Index ¶
- func AllocADsMem(cb uintptr) (value uintptr, err error)
- func CloseHandle(handle windows.Handle) (err error)
- func ConvertThreadToFiber(lpParameter uintptr) (value uintptr, err error)
- func CreateFiber(dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr) (value uintptr, err error)
- func CreateRemoteThread(hProcess windows.Handle, lpThreadAttributes uintptr, dwStackSize uintptr, ...) (value uintptr, err error)
- func CreateRemoteThreadEx(hProcess windows.Handle, lpThreadAttributes uintptr, dwStackSize uintptr, ...) (handle windows.Handle, err error)
- func CreateThread(lpThreadAttributes uintptr, dwStackSize uintptr, lpStartAddress uintptr, ...) (handle windows.Handle, err error)
- func CreateToolhelp32Snapshot(flags uint32, processId uint32) (handle windows.Handle, err error)
- func EnumPageFilesW(pCallBackRoutine uintptr, pContext uintptr) (value uintptr, err error)
- func EnumSystemLocalesA(lpLocaleEnumProc uintptr, dwFlags uint32) (value uintptr, err error)
- func EnumSystemLocalesEx(lpLocaleEnumProcEx uintptr, dwFlags uint32, lParam uintptr, lpReserved uintptr) (value uintptr, err error)
- func EnumSystemLocalesW(lpLocaleEnumProc uintptr, dwFlags uint32) (value uintptr, err error)
- func EnumerateLoadedModules(hProcess windows.Handle, enumLoadedModulesCallback uintptr, ...) (value uintptr, err error)
- func EtwEventWrite(regHandle windows.Handle, eventDescriptor uintptr, userDataCount uint32, ...) (value uintptr, err error)
- func EtwEventWriteEx(regHandle windows.Handle, eventDescriptor uintptr, filter uint64, flags uint32, ...) (value uintptr, err error)
- func EtwEventWriteFull(regHandle windows.Handle, eventDescriptor uintptr, eventProperty uintptr, ...) (value uintptr, err error)
- func EtwEventWriteString(regHandle windows.Handle, level byte, keyword uint64, str *uint16) (value uintptr, err error)
- func EtwEventWriteTransfer(regHandle windows.Handle, eventDescriptor *EVENT_DESCRIPTOR, ...) (value uintptr, err error)
- func EtwpCreateEtwThread(lpStartAddress uintptr, lpParameter uintptr) (value uintptr, err error)
- func FreeADsMem(pMem uintptr) (value uintptr, err error)
- func GetCurrentProcess() (handle windows.Handle, err error)
- func GetCurrentThread() (handle windows.Handle, err error)
- func GetPhysicallyInstalledSystemMemory(totalMemoryInKilobytes uintptr) (value uintptr, err error)
- func GetTickCount() (value uintptr, err error)
- func HeapAlloc(hHeap windows.Handle, dwFlags uint32, dwBytes uintptr) (value uintptr, err error)
- func HeapCreate(flOptions uint32, dwInitialSize uintptr, dwMaximumSize uintptr) (value uintptr, err error)
- func I_QueryTagInformation(pszMachineName uintptr, eInfoLevel uintptr, pTagInfo uintptr) (value uintptr, err error)
- func NtAllocateVirtualMemory(processHandle windows.Handle, baseAddress *byte, zeroBits uintptr, ...) (value uintptr, err error)
- func NtCreateSection(sectionHandle *windows.Handle, desiredAccess uint32, ...) (err error)
- func NtQueryInformationThread(threadHandle windows.Handle, threadInformationClass uintptr, ...) (value uintptr, err error)
- func NtQueueApcThreadEx(threadHandle windows.Handle, userApcOption uintptr, apcRoutine uintptr, ...) (err error)
- func NtWriteVirtualMemory(processHandle windows.Handle, baseAddress *byte, buffer *byte, ...) (value uintptr, err error)
- func OpenProcess(desiredAccess uint32, inheritHandle bool, processId uint32) (handle windows.Handle, err error)
- func OpenThread(desiredAccess uint32, inheritHandle bool, threadId uint32) (handle windows.Handle, err error)
- func QueueUserAPC(pfnAPC uintptr, hThread uintptr, dwData uintptr) (value uintptr, err error)
- func ReadProcessMemory(process windows.Handle, baseAddress uintptr, buffer *byte, size uintptr, ...) (err error)
- func RtlCopyBytes(address uintptr, source *byte, length uintptr) (err error)
- func RtlCopyMemory(address *byte, source *byte, length uintptr) (err error)
- func RtlEthernetAddressToStringA(addr *byte, s uintptr) (value uintptr, err error)
- func RtlEthernetStringToAddressA(s uintptr, terminator *byte, addr *byte) (value uintptr, err error)
- func RtlIpv4AddressToStringA(addr uintptr, s uintptr) (value uintptr, err error)
- func RtlIpv4StringToAddressA(s uintptr, strict uintptr, terminator *byte, addr *byte) (value uintptr, err error)
- func RtlMoveMemory(destination *byte, source *byte, length uintptr) (err error)
- func SwitchToFiber(lpFiber uintptr) (value uintptr, err error)
- func TerminateThread(hThread uintptr, dwExitCode uint32) (value uintptr, err error)
- func Thread32First(snapshot windows.Handle, threadEntry *ThreadEntry32) (err error)
- func UuidFromStringA(stringUuid *byte, uuid uintptr) (value uintptr, err error)
- func VirtualAlloc(address uintptr, size uintptr, allocType uint32, protect uint32) (value uintptr, err error)
- func VirtualAllocEx(hProcess windows.Handle, lpAddress uintptr, dwSize uintptr, allocType uint32, ...) (value uintptr, err error)
- func VirtualProtect(address uintptr, size uintptr, newProtect uint32, oldProtect *uint32) (value uintptr, err error)
- func VirtualProtectEx(process windows.Handle, address uintptr, size uintptr, newProtect uint32, ...) (err error)
- func WaitForSingleObject(handle windows.Handle, waitMilliseconds uint32) (event uint32, err error)
- func WriteProcessMemory(process windows.Handle, baseAddress uintptr, buffer *byte, size uintptr, ...) (err error)
Functions ¶
func AllocADsMem ¶
AllocADsMem 函数分配指定大小的内存块。
LPVOID AllocADsMem(
[in] DWORD cb );
返回值 类型: LPVOID 如果成功,该函数将返回指向已分配内存的非 NULL 指针。 当不再需要此内存时,调用方必须通过将返回的指针传递给 FreeADsMem 来释放此内存。 如果未成功,则返回 NULL 。 调用 ADsGetLastError 以获取扩展错误状态。 有关错误代码值的详细信息,请参阅 ADSI 错误代码。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/adshlp/nf-adshlp-allocadsmem
func CloseHandle ¶
CloseHandle 关闭打开的对象句柄
BOOL CloseHandle(
[in] HANDLE hObject );
如果该函数成功,则返回值为非零值。如果函数失败,则返回值为零。
Link: https://learn.microsoft.com/zh-CN/windows/win32/api/handleapi/nf-handleapi-closehandle
func ConvertThreadToFiber ¶
ConvertThreadToFiber Converts the current thread into a fiber. You must convert a thread into a fiber before you can schedule other fibers.
LPVOID ConvertThreadToFiber(
[in, optional] LPVOID lpParameter );
If the function succeeds, the return value is the address of the fiber.
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-convertthreadtofiber
func CreateFiber ¶
func CreateFiber(dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr) (value uintptr, err error)
CreateFiber Allocates a fiber object, assigns it a stack, and sets up execution to begin at the specified start address, typically the fiber function. This function does not schedule the fiber.
LPVOID CreateFiber(
[in] SIZE_T dwStackSize, [in] LPFIBER_START_ROUTINE lpStartAddress, [in, optional] LPVOID lpParameter );
If the function succeeds, the return value is the address of the fiber.
