Fadavvi
diff --git a/‎Api_Hooking/Cargo.toml‎
Lines changed: 17 additions & 0 deletions b/‎Api_Hooking/Cargo.toml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎Api_Hooking/README.md‎
Lines changed: 73 additions & 0 deletions b/‎Api_Hooking/README.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎Api_Hooking/demp.gif‎
302 KB b/‎Api_Hooking/demp.gif‎
302 KB
diff --git a/‎Api_Hooking/src/main.rs‎
Lines changed: 235 additions & 0 deletions b/‎Api_Hooking/src/main.rs‎
Lines changed: 235 additions & 0 deletions
diff --git a/‎Custom_Shellcode/README.md‎
Lines changed: 5 additions & 0 deletions b/‎Custom_Shellcode/README.md‎
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,17 @@
+[package]
+name = "Api_Hooking"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+widestring = "1.2.0"
+winapi = { version = "0.3", features = [
+    "libloaderapi",
+    "memoryapi",
+    "processthreadsapi",
+    "errhandlingapi",
+    "minwindef",
+    "winuser",
+    "ntdef",
+    "windef"
+] }
@@ -0,0 +1,73 @@
+
+# System API Interceptor
+
+## Name of the Code
+System API Interceptor (`api_interceptor.rs`)
+
+![Demo](./demp.gif)
+## Explanation
+The System API Interceptor is a Rust-based utility for intercepting and monitoring Windows API calls, specifically targeting the `MessageBoxA` function in `user32.dll`. It employs inline function hooking via a trampoline to redirect calls to a custom handler, log parameters, and invoke `MessageBoxW` with modified text.
+
+### How It Works [Step-By-Step]
+1. **Interceptor Structure (`ApiInterceptor`)**:
+   - Stores the target function address (`MessageBoxA`), replacement function address, original code bytes, and original memory protection state.
+   - Uses a fixed-size array (`INTERCEPTOR_SIZE`) for storing original bytes (14 bytes for 64-bit, 5 bytes for 32-bit).
+
+2. **Setup (`setup_interceptor`)**:
+   - Resolves `MessageBoxA` address using `GetModuleHandleA` and `GetProcAddress`.
+   - Copies the first `INTERCEPTOR_SIZE` bytes of `MessageBoxA` to preserve the original code.
+   - Changes memory protection to `PAGE_EXECUTE_READWRITE` using `VirtualProtect` to allow code modification.
+
+3. **Activation (`activate_interceptor`)**:
+   - Constructs a trampoline to redirect execution:
+     - **64-bit**: Uses `jmp [rip+0]` (6 bytes) followed by an 8-byte absolute address of the custom handler.
+     - **32-bit**: Uses `jmp <relative>` (5 bytes) with a relative offset to the custom handler.
+   - Writes the trampoline to the `MessageBoxA` entry point, ensuring minimal instruction overwriting.
+
+4. **Custom Handler (`custom_dialog`)**:
+   - Logs input parameters (`lpText`, `lpCaption`) using `CStr::to_string_lossy`.
+   - Converts new text to UTF-16 using `WideCString` for `MessageBoxW`.
+   - Calls `MessageBoxW` with modified text ("Smukx Is Good") and caption ("System Dialog").
+
+5. **Deactivation (`deactivate_interceptor`)**:
+   - Restores the original `MessageBoxA` bytes from the stored copy.
+   - Reverts memory protection to its original state using `VirtualProtect`.
+   - Clears the interceptor structure to prevent reuse.
+
+6. **Safety Considerations**:
+   - Uses `unsafe` blocks for WinAPI calls and pointer operations, ensuring controlled access.
+   - Validates pointers and handles errors from WinAPI functions (e.g., `GetLastError`).
+   - Maintains thread safety by avoiding shared mutable state.
+
+### Key Features
+- **Cross-Architecture**: Adapts trampoline construction for 32-bit and 64-bit systems.
+- **Non-Invasive**: Preserves original function behavior during deactivation.
+- **Error Handling**: Checks for null pointers and failed WinAPI calls.
+- **Logging**: Outputs parameter details for debugging and monitoring.
+
+## How to Compile and Use It
+
+1. **Compilation**:
+   - Build: `cargo build --release`.
+   - Output: `target/release/Api_Hooking.exe`.
+
+2. **Execution**:
+   - Run: `target/release/Api_Hooking.exe`.
+   - Behavior:
+     - Displays an initial `MessageBoxA` dialog.
+     - Activates interceptor, showing a modified `MessageBoxW` dialog.
+     - Deactivates interceptor and shows a final `MessageBoxA` dialog.
+     - Exits on Enter key press.
+   - Run as administrator if memory protection changes fail.
+
+3. Download the Snippet: [Download](https://download.5mukx.site/#/home?url=https://github.com/Whitecat18/Rust-for-Malware-Development/tree/main/Api_Hooking)
+
+## Credits
+
+- https://github.com/ZeroMemoryEx/TrampHook
+- https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++
+- https://www.packtpub.com/en-us/product/mastering-malware-analysis-9781789610789/chapter/inspecting-process-injection-and-api-hooking-6/section/inline-api-hooking-with-trampoline-ch06lvl1sec86
+
+## Author
+
+[@5mukx](https://x.com/5mukx)
@@ -0,0 +1,235 @@
+/*
+    Windows API Hooking using Trampoline
+    @5mukx
+*/
+
+use std::{
+    ffi::{CStr, CString},
+    ptr::null_mut,
+};
+
+use widestring::WideCString;
+use winapi::{
+    shared::{
+        minwindef::{DWORD, LPVOID, UINT},
+        ntdef::{LPCSTR, LPWSTR},
+        windef::HWND,
+    },
+    um::{
+        errhandlingapi::GetLastError,
+        libloaderapi::{GetModuleHandleA, GetProcAddress},
+        memoryapi::VirtualProtect,
+        winnt::PAGE_EXECUTE_READWRITE,
+        winuser::{MB_ICONINFORMATION, MB_OK, MessageBoxA, MessageBoxW},
+    },
+};
+
+const INTERCEPTOR_SIZE: usize = 14;
+
+#[repr(C)]
+struct ApiInterceptor {
+    target_function: LPVOID,
+    replacement_function: LPVOID,
+    original_code: [u8; INTERCEPTOR_SIZE],
+    original_protection: DWORD,
+}
+
+impl ApiInterceptor {
+    fn new() -> Self {
+        ApiInterceptor {
+            target_function: null_mut(),
+            replacement_function: null_mut(),
+            original_code: [0; INTERCEPTOR_SIZE],
+            original_protection: 0,
+        }
+    }
+}
+
+fn main() {
+    unsafe {
+        let user32 = GetModuleHandleA("user32.dll\0".as_ptr() as *const i8);
+        let dialog_func = GetProcAddress(user32, "MessageBoxA\0".as_ptr() as *const i8);
+
+        let mut interceptor = ApiInterceptor::new();
+        if !setup_interceptor(
+            dialog_func as LPVOID,
+            custom_dialog as LPVOID,
+            &mut interceptor,
+        ) {
+            println!("[ERROR] Interceptor setup failed");
+            return;
+        }
+
+        let text1 = CString::new("Testing Smukx System").unwrap();
+        let caption1 = CString::new("System Info").unwrap();
+
+        MessageBoxA(
+            null_mut(),
+            text1.as_ptr(),
+            caption1.as_ptr(),
+            MB_OK | MB_ICONINFORMATION,
+        );
+
+        println!("[INFO] Activating API interceptor...");
+
+        if !activate_interceptor(&mut interceptor) {
+            println!("[ERROR] Interceptor activation failed");
+            return;
+        }
+        println!("[INFO] Interceptor activated");
+
+        let text2 = CString::new("Smukx Is Great").unwrap();
+        let caption2 = CString::new("System Info").unwrap();
+
+        MessageBoxA(
+            null_mut(),
+            text2.as_ptr(),
+            caption2.as_ptr(),
+            MB_OK | MB_ICONINFORMATION,
+        );
+
+        println!("[INFO] Deactivating API interceptor...");
+        if !deactivate_interceptor(&mut interceptor) {
+            println!("[ERROR] Interceptor deactivation failed");
+            return;
+        }
+        println!("[INFO] Interceptor deactivated");
+
+        let text3 = CString::new("Smukx System Restored").unwrap();
+        let caption3 = CString::new("System Info").unwrap();
+        MessageBoxA(
+            null_mut(),
+            text3.as_ptr(),
+            caption3.as_ptr(),
+            MB_OK | MB_ICONINFORMATION,
