Projects STRLCPY BananaPhone Commits ccfabf94
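--- a/example/modules/main.go
+++ b/example/modules/main.go
@@ -0,0 +1,24 @@
+package main
+
+import (
+ "fmt"
+
+ bananaphone "github.com/C-Sto/BananaPhone/pkg/BananaPhone"
+)
+
+func main() {
+ fmt.Println("modules!")
+ x, y, z := bananaphone.GetModuleLoadedOrder(0)
+ fmt.Printf("%x, %x %+v\n", x, y, z)
+ x, y, z = bananaphone.GetModuleLoadedOrder(1)
+ fmt.Printf("%x, %x %+v\n", x, y, z)
+ x, y, z = bananaphone.GetModuleLoadedOrder(2)
+ fmt.Printf("%x, %x %+v\n", x, y, z)
+
+ fmt.Println("end modules!")
+ fmt.Println(bananaphone.InMemLoads())
+
+ fmt.Printf("%+v\n", bananaphone.GetModuleLoadedOrderPtr(1))
+ fmt.Println("end modules!")
+}
+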
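--- a/pkg/BananaPhone/asm_x64.s
+++ b/pkg/BananaPhone/asm_x64.s
@@ -29,6 +29,67 @@
 
  RET
 
+//func getModuleLoadedOrder(i int) (start uintptr, size uintptr)
+TEXT ·getModuleLoadedOrder(SB), $0-32
+ //All operations push values into AX
+ //PEB
+ MOVQ 0x60(GS), AX
+ //PEB->LDR
+ MOVQ 0x18(AX),AX
+
+ //LDR->InMemoryOrderModuleList
+ MOVQ 0x20(AX),AX
+
+ //loop things
+ XORQ R10,R10
+startloop:
+ CMPQ R10,i+0(FP)
+ JE endloop
+ //Flink (get next element)
+ MOVQ (AX),AX
+ INCQ R10
+ JMP startloop
+endloop:
+ //Flink - 0x10 -> _LDR_DATA_TABLE_ENTRY
+ //_LDR_DATA_TABLE_ENTRY->DllBase (offset 0x30)
+ MOVQ 0x20(AX),CX
+ MOVQ CX, start+8(FP)
+
+ MOVQ 0x30(AX),CX
+ MOVQ CX, size+16(FP)
+ MOVQ AX,CX
+ ADDQ $0x38,CX
+ MOVQ CX, modulepath+24(FP)
+ //SYSCALL
+ RET
+
+//func GetModuleLoadedOrderPtr(i int) *LdrTableThing
+TEXT ·GetModuleLoadedOrderPtr(SB), $0-16
+ //All operations push values into AX
+ //PEB
+ MOVQ 0x60(GS), AX
+ //PEB->LDR
+ MOVQ 0x18(AX),AX
+
+ //LDR->InMemoryOrderModuleList
+ MOVQ 0x20(AX),AX
+
+ //loop things
+ XORQ R10,R10
+startloop:
+ CMPQ R10,i+0(FP)
+ JE endloop
+ //Flink (get next element)
+ MOVQ (AX),AX
+ INCQ R10
+ JMP startloop
+endloop:
+ MOVQ AX,CX
+ SUBQ $0x10,CX
+ MOVQ CX, ret+8(FP)
+
+ RET
+
 //based on https://golang.org/src/runtime/sys_windows_amd64.s
 #define maxargs 16
 //func Syscall(callid uint16, argh ...uintptr) (uint32, error)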
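Review bot: The index loop in `getModuleLoadedOrder` (new lines 44-51) stops only when `R10 == i`, so a negative `i` never terminates, and an `i` at or past the module count keeps following Flink around the circular list, which, as far as I can read the PEB_LDR_DATA walk, passes through the list head that is not an LDR_DATA_TABLE_ENTRY and is then read at `0x20(AX)`/`0x30(AX)`/`0x38(AX)` as if it were one; `GetModuleLoadedOrderPtr` duplicates the same loop and has the same gap. A guard that saves the head address before the first Flink load (`LEAQ 0x20(AX), R11` before `MOVQ 0x20(AX),AX`) and breaks out with `CMPQ AX, R11; JE endloop` would at least bound the walk, and the Go-side comment should state that `i` must be non-negative and below the number of loaded modules. Two comments are out of date: the header `//func getModuleLoadedOrder(i int) (start uintptr, size uintptr)` omits the third `modulepath` result that `modulepath+24(FP)` writes, and `//SYSCALL` before the first `RET` is stale since no syscall is issued.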
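--- a/pkg/BananaPhone/functions.go
+++ b/pkg/BananaPhone/functions.go
@@ -18,6 +18,47 @@
 //GetNtdllStart returns the start address of ntdll in memory
 func GetNtdllStart() (start uintptr, size uintptr)
 
+//getModuleLoadedOrder returns the start address of module located at i in the load order. This might be useful if there is a function you need that isn't in ntdll, or if some rude individual has loaded themselves before ntdll.
+func getModuleLoadedOrder(i int) (start uintptr, size uintptr, modulepath *stupidstring)
+
+//GetModuleLoadedOrderPtr returns a pointer to the ldr data table entry in full, incase there is something interesting in there you want to see.
+func GetModuleLoadedOrderPtr(i int) *LdrDataTableEntry
+
+//GetModuleLoadedOrder returns the start address of module located at i in the load order. This might be useful if there is a function you need that isn't in ntdll, or if some rude individual has loaded themselves before ntdll.
+func GetModuleLoadedOrder(i int) (start uintptr, size uintptr, modulepath string) {
+ var badstring *stupidstring
+ start, size, badstring = getModuleLoadedOrder(i)
+ modulepath = badstring.String()
+ return
+}
+
+//Image contains info about a loaded image. Literally just a Base Addr and a Size - it should allow someone with a handy PE parser to pull the image out of memory...
+type Image struct {
+ BaseAddr uint64
+ Size uint64
+}
+
+//InMemLoads returns a map of loaded dll paths to current process offsets (aka images) in the current process. No syscalls are made.
+func InMemLoads() (map[string]Image, error) {
+ ret := make(map[string]Image)
+ s, si, p := GetModuleLoadedOrder(0)
+ start := p
+ i := 1
+ ret[p] = Image{uint64(s), uint64(si)}
+ for {
+ s, si, p = GetModuleLoadedOrder(i)
+ if p != "" {
+ ret[p] = Image{uint64(s), uint64(si)}
+ }
+ if p == start {
+ break
+ }
+ i++
+ }
+
+ return ret, nil
+}
+
 //GetSysIDFromMemory takes the exported syscall name or ordinal and gets the ID it refers to (try not to supply both, it might not work how you expect). This function will not use a clean version of the dll, if AV has hooked the in-memory ntdll module, the results of this call may be bad.
 func GetSysIDFromMemory(funcname string) (uint16, error) {
  return getSysIDFromMemory(funcname, 0, false)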
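Review bot: `InMemLoads` notices the end of the list only after it has already walked past it: the loop calls `GetModuleLoadedOrder(i)` until the path equals the first module's path again, so the iteration one past the last module lands on the circular list's sentinel head (inside PEB_LDR_DATA rather than on an entry, as far as I can follow the asm), and `badstring.String()` in `GetModuleLoadedOrder` dereferences whatever pointer-shaped value sits at that offset; the `p != ""` check does not prevent that read. Stopping when the current entry's link node reaches the head, which the first entry's `Blink` should point at in a well-formed doubly linked list, avoids reading the sentinel at all and also removes the dependence on path equality, which breaks if two entries share a FullDllName; the rewrite below does that and keeps the signature. The `error` result is always nil in this version, which is worth noting in the doc comment until something can actually fail.
```go
//InMemLoads returns a map of loaded dll paths to current process offsets (aka images) in the current process. No syscalls are made.
func InMemLoads() (map[string]Image, error) {
	ret := make(map[string]Image)
	// The in-memory order list is circular: the first entry's Blink should be the
	// sentinel head inside PEB_LDR_DATA, which is not an entry and must not be read as one.
	head := GetModuleLoadedOrderPtr(0).InMemoryOrderLinks.Blink
	for i := 0; ; i++ {
		if &GetModuleLoadedOrderPtr(i).InMemoryOrderLinks == head {
			break // walked the full circle back to the sentinel
		}
		s, si, p := GetModuleLoadedOrder(i)
		ret[p] = Image{uint64(s), uint64(si)}
	}
	return ret, nil
}
```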
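--- a/pkg/BananaPhone/internal.go
+++ b/pkg/BananaPhone/internal.go
@@ -7,6 +7,7 @@
 
  "github.com/awgh/rawreader"
  "github.com/binject/debug/pe"
+ "golang.org/x/sys/windows"
 )
 
 //rvaToOffset converts an RVA value from a PE file into the file offset. When using binject/debug, this should work fine even with in-memory files.
@@ -85,3 +86,14 @@
  return binary.LittleEndian.Uint16(b[4:8]), nil
 }
 
+//stupidstring is the stupid internal windows definiton of a unicode string. I hate it.
+type stupidstring struct {
+ Length uint16
+ MaxLength uint16
+ PWstr *uint16
+}
+
+func (s stupidstring) String() string {
+ return windows.UTF16PtrToString(s.PWstr)
+}
+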
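Review bot: `stupidstring.String` ignores `Length` and lets `windows.UTF16PtrToString` scan `PWstr` until a NUL, but a UNICODE_STRING buffer is not required to be NUL-terminated, so the conversion can read past the end of the buffer the loader handed out. Bounding the read by `Length` (a byte count, so `Length/2` UTF-16 units) and treating a nil pointer or zero length as the empty string is safer and still returns the same text for terminated buffers; the version below needs `unsafe` imported, and `unsafe.Slice` requires Go 1.17 or newer, which I cannot confirm from this page. The comment above the type also has a typo, `definiton`, and as a second hunk in the same file the import addition looks fine.
```go
func (s stupidstring) String() string {
	if s.PWstr == nil || s.Length == 0 {
		return ""
	}
	// Length is in bytes; the buffer need not be NUL-terminated, so never read past it.
	return windows.UTF16ToString(unsafe.Slice(s.PWstr, int(s.Length)/2))
}
```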
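--- a/pkg/BananaPhone/ldr.go
+++ b/pkg/BananaPhone/ldr.go
@@ -0,0 +1,60 @@
+package bananaphone
+
+type LdrDataTableEntry struct {
+ InLoadOrderLinks ListEntry
+ InMemoryOrderLinks ListEntry
+ InInitializationOrderLinks ListEntry
+ DllBase *uintptr
+ EntryPoint *uintptr
+ SizeOfImage *uintptr
+ FullDllName stupidstring
+ BaseDllName stupidstring
+ Flags uint32
+ LoadCount uint16
+ TlsIndex uint16
+ HashLinks ListEntry
+ TimeDateStamp uint64
+}
+
+type ListEntry struct {
+ Flink *ListEntry
+ Blink *ListEntry
+ //Awful struct I hate it
+}
+
+/*
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+ LIST_ENTRY InLoadOrderLinks;
+ LIST_ENTRY InMemoryOrderLinks;
+ LIST_ENTRY InInitializationOrderLinks;
+ PVOID DllBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ ULONG Flags;
+ WORD LoadCount;
+ WORD TlsIndex;
+ union
+ {
+ LIST_ENTRY HashLinks;
+ struct
+ {
+ PVOID SectionPointer;
+ ULONG CheckSum;
+ };
+ };
+ union
+ {
+ ULONG TimeDateStamp;
+ PVOID LoadedImports;
+ };
+ _ACTIVATION_CONTEXT * EntryPointActivationContext;
+ PVOID PatchInformation;
+ LIST_ENTRY ForwarderLinks;
+ LIST_ENTRY ServiceTagLinks;
+ LIST_ENTRY StaticLinks;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+*/
+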
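Review bot: `DllBase`, `EntryPoint` and `SizeOfImage` are declared as `*uintptr`, while the C definition quoted below them has `DllBase`/`EntryPoint` as `PVOID` (a pointer-sized value, not a pointer to one) and `SizeOfImage` as a 4-byte `ULONG`. On x64 the following offsets still appear to line up only because of the padding before `FullDllName`, and typing `SizeOfImage` as a Go pointer stores a non-pointer value in a pointer field, which can trip the runtime's bad-pointer checks if the struct is ever copied into Go memory (for example by dereferencing what `GetModuleLoadedOrderPtr` returns). Declaring `DllBase uintptr`, `EntryPoint uintptr`, `SizeOfImage uint32` followed by an explicit `_ uint32` pad makes the layout stated rather than accidental. Both exported types also lack the doc comment the usual Go tooling expects, e.g. `// LdrDataTableEntry mirrors the leading fields of the Windows LDR_DATA_TABLE_ENTRY layout reproduced in the comment below.`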