xwindows

package module
v0.0.0-...-44834cf
Published: Mar 1, 2024 License: MIT Imports: 3 Imported by: 0

README

xwindows

Go interface to DLL functions

Based on golang.org/x/sys/windows

Note

Please do not consider this code, particularly the autogenerated code, as stable. Identifier names may still be subject to change.

Description

This package makes selected DLL functions directly available in Go programs. At the moment, types and functions for accessing kernel objects and the Registry are included. The goal is to eventually cover all available functions.

What’s Changed

2024.03.01
  1. Fixed bugs in several functions
  2. Added documentation
  3. Added several undocumented functions
2024.02.26

A library derived from the variant project

  1. Based on golang.org/x/sys/windows
  2. Uses syscall.SyscallN() for syscall invocation and adds most of the functions used by Go loaders
  3. Contains all functions of the variant project and is updated in sync with it

Usage

xwindows.EnumPageFilesW()

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AllocADsMem

func AllocADsMem(cb uintptr) (value uintptr, err error)

AllocADsMem allocates a block of memory of the specified size.

LPVOID AllocADsMem(
  [in] DWORD cb
);

Return value: Type LPVOID. If successful, the function returns a non-NULL pointer to the allocated memory. When this memory is no longer needed, the caller must free it by passing the returned pointer to FreeADsMem. If unsuccessful, it returns NULL. Call ADsGetLastError to obtain extended error status. For more information about error code values, see ADSI Error Codes.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/adshlp/nf-adshlp-allocadsmem

func CloseHandle

func CloseHandle(handle windows.Handle) (err error)

CloseHandle closes an open object handle.

BOOL CloseHandle(
  [in] HANDLE hObject
);

If the function succeeds, the return value is nonzero. If the function fails, the return value is zero.

Link: https://learn.microsoft.com/zh-CN/windows/win32/api/handleapi/nf-handleapi-closehandle

func ConvertThreadToFiber

func ConvertThreadToFiber(lpParameter uintptr) (value uintptr, err error)

ConvertThreadToFiber Converts the current thread into a fiber. You must convert a thread into a fiber before you can schedule other fibers.

LPVOID ConvertThreadToFiber(
  [in, optional] LPVOID lpParameter
);

If the function succeeds, the return value is the address of the fiber.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-convertthreadtofiber

func CreateFiber

func CreateFiber(dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr) (value uintptr, err error)

CreateFiber Allocates a fiber object, assigns it a stack, and sets up execution to begin at the specified start address, typically the fiber function. This function does not schedule the fiber.

LPVOID CreateFiber(
  [in]           SIZE_T                dwStackSize,
  [in]           LPFIBER_START_ROUTINE lpStartAddress,
  [in, optional] LPVOID                lpParameter
);

If the function succeeds, the return value is the address of the fiber.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-createfiber

func CreateRemoteThread

func CreateRemoteThread(hProcess windows.Handle, lpThreadAttributes uintptr, dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr, dwCreationFlags uintptr, lpThreadId uintptr) (value uintptr, err error)

CreateRemoteThread creates a thread that runs in the virtual address space of another process. Use the CreateRemoteThreadEx function to create a thread that runs in the virtual address space of another process and optionally specify extended attributes.

HANDLE CreateRemoteThread(
  [in]  HANDLE                 hProcess,
  [in]  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
  [in]  SIZE_T                 dwStackSize,
  [in]  LPTHREAD_START_ROUTINE lpStartAddress,
  [in]  LPVOID                 lpParameter,
  [in]  DWORD                  dwCreationFlags,
  [out] LPDWORD                lpThreadId
);

If the function succeeds, the return value is a handle to the new thread. If the function fails, the return value is NULL.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread

func CreateRemoteThreadEx

func CreateRemoteThreadEx(hProcess windows.Handle, lpThreadAttributes uintptr, dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr, dwCreationFlags uint32, lpAttributeList uintptr, lpThreadId uintptr) (handle windows.Handle, err error)

CreateRemoteThreadEx creates a thread that runs in the virtual address space of another process and optionally specifies extended attributes such as processor group affinity.

