README
¶
dllinquent
- Search running process for a given dll/function.
- Exposes a bufio.Scanner-like interface for walking a process' PEB
Examples
Walker
walker, _ := NewPebWalker(pid)
for walker.Walk() {
dll := walker.Dll()
if strings.HasSuffix(dll.DllFullName, "amsi.dll") {
hFunc, _ = windows.GetProcAddress(
windows.Handle(dll.DllBaseAddr),
"AmsiScanBuffer",
)
funcOffset = uint64(dll.FuncAddress) - dll.DllBaseAddr
fmt.Printf("AmsiScanBuffer offset: %v", funcOffset)
}
if walker.Err() == io.EOF {
fmt.Println("amsi not loaded")
}
}
err = walker.Err()
return
Finding Dlls/Functions
// dllinquent.FindInSelf("amsi.dll", "AmsiScanBuffer") (Dll, err)
// dllinquent.FindInProcess(123, "amsi.dll", "AmsiScanBuffer") (Dll, err)
// dllinquent.FindInProcesses("amsi.dll", "AmsiScanBuffer") (map[Process]Dll, err)
func HasAmsi() (hasAmsi bool, dll Dll, err error) {
dll, err = dllinquent.FindInSelf("amsi.dll", "AmsiScanBuffer")
if err != nil {
return
}
if dll != (dllinquent.Dll{}) {
hasAmsi = true
}
return
}
Documentation
¶
Overview ¶
Package dllinquent provides the ability to search through loaded modules and functions withing a process' PEB
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FindInProcesses ¶ added in v0.1.0
func FindInProcesses(dllName, funcionName string) (funcAddrs map[memutils.WindowsProcess]Dll, err error)
FindInProcesses will enumerate all current process, searching for provided function and returns a map of Process structs as keys and Dll structs as keys
Types ¶
type Dll ¶ added in v0.1.0
type Dll struct {
DllFullName string
DllBaseName string
DllBaseAddr uint64
FuncName string
FuncAddress uintptr
FuncOffset uint64
LdrDataTableEntry LdrDataTableEntry64
}
Dll serves as a representation of the currently iterated module in a PebWalker. It exposes the raw LdrDataTableEntry should the user wish to access additional information.
func FindInProcess ¶
FindInProcess will walk the PEB of a given process and search for the provided dll name and function. Dll names must end with '.dll' and functionName is case-sensitive
func FindInSelf ¶
FindInSelf delegates to FindInProcess, passing its own PID
type LdrDataTableEntry64 ¶ added in v0.1.0
type LdrDataTableEntry64 struct {
InOrderLinks windows.LIST_ENTRY
InMemoryOrderLinks windows.LIST_ENTRY
InInitializationOrderLinks windows.LIST_ENTRY
DllBase uint64
EntryPoint uint64
SizeOfImage uint64
FullDllName windows.NTUnicodeString
BaseDllName windows.NTUnicodeString
Flags uint32
LoadCount uint16
TlsIndex uint16
HashLinks [16]byte
}
LdrDataTableEntry64 is an expanded version of windows.LdrDataTableEntry (contains additional undocumented structures)
type PebWalker ¶ added in v0.1.0
type PebWalker struct {
// PEB holds the PEB for the process provided to NewPebWalker
PEB windows.PEB
// Handle holds the Handle to the process provided to NewPebWalker
Handle windows.Handle
// contains filtered or unexported fields
}
PebWalker create a bufio.Scanner-like interface for walking loaded modules in a process' PEB
func NewPebWalker ¶ added in v0.1.0
NewPebWalker creates a new PebWalker from the provided PID
func (PebWalker) Dll ¶ added in v0.1.0
Dll return a repreesentation of the currently iterated module
Source Files