From 1af041850e47d99d64389b0e27c72565b17a0ddf Mon Sep 17 00:00:00 2001 From: Vinicius Rangel Date: Sat, 10 Aug 2019 10:12:40 -0300 Subject: [PATCH 1/5] Kernel32 CreateFile --- AUTHORS | 1 + constants.go | 2 ++ kernel32.go | 25 +++++++++++++++++++++++++ typedef.go | 8 ++++++++ 4 files changed, 36 insertions(+) diff --git a/AUTHORS b/AUTHORS index 1bb25dd..795d067 100644 --- a/AUTHORS +++ b/AUTHORS @@ -18,4 +18,5 @@ James Hovious @jameshovious Liam Bowen Michael Henke Paul Maddox +Vinicius Rangel Xackery Xtal \ No newline at end of file diff --git a/constants.go b/constants.go index d48e688..d61a7d4 100644 --- a/constants.go +++ b/constants.go @@ -36,6 +36,8 @@ const ( ERROR_SERVICE_DEPENDENCY_DELETED = 1075 ) +const INVALID_HANDLE = ^HANDLE(0) + const ( WAIT_ABANDONED = 0x00000080 WAIT_OBJECT_0 = 0x00000000 diff --git a/kernel32.go b/kernel32.go index b2d0be2..9192c34 100644 --- a/kernel32.go +++ b/kernel32.go @@ -14,6 +14,7 @@ var ( modkernel32 = syscall.NewLazyDLL("kernel32.dll") procCopyMemory = modkernel32.NewProc("RtlCopyMemory") procCloseHandle = modkernel32.NewProc("CloseHandle") + procCreateFileW = modkernel32.NewProc("CreateFileW") procCreateProcessA = modkernel32.NewProc("CreateProcessA") procCreateProcessW = modkernel32.NewProc("CreateProcessW") procCreateRemoteThread = modkernel32.NewProc("CreateRemoteThread") @@ -217,6 +218,30 @@ func VirtualProtect(lpAddress uintptr, dwSize int, flNewProtect int, lpflOldProt return ret != 0 } +func CreateFile( + name string, + desiredAccess DWORD, + shareMode DWORD, + securityAttributes *SECURITY_ATTRIBUTES, + creationDisposition DWORD, + flagsAndAttributes DWORD, + templateFile HANDLE, +) (HANDLE, error) { + handle, _, err := procCreateFileW.Call( + uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(name))), + uintptr(desiredAccess), + uintptr(shareMode), + uintptr(unsafe.Pointer(securityAttributes)), + uintptr(creationDisposition), + uintptr(flagsAndAttributes), + uintptr(templateFile), + ) + if !IsErrSuccess(err) { + return HANDLE(handle), err + } + return HANDLE(handle), err +} + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx func CreateProcessA(lpApplicationName *string, lpCommandLine string, diff --git a/typedef.go b/typedef.go index ace2ca8..386e956 100644 --- a/typedef.go +++ b/typedef.go @@ -971,6 +971,14 @@ type SECURITY_DESCRIPTOR struct { Dacl *ACL } +type OVERLAPPED struct { + Internal uintptr + InternalHigh uintptr + Offset uint32 + OffsetHigh uint32 + HEvent HANDLE +} + type SID_IDENTIFIER_AUTHORITY struct { Value [6]byte } From c91e1c32b27add1e5db8eb78ce3fa64e5122bbb9 Mon Sep 17 00:00:00 2001 From: Vinicius Rangel Date: Sat, 10 Aug 2019 10:14:03 -0300 Subject: [PATCH 2/5] Kernel32 CreateNamedPipe replaced CreateRemoteThread syscall.Handle by w32.Handle --- kernel32.go | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/kernel32.go b/kernel32.go index 9192c34..2a02783 100644 --- a/kernel32.go +++ b/kernel32.go @@ -15,6 +15,7 @@ var ( procCopyMemory = modkernel32.NewProc("RtlCopyMemory") procCloseHandle = modkernel32.NewProc("CloseHandle") procCreateFileW = modkernel32.NewProc("CreateFileW") + procCreateNamedPipeW = modkernel32.NewProc("CreateNamedPipeW") procCreateProcessA = modkernel32.NewProc("CreateProcessA") procCreateProcessW = modkernel32.NewProc("CreateProcessW") procCreateRemoteThread = modkernel32.NewProc("CreateRemoteThread") @@ -242,6 +243,32 @@ func CreateFile( return HANDLE(handle), err } +func CreateNamedPipe( + name string, + openMode DWORD, + pipeMode DWORD, + maxInstances DWORD, + outBufferSize DWORD, + inBufferSize DWORD, + defaultTimeOut DWORD, + securityAttributes *SECURITY_ATTRIBUTES, +) (HANDLE, error) { + handle, _, err := procCreateNamedPipeW.Call( + uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(name))), + uintptr(openMode), + uintptr(pipeMode), + uintptr(maxInstances), + uintptr(outBufferSize), + uintptr(inBufferSize), + uintptr(defaultTimeOut), + uintptr(unsafe.Pointer(securityAttributes)), + ) + if !IsErrSuccess(err) { + return INVALID_HANDLE, err + } + return HANDLE(handle), nil +} + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx func CreateProcessA(lpApplicationName *string, lpCommandLine string, @@ -331,7 +358,7 @@ func GetProcAddress(hProcess HANDLE, procname string) (addr uintptr, err error) // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx // Credit: https://github.com/contester/runlib/blob/master/win32/win32_windows.go#L577 func CreateRemoteThread(hprocess HANDLE, sa *syscall.SecurityAttributes, - stackSize uint32, startAddress uint32, parameter uintptr, creationFlags uint32) (syscall.Handle, uint32, error) { + stackSize uint32, startAddress uint32, parameter uintptr, creationFlags uint32) (HANDLE, uint32, error) { var threadId uint32 r1, _, e1 := procCreateRemoteThread.Call( uintptr(hprocess), @@ -343,9 +370,9 @@ func CreateRemoteThread(hprocess HANDLE, sa *syscall.SecurityAttributes, uintptr(unsafe.Pointer(&threadId))) if int(r1) == 0 { - return syscall.InvalidHandle, 0, e1 + return INVALID_HANDLE, 0, e1 } - return syscall.Handle(r1), threadId, nil + return HANDLE(r1), threadId, nil } func GetModuleHandle(modulename string) HINSTANCE { From b8cffec111e361831d316205af9932b2e5d192b2 Mon Sep 17 00:00:00 2001 From: Vinicius Rangel Date: Sat, 10 Aug 2019 10:15:27 -0300 Subject: [PATCH 3/5] Kernel32 ConnectNamedPipe --- kernel32.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/kernel32.go b/kernel32.go index 2a02783..e70ae66 100644 --- a/kernel32.go +++ b/kernel32.go @@ -14,6 +14,7 @@ var ( modkernel32 = syscall.NewLazyDLL("kernel32.dll") procCopyMemory = modkernel32.NewProc("RtlCopyMemory") procCloseHandle = modkernel32.NewProc("CloseHandle") + procConnectNamedPipe = modkernel32.NewProc("ConnectNamedPipe") procCreateFileW = modkernel32.NewProc("CreateFileW") procCreateNamedPipeW = modkernel32.NewProc("CreateNamedPipeW") procCreateProcessA = modkernel32.NewProc("CreateProcessA") @@ -243,6 +244,17 @@ func CreateFile( return HANDLE(handle), err } +func ConnectNamedPipe(handle HANDLE, overlapped *OVERLAPPED) (bool, error) { + ok, _, err := procConnectNamedPipe.Call( + uintptr(handle), + uintptr(unsafe.Pointer(overlapped)), + ) + if IsErrSuccess(err) { + return ok != 0, err + } + return ok != 0, nil +} + func CreateNamedPipe( name string, openMode DWORD, From 23871a90c511e576a09f911b8c3fc625c803751b Mon Sep 17 00:00:00 2001 From: Vinicius Rangel Date: Sat, 10 Aug 2019 10:16:20 -0300 Subject: [PATCH 4/5] Pipe/File constants --- constants.go | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/constants.go b/constants.go index d61a7d4..63726f9 100644 --- a/constants.go +++ b/constants.go @@ -3050,3 +3050,64 @@ const ( SCALE_450_PERCENT = 450 SCALE_500_PERCENT = 500 ) + +// https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea +const ( + PIPE_ACCESS_INBOUND DWORD = 0x00000001 + PIPE_ACCESS_OUTBOUND = 0x00000002 + PIPE_ACCESS_DUPLEX = 0x00000003 + FILE_FLAG_FIRST_PIPE_INSTANCE = 0x00080000 + WRITE_DAC = 0x00040000 + WRITE_OWNER = 0x00080000 + ACCESS_SYSTEM_SECURITY = 0x01000000 + + PIPE_TYPE_BYTE = 0x00000000 + PIPE_TYPE_MESSAGE = 0x00000004 + PIPE_READMODE_BYTE = 0x00000000 + PIPE_READMODE_MESSAGE = 0x00000002 + PIPE_WAIT = 0x00000000 + PIPE_NOWAIT = 0x00000001 + PIPE_ACCEPT_REMOTE_CLIENTS = 0x00000000 + PIPE_REJECT_REMOTE_CLIENTS = 0x00000008 + + PIPE_UNLIMITED_INSTANCES = 255 +) + +// https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea +const ( + GENERIC_READ DWORD = 0x80000000 + GENERIC_WRITE = 0x40000000 + GENERIC_EXECUTE = 0x20000000 + GENERIC_ALL = 0x10000000 + + FILE_SHARE_DELETE = 0x00000004 + FILE_SHARE_READ = 0x00000001 + FILE_SHARE_WRITE = 0x00000002 + + CREATE_ALWAYS = 2 + CREATE_NEW = 1 + OPEN_ALWAYS = 4 + OPEN_EXISTING = 3 + TRUNCATE_EXISTING = 5 + + FILE_ATTRIBUTE_ARCHIVE = 0x20 + FILE_ATTRIBUTE_ENCRYPTED = 0x4000 + FILE_ATTRIBUTE_HIDDEN = 0x2 + FILE_ATTRIBUTE_NORMAL = 0x80 + FILE_ATTRIBUTE_OFFLINE = 0x1000 + FILE_ATTRIBUTE_READONLY = 0x1 + FILE_ATTRIBUTE_SYSTEM = 0x4 + FILE_ATTRIBUTE_TEMPORARY = 0x100 + + FILE_FLAG_BACKUP_SEMANTICS = 0x02000000 + FILE_FLAG_DELETE_ON_CLOSE = 0x04000000 + FILE_FLAG_NO_BUFFERING = 0x20000000 + FILE_FLAG_OPEN_NO_RECALL = 0x00100000 + FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000 + FILE_FLAG_OVERLAPPED = 0x40000000 + FILE_FLAG_POSIX_SEMANTICS = 0x0100000 + FILE_FLAG_RANDOM_ACCESS = 0x10000000 + FILE_FLAG_SESSION_AWARE = 0x00800000 + FILE_FLAG_SEQUENTIAL_SCAN = 0x08000000 + FILE_FLAG_WRITE_THROUGH = 0x80000000 +) From 71f0e0c7f613152665d23e48d26fa5b4d21eacbc Mon Sep 17 00:00:00 2001 From: Vinicius Rangel Date: Sat, 10 Aug 2019 10:16:33 -0300 Subject: [PATCH 5/5] Kernel32 WriteFile --- kernel32.go | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/kernel32.go b/kernel32.go index e70ae66..db31c43 100644 --- a/kernel32.go +++ b/kernel32.go @@ -67,6 +67,7 @@ var ( procVirtualQuery = modkernel32.NewProc("VirtualQuery") procVirtualQueryEx = modkernel32.NewProc("VirtualQueryEx") procWaitForSingleObject = modkernel32.NewProc("WaitForSingleObject") + procWriteFile = modkernel32.NewProc("WriteFile") procWriteProcessMemory = modkernel32.NewProc("WriteProcessMemory") procResumeThread = modkernel32.NewProc("ResumeThread") @@ -693,6 +694,20 @@ func SetSystemTime(time *SYSTEMTIME) (err error) { return } +func WriteFile(handle HANDLE, buf []byte, written *uint32, overlapped *OVERLAPPED) (bool, error) { + ok, _, err := procWriteFile.Call( + uintptr(handle), + uintptr(unsafe.Pointer(&buf[0])), + uintptr(len(buf)), + uintptr(unsafe.Pointer(&written)), + uintptr(unsafe.Pointer(overlapped)), + ) + if !IsErrSuccess(err) { + return ok != 0, err + } + return ok != 0, err +} + //Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails. //https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx func WriteProcessMemory(hProcess HANDLE, lpBaseAddress uint32, data []byte, size uint) (err error) {