HANDLE CreateRemoteThreadEx(
  [in]            HANDLE                       hProcess,
  [in, optional]  LPSECURITY_ATTRIBUTES        lpThreadAttributes,
  [in]            SIZE_T                       dwStackSize,
  [in]            LPTHREAD_START_ROUTINE       lpStartAddress,
  [in, optional]  LPVOID                       lpParameter,
  [in]            DWORD                        dwCreationFlags,
  [in, optional]  LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList,
  [out, optional] LPDWORD                      lpThreadId
);

If the function succeeds, the return value is a handle to the new thread. If the function fails, the return value is NULL.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

func CreateThread

func CreateThread(lpThreadAttributes uintptr, dwStackSize uintptr, lpStartAddress uintptr, lpParameter uintptr, dwCreationFlags uintptr, lpThreadId uintptr) (handle windows.Handle, err error)

CreateThread creates a thread to execute within the virtual address space of the calling process. To create a thread that runs in the virtual address space of another process, use the CreateRemoteThread function.

HANDLE CreateThread(
  [in, optional]  LPSECURITY_ATTRIBUTES   lpThreadAttributes,
  [in]            SIZE_T                  dwStackSize,
  [in]            LPTHREAD_START_ROUTINE  lpStartAddress,
  [in, optional]  __drv_aliasesMem LPVOID lpParameter,
  [in]            DWORD                   dwCreationFlags,
  [out, optional] LPDWORD                 lpThreadId
);

If the function succeeds, the return value is a handle to the new thread. If the function fails, the return value is NULL.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread

func CreateToolhelp32Snapshot

func CreateToolhelp32Snapshot(flags uint32, processId uint32) (handle windows.Handle, err error)

CreateToolhelp32Snapshot takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.

HANDLE CreateToolhelp32Snapshot(
  [in] DWORD dwFlags,
  [in] DWORD th32ProcessID
);

If the function succeeds, it returns an open handle to the specified snapshot. If the function fails, it returns INVALID_HANDLE_VALUE.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot

func EnumPageFilesW

func EnumPageFilesW(pCallBackRoutine uintptr, pContext uintptr) (value uintptr, err error)

EnumPageFilesW calls the callback routine for each installed pagefile in the system.

BOOL EnumPageFilesW(
  [out] PENUM_PAGE_FILE_CALLBACKW pCallBackRoutine,
  [in]  LPVOID                    pContext
);

Return value: If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/psapi/nf-psapi-enumpagefilesw

func EnumSystemLocalesA

func EnumSystemLocalesA(lpLocaleEnumProc uintptr, dwFlags uint32) (value uintptr, err error)

EnumSystemLocalesA enumerates the locales that are either installed on or supported by the operating system.

BOOL EnumSystemLocalesA(
  [in] LOCALE_ENUMPROCA lpLocaleEnumProc,
  [in] DWORD            dwFlags
);

Returns a nonzero value if successful, or 0 otherwise. To get extended error information, the application can call GetLastError, which can return one of the following error codes:
ERROR_BADDB: The function could not access the data. This situation should not normally occur, and typically indicates a bad installation, a disk problem, or the like.
ERROR_INVALID_FLAGS: The values supplied for flags were not valid.
ERROR_INVALID_PARAMETER: Any of the parameter values was invalid.

Link: https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-enumsystemlocalesa

func EnumSystemLocalesEx

func EnumSystemLocalesEx(lpLocaleEnumProcEx uintptr, dwFlags uint32, lParam uintptr, lpReserved uintptr) (value uintptr, err error)

EnumSystemLocalesEx enumerates the locales that are either installed on or supported by the operating system. Note: if designed to run only on Windows Vista and later, applications should call this function in preference to EnumSystemLocales.

BOOL EnumSystemLocalesEx(
  [in]           LOCALE_ENUMPROCEX lpLocaleEnumProcEx,
  [in]           DWORD             dwFlags,
  [in]           LPARAM            lParam,
  [in, optional] LPVOID            lpReserved
);

Returns a nonzero value if successful, or 0 otherwise. To get extended error information, the application can call GetLastError, which can return one of the following error codes:

ERROR_BADDB: The function could not access the data. This situation should not normally occur, and typically indicates a bad installation, a disk problem, or the like.
ERROR_INVALID_FLAGS: The values supplied for flags were not valid.
ERROR_INVALID_PARAMETER: Any of the parameter values was invalid.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winnls/nf-winnls-enumsystemlocalesex

func EnumSystemLocalesW

func EnumSystemLocalesW(lpLocaleEnumProc uintptr, dwFlags uint32) (value uintptr, err error)

EnumSystemLocalesW enumerates the locales that are either installed on or supported by the operating system.

