From 7dbb7930de976b9e2ecbae801e3c080f053d5bb5 Mon Sep 17 00:00:00 2001 From: Pedro Walter Date: Sat, 16 Jul 2022 05:35:22 -0300 Subject: [PATCH] First --- go.mod | 10 ++++ go.sum | 23 +++++++++ readmemory/memory.go | 111 ++++++++++++++++++++++++++++++++++++++++ readmemory/processes.go | 84 ++++++++++++++++++++++++++++++ 4 files changed, 228 insertions(+) create mode 100644 go.mod create mode 100644 go.sum create mode 100644 readmemory/memory.go create mode 100644 readmemory/processes.go diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..a350c23 --- /dev/null +++ b/go.mod @@ -0,0 +1,10 @@ +module github.com/pedro-walter/golang-readmemory + +go 1.18 + +require ( + github.com/0xrawsec/golang-win32 v1.0.14 + golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 +) + +require github.com/0xrawsec/golang-utils v1.3.0 // indirect diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..ea3452e --- /dev/null +++ b/go.sum @@ -0,0 +1,23 @@ +github.com/0xrawsec/golang-utils v1.3.0 h1:fMgwKu5M2PXFwEfwN9B2T1bfg7LPCaV9fL6Xs/nf2Ps= +github.com/0xrawsec/golang-utils v1.3.0/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0= +github.com/0xrawsec/golang-win32 v1.0.14 h1:Lj45Cd7qnhCbtnrNCBI3twefRVh759q/rDXrutxQQOo= +github.com/0xrawsec/golang-win32 v1.0.14/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/sftp v1.10.0/go.mod h1:NxmoDg/QLVWluQDUYG7XBZTLUpKeFa8e3aMf1BfjyHk= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190320215829-36c10c0a621f/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190625160430-252024b82959/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= diff --git a/readmemory/memory.go b/readmemory/memory.go new file mode 100644 index 0000000..a04237b --- /dev/null +++ b/readmemory/memory.go @@ -0,0 +1,111 @@ +package readmemory + +import ( + "encoding/binary" + "math" + "path/filepath" + "strconv" + "unsafe" + + "github.com/0xrawsec/golang-win32/win32" + kernel32 "github.com/0xrawsec/golang-win32/win32/kernel32" + windows "golang.org/x/sys/windows" +) + +func MemoryReadInit(pid uint32, targetModuleFilename string) (int64, bool) { + win32handle, _ := kernel32.OpenProcess(0x0010|windows.PROCESS_VM_READ|windows.PROCESS_QUERY_INFORMATION, win32.BOOL(0), win32.DWORD(pid)) + moduleHandles, _ := kernel32.EnumProcessModules(win32handle) + for _, moduleHandle := range moduleHandles { + s, _ := kernel32.GetModuleFilenameExW(win32handle, moduleHandle) + if filepath.Base(s) == targetModuleFilename { + info, _ := kernel32.GetModuleInformation(win32handle, moduleHandle) + baseAddress := int64(info.LpBaseOfDll) + return baseAddress, true + } + } + return 0, false +} + +func readMemoryAt(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) float32 { + var ( + data [4]byte + length uint32 + ) + + procReadProcessMemory.Call( + uintptr(handle), + uintptr(address), + uintptr(unsafe.Pointer(&data[0])), + uintptr(len(data)), + uintptr(unsafe.Pointer(&length)), + ) + + bits := binary.LittleEndian.Uint32(data[:]) + float := math.Float32frombits(bits) + return float +} + +func readMemoryAtByte8(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) uint64 { + var ( + data [8]byte + length uint32 + ) + + procReadProcessMemory.Call( + uintptr(handle), + uintptr(address), + uintptr(unsafe.Pointer(&data[0])), + uintptr(len(data)), + uintptr(unsafe.Pointer(&length)), + ) + + byte8 := binary.LittleEndian.Uint64(data[:]) + return byte8 +} + +func ReadMemoryAtByte1(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) byte { + var ( + data [1]byte + length uint32 + ) + + procReadProcessMemory.Call( + uintptr(handle), + uintptr(address), + uintptr(unsafe.Pointer(&data[0])), + uintptr(len(data)), + uintptr(unsafe.Pointer(&length)), + ) + + return data[0] +} + +func ReadMemoryAtByte2(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) uint16 { + var ( + data [2]byte + length uint32 + ) + + procReadProcessMemory.Call( + uintptr(handle), + uintptr(address), + uintptr(unsafe.Pointer(&data[0])), + uintptr(len(data)), + uintptr(unsafe.Pointer(&length)), + ) + + return binary.LittleEndian.Uint16(data[:]) +} + +type staticPointer struct { + baseOffset int64 + offsets []string +} + +func sumHex(aHex string, bHex string) string { + aDecimal, _ := strconv.ParseInt(aHex, 16, 0) + bDecimal, _ := strconv.ParseInt(bHex, 16, 0) + resultDecimal := aDecimal + bDecimal + resultHex := strconv.FormatInt(resultDecimal, 16) + return resultHex +} diff --git a/readmemory/processes.go b/readmemory/processes.go new file mode 100644 index 0000000..b0a2575 --- /dev/null +++ b/readmemory/processes.go @@ -0,0 +1,84 @@ +package readmemory + +import ( + "strings" + "syscall" + "unsafe" + + windows "golang.org/x/sys/windows" +) + +const TH32CS_SNAPPROCESS = 0x00000002 + +type WindowsProcess struct { + ProcessID int + ParentProcessID int + Exe string +} + +func processes() ([]WindowsProcess, error) { + handle, err := windows.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) + if err != nil { + return nil, err + } + defer windows.CloseHandle(handle) + + var entry windows.ProcessEntry32 + entry.Size = uint32(unsafe.Sizeof(entry)) + err = windows.Process32First(handle, &entry) + if err != nil { + return nil, err + } + + results := make([]WindowsProcess, 0, 50) + for { + results = append(results, newWindowsProcess(&entry)) + + err = windows.Process32Next(handle, &entry) + if err != nil { + if err == syscall.ERROR_NO_MORE_FILES { + return results, nil + } + return nil, err + } + } +} + +func findProcessByName(processes []WindowsProcess, name string) *WindowsProcess { + for _, p := range processes { + if strings.ToLower(p.Exe) == strings.ToLower(name) { + return &p + } + } + return nil +} + +func newWindowsProcess(e *windows.ProcessEntry32) WindowsProcess { + end := 0 + for { + if e.ExeFile[end] == 0 { + break + } + end++ + } + + return WindowsProcess{ + ProcessID: int(e.ProcessID), + ParentProcessID: int(e.ParentProcessID), + Exe: syscall.UTF16ToString(e.ExeFile[:end]), + } +} + +func BindDefaultProcess(defaultName string) (uint32, bool) { + procs, err := processes() + if err != nil { + return 0, false + } + + explorer := findProcessByName(procs, defaultName) + if explorer == nil { + return 0, false + } + + return uint32(explorer.ProcessID), true +}