Documentation
¶
Index ¶
- Constants
- func AllVirtualQueryEx(hProcess win32.HANDLE) (cmbi chan win32.MemoryBasicInformation)
- func CheckProcessIntegrity(hProcess win32.HANDLE) (bytediff int, length int, err error)
- func CloseHandle(hObject win32.HANDLE) error
- func CreateEvent(lpEventAttribute uintptr, bManualReset win32.BOOL, bInitialState win32.BOOL, ...) (win32.HANDLE, error)
- func CreateToolhelp32Snapshot(dwFlags win32.DWORD, th32ProcessID win32.DWORD) (win32.HANDLE, error)
- func EnumProcessModules(hProcess win32.HANDLE) ([]win32.HANDLE, error)
- func FindTextSection(hProcess win32.HANDLE, mi MODULEINFO) (mbi win32.MemoryBasicInformation, err error)
- func FindTextSectionFromImage(image string) (section []byte, err error)
- func ForceDumpAllMemory(pid int, dumpFile string) error
- func GetCurrentProcess() (pseudoHandle win32.HANDLE, lastError error)
- func GetCurrentThread() win32.HANDLE
- func GetCurrentThreadId() win32.DWORD
- func GetExitCodeProcess(hProcess win32.HANDLE) (exitCode win32.DWORD, err error)
- func GetFirstTidOfPid(pid int) int
- func GetLastError() win32.DWORD
- func GetModuleFilename(hProcess win32.HANDLE) (string, error)
- func GetModuleFilenameExW(hProcess win32.HANDLE, hModule win32.HANDLE) (string, error)
- func GetModuleFilenameFromPID(pid int) (fn string, err error)
- func GetModuleFilenameSelf() (string, error)
- func GetModuleHandleW(lpModuleName string) (win32.HANDLE, error)
- func GetProcessIdOfThread(hThread win32.HANDLE) (win32.DWORD, error)
- func GetThreadContext(hThread win32.HANDLE, lpContext win32.LPCONTEXT) error
- func GetThreadId(thread win32.HANDLE) (win32.DWORD, error)
- func IsPIDRunning(pid int) bool
- func IsProcessRunning(hProcess win32.HANDLE) bool
- func IsThreadRunning(hThread win32.HANDLE) (bool, error)
- func ListThreads(pid int) (ctid chan int)
- func OpenProcess(dwDesiredAccess win32.DWORD, bInheritHandle win32.BOOL, ...) (win32.HANDLE, error)
- func OpenThread(dwDesiredAccess win32.DWORD, bInheritHandle win32.BOOL, dwThreadId win32.DWORD) (win32.HANDLE, error)
- func Process32FirstW(hSnapshot win32.HANDLE, lppe LPPROCESSENTRY32W) (bool, error)
- func QueryDosDevice(device string) (out []string, err error)
- func QueryFullProcessImageName(hProcess win32.HANDLE) (string, error)
- func ReadProcessMemory(hProcess win32.HANDLE, lpBaseAddress win32.LPCVOID, lpBuffer []byte) (int, error)
- func ResetEvent(hEvent win32.HANDLE) error
- func ResumeProcess(pid int)
- func ResumeThread(hThread win32.HANDLE) (win32.DWORD, error)
- func SetCurrentThreadPriority(nPriority int) error
- func SetThreadContext(hThread win32.HANDLE, lpContext win32.LPCONTEXT) error
- func SetThreadPriority(hThread win32.HANDLE, nPriority int) error
- func SuspendProcess(pid int)
- func SuspendThread(hThread win32.HANDLE) (win32.DWORD, error)
- func TerminateProcess(hProcess win32.HANDLE, exitCode win32.UINT) (err error)
- func Thread32First(hSnapshot win32.HANDLE, lpte LPTHREADENTRY32) (bool, error)
- func Thread32Next(hSnapshot win32.HANDLE, lpte LPTHREADENTRY32) (bool, error)
- func ToJSON(data interface{}) string
- func VirtualAllocEx(hProcess win32.HANDLE, lpAddress win32.LPVOID, dwSize win32.SIZE_T, ...) (win32.LPVOID, error)
- func VirtualProtect(lpAddress win32.LPVOID, dwSize win32.SIZE_T, flNewProtect win32.DWORD) (lpflOldProtect win32.DWORD, err error)
- func VirtualQueryEx(hProcess win32.HANDLE, lpAddress win32.LPCVOID) (win32.MemoryBasicInformation, error)
- func WaitForMultipleObjects(lpHandles []win32.HANDLE, bWaitAll win32.BOOL, dwMilliseconds win32.DWORD) win32.DWORD
- func WaitForSingleObject(hHandle win32.HANDLE, dwMilliseconds win32.DWORD) win32.DWORD
- func WaitThreadRuns(hThread win32.HANDLE, step, timeout time.Duration) bool
- func WriteMemoryAndControl(hProcess win32.HANDLE, lpBaseAddress win32.LPCVOID, lpBuffer []byte) error
- func WriteProcessMemory(hProcess win32.HANDLE, lpBaseAddress win32.LPCVOID, lpBuffer []byte) (int, error)
- type LPCPROCESSENTRY32W
- type LPCTHREADENTRY32
- type LPPROCESSENTRY32W
- type LPTHREADENTRY32
- type MODULEINFO
- type PROCESSENTRY32W
- type THREADENTRY32
Constants ¶
const ( STANDARD_RIGHTS_REQUIRED = 0x000F0000 DELETE = 0x00010000 READ_CONTROL = 0x00020000 WRITE_DAC = 0x00040000 WRITE_OWNER = 0x00080000 SYNCHRONIZE = 0x00100000 STANDARD_RIGHTS_READ = READ_CONTROL STANDARD_RIGHTS_WRITE = READ_CONTROL STANDARD_RIGHTS_EXECUTE = READ_CONTROL STANDARD_RIGHTS_ALL = 0x001F0000 SPECIFIC_RIGHTS_ALL = 0x0000FFFF ACCESS_SYSTEM_SECURITY = 0x01000000 MAXIMUM_ALLOWED = 0x02000000 GENERIC_READ = 0x80000000 GENERIC_WRITE = 0x40000000 GENERIC_EXECUTE = 0x20000000 GENERIC_ALL = 0x10000000 PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff PROCESS_TERMINATE = 0x0001 PROCESS_CREATE_THREAD = 0x0002 PROCESS_SET_SESSIONID = 0x0004 PROCESS_VM_OPERATION = 0x0008 PROCESS_VM_READ = 0x0010 PROCESS_VM_WRITE = 0x0020 PROCESS_DUP_HANDLE = 0x0040 PROCESS_CREATE_PROCESS = 0x0080 PROCESS_SET_QUOTA = 0x0100 PROCESS_SET_INFORMATION = 0x0200 PROCESS_QUERY_INFORMATION = 0x0400 PROCESS_SUSPEND_RESUME = 0x0800 PROCESS_QUERY_LIMITED_INFORMATION = 0x1000 )
const ( THREAD_TERMINATE = 0x0001 THREAD_SUSPEND_RESUME = 0x0002 THREAD_GET_CONTEXT = 0x0008 THREAD_SET_CONTEXT = 0x0010 THREAD_SET_INFORMATION = 0x0020 THREAD_QUERY_INFORMATION = 0x0040 THREAD_SET_THREAD_TOKEN = 0x0080 THREAD_IMPERSONATE = 0x0100 THREAD_DIRECT_IMPERSONATION = 0x0200 THREAD_SET_LIMITED_INFORMATION = 0x0400 THREAD_QUERY_LIMITED_INFORMATION = 0x0800 THREAD_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff )
threads
const ( TH32CS_SNAPHEAPLIST = 0x00000001 TH32CS_SNAPPROCESS = 0x00000002 TH32CS_SNAPTHREAD = 0x00000004 TH32CS_SNAPMODULE = 0x00000008 TH32CS_SNAPMODULE32 = 0x00000010 TH32CS_SNAPALL = TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE TH32CS_INHERIT = 0x80000000 )
Variables ¶
This section is empty.
Functions ¶
func AllVirtualQueryEx ¶
func AllVirtualQueryEx(hProcess win32.HANDLE) (cmbi chan win32.MemoryBasicInformation)
AllVirtualQueryEx helper function
func CheckProcessIntegrity ¶
CheckProcessIntegrity helper function to check process integrity compare entrypoint section on disk and in memory
func CreateEvent ¶
func CreateToolhelp32Snapshot ¶
CreateToolhelp32Snapshot Win32 API wrapper
func FindTextSection ¶
func FindTextSection(hProcess win32.HANDLE, mi MODULEINFO) (mbi win32.MemoryBasicInformation, err error)
FindTextSection returns the Memory Basic Information of the memory zone containing the entrypoint of the image
func FindTextSectionFromImage ¶
FindTextSectionFromImage returns the section containing the entrypoint
func ForceDumpAllMemory ¶
ForceDumpAllMemory helper function TODO : increase the limitation used to dump memory
func GetCurrentProcess ¶
GetCurrentProcess Win32 API wrapper
func GetCurrentThreadId ¶
GetCurrentThreadId win32 API wrapper
func GetExitCodeProcess ¶
GetExitCodeProcess win32 API wrapper hProcess must have the PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION
func GetFirstTidOfPid ¶
GetFirstTidOfPid list the threads of process pid
func GetModuleFilename ¶
GetModuleFilename Win32 API wrapper
func GetModuleFilenameExW ¶
GetModuleFilenameExW Win32 API wrapper
func GetModuleFilenameFromPID ¶
GetModuleFilenameFromPID helper function to retrieve the module filename from a pid
func GetModuleFilenameSelf ¶
GetModuleFilenameSelf helper function to retrieve self executable module filename
func GetModuleHandleW ¶
GetModuleHandleW Win32 API wrapper
func GetProcessIdOfThread ¶
GetProcessIdOfThread win32 API wrapper
func GetThreadContext ¶
GetThreadContext Win32 API wrapper
func GetThreadId ¶
GetThreadId win32 API wrapper
func IsPIDRunning ¶
IsPIDRunning returns true if the process referenced by pid is running
func IsProcessRunning ¶
IsProcessRunning returns true if the process is running and false if not
func IsThreadRunning ¶
IsThreadRunning returns true if hThread is running else false It is a little hack since I am not aware of any API call to check whether a thread is running or not
func ListThreads ¶
ListThreads list the threads of process pid
func OpenProcess ¶
func OpenProcess(dwDesiredAccess win32.DWORD, bInheritHandle win32.BOOL, dwProcessId win32.DWORD) (win32.HANDLE, error)
OpenProcess Win32 API wrapper
func OpenThread ¶
func OpenThread(dwDesiredAccess win32.DWORD, bInheritHandle win32.BOOL, dwThreadId win32.DWORD) (win32.HANDLE, error)
OpenThread Win32 api wrapper
func Process32FirstW ¶
func Process32FirstW(hSnapshot win32.HANDLE, lppe LPPROCESSENTRY32W) (bool, error)
func QueryDosDevice ¶
QueryDosDevice API wrapper if device is "" it retrieves the list of all available Devices https://docs.microsoft.com/en-us/windows/desktop/api/fileapi/nf-fileapi-querydosdevicew
func QueryFullProcessImageName ¶
QueryFullProcessImageName Win32 API wrapper
func ReadProcessMemory ¶
func ReadProcessMemory(hProcess win32.HANDLE, lpBaseAddress win32.LPCVOID, lpBuffer []byte) (int, error)
ReadProcessMemory Win32 API wrapper TODO: verify that we have everything
func ResumeProcess ¶
func ResumeProcess(pid int)
ResumeProcess resumes a previously suspended process
func ResumeThread ¶
ResumeThread Win32 API wrapper
func SetCurrentThreadPriority ¶
SetCurrentThreadPriority helper function to set priority of current Thread
func SetThreadContext ¶
SetThreadContext Win32 API wrapper
func SetThreadPriority ¶
SetThreadPriority Win32 API wrapper
func SuspendThread ¶
SuspendThread Win32 API wrapper
func TerminateProcess ¶
func Thread32First ¶
func Thread32First(hSnapshot win32.HANDLE, lpte LPTHREADENTRY32) (bool, error)
Thread32First Win32 API wrapper
func Thread32Next ¶
func Thread32Next(hSnapshot win32.HANDLE, lpte LPTHREADENTRY32) (bool, error)
Thread32Next Win32 API wrapper
func VirtualAllocEx ¶
func VirtualAllocEx(hProcess win32.HANDLE, lpAddress win32.LPVOID, dwSize win32.SIZE_T, flAllocationType win32.DWORD, flProtect win32.DWORD) (win32.LPVOID, error)
VirtualAllocEx Win32 API wrapper https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx LPVOID WINAPI VirtualAllocEx( _In_ HANDLE hProcess, _In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect ); TODO: Test it
func VirtualProtect ¶
func VirtualProtect(lpAddress win32.LPVOID, dwSize win32.SIZE_T, flNewProtect win32.DWORD) (lpflOldProtect win32.DWORD, err error)
VirtualProtect Win32 API wrapper
func VirtualQueryEx ¶
func VirtualQueryEx(hProcess win32.HANDLE, lpAddress win32.LPCVOID) (win32.MemoryBasicInformation, error)
VirtualQueryEx Win32 API wrapper
func WaitForMultipleObjects ¶
func WaitForMultipleObjects(lpHandles []win32.HANDLE, bWaitAll win32.BOOL, dwMilliseconds win32.DWORD) win32.DWORD
WaitForMultipleObjects wrapper DWORD WaitForMultipleObjects(
DWORD nCount, const HANDLE *lpHandles, BOOL bWaitAll, DWORD dwMilliseconds
); https://docs.microsoft.com/en-us/windows/desktop/api/synchapi/nf-synchapi-waitformultipleobjects
func WaitForSingleObject ¶
func WaitThreadRuns ¶
WaitThreadRuns waits until a thread is running
Types ¶
type LPCPROCESSENTRY32W ¶
type LPCPROCESSENTRY32W *PROCESSENTRY32W
type LPCTHREADENTRY32 ¶
type LPCTHREADENTRY32 *THREADENTRY32
type LPPROCESSENTRY32W ¶
type LPPROCESSENTRY32W *PROCESSENTRY32W
type LPTHREADENTRY32 ¶
type LPTHREADENTRY32 *THREADENTRY32
type MODULEINFO ¶
type MODULEINFO struct {
LpBaseOfDll win32.LPVOID
// Size of the image mapped in memory
// To compute it from the image file we need to add all section sizes
// rounded up to the dwPageSize (minimum alloc size) + 1 page for the PE header
SizeOfImage win32.DWORD
EntryPoint win32.LPVOID
}
func GetImageModuleInfo ¶
func GetImageModuleInfo(hProcess win32.HANDLE) (mi MODULEINFO, err error)
GetImageModuleInfo helper function
func GetImageModuleInfoFromPID ¶
func GetImageModuleInfoFromPID(pid uint32) (mi MODULEINFO, err error)
GetImageModuleInfoFromPID helper function
func GetModuleInformation ¶
GetModuleInformation Win32 API wrapper Calling process needs PROCESS_QUERY_INFORMATION and VM_READ
func (MODULEINFO) String ¶
func (mi MODULEINFO) String() string
type PROCESSENTRY32W ¶
type PROCESSENTRY32W struct {
DwSize win32.DWORD
CntUsage win32.DWORD
Th32ProcessID win32.DWORD
Th32DefaultHeapID win32.ULONG_PTR
Th32ModuleID win32.DWORD
CntThreads win32.DWORD
Th32ParentProcessID win32.DWORD
PcPriClassBase win32.LONG
DwFlags win32.DWORD
SzExeFile [win32.MAX_PATH]uint16
}
func NewProcessEntry32W ¶
func NewProcessEntry32W() PROCESSENTRY32W
Source Files