This is a pure-go implementation of using direct syscalls to do windowsy stuff. Don't be silly and try this on not-Windows, it won't work and I honestly don't know why you'd even think it would?
8
+
This is a pure-go implementation of using direct syscalls to do Windowsy stuff. Don't be silly and try this on not-Windows, it won't work and I honestly don't know why you'd even think it would?
9
9
10
10
Several useful functions in dealing with process things are provided by this lib. Namely:
11
11
- `Syscall` with a provided `sysid` and `uintptr`s to parameters, you're able to do a Windows syscall for pretty much any defined kernel call. I only tried with a handful, but it should work with any/most.
12
-
- `GetPEB` return the memory location of the PEB wihtout performing any API calls. At it's core, just does this: `MOVQ 0x60(GS), AX ; MOVQ AX, ret+0(FP)`(this is the Go ASM syntax, incase you're confused.)
12
+
- `GetPEB` return the memory location of the PEB without performing any API calls. At it's core, just does this: `MOVQ 0x60(GS), AX ; MOVQ AX, ret+0(FP)`(this is the Go ASM syntax, incase you're confused.)
13
13
- `GetNtdllStart` return the start address of ntdll loaded in process memory. Does not make any API calls (see asm_x64.s for details)
14
14
- `WriteMemory` take a byte slice, and write it to a certain memory address (may panic if not writable etc lol)
15
15
- A handful of predefined kernel calls like `NtAllocateVirtualMemory` etc. See source for more details and whatnot.
16
16
17
-
17
+
All of the PE parsing and extraction of interesting information is provided by https://github.com/Binject/debug, which adds on to the stdlib `pe` library in some very cool ways.
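Review bot: the typo pass on the `GetPEB` line is incomplete; the replacement line still reads "At it's core" (should be "At its core") and "incase" (should be "in case"), and the bullets use "return"/"take" where "returns"/"takes" agrees with the subject, so consider fixing those in the same commit rather than a follow-up. Also, since the added line documents `MOVQ 0x60(GS), AX` as the whole of `GetPEB`, it should say this is the x64 TEB layout (the 32-bit TEB holds the PEB pointer at a different offset off FS), matching the asm_x64.s reference already on the `GetNtdllStart` bullet, so a reader does not assume the helper is architecture-neutral.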