bananaphone

package
v0.0.0-...-6585e59
Published: Feb 20, 2022 License: MIT Imports: 10 Imported by: 25

Documentation

Constants

This section is empty.

Variables

var HookCheck = []byte{0x4c, 0x8b, 0xd1, 0xb8}

HookCheck is the byte sequence expected at the start of an unhooked x64 syscall stub:

mov r10, rcx ;(4c 8b d1)
mov eax, sysid ;(b8 <sysid as a little-endian imm32>)

If a resolved function does not begin with these bytes (for example because an EDR has patched a jmp over them), the sysid cannot be read from the stub directly and a MayBeHookedError is returned instead.

Functions

func GetModuleLoadedOrder

func GetModuleLoadedOrder(i int) (start uintptr, size uintptr, modulepath string)

GetModuleLoadedOrder returns the start address, image size and path of the module at position i in the process load order. This is useful if there is a function you need that isn't in ntdll, or if some rude individual has loaded themselves before ntdll and you need to skip past them.

func GetNtdllStart

func GetNtdllStart() (start uintptr, size uintptr)

GetNtdllStart returns the start address and image size of ntdll as loaded in the current process.

func GetPEB

func GetPEB() uintptr

GetPEB returns the in-memory address of the PEB (Process Environment Block) of the current process without making any API calls.

func GetSysIDFromDisk

func GetSysIDFromDisk(funcname string) (uint16, error)

GetSysIDFromDisk takes the exported syscall name and returns the syscall ID it refers to. This function reads the ntdll file _on disk_, so the corresponding file-open and read events will be visible to file-system monitoring (EDR, audit logging).

func GetSysIDFromDiskOrd

func GetSysIDFromDiskOrd(ordinal uint32) (uint16, error)

GetSysIDFromDiskOrd takes the export ordinal and returns the syscall ID it refers to. This function reads the ntdll file _on disk_, so the corresponding file-open and read events will be visible to file-system monitoring (EDR, audit logging).

func GetSysIDFromMemory

func GetSysIDFromMemory(funcname string) (uint16, error)

GetSysIDFromMemory takes the exported syscall name and returns the syscall ID it refers to, read from the stub of the ntdll image already loaded in the process. It does not use a clean copy of the DLL: if AV/EDR has hooked the in-memory ntdll module, the stub bytes will not match HookCheck and the result of this call may be wrong or a MayBeHookedError.

func InMemLoads

func InMemLoads() (map[string]Image, error)

InMemLoads returns a map from the path of each DLL loaded in the current process to its Image (base address and size), gathered by walking the PEB loader data. No syscalls are made.

func Syscall

func Syscall(callid uint16, argh ...uintptr) (errcode uint32, err error)

Syscall invokes the system call with number callid, passing the supplied arguments. It works much the same as syscall.Syscall: errcode is the raw status returned by the call (an NTSTATUS for Nt* functions) and err carries optional error text. All arguments are uintptrs to keep the signature simple.

func WriteMemory

func WriteMemory(inbuf []byte, destination uintptr)

WriteMemory writes the provided bytes to the specified memory address. It does **not** check page permissions and may panic (or crash the process) if the destination is not writable.

Types

type BananaPhone

type BananaPhone struct {
	// contains filtered or unexported fields
}

BananaPhone resolves the SysIDs used for direct syscalls while making minimal API calls. These IDs can be used with functions such as NtAllocateVirtualMemory, as defined in functions.go.

func NewBananaPhone

func NewBananaPhone(t PhoneMode) (*BananaPhone, error)

NewBananaPhone creates a new BananaPhone instance whose resolution behaviour is selected by t. Use AutoBananaPhoneMode if you're not sure.

Possible values:

  • MemoryBananaPhoneMode
  • DiskBananaPhoneMode
  • AutoBananaPhoneMode
  • HalosGateBananaPhoneMode

func NewBananaPhoneNamed

func NewBananaPhoneNamed(t PhoneMode, name, diskpath string) (*BananaPhone, error)

NewBananaPhoneNamed creates a new BananaPhone instance whose resolution behaviour is selected by t, resolving against the module given by name rather than ntdll. Use AutoBananaPhoneMode if you're not sure which mode to pick, and supply diskpath; the path is only used by the disk and auto modes.

Possible values:

  • MemoryBananaPhoneMode
  • DiskBananaPhoneMode
  • AutoBananaPhoneMode
  • HalosGateBananaPhoneMode

func NewSystemBananaPhoneNamed

func NewSystemBananaPhoneNamed(t PhoneMode, name, diskpath string) *BananaPhone

NewSystemBananaPhoneNamed is a passthrough to NewBananaPhoneNamed that drops the error, so it can be used as a package-level variable initialiser alongside mkwinsyscall-generated code. The returned pointer may be nil if resolution failed, and nothing here checks for that; callers must.

func (*BananaPhone) GetFuncPtr

func (b *BananaPhone) GetFuncPtr(funcname string) (uint64, error)

GetFuncPtr returns the virtual address of the named export in the resolved module.

func (*BananaPhone) GetSysID

func (b *BananaPhone) GetSysID(funcname string) (uint16, error)

GetSysID resolves the provided function name into a sysid.

func (*BananaPhone) GetSysIDOrd

func (b *BananaPhone) GetSysIDOrd(ordinal uint32) (uint16, error)

GetSysIDOrd resolves the provided ordinal into a sysid.

func (*BananaPhone) NewProc

func (b *BananaPhone) NewProc(funcname string) BananaProcedure

NewProc emulates the NewProc call of Go's LazyDLL (syscall / golang.org/x/sys/windows), returning a procedure whose address can be read with Addr. :-)

type BananaProcedure

type BananaProcedure struct {
	// contains filtered or unexported fields
}

BananaProcedure is the BananaPhone counterpart of a Go LazyProc: a resolved export whose address is available via Addr.

func (BananaProcedure) Addr

func (b BananaProcedure) Addr() uintptr

Addr returns the address of this procedure

type Image

type Image struct {
	BaseAddr uint64
	Size     uint64
}

Image contains info about a loaded image: just a base address and a size, which is enough for anyone with a PE parser to pull the image out of memory.

type LdrDataTableEntry

type LdrDataTableEntry struct {
	InLoadOrderLinks           ListEntry
	InMemoryOrderLinks         ListEntry
	InInitializationOrderLinks ListEntry
	DllBase                    *uintptr
	EntryPoint                 *uintptr
	SizeOfImage                *uintptr
	FullDllName                stupidstring
	BaseDllName                stupidstring
	Flags                      uint32
	LoadCount                  uint16
	TlsIndex                   uint16
	HashLinks                  ListEntry
	TimeDateStamp              uint64
}

func GetModuleLoadedOrderPtr

func GetModuleLoadedOrderPtr(i int) *LdrDataTableEntry

GetModuleLoadedOrderPtr returns a pointer to the full LDR_DATA_TABLE_ENTRY for the module at position i in the load order, in case there is something interesting in there you want to see.

type ListEntry

type ListEntry struct {
	Flink *ListEntry
	Blink *ListEntry
}
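The functions above that take a load-order index (GetModuleLoadedOrder, GetModuleLoadedOrderPtr) and the ones that look for ntdll (GetNtdllStart, InMemLoads) all do the same thing underneath: walk one of the circular LIST_ENTRY lists in the PEB loader data and recover the containing LDR_DATA_TABLE_ENTRY from each link (the CONTAINING_RECORD idiom). The program below is an added example, not code from the bananaphone package: it builds a constructed loader state out of Go-allocated structs (made-up base addresses and sizes, a cut-down entry type, a plain string in place of the UNICODE_STRING) so the walk runs on any OS, and shows why the offset of the link field matters: InLoadOrderLinks sits at offset 0 so the cast is free, while InMemoryOrderLinks has to have its offset subtracted.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unsafe"
)

// ListEntry mirrors Windows LIST_ENTRY (same layout as bananaphone.ListEntry).
type ListEntry struct {
	Flink *ListEntry
	Blink *ListEntry
}

// ldrEntry is a cut-down LDR_DATA_TABLE_ENTRY (constructed for this example). The link fields
// come first and in the same order as in bananaphone.LdrDataTableEntry; everything else is a
// simplification (real entries carry UNICODE_STRINGs, flags, hash links, ...).
type ldrEntry struct {
	InLoadOrderLinks   ListEntry
	InMemoryOrderLinks ListEntry
	DllBase            uintptr
	SizeOfImage        uintptr
	BaseDllName        string // stands in for the UNICODE_STRING in the real structure
}

var (
	offLoad = unsafe.Offsetof(ldrEntry{}.InLoadOrderLinks)   // 0: a plain cast recovers the entry
	offMem  = unsafe.Offsetof(ldrEntry{}.InMemoryOrderLinks) // 16 on 64-bit: must be subtracted
)

// containing returns the ldrEntry that holds link l, where off is the byte offset of that link
// field inside ldrEntry (the CONTAINING_RECORD macro).
func containing(l *ListEntry, off uintptr) *ldrEntry {
	return (*ldrEntry)(unsafe.Add(unsafe.Pointer(l), -int(off)))
}

// newList returns an empty circular list head, like InLoadOrderModuleList in PEB_LDR_DATA.
func newList() *ListEntry {
	h := &ListEntry{}
	h.Flink, h.Blink = h, h
	return h
}

// link appends e to the circular list rooted at head, using the link field at offset off.
func link(head *ListEntry, e *ldrEntry, off uintptr) {
	l := (*ListEntry)(unsafe.Add(unsafe.Pointer(e), int(off)))
	last := head.Blink
	l.Flink, l.Blink = head, last
	last.Flink = l
	head.Blink = l
}

// moduleLoadedOrder is the analogue of GetModuleLoadedOrder: the i-th entry (0-based) of the
// load-order list, or an error if the list is shorter than that instead of walking off the end.
func moduleLoadedOrder(head *ListEntry, i int) (*ldrEntry, error) {
	cur := head.Flink
	for n := 0; n < i && cur != head; n++ {
		cur = cur.Flink
	}
	if cur == head {
		return nil, fmt.Errorf("no module at load-order index %d", i)
	}
	return containing(cur, offLoad), nil
}

// findModule walks the list rooted at head (links at offset off) for a module by base name,
// case-insensitively, so it still finds ntdll when something else was loaded ahead of it.
func findModule(head *ListEntry, off uintptr, name string) (*ldrEntry, error) {
	for cur := head.Flink; cur != head; cur = cur.Flink {
		e := containing(cur, off)
		if strings.EqualFold(e.BaseDllName, name) {
			return e, nil
		}
	}
	return nil, errors.New(name + " not found in loader list")
}

// buildSampleLdr constructs a fake loader state: the exe, an interloper that loaded itself
// before ntdll, then ntdll and kernel32. Addresses and sizes are made up.
func buildSampleLdr() (loadOrder, memOrder *ListEntry) {
	loadOrder, memOrder = newList(), newList()
	mods := []*ldrEntry{
		{DllBase: 0x7ff600000000, SizeOfImage: 0x20000, BaseDllName: "sample.exe"},
		{DllBase: 0x7ffa10000000, SizeOfImage: 0x90000, BaseDllName: "rude.dll"},
		{DllBase: 0x7ffa20000000, SizeOfImage: 0x1f0000, BaseDllName: "ntdll.dll"},
		{DllBase: 0x7ffa30000000, SizeOfImage: 0xb0000, BaseDllName: "KERNEL32.DLL"},
	}
	for _, m := range mods {
		link(loadOrder, m, offLoad)
		link(memOrder, m, offMem)
	}
	return loadOrder, memOrder
}

func main() {
	lo, mo := buildSampleLdr()
	e, _ := moduleLoadedOrder(lo, 1)
	fmt.Printf("load-order[1] = %s (not ntdll: don't hard-code the index)\n", e.BaseDllName)
	nt, _ := findModule(mo, offMem, "NTDLL.DLL")
	fmt.Printf("ntdll base=%#x size=%#x\n", nt.DllBase, nt.SizeOfImage)
}
```

Note the two ways the entry is recovered: the real bananaphone code walks InLoadOrderLinks, where the cast is free, which is why the package can expose a *LdrDataTableEntry directly; shellcode that walks InMemoryOrderModuleList has to subtract the link offset exactly as containing does here.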

type MayBeHookedError

type MayBeHookedError struct {
	Foundbytes []byte
}

MayBeHookedError is returned when the sysid cannot be extracted from a resolved function because its first bytes do not match HookCheck. It carries the bytes that were actually found, in case they are useful (for example to spot the jmp of an inline hook).

func (MayBeHookedError) Error

func (e MayBeHookedError) Error() string

type PhoneMode

type PhoneMode int

PhoneMode determines the way a bananaphone will resolve sysids

const (
	// MemoryBananaPhoneMode resolves by locating the PEB in memory and walking the exports of the loaded ntdll.dll to read the sysid straight from each stub. Quiet, but wrong if the stub has been hooked.
	MemoryBananaPhoneMode PhoneMode = iota
	// DiskBananaPhoneMode resolves by reading ntdll.dll from disk and parsing its exports to determine the sysid. Immune to in-memory hooks, at the cost of file-access events.
	DiskBananaPhoneMode
	// AutoBananaPhoneMode tries in-memory resolution first, falls back to Halo's Gate if the stub looks hooked (i.e. the mov eax, sysid has been overwritten), and finally falls back to reading ntdll.dll from disk.
	AutoBananaPhoneMode
	// HalosGateBananaPhoneMode tries in-memory resolution first and, if the stub is hooked, deduces the sysid from the nearest unhooked neighbouring stub: stubs are laid out in sysid order, so the neighbour's sysid adjusted by the distance gives the target's.
	HalosGateBananaPhoneMode
)