BOOL EnumSystemLocalesW(
  [in] LOCALE_ENUMPROCW lpLocaleEnumProc,
  [in] DWORD            dwFlags
);

Returns a nonzero value if successful, or 0 otherwise. To get extended error information, the application can call GetLastError, which can return one of the following error codes:
ERROR_BADDB: The function could not access the data. This situation should not normally occur, and typically indicates a bad installation, a disk problem, or the like.
ERROR_INVALID_FLAGS: The values supplied for flags were not valid.
ERROR_INVALID_PARAMETER: Any of the parameter values was invalid.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winnls/nf-winnls-enumsystemlocalesw

func EnumerateLoadedModules

func EnumerateLoadedModules(hProcess windows.Handle, enumLoadedModulesCallback uintptr, userContext uintptr) (value uintptr, err error)

EnumerateLoadedModules enumerates the loaded modules of the specified process.

BOOL IMAGEAPI EnumerateLoadedModules(
  [in]           HANDLE                       hProcess,
  [in]           PENUMLOADED_MODULES_CALLBACK EnumLoadedModulesCallback,
  [in, optional] PVOID                        UserContext
);

Return value: If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/dbghelp/nf-dbghelp-enumerateloadedmodules

func EtwEventWrite

func EtwEventWrite(regHandle windows.Handle, eventDescriptor uintptr, userDataCount uint32, userData uintptr) (value uintptr, err error)

The EtwEventWrite function and the structures it returns are internal to the operating system and may change from one version of Windows to another. Writes a basic event to a session.

ULONG EVNTAPI EtwEventWrite(
  __in REGHANDLE RegHandle,
  __in PCEVENT_DESCRIPTOR EventDescriptor,
  __in ULONG UserDataCount,
  __in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
);

Return value: a Win32 error code.

Link: https://learn.microsoft.com/zh-cn/windows/win32/devnotes/etweventwrite

func EtwEventWriteEx

func EtwEventWriteEx(regHandle windows.Handle, eventDescriptor uintptr, filter uint64, flags uint32, activityId uintptr, relatedActivityId uintptr, userDataCount uintptr, userData uintptr) (value uintptr, err error)

EtwEventWriteEx

ULONG EtwEventWriteEx(
  REGHANDLE RegHandle,
  EVENT_DESCRIPTOR const *EventDescriptor,
  ULONG64 Filter,
  ULONG Flags,
  GUID const *ActivityId,
  GUID const *RelatedActivityId,
  ULONG UserDataCount,
  EVENT_DATA_DESCRIPTOR *UserData
);

The function returns zero for success, else a Win32 error code.

Link: https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/evntapi/writeex.htm

func EtwEventWriteFull

func EtwEventWriteFull(regHandle windows.Handle, eventDescriptor uintptr, eventProperty uintptr, activityId uintptr, relatedActivityId uintptr, userDataCount uint32, userData uintptr) (value uintptr, err error)

The EtwEventWriteFull function and the structures it returns are internal to the operating system and may change from one version of Windows to another. Writes a full event to a session.

ULONG EVNTAPI EtwEventWriteFull(
  __in REGHANDLE RegHandle,
  __in PCEVENT_DESCRIPTOR EventDescriptor,
  __in USHORT EventProperty,
  __in_opt LPCGUID ActivityId,
  __in_opt LPCGUID RelatedActivityId,
  __in ULONG UserDataCount,
  __in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
);

Return value: a Win32 error code.

Link: https://learn.microsoft.com/zh-cn/windows/win32/devnotes/etweventwritefull

func EtwEventWriteString

func EtwEventWriteString(regHandle windows.Handle, level byte, keyword uint64, str *uint16) (value uintptr, err error)

EtwEventWriteString is forwarded from EventWriteString. TODO: Need documentation, not sure function is correct.

NTSYSAPI ULONG NTAPI EtwEventWriteString(
  _In_ REGHANDLE RegHandle,
  _In_ UCHAR Level,
  _In_ ULONGLONG Keyword,
  _In_ PCWSTR String
);

func EtwEventWriteTransfer

func EtwEventWriteTransfer(regHandle windows.Handle, eventDescriptor *EVENT_DESCRIPTOR, activityId, relatedActivityId *GUID, userDataCount uint32, userData []*EVENT_DATA_DESCRIPTOR) (value uintptr, err error)

EtwEventWriteTransfer TODO: Need documentation, not sure function is correct.

ULONG EtwEventWriteTransfer(
  REGHANDLE RegHandle,
  EVENT_DESCRIPTOR const *EventDescriptor,
  GUID const *ActivityId,
  GUID const *RelatedActivityId,
  ULONG UserDataCount,
  EVENT_DATA_DESCRIPTOR *UserData
);

The function returns zero for success, else a Win32 error code.

func EtwpCreateEtwThread

func EtwpCreateEtwThread(lpStartAddress uintptr, lpParameter uintptr) (value uintptr, err error)

EtwpCreateEtwThread

static extern IntPtr EtwpCreateEtwThread(
  IntPtr lpStartAddress,
  IntPtr lpParameter
);

Link: https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3

func FreeADsMem

func FreeADsMem(pMem uintptr) (value uintptr, err error)

FreeADsMem frees memory allocated by AllocADsMem or ReallocADsMem.

BOOL FreeADsMem(
  [in] LPVOID pMem
);

Return value: Type BOOL. If successful, the function returns TRUE; otherwise it returns FALSE.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/adshlp/nf-adshlp-freeadsmem

func GetCurrentProcess

func GetCurrentProcess() (handle windows.Handle, err error)

GetCurrentProcess retrieves a pseudo handle for the current process.

HANDLE GetCurrentProcess();

The return value is a pseudo handle to the current process.

Link: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentprocess

func GetCurrentThread

func GetCurrentThread() (handle windows.Handle, err error)

GetCurrentThread Retrieves a pseudo handle for the calling thread.

HANDLE GetCurrentThread();

The return value is a pseudo handle for the current thread.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentthread

func GetPhysicallyInstalledSystemMemory

func GetPhysicallyInstalledSystemMemory(totalMemoryInKilobytes uintptr) (value uintptr, err error)

GetPhysicallyInstalledSystemMemory retrieves the amount of RAM that is physically installed on the computer.

BOOL GetPhysicallyInstalledSystemMemory(
  [out] PULONGLONG TotalMemoryInKilobytes
);

If the function succeeds, it returns TRUE and sets the TotalMemoryInKilobytes parameter to a nonzero value. If the function fails, it returns FALSE and does not modify the TotalMemoryInKilobytes parameter.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/sysinfoapi/nf-sysinfoapi-getphysicallyinstalledsystemmemory

func GetTickCount

func GetTickCount() (value uintptr, err error)

GetTickCount retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days.

DWORD GetTickCount();

The return value is the number of milliseconds that have elapsed since the system was started.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount

func HeapAlloc

func HeapAlloc(hHeap windows.Handle, dwFlags uint32, dwBytes uintptr) (value uintptr, err error)

HeapAlloc allocates a block of memory from a heap. The allocated memory is not movable.

DECLSPEC_ALLOCATOR LPVOID HeapAlloc(
  [in] HANDLE hHeap,
  [in] DWORD  dwFlags,
  [in] SIZE_T dwBytes
);

If the function succeeds, the return value is a pointer to the allocated memory block. If the function fails and you have not specified HEAP_GENERATE_EXCEPTIONS, the return value is NULL. If the function fails and you have specified HEAP_GENERATE_EXCEPTIONS, the function may generate either of the listed exceptions: STATUS_NO_MEMORY, STATUS_ACCESS_VIOLATION.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/heapapi/nf-heapapi-heapalloc

func HeapCreate

func HeapCreate(flOptions uint32, dwInitialSize uintptr, dwMaximumSize uintptr) (value uintptr, err error)

HeapCreate creates a private heap object that can be used by the calling process. The function reserves space in the virtual address space of the process and allocates physical storage for a specified initial portion of this block.

HANDLE HeapCreate(
  [in] DWORD  flOptions,
  [in] SIZE_T dwInitialSize,
  [in] SIZE_T dwMaximumSize
);

If the function succeeds, the return value is a handle to the newly created heap. If the function fails, the return value is NULL.

