dinvk

Dynamically invoke arbitrary code with Rust tricks, #[no_std] support, and compatibility for x64, x86, ARM64 and WoW64 (DInvoke)

This tool is a Rust version of DInvoke, originally written in C#, with additional features added.

Table of Contents

• Features
• Getting started
• Usage
  • Dynamically Invoke Arbitrary Code
  • Retrieving Module Addresses and Exported APIs
  • Indirect syscall
  • Different Hash Methods for API Hashing
  • Tampered Syscalls Via Hardware BreakPoints
  • Support for no_std Environments
• License

Features

• ✅ Dynamically invoke arbitrary code (x64, x86, Wow64, ARM64).
• ✅ Indirect Syscall (x64, x86, Wow64).
• ✅ Tampered Syscalls Via Hardware BreakPoints (x64, x86, Wow64).
• ✅ Supports #[no_std] environments (with alloc).
• ✅ Retrieve exported API addresses via string, ordinal, and hashing.
• ✅ Retrieve module addresses via string and hashing.
• ✅ Supports multiple 32-bit hash algorithms for API Hashing using get_module_address and get_proc_address: Jenkins3, Jenkins One-at-a-Time, DJB2, Murmur3, FNV-1a, SDBM, Lose, PJW, JS, and AP.

Getting started

Add dinvk to your project by updating your Cargo.toml:

cargo add dinvk

Usage

dinvk provides several features for invoking code dynamically, performing indirect syscalls and manipulating exported modules and APIs. Below are detailed examples of how to use each feature.

Dynamically Invoke Arbitrary Code

Allows resolving and calling a function dynamically at runtime, avoiding static linking.

• This example demonstrates the dynamic invocation of arbitrary code using dinvoke!, resolving function addresses at runtime without direct linking. In this case, HeapAlloc is dynamically called to allocate memory.
• Using this macro is beneficial if you want to avoid having APIs directly listed in the Import Address Table (IAT) of your PE file.

use dinvk::module::get_module_address;
use dinvk::winapis::GetProcessHeap;
use dinvk::{types::HeapAllocFn, dinvoke};

const HEAP_ZERO_MEMORY: u32 = 8u32;

let kernel32 = get_module_address("KERNEL32.DLL", None);
let addr = dinvoke!(
    kernel32,
    "HeapAlloc",
    HeapAllocFn,
    GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    0x200
);

println!("[+] Address: {:?}", addr);

Retrieving Module Addresses and Exported APIs

Retrieves the base address of a module and resolves exported APIs using different methods: by string, ordinal, or hash.

• In this example, the address of the KERNEL32 module is retrieved using both a string and a hash (Jenkins hash).
• Then, the LoadLibrary function address is resolved using the same methods, with an additional example using an ordinal number.

use dinvk::module::{get_module_address, get_proc_address};
use dinvk::hash::jenkins;

// Retrieving module address via string and hash
let kernel32 = get_module_address("KERNEL32.DLL", None);
let kernel32 = get_module_address(3425263715u32, Some(jenkins));

// Retrieving exported API address via string, ordinal and hash
let addr = get_proc_address(kernel32, "LoadLibraryA", None);
let addr = get_proc_address(kernel32, 3962820501u32, Some(jenkins));
let addr = get_proc_address(kernel32, 997, None);

Indirect syscall

Executes syscalls indirectly, bypassing user-mode API hooks and security monitoring tools.

• Currently supporting x64, x86 and WoW64.
• It uses techniques such as Hells Gate, Halos Gate, and Tartarus Gate to dynamically locate the System Service Number (SSN) and invoke the syscall indirectly.

use std::{ffi::c_void, ptr::null_mut};
use dinvk::winapis::{NT_SUCCESS, NtCurrentProcess};
use dinvk::{Dll, syscall, types::HANDLE};

// Memory allocation using a syscall
let mut addr = null_mut::<c_void>();
let mut size = (1 << 12) as usize;
let status = syscall!("NtAllocateVirtualMemory", NtCurrentProcess(), &mut addr, 0, &mut size, 0x3000, 0x04)
    .ok_or("syscall resolution failed")?;

if !NT_SUCCESS(status) {
    eprintln!("[-] NtAllocateVirtualMemory Failed With Status: {}", status);
    return Ok(());
}

Different Hash Methods for API Hashing

Supports various hashing algorithms for API resolution, improving stealth and flexibility.

• Currently, the library only supports 32-bit hashes for API lookup.

use dinvk::hash::*;

println!("{}", jenkins("dinvk"));
println!("{}", jenkins3("dinvk"));
println!("{}", ap("dinvk"));
println!("{}", js("dinvk"));
println!("{}", murmur3("dinvk"));
println!("{}", fnv1a("dinvk"));
println!("{}", djb2("dinvk"));
println!("{}", crc32ba("dinvk"));
println!("{}", loselose("dinvk"));
println!("{}", pjw("dinvk"));
println!("{}", sdbm("dinvk"));

Tampered Syscalls Via Hardware BreakPoints

Utilizes hardware breakpoints to manipulate syscall parameters before execution, bypassing security hooks.

• The library includes several API wrappers that leverage DInvoke and support hardware breakpoints to spoof syscall arguments dynamically.
• These breakpoints modify syscall parameters after security monitoring tools inspect them but before the syscall executes, effectively bypassing detection.
• Currently supporting x64, x86 and WoW64.
• You can find the full list of wrapped functions in the winapis module.

use dinvk::{
    types::HANDLE,
    breakpoint::{
        set_use_breakpoint, 
        veh_handler
    },
};
use dinvk::winapis::{
    NT_SUCCESS,
    NtAllocateVirtualMemory,
    AddVectoredExceptionHandler, 
    RemoveVectoredExceptionHandler,
};

// Enabling breakpoint hardware
set_use_breakpoint(true);
let handle = AddVectoredExceptionHandler(0, Some(veh_handler));

// Allocating memory and using breakpoint hardware
let mut addr = std::ptr::null_mut();
let mut size = 1 << 12;
let status = NtAllocateVirtualMemory(-1isize as HANDLE, &mut addr, 0, &mut size, 0x3000, 0x04);
if !NT_SUCCESS(status) {
    eprintln!("[-] NtAllocateVirtualMemory Failed With Status: {}", status);
    return Ok(());
}

// Disabling breakpoint hardware
set_use_breakpoint(false);
RemoveVectoredExceptionHandler(handle);

Support for no_std Environments

Enables #[no_std] compatibility for environments without the Rust standard library.

• To enable #[no_std] support, define the required features in your Cargo.toml.

[dependencies]
dinvk = { version = "<version>", features = ["alloc", "panic"] }

• Running in #[no_std] Mode.

#![no_std]
#![no_main]

use dinvk::allocator::WinHeap;
use dinvk::module::{get_ntdll_address, get_proc_address};
use dinvk::println;

#[unsafe(no_mangle)]
fn main() -> u8 {
    let addr = get_proc_address(get_ntdll_address(), "NtOpenProcess", None);
    println!("[+] NtOpenProcess: {:?}", addr);

    0
}

#[global_allocator]
static ALLOCATOR: WinHeap = WinHeap;

#[cfg(not(test))]
#[panic_handler]
fn panic(info: &core::panic::PanicInfo) -> ! {
    dinvk::panic::panic_handler(info)
}

License

dinvk is licensed under either of

• Apache License, Version 2.0, (LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0)
• MIT license (LICENSE-MIT or https://opensource.org/licenses/MIT)

at your option.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in dinvk by you, as defined in the Apache-2.0 license, shall be dually licensed as above, without any additional terms or conditions.