{"id":13589176,"url":"https://github.com/janoglezcampos/rust_syscalls","last_synced_at":"2025-04-08T07:31:50.552Z","repository":{"id":58942273,"uuid":"534678304","full_name":"janoglezcampos/rust_syscalls","owner":"janoglezcampos","description":"Single stub direct and indirect syscalling with runtime SSN resolving for windows.","archived":false,"fork":false,"pushed_at":"2023-03-23T06:19:35.000Z","size":12,"stargazers_count":149,"open_issues_count":0,"forks_count":18,"subscribers_count":1,"default_branch":"main","last_synced_at":"2023-11-07T18:29:23.541Z","etag":null,"topics":["rust","rust-lang","security-tools","syscalls"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/janoglezcampos.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-09T14:32:50.000Z","updated_at":"2024-08-01T16:35:09.094Z","dependencies_parsed_at":"2024-08-01T16:45:11.114Z","dependency_job_id":null,"html_url":"https://github.com/janoglezcampos/rust_syscalls","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janoglezcampos%2Frust_syscalls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janoglezcampos%2Frust_syscalls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janoglezcampos%2Frust_syscalls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janoglezcampos%2Frust_syscalls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/janoglezcampos","download_url":"https://codeload.github.com/janoglezcampos/rust_syscalls/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247796204,"owners_count":20997528,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rust","rust-lang","security-tools","syscalls"],"created_at":"2024-08-01T16:00:24.671Z","updated_at":"2025-04-08T07:31:48.121Z","avatar_url":"https://github.com/janoglezcampos.png","language":"Rust","funding_links":[],"categories":["Projects"],"sub_categories":[],"readme":"# RUST_SYSCALLS\nSingle stub direct and indirect syscalling with runtime SSN resolving for windows.\n\n---\n\n## Features:\n* One single line for all your syscalls\n* Function name hashing at compilation time\n* Direct or indirect syscalls\n* x86_64, WOW64 and x86 native support\n* Designed to allow the implementation of custom SSN fetching methods (check the end of this readme for more info)\n  \n---\n\n## How to use:\n1. Add the git repository / local path to the library to your dependencies:\n   \n   \u003e `rust_syscalls = {git = \"https://github.com/janoglezcampos/rust_syscalls\"}`\n\n   or\n\n   \u003e `rust_syscalls = {path = \u003cpath to library folder\u003e}`\n\n2. Choose direct or indirect method by setting `_DIRECT_` or `_INDIRECT_` as a feature:\n\n    \u003e `rust_syscalls = {path = \u003cpath to library folder\u003e, features = [\"_INDIRECT_\"]}`\n\n3. Import\n   \n   \u003e `use rust_syscalls::syscall;`\n\n4. Syscall:\n   \n    \u003e `NTSTATUS status = syscall!(\"NtClose\", handle);`\n\n---\n## Example:\n\n```rust\n    #![allow(non_snake_case)]\n    use ntapi::ntapi_base::CLIENT_ID;\n    use rust_syscalls::syscall;\n\n    use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, HANDLE, NULL, NTSTATUS, PVOID};\n    use winapi::um::winnt::{PROCESS_VM_WRITE, PROCESS_VM_READ, MEMORY_BASIC_INFORMATION};\n    use std::mem::size_of;\n    \n    fn main(){\n        let pid             : u64      = 3268; // PID of the target process\n        let currentProcess  : HANDLE = -1isize as _; // pseudo-handle for the current process\n        let mem_info_len    : usize = size_of::\u003cMEMORY_BASIC_INFORMATION\u003e() as _;\n\n        let mut handle      : HANDLE   = NULL;\n        let mut status      : NTSTATUS;\n    \n        // Filled in by the kernel, so it must be mutable\n        let mut mem_info: MEMORY_BASIC_INFORMATION = MEMORY_BASIC_INFORMATION {\n            BaseAddress: NULL,\n            AllocationBase: NULL,\n            AllocationProtect: 0,\n            RegionSize: 0,\n            State: 0,\n            Protect: 0,\n            Type: 0,\n        };\n\n        let oa : OBJECT_ATTRIBUTES = OBJECT_ATTRIBUTES {\n            Length: size_of::\u003cOBJECT_ATTRIBUTES\u003e() as _,\n            RootDirectory: NULL,\n            ObjectName: NULL as _,\n            Attributes: 0,\n            SecurityDescriptor: NULL,\n            SecurityQualityOfService: NULL\n        };\n\n        let cid : CLIENT_ID = CLIENT_ID {\n            UniqueProcess: pid as _,\n            UniqueThread: 0 as _\n        };\n\n        unsafe {\n            status = syscall!(\"NtOpenProcess\", \u0026mut handle, PROCESS_VM_WRITE | PROCESS_VM_READ, \u0026oa, \u0026cid);\n        }\n        \n        println!(\"\\n\\t[-] NtOpenProcess status: {:#02X}\", status);\n\n        if status != 0 {\n            return;\n        }\n\n        // Query the region of the current process that contains the `pid` local\n        unsafe {\n            status = syscall!(\"NtQueryVirtualMemory\", currentProcess, \u0026pid, 0, \u0026mut mem_info, mem_info_len, NULL as PVOID);\n        }\n        \n        println!(\"\\n\\t[-] NtQueryVirtualMemory status: {:#02X}\", status);\n        \n        if status != 0 {\n            return;\n        }\n\n        println!(\"\\n\\t[-] Protect value: {:#02X}\\n\\t\", mem_info.Protect);\n\n        unsafe {\n            status = syscall!(\"NtClose\", handle);\n        }\n        \n        println!(\"\\t[-] NtClose       status: {:#02X}\", status);\n    }\n```\n\n\n## Implementing new SSN and syscall addresses runtime resolving methods:\n\nAll the code required to do the SSN and address fetching is included in the file `src\\syscall_resolve.rs`.\n\nThere is one core function used to retrieve the values, called `get_ssn`, with 4 implementations. Its argument is the result of calling `crate::obf!(\\\u003cyour function name\\\u003e)`, and its return values are the SSN (u16) and, in the case of indirect syscalling, the address of the syscall/sysenter instruction that you want to use.\n\n* x86_64 direct:\n  \n    \u003e fn get_ssn(hash: u32) -\u003e (u16);\n\n* x86_64 indirect:\n\n    \u003e fn get_ssn(hash: u32) -\u003e (u16, u64);\n\n* x86 direct:\n\n    \u003e fn get_ssn(hash: u32) -\u003e (u16);\n\n* x86 indirect:\n\n    \u003e fn get_ssn(hash: u32) -\u003e (u16, u32);\n\nJust reimplement these functions with your desired fetching method.\n\n---\n\n**Thanks to [SysWhispers3](https://github.com/klezVirus/SysWhispers3) for being a strong pillar in the development of this library**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjanoglezcampos%2Frust_syscalls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjanoglezcampos%2Frust_syscalls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjanoglezcampos%2Frust_syscalls/lists"}