runpe

package module

v0.0.0-...-7542655 Latest Latest Go to latest Published: Sep 18, 2021 License: MIT Imports: 7 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/abdullah2993/go-runpe

Links

Open Source Insights

README ¶

go-runpe

Execute a PE in the address space of another PE aka process hollowing

Documentation ¶

Rendered for windows/amd64

Index ¶

func GetThreadContext(hThread uintptr) (ctx []uint8, e error)
func Inject(srcPath, destPath string)
func Log(format string, args ...interface{})
func NtUnmapViewOfSection(hProcess uintptr, baseAddr uintptr) (e error)
func ReadProcessMemory(hProcess uintptr, lpBaseAddress uintptr, size uint32) (data []byte, e error)
func ReadProcessMemoryAsAddr(hProcess uintptr, lpBaseAddress uintptr) (val uintptr, e error)
func ResumeThread(hThread uintptr) (count int32, e error)
func SetThreadContext(hThread uintptr, ctx []uint8) (e error)
func VirtualAllocEx(hProcess uintptr, lpAddress uintptr, dwSize uint32, flAllocationType int, ...) (addr uintptr, e error)
func WriteProcessMemory(hProcess uintptr, lpBaseAddress uintptr, data []byte, size uint32) (e error)
func WriteProcessMemoryAsAddr(hProcess uintptr, lpBaseAddress uintptr, val uintptr) (e error)
type IMAGE_REL_BASED

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GetThreadContext ¶

func GetThreadContext(hThread uintptr) (ctx []uint8, e error)

func Inject ¶

func Inject(srcPath, destPath string)

Inject starts the src process and injects the target process.

func Log ¶

func Log(format string, args ...interface{})

func NtUnmapViewOfSection ¶

func NtUnmapViewOfSection(hProcess uintptr, baseAddr uintptr) (e error)

func ReadProcessMemory ¶

func ReadProcessMemory(hProcess uintptr, lpBaseAddress uintptr, size uint32) (data []byte, e error)

func ReadProcessMemoryAsAddr ¶

func ReadProcessMemoryAsAddr(hProcess uintptr, lpBaseAddress uintptr) (val uintptr, e error)

func ResumeThread ¶

func ResumeThread(hThread uintptr) (count int32, e error)

func SetThreadContext ¶

func SetThreadContext(hThread uintptr, ctx []uint8) (e error)

func VirtualAllocEx ¶

func VirtualAllocEx(hProcess uintptr, lpAddress uintptr, dwSize uint32, flAllocationType int, flProtect int) (addr uintptr, e error)

func WriteProcessMemory ¶

func WriteProcessMemory(hProcess uintptr, lpBaseAddress uintptr, data []byte, size uint32) (e error)

func WriteProcessMemoryAsAddr ¶

func WriteProcessMemoryAsAddr(hProcess uintptr, lpBaseAddress uintptr, val uintptr) (e error)

Types ¶

type IMAGE_REL_BASED ¶

type IMAGE_REL_BASED uint16

const (
	IMAGE_REL_BASED_ABSOLUTE       IMAGE_REL_BASED = 0  //The base relocation is skipped. This type can be used to pad a block.
	IMAGE_REL_BASED_HIGH           IMAGE_REL_BASED = 1  //The base relocation adds the high 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the high value of a 32-bit word.
	IMAGE_REL_BASED_LOW            IMAGE_REL_BASED = 2  //The base relocation adds the low 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the low half of a 32-bit word.
	IMAGE_REL_BASED_HIGHLOW        IMAGE_REL_BASED = 3  //The base relocation applies all 32 bits of the difference to the 32-bit field at offset.
	IMAGE_REL_BASED_HIGHADJ        IMAGE_REL_BASED = 4  //The base relocation adds the high 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the high value of a 32-bit word. The low 16 bits of the 32-bit value are stored in the 16-bit word that follows this base relocation. This means that this base relocation occupies two slots.
	IMAGE_REL_BASED_MIPS_JMPADDR   IMAGE_REL_BASED = 5  //The relocation interpretation is dependent on the machine type.When the machine type is MIPS, the base relocation applies to a MIPS jump instruction.
	IMAGE_REL_BASED_ARM_MOV32      IMAGE_REL_BASED = 5  //This relocation is meaningful only when the machine type is ARM or Thumb. The base relocation applies the 32-bit address of a symbol across a consecutive MOVW/MOVT instruction pair.
	IMAGE_REL_BASED_RISCV_HIGH20   IMAGE_REL_BASED = 5  //This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the high 20 bits of a 32-bit absolute address.
	IMAGE_REL_BASED_THUMB_MOV32    IMAGE_REL_BASED = 7  //This relocation is meaningful only when the machine type is Thumb. The base relocation applies the 32-bit address of a symbol to a consecutive MOVW/MOVT instruction pair.
	IMAGE_REL_BASED_RISCV_LOW12I   IMAGE_REL_BASED = 7  //This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the low 12 bits of a 32-bit absolute address formed in RISC-V I-type instruction format.
	IMAGE_REL_BASED_RISCV_LOW12S   IMAGE_REL_BASED = 8  //This relocation is only meaningful when the machine type is RISC-V. The base relocation applies to the low 12 bits of a 32-bit absolute address formed in RISC-V S-type instruction format.
	IMAGE_REL_BASED_MIPS_JMPADDR16 IMAGE_REL_BASED = 9  //The relocation is only meaningful when the machine type is MIPS. The base relocation applies to a MIPS16 jump instruction.
	IMAGE_REL_BASED_DIR64          IMAGE_REL_BASED = 10 //The base relocation applies the difference to the 64-bit field at offset.
)

Source Files ¶

View all Source files

runpe.go

Directories ¶

Path	Synopsis
cmd
exec

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL