Reboare/spawn_blockdll.rs

## spawn_blockdll.rs
use std::ptr::null_mut;
use std::mem::{size_of, transmute};
use std::ffi::CString;
use winapi::shared::minwindef::{BYTE, TRUE};
use winapi::um::processthreadsapi::{InitializeProcThreadAttributeList, LPSTARTUPINFOA, CreateProcessA,
				PROC_THREAD_ATTRIBUTE_LIST, UpdateProcThreadAttribute,
				PROCESS_INFORMATION};
use winapi::shared::ntdef::PVOID;
use winapi::um::winbase::STARTUPINFOEXA;

const PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON: u64 = 0x100000000000;
const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY: usize = 0x00020007;
const EXTENDED_STARTUPINFO_PRESENT: u32 = 0x00080000;

fn main() {
	let pid = spawn_blockdll("notepad".to_string());
	println!("You spawned a blockdll process with pid: {0}", pid)
}

pub fn spawn_blockdll(program: String) -> usize {
	// Initialize process variables with defaults
	// This has the unexpected benefit of spoofing our PPID
	let mut pi = PROCESS_INFORMATION::default();
	let mut si = STARTUPINFOEXA::default();
	let mut size = 0;

	// Convert the
	let exe_name = CString::new(program).expect("CString creation failed!");

	// Calculate the length of PROC_THREAD_ATTRIBUTE_LIST
	unsafe {
		InitializeProcThreadAttributeList(&mut PROC_THREAD_ATTRIBUTE_LIST::default(), 1,0, &mut size);
	}

	// Attribute list which will be modified
	let mut attributes: Box<[BYTE]> = vec![0; size].into_boxed_slice();
	si.lpAttributeList = attributes.as_mut_ptr() as _;

	unsafe{
		//Initialize our attribute list
		InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &mut size);

		// Update the attribute list with the relevant mitigation policy
		UpdateProcThreadAttribute(
			si.lpAttributeList,
			0,
			PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
			transmute::<&mut u64, PVOID>(&mut PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON),
			size_of::<u64>(),
			null_mut(),
			null_mut());

		// Spawn a process using the attribute list
		CreateProcessA(
			null_mut(),
			exe_name.into_raw(),
			null_mut(),
			null_mut(),
			TRUE,
			EXTENDED_STARTUPINFO_PRESENT,
			null_mut(),
			null_mut(),
			&mut si.StartupInfo as LPSTARTUPINFOA,
			&mut pi
		);
	}
	// Return our process ID
	pi.dwProcessId as usize
}

#[derive(Copy, Clone)]
enum PROCESS_CREATION_FLAG {
    CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
    CREATE_SUSPENDED = 0x00000004,
    EXTENDED_STARTUPINFO_PRESENT = 0x00080000
}

type process_cr_flags = Vec<PROCESS_CREATION_FLAG>;

    fn flatten(v: process_cr_flags) -> u32 {
        v.iter().fold(0u32, |x, y| x|(*y as u32))
    }
	use std::ptr::null_mut;
	use std::mem::{size_of, transmute};
	use std::ffi::CString;
	use winapi::shared::minwindef::{BYTE, TRUE};
	use winapi::um::processthreadsapi::{InitializeProcThreadAttributeList, LPSTARTUPINFOA, CreateProcessA,
	PROC_THREAD_ATTRIBUTE_LIST, UpdateProcThreadAttribute,
	PROCESS_INFORMATION};
	use winapi::shared::ntdef::PVOID;
	use winapi::um::winbase::STARTUPINFOEXA;

	const PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON: u64 = 0x100000000000;
	const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY: usize = 0x00020007;
	const EXTENDED_STARTUPINFO_PRESENT: u32 = 0x00080000;

	fn main() {
	let pid = spawn_blockdll("notepad".to_string());
	println!("You spawned a blockdll process with pid: {0}", pid)
	}

	pub fn spawn_blockdll(program: String) -> usize {
	// Initialize process variables with defaults
	// This has the unexpected benefit of spoofing our PPID
	let mut pi = PROCESS_INFORMATION::default();
	let mut si = STARTUPINFOEXA::default();
	let mut size = 0;

	// Convert the
	let exe_name = CString::new(program).expect("CString creation failed!");

	// Calculate the length of PROC_THREAD_ATTRIBUTE_LIST
	unsafe {
	InitializeProcThreadAttributeList(&mut PROC_THREAD_ATTRIBUTE_LIST::default(), 1,0, &mut size);
	}

	// Attribute list which will be modified
	let mut attributes: Box<[BYTE]> = vec![0; size].into_boxed_slice();
	si.lpAttributeList = attributes.as_mut_ptr() as _;

	unsafe{
	//Initialize our attribute list
	InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &mut size);

	// Update the attribute list with the relevant mitigation policy
	UpdateProcThreadAttribute(
	si.lpAttributeList,
	0,
	PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
	transmute::<&mut u64, PVOID>(&mut PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON),
	size_of::<u64>(),
	null_mut(),
	null_mut());

	// Spawn a process using the attribute list
	CreateProcessA(
	null_mut(),
	exe_name.into_raw(),
	null_mut(),
	null_mut(),
	TRUE,
	EXTENDED_STARTUPINFO_PRESENT,
	null_mut(),
	null_mut(),
	&mut si.StartupInfo as LPSTARTUPINFOA,
	&mut pi
	);
	}
	// Return our process ID
	pi.dwProcessId as usize
	}

	#[derive(Copy, Clone)]
	enum PROCESS_CREATION_FLAG {
	CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
	CREATE_SUSPENDED = 0x00000004,
	EXTENDED_STARTUPINFO_PRESENT = 0x00080000
	}

	type process_cr_flags = Vec<PROCESS_CREATION_FLAG>;

	fn flatten(v: process_cr_flags) -> u32 {
	v.iter().fold(0u32, \|x, y\| x\|(*y as u32))
	}