First

3 years ago · 7dbb7930de
4 changed files with 228 additions and 0 deletions
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,10 @@
+module github.com/pedro-walter/golang-readmemory
+
+go 1.18
+
+require (
+	github.com/0xrawsec/golang-win32 v1.0.14
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
+)
+
+require github.com/0xrawsec/golang-utils v1.3.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,23 @@
+github.com/0xrawsec/golang-utils v1.3.0 h1:fMgwKu5M2PXFwEfwN9B2T1bfg7LPCaV9fL6Xs/nf2Ps=
+github.com/0xrawsec/golang-utils v1.3.0/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0=
+github.com/0xrawsec/golang-win32 v1.0.14 h1:Lj45Cd7qnhCbtnrNCBI3twefRVh759q/rDXrutxQQOo=
+github.com/0xrawsec/golang-win32 v1.0.14/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg=
+github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/sftp v1.10.0/go.mod h1:NxmoDg/QLVWluQDUYG7XBZTLUpKeFa8e3aMf1BfjyHk=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190320215829-36c10c0a621f/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190625160430-252024b82959/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
--- a/readmemory/memory.go
+++ b/readmemory/memory.go
@ -0,0 +1,111 @@
+package readmemory
+
+import (
+	"encoding/binary"
+	"math"
+	"path/filepath"
+	"strconv"
+	"unsafe"
+
+	"github.com/0xrawsec/golang-win32/win32"
+	kernel32 "github.com/0xrawsec/golang-win32/win32/kernel32"
+	windows "golang.org/x/sys/windows"
+)
+
+func MemoryReadInit(pid uint32, targetModuleFilename string) (int64, bool) {
+	win32handle, _ := kernel32.OpenProcess(0x0010|windows.PROCESS_VM_READ|windows.PROCESS_QUERY_INFORMATION, win32.BOOL(0), win32.DWORD(pid))
+	moduleHandles, _ := kernel32.EnumProcessModules(win32handle)
+	for _, moduleHandle := range moduleHandles {
+		s, _ := kernel32.GetModuleFilenameExW(win32handle, moduleHandle)
+		if filepath.Base(s) == targetModuleFilename {
+			info, _ := kernel32.GetModuleInformation(win32handle, moduleHandle)
+			baseAddress := int64(info.LpBaseOfDll)
+			return baseAddress, true
+		}
+	}
+	return 0, false
+}
+
+func readMemoryAt(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) float32 {
+	var (
+		data   [4]byte
+		length uint32
+	)
+
+	procReadProcessMemory.Call(
+		uintptr(handle),
+		uintptr(address),
+		uintptr(unsafe.Pointer(&data[0])),
+		uintptr(len(data)),
+		uintptr(unsafe.Pointer(&length)),
+	)
+
+	bits := binary.LittleEndian.Uint32(data[:])
+	float := math.Float32frombits(bits)
+	return float
+}
+
+func readMemoryAtByte8(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) uint64 {
+	var (
+		data   [8]byte
+		length uint32
+	)
+
+	procReadProcessMemory.Call(
+		uintptr(handle),
+		uintptr(address),
+		uintptr(unsafe.Pointer(&data[0])),
+		uintptr(len(data)),
+		uintptr(unsafe.Pointer(&length)),
+	)
+
+	byte8 := binary.LittleEndian.Uint64(data[:])
+	return byte8
+}
+
+func ReadMemoryAtByte1(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) byte {
+	var (
+		data   [1]byte
+		length uint32
+	)
+
+	procReadProcessMemory.Call(
+		uintptr(handle),
+		uintptr(address),
+		uintptr(unsafe.Pointer(&data[0])),
+		uintptr(len(data)),
+		uintptr(unsafe.Pointer(&length)),
+	)
+
+	return data[0]
+}
+
+func ReadMemoryAtByte2(handle windows.Handle, procReadProcessMemory *windows.Proc, address int64) uint16 {
+	var (
+		data   [2]byte
+		length uint32
+	)
+
+	procReadProcessMemory.Call(
+		uintptr(handle),
+		uintptr(address),
+		uintptr(unsafe.Pointer(&data[0])),
+		uintptr(len(data)),
+		uintptr(unsafe.Pointer(&length)),
+	)
+
+	return binary.LittleEndian.Uint16(data[:])
+}
+
+type staticPointer struct {
+	baseOffset int64
+	offsets    []string
+}
+
+func sumHex(aHex string, bHex string) string {
+	aDecimal, _ := strconv.ParseInt(aHex, 16, 0)
+	bDecimal, _ := strconv.ParseInt(bHex, 16, 0)
+	resultDecimal := aDecimal + bDecimal
+	resultHex := strconv.FormatInt(resultDecimal, 16)
+	return resultHex
+}
--- a/readmemory/processes.go
+++ b/readmemory/processes.go
@ -0,0 +1,84 @@
+package readmemory
+
+import (
+	"strings"
+	"syscall"
+	"unsafe"
+
+	windows "golang.org/x/sys/windows"
+)
+
+const TH32CS_SNAPPROCESS = 0x00000002
+
+type WindowsProcess struct {
+	ProcessID       int
+	ParentProcessID int
+	Exe             string
+}
+
+func processes() ([]WindowsProcess, error) {
+	handle, err := windows.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer windows.CloseHandle(handle)
+
+	var entry windows.ProcessEntry32
+	entry.Size = uint32(unsafe.Sizeof(entry))
+	err = windows.Process32First(handle, &entry)
+	if err != nil {
+		return nil, err
+	}
+
+	results := make([]WindowsProcess, 0, 50)
+	for {
+		results = append(results, newWindowsProcess(&entry))
+
+		err = windows.Process32Next(handle, &entry)
+		if err != nil {
+			if err == syscall.ERROR_NO_MORE_FILES {
+				return results, nil
+			}
+			return nil, err
+		}
+	}
+}
+
+func findProcessByName(processes []WindowsProcess, name string) *WindowsProcess {
+	for _, p := range processes {
+		if strings.ToLower(p.Exe) == strings.ToLower(name) {
+			return &p
+		}
+	}
+	return nil
+}
+
+func newWindowsProcess(e *windows.ProcessEntry32) WindowsProcess {
+	end := 0
+	for {
+		if e.ExeFile[end] == 0 {
+			break
+		}
+		end++
+	}
+
+	return WindowsProcess{
+		ProcessID:       int(e.ProcessID),
+		ParentProcessID: int(e.ParentProcessID),
+		Exe:             syscall.UTF16ToString(e.ExeFile[:end]),
+	}
+}
+
+func BindDefaultProcess(defaultName string) (uint32, bool) {
+	procs, err := processes()
+	if err != nil {
+		return 0, false
+	}
+
+	explorer := findProcessByName(procs, defaultName)
+	if explorer == nil {
+		return 0, false
+	}
+
+	return uint32(explorer.ProcessID), true
+}