+        );
+    }
+
+    println!("[INFO] PoC Demonstrated Successfully");
+
+}
+
+fn setup_interceptor(
+    target_function: LPVOID,
+    replacement_function: LPVOID,
+    interceptor: &mut ApiInterceptor,
+) -> bool {
+    if target_function.is_null() || replacement_function.is_null() {
+        return false;
+    }
+
+    interceptor.target_function = target_function;
+    interceptor.replacement_function = replacement_function;
+
+    unsafe {
+        std::ptr::copy_nonoverlapping(
+            target_function as *const u8,
+            interceptor.original_code.as_mut_ptr(),
+            INTERCEPTOR_SIZE,
+        );
+
+        let mut old_protection: DWORD = 0;
+        if VirtualProtect(
+            target_function,
+            INTERCEPTOR_SIZE,
+            PAGE_EXECUTE_READWRITE,
+            &mut old_protection,
+        ) == 0
+        {
+            println!("[!] Memory protection change failed: {}", GetLastError());
+            return false;
+        }
+        interceptor.original_protection = old_protection;
+    }
+    true
+}
+
+fn activate_interceptor(interceptor: &mut ApiInterceptor) -> bool {
+    if interceptor.target_function.is_null() || interceptor.replacement_function.is_null() {
+        return false;
+    }
+
+    unsafe {
+        {
+            let interceptor_code: [u8; INTERCEPTOR_SIZE] = [
+                0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            ];
+            let patch = interceptor.replacement_function as u64;
+            std::ptr::copy_nonoverlapping(
+                &patch as *const _ as *const u8,
+                (interceptor.target_function as *mut u8).offset(6),
+                std::mem::size_of::<u64>(),
+            );
+
+            std::ptr::copy_nonoverlapping(
+                interceptor_code.as_ptr(),
+                interceptor.target_function as *mut u8,
+                6,
+            );
+        }
+    }
+    true
+}
+
+fn deactivate_interceptor(interceptor: &mut ApiInterceptor) -> bool {
+    if interceptor.target_function.is_null() {
+        return false;
+    }
+
+    unsafe {
+        std::ptr::copy_nonoverlapping(
+            interceptor.original_code.as_ptr(),
+            interceptor.target_function as *mut u8,
+            INTERCEPTOR_SIZE,
+        );
+
+        std::ptr::write_bytes(interceptor.original_code.as_mut_ptr(), 0, INTERCEPTOR_SIZE);
+
+        let mut old_protection: DWORD = 0;
+        if VirtualProtect(
+            interceptor.target_function,
+            INTERCEPTOR_SIZE,
+            interceptor.original_protection,
+            &mut old_protection,
+        ) == 0
+        {
+            println!(
+                "[!] Memory protection restoration failed: {}",
+                GetLastError()
+            );
+            return false;
+        }
+
+        interceptor.target_function = null_mut();
+        interceptor.replacement_function = null_mut();
+        interceptor.original_protection = 0;
+    }
+
+    true
+}
+
+unsafe extern "system" fn custom_dialog(
+    hwnd: HWND,
+    lp_text: LPCSTR,
+    lp_caption: LPCSTR,
+    u_type: UINT,
+) -> i32 {
+    let text = unsafe { CStr::from_ptr(lp_text) }.to_string_lossy();
+    let caption = unsafe { CStr::from_ptr(lp_caption) }.to_string_lossy();
+
+    println!("[INFO] Dialog Parameters:");
+    println!("\tText: {}", text);
+    println!("\tCaption: {}", caption);
+
+    let new_text = WideCString::from_str("Smukx Is Good").unwrap();
+    let new_caption = WideCString::from_str("System Dialog").unwrap();
+
+    unsafe {
+        MessageBoxW(
+            hwnd,
+            new_text.as_ptr() as LPWSTR,
+            new_caption.as_ptr() as LPWSTR,
+            u_type,
+        )
+    }
+}
@@ -0,0 +1,5 @@
+# Custom Shellcode Template Section
+
+This series Work In Progress .....
+
+![Work](https://havocframework.com/images/Spiderman_work.png)