Reboare · November 26, 2020 21:35
diff --git a/spawn_blockdll.rs b/spawn_blockdll.rs
 use std::ptr::null_mut;
 use std::mem::{size_of, transmute};
 use std::ffi::CString;
 use winapi::shared::minwindef::{BYTE, TRUE};
 use winapi::um::processthreadsapi::{InitializeProcThreadAttributeList, LPSTARTUPINFOA, CreateProcessA,
 				PROC_THREAD_ATTRIBUTE_LIST, UpdateProcThreadAttribute,
 				PROCESS_INFORMATION};
 use winapi::shared::ntdef::PVOID;
 use winapi::um::winbase::STARTUPINFOEXA;
 
 const PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON: u64 = 0x100000000000;
 const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY: usize = 0x00020007;
 const EXTENDED_STARTUPINFO_PRESENT: u32 = 0x00080000;

 fn main() {
 	let pid = spawn_blockdll("notepad".to_string());
 	println!("You spawned a blockdll process with pid: {0}", pid)
 }

 pub fn spawn_blockdll(program: String) -> usize {
 	// Initialize process variables with defaults
 	// This has the unexpected benefit of spoofing our PPID
 	let mut pi = PROCESS_INFORMATION::default();
 	let mut si = STARTUPINFOEXA::default();
 	let mut size = 0;
 	
 	// Convert the
 	let exe_name = CString::new(program).expect("CString creation failed!");
 	
 	// Calculate the length of PROC_THREAD_ATTRIBUTE_LIST
 	unsafe { 
 		InitializeProcThreadAttributeList(&mut PROC_THREAD_ATTRIBUTE_LIST::default(), 1,0, &mut size); 
 	}
 	
 	// Attribute list which will be modified
 	let mut attributes: Box<[BYTE]> = vec![0; size].into_boxed_slice();
 	si.lpAttributeList = attributes.as_mut_ptr() as _;
 	
 	unsafe{
 		//Initialize our attribute list
 		InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &mut size);
 		
 		// Update the attribute list with the relevant mitigation policy
 		UpdateProcThreadAttribute(
 			si.lpAttributeList, 
 			0, 
 			PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, 
 			transmute::<&mut u64, PVOID>(&mut PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON), 
 			size_of::<u64>(), 
 			null_mut(), 
 			null_mut());
 		
 		// Spawn a process using the attribute list
 		CreateProcessA(
 			null_mut(), 
 			exe_name.into_raw(), 
 			null_mut(), 
 			null_mut(), 
 			TRUE, 
 			EXTENDED_STARTUPINFO_PRESENT, 
 			null_mut(), 
 			null_mut(), 
 			&mut si.StartupInfo as LPSTARTUPINFOA, 
 			&mut pi
 		);
 	}
 	// Return our process ID
 	pi.dwProcessId as usize
 }

 #[derive(Copy, Clone)]
 enum PROCESS_CREATION_FLAG {
    CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
    CREATE_SUSPENDED = 0x00000004,
    EXTENDED_STARTUPINFO_PRESENT = 0x00080000
 }

 type process_cr_flags = Vec<PROCESS_CREATION_FLAG>;

    fn flatten(v: process_cr_flags) -> u32 {
        v.iter().fold(0u32, |x, y| x|(*y as u32))
    }
	use std::ptr::null_mut;
	use std::mem::{size_of, transmute};
	use std::ffi::CString;
	use winapi::shared::minwindef::{BYTE, TRUE};
	use winapi::um::processthreadsapi::{InitializeProcThreadAttributeList, LPSTARTUPINFOA, CreateProcessA,
	PROC_THREAD_ATTRIBUTE_LIST, UpdateProcThreadAttribute,
	PROCESS_INFORMATION};
	use winapi::shared::ntdef::PVOID;
	use winapi::um::winbase::STARTUPINFOEXA;

	const PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON: u64 = 0x100000000000;
	const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY: usize = 0x00020007;
	const EXTENDED_STARTUPINFO_PRESENT: u32 = 0x00080000;

	fn main() {
	let pid = spawn_blockdll("notepad".to_string());
	println!("You spawned a blockdll process with pid: {0}", pid)
	}

	pub fn spawn_blockdll(program: String) -> usize {
	// Initialize process variables with defaults
	// This has the unexpected benefit of spoofing our PPID
	let mut pi = PROCESS_INFORMATION::default();
	let mut si = STARTUPINFOEXA::default();
	let mut size = 0;

	// Convert the
	let exe_name = CString::new(program).expect("CString creation failed!");

	// Calculate the length of PROC_THREAD_ATTRIBUTE_LIST
	unsafe {
	InitializeProcThreadAttributeList(&mut PROC_THREAD_ATTRIBUTE_LIST::default(), 1,0, &mut size);
	}

	// Attribute list which will be modified
	let mut attributes: Box<[BYTE]> = vec![0; size].into_boxed_slice();
	si.lpAttributeList = attributes.as_mut_ptr() as _;

	unsafe{
	//Initialize our attribute list
	InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &mut size);

	// Update the attribute list with the relevant mitigation policy
	UpdateProcThreadAttribute(
	si.lpAttributeList,
	0,
	PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
	transmute::<&mut u64, PVOID>(&mut PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON),
	size_of::<u64>(),
	null_mut(),
	null_mut());

	// Spawn a process using the attribute list
	CreateProcessA(
	null_mut(),
	exe_name.into_raw(),
	null_mut(),
	null_mut(),
	TRUE,
	EXTENDED_STARTUPINFO_PRESENT,
	null_mut(),
	null_mut(),
	&mut si.StartupInfo as LPSTARTUPINFOA,
	&mut pi
	);
	}
	// Return our process ID
	pi.dwProcessId as usize
	}

	#[derive(Copy, Clone)]
	enum PROCESS_CREATION_FLAG {
	CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
	CREATE_SUSPENDED = 0x00000004,
	EXTENDED_STARTUPINFO_PRESENT = 0x00080000
	}

	type process_cr_flags = Vec<PROCESS_CREATION_FLAG>;

	fn flatten(v: process_cr_flags) -> u32 {
	v.iter().fold(0u32, \|x, y\| x\|(*y as u32))
	}