From 091120fced1a29e05eed7e57993b774a2f1448d6 Mon Sep 17 00:00:00 2001
From: joaoviictorti
Date: Sat, 5 Jul 2025 16:29:58 -0300
Subject: [PATCH] style: minor code style improvements
---
 shadowx/src/utils/address.rs | 16 +++++++++---
 shadowx/src/utils/file.rs | 8 +++---
 shadowx/src/utils/mdl.rs | 13 +++++++---
 shadowx/src/utils/mod.rs | 47 ++++++++++++++++++-----------------
 shadowx/src/utils/patterns.rs | 34 ++++++++++++++-----------
 5 files changed, 71 insertions(+), 47 deletions(-)
diff --git a/shadowx/src/utils/address.rs b/shadowx/src/utils/address.rs
index 4fc78d3..54f1080 100644
--- a/shadowx/src/utils/address.rs
+++ b/shadowx/src/utils/address.rs
@@ -1,15 +1,25 @@
+use alloc::string::ToString;
 use core::{
 ffi::{CStr, c_void},
 ptr::null_mut,
 slice::from_raw_parts,
 };
-use crate::data::{IMAGE_DOS_HEADER, IMAGE_EXPORT_DIRECTORY, IMAGE_NT_HEADERS};
 use ntapi::ntexapi::SystemModuleInformation;
 use wdk_sys::{NT_SUCCESS, POOL_FLAG_NON_PAGED};
-use {super::pool::PoolMemory, alloc::string::ToString};
-use crate::{Result, SystemModuleInformation, data::ZwQuerySystemInformation, error::ShadowError};
+use super::pool::PoolMemory;
+use crate::data::{
+ IMAGE_DOS_HEADER,
+ IMAGE_EXPORT_DIRECTORY,
+ IMAGE_NT_HEADERS
+};
+use crate::{
+ Result,
+ SystemModuleInformation,
+ data::ZwQuerySystemInformation,
+ error::ShadowError
+};
 /// Gets the base address of a specified module by querying system module information.
 /// This function queries the system for all loaded modules and compares their names
diff --git a/shadowx/src/utils/file.rs b/shadowx/src/utils/file.rs
index 7d668dc..f1fa6cc 100644
--- a/shadowx/src/utils/file.rs
+++ b/shadowx/src/utils/file.rs
@@ -1,3 +1,6 @@
+use alloc::vec::Vec;
+use core::{ffi::c_void, ptr::null_mut};
+
 use wdk_sys::{
 _FILE_INFORMATION_CLASS::FileStandardInformation,
 ntddk::{ZwCreateFile, ZwQueryInformationFile, ZwReadFile},
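Review bot: The hand-wrapped `use` lists added in address.rs are likely to be rewritten by a default `cargo fmt`: the removed one-line forms look like rustfmt's own output, and the new vertical lists drop the trailing comma after the last item (`IMAGE_NT_HEADERS`, `error::ShadowError`). The same holds for the import hunks in mdl.rs, mod.rs and patterns.rs, for the joined `return Err(ShadowError::ApiCallFailed("ZwQuerySystemInformation", status));` lines in mod.rs, and for the joined `let nt_header = …` line in patterns.rs, which is longer than 100 columns. No formatter configuration is part of this patch, so if the layout is intended it needs a committed `rustfmt.toml` or `#[rustfmt::skip]` on these items; otherwise the next formatting run undoes the commit. Ending each vertical list with a comma (`IMAGE_NT_HEADERS,`) also keeps later additions to one-line diffs.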
@@ -5,10 +8,7 @@ use wdk_sys::{
 };
 use super::{InitializeObjectAttributes, handle::Handle};
-use crate::Result;
-use crate::error::ShadowError;
-use alloc::vec::Vec;
-use core::{ffi::c_void, ptr::null_mut};
+use crate::{Result, error::ShadowError};
 /// Reads the content of a file given its path in the NT kernel environment.
 ///
diff --git a/shadowx/src/utils/mdl.rs b/shadowx/src/utils/mdl.rs
index 24284a0..8e465f2 100644
--- a/shadowx/src/utils/mdl.rs
+++ b/shadowx/src/utils/mdl.rs
@@ -1,11 +1,17 @@
 use core::ptr::null_mut;
 use wdk_sys::ntddk::{
- IoAllocateMdl, IoFreeMdl, MmMapLockedPagesSpecifyCache, MmProbeAndLockPages, MmUnlockPages,
+ IoAllocateMdl, IoFreeMdl,
+ MmMapLockedPagesSpecifyCache,
+ MmProbeAndLockPages,
+ MmUnlockPages,
 MmUnmapLockedPages,
 };
 use wdk_sys::{
- _LOCK_OPERATION::IoModifyAccess, _MEMORY_CACHING_TYPE::MmCached,
- _MM_PAGE_PRIORITY::HighPagePriority, _MODE::KernelMode, MDL, MdlMappingNoExecute, PUCHAR,
+ _LOCK_OPERATION::IoModifyAccess,
+ _MEMORY_CACHING_TYPE::MmCached,
+ _MM_PAGE_PRIORITY::HighPagePriority,
+ _MODE::KernelMode, MDL,
+ MdlMappingNoExecute, PUCHAR,
 };
 /// Memory Descriptor List (MDL) wrapper for safe kernel memory modification.
@@ -59,6 +65,7 @@ impl Mdl {
 0,
 HighPagePriority as u32 | MdlMappingNoExecute,
 ) as *mut u8;
+
 if mapped_address.is_null() {
 wdk::println!("Failed to map blocked pages");
 MmUnlockPages(mdl);
diff --git a/shadowx/src/utils/mod.rs b/shadowx/src/utils/mod.rs
index 3a1a832..752a386 100644
--- a/shadowx/src/utils/mod.rs
+++ b/shadowx/src/utils/mod.rs
@@ -5,21 +5,33 @@ use core::{
 slice::from_raw_parts,
 };
+use ntapi::ntexapi::{
+ PSYSTEM_PROCESS_INFORMATION,
+ SystemProcessInformation
+};
 use wdk_sys::{
- _KWAIT_REASON::{DelayExecution, UserRequest, WrAlertByThreadId},
- ntddk::{MmGetSystemRoutineAddress, PsIsThreadTerminating},
+ _KWAIT_REASON::{
+ DelayExecution,
+ UserRequest,
+ WrAlertByThreadId
+ },
+ ntddk::{
+ MmGetSystemRoutineAddress,
+ PsIsThreadTerminating
+ },
 *,
 };
-use ntapi::ntexapi::{PSYSTEM_PROCESS_INFORMATION, SystemProcessInformation};
-
 use crate::data::{
- IMAGE_DOS_HEADER, IMAGE_EXPORT_DIRECTORY, IMAGE_NT_HEADERS, KTHREAD_STATE::Waiting,
+ IMAGE_DOS_HEADER, IMAGE_EXPORT_DIRECTORY,
+ IMAGE_NT_HEADERS, KTHREAD_STATE::Waiting,
 LDR_DATA_TABLE_ENTRY, PEB,
 };
-
 use crate::{
- ZwQuerySystemInformation, attach::ProcessAttach, error::ShadowError, pool::PoolMemory, *,
+ ZwQuerySystemInformation,
+ attach::ProcessAttach,
+ error::ShadowError,
+ pool::PoolMemory, *,
 };
 pub mod address;
@@ -61,10 +73,7 @@ pub unsafe fn find_thread_alertable(target_pid: usize) -> Result<*mut _KTHREAD>
 );
 if !NT_SUCCESS(status) {
- return Err(ShadowError::ApiCallFailed(
- "ZwQuerySystemInformation",
- status,
- ));
+ return Err(ShadowError::ApiCallFailed("ZwQuerySystemInformation", status));
 }
 // Iterate over process information to find the target PID and alertable thread
@@ -76,6 +85,7 @@ pub unsafe fn find_thread_alertable(target_pid: usize) -> Result<*mut _KTHREAD>
 (*process_info).Threads.as_ptr(),
 (*process_info).NumberOfThreads as usize,
 );
+
 for &thread in threads_slice {
 if thread.ThreadState == Waiting as u32
 && thread.WaitReason == WrAlertByThreadId as u32
@@ -134,10 +144,7 @@ pub unsafe fn find_thread(target_pid: usize) -> Result<*mut _KTHREAD> {
 );
 if !NT_SUCCESS(status) {
- return Err(ShadowError::ApiCallFailed(
- "ZwQuerySystemInformation",
- status,
- ));
+ return Err(ShadowError::ApiCallFailed("ZwQuerySystemInformation", status));
 }
 // Iterate over process information to find the target PID and alertable thread
@@ -203,10 +210,7 @@ pub unsafe fn get_function_peb(
 // Access its `PEB`
 let peb = PsGetProcessPeb(process.e_process) as *mut PEB;
 if peb.is_null() || (*peb).Ldr.is_null() {
- return Err(ShadowError::FunctionExecutionFailed(
- "PsGetProcessPeb",
- line!(),
- ));
+ return Err(ShadowError::FunctionExecutionFailed("PsGetProcessPeb", line!()));
 }
 // Traverse the InLoadOrderModuleList to find the module
@@ -313,10 +317,7 @@ pub unsafe fn get_process_by_name(process_name: &str) -> Result {
 );
 if !NT_SUCCESS(status) {
- return Err(ShadowError::ApiCallFailed(
- "ZwQuerySystemInformation",
- status,
- ));
+ return Err(ShadowError::ApiCallFailed("ZwQuerySystemInformation", status));
 }
 let mut process_info = info_process;
diff --git a/shadowx/src/utils/patterns.rs b/shadowx/src/utils/patterns.rs
index b9e51d9..829cb79 100644
--- a/shadowx/src/utils/patterns.rs
+++ b/shadowx/src/utils/patterns.rs
@@ -3,21 +3,30 @@ use core::{
 ptr::{null_mut, read},
 slice::from_raw_parts,
 };
-use obfstr::obfstr;
+use obfstr::obfstr;
 use wdk_sys::{
 _SECTION_INHERIT::ViewUnmap,
- ntddk::{ZwClose, ZwMapViewOfSection, ZwOpenSection, ZwUnmapViewOfSection},
+ ntddk::{
+ ZwClose,
+ ZwMapViewOfSection,
+ ZwOpenSection,
+ ZwUnmapViewOfSection
+ },
 *,
 };
-use {
- super::{InitializeObjectAttributes, address::get_module_base_address},
- crate::{
- Result,
- data::{IMAGE_DOS_HEADER, IMAGE_EXPORT_DIRECTORY, IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER},
- error::ShadowError,
- utils::uni,
+use super::{
+ InitializeObjectAttributes,
+ address::get_module_base_address
+};
+use crate::{
+ Result,
+ error::ShadowError,
+ utils::uni,
+ data::{
+ IMAGE_DOS_HEADER, IMAGE_EXPORT_DIRECTORY,
+ IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER
 },
 };
@@ -206,8 +215,7 @@ pub unsafe fn find_zw_function(name: &str) -> Result {
 ZW_PATTERN[22] = ssn_bytes[1];
 let dos_header = ntoskrnl_addr as *const IMAGE_DOS_HEADER;
- let nt_header =
- (ntoskrnl_addr as usize + (*dos_header).e_lfanew as usize) as *const IMAGE_NT_HEADERS;
+ let nt_header = (ntoskrnl_addr as usize + (*dos_header).e_lfanew as usize) as *const IMAGE_NT_HEADERS;
 let section_header =
 (nt_header as usize + size_of::()) as *const IMAGE_SECTION_HEADER;
@@ -215,10 +223,8 @@ pub unsafe fn find_zw_function(name: &str) -> Result {
 for i in 0..(*nt_header).FileHeader.NumberOfSections as usize {
 let section = (*section_header.add(i)).Name;
 let name = core::str::from_utf8(§ion).unwrap().trim_matches('\0');
-
 if name == obfstr!(".text") {
- let text_start =
- ntoskrnl_addr as usize + (*section_header.add(i)).VirtualAddress as usize;
+ let text_start = ntoskrnl_addr as usize + (*section_header.add(i)).VirtualAddress as usize;
 let text_end = text_start + (*section_header.add(i)).Misc.VirtualSize as usize;
 let data = core::slice::from_raw_parts(text_start as *const u8, text_end - text_start);
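Review bot: `(*dos_header).e_lfanew` is used to compute `nt_header` on the line directly after `dos_header` is formed from `ntoskrnl_addr`, with no check of the DOS or NT signature between the two. In kernel mode an unexpected base address turns the later `(*nt_header).FileHeader.NumberOfSections` read into an invalid memory access that crashes the system instead of producing an `Err`. A guard before the section walk that returns `Err(ShadowError::FunctionExecutionFailed("find_zw_function", line!()))` when the signatures do not match would keep the failure recoverable; this assumes the crate's header structs expose the usual `e_magic` and `Signature` fields. find_zw_function starts and ends outside the hunk.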
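Review bot: The `core::str::from_utf8(...).unwrap()` call on the section name panics when the 8-byte `Name` field is not valid UTF-8, and a panic inside a kernel driver generally brings the system down rather than returning an error. Skipping such a section keeps the loop safe: `let Ok(name) = core::str::from_utf8(&section) else { continue };` followed by `let name = name.trim_matches('\0');`. The binding also shadows the function's `name: &str` parameter shown in the hunk header, so a distinct name such as `section_name` would avoid confusing the two. The loop body continues outside the hunk.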