janoglezcampos/direct_syscall.rs

## direct_syscall.rs
#![allow(non_snake_case)]

use std::arch::global_asm;
use std::mem::size_of;

use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, HANDLE, NULL, PHANDLE, NTSTATUS};
use winapi::um::winnt::{ACCESS_MASK, PROCESS_VM_WRITE, PROCESS_VM_READ};

#[cfg(not(target_arch = "x86_64"))]
compile_error!("Only x86_64 machines");

global_asm!("

.section .text
.code64

NtOpenProcess:
    mov     r10, rcx
    mov     eax, 0x26
    syscall
    ret

NtClose:
    mov     r10, rcx
    mov     eax, 0x0F
    syscall
    ret

");

extern "win64" {
    fn NtOpenProcess(
        ProcessHandle:    PHANDLE,
        DesiredAccess:    ACCESS_MASK,
        ObjectAttributes: &OBJECT_ATTRIBUTES,
        ClientId:         &CLIENT_ID
    ) -> NTSTATUS;

    fn NtClose(
        Handle: HANDLE
    ) -> NTSTATUS;
}

#[repr(C)]
pub struct CLIENT_ID {
    pub UniqueProcess: HANDLE,
    pub UniqueThread: HANDLE,
}

//  [dependencies]
//  winapi = {version = "0.3.9", features = ["ntdef", "winnt"]}

fn main() {

    let     pid    : u64      = 1944;
    let mut handle : HANDLE   = NULL;
    let mut status : NTSTATUS;

    let oa : OBJECT_ATTRIBUTES = OBJECT_ATTRIBUTES {
        Length: size_of::<OBJECT_ATTRIBUTES>() as _,
        RootDirectory: NULL,
        ObjectName: NULL as _,
        Attributes: 0,
        SecurityDescriptor: NULL,
        SecurityQualityOfService: NULL
    };

    let cid : CLIENT_ID = CLIENT_ID {
        UniqueProcess: pid as _,
        UniqueThread: 0 as _
    };

    unsafe{
        status = NtOpenProcess(&mut handle, PROCESS_VM_WRITE | PROCESS_VM_READ, &oa, &cid);
    }

    println!("\n\t[-] NtOpenProcess status: {:#02X}", status);

    if status != 0 {
        return;
    }

    unsafe{
        status = NtClose(handle);
    }

    println!("\t[-] NtClose       status: {:#02X}", status);
}
	#![allow(non_snake_case)]

	use std::arch::global_asm;
	use std::mem::size_of;

	use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, HANDLE, NULL, PHANDLE, NTSTATUS};
	use winapi::um::winnt::{ACCESS_MASK, PROCESS_VM_WRITE, PROCESS_VM_READ};

	#[cfg(not(target_arch = "x86_64"))]
	compile_error!("Only x86_64 machines");

	global_asm!("

	.section .text
	.code64

	NtOpenProcess:
	mov r10, rcx
	mov eax, 0x26
	syscall
	ret

	NtClose:
	mov r10, rcx
	mov eax, 0x0F
	syscall
	ret

	");

	extern "win64" {
	fn NtOpenProcess(
	ProcessHandle: PHANDLE,
	DesiredAccess: ACCESS_MASK,
	ObjectAttributes: &OBJECT_ATTRIBUTES,
	ClientId: &CLIENT_ID
	) -> NTSTATUS;

	fn NtClose(
	Handle: HANDLE
	) -> NTSTATUS;
	}

	#[repr(C)]
	pub struct CLIENT_ID {
	pub UniqueProcess: HANDLE,
	pub UniqueThread: HANDLE,
	}

	// [dependencies]
	// winapi = {version = "0.3.9", features = ["ntdef", "winnt"]}

	fn main() {

	let pid : u64 = 1944;
	let mut handle : HANDLE = NULL;
	let mut status : NTSTATUS;

	let oa : OBJECT_ATTRIBUTES = OBJECT_ATTRIBUTES {
	Length: size_of::<OBJECT_ATTRIBUTES>() as _,
	RootDirectory: NULL,
	ObjectName: NULL as _,
	Attributes: 0,
	SecurityDescriptor: NULL,
	SecurityQualityOfService: NULL
	};

	let cid : CLIENT_ID = CLIENT_ID {
	UniqueProcess: pid as _,
	UniqueThread: 0 as _
	};

	unsafe{
	status = NtOpenProcess(&mut handle, PROCESS_VM_WRITE \| PROCESS_VM_READ, &oa, &cid);
	}

	println!("\n\t[-] NtOpenProcess status: {:#02X}", status);

	if status != 0 {
	return;
	}

	unsafe{
	status = NtClose(handle);
	}

	println!("\t[-] NtClose status: {:#02X}", status);
	}