Link: https://learn.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapcreate

func I_QueryTagInformation

func I_QueryTagInformation(pszMachineName uintptr, eInfoLevel uintptr, pTagInfo uintptr) (value uintptr, err error)

I_QueryTagInformation

_Must_inspect_result_ DWORD WINAPI I_QueryTagInformation(
  _In_opt_ LPCWSTR        pszMachineName,
  _In_     TAG_INFO_LEVEL eInfoLevel,
  _Inout_  PVOID          pTagInfo
);

func NtAllocateVirtualMemory

func NtAllocateVirtualMemory(processHandle windows.Handle, baseAddress *byte, zeroBits uintptr, regionSize uintptr, allocationType uintptr, protect uintptr) (value uintptr, err error)

NtAllocateVirtualMemory reserves and/or commits a region of pages within the user-mode virtual address space of a specified process.

__kernel_entry NTSYSCALLAPI NTSTATUS NtAllocateVirtualMemory(
  [in]      HANDLE    ProcessHandle,
  [in, out] PVOID     *BaseAddress,
  [in]      ULONG_PTR ZeroBits,
  [in, out] PSIZE_T   RegionSize,
  [in]      ULONG     AllocationType,
  [in]      ULONG     Protect
);

NtAllocateVirtualMemory returns either STATUS_SUCCESS or an error status code.

Link: https://learn.microsoft.com/zh-cn/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntallocatevirtualmemory

func NtCreateSection

func NtCreateSection(sectionHandle *windows.Handle, desiredAccess uint32, objectAttributes *OBJECT_ATTRIBUTES, maximumSize *int64, sectionPageProtection uint32, allocationAttributes uint32, fileHandle windows.Handle) (err error)

The NtCreateSection routine creates a section object.

__kernel_entry NTSYSCALLAPI NTSTATUS NtCreateSection(
  [out]          PHANDLE            SectionHandle,
  [in]           ACCESS_MASK        DesiredAccess,
  [in, optional] POBJECT_ATTRIBUTES ObjectAttributes,
  [in, optional] PLARGE_INTEGER     MaximumSize,
  [in]           ULONG              SectionPageProtection,
  [in]           ULONG              AllocationAttributes,
  [in, optional] HANDLE             FileHandle
);

NtCreateSection returns STATUS_SUCCESS on success, or the appropriate NTSTATUS error code on failure.

Link: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatesection
Github: https://github.com/hillu/go-ntdll/blob/f8894bfa00af/section_generated.go#L24

func NtQueryInformationThread

func NtQueryInformationThread(threadHandle windows.Handle, threadInformationClass uintptr, threadInformation uintptr, threadInformationLength uintptr, returnLength uintptr) (value uintptr, err error)

NtQueryInformationThread may be altered or unavailable in future versions of Windows. Applications should use the alternate functions listed in this topic. Retrieves information about the specified thread.

__kernel_entry NTSTATUS NtQueryInformationThread(
  [in]            HANDLE          ThreadHandle,
  [in]            THREADINFOCLASS ThreadInformationClass,
  [in, out]       PVOID           ThreadInformation,
  [in]            ULONG           ThreadInformationLength,
  [out, optional] PULONG          ReturnLength
);

Returns an NTSTATUS success or error code. The forms and significance of NTSTATUS error codes are listed in the Ntstatus.h header file available in the DDK, and are described in the DDK documentation under Kernel-Mode Driver Architecture / Design Guide / Driver Programming Techniques / Logging Errors.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winternl/nf-winternl-ntqueryinformationthread?redirectedfrom=MSDN

func NtQueueApcThreadEx

func NtQueueApcThreadEx(threadHandle windows.Handle, userApcOption uintptr, apcRoutine uintptr, args ...uintptr) (err error)

NtQueueApcThreadEx Each time NtQueueApcThread is called, a new KAPC object is allocated in kernel mode (from the kernel pool) to store the data about the APC object. Let’s say there’s a component that queues a lot of APCs, one after another. This can have performance implications because a lot of non-paged memory is used and also allocating memory takes some time.

NTSTATUS NtQueueApcThreadEx(
  IN HANDLE ThreadHandle,
  IN USER_APC_OPTION UserApcOption,
  IN PPS_APC_ROUTINE ApcRoutine,
  IN PVOID SystemArgument1 OPTIONAL,
  IN PVOID SystemArgument2 OPTIONAL,
  IN PVOID SystemArgument3 OPTIONAL
);

Link: https://repnz.github.io/posts/apc/user-apc/#ntqueueapcthreadex-reusing-kernel-memory Gitlab: https://gitlab.com/mjwhitta/runsc/-/blob/v1.3.4/api_windows.go#L157 Github: https://github.com/mjwhitta/win/blob/v0.15.2/api/ntdll_windows.go#L171

func NtWriteVirtualMemory

func NtWriteVirtualMemory(processHandle windows.Handle, baseAddress *byte, buffer *byte, BufferSize uintptr, numberOfBytesWritten *uintptr) (value uintptr, err error)

NtWriteVirtualMemory is similar to WINAPI WriteProcessMemory.

NTSYSAPI NTSTATUS NTAPI NtWriteVirtualMemory(
  IN HANDLE ProcessHandle,
  IN PVOID  BaseAddress,
  IN PVOID  Buffer,
  IN ULONG  NumberOfBytesToWrite,
  OUT PULONG NumberOfBytesWritten OPTIONAL
);

Link: https://undocumented-ntinternals.github.io/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtWriteVirtualMemory.html

func OpenProcess

func OpenProcess(desiredAccess uint32, inheritHandle bool, processId uint32) (handle windows.Handle, err error)

OpenProcess opens an existing local process object.

HANDLE OpenProcess(
  [in] DWORD dwDesiredAccess,
  [in] BOOL  bInheritHandle,
  [in] DWORD dwProcessId
);

If the function succeeds, the return value is an open handle to the specified process. If the function fails, the return value is NULL.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

func OpenThread

func OpenThread(desiredAccess uint32, inheritHandle bool, threadId uint32) (handle windows.Handle, err error)

OpenThread opens an existing thread object.

HANDLE OpenThread(
  [in] DWORD dwDesiredAccess,
  [in] BOOL  bInheritHandle,
  [in] DWORD dwThreadId
);

If the function succeeds, the return value is an open handle to the specified thread. If the function fails, the return value is NULL.

Link: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthread

func QueueUserAPC

func QueueUserAPC(pfnAPC uintptr, hThread uintptr, dwData uintptr) (value uintptr, err error)

QueueUserAPC adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread.

DWORD QueueUserAPC(
  [in] PAPCFUNC  pfnAPC,
  [in] HANDLE    hThread,
  [in] ULONG_PTR dwData
);

If the function succeeds, the return value is nonzero. If the function fails, the return value is zero.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc

func ReadProcessMemory

func ReadProcessMemory(process windows.Handle, baseAddress uintptr, buffer *byte, size uintptr, numberOfBytesRead *uintptr) (err error)

ReadProcessMemory reads data from an area of memory in a specified process.

BOOL ReadProcessMemory(
  [in]  HANDLE  hProcess,
  [in]  LPCVOID lpBaseAddress,
  [out] LPVOID  lpBuffer,
  [in]  SIZE_T  nSize,
  [out] SIZE_T  *lpNumberOfBytesRead
);

If the function succeeds, the return value is nonzero. If the function fails, the return value is 0. The function fails if the requested read operation crosses into an area of the process that is inaccessible.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory

func RtlCopyBytes

func RtlCopyBytes(address uintptr, source *byte, length uintptr) (err error)

RtlCopyBytes The RtlCopyBytes routine copies the specified number of bytes from a source memory block to a destination memory block.

VOID RtlCopyBytes(
  _Out_       PVOID  Destination,
  _In_  const VOID   *Source,
  _In_        SIZE_T Length
);

Return value: None.

Link: https://learn.microsoft.com/en-us/previous-versions/windows/hardware/kernel/ff561806(v=vs.85)

func RtlCopyMemory

func RtlCopyMemory(address *byte, source *byte, length uintptr) (err error)

The RtlCopyMemory routine copies the contents of a source memory block to a destination memory block.

void RtlCopyMemory(
  void*       Destination,
  const void* Source,
  size_t      Length
);

No return value.

Link: https://learn.microsoft.com/zh-cn/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlcopymemory

func RtlEthernetAddressToStringA

func RtlEthernetAddressToStringA(addr *byte, s uintptr) (value uintptr, err error)

RtlEthernetAddressToStringA converts a binary Ethernet address to a string representation of the Ethernet MAC address.

NTSYSAPI PSTR RtlEthernetAddressToStringA(
  [in]  const DL_EUI48 *Addr,
  [out] PSTR           S
);

Returns a pointer to the NULL character inserted at the end of the string representation of the Ethernet MAC address. The caller can use this to easily append more information to the string.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/ip2string/nf-ip2string-rtlethernetaddresstostringa

func RtlEthernetStringToAddressA

func RtlEthernetStringToAddressA(s uintptr, terminator *byte, addr *byte) (value uintptr, err error)

RtlEthernetStringToAddressA converts a string representation of an Ethernet MAC address to the binary format of the Ethernet address.

NTSYSAPI NTSTATUS RtlEthernetStringToAddressA(
  [in]  PCSTR    S,
  [out] PCSTR    *Terminator,
  [out] DL_EUI48 *Addr
);

If the function succeeds, the return value is STATUS_SUCCESS.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/ip2string/nf-ip2string-rtlethernetstringtoaddressa

func RtlIpv4AddressToStringA

func RtlIpv4AddressToStringA(addr uintptr, s uintptr) (value uintptr, err error)

RtlIpv4AddressToStringA converts an IPv4 address to a string in Internet standard dotted-decimal format.

NTSYSAPI PSTR RtlIpv4AddressToStringA(
  [in]  const in_addr *Addr,
  [out] PSTR          S
);

Returns a pointer to the NULL character inserted at the end of the string representation of the IPv4 address. The caller can use this to easily append more information to the string.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/ip2string/nf-ip2string-rtlipv4addresstostringa

func RtlIpv4StringToAddressA

func RtlIpv4StringToAddressA(s uintptr, strict uintptr, terminator *byte, addr *byte) (value uintptr, err error)

RtlIpv4StringToAddressA converts a string representation of an IPv4 address to a binary IPv4 address.

NTSYSAPI NTSTATUS RtlIpv4StringToAddressA(
  [in]  PCSTR   S,
  [in]  BOOLEAN Strict,
  [out] PCSTR   *Terminator,
  [out] in_addr *Addr
);

If the function succeeds, the return value is STATUS_SUCCESS.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/ip2string/nf-ip2string-rtlipv4stringtoaddressa

func RtlMoveMemory

func RtlMoveMemory(destination *byte, source *byte, length uintptr) (err error)

RtlMoveMemory copies the contents of a source memory block to a destination memory block, and supports overlapping source and destination memory blocks.

VOID RtlMoveMemory(
  _Out_       VOID UNALIGNED *Destination,
  _In_  const VOID UNALIGNED *Source,
  _In_        SIZE_T         Length
);

No return value.

Link: https://learn.microsoft.com/en-us/windows/win32/devnotes/rtlmovememory

func SwitchToFiber

func SwitchToFiber(lpFiber uintptr) (value uintptr, err error)

SwitchToFiber Schedules a fiber. The function must be called on a fiber.

void SwitchToFiber(
  [in] LPVOID lpFiber
);

No return value.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-switchtofiber

func TerminateThread

func TerminateThread(hThread uintptr, dwExitCode uint32) (value uintptr, err error)

TerminateThread terminates a thread.

BOOL TerminateThread(
  [in, out] HANDLE hThread,
  [in]      DWORD  dwExitCode
);

If the function succeeds, the return value is nonzero. If the function fails, the return value is zero.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminatethread

func Thread32First

func Thread32First(snapshot windows.Handle, threadEntry *ThreadEntry32) (err error)

Thread32First retrieves information about the first thread of any process encountered in a system snapshot.

BOOL Thread32First(
  [in]      HANDLE          hSnapshot,
  [in, out] LPTHREADENTRY32 lpte
);

Returns TRUE if the first entry of the thread list has been copied to the buffer, or FALSE otherwise. The GetLastError function returns the ERROR_NO_MORE_FILES error value if no threads exist or the snapshot does not contain thread information.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/tlhelp32/nf-tlhelp32-thread32first

func UuidFromStringA

func UuidFromStringA(stringUuid *byte, uuid uintptr) (value uintptr, err error)

UuidFromStringA: the UuidFromString function converts a string to a UUID.

