razy_importer

Rust 实现的 lazy_importer

用法

# Cargo.toml, under [dependencies]. Both crates are needed: the usage example below
# pulls the ri_fn!/ri_fn_m!/ri_mod! macros in with `extern crate razy_importer_macros`.
razy-importer        = "0.3.4"
razy-importer-macros = "0.3.3"

必须在变量上显式声明函数原型,这是由 Rust 设计决定的,Rust 不允许在编译时需要已知类型信息的地方使用常量。

由于 ri_fn 宏的实现将 func_type 作为 Expr 类型,这被视为在运行时解析的表达式。然而,像 extern "system" fn() 这样的类型,代表函数指针,需要在编译时知道类型信息。因此,在运行时解析的 Expr 类型不能直接用作这种函数类型。

#[macro_use]
extern crate razy_importer_macros;

/// Usage example: the same ntdll export resolved two ways, called once each.
/// `ULONG` (u32 on Windows) must already be in scope; its import is not shown here.
fn main() {
    // First form: the module is named explicitly via ri_mod!.
    let with_module: unsafe extern "system" fn() -> ULONG =
        ri_fn_m!("NtGetCurrentProcessorNumber", ri_mod!("ntdll.dll"));
    // SAFETY: the export takes no arguments; the signature is assumed to match
    // what the macro resolved — confirm against the Windows declaration.
    let first = unsafe { with_module() };
    println!("NtGetCurrentProcessorNumber={}", first);

    // Second form: by export name alone, without naming the module.
    let by_name: unsafe extern "system" fn() -> ULONG =
        ri_fn!("NtGetCurrentProcessorNumber");
    // SAFETY: same contract as above.
    let second = unsafe { by_name() };
    println!("NtGetCurrentProcessorNumber={}", second);
}

大小写敏感

Crates razy-importer 和 razy-importer-macros 默认启用了 不区分大小写 功能:字母大小写将被忽略,因为 Windows 不会区分字母的大小写。

如果您需要使用严格的大小写敏感检查,请禁用此功能。

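# Cargo.toml, under [dependencies]. The key is `default-features` (hyphenated, plural):
# the misspelt `default_feature` is an unknown manifest key that Cargo ignores (with a
# warning), so the default case-folding name matching would stay silently enabled.
razy-importer        = { version = "...", default-features = false }
razy-importer-macros = { version = "...", default-features = false }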

支持API集DLL

自 >=0.2.0 起,支持通过 API 集 DLL 导出的函数(如 SetProcessMitigationPolicy)。

  • 关系:kernel32.dll -> api-ms-win-core-processthreads-l1-1-1.SetProcessMitigationPolicy
  • 关系:api-ms-win-core-processthreads-l1-1-1.dll -> kernel32.SetProcessMitigationPolicy

Windows 有一个名为“API 集”的概念。它从 Windows 7 开始引入,将某些函数集(API)分组,并将它们“映射”到特定的 DLL 文件,旨在抽象底层实现并维护兼容性。

API集DLL(如本案中的api-ms-win-core-processthreads-l1-1-1.dll)实际上并不包含任何函数。这些DLL用于告知操作系统哪个DLL实现了特定功能,实际功能位于另一个DLL中(在本例中为kernel32.dll)。

转换输出

此输出由 IDA 8.3 在没有符号(且未使用 gooMBA)的情况下生成。

/// Minimal exported function used to produce the decompiler listing below:
/// resolves one ntdll export by name and returns its result.
#[inline(never)]
#[no_mangle]
#[export_name = "nt"]
fn nt() -> u32 {
    let proc_number: unsafe extern "system" fn() -> ULONG =
        ri_fn!("NtGetCurrentProcessorNumber");
    // SAFETY: the export takes no arguments; the signature is assumed to match
    // the resolved export — confirm against the Windows declaration.
    unsafe { proc_number() }
}
// Decompiler (IDA 8.3) pseudo-C of the Rust `nt()` above, reproduced as generated;
// nothing below is rewritten, only annotated for readers.
// Visible structure: (1) a walk of the loader's in-load-order module list reached
// from NtCurrentPeb()->Ldr, (2) a byte-wise multiplicative hash
// (h = 16777619 * (h ^ c), basis 218083195) applied to module and export names
// with ASCII 'A'..'Z' folded to lower case via `| 0x20`, (3) a scan of the
// matched module's export name table, and (4) a restart of the walk when the
// resolved address points back into the export directory (a forwarded export;
// cf. the API-set section of this README).
// The decompiler names no struct fields: the `Flink[n]` / `v11[n]` accesses are
// interpreted in the comments as loader-entry and PE-header fields — confirm
// against the LDR_DATA_TABLE_ENTRY / IMAGE_NT_HEADERS layouts before relying on them.
__int64 nt()
{
  PPEB_LDR_DATA Ldr; // rax
  struct _LIST_ENTRY *Flink; // r8
  struct _LIST_ENTRY *Blink; // rsi
  int v3; // r10d
  int v4; // r12d
  int v5; // r9d
  struct _LIST_ENTRY *v6; // rbx
  struct _LIST_ENTRY *v7; // rdi
  int v8; // eax
  struct _LIST_ENTRY *v9; // rcx
  unsigned __int8 v10; // r11
  struct _LIST_ENTRY *v11; // r15
  __int64 Blink_high; // rax
  __int64 v13; // r14
  __int64 v14; // rdx
  unsigned int *v15; // r14
  __int64 v16; // rax
  __int64 v17; // r13
  char *v18; // rbp
  __int64 v19; // rcx
  __int64 v20; // rax
  int v21; // r11d
  __int64 v22; // rcx
  char v23; // r12
  unsigned __int8 v24; // r8
  __int64 (*v25)(void); // rdx
  unsigned __int8 v26; // cl
  char *v27; // rax
  char *v28; // rdx
  int v29; // ecx
  unsigned __int8 v30; // r8
  unsigned __int8 v31; // cl
  unsigned __int8 v32; // al
  unsigned __int8 v33; // cl
  unsigned __int8 v34; // r8
  unsigned __int8 v35; // al
  int v37; // [rsp+4h] [rbp-64h]
  struct _LIST_ENTRY *v38; // [rsp+8h] [rbp-60h]
  char v39; // [rsp+10h] [rbp-58h]
  struct _LIST_ENTRY *v40; // [rsp+20h] [rbp-48h]

  // PEB -> Ldr -> InLoadOrderModuleList (head entry and list sentinel).
  Ldr = NtCurrentPeb()->Ldr;
  Flink = Ldr->InLoadOrderModuleList.Flink;
  Blink = Ldr->InLoadOrderModuleList.Blink;
  if ( Flink != Blink )
  {
    v3 = -42511511;   // target hash of the requested export name (constant baked in at build time)
    v39 = 0;          // becomes 1 once a forwarded export has redirected the search (LABEL_48)
    v4 = 0;           // name hash of the module in which the export was first found
    v5 = 0;           // name hash of a forwarder's target module; 0 until a forwarder is seen
    v38 = Ldr->InLoadOrderModuleList.Blink;
    do
    {
      // v6..v7: presumably the entry's base-name UNICODE_STRING (Buffer, Buffer+Length);
      // the "- 8" looks like it drops a 4-unit UTF-16 suffix such as ".dll" — confirm.
      v6 = Flink[6].Flink;
      v7 = (struct _LIST_ENTRY *)((char *)v6 + ((unsigned __int16)(LODWORD(Flink[5].Blink) - 8) & 0xFFFE));
      v8 = 218083195;   // hash basis
      if ( v6 < v7 )
      {
        // Hash the module name one UTF-16 unit at a time (low byte only), ASCII case-folded.
        v9 = Flink[6].Flink;
        do
        {
          v10 = LOBYTE(v9->Flink) | 0x20;
          if ( (unsigned __int8)(LOBYTE(v9->Flink) - 65) >= 0x1Au )
            v10 = (unsigned __int8)v9->Flink;
          v8 = 16777619 * (v8 ^ v10);
          v9 = (struct _LIST_ENTRY *)((char *)v9 + 2);
        }
        while ( v9 < v7 );
      }
      // Look inside this module when no forwarder has been seen yet (v5 == 0), when it
      // is the forwarder's target module (v8 == v5), or when it is any module other than
      // the one already resolved (v8 != v4) — presumably so that a module and an API-set
      // stub that forward to each other cannot bounce the search back and forth.
      if ( !v5 || v8 == v5 || v8 && v8 != v4 )
      {
        v11 = Flink[3].Flink;   // presumably the module's image base (DllBase)
        Blink_high = SHIDWORD(v11[3].Blink);   // high dword of the qword at +0x38: looks like e_lfanew
        v13 = *(unsigned int *)((char *)&v11[8].Blink + Blink_high);   // export directory RVA, read relative to the NT headers
        if ( *(_DWORD *)((char *)&v11[8].Blink + Blink_high) )   // modules without an export directory are skipped
        {
          v40 = Flink;   // spill outer-loop state across the export scan
          v37 = v4;
          v14 = *(unsigned int *)((char *)&v11[1].Blink + v13);   // presumably NumberOfNames
          v15 = (unsigned int *)((char *)v11 + v13);   // export directory viewed as a dword array
          v16 = 0i64;
          do
          {
            if ( v16 == v14 )
            {
              // Every exported name tried without a match: restore state, next module.
              Blink = v38;
              v4 = v37;
              Flink = v40;
              goto LABEL_49;
            }
            v17 = v16;
            v18 = (char *)v11 + *(unsigned int *)((char *)&v11->Flink + 4 * v16 + v15[8]);   // i-th exported name, via the table at v15[8] (presumably AddressOfNames)
            v19 = 0i64;
            do
              v20 = v19++;
            while ( v18[v20] );   // strlen
            v21 = 218083195;   // hash basis for the export name
            if ( v19 != 1 )
            {
              // Same case-folded hash as above, over the 8-bit export name.
              v22 = 0i64;
              do
              {
                v23 = v18[v22];
                if ( !v23 )
                  break;
                v24 = v23 | 0x20;
                if ( (unsigned __int8)(v23 - 65) >= 0x1Au )
                  v24 = v18[v22];
                v21 = 16777619 * (v24 ^ v21);
                ++v22;
              }
              while ( v20 != v22 );
            }
            v16 = v17 + 1;
          }
          while ( v21 != v3 );   // stop at the first name whose hash equals the target
          // Resolved address: functions[ordinals[i]] — the tables at v15[7] and v15[9]
          // are presumably AddressOfFunctions and AddressOfNameOrdinals.
          v25 = (__int64 (*)(void))((char *)v11
                                  + *(unsigned int *)((char *)&v11->Flink
                                                    + 4
                                                    * *(unsigned __int16 *)((char *)&v11->Flink
                                                                          + 2 * (unsigned int)v17
                                                                          + v15[9])
                                                    + v15[7]));
          v4 = v37;
          if ( (v39 & 1) != 0 )
          {
            Blink = v38;
          }
          else
          {
            // First resolution only: also record this module's case-folded name hash in v4.
            v4 = 218083195;
            Blink = v38;
            if ( v6 < v7 )
            {
              v4 = 218083195;
              do
              {
                v26 = LOBYTE(v6->Flink) | 0x20;
                if ( (unsigned __int8)(LOBYTE(v6->Flink) - 65) >= 0x1Au )
                  v26 = (unsigned __int8)v6->Flink;
                v4 = 16777619 * (v4 ^ v26);
                v6 = (struct _LIST_ENTRY *)((char *)v6 + 2);
              }
              while ( v6 < v7 );
            }
          }
          // Address outside [export directory, +size): a real function — call it directly.
          if ( v15 >= (unsigned int *)v25
            || (char *)v15 + *(unsigned int *)((char *)&v11[8].Blink + SHIDWORD(v11[3].Blink) + 4) <= (char *)v25 )
          {
            return v25();
          }
          // Otherwise the address points at a forwarder string "Module.Function":
          // hash the module part (up to '.') into v5 ...
          v27 = (char *)v25 + 1;
          v28 = (char *)v25 + 2;
          v5 = 218083195;
          while ( 1 )
          {
            v29 = (unsigned __int8)*(v27 - 1);
            if ( !*(v27 - 1) )
              goto LABEL_47;
            if ( v29 == 46 )
              break;
            v30 = v29 - 65;
            v31 = v29 | 0x20;
            if ( v30 >= 0x1Au )
              v31 = *(v27 - 1);
            v5 = 16777619 * (v31 ^ v5);
            ++v27;
            ++v28;
          }
          // ... and the function part (after '.') into v3 as the new target hash.
          v32 = *v27;
          if ( !v32 )
          {
LABEL_47:
            v3 = 218083195;
            goto LABEL_48;
          }
          v3 = 218083195;
          do
          {
            v33 = v32 - 65;
            v34 = v32;
            v35 = v32 | 0x20;
            if ( v33 >= 0x1Au )
              v35 = v34;
            v3 = 16777619 * (v3 ^ v35);
            v32 = *v28++;
          }
          while ( v32 );
LABEL_48:
          // Restart the walk from the head of the loader list with the new targets.
          Flink = NtCurrentPeb()->Ldr->InLoadOrderModuleList.Flink;
          v39 = 1;
        }
      }
LABEL_49:
      Flink = Flink->Flink;
    }
    while ( Flink != Blink );
  }
  // Not found: v25 is NULL here, so this call faults — there is no error return.
  v25 = 0i64;
  return v25();
}

许可证

LICENSE - Apache 2.0

致谢

Apache 2.0 - JustasMasiulis/lazy_importer
