bananaphone

package
v0.0.0-...-8d373c3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 6, 2021 License: MIT Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var HookCheck = []byte{0x4c, 0x8b, 0xd1, 0xb8}

HookCheck is the bytes expected to be seen at the start of the function: 

mov r10, rcx ;(4c 8b d1)
mov eax, sysid ;(b8 sysid)

Functions

func GetModuleLoadedOrder 

func GetModuleLoadedOrder(i int) (start uintptr, size uintptr, modulepath string)

GetModuleLoadedOrder returns the start address of module located at i in the load order. This might be useful if there is a function you need that isn't in ntdll, or if some rude individual has loaded themselves before ntdll.

func GetNtdllStart 

func GetNtdllStart() (start uintptr, size uintptr)

GetNtdllStart returns the start address of ntdll in memory

func GetPEB 

func GetPEB() uintptr

GetPEB returns the in-memory address of the start of PEB while making no api calls

func GetSysIDFromDisk 

func GetSysIDFromDisk(funcname string) (uint16, error)

GetSysIDFromDisk takes the exported syscall name and gets the ID it refers to. This function will access the ntdll file _on disk_, and relevant events/logs will be generated for those actions.

func GetSysIDFromDiskOrd 

func GetSysIDFromDiskOrd(ordinal uint32) (uint16, error)

GetSysIDFromDiskOrd takes the exported ordinal and gets the ID it refers to. This function will access the ntdll file _on disk_, and relevant events/logs will be generated for those actions.

func GetSysIDFromMemory 

func GetSysIDFromMemory(funcname string) (uint16, error)

GetSysIDFromMemory takes the exported syscall name or ordinal and gets the ID it refers to (try not to supply both, it might not work how you expect). This function will not use a clean version of the dll, if AV has hooked the in-memory ntdll module, the results of this call may be bad.

func InMemLoads 

func InMemLoads() (map[string]Image, error)

InMemLoads returns a map of loaded dll paths to current process offsets (aka images) in the current process. No syscalls are made.

func Syscall 

func Syscall(callid uint16, argh ...uintptr) (errcode uint32, err error)

Syscall calls the system function specified by callid with n arguments. Works much the same as syscall.Syscall - return value is the call error code and optional error text. All args are uintptrs to make it easy.

func WriteMemory 

func WriteMemory(inbuf []byte, destination uintptr)

WriteMemory writes the provided memory to the specified memory address. Does **not** check permissions, may cause panic if memory is not writable etc.

Types

type BananaPhone 

type BananaPhone struct {
	// contains filtered or unexported fields
}

BananaPhone will resolve SysID's used for syscalls while making minimal API calls. These ID's can be used for functions like NtAllocateVirtualMemory as defined in functions.go.

func NewBananaPhone 

func NewBananaPhone(t PhoneMode) (*BananaPhone, error)

NewBananaPhone creates a new instance of a bananaphone with behaviour as defined by the input value. Use AutoBananaPhoneMode if you're not sure.

Possible values:

  • MemoryBananaPhoneMode
  • DiskBananaPhoneMode
  • AutoBananaPhoneMode

func NewBananaPhoneNamed 

func NewBananaPhoneNamed(t PhoneMode, name, diskpath string) (*BananaPhone, error)

NewBananaPhoneNamed creates a new instance of a bananaphone with behaviour as defined by the input value, specifying the module provided. Use AutoBananaPhoneMode if you're not sure which mode and specify the path. Path only used for disk/auto modes.

Possible values:

  • MemoryBananaPhoneMode
  • DiskBananaPhoneMode
  • AutoBananaPhoneMode

func NewSystemBananaPhoneNamed 

func NewSystemBananaPhoneNamed(t PhoneMode, name, diskpath string) *BananaPhone

NewSystemBananaPhoneNamed is literally just an un-error handled passthrough for NewBananaPhoneNamed to easily work with mkwinsyscall. The ptr might be nil, who knows! lol! yolo!

func (*BananaPhone) GetFuncPtr 

func (b *BananaPhone) GetFuncPtr(funcname string) (uint64, error)

GetFuncPtr returns a pointer to the function (Virtual Address)

func (*BananaPhone) GetSysID 

func (b *BananaPhone) GetSysID(funcname string) (uint16, error)

GetSysID resolves the provided function name into a sysid.

func (*BananaPhone) GetSysIDOrd 

func (b *BananaPhone) GetSysIDOrd(ordinal uint32) (uint16, error)

GetSysIDOrd resolves the provided ordinal into a sysid.

func (*BananaPhone) GetSysIDfromhash 

func (b *BananaPhone) GetSysIDfromhash(funcnamehash string, hash func(string) string) (uint16, error)

GetSysIDfromhash resolves the provided function name into a sysid.

func (*BananaPhone) NewProc 

func (b *BananaPhone) NewProc(funcname string) BananaProcedure

NewProc emulates the windows NewProc call :-)

type BananaProcedure 

type BananaProcedure struct {
	// contains filtered or unexported fields
}

BananaProc emulates the windows proc thing

func (BananaProcedure) Addr 

func (b BananaProcedure) Addr() uintptr

Addr returns the address of this procedure

type Image 

type Image struct {
	BaseAddr uint64
	Size     uint64
}

Image contains info about a loaded image. Literally just a Base Addr and a Size - it should allow someone with a handy PE parser to pull the image out of memory...

type LdrDataTableEntry 

type LdrDataTableEntry struct {
	InLoadOrderLinks           ListEntry
	InMemoryOrderLinks         ListEntry
	InInitializationOrderLinks ListEntry
	DllBase                    *uintptr
	EntryPoint                 *uintptr
	SizeOfImage                *uintptr
	FullDllName                stupidstring
	BaseDllName                stupidstring
	Flags                      uint32
	LoadCount                  uint16
	TlsIndex                   uint16
	HashLinks                  ListEntry
	TimeDateStamp              uint64
}

func GetModuleLoadedOrderPtr 

func GetModuleLoadedOrderPtr(i int) *LdrDataTableEntry

GetModuleLoadedOrderPtr returns a pointer to the ldr data table entry in full, incase there is something interesting in there you want to see.

type ListEntry 

type ListEntry struct {
	Flink *ListEntry
	Blink *ListEntry
}

type MayBeHookedError 

type MayBeHookedError struct {
	Foundbytes []byte
}

MayBeHookedError an error returned when trying to extract the sysid from a resolved function. Contains the bytes that were actually found (incase it's useful to someone?)

func (MayBeHookedError) Error 

func (e MayBeHookedError) Error() string

type PhoneMode 

type PhoneMode int

PhoneMode determines the way a bananaphone will resolve sysids 

const (
	//MemoryBananaPhoneMode will resolve by finding the PEB in-memory, and enumerating the loaded ntdll.dll to resolve exports and determine the sysid.
	MemoryBananaPhoneMode PhoneMode = iota
	//DiskBananaPhoneMode will resolve by loading ntdll.dll from disk, and enumerating to resolve exports and determine the sysid.
	DiskBananaPhoneMode
	//AutoBananaPhoneMode will resolve by first trying to resolve in-memory, and then falling back to loading from disk if in-memory fails (eg, if it's hooked and the sysid's have been moved).
	AutoBananaPhoneMode
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.