RPC_STATUS UuidFromStringA(
  RPC_CSTR StringUuid,
  UUID     *Uuid
);

Return value: RPC_S_OK: The call succeeded. RPC_S_INVALID_STRING_UUID: The string UUID is invalid.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/rpcdce/nf-rpcdce-uuidfromstringa

func VirtualAlloc

func VirtualAlloc(address uintptr, size uintptr, allocType uint32, protect uint32) (value uintptr, err error)

VirtualAlloc reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process. Memory allocated by this function is automatically initialized to zero. To allocate memory in the address space of another process, use the VirtualAllocEx function.

LPVOID VirtualAlloc(
  [in, optional] LPVOID lpAddress,
  [in]           SIZE_T dwSize,
  [in]           DWORD  flAllocationType, // MEM_COMMIT | MEM_RESERVE
  [in]           DWORD  flProtect         // PAGE_READWRITE or PAGE_EXECUTE_READWRITE
);

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc

func VirtualAllocEx

func VirtualAllocEx(hProcess windows.Handle, lpAddress uintptr, dwSize uintptr, allocType uint32, protect uint32) (value uintptr, err error)

VirtualAllocEx reserves, commits, or changes the state of a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero. To specify the NUMA node for the physical memory, see VirtualAllocExNuma.

LPVOID VirtualAllocEx(
  [in]           HANDLE hProcess,
  [in, optional] LPVOID lpAddress,
  [in]           SIZE_T dwSize,
  [in]           DWORD  flAllocationType,
  [in]           DWORD  flProtect
);

If the function succeeds, the return value is the base address of the allocated region of pages. If the function fails, the return value is NULL.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex

func VirtualProtect

func VirtualProtect(address uintptr, size uintptr, newProtect uint32, oldProtect *uint32) (value uintptr, err error)

VirtualProtect changes the protection on a region of committed pages in the virtual address space of the calling process. To change the access protection of any process, use the VirtualProtectEx function.

BOOL VirtualProtect(
  [in]  LPVOID lpAddress,
  [in]  SIZE_T dwSize,
  [in]  DWORD  flNewProtect,
  [out] DWORD  lpflOldProtect
);

If the function succeeds, the return value is nonzero.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect

func VirtualProtectEx

func VirtualProtectEx(process windows.Handle, address uintptr, size uintptr, newProtect uint32, oldProtect *uint32) (err error)

VirtualProtectEx changes the protection on a region of committed pages in the virtual address space of a specified process.

BOOL VirtualProtectEx(
  [in]  HANDLE hProcess,
  [in]  LPVOID lpAddress,
  [in]  SIZE_T dwSize,
  [in]  DWORD  flNewProtect,
  [out] PDWORD lpflOldProtect
);

If the function succeeds, the return value is nonzero.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex

func WaitForSingleObject

func WaitForSingleObject(handle windows.Handle, waitMilliseconds uint32) (event uint32, err error)

WaitForSingleObject Waits until the specified object is in the signaled state or the time-out interval elapses. To enter an alertable wait state, use the WaitForSingleObjectEx function. To wait for multiple objects, use WaitForMultipleObjects.

DWORD WaitForSingleObject(
  [in] HANDLE hHandle,
  [in] DWORD  dwMilliseconds
);

If the function succeeds, the return value indicates the event that caused the function to return. It can be one of the following values.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject

func WriteProcessMemory

func WriteProcessMemory(process windows.Handle, baseAddress uintptr, buffer *byte, size uintptr, numberOfBytesWritten *uintptr) (err error)

WriteProcessMemory writes data to an area of memory in a specified process. The entire area to be written to must be accessible, or the operation fails.

BOOL WriteProcessMemory(
  [in]  HANDLE  hProcess,
  [in]  LPVOID  lpBaseAddress,
  [in]  LPCVOID lpBuffer,
  [in]  SIZE_T  nSize,
  [out] SIZE_T  *lpNumberOfBytesWritten
);

If the function succeeds, the return value is nonzero. If the function fails, the return value is 0 (zero). To get extended error information, call GetLastError. The function fails if the requested write operation crosses into an area of the process that is inaccessible.

Link: https://learn.microsoft.com/zh-cn/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory

Types

This section is empty.
