gorwmem

package module

v0.0.0-...-a799320 Latest Latest Go to latest Published: Nov 18, 2023 License: MIT Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/maxwelbm/gorwmem

Links

Open Source Insights

README ¶

gorwmem

Package developed in Golang that allows reading and writing processes in the operating system's memory. This is done through read and write operations in the process memory, which can be useful in scenarios such as debugging, malware analysis and reverse engineering.

Motivation

motivation created to meet a need to open and read, get the value and rewrite the value in memory, I wanted to replicate something I already did in C++ using the Windows api

About

It's still an initial idea that only works in a windows environment, but I have some plans for this package

Reference

Documentation ¶

Index ¶

Constants
func AdjustTokenPrivileges(tokenHandle HANDLE, disableAllPrivileges BOOL, newState *TOKEN_PRIVILEGES, ...) bool
func CloseHandle(object HANDLE) bool
func GetAsyncKeyState(vKey int) uint16
func IsKeyDown(v int) bool
func LookupPrivilegeValue(lpSystemName string, lpName string, lpLuid *LUID) bool
func Module32First(snapshot HANDLE, me *MODULEENTRY32) bool
func Module32Next(snapshot HANDLE, me *MODULEENTRY32) bool
func OpenProcessToken(processHandle HANDLE, desiredAccess uint32, tokenHandle *HANDLE) bool
func Process32First(snapshot HANDLE, procEntry *PROCESSENTRY32) (err error)
func Process32Next(snapshot HANDLE, procEntry *PROCESSENTRY32) (err error)
func ReadProcessMemory(hProcess HANDLE, lpBaseAddress uint32, size uint) (data []byte, err error)
func UTF16PtrToString(cstr *uint16) string
func WriteProcessMemory(hProcess HANDLE, lpBaseAddress uint32, data []byte, size uint) (err error)
type BOOL
type DWORD
type Data
type DataException
type DataManager
- func GetDataManager(processName string) *DataManager
- func (dm *DataManager) GetModuleFromName(module string) (address uintptr, err ProcessException)
- func (dm *DataManager) Read(address, size uint, dataType DataType) (data Data, err DataException)
- func (dm *DataManager) Write(address uint, data Data) (err DataException)
type DataType
- func (dataType DataType) String() string
type HANDLE
- func CreateToolhelp32Snapshot(flags, processId uint32) HANDLE
- func GetCurrentProcess() (pseudoHandle HANDLE, err error)
- func OpenProcess(desiredAccess uint32, inheritHandle bool, processId uint32) (handle HANDLE, err error)
type HMODULE
type LONG
type LUID
type LUID_AND_ATTRIBUTES
type MODULEENTRY32
type PROCESSENTRY32
type Process
type ProcessException
- func ProcessHandler(processName string) (hProcess *processHandler, err ProcessException)
type TOKEN_PRIVILEGES

Constants ¶

View Source

const (
	STANDARD_RIGHTS_REQUIRED = 0x000F
	STANDARD_RIGHTS_READ     = 0x20000
	STANDARD_RIGHTS_WRITE    = 0x20000
	STANDARD_RIGHTS_EXECUTE  = 0x20000
	STANDARD_RIGHTS_ALL      = 0x1F0000
)

View Source

const (
	Th32csSnapprocess  = 0x00000002
	MaxPath            = 260
	PROCESS_ALL_ACCESS = 2035711 //This is not recommended.
)

View Source

const (
	// do not reorder
	TOKEN_ASSIGN_PRIMARY = 1 << iota
	TOKEN_DUPLICATE
	TOKEN_IMPERSONATE
	TOKEN_QUERY
	TOKEN_QUERY_SOURCE
	TOKEN_ADJUST_PRIVILEGES
	TOKEN_ADJUST_GROUPS
	TOKEN_ADJUST_DEFAULT
	TOKEN_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED |
		TOKEN_ASSIGN_PRIMARY |
		TOKEN_DUPLICATE |
		TOKEN_IMPERSONATE |
		TOKEN_QUERY |
		TOKEN_QUERY_SOURCE |
		TOKEN_ADJUST_PRIVILEGES |
		TOKEN_ADJUST_GROUPS |
		TOKEN_ADJUST_DEFAULT
	TOKEN_READ  = STANDARD_RIGHTS_READ | TOKEN_QUERY
	TOKEN_WRITE = STANDARD_RIGHTS_WRITE |
		TOKEN_ADJUST_PRIVILEGES |
		TOKEN_ADJUST_GROUPS |
		TOKEN_ADJUST_DEFAULT
	TOKEN_EXECUTE = STANDARD_RIGHTS_EXECUTE
)

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374905(v=vs.85).aspx

View Source

const (
	SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
	SE_PRIVILEGE_ENABLED            = 0x00000002
	SE_PRIVILEGE_REMOVED            = 0x00000004
	SE_PRIVILEGE_USED_FOR_ACCESS    = 0x80000000
	SE_PRIVILEGE_VALID_ATTRIBUTES   = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_REMOVED | SE_PRIVILEGE_USED_FOR_ACCESS
)

https://msdn.microsoft.com/en-us/library/windows/desktop/aa379630(v=vs.85).aspx

View Source

const (
	TH32CS_SNAPHEAPLIST = 0x00000001
	TH32CS_SNAPPROCESS  = 0x00000002
	TH32CS_SNAPTHREAD   = 0x00000004
	TH32CS_SNAPMODULE   = 0x00000008
	TH32CS_SNAPMODULE32 = 0x00000010
	TH32CS_INHERIT      = 0x80000000
	TH32CS_SNAPALL      = TH32CS_SNAPHEAPLIST | TH32CS_SNAPMODULE | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD
)

CreateToolhelp32Snapshot flags

View Source

const (
	MAX_MODULE_NAME32 = 255
	MAX_PATH          = 260
)

View Source

const (
	ANYSIZE_ARRAY = 1
)

Winnt.h

View Source

const SE_DEBUG_NAME = "SeDebugPrivilege"

Variables ¶

This section is empty.

Functions ¶

func AdjustTokenPrivileges ¶

func AdjustTokenPrivileges(tokenHandle HANDLE, disableAllPrivileges BOOL, newState *TOKEN_PRIVILEGES, bufferLength uint32, previousState *TOKEN_PRIVILEGES, returnLength *uint32) bool

func CloseHandle ¶

func CloseHandle(object HANDLE) bool

func GetAsyncKeyState ¶

func GetAsyncKeyState(vKey int) uint16

GetAsyncKeyState get the status of a specific keyboard key

func IsKeyDown ¶

func IsKeyDown(v int) bool

IsKeyDown https://docs.microsoft.com/en-gb/windows/win32/inputdev/virtual-key-codes

func LookupPrivilegeValue ¶

func LookupPrivilegeValue(lpSystemName string, lpName string, lpLuid *LUID) bool

func Module32First ¶

func Module32First(snapshot HANDLE, me *MODULEENTRY32) bool

func Module32Next ¶

func Module32Next(snapshot HANDLE, me *MODULEENTRY32) bool

func OpenProcessToken ¶

func OpenProcessToken(processHandle HANDLE, desiredAccess uint32, tokenHandle *HANDLE) bool

func Process32First ¶

func Process32First(snapshot HANDLE, procEntry *PROCESSENTRY32) (err error)

func Process32Next ¶

func Process32Next(snapshot HANDLE, procEntry *PROCESSENTRY32) (err error)

func ReadProcessMemory ¶

func ReadProcessMemory(hProcess HANDLE, lpBaseAddress uint32, size uint) (data []byte, err error)

ReadProcessMemory Reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails. https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx

func UTF16PtrToString ¶

func UTF16PtrToString(cstr *uint16) string

func WriteProcessMemory ¶

func WriteProcessMemory(hProcess HANDLE, lpBaseAddress uint32, data []byte, size uint) (err error)

WriteProcessMemory Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails. https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx

Types ¶

type BOOL ¶

type BOOL int32

type DWORD ¶

type DWORD uint32

type Data ¶

type Data struct {
	Value    interface{} // Any type value.
	DataType DataType    // Unwarp value.
}

Data This type warp the read and write values.

type DataException ¶

type DataException error

DataException Exception type of DataManager.

type DataManager ¶

type DataManager struct {
	ProcessName string //Name of the process.

	IsOpen bool //True if we are in process.
	// contains filtered or unexported fields
}

DataManager This type is the Facade for read and write.

func GetDataManager ¶

func GetDataManager(processName string) *DataManager

GetDataManager Constructor of DataManager Param (processName) : The name of process to handle. Returns (*dataManager) : A dataManager object.

func (*DataManager) GetModuleFromName ¶

func (dm *DataManager) GetModuleFromName(module string) (address uintptr, err ProcessException)

GetModuleFromName Specific method for read a byte.

func (*DataManager) Read ¶

func (dm *DataManager) Read(address, size uint, dataType DataType) (data Data, err DataException)

Read Facade to Read methods. Public function of (data_manager) package. Param (address) : The process memory address in hexadecimal. EX: (0X0057F0F0). Param (size) : Size array Param (dataType) : The type of data that want to retrieve. Returns (data) : The data from memory. If low level facade fails, this will be nil. Errors (err) : This will be not nil if handle is not opened or the type is invalid.

func (*DataManager) Write ¶

func (dm *DataManager) Write(address uint, data Data) (err DataException)

Write Facade to Write methods. Public function of (data_manager) package. Param (address) : The process memory address in hexadecimal. EX: (0X0057F0F0). Param (data) : The data to write. Errors (err) : This will be not nil if handle is not opened or the type is invalid.

type DataType ¶

type DataType int

DataType Type of the data.

const (
	UINT DataType = iota
	INT
	BYTE
	STRING
	FLOAT
	ARRAY
)

Enum of data types.

func (DataType) String ¶

func (dataType DataType) String() string

String Get the string value from enum value.

type HANDLE ¶

type HANDLE uintptr

func CreateToolhelp32Snapshot ¶

func CreateToolhelp32Snapshot(flags, processId uint32) HANDLE

func GetCurrentProcess ¶

func GetCurrentProcess() (pseudoHandle HANDLE, err error)

func OpenProcess ¶

func OpenProcess(desiredAccess uint32, inheritHandle bool, processId uint32) (handle HANDLE, err error)

type HMODULE ¶

type HMODULE HANDLE

type LONG ¶

type LONG int32

type LUID ¶

type LUID struct {
	LowPart  DWORD
	HighPart LONG
}

LUID https://msdn.microsoft.com/en-us/library/windows/desktop/aa379261(v=vs.85).aspx

type LUID_AND_ATTRIBUTES ¶

type LUID_AND_ATTRIBUTES struct {
	Luid       LUID
	Attributes DWORD
}

LUID_AND_ATTRIBUTES https://msdn.microsoft.com/en-us/library/windows/desktop/aa379263(v=vs.85).aspx

type MODULEENTRY32 ¶

type MODULEENTRY32 struct {
	Size         uint32
	ModuleID     uint32
	ProcessID    uint32
	GlblcntUsage uint32
	ProccntUsage uint32
	ModBaseAddr  *uint8
	ModBaseSize  uint32
	HModule      HMODULE
	SzModule     [MAX_MODULE_NAME32 + 1]uint16
	SzExePath    [MAX_PATH]uint16
}

MODULEENTRY32 http://msdn.microsoft.com/en-us/library/windows/desktop/ms684225.aspx

type PROCESSENTRY32 ¶

type PROCESSENTRY32 struct {
	Size            uint32
	Usage           uint32
	ProcessID       uint32
	DefaultHeapID   uintptr
	ModuleID        uint32
	Threads         uint32
	ParentProcessID uint32
	PriClassBase    int32
	Flags           uint32
	ExeFile         [MaxPath]uint16
}

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684839(v=vs.85).aspx

type Process ¶

type Process struct {
	Name string
	Pid  uint32
}

Process Type of simple process.

type ProcessException ¶

type ProcessException error

ProcessException Exception type of ProcessHandler.

func ProcessHandler ¶

func ProcessHandler(processName string) (hProcess *processHandler, err ProcessException)

ProcessHandler Constructor of ProcessHandler Param (processName) : The name of process to handle. Returns (*processHandler) : A processHandler object. Errors (err) : Error if you don't exist process with passed name.

type TOKEN_PRIVILEGES ¶

type TOKEN_PRIVILEGES struct {
	PrivilegeCount DWORD
	Privileges     [ANYSIZE_ARRAY]LUID_AND_ATTRIBUTES
}

TOKEN_PRIVILEGES https://msdn.microsoft.com/en-us/library/windows/desktop/aa379630(v=vs.85).aspx

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
example

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL