kernel32

package
v1.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 21, 2022 License: GPL-3.0 Imports: 11 Imported by: 0

Documentation

Rendered for windows/amd64

Index

Constants

View Source 
const (
	STANDARD_RIGHTS_REQUIRED = 0x000F0000
	DELETE                   = 0x00010000
	READ_CONTROL             = 0x00020000
	WRITE_DAC                = 0x00040000
	WRITE_OWNER              = 0x00080000
	SYNCHRONIZE              = 0x00100000

	STANDARD_RIGHTS_READ    = READ_CONTROL
	STANDARD_RIGHTS_WRITE   = READ_CONTROL
	STANDARD_RIGHTS_EXECUTE = READ_CONTROL

	STANDARD_RIGHTS_ALL = 0x001F0000

	SPECIFIC_RIGHTS_ALL = 0x0000FFFF

	ACCESS_SYSTEM_SECURITY = 0x01000000
	MAXIMUM_ALLOWED        = 0x02000000

	GENERIC_READ    = 0x80000000
	GENERIC_WRITE   = 0x40000000
	GENERIC_EXECUTE = 0x20000000
	GENERIC_ALL     = 0x10000000

	PROCESS_ALL_ACCESS                = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff
	PROCESS_TERMINATE                 = 0x0001
	PROCESS_CREATE_THREAD             = 0x0002
	PROCESS_SET_SESSIONID             = 0x0004
	PROCESS_VM_OPERATION              = 0x0008
	PROCESS_VM_READ                   = 0x0010
	PROCESS_VM_WRITE                  = 0x0020
	PROCESS_DUP_HANDLE                = 0x0040
	PROCESS_CREATE_PROCESS            = 0x0080
	PROCESS_SET_QUOTA                 = 0x0100
	PROCESS_SET_INFORMATION           = 0x0200
	PROCESS_QUERY_INFORMATION         = 0x0400
	PROCESS_SUSPEND_RESUME            = 0x0800
	PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
)
View Source 
const (
	THREAD_TERMINATE                 = 0x0001
	THREAD_SUSPEND_RESUME            = 0x0002
	THREAD_GET_CONTEXT               = 0x0008
	THREAD_SET_CONTEXT               = 0x0010
	THREAD_SET_INFORMATION           = 0x0020
	THREAD_QUERY_INFORMATION         = 0x0040
	THREAD_SET_THREAD_TOKEN          = 0x0080
	THREAD_IMPERSONATE               = 0x0100
	THREAD_DIRECT_IMPERSONATION      = 0x0200
	THREAD_SET_LIMITED_INFORMATION   = 0x0400
	THREAD_QUERY_LIMITED_INFORMATION = 0x0800
	THREAD_ALL_ACCESS                = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff
)

threads

View Source 
const (
	TH32CS_SNAPHEAPLIST = 0x00000001
	TH32CS_SNAPPROCESS  = 0x00000002
	TH32CS_SNAPTHREAD   = 0x00000004
	TH32CS_SNAPMODULE   = 0x00000008
	TH32CS_SNAPMODULE32 = 0x00000010
	TH32CS_SNAPALL      = TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE
	TH32CS_INHERIT      = 0x80000000
)

Variables

This section is empty.

Functions

func AllVirtualQueryEx 

func AllVirtualQueryEx(hProcess win32.HANDLE) (cmbi chan win32.MemoryBasicInformation)

AllVirtualQueryEx helper function

func CheckProcessIntegrity 

func CheckProcessIntegrity(hProcess win32.HANDLE) (bytediff int, length int, err error)

CheckProcessIntegrity helper function to check process integrity compare entrypoint section on disk and in memory

func CloseHandle 

func CloseHandle(hObject win32.HANDLE) error

CloseHandle Win32 API wrapper

func CreateEvent 

func CreateEvent(lpEventAttribute uintptr,
	bManualReset win32.BOOL,
	bInitialState win32.BOOL,
	lpName string) (win32.HANDLE, error)

func CreateToolhelp32Snapshot 

func CreateToolhelp32Snapshot(dwFlags win32.DWORD, th32ProcessID win32.DWORD) (win32.HANDLE, error)

CreateToolhelp32Snapshot Win32 API wrapper

func EnumProcessModules 

func EnumProcessModules(hProcess win32.HANDLE) ([]win32.HANDLE, error)

func FindTextSection 

func FindTextSection(hProcess win32.HANDLE, mi MODULEINFO) (mbi win32.MemoryBasicInformation, err error)

FindTextSection returns the Memory Basic Information of the memory zone containing the entrypoint of the image

func FindTextSectionFromImage 

func FindTextSectionFromImage(image string) (section []byte, err error)

FindTextSectionFromImage returns the section containing the entrypoint

func ForceDumpAllMemory 

func ForceDumpAllMemory(pid int, dumpFile string) error

ForceDumpAllMemory helper function  TODO : increase the limitation used to dump memory

func GetCurrentProcess 

func GetCurrentProcess() (pseudoHandle win32.HANDLE, lastError error)

GetCurrentProcess Win32 API wrapper

func GetCurrentThread 

func GetCurrentThread() win32.HANDLE

GetCurrentThread win32 API wrapper

func GetCurrentThreadId 

func GetCurrentThreadId() win32.DWORD

GetCurrentThreadId win32 API wrapper

func GetExitCodeProcess 

func GetExitCodeProcess(hProcess win32.HANDLE) (exitCode win32.DWORD, err error)

GetExitCodeProcess win32 API wrapper hProcess must have the PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION

func GetFirstTidOfPid 

func GetFirstTidOfPid(pid int) int

GetFirstTidOfPid list the threads of process pid

func GetLastError 

func GetLastError() win32.DWORD

GetLastError win32 API wrapper

func GetModuleFilename 

func GetModuleFilename(hProcess win32.HANDLE) (string, error)

GetModuleFilename Win32 API wrapper

func GetModuleFilenameExW 

func GetModuleFilenameExW(hProcess win32.HANDLE, hModule win32.HANDLE) (string, error)

GetModuleFilenameExW Win32 API wrapper

func GetModuleFilenameFromPID 

func GetModuleFilenameFromPID(pid int) (fn string, err error)

GetModuleFilenameFromPID helper function to retrieve the module filename from a pid

func GetModuleFilenameSelf 

func GetModuleFilenameSelf() (string, error)

GetModuleFilenameSelf helper function to retrieve self executable module filename

func GetModuleHandleW 

func GetModuleHandleW(lpModuleName string) (win32.HANDLE, error)

GetModuleHandleW Win32 API wrapper

func GetProcessIdOfThread 

func GetProcessIdOfThread(hThread win32.HANDLE) (win32.DWORD, error)

GetProcessIdOfThread win32 API wrapper

func GetThreadContext 

func GetThreadContext(hThread win32.HANDLE, lpContext win32.LPCONTEXT) error

GetThreadContext Win32 API wrapper

func GetThreadId 

func GetThreadId(thread win32.HANDLE) (win32.DWORD, error)

GetThreadId win32 API wrapper

func IsPIDRunning 

func IsPIDRunning(pid int) bool

IsPIDRunning returns true if the process referenced by pid is running

func IsProcessRunning 

func IsProcessRunning(hProcess win32.HANDLE) bool

IsProcessRunning returns true if the process is running and false if not

func IsThreadRunning 

func IsThreadRunning(hThread win32.HANDLE) (bool, error)

IsThreadRunning returns true if hThread is running else false It is a little hack since I am not aware of any API call to check whether a thread is running or not

func ListThreads 

func ListThreads(pid int) (ctid chan int)

ListThreads list the threads of process pid

func OpenProcess 

func OpenProcess(dwDesiredAccess win32.DWORD, bInheritHandle win32.BOOL, dwProcessId win32.DWORD) (win32.HANDLE, error)

OpenProcess Win32 API wrapper

func OpenThread 

func OpenThread(dwDesiredAccess win32.DWORD, bInheritHandle win32.BOOL, dwThreadId win32.DWORD) (win32.HANDLE, error)

OpenThread Win32 api wrapper

func Process32FirstW 

func Process32FirstW(hSnapshot win32.HANDLE, lppe LPPROCESSENTRY32W) (bool, error)

func QueryDosDevice 

func QueryDosDevice(device string) (out []string, err error)

QueryDosDevice API wrapper if device is "" it retrieves the list of all available Devices https://docs.microsoft.com/en-us/windows/desktop/api/fileapi/nf-fileapi-querydosdevicew

func QueryFullProcessImageName 

func QueryFullProcessImageName(hProcess win32.HANDLE) (string, error)

QueryFullProcessImageName Win32 API wrapper

func ReadProcessMemory 

func ReadProcessMemory(hProcess win32.HANDLE, lpBaseAddress win32.LPCVOID, lpBuffer []byte) (int, error)

ReadProcessMemory Win32 API wrapper TODO: verify that we have everything

func ResetEvent 

func ResetEvent(hEvent win32.HANDLE) error

ResetEvent Win32 API wrapper

func ResumeProcess 

func ResumeProcess(pid int)

ResumeProcess resumes a previously suspended process

func ResumeThread 

func ResumeThread(hThread win32.HANDLE) (win32.DWORD, error)

ResumeThread Win32 API wrapper

func SetCurrentThreadPriority 

func SetCurrentThreadPriority(nPriority int) error

SetCurrentThreadPriority helper function to set priority of current Thread

func SetThreadContext 

func SetThreadContext(hThread win32.HANDLE, lpContext win32.LPCONTEXT) error

SetThreadContext Win32 API wrapper

func SetThreadPriority 

func SetThreadPriority(hThread win32.HANDLE, nPriority int) error

SetThreadPriority Win32 API wrapper

func SuspendProcess 

func SuspendProcess(pid int)

SuspendProcess suspends a given process

func SuspendThread 

func SuspendThread(hThread win32.HANDLE) (win32.DWORD, error)

SuspendThread Win32 API wrapper

func TerminateProcess 

func TerminateProcess(hProcess win32.HANDLE, exitCode win32.UINT) (err error)

func Thread32First 

func Thread32First(hSnapshot win32.HANDLE, lpte LPTHREADENTRY32) (bool, error)

Thread32First Win32 API wrapper

func Thread32Next 

func Thread32Next(hSnapshot win32.HANDLE, lpte LPTHREADENTRY32) (bool, error)

Thread32Next Win32 API wrapper

func ToJSON 

func ToJSON(data interface{}) string

func VirtualAllocEx 

func VirtualAllocEx(hProcess win32.HANDLE, lpAddress win32.LPVOID, dwSize win32.SIZE_T,
	flAllocationType win32.DWORD, flProtect win32.DWORD) (win32.LPVOID, error)

VirtualAllocEx Win32 API wrapper https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx LPVOID WINAPI VirtualAllocEx( _In_ HANDLE hProcess, _In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect ); TODO: Test it

func VirtualProtect 

func VirtualProtect(lpAddress win32.LPVOID, dwSize win32.SIZE_T, flNewProtect win32.DWORD) (lpflOldProtect win32.DWORD, err error)

VirtualProtect Win32 API wrapper

func VirtualQueryEx 

func VirtualQueryEx(hProcess win32.HANDLE, lpAddress win32.LPCVOID) (win32.MemoryBasicInformation, error)

VirtualQueryEx Win32 API wrapper

func WaitForMultipleObjects 

func WaitForMultipleObjects(lpHandles []win32.HANDLE, bWaitAll win32.BOOL, dwMilliseconds win32.DWORD) win32.DWORD

WaitForMultipleObjects wrapper DWORD WaitForMultipleObjects( 

DWORD        nCount,
const HANDLE *lpHandles,
BOOL         bWaitAll,
DWORD        dwMilliseconds

); https://docs.microsoft.com/en-us/windows/desktop/api/synchapi/nf-synchapi-waitformultipleobjects

func WaitForSingleObject 

func WaitForSingleObject(hHandle win32.HANDLE, dwMilliseconds win32.DWORD) win32.DWORD

func WaitThreadRuns 

func WaitThreadRuns(hThread win32.HANDLE, step, timeout time.Duration) bool

WaitThreadRuns waits until a thread is running

func WriteMemoryAndControl 

func WriteMemoryAndControl(hProcess win32.HANDLE, lpBaseAddress win32.LPCVOID, lpBuffer []byte) error

WriteMemoryAndControl write a buffer in memory and control it has been properly written. This function also manages the memory protections.

func WriteProcessMemory 

func WriteProcessMemory(hProcess win32.HANDLE, lpBaseAddress win32.LPCVOID, lpBuffer []byte) (int, error)

WriteProcessMemory Win32 API wrapper TODO: write test

Types

type LPCPROCESSENTRY32W 

type LPCPROCESSENTRY32W *PROCESSENTRY32W

type LPCTHREADENTRY32 

type LPCTHREADENTRY32 *THREADENTRY32

type LPPROCESSENTRY32W 

type LPPROCESSENTRY32W *PROCESSENTRY32W

type LPTHREADENTRY32 

type LPTHREADENTRY32 *THREADENTRY32

type MODULEINFO 

type MODULEINFO struct {
	LpBaseOfDll win32.LPVOID
	// Size of the image mapped in memory
	// To compute it from the image file we need to add all section sizes
	// rounded up to the dwPageSize (minimum alloc size) + 1 page for the PE header
	SizeOfImage win32.DWORD
	EntryPoint  win32.LPVOID
}

func GetImageModuleInfo 

func GetImageModuleInfo(hProcess win32.HANDLE) (mi MODULEINFO, err error)

GetImageModuleInfo helper function

func GetImageModuleInfoFromPID 

func GetImageModuleInfoFromPID(pid uint32) (mi MODULEINFO, err error)

GetImageModuleInfoFromPID helper function

func GetModuleInformation 

func GetModuleInformation(hProcess win32.HANDLE, hModule win32.HANDLE) (MODULEINFO, error)

GetModuleInformation Win32 API wrapper Calling process needs PROCESS_QUERY_INFORMATION and VM_READ

func (MODULEINFO) String 

func (mi MODULEINFO) String() string

type PROCESSENTRY32W 

type PROCESSENTRY32W struct {
	DwSize              win32.DWORD
	CntUsage            win32.DWORD
	Th32ProcessID       win32.DWORD
	Th32DefaultHeapID   win32.ULONG_PTR
	Th32ModuleID        win32.DWORD
	CntThreads          win32.DWORD
	Th32ParentProcessID win32.DWORD
	PcPriClassBase      win32.LONG
	DwFlags             win32.DWORD
	SzExeFile           [win32.MAX_PATH]uint16
}

func NewProcessEntry32W 

func NewProcessEntry32W() PROCESSENTRY32W

type THREADENTRY32 

type THREADENTRY32 struct {
	DwSize             win32.DWORD
	CntUsage           win32.DWORD
	Th32ThreadID       win32.DWORD
	Th32OwnerProcessID win32.DWORD
	TpBasePri          win32.LONG
	TpDeltaPri         win32.LONG
	DwFlags            win32.DWORD
}

func NewThreadEntry32 

func NewThreadEntry32() THREADENTRY32

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.