winapi

package v0.5.1
Published: Mar 20, 2023 License: GPL-3.0 Imports: 6 Imported by: 1

Documentation

Overview

Package winapi is a Windows-specific package that assists with handling or accessing many advanced WinAPI functions. This package also contains various helper functions to assist with complex operations.

Index

Constants

const (
	ErrNoData             syscall.Errno = 232
	ErrPipeBusy           syscall.Errno = 231
	ErrIoPending          syscall.Errno = 997
	ErrBrokenPipe         syscall.Errno = 109
	ErrSemTimeout         syscall.Errno = 121
	ErrBadPathname        syscall.Errno = 161
	ErrInvalidName        syscall.Errno = 123
	ErrNoMoreFiles        syscall.Errno = 18
	ErrIoIncomplete       syscall.Errno = 996
	ErrFileNotFound       syscall.Errno = 2
	ErrPipeConnected      syscall.Errno = 535
	ErrOperationAborted   syscall.Errno = 995
	ErrInsufficientBuffer syscall.Errno = 122
)

Windows API Specific syscall error values.

const (
	// CurrentThread returns the handle for the current thread. It is a pseudo
	// handle that does not need to be closed.
	CurrentThread = ^uintptr(2 - 1)
	// CurrentProcess returns the handle for the current process. It is a pseudo
	// handle that does not need to be closed.
	CurrentProcess = ^uintptr(0)
)

const (
	// SwHide hides the window and activates another window.
	SwHide uint8 = iota
	// SwNormal activates and displays a window. If the window is minimized or
	// maximized, the system restores it to its original size and position. An
	// application should specify this flag when displaying the window for the
	// first time.
	SwNormal
	// SwMinimized activates the window and displays it as a minimized window.
	SwMinimized
	// SwMaximize activates the window and displays it as a maximized window.
	SwMaximize
	// SwNoActive displays a window in its most recent size and position. This
	// value is similar to SwNormal, except that the window is not activated.
	SwNoActive
	// SwShow activates the window and displays it in its current size and
	// position.
	SwShow
	// SwMinimize minimizes the specified window and activates the next top-level
	// window in the Z order.
	SwMinimize
	// SwMinimizeNoActive displays the window as a minimized window. This value
	// is similar to SwMinimized, except the window is not activated.
	SwMinimizeNoActive
	// SwShowNoActive displays the window in its current size and position.
	// This value is similar to SwShow, except that the window is not activated.
	SwShowNoActive
	// SwRestore activates and displays the window. If the window is minimized
	// or maximized, the system restores it to its original size and position.
	// An application should specify this flag when restoring a minimized window.
	SwRestore
	// SwDefault sets the show state based on the SW_ value specified in the
	// STARTUPINFO structure passed to the CreateProcess function by the program
	// that started the application.
	SwDefault
	// SwMinimizeForce minimizes a window, even if the thread that owns the
	// window is not responding. This flag should only be used when minimizing
	// windows from a different thread.
	SwMinimizeForce
)

Variables

This section is empty.

Functions

func ActiveDisplays added in v0.2.2

func ActiveDisplays() (uint32, error)

ActiveDisplays returns the count of current active displays enabled on the device.

This function returns an error if any error occurs when retrieving the display count.

func AdjustTokenPrivileges

func AdjustTokenPrivileges(h uintptr, disableAll bool, new unsafe.Pointer, newLen uint32, old unsafe.Pointer, oldLen *uint32) error

AdjustTokenPrivileges Windows API Call

The AdjustTokenPrivileges function enables or disables privileges in the
specified access token. Enabling or disabling privileges in an access token
requires TOKEN_ADJUST_PRIVILEGES access.

https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges

Re-targeted to use 'NtAdjustPrivilegesToken' instead. https://docs.rs/ntapi/0.3.6/aarch64-pc-windows-msvc/ntapi/ntseapi/fn.NtAdjustPrivilegesToken.html

func BlockInput added in v0.3.0

func BlockInput(e bool) error

BlockInput Windows API Call

Blocks keyboard and mouse input events from reaching applications.

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-blockinput

func CancelIoEx

func CancelIoEx(h uintptr, o *Overlapped) error

CancelIoEx Windows API Call

Marks any outstanding I/O operations for the specified file handle. The
function only cancels I/O operations in the current process, regardless of
which thread created the I/O operation.

https://docs.microsoft.com/en-us/windows/win32/fileio/cancelioex-func

Re-targeted to use 'NtCancelIoFileEx' instead. https://learn.microsoft.com/en-us/windows/win32/devnotes/nt-cancel-io-file-ex

NOTE(dij): ^ THIS IS WRONG! It forgets the IO_STATUS_BLOCK entry at the end.

NtCancelIoFileEx (HANDLE FileHandle, PIO_STATUS_BLOCK IoRequestToCancel, PIO_STATUS_BLOCK IoStatusBlock)

This function will fallback to 'NtCancelIoFile' if the underlying device is older than Windows 7 and built using <= go1.10.

Normally, Windows Vista would work, but this has a weird issue that causes it to wait forever.

func CheckDLL added in v0.4.2

func CheckDLL(dll string, addr uint32, b []byte) (bool, error)

CheckDLL attempts to check the in-memory contents of the DLL name or file path provided to ensure it matches "known-good" values.

This function version will check the DLL contents against the supplied bytes and starting address. The 'winapi.ExtractDLLBase' function can supply these values. If the byte array is nil/empty, this function returns an error.

DLL base names are expanded to full paths if they are not already full path names (unless the name is a known DLL name).

This returns true if the DLL is considered valid/unhooked.

func CheckDLLFile added in v0.4.2

func CheckDLLFile(dll string) (bool, error)

CheckDLLFile attempts to check the in-memory contents of the DLL name or file path provided to ensure it matches "known-good" values.

This function version will read in the DLL data from the disk and will verify the entire executable region.

DLL base names are expanded to full paths if they are not already full path names (unless the name is a known DLL name).

This returns true if the DLL is considered valid/unhooked.

func CheckDebugWithLoad added in v0.3.1

func CheckDebugWithLoad(d string) bool

CheckDebugWithLoad will attempt to check for a debugger by loading the specified DLL (one that is not already loaded) and then checking whether it can be opened for exclusive access (which fails when a debugger is attached).

If the file can be opened, the library is freed and the file is closed. This will return true ONLY if opening for exclusive access fails.

Any errors opening or loading DLLs will silently return false.

func CheckFunction added in v0.4.2

func CheckFunction(dll, name string, b []byte) (bool, error)

CheckFunction attempts to check the in-memory contents of the DLL name or file path provided with the supplied function name to ensure it matches "known-good" values.

This function version will check the function base address against the supplied bytes. If the bytes supplied are nil/empty, this will do a simple long JMP/CALL Assembly check instead.

DLL base names are expanded to full paths if they are not already full path names (unless the name is a known DLL name).

This returns true if the DLL function is considered valid/unhooked.

func CheckRemoteDebuggerPresent

func CheckRemoteDebuggerPresent(h uintptr, b *bool) error

CheckRemoteDebuggerPresent Windows API Call

Determines whether the specified process is being debugged.

https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-checkremotedebuggerpresent

Calls 'NtQueryInformationProcess' under the hood.

func CloseWindow added in v0.3.2

func CloseWindow(h uintptr) error

CloseWindow is a helper function that sends the WM_DESTROY to the supplied Window handle.

If the value of h is 0, this will target ALL FOUND WINDOWS.

func ConnectNamedPipe

func ConnectNamedPipe(h uintptr, o *Overlapped) error

ConnectNamedPipe Windows API Call

Enables a named pipe server process to wait for a client process to connect
to an instance of a named pipe. A client process connects by calling either
the CreateFile or CallNamedPipe function.

https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-connectnamedpipe

func CreateEvent

func CreateEvent(sa *SecurityAttributes, manual, initial bool, name string) (uintptr, error)

CreateEvent Windows API Call

Creates or opens a named or unnamed event object.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-CreateEventw

func CreateFile

func CreateFile(name string, access, mode uint32, sa *SecurityAttributes, disposition, attrs uint32, template uintptr) (uintptr, error)

CreateFile Windows API Call

Creates or opens a file or I/O device. The most commonly used I/O devices
are as follows: file, file stream, directory, physical disk, volume, console
buffer, tape drive, communications resource, mailslot, and pipe. The function
returns a handle that can be used to access the file or device for various
types of I/O depending on the file or device and the flags and attributes
specified.

https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew

func CreateMailslot

func CreateMailslot(name string, maxSize uint32, timeout int32, sa *SecurityAttributes) (uintptr, error)

CreateMailslot Windows API Call

Creates a mailslot with the specified name and returns a handle that a
mailslot server can use to perform operations on the mailslot. The mailslot
is local to the computer that creates it. An error occurs if a mailslot
with the specified name already exists.

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createmailslotw

func CreateMutex

func CreateMutex(sa *SecurityAttributes, initial bool, name string) (uintptr, error)

CreateMutex Windows API Call

Creates or opens a named or unnamed mutex object.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-CreateMutexw

func CreateNamedPipe

func CreateNamedPipe(name string, flags, mode, max, out, in, timeout uint32, sa *SecurityAttributes) (uintptr, error)

CreateNamedPipe Windows API Call

Creates an instance of a named pipe and returns a handle for subsequent pipe
operations. A named pipe server process uses this function either to create
the first instance of a specific named pipe and establish its basic attributes
or to create a new instance of an existing named pipe.

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea

func CreateProcess

func CreateProcess(name, cmd string, procSa, threadSa *SecurityAttributes, inherit bool, flags uint32, env []string, dir string, y *StartupInfo, x *StartupInfoEx, i *ProcessInformation) error

CreateProcess Windows API Call

Creates a new process and its primary thread. The new process runs in the
security context of the calling process.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw

func CreateProcessWithLogin added in v0.3.0

func CreateProcessWithLogin(user, domain, pass string, loginFlags uint32, name, cmd string, flags uint32, env []string, dir string, y *StartupInfo, x *StartupInfoEx, i *ProcessInformation) error

CreateProcessWithLogin Windows API Call

Creates a new process and its primary thread. Then the new process runs the
specified executable file in the security context of the specified credentials
(user, domain, and password). It can optionally load the user profile for a
specified user.

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw

func CreateProcessWithToken

func CreateProcessWithToken(t uintptr, loginFlags uint32, name, cmd string, flags uint32, env []string, dir string, y *StartupInfo, x *StartupInfoEx, i *ProcessInformation) error

CreateProcessWithToken Windows API Call

Creates a new process and its primary thread. The new process runs in the
security context of the specified token. It can optionally load the user
profile for the specified user.

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw

This function returns 'syscall.EINVAL' if the underlying device is Windows XP and built using <= go1.10.

func CreateSemaphore

func CreateSemaphore(sa *SecurityAttributes, initial, max uint32, name string) (uintptr, error)

CreateSemaphore Windows API Call

Creates or opens a named or unnamed semaphore object.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-CreateSemaphorew

func DisconnectNamedPipe

func DisconnectNamedPipe(h uintptr) error

DisconnectNamedPipe Windows API Call

Disconnects the server end of a named pipe instance from a client process.

https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-disconnectnamedpipe

func DisplayBounds added in v0.2.2

func DisplayBounds(i uint32) (image.Rectangle, error)

DisplayBounds returns the bounds of the supplied display index.

This function will return the bounds of the first monitor if the index is out of bounds of the current display count.

func DuplicateHandle

func DuplicateHandle(srcProc, src, dstProc uintptr, dst *uintptr, access uint32, inherit bool, options uint32) error

DuplicateHandle Windows API Call

Duplicates an object handle.

https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle

Re-targeted to use 'NtDuplicateObject' instead. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwduplicateobject

func DuplicateTokenEx

func DuplicateTokenEx(h uintptr, access uint32, sa *SecurityAttributes, level, p uint32, new *uintptr) error

DuplicateTokenEx Windows API Call

The DuplicateTokenEx function creates a new access token that duplicates an
existing token. This function can create either a primary token or an
impersonation token.

https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex

Re-targeted to use 'NtDuplicateToken' instead. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntduplicatetoken

func EmptyWorkingSet added in v0.3.0

func EmptyWorkingSet()

EmptyWorkingSet Windows API Call wrapper

Removes as many pages as possible from the working set of the specified
process.

https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-emptyworkingset

Wraps the 'SetProcessWorkingSetSizeEx' call instead to prevent having to track the 'EmptyWorkingSet' function between kernel32.dll and psapi.dll.

This function will fall back to 'SetProcessWorkingSetSize' if the underlying device is Windows XP and built using <= go1.10.

func EnablePrivileges added in v0.3.1

func EnablePrivileges(s ...string) error

EnablePrivileges will attempt to enable the supplied Windows privilege values on the current process's Token.

If errors occur during encoding, lookup or assignment, they are returned and not all privileges will have been assigned.

func EnableTokenPrivileges added in v0.3.1

func EnableTokenPrivileges(h uintptr, s ...string) error

EnableTokenPrivileges will attempt to enable the supplied Windows privilege values on the supplied process Token.

If errors occur during encoding, lookup or assignment, they are returned and not all privileges will have been assigned.

func EnableWindow added in v0.3.0

func EnableWindow(h uintptr, e bool) (bool, error)

EnableWindow Windows API Call

Enables or disables mouse and keyboard input to the specified window or
control. When input is disabled, the window does not receive input such as
mouse clicks and key presses. When input is enabled, the window receives
all input.

The returned boolean is true if the window was previously enabled, or false if it was disabled. (This value is always false if 'AllWindows'/0 is passed as the handle.)

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enablewindow

If the value of h is 0, this will target ALL FOUND WINDOWS.

func EnumDrivers added in v0.4.2

func EnumDrivers(f func(uintptr, string) error) error

EnumDrivers attempts to retrieve the list of currently loaded drivers and will call the supplied function with the handle of each driver along with the base name of the driver file.

If the supplied function returns a non-nil error, driver iteration stops immediately and that error is returned by this function.

Callers can return the special 'winapi.ErrNoMoreFiles' error, which stops iteration but causes this function to return nil. This can be used to stop iteration without errors if needed.

func EnumProcesses added in v0.4.2

func EnumProcesses(f func(ProcessEntry) error) error

EnumProcesses attempts to retrieve the list of currently running Processes and will call the supplied function with an entry for each Process.

If the supplied function returns a non-nil error, Process iteration stops immediately and that error is returned by this function.

Callers can return the special 'winapi.ErrNoMoreFiles' error, which stops iteration but causes this function to return nil. This can be used to stop iteration without errors if needed.

This function is affected by the 'snap' build tag, which if supplied will use the 'CreateToolhelp32Snapshot' API function instead of the default 'NtQuerySystemInformation' API function.

func EnumThreads added in v0.4.2

func EnumThreads(pid uint32, f func(ThreadEntry) error) error

EnumThreads attempts to retrieve the list of currently running Process Threads and will call the supplied function with an entry for each Thread that matches the supplied Process ID.

If the supplied function returns a non-nil error, Thread iteration stops immediately and that error is returned by this function.

Callers can return the special 'winapi.ErrNoMoreFiles' error, which stops iteration but causes this function to return nil. This can be used to stop iteration without errors if needed.

This function is affected by the 'snap' build tag, which if supplied will use the 'CreateToolhelp32Snapshot' API function instead of the default 'NtQuerySystemInformation' API function.
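EnumDrivers, EnumProcesses and EnumThreads share one callback contract: a non-nil error from the callback aborts the walk and is returned, except that 'winapi.ErrNoMoreFiles' stops the walk cleanly with a nil result. The example below is added here and is not the package's own code; it reproduces that contract over a constructed in-memory process list so it runs off Windows, and assumes a ProcessEntry with PID, PPID and Name fields (the package's real type is not shown on this page) plus hypothetical helper names (fakeEnumProcesses, FindByName, CheckParent).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"syscall"
)

// ErrNoMoreFiles mirrors the sentinel that the winapi.Enum* functions treat as
// "stop iterating and return nil" (value taken from the package's constant block).
const ErrNoMoreFiles syscall.Errno = 18

// ProcessEntry is a stand-in for winapi.ProcessEntry; these field names are an
// assumption for this example, not the package's own definition.
type ProcessEntry struct {
	PID  uint32
	PPID uint32
	Name string
}

// Enumerator has the shape of winapi.EnumProcesses: it calls f once per entry
// and returns f's non-nil error, except that ErrNoMoreFiles means a clean early
// stop and is turned into nil.
type Enumerator func(f func(ProcessEntry) error) error

// fakeEnumProcesses walks a constructed sample process list with the same
// callback contract as winapi.EnumProcesses. The entries are made up for the
// example, not captured from a real system.
func fakeEnumProcesses(f func(ProcessEntry) error) error {
	sample := []ProcessEntry{
		{PID: 4, PPID: 0, Name: "System"},
		{PID: 612, PPID: 4, Name: "smss.exe"},
		{PID: 700, PPID: 612, Name: "csrss.exe"},
		{PID: 1024, PPID: 700, Name: "svchost.exe"},
		{PID: 2048, PPID: 700, Name: "svchost.exe"},
		{PID: 3000, PPID: 1024, Name: "notepad.exe"},
	}
	for _, e := range sample {
		if err := f(e); err != nil {
			if errors.Is(err, ErrNoMoreFiles) {
				return nil // sentinel: stop quietly
			}
			return err // any other error aborts and propagates
		}
	}
	return nil
}

// FindByName collects up to limit entries whose base name matches (case
// insensitively). Once the limit is reached it returns ErrNoMoreFiles from the
// callback, so the walk ends early while the caller still receives a nil error.
// A limit of zero means "no limit".
func FindByName(enum Enumerator, name string, limit int) ([]ProcessEntry, error) {
	var out []ProcessEntry
	err := enum(func(e ProcessEntry) error {
		if strings.EqualFold(e.Name, name) {
			out = append(out, e)
			if limit > 0 && len(out) >= limit {
				return ErrNoMoreFiles
			}
		}
		return nil
	})
	return out, err
}

// ErrUnexpectedParent is a constructed "real" callback error: anything other
// than ErrNoMoreFiles aborts the walk and is returned to the caller unchanged.
var ErrUnexpectedParent = errors.New("process has an unexpected parent")

// CheckParent returns a wrapped ErrUnexpectedParent for the first process named
// name whose parent PID differs from wantPPID; nil means every match passed.
func CheckParent(enum Enumerator, name string, wantPPID uint32) error {
	return enum(func(e ProcessEntry) error {
		if strings.EqualFold(e.Name, name) && e.PPID != wantPPID {
			return fmt.Errorf("%s (pid %d, ppid %d): %w", e.Name, e.PID, e.PPID, ErrUnexpectedParent)
		}
		return nil
	})
}

func main() {
	found, err := FindByName(fakeEnumProcesses, "svchost.exe", 1)
	fmt.Println(len(found), err) // early stop via sentinel: 1 <nil>
	fmt.Println(CheckParent(fakeEnumProcesses, "notepad.exe", 1024))
	fmt.Println(CheckParent(fakeEnumProcesses, "notepad.exe", 700))
}
```

Swap fakeEnumProcesses for winapi.EnumProcesses on Windows and the helpers work unchanged, since only the Enumerator shape matters.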

func ErasePEHeader added in v0.5.1

func ErasePEHeader() error

ErasePEHeader erases the first page of the mapped PE memory data. It is recommended to use this ONLY with a shipped binary.

Any errors found during zeroing will be returned.

Retrieved from: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDump/ErasePEHeaderFromMemory.cpp

func ExtractDLLBase added in v0.4.2

func ExtractDLLBase(dll string) (uint32, []byte, error)

ExtractDLLBase will extract the '.text' (executable) section of the supplied DLL file path or basename (Windows-only) and return the '.text' base address and raw bytes to be used in calls to 'winapi.Patch*' or 'winapi.Check*'.

This function returns any errors that may occur during reading.

Non-Windows devices may use this function to extract DLL data.

func ExtractDLLBaseRaw added in v0.4.2

func ExtractDLLBaseRaw(v []byte) (uint32, []byte, error)

ExtractDLLBaseRaw will extract the '.text' (executable) section of the supplied DLL raw bytes and return the '.text' base address and raw bytes to be used in calls to 'winapi.Patch*' or 'winapi.Check*'.

This function returns any errors that may occur during reading.

Non-Windows devices may use this function to extract DLL data.

func ExtractDLLFunction added in v0.4.2

func ExtractDLLFunction(dll string, name string, count uint32) ([]byte, error)

ExtractDLLFunction will extract 'count' bytes from the supplied DLL file path or basename (Windows-only) at the base of the supplied function name.

If 'count' is zero, this defaults to 16 bytes.

This function returns any errors that may occur during reading. Forwarded functions also return an error that indicates where the forward points to.

Non-Windows devices may use this function to extract DLL data.

func ExtractDLLFunctionRaw added in v0.4.2

func ExtractDLLFunctionRaw(v []byte, name string, count uint32) ([]byte, error)

ExtractDLLFunctionRaw will extract 'count' bytes from the supplied DLL raw bytes at the base of the supplied function name.

If 'count' is zero, this defaults to 16 bytes.

This function returns any errors that may occur during reading. Forwarded functions also return an error that indicates where the forward points to.

Non-Windows devices may use this function to extract DLL data.

func FileSigningIssuerName added in v0.5.0

func FileSigningIssuerName(path string) (string, error)

FileSigningIssuerName attempts to read the Authenticode signing certificate issuer name for the specified file path.

If the file does not exist or a certificate cannot be found, this returns the error 'syscall.EINVAL'.

If the function succeeds, the result is the string name of the certificate issuer.

func FnvHash added in v0.4.4

func FnvHash(n string) uint32

FnvHash returns the fnv32 hash of the supplied string value.

func ForEachProcThread added in v0.4.2

func ForEachProcThread(f func(uintptr) error) error

ForEachProcThread is a helper function that allows a function to be executed with the handle of the Thread.

This function only returns an error if enumerating the Threads generates an error or the supplied function returns an error.

This function targets ALL threads (including non-Golang threads). To target only Golang threads, use 'ForEachThread'.

func ForEachThread added in v0.3.1

func ForEachThread(f func(uintptr) error) error

ForEachThread is a helper function that allows a function to be executed with the handle of the Thread.

This function only returns an error if enumerating the Threads generates an error or the supplied function returns an error.

This function ONLY targets Golang threads. To target all Process threads, use 'ForEachProcThread'.

func FuncRemap added in v0.4.4

func FuncRemap(_ string, _ []byte) error

FuncRemap attempts to remap the raw ntdll.dll function name with the supplied machine-code bytes. If successful, this will point all function calls in the runtime to that allocated byte array in memory, bypassing any hooked calls without overwriting any existing memory.

This function returns EINVAL if the byte slice is empty or ErrNotExist if the function name is not a recognized ntdll.dll function that does a direct syscall.

It is recommended to call 'FuncUnmap(name)' or 'FuncUnmapAll' once complete to release the memory space.

The 'Func*' functions only work if the build tag "funcmap" is used at build time; otherwise these functions return EINVAL.

func FuncRemapHash added in v0.4.4

func FuncRemapHash(_ uint32, _ []byte) error

FuncRemapHash attempts to remap the raw ntdll.dll function hash with the supplied machine-code bytes. If successful, this will point all function calls in the runtime to that allocated byte array in memory, bypassing any hooked calls without overwriting any existing memory.

This function returns EINVAL if the byte slice is empty or ErrNotExist if the function hash is not a recognized ntdll.dll function that does a direct syscall.

It is recommended to call 'FuncUnmap(name)' or 'FuncUnmapAll' once complete to release the memory space.

The 'Func*' functions only work if the build tag "funcmap" is used at build time; otherwise these functions return EINVAL.

func FuncUnmap added in v0.4.4

func FuncUnmap(_ string) error

FuncUnmap will attempt to unmap the ntdll.dll function by name. If successful all calls to the affected function will work normally and the allocated memory region will be freed.

This function returns ErrNotExist if the function name is not a recognized ntdll.dll function that does a direct syscall.

This function returns nil even if the function was not previously remapped.

If this function returns any errors do not assume the call site was fixed to behave normally.

func FuncUnmapAll added in v0.4.4

func FuncUnmapAll() error

FuncUnmapAll attempts to call 'FuncUnmap' on all currently mapped functions. If any error occurs during unmapping, this function will stop and return an error. Errors will stop any pending unmap calls from occurring.

func FuncUnmapHash added in v0.4.4

func FuncUnmapHash(_ uint32) error

FuncUnmapHash will attempt to unmap the ntdll.dll function by its function hash. If successful, all calls to the affected function will work normally and the allocated memory region will be freed.

This function returns ErrNotExist if the function hash is not a recognized ntdll.dll function that does a direct syscall.

This function returns nil even if the function was not previously remapped.

If this function returns any errors do not assume the call site was fixed to behave normally.

func GetCodeIntegrityState added in v0.5.0

func GetCodeIntegrityState() (uint32, error)

GetCodeIntegrityState returns a bit value representing the Code Integrity status of the current device. If the return value is zero without an error, code integrity is disabled.

func GetCurrentProcessID

func GetCurrentProcessID() uint32

GetCurrentProcessID Windows API Call

Retrieves the process identifier of the calling process.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentprocessid

func GetDebugPrivilege

func GetDebugPrivilege() error

GetDebugPrivilege is a quick helper function that will attempt to grant the caller the "SeDebugPrivilege" privilege.

func GetDiskSize added in v0.5.1

func GetDiskSize(name string) (uint64, error)

GetDiskSize returns the size in bytes of the disk by its NT path or the path to a partition or volume on the disk.

Any errors encountered during reading will be returned.

The name can be in the format of an NT path such as:

  • \\.\C:
  • \\.\PhysicalDrive0

Both are equal on /most/ systems.

func GetExitCodeProcess

func GetExitCodeProcess(h uintptr, e *uint32) error

GetExitCodeProcess Windows API Call

Retrieves the termination status of the specified process.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getexitcodeprocess

Calls 'NtQueryInformationProcess' under the hood.

func GetExitCodeThread

func GetExitCodeThread(h uintptr, e *uint32) error

GetExitCodeThread Windows API Call

Retrieves the termination status of the specified thread.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getexitcodethread

Calls 'NtQueryInformationThread' under the hood.

func GetKernelTime added in v0.4.4

func GetKernelTime() time.Time

GetKernelTime returns the system time based on the KSHARED_USER_DATA struct in memory that is converted to a time.Time struct.

This can be used to get the system time without relying on any API calls.

NOTE(dij): Supposedly Go already reads this for 'time.Now()'?

func GetLocalUser added in v0.4.2

func GetLocalUser() (string, error)

GetLocalUser attempts to return the username associated with the current Thread or Process.

This function will first check if the Thread is using a Token (Impersonation) and if not it will then pull the Token for the Process instead.

This function will concatenate the domain (or local workstation) name if the Token provides one.

If any errors occur, an empty string with the error will be returned.

func GetLogicalDrives

func GetLogicalDrives() (uint32, error)

GetLogicalDrives Windows API Call

Retrieves a bitmask representing the currently available disk drives.

https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getlogicaldrives

func GetOverlappedResult

func GetOverlappedResult(h uintptr, o *Overlapped, n *uint32, w bool) error

GetOverlappedResult Windows API Call

Retrieves the results of an overlapped operation on the specified file,
named pipe, or communications device. To specify a timeout interval or wait
on an alertable thread, use GetOverlappedResultEx.

https://docs.microsoft.com/en-us/windows/win32/api/ioapiset/nf-ioapiset-getoverlappedresult

func GetProcessFileName

func GetProcessFileName(h uintptr) (string, error)

GetProcessFileName will attempt to retrieve the basename of the process related to the open Process handle supplied.

func GetProcessID

func GetProcessID(h uintptr) (uint32, error)

GetProcessID Windows API Call

Retrieves the process identifier of the specified process.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessid

Calls 'NtQueryInformationProcess' instead under the hood.

func GetTokenInformation

func GetTokenInformation(t uintptr, class uint32, info *byte, length uint32, ret *uint32) error

GetTokenInformation Windows API Call

The GetTokenInformation function retrieves a specified type of information
about an access token. The calling process must have appropriate access
rights to obtain the information.

https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-gettokeninformation

Re-targeted to use 'NtQueryInformationToken' instead. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationtoken

func GetVersionNumbers added in v0.4.2

func GetVersionNumbers() (uint32, uint32, uint16)

GetVersionNumbers returns the NTDLL internal version numbers as Major, Minor and Build.

This function should return the correct values regardless of manifest version.

func Getppid added in v0.4.2

func Getppid() uint32

Getppid returns the Parent Process ID of this Process by reading the PEB. If this fails, this returns zero.

func HideGoThreads added in v0.4.2

func HideGoThreads() error

HideGoThreads is a utility function that can aid in anti-debugging measures. This will set the "ThreadHideFromDebugger" flag on all GOLANG threads only.

func ImpersonateNamedPipeClient

func ImpersonateNamedPipeClient(h uintptr) error

ImpersonateNamedPipeClient Windows API Call

The ImpersonateNamedPipeClient function impersonates a named-pipe client
application.

https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient

func ImpersonatePipeToken added in v0.3.1

func ImpersonatePipeToken(h uintptr) error

ImpersonatePipeToken will attempt to impersonate the Token used by the Named Pipe client.

This function is only usable on Windows with a Server Pipe handle.

BUG(dij): I'm not sure if this is broken or this is how it's handled. I'm getting error 5.

Pipe insights:

https://papers.vx-underground.org/papers/Windows/System%20Components%20and%20Abuse/Offensive%20Windows%20IPC%20Internals%201%20Named%20Pipes.pdf

func InSafeMode added in v0.4.4

func InSafeMode() bool

InSafeMode returns true if the current device was booted into Safe Mode, false otherwise.

func InWow64Process added in v0.5.1

func InWow64Process() (bool, error)

InWow64Process is a helper function that just calls 'IsWow64Process' with the 'CurrentProcess' handle to determine if the current process is a WOW64 process.

func InitiateSystemShutdownEx added in v0.4.0

func InitiateSystemShutdownEx(t, msg string, secs uint32, force, reboot bool, reason uint32) error

InitiateSystemShutdownEx Windows API Call

Initiates a shutdown and optional restart of the specified computer, and
optionally records the reason for the shutdown.

NOTE: The caller must have the "SeShutdownPrivilege" privilege enabled. This function does NOT automatically request it.

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-initiatesystemshutdownexa

func IsDebugged added in v0.4.2

func IsDebugged() bool

IsDebugged attempts to check multiple system calls in order to determine REAL debugging status.

NOTE: Systems that are "Debug" / "Checked" versions of Windows will always return false!

This function checks in this order:

  • KSHARED.KdDebuggerEnabled
  • KSHARED.SharedDataFlags.DbgErrorPortPresent
  • NtQuerySystemInformation/SystemKernelDebuggerInformation
  • IsDebuggerPresent (from PEB)
  • NtGlobalFlag (from PEB)
  • OutputDebugStringA
  • CheckRemoteDebuggerPresent

Errors make the function return false only if they are the last call.

func IsSecureBootEnabled added in v0.5.0

func IsSecureBootEnabled() (bool, error)

IsSecureBootEnabled returns true if Secure Boot is enabled in the current device.

This function returns true or false and any errors that may occur during checking for secure boot.

func IsStackTracingEnabled added in v0.4.4

func IsStackTracingEnabled() bool

IsStackTracingEnabled returns true if the KSHARED_USER_DATA.MaxStackTraceDepth value is greater than zero.

MaxStackTraceDepth is a value that represents the stack trace depth if tracing is enabled. If this flag is greater than zero, it is likely that some form of debug tracing is enabled.

func IsSystemEval added in v0.4.4

func IsSystemEval() bool

IsSystemEval returns true if the KSHARED_USER_DATA.SystemExpirationDate value is greater than zero.

SystemExpirationDate is the time that remains in any evaluation copies of Windows. This can be used to find systems that may be used for testing and are not production machines.

func IsTokenElevated

func IsTokenElevated(h uintptr) bool

IsTokenElevated returns true if this token has High or System level privileges.

Always returns false on any systems older than Windows Vista.

func IsUACEnabled added in v0.4.4

func IsUACEnabled() bool

IsUACEnabled returns true if UAC (User Account Control) is enabled, false otherwise.

func IsUTCTime added in v0.4.4

func IsUTCTime() (bool, error)

IsUTCTime checks the current system TimeZone information to see if the device is set to the UTC time zone. Most systems in debugging/logging environments will have this set.

This function detects UTC because its biases are always zero, and it is the only time zone with this property.

func IsUserNetworkToken added in v0.4.4

func IsUserNetworkToken(t uintptr) bool

IsUserNetworkToken will return true if the origin of the Token was a LoginUser network impersonation API call and NOT a duplicated Token via Token or Thread impersonation.

func IsWindows10 added in v0.5.0

func IsWindows10() bool

IsWindows10 returns true if the underlying device runs at least Windows 10 (>=10).

func IsWindows7 added in v0.5.0

func IsWindows7() bool

IsWindows7 returns true if the underlying device runs at least Windows 7 (>=6.2) and built using <= go1.10.

If built using >= go1.11, this function always returns true.

func IsWindowsVista added in v0.5.0

func IsWindowsVista() bool

IsWindowsVista returns true if the underlying device runs at least Windows Vista (>=6) and built using <= go1.10.

If built using >= go1.11, this function always returns true.

func IsWindowsXp added in v0.5.0

func IsWindowsXp() bool

IsWindowsXp returns true if the underlying device is Windows Xp and NOT Server 2003.

If built using >= go1.11, this function always returns false.

func IsWow64Process added in v0.3.6

func IsWow64Process(h uintptr) (bool, error)

IsWow64Process Windows API Call

Determines whether the specified process is running under WOW64 or an
Intel64 or x64 processor.

https://docs.microsoft.com/en-us/windows/win32/api/wow64apiset/nf-wow64apiset-iswow64process

func KillRuntime added in v0.2.5

func KillRuntime()

KillRuntime attempts to walk through the process threads and will forcefully kill all Golang based OS-Threads based on their starting address (which should be the same when starting from CGo).

This will attempt to determine the base thread and any children that may be running and take action on what type of host we're in to best end the runtime without crashing.

This function can be used on binaries, shared libraries or Zombified processes.

DO NOT EXPECT ANYTHING (INCLUDING DEFERS) TO HAPPEN AFTER THIS FUNCTION.

func LoadDLL

func LoadDLL(s string) (uintptr, error)

LoadDLL loads DLL file into memory.

This function will attempt to load non-absolute paths from the system dependent DLL directory (usually system32).

func LoadLibraryAddress

func LoadLibraryAddress() uintptr

LoadLibraryAddress is a simple function that returns the raw address of the 'LoadLibraryW' function in 'kernel32.dll' that's currently loaded.

func LoadLibraryEx

func LoadLibraryEx(s string, flags uintptr) (uintptr, error)

LoadLibraryEx Windows API Call

Loads the specified module into the address space of the calling process.
The specified module may cause other modules to be loaded.

https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexw

func LoginUser added in v0.3.0

func LoginUser(user, domain, pass string, logintype, provider uint32) (uintptr, error)

LoginUser Windows API Call

The LogonUser function attempts to log a user on to the local computer. The
local computer is the computer from which LogonUser was called. You cannot
use LogonUser to log on to a remote computer. You specify the user with a
user name and domain and authenticate the user with a plaintext password.
If the function succeeds, you receive a handle to a token that represents
the logged-on user. You can then use this token handle to impersonate the
specified user or, in most cases, to create a process that runs in the
context of the specified user.

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw

func LookupPrivilegeValue

func LookupPrivilegeValue(system, name string, l *LUID) error

LookupPrivilegeValue Windows API Call

The LookupPrivilegeValue function retrieves the locally unique identifier
(LUID) used on a specified system to locally represent the specified privilege
name.

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupprivilegevaluew

func MessageBox added in v0.3.2

func MessageBox(h uintptr, text, title string, f uint32) (uint32, error)

MessageBox Windows API Call

Displays a modal dialog box that contains a system icon, a set of buttons,
and a brief application-specific message, such as status or error information.
The message box returns an integer value that indicates which button the user
clicked.

If the handle 'h' is '-1', "CurrentProcess" or "^uintptr(0)", this will attempt to target the Desktop window, which will fall back to '0' if it fails.

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxw

func MiniDumpWriteDump added in v0.2.2

func MiniDumpWriteDump(h uintptr, pid uint32, o uintptr, f uint32, w io.Writer) error

MiniDumpWriteDump Windows API Call

Writes user-mode minidump information to the specified file handle.

https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump

Updated version that will take and use the supplied Writer instead, if the file handle is zero.

This function may fail if attempting to dump a process that is a different CPU architecture than the host process.

Dumping to a Writer instead of a file is not available on systems older than Windows Vista and will return 'syscall.EINVAL' instead.

func NtAllocateVirtualMemory

func NtAllocateVirtualMemory(h uintptr, size, access uint32) (uintptr, error)

NtAllocateVirtualMemory Windows API Call

The NtAllocateVirtualMemory routine reserves, commits, or both, a region of
pages within the user-mode virtual address space of a specified process.

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntallocatevirtualmemory

func NtCreateSection added in v0.4.2

func NtCreateSection(access uint32, size uint64, protect, attrs uint32, file uintptr) (uintptr, error)

NtCreateSection Windows API Call

The NtCreateSection routine creates a section object.

https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwcreatesection

func NtCreateThreadEx

func NtCreateThreadEx(h, address, args uintptr, suspended bool) (uintptr, error)

NtCreateThreadEx Windows API Call

Creates a thread that runs in the virtual address space of another process
and optionally specifies extended attributes such as processor group affinity.

http://pinvoke.net/default.aspx/ntdll/NtCreateThreadEx.html

This function will fall back to 'CreateRemoteThread' if the underlying device is older than Windows Vista and built using <= go1.10.

func NtFreeVirtualMemory

func NtFreeVirtualMemory(h, address, size uintptr) error

NtFreeVirtualMemory Windows API Call

The NtFreeVirtualMemory routine releases, decommits, or both releases and
decommits, a region of pages within the virtual address space of a specified
process.

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntfreevirtualmemory

func NtImpersonateThread added in v0.4.2

func NtImpersonateThread(h, client uintptr, s *SecurityQualityOfService) error

NtImpersonateThread Windows API Call

This routine is used to cause the server thread to impersonate the client
thread.  The impersonation is done according to the specified quality
of service parameters.

http://web.archive.org/web/20190822133735/https://www.codewarrior.cn/ntdoc/winnt/ps/NtImpersonateThread.htm

Thanks to: https://www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html

func NtMapViewOfSection added in v0.4.2

func NtMapViewOfSection(section, proc uintptr, offset, size uint64, dis, allocType, protect uint32) (uintptr, error)

NtMapViewOfSection Windows API Call

The NtMapViewOfSection routine maps a view of a section into the virtual
address space of a subject process.

https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsection

func NtProtectVirtualMemory

func NtProtectVirtualMemory(h, address uintptr, size, access uint32) (uint32, error)

NtProtectVirtualMemory Windows API Call

Changes the protection on a region of committed pages in the virtual address
space of a specified process.

http://pinvoke.net/default.aspx/ntdll/NtProtectVirtualMemory.html

func NtResumeProcess added in v0.4.4

func NtResumeProcess(h uintptr) error

NtResumeProcess Windows API Call

Resumes a process and all its threads.

http://www.pinvoke.net/default.aspx/ntdll/NtResumeProcess.html

func NtSuspendProcess added in v0.4.4

func NtSuspendProcess(h uintptr) error

NtSuspendProcess Windows API Call

Suspends a process and all its threads.

http://www.pinvoke.net/default.aspx/ntdll/NtSuspendProcess.html

func NtUnmapViewOfSection added in v0.4.2

func NtUnmapViewOfSection(proc, section uintptr) error

NtUnmapViewOfSection Windows API Call

The NtUnmapViewOfSection routine un-maps a view of a section from the virtual
address space of a subject process.

https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwunmapviewofsection

func NtWriteVirtualMemory

func NtWriteVirtualMemory(h, address uintptr, b []byte) (uint32, error)

NtWriteVirtualMemory Windows API Call

This function copies the specified address range from the current process
into the specified address range of the specified process.

http://www.codewarrior.cn/ntdoc/winnt/mm/NtWriteVirtualMemory.htm

func OpenEvent

func OpenEvent(access uint32, inherit bool, name string) (uintptr, error)

OpenEvent Windows API Call

Opens an existing named event object.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-openeventw

func OpenMutex

func OpenMutex(access uint32, inherit bool, name string) (uintptr, error)

OpenMutex Windows API Call

Opens an existing named mutex object.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-OpenMutexw

func OpenProcess

func OpenProcess(access uint32, inherit bool, pid uint32) (uintptr, error)

OpenProcess Windows API Call

Opens an existing local process object.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

Re-targeted to use 'NtOpenProcess' instead. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-ntopenprocess

func OpenProcessToken

func OpenProcessToken(h uintptr, access uint32, res *uintptr) error

OpenProcessToken Windows API Call

The OpenProcessToken function opens the access token associated with a process.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken

Re-targeted to use 'NtOpenProcessToken' instead. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstoken

func OpenSemaphore

func OpenSemaphore(access uint32, inherit bool, name string) (uintptr, error)

OpenSemaphore Windows API Call

Opens an existing named semaphore object.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-OpenSemaphorew

func OpenThread

func OpenThread(access uint32, inherit bool, tid uint32) (uintptr, error)

OpenThread Windows API Call

Opens an existing thread object.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthread

Re-targeted to use 'NtOpenThread' instead. https://learn.microsoft.com/en-us/windows/win32/devnotes/ntopenthread

func OpenThreadToken

func OpenThreadToken(h uintptr, access uint32, self bool, t *uintptr) error

OpenThreadToken Windows API Call

The OpenThreadToken function opens the access token associated with a thread.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthreadtoken

Re-targeted to use 'NtOpenThreadToken' instead. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtoken

func PatchAmsi added in v0.4.2

func PatchAmsi() error

PatchAmsi will attempt to zero out the following function calls with an ASM patch that returns zero (Primary AMSI/PowerShell calls).

  • AmsiInitialize
  • AmsiScanBuffer
  • AmsiScanString

This will return an error if any of the patches fail.

This function returns 'syscall.EINVAL' if AMSI is not available on the target system (AMSI is present on Windows 10 and newer).

func PatchDLL added in v0.4.2

func PatchDLL(dll string, addr uint32, b []byte) error

PatchDLL attempts to overwrite the in-memory contents of the DLL name or file path provided to ensure it has "known-good" values.

This function version will overwrite the DLL contents with the supplied bytes starting at the supplied address. The 'winapi.ExtractDLLBase' function can supply these values. If the byte array is nil/empty, this function returns an error.

DLL base names will be expanded to full paths if they are not already full path names (unless the name is a known DLL name).

func PatchDLLFile added in v0.4.2

func PatchDLLFile(dll string) error

PatchDLLFile attempts to overwrite the in-memory contents of the DLL name or file path provided to ensure it has "known-good" values.

This function version will read in the DLL data from the local disk and will overwrite the entire executable region.

DLL base names will be expanded to full paths if they are not already full path names (unless the name is a known DLL name).

func PatchFunction added in v0.4.2

func PatchFunction(dll, name string, b []byte) error

PatchFunction attempts to overwrite the in-memory contents of the DLL name or file path provided, at the supplied function name, to ensure it has "known-good" values.

This function version will overwrite the function base address with the supplied bytes. If the bytes supplied are nil/empty, this function returns an error.

DLL base names will be expanded to full paths if they are not already full path names (unless the name is a known DLL name).

func PatchTracing added in v0.4.2

func PatchTracing() error

PatchTracing will attempt to zero out the following function calls with an ASM patch that returns zero:

  • NtTraceEvent
  • DebugBreak
  • DbgBreakPoint
  • EtwEventWrite
  • EtwEventRegister
  • EtwEventWriteFull
  • EtwNotificationRegister

This will return an error if any of the patches fail.

Any system older than Windows Vista will NOT patch ETW functions as they do not exist in older versions.

func PhysicalInfo added in v0.4.4

func PhysicalInfo() (uint8, uint32, error)

PhysicalInfo will query the system using NtQuerySystemInformation to grab the number of CPUs installed and the current memory (in MB) that is available to the system (installed physically).

func QueryServiceDynamicInformation added in v0.2.1

func QueryServiceDynamicInformation(h uintptr, l uint32) (uint32, error)

QueryServiceDynamicInformation Windows API Call

Retrieves dynamic information related to the current service start.

https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-queryservicedynamicinformation

This function is not available on any systems older than Windows 8 (<= Win8).

func ReadFile

func ReadFile(h uintptr, b []byte, n *uint32, o *Overlapped) error

ReadFile Windows API Call

Reads data from the specified file or input/output (I/O) device. Reads
occur at the position specified by the file pointer if supported by the device.

https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-readfile

func RegCreateKeyEx

func RegCreateKeyEx(h uintptr, path, class string, options, access uint32, sa *SecurityAttributes, out *uintptr, result *uint32) error

RegCreateKeyEx Windows API Call

Creates the specified registry key. If the key already exists, the function
opens it. Note that key names are not case sensitive.

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regcreatekeyexw

func RegDeleteKey

func RegDeleteKey(h uintptr, path string) error

RegDeleteKey Windows API Call

Deletes a subkey and its values. Note that key names are not case sensitive.
ONLY DELETES EMPTY SUBKEYS. (invalid argument if non-empty)

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regdeletekeyw

func RegDeleteKeyEx added in v0.2.3

func RegDeleteKeyEx(h uintptr, path string, f uint32) error

RegDeleteKeyEx Windows API Call

Deletes a subkey and its values. Note that key names are not case sensitive.
ONLY DELETES EMPTY SUBKEYS. (invalid argument if non-empty)

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regdeletekeyexw

This function will fall back to 'RegDeleteKey' if the underlying device is older than Windows Vista and built using <= go1.10.

func RegDeleteTree added in v0.2.3

func RegDeleteTree(h uintptr, path string) error

RegDeleteTree Windows API Call

Deletes the subkeys and values of the specified key recursively.

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regdeletetreew

This function returns 'syscall.EINVAL' if the underlying device is older than Windows Vista and built using <= go1.10.

func RegDeleteValue

func RegDeleteValue(h uintptr, path string) error

RegDeleteValue Windows API Call

Removes a named value from the specified registry key. Note that value names
are not case sensitive.

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regdeletevaluew

func RegEnumValue

func RegEnumValue(h uintptr, index uint32, path *uint16, pathLen, valType *uint32, data *byte, dataLen *uint32) error

RegEnumValue Windows API Call

Enumerates the values for the specified open registry key. The function
copies one indexed value name and data block for the key each time it is
called.

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regenumvaluew

func RegFlushKey added in v0.3.7

func RegFlushKey(h uintptr) error

RegFlushKey Windows API Call

Writes all the attributes of the specified open registry key into the registry.

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regflushkey

func RegSetValueEx

func RegSetValueEx(h uintptr, path string, t uint32, data *byte, dataLen uint32) error

RegSetValueEx Windows API Call

Sets the data and type of a specified value under a registry key.

https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-RegSetValueExw

func RegisterServiceCtrlHandlerEx added in v0.2.1

func RegisterServiceCtrlHandlerEx(name string, handler uintptr, args uintptr) (uintptr, error)

RegisterServiceCtrlHandlerEx Windows API Call

Registers a function to handle extended service control requests.

https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-registerservicectrlhandlerexw

func ResumeThread

func ResumeThread(h uintptr) (uint32, error)

ResumeThread Windows API Call

Decrements a thread's suspend count. When the suspend count is decremented
to zero, the execution of the thread is resumed.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-resumethread

Re-targeted to use 'NtResumeThread' instead. https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/type.NtResumeThread.html

func RevertToSelf

func RevertToSelf() error

RevertToSelf Windows API Call

The RevertToSelf function terminates the impersonation of a client application.

https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-revqerttoself

Alias of 'SetAllThreadsToken(0)'

NOTE(dij): This only clears the token on all the Golang Threads. Same as 'device.RevertToSelf'.

func ScreenShot added in v0.2.2

func ScreenShot(x, y, width, height uint32, w io.Writer) error

ScreenShot attempts to take a PNG-encoded screenshot of the current dimensions specified into the supplied io.Writer.

This function will return an error if any of the API calls or encoding the image fails.

func SendInput added in v0.3.2

func SendInput(h uintptr, s string) error

SendInput will attempt to set the window 'h' to the front (activate) and will perform input typing of the supplied string as input events.

The window handle can be zero to ignore targeting a window.

func SetAllThreadsToken added in v0.4.4

func SetAllThreadsToken(h uintptr) error

SetAllThreadsToken sets the Token for all current Golang threads. This is an easy way to do thread impersonation across the entire runtime.

Calls 'ForEachThread' -> 'SetThreadToken' under the hood.

func SetCommandLine added in v0.4.2

func SetCommandLine(s string) error

SetCommandLine will attempt to read the Process PEB and overwrite the 'ProcessParameters.CommandLine' property with the supplied string value.

This will NOT change the ImagePath or Binary Name.

This will return any errors that occur during reading the PEB.

DOES NOT WORK ON WOW6432 PEBs!

  • These are in a separate memory space and seem to only be read once? or the data is copied somewhere else. Even if I call 'NtWow64QueryInformationProcess64' and change it, it does NOT seem to care. *shrug* who TF uses x86 anyway in 2022!?

TODO(dij): Since we have backwards compatibility now. The 32bit PEB can be read using NtQueryInformationProcess/ProcessWow64Information which returns 32bit pointer to the PEB in 32bit mode.

func SetEvent added in v0.3.5

func SetEvent(h uintptr) error

SetEvent Windows API Call

Sets the specified event object to the signaled state.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-setevent

Re-targeted to use 'NtSetEvent' instead. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwsetevent

func SetForegroundWindow added in v0.3.2

func SetForegroundWindow(h uintptr) error

SetForegroundWindow Windows API Call

Brings the thread that created the specified window into the foreground and
activates the window. Keyboard input is directed to the window, and various
visual cues are changed for the user. The system assigns a slightly higher
priority to the thread that created the foreground window than it does to
other threads.

This function is supplemented with the "SetFocus" function, which allows requesting THEN setting the foreground window without user interaction.

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setforegroundwindow

func SetHighContrast added in v0.3.0

func SetHighContrast(e bool) error

SetHighContrast uses the 'SystemParametersInfo' API call to trigger the HighContrast theme setting. Set to 'True' to enable it and 'False' to disable it.

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-systemparametersinfoa

func SetProcessIsCritical added in v0.4.4

func SetProcessIsCritical(c bool) (bool, error)

SetProcessIsCritical Windows API Call

Set process system critical status.
Returns the last Critical status.

https://www.codeproject.com/articles/43405/protecting-your-process-with-rtlsetprocessiscriti

func SetServiceStatus added in v0.2.1

func SetServiceStatus(h uintptr, s *ServiceStatus) error

SetServiceStatus Windows API Call

Contains status information for a service. The ControlService, EnumDependentServices,
EnumServicesStatus, and QueryServiceStatus functions use this structure. A
service uses this structure in the SetServiceStatus function to report its
current status to the service control manager.

https://docs.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_status

func SetThreadToken

func SetThreadToken(h uintptr, t uintptr) error

SetThreadToken Windows API Call

The SetThreadToken function assigns an impersonation token to a thread. The
function can also cause a thread to stop using an impersonation token.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadtoken

Calls 'NtSetInformationThread' under the hood.

func SetWallpaper added in v0.3.0

func SetWallpaper(s string) error

SetWallpaper uses the 'SystemParametersInfo' API call to set the user's wallpaper. Changes take effect immediately.

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-systemparametersinfoa

func SetWindowPos added in v0.3.2

func SetWindowPos(h uintptr, x, y, width, height int32) error

SetWindowPos Windows API Call

Changes the size, position, and Z order of a child, pop-up, or top-level
window. These windows are ordered according to their appearance on the screen.
The topmost window receives the highest rank and is the first window in the
Z order.

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowpos

Use '-1' for both the 'x' and 'y' arguments to ignore changing the position and just change the size OR use '-1' for both the 'width' and 'height' arguments to only change the window position.

This implementation does NOT change the active state or Z order of the window.

func SetWindowTransparency added in v0.3.0

func SetWindowTransparency(h uintptr, t uint8) error

SetWindowTransparency will attempt to set the transparency of the window handle to 0-255, 0 being completely transparent and 255 being opaque.

If the value of h is 0, this will target ALL FOUND WINDOWS.

func ShowWindow added in v0.3.2

func ShowWindow(h uintptr, t uint8) (bool, error)

ShowWindow Windows API Call

Sets the specified window's show state.

The provided Sw* constants can be used to specify a show type.

The resulting boolean is true if the window was previously visible, or false if it was hidden. (This value is always false if 'AllWindows'/0 is passed as the handle.)

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-showwindow

If the value of h is 0, this will target ALL FOUND WINDOWS.

func StartServiceCtrlDispatcher added in v0.2.1

func StartServiceCtrlDispatcher(t *ServiceTableEntry) error

StartServiceCtrlDispatcher Windows API Call

Connects the main thread of a service process to the service control manager,
which causes the thread to be the service control dispatcher thread for the
calling process.

https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicectrldispatcherw

func StringListToUTF16Block

func StringListToUTF16Block(s []string) (*uint16, error)

StringListToUTF16Block creates a UTF16 encoded block for usage as a Process environment block.

This function returns an error if any of the environment strings are not in the 'KEY=VALUE' format or contain a NUL byte.

func SuspendThread

func SuspendThread(h uintptr) (uint32, error)

SuspendThread Windows API Call

Suspends the specified thread.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread

Re-targeted to use 'NtSuspendThread' instead. https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/type.NtSuspendThread.html

func SwapMouseButtons added in v0.3.0

func SwapMouseButtons(e bool) error

SwapMouseButtons uses the 'SystemParametersInfo' API call to trigger the swapping of the left and right mouse buttons. Set to 'True' to swap and 'False' to disable it.

https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-systemparametersinfoa

func SystemDirectory added in v0.4.2

func SystemDirectory() string

SystemDirectory Windows API Call

Retrieves the path of the system directory. The system directory contains
system files such as dynamic-link libraries and drivers.

https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getsystemdirectoryw

Technically a link to the runtime "GetSystemDirectory" cached API call.

func TerminateProcess

func TerminateProcess(h uintptr, e uint32) error

TerminateProcess Windows API Call

Terminates the specified process and all of its threads.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess

Re-targeted to use 'NtTerminateProcess' instead. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-zwterminateprocess

func TerminateThread

func TerminateThread(h uintptr, e uint32) error

TerminateThread Windows API Call

Terminates a thread.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminatethread

Re-targeted to use 'NtTerminateThread' instead. http://pinvoke.net/default.aspx/ntdll/NtTerminateThread.html

func UTF16Decode

func UTF16Decode(s []uint16) []rune

UTF16Decode returns the Unicode code point sequence represented by the supplied UTF-16 encoded values.

func UTF16EncodeStd

func UTF16EncodeStd(s []rune) []uint16

UTF16EncodeStd encodes the runes into a UTF16 array and ignores zero points.

This is ONLY safe to use if you know what you're doing.

func UTF16FromString

func UTF16FromString(s string) ([]uint16, error)

UTF16FromString returns the UTF-16 encoding of the UTF-8 string with a terminating NUL added.

If the string contains a NUL byte at any location, it returns syscall.EINVAL.

func UTF16PtrFromString

func UTF16PtrFromString(s string) (*uint16, error)

UTF16PtrFromString returns pointer to the UTF-16 encoding of the UTF-8 string, with a terminating NUL added.

If the string contains a NUL byte at any location, it returns syscall.EINVAL.

func UTF16PtrToString

func UTF16PtrToString(p *uint16) string

UTF16PtrToString takes a pointer to a UTF-16 sequence and returns the corresponding UTF-8 encoded string.

If the pointer is nil, it returns the empty string. It assumes that the UTF-16 sequence is terminated at a zero word; if the zero word is not present, the program may crash.

func UTF16ToString

func UTF16ToString(s []uint16) string

UTF16ToString returns the UTF-8 encoding of the UTF-16 sequence s, with a terminating NUL and any bytes after the NUL removed.
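As an added example (not code from this package), the following portable Go sketch models the documented behaviour of three of these helpers: UTF16FromString's rejection of embedded NULs, UTF16ToString's truncation at the first zero word, and StringListToUTF16Block's 'KEY=VALUE' validation and double-NUL-terminated environment block. It also includes a hypothetical ParseUTF16Block consumer that walks such a block, which makes clear why an embedded NUL has to be refused up front: it would otherwise split or truncate an entry silently. The function bodies, the 'KEY=VALUE' rules (non-empty key, at least one '=') and the sample environment are assumptions for illustration, not the package's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// ErrEmbeddedNUL stands in for the documented syscall.EINVAL case: a NUL inside
// the string would silently terminate the wide string on the Windows side, so
// it is rejected before any encoding happens.
var ErrEmbeddedNUL = errors.New("string contains an embedded NUL byte")

// UTF16FromString returns the UTF-16 encoding of s with a terminating NUL
// word appended, or ErrEmbeddedNUL if s already contains a NUL.
func UTF16FromString(s string) ([]uint16, error) {
	if strings.IndexByte(s, 0) != -1 {
		return nil, ErrEmbeddedNUL
	}
	return utf16.Encode([]rune(s + "\x00")), nil
}

// UTF16ToString decodes s up to (not including) the first zero word, so any
// leftover words after the terminator in an oversized buffer are dropped.
func UTF16ToString(s []uint16) string {
	for i, v := range s {
		if v == 0 {
			s = s[:i]
			break
		}
	}
	return string(utf16.Decode(s))
}

// StringListToUTF16Block builds a process environment block: every entry is
// "KEY=VALUE" followed by a NUL word, and the whole block ends with one more
// NUL word (an empty list is therefore two NUL words). Entries without '=',
// with an empty key, or containing a NUL are rejected (assumed rules).
func StringListToUTF16Block(env []string) ([]uint16, error) {
	if len(env) == 0 {
		return []uint16{0, 0}, nil
	}
	var block []uint16
	for _, e := range env {
		if eq := strings.IndexByte(e, '='); eq <= 0 {
			return nil, fmt.Errorf("environment entry %q is not in KEY=VALUE form", e)
		}
		enc, err := UTF16FromString(e) // adds the per-entry NUL, rejects embedded NULs
		if err != nil {
			return nil, fmt.Errorf("environment entry %q: %w", e, err)
		}
		block = append(block, enc...)
	}
	return append(block, 0), nil // block terminator
}

// ParseUTF16Block is the consumer's view of the block (hypothetical helper):
// it splits on NUL words and stops at the empty entry that marks the end.
func ParseUTF16Block(block []uint16) []string {
	var out []string
	start := 0
	for i, v := range block {
		if v != 0 {
			continue
		}
		if i == start { // zero-length entry: the double-NUL terminator
			break
		}
		out = append(out, string(utf16.Decode(block[start:i])))
		start = i + 1
	}
	return out
}

func main() {
	// Constructed sample environment (not from a real process).
	block, err := StringListToUTF16Block([]string{"PATH=C:\\Windows\\System32", "TMP=C:\\Temp"})
	fmt.Println(len(block), err, ParseUTF16Block(block))
	// An embedded NUL is refused instead of silently truncating the entry.
	_, err = StringListToUTF16Block([]string{"KEY=va\x00lue"})
	fmt.Println(err)
}
```

The parser shows the failure mode the NUL check guards against: if "KEY=va\x00lue" were encoded as-is, a consumer would see the entry "KEY=va", and a second NUL landing next to the per-entry terminator could end the whole block early, dropping every entry after it.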

func Untrust added in v0.3.1

func Untrust(p uint32) error

Untrust will attempt to revoke all Token permissions and change the Token integrity level to "Untrusted".

This effectively revokes all permissions for the application with the supplied PID to run.

Ensure a call to 'GetDebugPrivilege' is made first before starting.

Thanks for the find by @zha0gongz1 in their article:

https://golangexample.com/without-closing-windows-defender-to-make-defender-useless-by-removing-its-token-privileges-and-lowering-the-token-integrity/

func UpdateProcThreadAttribute

func UpdateProcThreadAttribute(a *StartupAttributes, attr uintptr, val unsafe.Pointer, valLen uint64, old *StartupAttributes, oldLen *uint64) error

UpdateProcThreadAttribute Windows API Call

Updates the specified attribute in a list of attributes for process and
thread creation.

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute

func UserFromToken added in v0.3.2

func UserFromToken(h uintptr) (string, error)

UserFromToken will attempt to get the User SID from the supplied Token and return the associated Username and Domain string from the SID.

func UserInAdminGroup added in v0.5.0

func UserInAdminGroup() bool

UserInAdminGroup returns true if the current thread or process token user is part of the Administrators group. This is only used if the device is older than Windows Vista and built using <= go1.10.

If built using >= go1.11, this function always returns false.

func WTSCloseServer added in v0.4.2

func WTSCloseServer(h uintptr)

WTSCloseServer Windows API Call

Closes an open handle to a Remote Desktop Session Host (RD Session Host)
server.

https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtscloseserver

func WTSDisconnectSession added in v0.4.2

func WTSDisconnectSession(server uintptr, sid int32, wait bool) error

WTSDisconnectSession Windows API Call

Disconnects the logged-on user from the specified Remote Desktop Services
session without closing the session. If the user subsequently logs on to
the same Remote Desktop Session Host (RD Session Host) server, the user is
reconnected to the same session.

https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtsdisconnectsession

func WTSLogoffSession added in v0.4.2

func WTSLogoffSession(server uintptr, sid int32, wait bool) error

WTSLogoffSession Windows API Call

Logs off a specified Remote Desktop Services session.

https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtslogoffsession

func WTSOpenServer added in v0.4.2

func WTSOpenServer(server string) (uintptr, error)

WTSOpenServer Windows API Call

Opens a handle to the specified Remote Desktop Session Host (RD Session Host)
server.

https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtsopenserverw

func WTSSendMessage added in v0.4.2

func WTSSendMessage(server uintptr, sid int32, title, text string, f, secs uint32, wait bool) (uint32, error)

WTSSendMessage Windows API Call

Displays a message box on the client desktop of a specified Remote Desktop
Services session.

https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtssendmessagew

func WaitForMultipleObjects added in v0.3.5

func WaitForMultipleObjects(h []uintptr, all bool, timeout int32) (uint32, error)

WaitForMultipleObjects Windows API Call

Waits until one or all of the specified objects are in the signaled state or
the time-out interval elapses. To enter an alertable wait state, use the
WaitForMultipleObjectsEx function.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitformultipleobjects

Calls 'WaitForMultipleObjectsEx' under the hood.

func WaitForSingleObject

func WaitForSingleObject(h uintptr, timeout int32) (uint32, error)

WaitForSingleObject Windows API Call

Waits until the specified object is in the signaled state or the time-out
interval elapses.

https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject

func WaitNamedPipe

func WaitNamedPipe(name string, timeout uint32) error

WaitNamedPipe Windows API Call

Waits until either a time-out interval elapses or an instance of the
specified named pipe is available for connection (that is, the pipe's server
process has a pending ConnectNamedPipe operation on the pipe).

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-waitnamedpipea

func WinHTTPGetDefaultProxyConfiguration

func WinHTTPGetDefaultProxyConfiguration(i *ProxyInfo) error

WinHTTPGetDefaultProxyConfiguration Windows API Call

The WinHttpGetDefaultProxyConfiguration function retrieves the default WinHTTP
proxy configuration from the registry.

https://docs.microsoft.com/en-us/windows/win32/api/winhttp/nf-winhttp-winhttpgetdefaultproxyconfiguration

This function returns 'syscall.EINVAL' if the underlying device is Windows XP and built using <= go1.10.

func WriteFile

func WriteFile(h uintptr, b []byte, n *uint32, o *Overlapped) error

WriteFile Windows API Call

Writes data to the specified file or input/output (I/O) device.

https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefile

Types

type ACL

type ACL struct {
	// contains filtered or unexported fields
}

ACL matches the ACL struct

https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-acl

typedef struct _ACL {
  BYTE AclRevision;
  BYTE Sbz1;
  WORD AclSize;
  WORD AceCount;
  WORD Sbz2;
} ACL;

DO NOT REORDER

type FuncEntry added in v0.4.4

type FuncEntry struct{}

FuncEntry is a simple struct that is used to describe the current status of function mappings. This struct is returned by a call to 'FuncRemapList' in a slice of current remaps.

func FuncRemapList added in v0.4.4

func FuncRemapList() []FuncEntry

FuncRemapList returns a list of all current remapped functions. This includes the old and new addresses and the function name hash.

If no functions are remapped, this function returns nil.

func (FuncEntry) MarshalStream added in v0.4.4

func (FuncEntry) MarshalStream(_ data.Writer) error

MarshalStream transforms this struct into a binary format and writes to the supplied data.Writer.

type LUID

type LUID struct {
	Low  uint32
	High int32
}

LUID matches the LUID struct

https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-luid

typedef struct _LUID {
  DWORD LowPart;
  LONG  HighPart;
} LUID, *PLUID;

DO NOT REORDER

type LUIDAndAttributes

type LUIDAndAttributes struct {
	Luid       LUID
	Attributes uint32
}

LUIDAndAttributes matches the LUID_AND_ATTRIBUTES struct

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/wmipjobobjprov/win32-luidandattributes

typedef struct _LUID_AND_ATTRIBUTES {
  LUID  Luid;
  DWORD Attributes;
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;

DO NOT REORDER

type Overlapped

type Overlapped struct {
	Internal     uintptr
	InternalHigh uintptr
	Offset       uint32
	OffsetHigh   uint32
	Event        uintptr
}

Overlapped matches the OVERLAPPED struct

https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-overlapped

typedef struct _OVERLAPPED {
  ULONG_PTR Internal;
  ULONG_PTR InternalHigh;
  DWORD Offset;
  DWORD OffsetHigh;
  HANDLE    hEvent;
} OVERLAPPED, *LPOVERLAPPED;

DO NOT REORDER

type ProcessEntry added in v0.4.2

type ProcessEntry struct {
	Name    string
	PID     uint32
	PPID    uint32
	Threads uint32
	// contains filtered or unexported fields
}

ProcessEntry is a basic struct passed to the user supplied function during a call to 'EnumProcesses'. This struct supplies basic Process information and can be used to gain more information about a Process.

func (ProcessEntry) Handle added in v0.4.2

func (p ProcessEntry) Handle(a uint32) (uintptr, error)

Handle is a convenience function that calls 'OpenProcess' on the Process with the supplied access mask and returns a Process handle that must be closed when you are done using it.

This function does NOT make handles inheritable.

Any errors that occur during the operation will be returned.

func (ProcessEntry) Info added in v0.4.2

func (p ProcessEntry) Info(a uint32, elevated, session bool) (bool, uint32, error)

Info will attempt to retrieve the Process session and Token elevation status and return it as a boolean (true if elevated) and a Session ID.

The access mask can be used to determine the open permissions for the Process and this function will automatically add the PROCESS_QUERY_INFORMATION mask. If no access testing is desired, a value of zero is accepted.

Boolean values for the elevation and session checks are passed as parameters to disable/enable checking of the value. If the value check is disabled (false) the return result will be the default value.

Any errors during checking will be returned.

To gain access to the underlying handle instead of opening a new one, use the 'InfoEx' function.

func (ProcessEntry) InfoEx added in v0.4.2

func (p ProcessEntry) InfoEx(a uint32, elevated, session, handle bool) (uintptr, bool, uint32, error)

InfoEx will attempt to retrieve the Process handle (optional), session and Token elevation status and return the handle, a boolean (true if elevated) and a Session ID.

The access mask can be used to determine the open permissions for the Process and this function will automatically add the PROCESS_QUERY_INFORMATION mask. If no access testing is desired, a value of zero is accepted. Unlike the non-Ex function 'Info', this function will return the still-open Process handle if the last Boolean value (handle) is true; the caller is responsible for closing it.

Boolean values for the elevation and session checks are passed as parameters to disable/enable checking of the value. If the value check is disabled (false) the return result will be the default value.

Any errors during checking will be returned.

func (ProcessEntry) User added in v0.4.2

func (p ProcessEntry) User() (string, error)

User attempts to retrieve a string version of the username that this Process is running under.

A string username and any errors during retrieval will be returned.

type ProcessInformation

type ProcessInformation struct {
	Process   uintptr
	Thread    uintptr
	ProcessID uint32
	ThreadID  uint32
}

ProcessInformation matches the PROCESS_INFORMATION struct

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-process_information

typedef struct _PROCESS_INFORMATION {
  HANDLE hProcess;
  HANDLE hThread;
  DWORD  dwProcessId;
  DWORD  dwThreadId;
} PROCESS_INFORMATION, *PPROCESS_INFORMATION, *LPPROCESS_INFORMATION;

DO NOT REORDER

type ProxyInfo

type ProxyInfo struct {
	AccessType  uint32
	Proxy       *uint16
	ProxyBypass *uint16
}

ProxyInfo matches the WINHTTP_PROXY_INFO struct

https://docs.microsoft.com/en-us/windows/win32/api/winhttp/ns-winhttp-winhttp_proxy_info

typedef struct _WINHTTP_PROXY_INFO {
  DWORD  dwAccessType;
  LPWSTR lpszProxy;
  LPWSTR lpszProxyBypass;
} WINHTTP_PROXY_INFO, *LPWINHTTP_PROXY_INFO, *PWINHTTP_PROXY_INFO;

DO NOT REORDER

type SID

type SID struct{}

SID matches the SID struct

https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-sid

func GetSystemSID

func GetSystemSID() (*SID, error)

GetSystemSID will attempt to determine the System SID value and return it.

func (*SID) IsWellKnown

func (s *SID) IsWellKnown(t uint32) bool

IsWellKnown returns true if this SID matches the supplied well-known SID type (WELL_KNOWN_SID_TYPE) index.

func (*SID) String

func (s *SID) String() string

String returns the string representation of this SID.

func (*SID) UserName added in v0.3.2

func (s *SID) UserName() (string, error)

UserName attempts to return a Domain\User string from the SID.
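Both the SID type here and Untrust above (which sets the Token's mandatory label to the Untrusted integrity SID, S-1-16-0) deal with the same binary structure: the self-relative SID that the Windows API expects behind every PSID. The following is an added example (not code from the winapi package) that converts between the "S-R-I-S..." string form that SID.String returns and the in-memory layout from winnt.h, and builds integrity-level SIDs. Names such as parseSID and integrityLevelSID are this example's own, it accepts decimal identifier authorities only (enough for every well-known authority), and the byte strings in main are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// sid holds the fields of the winnt SID structure in its self-relative layout:
// one revision byte, one sub-authority count byte, a 6-byte big-endian
// identifier authority, then count little-endian 32-bit sub-authorities.
type sid struct {
	Revision  uint8
	Authority uint64 // only the low 48 bits are representable
	SubAuth   []uint32
}

// parseSID converts the textual "S-1-5-21-..." form into its components.
// Authorities above 2^32-1 are written in hex in real SDDL; this helper
// accepts decimal only, which covers every well-known authority (1..16).
func parseSID(s string) (*sid, error) {
	parts := strings.Split(s, "-")
	if len(parts) < 3 || parts[0] != "S" {
		return nil, fmt.Errorf("not a SID string: %q", s)
	}
	rev, err := strconv.ParseUint(parts[1], 10, 8)
	if err != nil {
		return nil, err
	}
	auth, err := strconv.ParseUint(parts[2], 10, 48)
	if err != nil {
		return nil, err
	}
	out := &sid{Revision: uint8(rev), Authority: auth}
	for _, p := range parts[3:] {
		v, err := strconv.ParseUint(p, 10, 32)
		if err != nil {
			return nil, err
		}
		out.SubAuth = append(out.SubAuth, uint32(v))
	}
	if len(out.SubAuth) > 15 { // SID_MAX_SUB_AUTHORITIES
		return nil, fmt.Errorf("too many sub-authorities: %d", len(out.SubAuth))
	}
	return out, nil
}

// Bytes serializes the SID as the Windows API expects it in memory, for
// example behind the PSID in SID_AND_ATTRIBUTES or a TOKEN_MANDATORY_LABEL.
func (s *sid) Bytes() []byte {
	b := make([]byte, 8+4*len(s.SubAuth))
	b[0] = s.Revision
	b[1] = uint8(len(s.SubAuth))
	var auth [8]byte // identifier authority: 48 bits big-endian in bytes 2..7
	binary.BigEndian.PutUint64(auth[:], s.Authority)
	copy(b[2:8], auth[2:8])
	for i, v := range s.SubAuth {
		binary.LittleEndian.PutUint32(b[8+4*i:], v)
	}
	return b
}

// sidFromBytes is the inverse of Bytes. It validates the buffer length against
// SubAuthorityCount so a truncated SID is rejected instead of read past.
func sidFromBytes(b []byte) (*sid, error) {
	if len(b) < 8 {
		return nil, fmt.Errorf("SID buffer too short: %d bytes", len(b))
	}
	n := int(b[1])
	if n > 15 || len(b) < 8+4*n {
		return nil, fmt.Errorf("SID buffer of %d bytes does not fit %d sub-authorities", len(b), n)
	}
	var auth [8]byte
	copy(auth[2:8], b[2:8])
	out := &sid{Revision: b[0], Authority: binary.BigEndian.Uint64(auth[:])}
	for i := 0; i < n; i++ {
		out.SubAuth = append(out.SubAuth, binary.LittleEndian.Uint32(b[8+4*i:]))
	}
	return out, nil
}

// String renders the SID in the S-R-I-S... form.
func (s *sid) String() string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "S-%d-%d", s.Revision, s.Authority)
	for _, v := range s.SubAuth {
		fmt.Fprintf(&sb, "-%d", v)
	}
	return sb.String()
}

// integrityLevelSID builds a mandatory-label SID (authority 16). The RID is the
// level: Untrusted 0, Low 4096, Medium 8192, High 12288, System 16384.
func integrityLevelSID(rid uint32) *sid {
	return &sid{Revision: 1, Authority: 16, SubAuth: []uint32{rid}}
}

func main() {
	system, _ := parseSID("S-1-5-18") // LocalSystem, constructed input
	fmt.Printf("% x\n", system.Bytes())
	fmt.Println(integrityLevelSID(0)) // the label Untrust applies
}
```

The length check in sidFromBytes is the part worth copying: GetTokenUser and similar calls hand back a buffer, and trusting SubAuthorityCount without checking it against the buffer length is how an out-of-bounds read starts.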

type SIDAndAttributes

type SIDAndAttributes struct {
	Sid        *SID
	Attributes uint32
}

SIDAndAttributes matches the SID_AND_ATTRIBUTES struct

https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-sid_and_attributes

typedef struct _SID_AND_ATTRIBUTES {
  PSID  Sid;
  DWORD Attributes;
} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;

DO NOT REORDER

type SecurityAttributes

type SecurityAttributes struct {
	Length             uint32
	SecurityDescriptor *SecurityDescriptor
	InheritHandle      uint32
}

SecurityAttributes matches the SECURITY_ATTRIBUTES struct

https://docs.microsoft.com/en-us/windows/win32/api/wtypesbase/ns-wtypesbase-security_attributes

typedef struct _SECURITY_ATTRIBUTES {
  DWORD  nLength;
  LPVOID lpSecurityDescriptor;
  BOOL   bInheritHandle;
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;

DO NOT REORDER
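Each mirrored struct on this page carries "DO NOT REORDER" because the kernel reads and writes these bytes by offset, not by name. The following is an added example (not code from the winapi package) that checks the Go layout of the LUID, LUID_AND_ATTRIBUTES, OVERLAPPED, PROCESS_INFORMATION and SECURITY_ATTRIBUTES mirrors against the C ABI with unsafe.Sizeof and unsafe.Offsetof. The expectations are written in terms of the pointer width so the same check holds on 386, amd64 and arm64, and a deliberately reordered SECURITY_ATTRIBUTES shows why a size check alone is not sufficient. The lower-case type and function names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"unsafe"
)

// Go mirrors of the C structures. Field order and field types decide the
// layout the compiler produces, and that layout is what the kernel uses.
type luid struct {
	Low  uint32
	High int32
}
type luidAndAttributes struct {
	Luid       luid
	Attributes uint32
}
type overlapped struct {
	Internal, InternalHigh uintptr
	Offset, OffsetHigh     uint32
	Event                  uintptr
}
type processInformation struct {
	Process, Thread     uintptr
	ProcessID, ThreadID uint32
}
type securityAttributes struct {
	Length             uint32
	SecurityDescriptor unsafe.Pointer
	InheritHandle      uint32
}

// securityAttributesWrong has the same fields with the pointer moved last. On
// 32-bit targets it is still 12 bytes, so a size check alone passes; the
// offsets differ on every target, and the API would read lpSecurityDescriptor
// from the bytes that hold bInheritHandle.
type securityAttributesWrong struct {
	Length, InheritHandle uint32
	SecurityDescriptor    unsafe.Pointer
}

// layout is what gets compared: total size and the offset of every field.
type layout struct {
	Size    uintptr
	Offsets []uintptr
}

// expectedLayouts states the C ABI layout of each struct in terms of the
// pointer width ptr (4 on 386, 8 on amd64 and arm64).
func expectedLayouts(ptr uintptr) map[string]layout {
	return map[string]layout{
		"LUID":                {8, []uintptr{0, 4}},
		"LUID_AND_ATTRIBUTES": {12, []uintptr{0, 8}},
		"OVERLAPPED":          {3*ptr + 8, []uintptr{0, ptr, 2 * ptr, 2*ptr + 4, 3 * ptr}},
		"PROCESS_INFORMATION": {2*ptr + 8, []uintptr{0, ptr, 2 * ptr, 2*ptr + 4}},
		"SECURITY_ATTRIBUTES": {3 * ptr, []uintptr{0, ptr, 2 * ptr}},
	}
}

// actualLayouts asks the compiler what it produced for the Go mirrors.
func actualLayouts() map[string]layout {
	var l luid
	var la luidAndAttributes
	var o overlapped
	var p processInformation
	var s securityAttributes
	return map[string]layout{
		"LUID":                {unsafe.Sizeof(l), []uintptr{unsafe.Offsetof(l.Low), unsafe.Offsetof(l.High)}},
		"LUID_AND_ATTRIBUTES": {unsafe.Sizeof(la), []uintptr{unsafe.Offsetof(la.Luid), unsafe.Offsetof(la.Attributes)}},
		"OVERLAPPED": {unsafe.Sizeof(o), []uintptr{unsafe.Offsetof(o.Internal), unsafe.Offsetof(o.InternalHigh),
			unsafe.Offsetof(o.Offset), unsafe.Offsetof(o.OffsetHigh), unsafe.Offsetof(o.Event)}},
		"PROCESS_INFORMATION": {unsafe.Sizeof(p), []uintptr{unsafe.Offsetof(p.Process), unsafe.Offsetof(p.Thread),
			unsafe.Offsetof(p.ProcessID), unsafe.Offsetof(p.ThreadID)}},
		"SECURITY_ATTRIBUTES": {unsafe.Sizeof(s), []uintptr{unsafe.Offsetof(s.Length),
			unsafe.Offsetof(s.SecurityDescriptor), unsafe.Offsetof(s.InheritHandle)}},
	}
}

// wrongSecurityAttributesLayout reports the reordered struct in C field order.
func wrongSecurityAttributesLayout() layout {
	var s securityAttributesWrong
	return layout{unsafe.Sizeof(s), []uintptr{unsafe.Offsetof(s.Length),
		unsafe.Offsetof(s.SecurityDescriptor), unsafe.Offsetof(s.InheritHandle)}}
}

// checkLayouts returns, sorted, the names whose Go layout differs from the C
// ABI expectation in size, field count or any field offset.
func checkLayouts(actual, want map[string]layout) []string {
	var bad []string
	for name, w := range want {
		a, ok := actual[name]
		mismatch := !ok || a.Size != w.Size || len(a.Offsets) != len(w.Offsets)
		for i := 0; !mismatch && i < len(w.Offsets); i++ {
			mismatch = a.Offsets[i] != w.Offsets[i]
		}
		if mismatch {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	ptr := unsafe.Sizeof(uintptr(0))
	fmt.Println("mismatches:", checkLayouts(actualLayouts(), expectedLayouts(ptr)))
	broken := actualLayouts()
	broken["SECURITY_ATTRIBUTES"] = wrongSecurityAttributesLayout()
	fmt.Println("with reordered SECURITY_ATTRIBUTES:", checkLayouts(broken, expectedLayouts(ptr)))
}
```

A check like this belongs in a unit test that runs under GOARCH=386 as well as amd64: the 32-bit build is where pointer-sized fields stop padding the struct and most reordering mistakes become size-neutral.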

type SecurityDescriptor

type SecurityDescriptor struct {
	// contains filtered or unexported fields
}

SecurityDescriptor matches the SECURITY_DESCRIPTOR struct

https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-security_descriptor

typedef struct _SECURITY_DESCRIPTOR {
  BYTE                        Revision;
  BYTE                        Sbz1;
  SECURITY_DESCRIPTOR_CONTROL Control;
  PSID                        Owner;
  PSID                        Group;
  PACL                        Sacl;
  PACL                        Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;

DO NOT REORDER

func SecurityDescriptorFromString

func SecurityDescriptorFromString(s string) (*SecurityDescriptor, error)

SecurityDescriptorFromString converts an SDDL string describing a security descriptor into a self-relative security descriptor object allocated on the Go heap.
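The SDDL string handed to SecurityDescriptorFromString is usually the only place a named pipe or other kernel object gets its DACL, and a descriptor with no D: section yields a NULL DACL, which Windows treats as full access for everyone. The following is an added example (not code from the winapi package) that parses the D: section of an SDDL string into ACEs and flags allow entries granting write-class rights to Everyone, Anonymous or Authenticated Users. It handles the common two-letter rights and trustee aliases plus hex masks; conditional ACEs and the full alias table are out of scope, and the descriptor strings in main are constructed for illustration. The names parseDACL and broadWriteGrants are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ace is one access-control entry parsed from an SDDL DACL, whose textual
// form is (type;flags;rights;object_guid;inherit_object_guid;account_sid).
type ace struct {
	Type    string // "A" allow, "D" deny; other types are passed through
	Flags   string
	Rights  uint32
	Trustee string // SID string, with SDDL aliases expanded
}

// Rights abbreviations handled here: the subset that matters for an
// "is this writable" decision, not the full SDDL table.
var rightCodes = map[string]uint32{
	"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
	"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
	"RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}

// Trustee aliases seen most often on pipe and file DACLs.
var sidAliases = map[string]string{
	"WD": "S-1-1-0",      // Everyone
	"AN": "S-1-5-7",      // Anonymous logon
	"AU": "S-1-5-11",     // Authenticated Users
	"SY": "S-1-5-18",     // LocalSystem
	"BA": "S-1-5-32-544", // Builtin Administrators
	"BU": "S-1-5-32-545", // Builtin Users
}

// Any of these bits lets the trustee change the object or its permissions:
// GENERIC_ALL, GENERIC_WRITE, FILE_WRITE_DATA, FILE_APPEND_DATA, WRITE_DAC, WRITE_OWNER.
const writeMask = 0x10000000 | 0x40000000 | 0x2 | 0x4 | 0x00040000 | 0x00080000

// parseRights accepts a hex mask ("0x120116") or a run of two-letter codes ("GRGW").
func parseRights(s string) (uint32, error) {
	if strings.HasPrefix(strings.ToLower(s), "0x") {
		v, err := strconv.ParseUint(s[2:], 16, 32)
		return uint32(v), err
	}
	if len(s)%2 != 0 {
		return 0, fmt.Errorf("odd-length rights string %q", s)
	}
	var mask uint32
	for i := 0; i < len(s); i += 2 {
		v, ok := rightCodes[s[i:i+2]]
		if !ok {
			return 0, fmt.Errorf("unknown right %q", s[i:i+2])
		}
		mask |= v
	}
	return mask, nil
}

// parseDACL returns the ACEs of the D: section and whether the section was
// present at all. "Not present" means a NULL DACL (everyone has full access),
// so an empty result must never be read as "locked down".
func parseDACL(sddl string) ([]ace, bool, error) {
	i := strings.Index(sddl, "D:")
	if i < 0 {
		return nil, false, nil
	}
	rest := sddl[i+2:]
	for j := 0; j < len(rest); j++ { // the section ends at the next O:, G: or S: outside parentheses
		if rest[j] == '(' {
			k := strings.IndexByte(rest[j:], ')')
			if k < 0 {
				return nil, true, fmt.Errorf("unterminated ACE in %q", rest)
			}
			j += k
			continue
		}
		if j+1 < len(rest) && rest[j+1] == ':' && strings.ContainsRune("OGS", rune(rest[j])) {
			rest = rest[:j]
			break
		}
	}
	var aces []ace
	for _, body := range strings.Split(rest, "(")[1:] {
		f := strings.Split(strings.TrimSuffix(body, ")"), ";")
		if len(f) != 6 {
			return nil, true, fmt.Errorf("ACE %q does not have 6 fields", body)
		}
		rights, err := parseRights(f[2])
		if err != nil {
			return nil, true, err
		}
		trustee := f[5]
		if full, ok := sidAliases[trustee]; ok {
			trustee = full
		}
		aces = append(aces, ace{Type: f[0], Flags: f[1], Rights: rights, Trustee: trustee})
	}
	return aces, true, nil
}

// broadWriteGrants lists allow ACEs that give write-class rights to Everyone,
// Anonymous or Authenticated Users. Deny ACEs are not applied: precedence is
// decided by order and a real decision needs AccessCheck; this only flags
// entries that deserve a look before the descriptor ships.
func broadWriteGrants(aces []ace) []ace {
	broad := map[string]bool{"S-1-1-0": true, "S-1-5-7": true, "S-1-5-11": true}
	var out []ace
	for _, a := range aces {
		if a.Type == "A" && broad[a.Trustee] && a.Rights&writeMask != 0 {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	// Constructed descriptors: a pipe DACL open to Everyone next to a restricted one.
	for _, s := range []string{"D:(A;;GA;;;WD)", "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;AU)"} {
		aces, _, err := parseDACL(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-42s %d ACEs, %d broad write grants\n", s, len(aces), len(broadWriteGrants(aces)))
	}
}
```

The second descriptor in main is the usual shape for a local pipe: protected (P) so inherited entries cannot widen it, full control for SYSTEM and Administrators, and read-only for Authenticated Users; Anonymous and Everyone get nothing.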

type SecurityDescriptorControl

type SecurityDescriptorControl uint16

SecurityDescriptorControl matches the SECURITY_DESCRIPTOR_CONTROL bitflag.

https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-control

typedef WORD SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;

type SecurityQualityOfService added in v0.4.2

type SecurityQualityOfService struct {
	Length              uint32
	ImpersonationLevel  uint32
	ContextTrackingMode bool
	EffectiveOnly       bool
}

SecurityQualityOfService matches the SECURITY_QUALITY_OF_SERVICE struct

https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-security_quality_of_service

typedef struct _SECURITY_QUALITY_OF_SERVICE {
  DWORD                          Length;
  SECURITY_IMPERSONATION_LEVEL   ImpersonationLevel;
  SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode;
  BOOLEAN                        EffectiveOnly;
} SECURITY_QUALITY_OF_SERVICE, *PSECURITY_QUALITY_OF_SERVICE;

type ServiceStatus added in v0.2.1

type ServiceStatus struct {
	ServiceType             uint32
	CurrentState            uint32
	ControlsAccepted        uint32
	Win32ExitCode           uint32
	ServiceSpecificExitCode uint32
	CheckPoint              uint32
	WaitHint                uint32
}

ServiceStatus matches the SERVICE_STATUS struct

https://docs.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_status

typedef struct _SERVICE_STATUS {
 DWORD dwServiceType;
 DWORD dwCurrentState;
 DWORD dwControlsAccepted;
 DWORD dwWin32ExitCode;
 DWORD dwServiceSpecificExitCode;
 DWORD dwCheckPoint;
 DWORD dwWaitHint;
} SERVICE_STATUS, *LPSERVICE_STATUS;

type ServiceTableEntry added in v0.2.1

type ServiceTableEntry struct {
	Name *uint16
	Proc uintptr
}

ServiceTableEntry matches the SERVICE_TABLE_ENTRYW struct

https://docs.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_table_entryw

typedef struct _SERVICE_TABLE_ENTRYW {
 LPWSTR                   lpServiceName;
 LPSERVICE_MAIN_FUNCTIONW lpServiceProc;
} SERVICE_TABLE_ENTRYW, *LPSERVICE_TABLE_ENTRYW;

type Session added in v0.4.2

type Session struct {
	User      string
	Host      string
	Domain    string
	Login     int64
	LastInput int64
	ID        uint32
	From      [16]byte
	Remote    bool
	Status    uint8
	// contains filtered or unexported fields
}

Session is a struct that is used to indicate Windows Terminal Services (WTS) Login/Session data.

This struct is similar to 'device.Login' but contains more non-generic data.

func WTSGetSessions added in v0.4.2

func WTSGetSessions(server uintptr) ([]Session, error)

WTSGetSessions will attempt to retrieve a detailed list of all Sessions on the target server handle (use 0 for the current host or a handle from 'WTSOpenServer').

This function will return a 'Session' struct for each Session found or any errors that may occur during enumeration.

func WTSGetSessionsHost added in v0.4.2

func WTSGetSessionsHost(server string) ([]Session, error)

WTSGetSessionsHost will attempt to retrieve a detailed list of all Sessions on the target server name (use an empty string for the local host).

This function will return a 'Session' struct for each Session found or any errors that may occur during enumeration.

This function calls 'WTSOpenServer(server)' then enumerates the Sessions and closes the handle after. If you would like more control, use the 'WTSGetSessions' function which takes a server handle instead.

type SessionProcess added in v0.4.2

type SessionProcess struct {
	Name      string
	User      string
	SessionID uint32
	PID       uint32
	// contains filtered or unexported fields
}

SessionProcess is a struct that contains information about a Process retrieved via a 'WTSEnumerateProcesses' call.

func WTSEnumerateProcesses added in v0.4.2

func WTSEnumerateProcesses(server uintptr, sid int32) ([]SessionProcess, error)

WTSEnumerateProcesses Windows API Call

Retrieves information about the active processes on a specified Remote
Desktop Session Host (RD Session Host) server.

https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtsenumerateprocessesw

func (SessionProcess) MarshalStream added in v0.4.2

func (p SessionProcess) MarshalStream(w data.Writer) error

MarshalStream transforms this struct into a binary format and writes to the supplied data.Writer.

type SliceHeader added in v0.2.1

type SliceHeader struct {
	Data unsafe.Pointer
	Len  int
	Cap  int
}

SliceHeader is the runtime representation of a slice.

It cannot be used safely or portably and its representation may change in a later release. ^ Hey, shut up.

type StartupAttributes

type StartupAttributes struct {
	Count uint32
	// contains filtered or unexported fields
}

StartupAttributes matches the LPPROC_THREAD_ATTRIBUTE_LIST opaque struct

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-initializeprocthreadattributelist

There's not much documentation for this *shrug*

type StartupInfo

type StartupInfo struct {
	Cb uint32

	Desktop       *uint16
	Title         *uint16
	X             uint32
	Y             uint32
	XSize         uint32
	YSize         uint32
	XCountChars   uint32
	YCountChars   uint32
	FillAttribute uint32
	Flags         uint32
	ShowWindow    uint16

	StdInput  uintptr
	StdOutput uintptr
	StdErr    uintptr
	// contains filtered or unexported fields
}

StartupInfo matches the STARTUPINFOW struct

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfow

typedef struct _STARTUPINFOW {
  DWORD  cb;
  LPWSTR lpReserved;
  LPWSTR lpDesktop;
  LPWSTR lpTitle;
  DWORD  dwX;
  DWORD  dwY;
  DWORD  dwXSize;
  DWORD  dwYSize;
  DWORD  dwXCountChars;
  DWORD  dwYCountChars;
  DWORD  dwFillAttribute;
  DWORD  dwFlags;
  WORD   wShowWindow;
  WORD   cbReserved2;
  LPBYTE lpReserved2;
  HANDLE hStdInput;
  HANDLE hStdOutput;
  HANDLE hStdError;
} STARTUPINFOW, *LPSTARTUPINFOW;

DO NOT REORDER

type StartupInfoEx

type StartupInfoEx struct {
	StartupInfo   StartupInfo
	AttributeList *StartupAttributes
}

StartupInfoEx matches the STARTUPINFOEXW struct

https://docs.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-startupinfoexw

typedef struct _STARTUPINFOEXW {
  STARTUPINFOW                 StartupInfo;
  LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
} STARTUPINFOEXW, *LPSTARTUPINFOEXW;

DO NOT REORDER

type ThreadEntry added in v0.4.2

type ThreadEntry struct {
	TID uint32
	PID uint32
	// contains filtered or unexported fields
}

ThreadEntry is a basic struct passed to the user supplied function during a call to 'EnumThreads'. This struct supplies basic Thread information and can be used to gain more information about a Thread.

func (ThreadEntry) Handle added in v0.4.2

func (t ThreadEntry) Handle(a uint32) (uintptr, error)

Handle is a convenience function that calls 'OpenThread' on the Thread with the supplied access mask and returns a Thread handle that must be closed when you are done using it.

This function does NOT make handles inheritable.

Any errors that occur during the operation will be returned.

func (ThreadEntry) IsSuspended added in v0.4.2

func (t ThreadEntry) IsSuspended() (bool, error)

IsSuspended will attempt to determine if this Thread is suspended. If the state information was supplied during discovery, it is returned immediately; otherwise a Suspend/Resume cycle is done to read the Thread suspension count, which requires THREAD_SUSPEND_RESUME access on the Thread and briefly pauses it.

The return result will be true if the Thread is currently suspended, along with any errors that may have occurred.

type TokenUser

type TokenUser struct {
	User SIDAndAttributes
}

TokenUser matches the TOKEN_USER struct.

https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_user

typedef struct _TOKEN_USER {
  SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER

DO NOT REORDER

func GetTokenUser

func GetTokenUser(h uintptr) (*TokenUser, error)

GetTokenUser retrieves access token user account information and SID.

type Window added in v0.3.0

type Window struct {
	Name          string
	Flags         uint8
	Handle        uintptr
	X, Y          int32
	Width, Height int32
	// contains filtered or unexported fields
}

Window is a struct that represents a Windows Window. The handles are the same for the duration of the Window's existence.

func TopLevelWindows added in v0.3.0

func TopLevelWindows() ([]Window, error)

TopLevelWindows returns a list of the current (non-dialog) Windows as a slice with their Name, Handle, Size and Position.

The handles may be used for multiple functions and are valid until the window is closed.

func (Window) IsMaximized added in v0.3.2

func (i Window) IsMaximized() bool

IsMaximized returns true if the Window state was maximized at the time of discovery.

func (Window) IsMinimized added in v0.3.2

func (i Window) IsMinimized() bool

IsMinimized returns true if the Window state was minimized at the time of discovery.

func (Window) MarshalStream added in v0.3.0

func (i Window) MarshalStream(w data.Writer) error

MarshalStream transforms this struct into a binary format and writes to the supplied data.Writer.

Notes

Bugs

  • For some reason adding this flag causes the function to return "invalid parameter", even though this IS THE ACCEPTED thing to do???!

    flags |= 0x80000

  • I'm not sure if this is broken or this is how it's handled. I'm getting error 5.

    Pipe insights:

    https://papers.vx-underground.org/papers/Windows/System%20Components%20and%20Abuse/Offensive%20Windows%20IPC%20Internals%201%20Named%20Pipes.pdf

Directories

Path Synopsis
registry  Package registry contains code to handle common Windows registry operations.
svc       Package svc is a Windows specific Service interface.
