gabh

package

v1.9.3 Latest Latest Go to latest Published: Mar 17, 2023 License: MIT Imports: 16 Imported by: 6

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/timwhitez/Doge-Gabh

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func CMDUnhook(DLLname []string) error
func DiskFuncPtr(moduleName string, funcnamehash string, hash func(string) string) (uint64, string, error)
func DiskHgate(funcname string, hash func(string) string) (uint16, error)
func EggCall(callid uint16, argh ...uintptr) (errcode uint32, err error)
func FullUnhook(DLLname []string) error
func GetRecyCall(tarApi string, blacklist []string, hash func(string) string) uintptr
func GetSSNByNameExcept(fname string, hash func(string) string) (uintptr, error)
func HgSyscall(callid uint16, argh ...uintptr) (errcode uint32, err error)
func KDllunhook(DLLname []string) error
func MemFuncPtr(moduleName string, funcnamehash string, hash func(string) string) (uint64, string, error)
func MemHgate(funcname string, hash func(string) string) (uint16, error)
func Memcpy(dst, src, size uintptr)
func Memset(ptr uintptr, c byte, n uintptr)
func NvA(addr, size uintptr, allocType, protect uint32) (uintptr, error)
func PerunsFart() error
func ReCycall(callid uint16, syscallA uintptr, argh ...uintptr) (errcode uint32, err error)
func ReMapNtdll() (*unNtd, error)
func Uint16Down(b []byte, idx uint16) uint16
func Uint16Up(b []byte, idx uint16) uint16
type BYTE
type Count_LIST
type DWORD
type DW_SYSCALL_LIST
- func DWhisper(hash func(string) string) *DW_SYSCALL_LIST
- func (dl *DW_SYSCALL_LIST) GetSysid(s string) uint16
type Export
- func GetExport(pModuleBase uintptr) []Export
type IMAGE_DATA_DIRECTORY
type IMAGE_DOS_HEADER
type IMAGE_FILE_HEADER
type IMAGE_NT_HEADERS
type IMAGE_NT_HEADERS64
type IMAGE_OPTIONAL_HEADER
type IMAGE_OPTIONAL_HEADER64
type IMAGE_RUNTIME_FUNCTION_ENTRY
type LONG
type Library
- func LoadLibraryImpl(image *[]byte, hash func(string) string) (*Library, error)
- func Universal(hash func(string) string) (*Library, error)
- func (l *Library) FindProc(funcname string) (uintptr, bool)
- func (l *Library) UniversalFindProc(funcname string) (uintptr, error)
type SPFG
- func SpfGate(sysid uint16, none []string) (*SPFG, error)
- func (f *SPFG) Recover()
type SYSCALL_LIST
type ULONGLONG
type WORD

Constants ¶

View Source

const (
	MEM_COMMIT  = 0x001000
	MEM_RESERVE = 0x002000
	IDX         = 32
)

View Source

const (
	IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
)

Variables ¶

This section is empty.

Functions ¶

func CMDUnhook ¶ added in v1.7.6

func CMDUnhook(DLLname []string) error

func DiskFuncPtr ¶ added in v1.7.0

func DiskFuncPtr(moduleName string, funcnamehash string, hash func(string) string) (uint64, string, error)

DiskFuncPtr returns a pointer to the function (Virtual Address)

func DiskHgate ¶ added in v1.6.1

func DiskHgate(funcname string, hash func(string) string) (uint16, error)

NtdllHgate takes the exported syscall name and gets the ID it refers to. This function will access the ntdll file _on disk_, and relevant events/logs will be generated for those actions.

func EggCall ¶ added in v1.7.8

func EggCall(callid uint16, argh ...uintptr) (errcode uint32, err error)

EggCall calls the system function specified by callid with n arguments. Works much the same as syscall.Syscall - return value is the call error code and optional error text. All args are uintptrs to make it easy.

func FullUnhook ¶ added in v1.4.0

func FullUnhook(DLLname []string) error

func GetRecyCall ¶ added in v1.7.9

func GetRecyCall(tarApi string, blacklist []string, hash func(string) string) uintptr

func GetSSNByNameExcept ¶ added in v1.8.3

func GetSSNByNameExcept(fname string, hash func(string) string) (uintptr, error)

func HgSyscall ¶

func HgSyscall(callid uint16, argh ...uintptr) (errcode uint32, err error)

HgSyscall calls the system function specified by callid with n arguments. Works much the same as syscall.Syscall - return value is the call error code and optional error text. All args are uintptrs to make it easy.

func KDllunhook ¶ added in v1.8.2

func KDllunhook(DLLname []string) error

func MemFuncPtr ¶ added in v1.7.0

func MemFuncPtr(moduleName string, funcnamehash string, hash func(string) string) (uint64, string, error)

MemFuncPtr returns a pointer to the function (Virtual Address)

func MemHgate ¶ added in v1.6.1

func MemHgate(funcname string, hash func(string) string) (uint16, error)

NtdllHgate takes the exported syscall name and gets the ID it refers to. This function will access the ntdll file _on disk_, and relevant events/logs will be generated for those actions.

