ntapi | Rust FFI bindings for Native API | Wrapper library

by MSxDOS | Rust | Version: Current | License: Apache-2.0

kandi X-RAY | ntapi Summary

ntapi is a Rust library typically used in Utilities and Wrapper applications. ntapi has no bugs reported, no vulnerabilities reported, a Permissive License, and low support. You can download it from GitHub.

Rust FFI bindings for Native API. Mostly based on Process Hacker phnt headers as the most complete source of bindings to be found. The comments there also contain useful information on how to use specific things.

            Support

              ntapi has a low active ecosystem.
              It has 77 star(s) with 21 fork(s). There are 3 watchers for this library.
              It had no major release in the last 6 months.
              There are 4 open issues and 5 have been closed. On average issues are closed in 146 days. There are 2 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of ntapi is current.

            Quality

              ntapi has no bugs reported.

            Security

              ntapi has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            License

              ntapi is licensed under the Apache-2.0 License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            Reuse

              ntapi releases are not available. You will need to build from source code and install.

            ntapi Key Features

            No Key Features are available at this moment for ntapi.

            ntapi Examples and Code Snippets

            No Code Snippets are available at this moment for ntapi.

            Community Discussions

            QUESTION

            C++ help to understand syntax of low level code
            Asked 2021-Jan-07 at 17:12

            I was reading some code and found it really hard to understand this:

            extern "C" NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName

            Here some real code:

            ...

            ANSWER

            Answered 2021-Jan-07 at 17:12

            There's only one return type, NTSTATUS, which is an enumeration. The others are modifiers on the function call, for example NTAPI resolves to __stdcall, which modifies how the function is called by the compiler, and NTSYSAPI resolves to declspec(dllimport), which marks the function as a library import.

            Also this has nothing to do with SAL.

            Source https://stackoverflow.com/questions/65616875

            QUESTION

            Using DeviceIoControl from C# code always returns empty output buffer
            Asked 2020-Dec-05 at 15:58

            I have a driver, which I want to use from my C# client app. The issue here is that my output buffer is always empty (0). When I use this driver from C code - everything works like a charm, so I think the issue is in my client C# code.

            Extern is defined as below:

            ...

            ANSWER

            Answered 2020-Dec-05 at 15:58

            First - I had to compile in x64. Second - I had to allocate memory for pBuffer.

            Below is a working example

            Source https://stackoverflow.com/questions/65088820

            QUESTION

            Cast shellcode inside function pointer
            Asked 2020-Nov-15 at 18:36

            I am trying to perform a system call on 32-bit, but there is an issue.

            I originally had a naked function as my stub and used inline assembly, but when I tried to turn it into shellcode, despite it being a 1-to-1 copy of the naked function (When looking at it in Visual Studio's disassembly), it does not function (Access Violation Executing NULL).

            It worked perfectly with the naked function, by the way.

            Here is the shellcode I wrote:

            ...

            ANSWER

            Answered 2020-Nov-15 at 18:36

            As noted by Michael Petch, the shellcode was wrong. I only missed one byte (0x0C) that should be 0xC0.

            If anyone will ever attempt something so stupid and useless like I did, double-check your shellcode first!

            Source https://stackoverflow.com/questions/64846269

            QUESTION

            _WIN32_WINNT Not defined
            Asked 2020-Aug-27 at 20:19

            I had a problem with using winternl.h. I was using some of the datatypes out of there and have successfully compiled it for x64 without any problems. However, I made some changes and now for some reason it's failing to compile. Through debugging I've found that the reason seems to be down to _WIN32_WINNT not being defined at all, which causes winternl.h to not define any types. It was specifically this that was causing the problem with the PEB struct.

            ...

            ANSWER

            Answered 2020-Aug-27 at 20:19

            _WIN32_WINNT comes from the include file , so in order to fix the error you are seeing:

            In the file throwing the error, change this:

            Source https://stackoverflow.com/questions/63622291

            QUESTION

            Memory allocation issues using NTAllocateVirtualMemory and GetProcAddress not working
            Asked 2020-Jun-18 at 16:03

            I am trying to write a little program which uses NTAllocateVirtualMemory and GetProcAddress instead of VirtualAlloc.

            This is what I have currently:

            ...

            ANSWER

            Answered 2020-Jun-18 at 09:53

            Since your actual problem is to hide from anti-virus, I would suggest to use a static buffer.

            Make data sections executable (in Visual Studio)

            Specify Project->Properties->Linker->Specify Section Attributes.

            For uninitialized data

            uninitialized is still zero initialized

            /* global or static*/ char buf[20000];

            specify .bss,RWE

            (which is probably what you need)

            For initialized data

            /* global or static*/ char buf[20000]{1};

            specify .data,RWE

            Both

            specify Linker->Command Line->Additional Options as /SECTION:.bss,RWE /SECTION:.data,RWE

            Source https://stackoverflow.com/questions/62444773

            QUESTION

            Allocating memory in specific Windows DLL module
            Asked 2020-May-15 at 22:38

            I want to allocate some memory inside a specific module of a process instead of the process in general. The following Windows C++ code can allocate memory inside a process given its process id:

            ...

            ANSWER

            Answered 2020-May-15 at 22:38

            I want to allocate some memory inside a specific module

            You cannot do this. When a module is mapped, its memory is allocated. You can't allocate memory inside the module; the module exists inside its allocated pages and nowhere else. Any allocated pages will be outside of the module.

            Alternatively, if you want to use memory which is already allocated but is not used, this is called a code cave. It's typically an area of memory inside a module which is filled with zeros. So you can scan for a code cave by finding a certain length of redundant zeros inside the module and then you can write to that memory.

            This is done frequently and is especially useful if the page has the execute bit set as you won't have to change any permissions which could be deemed risky.

            This is also done frequently in injectors which use "scatter mapping" where it only uses these code caves to inject code.

            Source https://stackoverflow.com/questions/55772133

            QUESTION

            Unhandled exception thrown: read access violation error when accessing dos header of DLL
            Asked 2020-May-07 at 03:39

            I am trying to access the dos header of a DLL PE file. I am getting the address of the IMAGE_DOS_HEADER from the PEB of my process. I am getting the address by accessing the PEB, then accessing the LDR and then scanning the InMemoryOrderModuleList until I find the DLL I want to access (in this case the kernel32.DLL), and use the dllbase to convert it to IMAGE_DOS_HEADER. After getting the DLL base I am getting the following error:

            ...

            ANSWER

            Answered 2020-May-07 at 03:39

            And your currentitem_InMemoryOrderModuleList is just a pointer to LIST_ENTRY. And this LIST_ENTRY is an InMemoryOrderLinks field in LDR_DATA_TABLE_ENTRY. You can adjust the pointer to point to the enclosing structure before using it.

            Refer to "PEB (Process Environment Block) invalid DllBase address", "CONTAINING_RECORD" (Which returns the base address of an instance of a structure given the type of the structure and the address of a field within the containing structure.).

            The following code works for me. You can have a try:

            Source https://stackoverflow.com/questions/61639086

            QUESTION

            Calling NtCreateProcessEx fails without exception
            Asked 2020-Apr-04 at 06:11

            I want to call NtCreateProcessEx, but I get no exception and error and nothing happens. Also, I don't want to use CreateProcess. My intention is to create and run a process from a file with this specific function.

            This is what I have tried so far:

            ...

            ANSWER

            Answered 2020-Mar-31 at 07:53

            First of all, the 3rd parameter is a pointer to the OBJECT_ATTRIBUTES:

            Source https://stackoverflow.com/questions/60899305

            QUESTION

            NativeAPI Suspend process
            Asked 2020-Feb-13 at 18:54

            I try to stop some process. I use NativeAPI from ntdll. I wrote some C code, and it works:

            ...

            ANSWER

            Answered 2020-Feb-13 at 18:54
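            ; Process pause: suspend the process identified by pid
            pauseProc proc pid:dword

            ; OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)
            ; (NtSuspendProcess itself only needs PROCESS_SUSPEND_RESUME)
            push pid
            push 0
            push PROCESS_ALL_ACCESS
            call OpenProcess@12

            .IF eax == 0
                PUSH MB_ICONERROR
                PUSH 0
                PUSH offset errorOpenProccess
                PUSH 0
                CALL MessageBoxA@16
                ret                     ; no handle, nothing to suspend
            .ENDIF

            mov processHandle, eax

            ; GetModuleHandleW for the module named by NtModuleNameWStr
            push offset NtModuleNameWStr
            call GetModuleHandleW@4

            ; call GetLastError

            .IF eax == 0
                PUSH MB_ICONERROR
                PUSH 0
                PUSH offset errorGetModuleHandle
                PUSH 0
                CALL MessageBoxA@16
                push processHandle
                call CloseHandle@4      ; do not leak the process handle
                ret
            .ENDIF

            ; GetProcAddress(module handle in eax, NtSuspendProcessAStr)
            push offset NtSuspendProcessAStr
            push eax
            call GetProcAddress@8

            .IF eax == 0
                PUSH MB_ICONERROR
                PUSH 0
                PUSH offset errorGetProcAddress
                PUSH 0
                CALL MessageBoxA@16
                push processHandle
                call CloseHandle@4
                ret                     ; never call through a null pointer
            .ENDIF

            ; Call NtSuspendProcess from dll
            push processHandle
            call eax

            push processHandle
            call CloseHandle@4

            ; pfnNtSuspendProcess
            ret
            pauseProc endp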
            

            Source https://stackoverflow.com/questions/60208565

            QUESTION

            Why do the hooking libraries work only occasionally for API Calls in Windows 10?
            Asked 2019-Jul-23 at 23:40

            I used multiple Hooking libraries e.g. Microsoft Detours Express, Mhook, etc. to hook NtWriteVirtualMemory API calls. I wrote following code to hook the API:

            ...

            ANSWER

            Answered 2017-May-02 at 13:39

            Simple: Your DLL is loaded only into processes that load user32.dll. Some processes do. Others don't. The one you speak of doesn't:

            It's not that the hooking doesn't work. Your DLL isn't even loaded.

            Also, hooking in thread attach is probably not what you want, and unhooking in thread detach is almost certainly not what you want.

            Source https://stackoverflow.com/questions/43707340

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install ntapi

            You can download it from GitHub.
            Rust is installed and managed by the rustup tool. Rust has a 6-week rapid release process and supports a great number of platforms, so there are many builds of Rust available at any time. Please refer to rust-lang.org for more information.

            Support

            Always the latest stable. Some features require a nightly compiler.

            CLONE
          • HTTPS

            https://github.com/MSxDOS/ntapi.git

          • CLI

            gh repo clone MSxDOS/ntapi

          • sshUrl

            git@github.com:MSxDOS/ntapi.git
