Documentation
Index ¶
- Constants
- Variables
- func GetModuleLoadedOrder(i int) (start uintptr, size uintptr, modulepath string)
- func GetNtdllStart() (start uintptr, size uintptr)
- func GetPEB() uintptr
- func GetSysID(baseStruct *baseStruct, funcname string) (uint16, error)
- func InMemLoads() (map[string]Image, error)
- func RunShellCodeCreateThreadHalosGate(shellcode []byte)
- func Syscall(callid uint16, argh ...uintptr) (errcode uint32, err error)
- func UTF16PtrToString(p *uint16) string
- func WriteMemory(inbuf []byte, destination uintptr)
- func WriteShellCodeToMemory(shellcode []byte) uintptr
- type COFFSymbol
- type DataDirectory
- type DosHeader
- type Export
- type ExportDirectory
- type File
- type FileHeader
- type Image
- type LdrDataTableEntry
- type ListEntry
- type MayBeHookedError
- type OptionalHeader32
- type OptionalHeader64
- type Reloc
- type Section
- type SectionHeader
- type SectionHeader32
- type Slice
- type String
- type StringTable
- type Symbol
Constants ¶
// Target-architecture identifiers from the PE/COFF specification
// (IMAGE_FILE_MACHINE_*). These are the values that appear in the COFF
// file header's Machine field; presumably compared against FileHeader
// when parsing an image — confirm against the parser.
const (
	IMAGE_FILE_MACHINE_UNKNOWN   = 0x0
	IMAGE_FILE_MACHINE_AM33      = 0x1d3
	IMAGE_FILE_MACHINE_AMD64     = 0x8664
	IMAGE_FILE_MACHINE_ARM       = 0x1c0
	IMAGE_FILE_MACHINE_ARMNT     = 0x1c4
	IMAGE_FILE_MACHINE_ARM64     = 0xaa64
	IMAGE_FILE_MACHINE_EBC       = 0xebc
	IMAGE_FILE_MACHINE_I386      = 0x14c
	IMAGE_FILE_MACHINE_IA64      = 0x200
	IMAGE_FILE_MACHINE_M32R      = 0x9041
	IMAGE_FILE_MACHINE_MIPS16    = 0x266
	IMAGE_FILE_MACHINE_MIPSFPU   = 0x366
	IMAGE_FILE_MACHINE_MIPSFPU16 = 0x466
	IMAGE_FILE_MACHINE_POWERPC   = 0x1f0
	IMAGE_FILE_MACHINE_POWERPCFP = 0x1f1
	IMAGE_FILE_MACHINE_R4000     = 0x166
	IMAGE_FILE_MACHINE_SH3       = 0x1a2
	IMAGE_FILE_MACHINE_SH3DSP    = 0x1a3
	IMAGE_FILE_MACHINE_SH4       = 0x1a6
	IMAGE_FILE_MACHINE_SH5       = 0x1a8
	IMAGE_FILE_MACHINE_THUMB     = 0x1c2
	IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x169
)
// CERTIFICATE_TABLE is the index into the optional header's DataDirectory
// of the Attribute Certificate Table (IMAGE_DIRECTORY_ENTRY_SECURITY in the
// PE specification), which holds Authenticode signature data. Unlike the
// other directory entries its address is a raw file offset, not an RVA.
const CERTIFICATE_TABLE = 4
// OnlyMode is the single injectionMode value defined by this package.
const (
	OnlyMode injectionMode = iota // also known as halos gate lol
)
Variables ¶
// HookCheck is the byte sequence the hook check expects to find at the start
// of an unmodified API stub; bytes that differ from this are taken as a sign
// that the API has been hooked (see the note below). The expected prologue
// differs between EDR/AV products, so this value may need to be adjusted per
// environment. It is a mutable package-level slice and is not protected
// against concurrent modification.
var HookCheck = []byte{0x4c, 0x8b, 0xd1, 0xb8}
SUPER IMPORTANT: THESE ARE THE BYTES THAT HALOS GATE USES TO CHECK IF THE API IS HOOKED. IT WILL VARY DEPENDING ON EDR/AV AND MIGHT NEED TO BE EDITED.
Functions ¶
func GetModuleLoadedOrder ¶
func GetNtdllStart ¶
GetNtdllStart returns the start address of ntdll in memory
func GetPEB ¶
func GetPEB() uintptr
GetPEB returns the in-memory address of the start of PEB while making no api calls
func InMemLoads ¶
func RunShellCodeCreateThreadHalosGate ¶
func RunShellCodeCreateThreadHalosGate(shellcode []byte)
func UTF16PtrToString ¶
func WriteMemory ¶
func WriteShellCodeToMemory ¶
Types ¶
type COFFSymbol ¶
// COFFSymbol is one record of the COFF symbol table as laid out in the file.
// Name holds the symbol name inline only when it fits in eight bytes;
// otherwise it refers into the string table, and FullName resolves it.
type COFFSymbol struct {
	Name               [8]uint8
	Value              uint32
	SectionNumber      int16
	Type               uint16
	StorageClass       uint8
	NumberOfAuxSymbols uint8
}
func (*COFFSymbol) FullName ¶
func (sym *COFFSymbol) FullName(st StringTable) (string, error)
type DataDirectory ¶
type DosHeader ¶
// DosHeader mirrors the MS-DOS header (IMAGE_DOS_HEADER) found at offset 0 of
// a PE file. MZSignature is expected to be "MZ" and AddressOfNewExeHeader
// (e_lfanew) is the file offset of the PE signature that follows the DOS stub.
// NOTE(review): both values come from the image being parsed; a parser should
// validate the signature and bounds-check AddressOfNewExeHeader against the
// file size before following it — whether this package does so is not shown here.
type DosHeader struct {
	MZSignature              uint16
	UsedBytesInTheLastPage   uint16
	FileSizeInPages          uint16
	NumberOfRelocationItems  uint16
	HeaderSizeInParagraphs   uint16
	MinimumExtraParagraphs   uint16
	MaximumExtraParagraphs   uint16
	InitialRelativeSS        uint16
	InitialSP                uint16
	CheckSum                 uint16
	InitialIP                uint16
	InitialRelativeCS        uint16
	AddressOfRelocationTable uint16
	OverlayNumber            uint16
	Reserved                 [4]uint16
	OEMid                    uint16
	OEMinfo                  uint16
	Reserved2                [10]uint16
	AddressOfNewExeHeader    uint32
}
type ExportDirectory ¶
// ExportDirectory mirrors the PE export directory table (IMAGE_EXPORT_DIRECTORY)
// plus the resolved DLL name. All RVAs and counts below are read from the
// image and must be bounds-checked against the image size before use;
// an oversized NumberOfFunctions/NumberOfNames or an out-of-image RVA is a
// classic source of out-of-bounds reads in PE parsers.
type ExportDirectory struct {
	ExportFlags       uint32 // reserved, must be zero
	TimeDateStamp     uint32
	MajorVersion      uint16
	MinorVersion      uint16
	NameRVA           uint32 // pointer to the name of the DLL
	OrdinalBase       uint32
	NumberOfFunctions uint32
	NumberOfNames     uint32 // also Ordinal Table Len
	AddressTableAddr  uint32 // RVA of EAT, relative to image base
	NameTableAddr     uint32 // RVA of export name pointer table, relative to image base
	OrdinalTableAddr  uint32 // address of the ordinal table, relative to image base
	DllName           string // not part of the on-disk table; presumably resolved from NameRVA by the parser
}
type File ¶
// File is a parsed PE image: the DOS header and stub, the COFF file header,
// the 32- or 64-bit optional header, sections, symbols and the certificate
// table. OptionalHeader must be type-asserted to *OptionalHeader32 or
// *OptionalHeader64 before use.
type File struct {
	DosHeader
	DosExists  bool
	DosStub    [64]byte // TODO(capnspacehook) make slice and correctly parse any DOS stub
	RichHeader []byte
	FileHeader
	OptionalHeader   interface{} // of type *OptionalHeader32 or *OptionalHeader64
	Sections         []*Section
	Symbols          []*Symbol     // COFF symbols with auxiliary symbol records removed
	COFFSymbols      []COFFSymbol  // all COFF symbols (including auxiliary symbol records)
	StringTable      StringTable
	CertificateTable []byte
	InsertionAddr    uint32 // purpose not documented here — see the package's writer/patcher code
	InsertionBytes   []byte // purpose not documented here — see the package's writer/patcher code
	// contains filtered or unexported fields
}
type FileHeader ¶
type LdrDataTableEntry ¶
// LdrDataTableEntry is the package's view of the loader's per-module record
// (LDR_DATA_TABLE_ENTRY) reached from the PEB module lists.
// NOTE(review): this structure is undocumented and its layout varies between
// Windows releases; the field offsets are not validated against the running
// OS here, so a mismatch yields garbage rather than an error — confirm against
// the target versions.
type LdrDataTableEntry struct {
	InLoadOrderLinks           ListEntry
	InMemoryOrderLinks         ListEntry
	InInitializationOrderLinks ListEntry
	DllBase                    *uintptr
	EntryPoint                 *uintptr
	SizeOfImage                *uintptr
	FullDllName                stupidstring
	BaseDllName                stupidstring
	Flags                      uint32
	LoadCount                  uint16
	TlsIndex                   uint16
	HashLinks                  ListEntry
	TimeDateStamp              uint64
}
func GetModuleLoadedOrderPtr ¶
func GetModuleLoadedOrderPtr(i int) *LdrDataTableEntry
GetModuleLoadedOrderPtr returns a pointer to the full LDR data table entry, in case there is something interesting in there you want to see.
type MayBeHookedError ¶
// MayBeHookedError reports that the bytes found at an API entry point did not
// match the expected HookCheck sequence, which this package treats as a sign
// that the function has been hooked.
type MayBeHookedError struct {
	Foundbytes []byte // presumably the bytes actually read at the entry point, for comparison with HookCheck
}
func (MayBeHookedError) Error ¶
func (e MayBeHookedError) Error() string
type OptionalHeader32 ¶
// OptionalHeader32 is the PE32 optional header (Magic 0x10b) as laid out in
// the file. Only the first NumberOfRvaAndSizes entries of DataDirectory are
// meaningful; the value is read from the image and should be capped at 16
// before indexing.
type OptionalHeader32 struct {
	Magic                       uint16
	MajorLinkerVersion          uint8
	MinorLinkerVersion          uint8
	SizeOfCode                  uint32
	SizeOfInitializedData       uint32
	SizeOfUninitializedData     uint32
	AddressOfEntryPoint         uint32
	BaseOfCode                  uint32
	BaseOfData                  uint32
	ImageBase                   uint32
	SectionAlignment            uint32
	FileAlignment               uint32
	MajorOperatingSystemVersion uint16
	MinorOperatingSystemVersion uint16
	MajorImageVersion           uint16
	MinorImageVersion           uint16
	MajorSubsystemVersion       uint16
	MinorSubsystemVersion       uint16
	Win32VersionValue           uint32
	SizeOfImage                 uint32
	SizeOfHeaders               uint32
	CheckSum                    uint32
	Subsystem                   uint16
	DllCharacteristics          uint16
	SizeOfStackReserve          uint32
	SizeOfStackCommit           uint32
	SizeOfHeapReserve           uint32
	SizeOfHeapCommit            uint32
	LoaderFlags                 uint32
	NumberOfRvaAndSizes         uint32
	DataDirectory               [16]DataDirectory
}
type OptionalHeader64 ¶
// OptionalHeader64 is the PE32+ optional header (Magic 0x20b) as laid out in
// the file. It differs from OptionalHeader32 by dropping BaseOfData and
// widening ImageBase and the stack/heap size fields to 64 bits. Only the
// first NumberOfRvaAndSizes entries of DataDirectory are meaningful; the
// value is read from the image and should be capped at 16 before indexing.
type OptionalHeader64 struct {
	Magic                       uint16
	MajorLinkerVersion          uint8
	MinorLinkerVersion          uint8
	SizeOfCode                  uint32
	SizeOfInitializedData       uint32
	SizeOfUninitializedData     uint32
	AddressOfEntryPoint         uint32
	BaseOfCode                  uint32
	ImageBase                   uint64
	SectionAlignment            uint32
	FileAlignment               uint32
	MajorOperatingSystemVersion uint16
	MinorOperatingSystemVersion uint16
	MajorImageVersion           uint16
	MinorImageVersion           uint16
	MajorSubsystemVersion       uint16
	MinorSubsystemVersion       uint16
	Win32VersionValue           uint32
	SizeOfImage                 uint32
	SizeOfHeaders               uint32
	CheckSum                    uint32
	Subsystem                   uint16
	DllCharacteristics          uint16
	SizeOfStackReserve          uint64
	SizeOfStackCommit           uint64
	SizeOfHeapReserve           uint64
	SizeOfHeapCommit            uint64
	LoaderFlags                 uint32
	NumberOfRvaAndSizes         uint32
	DataDirectory               [16]DataDirectory
}
type Section ¶
// Section is one image section: its header, its relocation records and
// random-access read access to its raw contents via the embedded io.ReaderAt.
type Section struct {
	SectionHeader
	Relocs []Reloc

	// Embed ReaderAt for ReadAt method.
	// Do not embed SectionReader directly
	// to avoid having Read and Seek.
	// If a client wants Read and Seek it must use
	// Open() to avoid fighting over the seek offset
	// with other clients.
	io.ReaderAt
	// contains filtered or unexported fields
}
type SectionHeader ¶
type SectionHeader32 ¶
type String ¶
String is the runtime representation of a string. It cannot be used safely or portably and its representation may change in a later release.
type StringTable ¶
// StringTable holds the raw bytes of the COFF string table; COFFSymbol.FullName
// resolves long symbol names against it.
type StringTable []byte