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-createfiber
func CreateRemoteThread ¶
func CreateRemoteThread(hProcess windows.Handle, lpThreadAttributes uintptr, dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr, dwCreationFlags uintptr, lpThreadId uintptr) (value uintptr, err error)
CreateRemoteThread 创建在另一个进程的虚拟地址空间中运行的线程。 使用 CreateRemoteThreadEx 函数创建在另一个进程的虚拟地址空间中运行的线程,并选择性地指定扩展属性。
HANDLE CreateRemoteThread(
[in] HANDLE hProcess, [in] LPSECURITY_ATTRIBUTES lpThreadAttributes, [in] SIZE_T dwStackSize, [in] LPTHREAD_START_ROUTINE lpStartAddress, [in] LPVOID lpParameter, [in] DWORD dwCreationFlags, [out] LPDWORD lpThreadId );
如果函数成功,则返回值是新线程的句柄。 如果函数失败,则返回值为 NULL。
func CreateRemoteThreadEx ¶
func CreateRemoteThreadEx(hProcess windows.Handle, lpThreadAttributes uintptr, dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr, dwCreationFlags uint32, lpAttributeList uintptr, lpThreadId uintptr) (handle windows.Handle, err error)
CreateRemoteThreadEx 创建一个线程,该线程在另一个进程的虚拟地址空间中运行,并选择性地指定扩展属性,例如处理器组相关性
HANDLE CreateRemoteThreadEx(
[in] HANDLE hProcess, [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, [in] SIZE_T dwStackSize, [in] LPTHREAD_START_ROUTINE lpStartAddress, [in, optional] LPVOID lpParameter, [in] DWORD dwCreationFlags, [in, optional] LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, [out, optional] LPDWORD lpThreadId );
如果函数成功,则返回值是新线程的句柄。如果函数失败,则返回值为 NULL。
func CreateThread ¶
func CreateThread(lpThreadAttributes uintptr, dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr, dwCreationFlags uintptr, lpThreadId uintptr) (handle windows.Handle, err error)
CreateThread 创建在调用进程的虚拟地址空间内执行的线程。 若要创建在另一个进程的虚拟地址空间中运行的线程,请使用 CreateRemoteThread 函数
HANDLE CreateThread(
[in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, [in] SIZE_T dwStackSize, [in] LPTHREAD_START_ROUTINE lpStartAddress, [in, optional] __drv_aliasesMem LPVOID lpParameter, [in] DWORD dwCreationFlags, [out, optional] LPDWORD lpThreadId );
如果函数成功,则返回值是新线程的句柄。如果函数失败,则返回值为 NULL。
func CreateToolhelp32Snapshot ¶
CreateToolhelp32Snapshot 获取指定进程以及这些进程使用的堆、模块和线程的快照
HANDLE CreateToolhelp32Snapshot(
[in] DWORD dwFlags, [in] DWORD th32ProcessID );
如果函数成功,它将返回指定快照的打开句柄。 如果函数失败,它将返回 INVALID_HANDLE_VALUE。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot
func EnumPageFilesW ¶
EnumPageFilesW 为系统中每个已安装的页面文件调用回调例程
BOOL EnumPageFilesW(
[out] PENUM_PAGE_FILE_CALLBACKW pCallBackRoutine, [in] LPVOID pContext );
返回值 如果函数成功,则返回值为 TRUE。 如果函数失败,则返回值为 FALSE。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/psapi/nf-psapi-enumpagefilesw
func EnumSystemLocalesA ¶
EnumSystemLocalesA 枚举安装在操作系统上或受操作系统支持的区域设置
BOOL EnumSystemLocalesA(
[in] LOCALE_ENUMPROCA lpLocaleEnumProc, [in] DWORD dwFlags );
如果成功,则返回非零值,否则返回 0。 若要获取扩展错误信息,应用程序可以调用 GetLastError,这会返回以下错误代码之一: ERROR_BADDB: 函数无法访问数据,这种情况通常不应发生,通常表示安装错误、磁盘问题或类似问题。 ERROR_INVALID_FLAGS: 为标志提供的值无效。 ERROR_INVALID_PARAMETER: 任何参数值都无效。
Link: https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesa
func EnumSystemLocalesEx ¶
func EnumSystemLocalesEx(lpLocaleEnumProcEx uintptr, dwFlags uint32, lParam uintptr, lpReserved uintptr) (value uintptr, err error)
EnumSystemLocalesEx 枚举安装在操作系统上或受操作系统支持的区域设置。注意:如果应用程序设计为仅在 Windows Vista 及更高版本上运行,则应优先调用此函数,而不是 EnumSystemLocales。
BOOL EnumSystemLocalesEx(
[in] LOCALE_ENUMPROCEX lpLocaleEnumProcEx, [in] DWORD dwFlags, [in] LPARAM lParam, [in, optional] LPVOID lpReserved );
如果成功,则返回非零值,否则返回 0。 若要获取扩展错误信息,应用程序可以调用 GetLastError,这会返回以下错误代码之一:
ERROR_BADDB: 函数无法访问数据。 这种情况通常不应发生,通常表示安装错误、磁盘问题或类似问题。 ERROR_INVALID_FLAGS: 为标志提供的值无效。 ERROR_INVALID_PARAMETER: 任何参数值都无效。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winnls/nf-winnls-enumsystemlocalesex
func EnumSystemLocalesW ¶
EnumSystemLocalesW 枚举安装在操作系统上或受操作系统支持的区域设置
BOOL EnumSystemLocalesW(
[in] LOCALE_ENUMPROCW lpLocaleEnumProc, [in] DWORD dwFlags );
如果成功,则返回非零值,否则返回 0。 若要获取扩展错误信息,应用程序可以调用 GetLastError,这会返回以下错误代码之一: ERROR_BADDB: 函数无法访问数据,这种情况通常不应发生,通常表示安装错误、磁盘问题或类似问题。 ERROR_INVALID_FLAGS: 为标志提供的值无效。 ERROR_INVALID_PARAMETER: 任何参数值都无效。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winnls/nf-winnls-enumsystemlocalesw
func EnumerateLoadedModules ¶
func EnumerateLoadedModules(hProcess windows.Handle, enumLoadedModulesCallback uintptr, userContext uintptr) (value uintptr, err error)
EnumerateLoadedModules 枚举指定进程的已加载模块。
BOOL IMAGEAPI EnumerateLoadedModules(
[in] HANDLE hProcess, [in] PENUMLOADED_MODULES_CALLBACK EnumLoadedModulesCallback, [in, optional] PVOID UserContext );
返回值 如果函数成功,则返回值为 TRUE。 如果函数失败,则返回值为 FALSE。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodules
func EtwEventWrite ¶
func EtwEventWrite(regHandle windows.Handle, eventDescriptor uintptr, userDataCount uint32, userData uintptr) (value uintptr, err error)
EtwEventWrite 函数及其返回的结构在操作系统内部,并且可能会从一个版本的 Windows 更改为另一个版本。 将基本事件写入会话
ULONG EVNTAPI EtwEventWrite(
__in REGHANDLE RegHandle, __in PCEVENT_DESCRIPTOR EventDescriptor, __in ULONG UserDataCount, __in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData );
返回值 Win32 错误代码。
Link: https://learn.microsoft.com/zh-cn/windows/win32/devnotes/etweventwrite
func EtwEventWriteEx ¶
func EtwEventWriteEx(regHandle windows.Handle, eventDescriptor uintptr, filter uint64, flags uint32, activityId uintptr, relatedActivityId uintptr, userDataCount uintptr, userData uintptr) (value uintptr, err error)
EtwEventWriteEx
ULONG EtwEventWriteEx (
REGHANDLE RegHandle, EVENT_DESCRIPTOR const *EventDescriptor, ULONG64 Filter, ULONG Flags, GUID const *ActivityId, GUID const *RelatedActivityId, ULONG UserDataCount, EVENT_DATA_DESCRIPTOR *UserData);
The function returns zero for success, else a Win32 error code.
Link: https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/evntapi/writeex.htm
func EtwEventWriteFull ¶
func EtwEventWriteFull(regHandle windows.Handle, eventDescriptor uintptr, eventProperty uintptr, activityId uintptr, relatedActivityId uintptr, userDataCount uint32, userData uintptr) (value uintptr, err error)
EtwEventWriteFull 函数及其返回的结构在操作系统内部,可能会从一个版本的 Windows 更改为另一个版本。 将完整事件写入会话
ULONG EVNTAPI EtwEventWriteFull(
__in REGHANDLE RegHandle, __in PCEVENT_DESCRIPTOR EventDescriptor, __in USHORT EventProperty, __in_opt LPCGUID ActivityId, __in_opt LPCGUID RelatedActivityId, __in ULONG UserDataCount, __in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData );
返回值 Win32 错误代码。
Link: https://learn.microsoft.com/zh-cn/windows/win32/devnotes/etweventwritefull
func EtwEventWriteString ¶
func EtwEventWriteString(regHandle windows.Handle, level byte, keyword uint64, str *uint16) (value uintptr, err error)
EtwEventWriteString is forwarded from EventWriteString. TODO: needs documentation; this binding has not been verified as correct.
NTSYSAPI ULONG NTAPI EtwEventWriteString(
_In_ REGHANDLE RegHandle, _In_ UCHAR Level, _In_ ULONGLONG Keyword, _In_ PCWSTR String );
func EtwEventWriteTransfer ¶
func EtwEventWriteTransfer(regHandle windows.Handle, eventDescriptor *EVENT_DESCRIPTOR, activityId, relatedActivityId *GUID, userDataCount uint32, userData []*EVENT_DATA_DESCRIPTOR) (value uintptr, err error)
EtwEventWriteTransfer TODO: needs documentation; this binding has not been verified as correct. Note that the native UserData parameter is a contiguous array of EVENT_DATA_DESCRIPTOR, whereas the Go parameter is a slice of pointers, so the two layouts may not match.
ULONG
EtwEventWriteTransfer ( REGHANDLE RegHandle, EVENT_DESCRIPTOR const *EventDescriptor, GUID const *ActivityId, GUID const *RelatedActivityId, ULONG UserDataCount, EVENT_DATA_DESCRIPTOR *UserData );
The function returns zero for success, else a Win32 error code.
func EtwpCreateEtwThread ¶
EtwpCreateEtwThread is undocumented; the prototype below is a C# P/Invoke declaration taken from the linked gist, not a Windows SDK header.
static extern IntPtr EtwpCreateEtwThread(
IntPtr lpStartAddress, IntPtr lpParameter );
Link: https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3
func FreeADsMem ¶
FreeADsMem 函数释放由 AllocADsMem 或 ReallocADsMem 分配的内存。
BOOL FreeADsMem(
[in] LPVOID pMem );
返回值 类型: BOOL 如果成功,函数将返回 TRUE ,否则返回 FALSE。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/adshlp/nf-adshlp-freeadsmem
func GetCurrentThread ¶
GetCurrentThread Retrieves a pseudo handle for the calling thread.
HANDLE GetCurrentThread();
The return value is a pseudo handle for the current thread.
func GetPhysicallyInstalledSystemMemory ¶
GetPhysicallyInstalledSystemMemory 检索实际安装在计算机上的 RAM 量
BOOL GetPhysicallyInstalledSystemMemory(
[out] PULONGLONG TotalMemoryInKilobytes );
如果函数成功,则返回 TRUE 并将 TotalMemoryInKilobytes 参数设置为非零值。 如果函数失败,它将返回 FALSE ,并且不会修改 TotalMemoryInKilobytes 参数。
func GetTickCount ¶
GetTickCount 检索自系统启动以来经过的毫秒数,最长为 49.7 天
DWORD GetTickCount();
返回值是自系统启动以来经过的毫秒数
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount
func HeapAlloc ¶
HeapAlloc 从堆中分配内存块。 分配的内存不可移动
DECLSPEC_ALLOCATOR LPVOID HeapAlloc(
[in] HANDLE hHeap, [in] DWORD dwFlags, [in] SIZE_T dwBytes );
如果函数成功,则返回值是指向已分配内存块的指针 如果函数失败并且您尚未指定 HEAP_GENERATE_EXCEPTIONS,则返回值为 NULL 如果函数失败并且已指定 HEAP_GENERATE_EXCEPTIONS,则函数可能会生成列出的任一异常: STATUS_NO_MEMORY, STATUS_ACCESS_VIOLATION
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/heapapi/nf-heapapi-heapalloc
func HeapCreate ¶
func HeapCreate(flOptions uint32, dwInitialSize uintptr, dwMaximumSize uintptr) (value uintptr, err error)
HeapCreate 创建可由调用进程使用的专用堆对象。 函数在进程的虚拟地址空间中保留空间,并为此块的指定初始部分分配物理存储
HANDLE HeapCreate(
[in] DWORD flOptions, [in] SIZE_T dwInitialSize, [in] SIZE_T dwMaximumSize );
如果函数成功,则返回值是新创建的堆的句柄。如果函数失败,则返回值为 NULL。
Link: https://learn.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapcreate
func I_QueryTagInformation ¶
func I_QueryTagInformation(pszMachineName uintptr, eInfoLevel uintptr, pTagInfo uintptr) (value uintptr, err error)
I_QueryTagInformation
_Must_inspect_result_ DWORD WINAPI I_QueryTagInformation(_In_opt_ LPCWSTR pszMachineName,
_In_ TAG_INFO_LEVEL eInfoLevel, _Inout_ PVOID pTagInfo );
func NtAllocateVirtualMemory ¶
func NtAllocateVirtualMemory(processHandle windows.Handle, baseAddress *byte, zeroBits uintptr, regionSize uintptr, allocationType uintptr, protect uintptr) (value uintptr, err error)
NtAllocateVirtualMemory 在指定进程的用户模式虚拟地址空间中保留和/或提交页面区域。
__kernel_entry NTSYSCALLAPI NTSTATUS NtAllocateVirtualMemory(
[in] HANDLE ProcessHandle, [in, out] PVOID *BaseAddress, [in] ULONG_PTR ZeroBits, [in, out] PSIZE_T RegionSize, [in] ULONG AllocationType, [in] ULONG Protect );
NtAllocateVirtualMemory returns either STATUS_SUCCESS or an error status code. Note that BaseAddress and RegionSize are [in, out] pointers in the native prototype above, whereas the Go binding declares regionSize as a plain uintptr; check the parameter types against the prototype before relying on the returned region size.
func NtCreateSection ¶
func NtCreateSection(sectionHandle *windows.Handle, desiredAccess uint32, objectAttributes *OBJECT_ATTRIBUTES, maximumSize *int64, sectionPageProtection uint32, allocationAttributes uint32, fileHandle windows.Handle) (err error)
NtCreateSection 例程创建一个节对象。
__kernel_entry NTSYSCALLAPI NTSTATUS NtCreateSection(
[out] PHANDLE SectionHandle, [in] ACCESS_MASK DesiredAccess, [in, optional] POBJECT_ATTRIBUTES ObjectAttributes, [in, optional] PLARGE_INTEGER MaximumSize, [in] ULONG SectionPageProtection, [in] ULONG AllocationAttributes, [in, optional] HANDLE FileHandle );
NtCreateSection 在成功时返回STATUS_SUCCESS,或在失败时返回相应的 NTSTATUS 错误代码
Link: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatesection Github: https://github.com/hillu/go-ntdll/blob/f8894bfa00af/section_generated.go#L24
func NtQueryInformationThread ¶
func NtQueryInformationThread(threadHandle windows.Handle, threadInformationClass uintptr, threadInformation uintptr, threadInformationLength uintptr, returnLength uintptr) (value uintptr, err error)
NtQueryInformationThread 在 Windows 的未来版本中可能已更改或不可用。 应用程序应使用本主题中列出的备用函数。 检索有关指定线程的信息。
__kernel_entry NTSTATUS NtQueryInformationThread(
[in] HANDLE ThreadHandle, [in] THREADINFOCLASS ThreadInformationClass, [in, out] PVOID ThreadInformation, [in] ULONG ThreadInformationLength, [out, optional] PULONG ReturnLength );
返回 NTSTATUS 成功或错误代码。 NTSTATUS 错误代码的形式和意义列在 DDK 中提供的 Ntstatus.h 头文件中,并在 DDK 文档中 Kernel-Mode 驱动程序体系结构/设计指南/驱动程序编程技术/日志记录错误下进行了介绍。
func NtQueueApcThreadEx ¶
func NtQueueApcThreadEx(threadHandle windows.Handle, userApcOption uintptr, apcRoutine uintptr, args ...uintptr) (err error)
NtQueueApcThreadEx: each time NtQueueApcThread is called, a new KAPC object is allocated in kernel mode (from the kernel pool) to store the data about the APC object. If a component queues many APCs one after another, this can have performance implications, because a lot of non-paged memory is used and allocating that memory takes time.
NTSTATUS NtQueueApcThreadEx(
IN HANDLE ThreadHandle, IN USER_APC_OPTION UserApcOption, IN PPS_APC_ROUTINE ApcRoutine, IN PVOID SystemArgument1 OPTIONAL, IN PVOID SystemArgument2 OPTIONAL, IN PVOID SystemArgument3 OPTIONAL );
Link: https://repnz.github.io/posts/apc/user-apc/#ntqueueapcthreadex-reusing-kernel-memory Gitlab: https://gitlab.com/mjwhitta/runsc/-/blob/v1.3.4/api_windows.go#L157 Github: https://github.com/mjwhitta/win/blob/v0.15.2/api/ntdll_windows.go#L171
func NtWriteVirtualMemory ¶
func NtWriteVirtualMemory(processHandle windows.Handle, baseAddress *byte, buffer *byte, BufferSize uintptr, numberOfBytesWritten *uintptr) (value uintptr, err error)
NtWriteVirtualMemory is similar to WINAPI WriteProcessMemory.
NTSYSAPI NTSTATUS NTAPI NtWriteVirtualMemory(
IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG NumberOfBytesToWrite, OUT PULONG NumberOfBytesWritten OPTIONAL );
func OpenProcess ¶
func OpenProcess(desiredAccess uint32, inheritHandle bool, processId uint32) (handle windows.Handle, err error)
OpenProcess 打开现有的本地进程对象
HANDLE OpenProcess(
[in] DWORD dwDesiredAccess, [in] BOOL bInheritHandle, [in] DWORD dwProcessId );
如果函数成功,则返回值是指定进程的打开句柄。如果函数失败,则返回值为 NULL。
func OpenThread ¶
func OpenThread(desiredAccess uint32, inheritHandle bool, threadId uint32) (handle windows.Handle, err error)
OpenThread 打开现有线程对象
HANDLE OpenThread(
[in] DWORD dwDesiredAccess, [in] BOOL bInheritHandle, [in] DWORD dwThreadId );
如果函数成功,则返回值是指定线程的打开句柄。 如果函数失败,则返回值为 NULL。
func QueueUserAPC ¶
QueueUserAPC 将用户模式 异步过程调用 (APC) 对象添加到指定线程的 APC 队列
DWORD QueueUserAPC(
[in] PAPCFUNC pfnAPC, [in] HANDLE hThread, [in] ULONG_PTR dwData );
如果该函数成功,则返回值为非零值。 如果函数失败,则返回值为零。
func ReadProcessMemory ¶
func ReadProcessMemory(process windows.Handle, baseAddress uintptr, buffer *byte, size uintptr, numberOfBytesRead *uintptr) (err error)
ReadProcessMemory
BOOL ReadProcessMemory(
[in] HANDLE hProcess, [in] LPCVOID lpBaseAddress, [out] LPVOID lpBuffer, [in] SIZE_T nSize, [out] SIZE_T *lpNumberOfBytesRead );
如果该函数成功,则返回值为非零值。 如果函数失败,则返回值为 0。 如果请求的读取操作交叉到无法访问的进程区域,函数将失败。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory
func RtlCopyBytes ¶
RtlCopyBytes The RtlCopyBytes routine copies the specified number of bytes from a source memory block to a destination memory block.
VOID RtlCopyBytes(
_Out_ PVOID Destination, _In_ const VOID *Source, _In_ SIZE_T Length );
Return value: None.
Link: https://learn.microsoft.com/en-us/previous-versions/windows/hardware/kernel/ff561806(v=vs.85)
func RtlCopyMemory ¶
RtlCopyMemory 例程将源内存块的内容复制到目标内存块
void RtlCopyMemory(
void* Destination, const void* Source, size_t Length );
无返回值
Link: https://learn.microsoft.com/zh-cn/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlcopymemory
func RtlEthernetAddressToStringA ¶
RtlEthernetAddressToStringA 将二进制以太网地址转换为以太网 MAC 地址的字符串表示形式
NTSYSAPI PSTR RtlEthernetAddressToStringA(
[in] const DL_EUI48 *Addr, [out] PSTR S );
指向插入到以太网 MAC 地址字符串表示形式的末尾的 NULL 字符的指针。 调用方可以使用它轻松地将更多信息追加到字符串。
func RtlEthernetStringToAddressA ¶
func RtlEthernetStringToAddressA(s uintptr, terminator *byte, addr *byte) (value uintptr, err error)
RtlEthernetStringToAddressA 将以太网 MAC 地址的字符串表示形式转换为以太网地址的二进制格式
NTSYSAPI NTSTATUS RtlEthernetStringToAddressA(
[in] PCSTR S, [out] PCSTR *Terminator, [out] DL_EUI48 *Addr );
如果函数成功,则返回值 STATUS_SUCCESS。
func RtlIpv4AddressToStringA ¶
RtlIpv4AddressToStringA 将 IPv4 地址转换为 Internet 标准点十进制格式的字符串
NTSYSAPI PSTR RtlIpv4AddressToStringA(
[in] const in_addr *Addr, [out] PSTR S );
指向在 IPv4 地址的字符串表示形式末尾插入的 NULL 字符的指针。 调用方可以使用它轻松将更多信息追加到字符串。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/ip2string/nf-ip2string-rtlipv4addresstostringa
func RtlIpv4StringToAddressA ¶
func RtlIpv4StringToAddressA(s uintptr, strict uintptr, terminator *byte, addr *byte) (value uintptr, err error)
RtlIpv4StringToAddressA 将 IPv4 地址的字符串表示形式转换为二进制 IPv4 地址
NTSYSAPI NTSTATUS RtlIpv4StringToAddressA(
[in] PCSTR S, [in] BOOLEAN Strict, [out] PCSTR *Terminator, [out] in_addr *Addr );
如果函数成功,则返回值 STATUS_SUCCESS。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/ip2string/nf-ip2string-rtlipv4stringtoaddressa
func RtlMoveMemory ¶
RtlMoveMemory 将源内存块的内容复制到目标内存块,并支持重叠的源内存块和目标内存块
VOID RtlMoveMemory(
_Out_ VOID UNALIGNED *Destination, _In_ const VOID UNALIGNED *Source, _In_ SIZE_T Length );
无返回值
Link: https://learn.microsoft.com/en-us/windows/win32/devnotes/rtlmovememory
func SwitchToFiber ¶
SwitchToFiber Schedules a fiber. The function must be called on a fiber.
void SwitchToFiber(
[in] LPVOID lpFiber );
No return value.
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-switchtofiber
func TerminateThread ¶
TerminateThread 终止线程
BOOL TerminateThread(
[in, out] HANDLE hThread, [in] DWORD dwExitCode );
如果该函数成功,则返回值为非零值。 如果函数失败,则返回值为零。
func Thread32First ¶
Thread32First 检索系统快照中遇到的任何进程的第一个线程的相关信息
BOOL Thread32First(
[in] HANDLE hSnapshot, [in, out] LPTHREADENTRY32 lpte );
如果线程列表的第一个条目已复制到缓冲区,则返回 TRUE ,否则返回 FALSE 。 如果不存在线程或快照不包含线程信息,则 GetLastError 函数返回ERROR_NO_MORE_FILES错误值。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/tlhelp32/nf-tlhelp32-thread32first
func UuidFromStringA ¶
UuidFromStringA 函数将字符串转换为 UUID。
RPC_STATUS UuidFromStringA(
RPC_CSTR StringUuid, UUID *Uuid );
返回值 RPC_S_OK: 调用成功。 RPC_S_INVALID_STRING_UUID: 字符串 UUID 无效。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/rpcdce/nf-rpcdce-uuidfromstringa
func VirtualAlloc ¶
func VirtualAlloc(address uintptr, size uintptr, allocType uint32, protect uint32) (value uintptr, err error)
VirtualAlloc 保留、提交或更改调用进程的虚拟地址空间中页面区域的状态。此函数分配的内存会自动初始化为零。若要在另一个进程的地址空间中分配内存,请使用 VirtualAllocEx 函数。
LPVOID VirtualAlloc(
[in, optional] LPVOID lpAddress, [in] SIZE_T dwSize, [in] DWORD flAllocationType (e.g. MEM_COMMIT | MEM_RESERVE), [in] DWORD flProtect (e.g. PAGE_READWRITE or PAGE_EXECUTE_READWRITE) );
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc
func VirtualAllocEx ¶
func VirtualAllocEx(hProcess windows.Handle, lpAddress uintptr, dwSize uintptr, allocType uint32, protect uint32) (value uintptr, err error)
VirtualAllocEx 在指定进程的虚拟地址空间中保留、提交或更改内存区域的状态。函数将它分配的内存初始化为零。若要为物理内存指定 NUMA 节点,请参阅 VirtualAllocExNuma。
LPVOID VirtualAllocEx(
[in] HANDLE hProcess, [in, optional] LPVOID lpAddress, [in] SIZE_T dwSize, [in] DWORD flAllocationType, [in] DWORD flProtect );
如果函数成功,则返回值是已分配页区域的基址。如果函数失败,则返回值为 NULL。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
func VirtualProtect ¶
func VirtualProtect(address uintptr, size uintptr, newProtect uint32, oldProtect *uint32) (value uintptr, err error)
VirtualProtect 更改调用进程的虚拟地址空间中已提交页面区域的保护。若要更改任何进程的访问保护,请使用 VirtualProtectEx 函数。
BOOL VirtualProtect(
[in] LPVOID lpAddress, [in] SIZE_T dwSize, [in] DWORD flNewProtect, [out] PDWORD lpflOldProtect );
如果该函数成功,则返回值为非零值
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect
func VirtualProtectEx ¶
func VirtualProtectEx(process windows.Handle, address uintptr, size uintptr, newProtect uint32, oldProtect *uint32) (err error)
VirtualProtectEx 更改指定进程的虚拟地址空间中已提交页面区域的保护
BOOL VirtualProtectEx(
[in] HANDLE hProcess, [in] LPVOID lpAddress, [in] SIZE_T dwSize, [in] DWORD flNewProtect, [out] PDWORD lpflOldProtect );
如果该函数成功,则返回值为非零值
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex
func WaitForSingleObject ¶
WaitForSingleObject Waits until the specified object is in the signaled state or the time-out interval elapses. To enter an alertable wait state, use the WaitForSingleObjectEx function. To wait for multiple objects, use WaitForMultipleObjects.
DWORD WaitForSingleObject(
[in] HANDLE hHandle, [in] DWORD dwMilliseconds );
If the function succeeds, the return value indicates the event that caused the function to return; the possible WAIT_* values are listed at the link below.
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject
func WriteProcessMemory ¶
func WriteProcessMemory(process windows.Handle, baseAddress uintptr, buffer *byte, size uintptr, numberOfBytesWritten *uintptr) (err error)
WriteProcessMemory 将数据写入到指定进程中的内存区域。 要写入的整个区域必须可访问,否则操作将失败
BOOL WriteProcessMemory(
[in] HANDLE hProcess, [in] LPVOID lpBaseAddress, [in] LPCVOID lpBuffer, [in] SIZE_T nSize, [out] SIZE_T *lpNumberOfBytesWritten );
如果该函数成功,则返回值为非零值。 如果函数失败,则返回值为 0(零)。 要获得更多的错误信息,请调用 GetLastError。 如果请求的写入操作交叉到无法访问的进程区域,函数将失败。
Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory