180 | } 181 | ); 182 | 183 | struct_wrapper!( 184 | struct IMAGE_OPTIONAL_HEADER64 { 185 | Magic: WORD, 186 | MajorLinkerVersion: BYTE, 187 | MinorLinkerVersion: BYTE, 188 | SizeOfCode: DWORD, 189 | SizeOfInitializedData: DWORD, 190 | SizeOfUninitializedData: DWORD, 191 | AddressOfEntryPoint: DWORD, 192 | BaseOfCode: DWORD, 193 | ImageBase: ULONGLONG, 194 | SectionAlignment: DWORD, 195 | FileAlignment: DWORD, 196 | MajorOperatingSystemVersion: WORD, 197 | MinorOperatingSystemVersion: WORD, 198 | MajorImageVersion: WORD, 199 | MinorImageVersion: WORD, 200 | MajorSubsystemVersion: WORD, 201 | MinorSubsystemVersion: WORD, 202 | Win32VersionValue: DWORD, 203 | SizeOfImage: DWORD, 204 | SizeOfHeaders: DWORD, 205 | CheckSum: DWORD, 206 | Subsystem: WORD, 207 | DllCharacteristics: WORD, 208 | SizeOfStackReserve: ULONGLONG, 209 | SizeOfStackCommit: ULONGLONG, 210 | SizeOfHeapReserve: ULONGLONG, 211 | SizeOfHeapCommit: ULONGLONG, 212 | LoaderFlags: DWORD, 213 | NumberOfRvaAndSizes: DWORD, 214 | DataDirectory: [IMAGE_DATA_DIRECTORY; IMAGE_NUMBEROF_DIRECTORY_ENTRIES], 215 | } 216 | ); 217 | 218 | 
struct_wrapper!( 219 | struct IMAGE_NT_HEADERS64 { 220 | Signature: DWORD, 221 | FileHeader: IMAGE_FILE_HEADER, 222 | OptionalHeader: IMAGE_OPTIONAL_HEADER64, 223 | } 224 | ); 225 | 226 | struct_wrapper!( 227 | struct IMAGE_DATA_DIRECTORY { 228 | VirtualAddress: DWORD, 229 | Size: DWORD, 230 | } 231 | ); 232 | 233 | struct_wrapper!( 234 | struct IMAGE_SECTION_HEADER { 235 | Name: [u8; IMAGE_SIZEOF_SHORT_NAME], 236 | /* 237 | union { 238 | DWORD PhysicalAddress; 239 | DWORD VirtualSize; 240 | } Misc; 241 | */ 242 | Misc: DWORD, 243 | VirtualAddress: DWORD, 244 | SizeOfRawData: DWORD, 245 | PointerToRawData: DWORD, 246 | PointerToRelocations: DWORD, 247 | PointerToLinenumbers: DWORD, 248 | NumberOfRelocations: WORD, 249 | NumberOfLinenumbers: WORD, 250 | Characteristics: DWORD, 251 | } 252 | ); 253 | 254 | struct_wrapper!( 255 | struct IMAGE_BASE_RELOCATION { 256 | VirtualAddress: DWORD, 257 | SizeOfBlock: DWORD, 258 | } 259 | ); 260 | 261 | struct_wrapper!( 262 | struct IMAGE_IMPORT_DESCRIPTOR { 263 | /* 264 | union { 265 | DWORD Characteristics; // 0 for terminating null import descriptor 266 | DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA) 267 | } 268 | */ 269 | OriginalFirstThunk: DWORD, 270 | // 0 if not bound, 271 | // -1 if bound, and real date\time stamp 272 | // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND) 273 | // O.W. 
date/time stamp of DLL bound to (Old BIND) 274 | TimeDateStamp: DWORD, 275 | ForwarderChain: DWORD, // -1 if no forwarders 276 | Name: DWORD, 277 | FirstThunk: DWORD, // RVA to IAT (if bound this IAT has actual addresses) 278 | } 279 | ); 280 | 281 | /* 282 | union { 283 | ULONGLONG ForwarderString; // PBYTE 284 | ULONGLONG Function; // PDWORD 285 | ULONGLONG Ordinal; 286 | ULONGLONG AddressOfData; // PIMAGE_IMPORT_BY_NAME 287 | } 288 | */ 289 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 290 | pub(crate) type IMAGE_THUNK_DATA64 = ULONGLONG; 291 | 292 | /* 293 | union { 294 | DWORD ForwarderString; // PBYTE 295 | DWORD Function; // PDWORD 296 | DWORD Ordinal; 297 | DWORD AddressOfData; // PIMAGE_IMPORT_BY_NAME 298 | } 299 | */ 300 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 301 | pub(crate) type IMAGE_THUNK_DATA32 = DWORD; 302 | 303 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 304 | pub(crate) type IMAGE_THUNK_DATA = IMAGE_THUNK_DATA64; 305 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 306 | pub(crate) type IMAGE_THUNK_DATA = IMAGE_THUNK_DATA32; 307 | 308 | struct_wrapper!( 309 | struct IMAGE_IMPORT_BY_NAME { 310 | Hint: WORD, 311 | Name: CHAR, 312 | } 313 | ); 314 | 315 | pub type PIMAGE_TLS_CALLBACK = extern "system" fn(PVOID, DWORD, PVOID); 316 | 317 | struct_wrapper!( 318 | struct IMAGE_TLS_DIRECTORY64 { 319 | StartAddressOfRawData: ULONGLONG, 320 | EndAddressOfRawData: ULONGLONG, 321 | AddressOfIndex: ULONGLONG, // PDWORD 322 | AddressOfCallBacks: ULONGLONG, // PIMAGE_TLS_CALLBACK *; 323 | SizeOfZeroFill: DWORD, 324 | 325 | /* 326 | union { 327 | DWORD Characteristics; 328 | struct { 329 | DWORD Reserved0 : 20; 330 | DWORD Alignment : 4; 331 | DWORD Reserved1 : 8; 332 | } DUMMYSTRUCTNAME; 333 | } DUMMYUNIONNAME; 334 | */ 335 | Reserved0: DWORD, 336 | Alignment: DWORD, 337 | Reserved1: DWORD, 338 | } 339 | ); 340 | 341 | struct_wrapper!( 342 | struct IMAGE_TLS_DIRECTORY32 { 343 | StartAddressOfRawData: 
DWORD, 344 | EndAddressOfRawData: DWORD, 345 | AddressOfIndex: DWORD, // PDWORD 346 | AddressOfCallBacks: DWORD, // PIMAGE_TLS_CALLBACK *; 347 | SizeOfZeroFill: DWORD, 348 | 349 | /* 350 | union { 351 | DWORD Characteristics; 352 | struct { 353 | DWORD Reserved0 : 20; 354 | DWORD Alignment : 4; 355 | DWORD Reserved1 : 8; 356 | } DUMMYSTRUCTNAME; 357 | } DUMMYUNIONNAME; 358 | */ 359 | Reserved0: DWORD, 360 | Alignment: DWORD, 361 | Reserved1: DWORD, 362 | } 363 | ); 364 | 365 | #[cfg(all(target_arch = "x86_64", target_os = "windows"))] 366 | pub(crate) type IMAGE_TLS_DIRECTORY = IMAGE_TLS_DIRECTORY64; 367 | #[cfg(all(target_arch = "x86", target_os = "windows"))] 368 | pub(crate) type IMAGE_TLS_DIRECTORY = IMAGE_TLS_DIRECTORY32; 369 | -------------------------------------------------------------------------------- /src/peparser/error.rs: -------------------------------------------------------------------------------- 1 | #[derive(Debug)] 2 | pub enum Error { 3 | InvalidDosSignature, 4 | InvalidNtHeaderOffset, 5 | InvalidNtSignature, 6 | UnsupportedMachine, 7 | InvalidFileHeaderCharacteristics, 8 | InvalidOptionalHeaderMagic, 9 | } 10 | 11 | pub type Result = std::result::Result; 12 | -------------------------------------------------------------------------------- /src/peparser/header.rs: -------------------------------------------------------------------------------- 1 | use super::def::*; 2 | use super::error::{Error, Result}; 3 | use std::mem; 4 | use std::os::raw::c_void; 5 | 6 | // Zero copy 7 | #[derive(Debug)] 8 | pub enum ImageNtHeaders<'a> { 9 | x86(&'a IMAGE_NT_HEADERS32), 10 | x64(&'a IMAGE_NT_HEADERS64), 11 | } 12 | 13 | impl<'a> ImageNtHeaders<'a> { 14 | pub fn get_file_header(&self) -> &IMAGE_FILE_HEADER { 15 | match *self { 16 | ImageNtHeaders::x86(h) => &h.FileHeader, 17 | ImageNtHeaders::x64(h) => &h.FileHeader, 18 | } 19 | } 20 | 21 | pub fn get_address_of_entry_point(&self) -> isize { 22 | match *self { 23 | ImageNtHeaders::x86(h) => 
h.OptionalHeader.AddressOfEntryPoint as isize, 24 | ImageNtHeaders::x64(h) => h.OptionalHeader.AddressOfEntryPoint as isize, 25 | } 26 | } 27 | 28 | pub fn get_image_base(&self) -> *const c_void { 29 | match *self { 30 | ImageNtHeaders::x86(h) => h.OptionalHeader.ImageBase as *const c_void, 31 | ImageNtHeaders::x64(h) => h.OptionalHeader.ImageBase as *const c_void, 32 | } 33 | } 34 | 35 | pub fn get_size_of_image(&self) -> usize { 36 | match *self { 37 | ImageNtHeaders::x86(h) => h.OptionalHeader.SizeOfImage as usize, 38 | ImageNtHeaders::x64(h) => h.OptionalHeader.SizeOfImage as usize, 39 | } 40 | } 41 | 42 | pub fn get_file_alignment(&self) -> u32 { 43 | match *self { 44 | ImageNtHeaders::x86(h) => h.OptionalHeader.FileAlignment, 45 | ImageNtHeaders::x64(h) => h.OptionalHeader.FileAlignment, 46 | } 47 | } 48 | 49 | pub fn get_section_alignment(&self) -> u32 { 50 | match *self { 51 | ImageNtHeaders::x86(h) => h.OptionalHeader.SectionAlignment, 52 | ImageNtHeaders::x64(h) => h.OptionalHeader.SectionAlignment, 53 | } 54 | } 55 | 56 | pub fn get_data_directory(&self) -> &[IMAGE_DATA_DIRECTORY; IMAGE_NUMBEROF_DIRECTORY_ENTRIES] { 57 | match *self { 58 | ImageNtHeaders::x86(h) => &h.OptionalHeader.DataDirectory, 59 | ImageNtHeaders::x64(h) => &h.OptionalHeader.DataDirectory, 60 | } 61 | } 62 | } 63 | 64 | // Zero copy 65 | #[repr(C)] 66 | #[derive(Debug)] 67 | pub struct PeHeader<'a> { 68 | pub dos_header: &'a IMAGE_DOS_HEADER, 69 | pub dos_stub: &'a [u8], 70 | pub nt_header: ImageNtHeaders<'a>, 71 | } 72 | 73 | impl<'a> PeHeader<'a> { 74 | pub fn new(bs: &'a [u8]) -> Result> { 75 | let dos_header = 76 | unsafe { &*mem::transmute::<*const u8, *const IMAGE_DOS_HEADER>(bs.as_ptr()) }; 77 | dos_header.is_valid()?; 78 | 79 | let dos_stub = &bs[mem::size_of::()..(dos_header.e_lfanew as _)]; 80 | 81 | let nt_headers = unsafe { 82 | match *mem::transmute::<*const u8, *const WORD>(bs.as_ptr().offset( 83 | dos_header.e_lfanew as isize 84 | + mem::size_of::() as isize 85 | + 
mem::size_of::() as isize, 86 | )) { 87 | IMAGE_NT_OPTIONAL_HDR64_MAGIC => { 88 | ImageNtHeaders::x64(mem::transmute::<*const u8, &IMAGE_NT_HEADERS64>( 89 | bs.as_ptr().offset(dos_header.e_lfanew as isize), 90 | )) 91 | } 92 | IMAGE_NT_OPTIONAL_HDR32_MAGIC => { 93 | ImageNtHeaders::x86(mem::transmute::<*const u8, &IMAGE_NT_HEADERS32>( 94 | bs.as_ptr().offset(dos_header.e_lfanew as isize), 95 | )) 96 | } 97 | _ => return Err(Error::InvalidOptionalHeaderMagic), 98 | } 99 | }; 100 | nt_headers.is_valid()?; 101 | 102 | Ok(PeHeader { 103 | dos_header: dos_header, 104 | dos_stub: dos_stub, 105 | nt_header: nt_headers, 106 | }) 107 | } 108 | 109 | pub fn size(&self) -> usize { 110 | mem::size_of::() 111 | + self.dos_stub.len() 112 | + if let ImageNtHeaders::x86(_) = self.nt_header { 113 | mem::size_of::() 114 | } else { 115 | mem::size_of::() 116 | } 117 | } 118 | } 119 | -------------------------------------------------------------------------------- /src/peparser/mod.rs: -------------------------------------------------------------------------------- 1 | mod check; 2 | mod header; 3 | mod pe; 4 | mod section; 5 | 6 | pub mod def; 7 | pub mod error; 8 | 9 | pub use header::*; 10 | pub use pe::*; 11 | pub use section::*; 12 | -------------------------------------------------------------------------------- /src/peparser/pe.rs: -------------------------------------------------------------------------------- 1 | use super::def::*; 2 | use super::error::Result; 3 | use super::header::{ImageNtHeaders, PeHeader}; 4 | use super::section::SectionArea; 5 | 6 | #[repr(C)] 7 | #[derive(Debug)] 8 | pub struct PE<'a> { 9 | pub pe_header: PeHeader<'a>, 10 | pub section_area: SectionArea<'a>, 11 | pub raw: &'a [u8], 12 | } 13 | 14 | impl<'a> PE<'a> { 15 | pub fn new(bs: &'a [u8]) -> Result> { 16 | let pe_header = PeHeader::new(bs)?; 17 | let section_area = SectionArea::new( 18 | &bs[pe_header.size()..], 19 | pe_header.nt_header.get_file_header().NumberOfSections, 20 | )?; 21 | 22 | 
Ok(PE { 23 | pe_header: pe_header, 24 | section_area: section_area, 25 | raw: bs, 26 | }) 27 | } 28 | 29 | pub fn is_x86(&self) -> bool { 30 | match self.pe_header.nt_header { 31 | ImageNtHeaders::x86(_) => true, 32 | ImageNtHeaders::x64(_) => false, 33 | } 34 | } 35 | 36 | pub fn is_x64(&self) -> bool { 37 | !self.is_x86() 38 | } 39 | 40 | pub fn is_dll(&self) -> bool { 41 | match self.pe_header.nt_header { 42 | ImageNtHeaders::x86(h) => h.FileHeader.Characteristics & IMAGE_FILE_DLL != 0, 43 | ImageNtHeaders::x64(h) => h.FileHeader.Characteristics & IMAGE_FILE_DLL != 0, 44 | } 45 | } 46 | 47 | pub fn is_dot_net(&self) -> bool { 48 | let dot_net_desc = 49 | &self.pe_header.nt_header.get_data_directory()[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]; 50 | dot_net_desc.Size != 0 && dot_net_desc.VirtualAddress != 0 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/peparser/section.rs: -------------------------------------------------------------------------------- 1 | use super::def::*; 2 | use super::error::Result; 3 | use std::mem; 4 | use std::ptr; 5 | 6 | #[repr(C)] 7 | #[derive(Debug)] 8 | pub struct SectionArea<'a> { 9 | pub section_table: &'a [IMAGE_SECTION_HEADER], 10 | pub section_data: &'a [u8], 11 | } 12 | 13 | impl<'a> SectionArea<'a> { 14 | pub fn new(bs: &'a [u8], n_sections: u16) -> Result> { 15 | let section_table = unsafe { 16 | &*ptr::slice_from_raw_parts( 17 | mem::transmute::<*const u8, *const IMAGE_SECTION_HEADER>(bs.as_ptr()), 18 | n_sections as usize, 19 | ) 20 | }; 21 | 22 | Ok(SectionArea { 23 | section_table: section_table, 24 | section_data: &bs[(n_sections as usize) * mem::size_of::()..], 25 | }) 26 | } 27 | } 28 | 29 | /* 30 | pub const PAGE_NOACCESS: DWORD = 0x01; 31 | pub const PAGE_READONLY: DWORD = 0x02; 32 | pub const PAGE_READWRITE: DWORD = 0x04; 33 | pub const PAGE_EXECUTE: DWORD = 0x10; 34 | pub const PAGE_EXECUTE_READ: DWORD = 0x20; 35 | pub const PAGE_EXECUTE_READWRITE: DWORD = 0x40; 
36 | */ 37 | impl IMAGE_SECTION_HEADER { 38 | #[inline] 39 | pub fn can_read(&self) -> bool { 40 | self.Characteristics & IMAGE_SCN_MEM_READ != 0 41 | } 42 | 43 | #[inline] 44 | pub fn can_write(&self) -> bool { 45 | self.Characteristics & IMAGE_SCN_MEM_WRITE != 0 46 | } 47 | 48 | #[inline] 49 | pub fn can_exec(&self) -> bool { 50 | self.Characteristics & IMAGE_SCN_MEM_EXECUTE != 0 51 | } 52 | 53 | pub fn get_protection(&self) -> DWORD { 54 | match self.can_exec() { 55 | true => match self.can_read() { 56 | true => match self.can_write() { 57 | true => PAGE_EXECUTE_READWRITE, 58 | false => PAGE_EXECUTE_READ, 59 | }, 60 | false => PAGE_EXECUTE, 61 | }, 62 | false => match self.can_read() { 63 | true => match self.can_write() { 64 | true => PAGE_READWRITE, 65 | false => PAGE_READONLY, 66 | }, 67 | false => PAGE_NOACCESS, 68 | }, 69 | } 70 | } 71 | } 72 | --------------------------------------------------------------------------------