func Memcpy ¶ added in v1.9.0

func Memcpy(dst, src, size uintptr)

func Memset ¶ added in v1.6.2

func Memset(ptr uintptr, c byte, n uintptr)

func NvA ¶ added in v1.7.0

func NvA(addr, size uintptr, allocType, protect uint32) (uintptr, error)

NtAllocateVirtualMemory

func PerunsFart ¶ added in v1.5.0

func PerunsFart() error

Perun's Fart unhook function todo: change syscall package into gabh

func ReCycall ¶ added in v1.7.9

func ReCycall(callid uint16, syscallA uintptr, argh ...uintptr) (errcode uint32, err error)

ReCycall calls the system function specified by callid with n arguments. Works much the same as syscall.Syscall - return value is the call error code and optional error text. All args are uintptrs to make it easy.

func ReMapNtdll ¶ added in v1.2.0

func ReMapNtdll() (*unNtd, error)

func Uint16Down ¶ added in v1.4.0

func Uint16Down(b []byte, idx uint16) uint16

func Uint16Up ¶ added in v1.4.0

func Uint16Up(b []byte, idx uint16) uint16

Types ¶

type BYTE ¶ added in v1.5.0

type BYTE uint8

type Count_LIST ¶ added in v1.8.0

type Count_LIST struct {
	Address uintptr
	// contains filtered or unexported fields
}

type DWORD ¶ added in v1.5.0

type DWORD uint32

type DW_SYSCALL_LIST ¶ added in v1.8.0

type DW_SYSCALL_LIST struct {
	// contains filtered or unexported fields
}

func DWhisper ¶ added in v1.8.0

func DWhisper(hash func(string) string) *DW_SYSCALL_LIST

func (*DW_SYSCALL_LIST) GetSysid ¶ added in v1.8.0

func (dl *DW_SYSCALL_LIST) GetSysid(s string) uint16

type Export ¶ added in v1.9.0

type Export struct {
	Name           string
	VirtualAddress uintptr
}

Export - describes a single export entry

func GetExport ¶ added in v1.9.0

func GetExport(pModuleBase uintptr) []Export

type IMAGE_DATA_DIRECTORY ¶ added in v1.5.0

type IMAGE_DATA_DIRECTORY _IMAGE_DATA_DIRECTORY

type IMAGE_DOS_HEADER ¶ added in v1.5.0

type IMAGE_DOS_HEADER _IMAGE_DOS_HEADER

type IMAGE_FILE_HEADER ¶ added in v1.5.0

type IMAGE_FILE_HEADER _IMAGE_FILE_HEADER

type IMAGE_NT_HEADERS ¶ added in v1.5.0

type IMAGE_NT_HEADERS IMAGE_NT_HEADERS64

type IMAGE_NT_HEADERS64 ¶ added in v1.5.0

type IMAGE_NT_HEADERS64 _IMAGE_NT_HEADERS64

type IMAGE_OPTIONAL_HEADER ¶ added in v1.5.0

type IMAGE_OPTIONAL_HEADER IMAGE_OPTIONAL_HEADER64

type IMAGE_OPTIONAL_HEADER64 ¶ added in v1.5.0

type IMAGE_OPTIONAL_HEADER64 _IMAGE_OPTIONAL_HEADER64

type IMAGE_RUNTIME_FUNCTION_ENTRY ¶ added in v1.8.3

type IMAGE_RUNTIME_FUNCTION_ENTRY struct {
	BeginAddress      uint32
	EndAddress        uint32
	UnwindInfoAddress uint32
}

type LONG ¶ added in v1.5.0

type LONG uint32

type Library ¶ added in v1.3.0

type Library struct {
	Name        string
	BaseAddress uintptr
	Exports     map[string]uint64
}

Library - describes a loaded library

func LoadLibraryImpl ¶ added in v1.3.0

func LoadLibraryImpl(image *[]byte, hash func(string) string) (*Library, error)

LoadLibraryImpl - loads a single library to memory, without trying to check or load required imports

func Universal ¶ added in v1.3.0

func Universal(hash func(string) string) (*Library, error)

func (*Library) FindProc ¶ added in v1.3.0

func (l *Library) FindProc(funcname string) (uintptr, bool)

FindProc - returns the address of the given function in this library

func (*Library) UniversalFindProc ¶ added in v1.3.0

func (l *Library) UniversalFindProc(funcname string) (uintptr, error)

type SPFG ¶ added in v1.7.4

type SPFG struct {
	Fakename string
	Pointer  uintptr
	Fakeid   uint16
	Realid   uint16
}

func SpfGate ¶ added in v1.7.4

func SpfGate(sysid uint16, none []string) (*SPFG, error)

func (*SPFG) Recover ¶ added in v1.7.4

func (f *SPFG) Recover()

type SYSCALL_LIST ¶ added in v1.8.0

type SYSCALL_LIST struct {
	Count   uint16
	Address uintptr
}

type ULONGLONG ¶ added in v1.5.0

type ULONGLONG uint64

type WORD ¶ added in v1.5.0

type WORD uint16

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL