First

3 years ago · 7dbb7930de
4 changed files with 228 additions and 0 deletions
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,10 @@
 module github.com/pedro-walter/golang-readmemory
 go 1.18
 require (
 	github.com/0xrawsec/golang-win32 v1.0.14
 	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
 )
 require github.com/0xrawsec/golang-utils v1.3.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,23 @@
 github.com/0xrawsec/golang-utils v1.3.0 h1:fMgwKu5M2PXFwEfwN9B2T1bfg7LPCaV9fL6Xs/nf2Ps=
 github.com/0xrawsec/golang-utils v1.3.0/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0=
 github.com/0xrawsec/golang-win32 v1.0.14 h1:Lj45Cd7qnhCbtnrNCBI3twefRVh759q/rDXrutxQQOo=
 github.com/0xrawsec/golang-win32 v1.0.14/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.0/go.mod h1:NxmoDg/QLVWluQDUYG7XBZTLUpKeFa8e3aMf1BfjyHk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190320215829-36c10c0a621f/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190625160430-252024b82959/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
--- a/readmemory/memory.go
+++ b/readmemory/memory.go
@ -0,0 +1,111 @@
 package readmemory
 import (
 	"encoding/binary"
 	"math"
 	"path/filepath"
 	"strconv"
 	"unsafe"
 	"github.com/0xrawsec/golang-win32/win32"
 	kernel32 "github.com/0xrawsec/golang-win32/win32/kernel32"
 	windows "golang.org/x/sys/windows"
 )
 func MemoryReadInit(pid uint32, targetModuleFilename string) (int64, bool) {
 	win32handle, _ := kernel32.OpenProcess(0x0010|windows.PROCESS_VM_READ|windows.PROCESS_QUERY_INFORMATION, win32.BOOL(0), win32.DWORD(pid))
 	moduleHandles, _ := kernel32.EnumProcessModules(win32handle)
 	for _, moduleHandle := range moduleHandles {
 		s, _ := kernel32.GetModuleFilenameExW(win32handle, moduleHandle)
 		if filepath.Base(s) == targetModuleFilename {
 			info, _ := kernel32.GetModuleInformation(win32handle, moduleHandle)
 			baseAddress := int64(info.LpBaseOfDll)
 			return baseAddress, true
 		}
 	}
 	return 0, false
 }
 func readMemoryAt(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) float32 {
 	var (
 		data   [4]byte
 		length uint32
 	)
 	procReadProcessMemory.Call(
 		uintptr(handle),
 		uintptr(address),
 		uintptr(unsafe.Pointer(&data[0])),
 		uintptr(len(data)),
 		uintptr(unsafe.Pointer(&length)),
 	)
 	bits := binary.LittleEndian.Uint32(data[:])
 	float := math.Float32frombits(bits)
 	return float
 }
 func readMemoryAtByte8(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) uint64 {
 	var (
 		data   [8]byte
 		length uint32
 	)
 	procReadProcessMemory.Call(
 		uintptr(handle),
 		uintptr(address),
 		uintptr(unsafe.Pointer(&data[0])),
 		uintptr(len(data)),
 		uintptr(unsafe.Pointer(&length)),
 	)
 	byte8 := binary.LittleEndian.Uint64(data[:])
 	return byte8
 }
 func ReadMemoryAtByte1(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) byte {
 	var (
 		data   [1]byte
 		length uint32
 	)
 	procReadProcessMemory.Call(
 		uintptr(handle),
 		uintptr(address),
 		uintptr(unsafe.Pointer(&data[0])),
 		uintptr(len(data)),
 		uintptr(unsafe.Pointer(&length)),
 	)
 	return data[0]
 }
 func ReadMemoryAtByte2(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) uint16 {
 	var (
 		data   [2]byte
 		length uint32
 	)
 	procReadProcessMemory.Call(
 		uintptr(handle),
 		uintptr(address),
 		uintptr(unsafe.Pointer(&data[0])),
 		uintptr(len(data)),
 		uintptr(unsafe.Pointer(&length)),
 	)
 	return binary.LittleEndian.Uint16(data[:])
 }
 type staticPointer struct {
 	baseOffset int64
 	offsets    []string
 }
 func sumHex(aHex string, bHex string) string {
 	aDecimal, _ := strconv.ParseInt(aHex, 16, 0)
 	bDecimal, _ := strconv.ParseInt(bHex, 16, 0)
 	resultDecimal := aDecimal + bDecimal
 	resultHex := strconv.FormatInt(resultDecimal, 16)
 	return resultHex
 }
--- a/readmemory/processes.go
+++ b/readmemory/processes.go
@ -0,0 +1,84 @@
 package readmemory
 import (
 	"strings"
 	"syscall"
 	"unsafe"
 	windows "golang.org/x/sys/windows"
 )
 const TH32CS_SNAPPROCESS = 0x00000002
 type WindowsProcess struct {
 	ProcessID       int
 	ParentProcessID int
 	Exe             string
 }
 func processes() ([]WindowsProcess, error) {
 	handle, err := windows.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
 	if err != nil {
 		return nil, err
 	}
 	defer windows.CloseHandle(handle)
 	var entry windows.ProcessEntry32
 	entry.Size = uint32(unsafe.Sizeof(entry))
 	err = windows.Process32First(handle, &entry)
 	if err != nil {
 		return nil, err
 	}
 	results := make([]WindowsProcess, 0, 50)
 	for {
 		results = append(results, newWindowsProcess(&entry))
 		err = windows.Process32Next(handle, &entry)
 		if err != nil {
 			if err == syscall.ERROR_NO_MORE_FILES {
 				return results, nil
 			}
 			return nil, err
 		}
 	}
 }
 func findProcessByName(processes []WindowsProcess, name string) *WindowsProcess {
 	for _, p := range processes {
 		if strings.ToLower(p.Exe) == strings.ToLower(name) {
 			return &p
 		}
 	}
 	return nil
 }
 func newWindowsProcess(e *windows.ProcessEntry32) WindowsProcess {
 	end := 0
 	for {
 		if e.ExeFile[end] == 0 {
 			break
 		}
 		end++
 	}
 	return WindowsProcess{
 		ProcessID:       int(e.ProcessID),
 		ParentProcessID: int(e.ParentProcessID),
 		Exe:             syscall.UTF16ToString(e.ExeFile[:end]),
 	}
 }
 func BindDefaultProcess(defaultName string) (uint32, bool) {
 	procs, err := processes()
 	if err != nil {
 		return 0, false
 	}
 	explorer := findProcessByName(procs, defaultName)
 	if explorer == nil {
 		return 0, false
 	}
 	return uint32(explorer.ProcessID), true
 }