Skip to content

alexlee820/RustEatNETLoader

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
images
images
 
 
src
src
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
readme.md
readme.md
 
 

Repository files navigation

RustEATNETLoader

RustEATNETLoader is a exe version of RustEATNETLoader to load .NET assembly by using clroxide library .This is just a practise for me to write some rust stuff.

When writing an eat hook in Rust, many troublesome issues emerged. Due to Rust's memory protection mechanisms, the eat hook for Windows libraries encountered problems because the addresses of the Windows libraries are relatively high, while our dummy function is located at a lower position. When we attempt to change the RVA of the target function, the RVA becomes negative because the address of our dummy function is smaller than that of the Windows API we want to hook. However, since the RVA is stored using DWORD/ULONG, which only occupies 8 bytes, when the RVA we obtain is negative, it gets truncated, resulting in a positive RVA instead. Therefore, the redirection is not to our dummy function but to an incorrect location. This is why we also found that sometimes using inline-ea would cause crashes, but I haven't actually debugged it, so I'm not sure if this is the cause. So now you might ask how we can solve this. Actually, the solution is quite simple. We just need to set up a trampoline and use some high-level library functions in Windows, such as MessageBoxA. We patch MessageBoxA to do mov rax, 1; ret; The assembly code, then change the RVA of EventWrite and AMSIscanbuffer in the eat hook to MessageBoxA minus their library base (amsi.dll and advapi32.dll), then our hook will be successful. Here, we don't need to worry. After testing, edr only temporarily monitors the patching of specific functions, so our patching won't cause an alert to appear.

This repo includes:

  • EAT hook Amsi.dll!AmsiScanBuffer and advapi32!Event
  • Patching CLR.dll AmsiScanbuffer string
  • Patching MessageboxA via indirect syscall to create trampoline

Pending Improve/Research

  • VirtualProtect in EAT hook (When I am using the NtProtectVirtualMemory , the CLR donot know why can't run without any error. If anyone know why ,can make a pull request.)
  • EAT Hook Fail to Bypass AMSI . When I have EAT hooked the Amsiscanbuffer to MessageboxA, but don't know why the messageboxA return 1 ,it still enter to the code which identify the contents as malicious

ETW bypass

Credits

Inline-ea - https://github.com/EricEsquivel/Inline-EA
RustPatchlessCLRLoader - https://github.com/c2pain/RustPatchlessCLRLoader/tree/main
clroxide - https://github.com/yamakadi/clroxide
rust hook - https://github.com/aurexav/hook-in-rust/tree/master/messagebox-eat-hook

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

2 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages