Documentation
Index ¶
- Variables
- func AutoCheck() (bool, error)
- func BlockDLLs() error
- func CheckBytes(b []byte) (uint16, error)
- func CheckCpu() bool
- func CheckDisk() (bool, error)
- func CheckDrivers() bool
- func CheckHostname() (bool, error)
- func CheckInternet() bool
- func CheckMemory() (bool, error)
- func CheckProcess() (bool, error)
- func CheckUsername() (bool, error)
- func ClassicUnhook(funcnames []string, dllpath string) error
- func CreateProcessBlockDLLs(cmd string) error
- func DetectHooks() ([]string, error)
- func DumpLsass(output_file string) error
- func ElevateProcessToken() error
- func EnableACG() error
- func FullUnhook(dlls_to_unhook []string) error
- func GetEventLogPid() (int, error)
- func GetFuncPtr(hash string, dll string, hashing_function func(str string) string) (*windows.LazyProc, string, error)
- func GetNtdllStart() (start uintptr, size uintptr)
- func GetSysId(funcname string) (uint16, error)
- func GetSysIdHash(hash string, dll string, hashing_func func(str string) string) (uint16, string, error)
- func GetSysIdHashHalos(hash string, hashing_func func(str string) string) (uint16, string, error)
- func IsHooked(funcname string) (bool, error)
- func PatchAmsi() error
- func PatchAmsi2() error
- func PatchEtw() error
- func PatchEtw2() error
- func PerunsUnhook() error
- func Phant0m(eventlog_pid int) error
- func Sha1(str string) string
- func Sleep()
- func Syscall(callid uint16, argh ...uintptr) (errcode uint32, err error)
- type CLIENT_ID
- type Export
- type ExportDirectory
- type Handle
- type IMAGE_DATA_DIRECTORY
- type IMAGE_DOS_HEADER
- type IMAGE_FILE_HEADER
- type IMAGE_NT_HEADER
- type IMAGE_OPTIONAL_HEADER
- type IMAGE_OPTIONAL_HEADER32
- type IMAGE_OPTIONAL_HEADER64
- type MayBeHookedError
- type PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY
- type PROCESS_MITIGATION_DYNAMIC_CODE_POLICY
- type PROC_THREAD_ATTRIBUTE_ENTRY
- type PROC_THREAD_ATTRIBUTE_LIST
- type PTHREAD_BASIC_INFORMATION
- type ProcessInformation
- type SC_SERVICE_TAG_QUERY
- type StartupInfoEx
Constants ¶
This section is empty.
Variables ¶
// HookCheck holds the expected first four bytes of an unmodified x64 ntdll
// syscall stub: 4c 8b d1 is `mov r10, rcx` and b8 begins `mov eax, imm32`
// (the syscall number). A stub whose leading bytes differ from this pattern
// has presumably been patched (hooked) by something in-process — confirm
// against how CheckBytes and IsHooked consume it.
var HookCheck = []byte{0x4c, 0x8b, 0xd1, 0xb8}
Functions ¶
func BlockDLLs ¶
func BlockDLLs() error
Block non-Microsoft-signed DLLs from being injected into the current process.
func CheckBytes ¶
func CheckDrivers ¶
func CheckDrivers() bool
func CheckHostname ¶
func CheckInternet ¶
func CheckInternet() bool
func CheckMemory ¶
func CheckProcess ¶
func CheckUsername ¶
func ClassicUnhook ¶
This function unhooks the given functions of the specified DLL.
func CreateProcessBlockDLLs ¶
Launch a program (e.g. C:\Windows\System32\notepad.exe) with BlockDLLs enabled.
func DetectHooks ¶
func GetEventLogPid ¶
func GetFuncPtr ¶
func GetFuncPtr(hash string, dll string, hashing_function func(str string) string) (*windows.LazyProc, string, error)
Receives a hash, the full path to the DLL and the hashing function used to encode the function name; the returned pointer is then used like GetCurrentProcess.Call().
func GetNtdllStart ¶
func GetSysId ¶
Returns the syscall ID from memory; if that fails, it tries to get the syscall ID from disk (using the Halo's Gate technique).
func GetSysIdHash ¶
func GetSysIdHash(hash string, dll string, hashing_func func(str string) string) (uint16, string, error)
Retrieves a syscall ID using hashing, for later use like Syscall(sysid, ...).
func GetSysIdHashHalos ¶
Retrieves a syscall ID using hashing and the Hell's Gate + Halo's Gate technique, like the GetSysId() function.
func PatchAmsi2 ¶
func PatchAmsi2() error
func PerunsUnhook ¶
func PerunsUnhook() error
Gets a clean copy of ntdll from a suspended process (e.g. notepad.exe) and copies it into the current process.
Types ¶
type ExportDirectory ¶
// ExportDirectory describes a PE image's export directory
// (IMAGE_EXPORT_DIRECTORY). The uint32/uint16 fields add up to the 40-byte
// on-disk layout; all *RVA/*Addr fields are offsets relative to the image
// base, not absolute pointers. DllName is a Go string and is not part of
// that layout — presumably it is filled in after the directory is parsed
// (confirm in the code that builds this struct).
type ExportDirectory struct {
	ExportFlags       uint32 // reserved, must be zero
	TimeDateStamp     uint32
	MajorVersion      uint16
	MinorVersion      uint16
	NameRVA           uint32 // RVA of the DLL name string
	OrdinalBase       uint32 // first ordinal number; subtract it to index the EAT
	NumberOfFunctions uint32 // entries in the export address table (EAT)
	NumberOfNames     uint32 // entries in the name table; also the ordinal table length
	AddressTableAddr  uint32 // RVA of the EAT, relative to image base
	NameTableAddr     uint32 // RVA of the export name pointer table, relative to image base
	OrdinalTableAddr  uint32 // RVA of the ordinal table, relative to image base
	DllName           string // resolved DLL name (not part of the on-disk structure)
}
type IMAGE_DATA_DIRECTORY ¶
type IMAGE_DOS_HEADER ¶
// IMAGE_DOS_HEADER mirrors the legacy MS-DOS header at offset 0 of every PE
// image. The field that matters for PE parsing is E_lfanew, the file offset
// of the IMAGE_NT_HEADER.
//
// NOTE(review): winnt.h declares e_lfanew as LONG (32 bits), making the real
// header 64 bytes; with uint16 this struct is 62 bytes, and code that overlays
// it on a DOS header would read only the low 16 bits of the offset. Confirm
// against the parser that uses it before relying on the layout.
type IMAGE_DOS_HEADER struct {
	E_magic    uint16     // Magic number ("MZ")
	E_cblp     uint16     // Bytes on last page of file
	E_cp       uint16     // Pages in file
	E_crlc     uint16     // Relocations
	E_cparhdr  uint16     // Size of header in paragraphs
	E_minalloc uint16     // Minimum extra paragraphs needed
	E_maxalloc uint16     // Maximum extra paragraphs needed
	E_ss       uint16     // Initial (relative) SS value
	E_sp       uint16     // Initial SP value
	E_csum     uint16     // Checksum
	E_ip       uint16     // Initial IP value
	E_cs       uint16     // Initial (relative) CS value
	E_lfarlc   uint16     // File address of relocation table
	E_ovno     uint16     // Overlay number
	E_res      [4]uint16  // Reserved words
	E_oemid    uint16     // OEM identifier (for E_oeminfo)
	E_oeminfo  uint16     // OEM information; E_oemid specific
	E_res2     [10]uint16 // Reserved words
	E_lfanew   uint16     // File address of new exe header (LONG in winnt.h — see note above)
}
type IMAGE_FILE_HEADER ¶
type IMAGE_NT_HEADER ¶
// IMAGE_NT_HEADER is the PE header located at IMAGE_DOS_HEADER.E_lfanew.
// Signature is expected to be "PE\0\0" (IMAGE_NT_SIGNATURE, 0x00004550).
// OptionalHeader uses the 64-bit layout (IMAGE_OPTIONAL_HEADER, which
// IMAGE_OPTIONAL_HEADER64 is declared as), so this type matches
// IMAGE_NT_HEADERS64 rather than the 32-bit variant.
type IMAGE_NT_HEADER struct {
	Signature      uint32
	FileHeader     IMAGE_FILE_HEADER
	OptionalHeader IMAGE_OPTIONAL_HEADER
}
type IMAGE_OPTIONAL_HEADER ¶
// IMAGE_OPTIONAL_HEADER is the PE32+ (64-bit) optional header: ImageBase and
// the stack/heap reserve/commit fields are 64 bits wide, and there is no
// BaseOfData field. IMAGE_OPTIONAL_HEADER64 is declared as this type.
// Magic is 0x20b for PE32+ images (0x10b for PE32).
type IMAGE_OPTIONAL_HEADER struct {
	Magic                       uint16
	MajorLinkerVersion          uint8
	MinorLinkerVersion          uint8
	SizeOfCode                  uint32
	SizeOfInitializedData       uint32
	SizeOfUninitializedData     uint32
	AddressOfEntryPoint         uint32 // RVA of the entry point
	BaseOfCode                  uint32
	ImageBase                   uint64 // preferred load address
	SectionAlignment            uint32
	FileAlignment               uint32
	MajorOperatingSystemVersion uint16
	MinorOperatingSystemVersion uint16
	MajorImageVersion           uint16
	MinorImageVersion           uint16
	MajorSubsystemVersion       uint16
	MinorSubsystemVersion       uint16
	Win32VersionValue           uint32
	SizeOfImage                 uint32 // size of the mapped image, in bytes
	SizeOfHeaders               uint32
	CheckSum                    uint32
	Subsystem                   uint16
	DllCharacteristics          uint16
	SizeOfStackReserve          uint64
	SizeOfStackCommit           uint64
	SizeOfHeapReserve           uint64
	SizeOfHeapCommit            uint64
	LoaderFlags                 uint32
	NumberOfRvaAndSizes         uint32 // number of valid DataDirectory entries
	DataDirectory               [16]IMAGE_DATA_DIRECTORY
}
type IMAGE_OPTIONAL_HEADER32 ¶
// IMAGE_OPTIONAL_HEADER32 is intended to mirror the PE32 (32-bit) optional
// header, which unlike the 64-bit one carries a BaseOfData field.
//
// NOTE(review): in winnt.h the PE32 header's ImageBase,
// SizeOfStackReserve/Commit and SizeOfHeapReserve/Commit are 32-bit values,
// and DataDirectory is a 16-entry IMAGE_DATA_DIRECTORY array. The uint64 and
// uintptr fields below therefore do not reproduce the 32-bit on-disk layout;
// confirm whether this type is ever overlaid on a real PE32 header.
type IMAGE_OPTIONAL_HEADER32 struct {
	Magic                       uint16
	MajorLinkerVersion          byte
	MinorLinkerVersion          byte
	SizeOfCode                  uint32
	SizeOfInitializedData       uint32
	SizeOfUninitializedData     uint32
	AddressOfEntryPoint         uint32
	BaseOfCode                  uint32
	BaseOfData                  uint32 // Different from 64 bit header
	ImageBase                   uint64 // DWORD in winnt.h — see note above
	SectionAlignment            uint32
	FileAlignment               uint32
	MajorOperatingSystemVersion uint16
	MinorOperatingSystemVersion uint16
	MajorImageVersion           uint16
	MinorImageVersion           uint16
	MajorSubsystemVersion       uint16
	MinorSubsystemVersion       uint16
	Win32VersionValue           uint32
	SizeOfImage                 uint32
	SizeOfHeaders               uint32
	CheckSum                    uint32
	Subsystem                   uint16
	DllCharacteristics          uint16
	SizeOfStackReserve          uint64 // DWORD in winnt.h — see note above
	SizeOfStackCommit           uint64 // DWORD in winnt.h — see note above
	SizeOfHeapReserve           uint64 // DWORD in winnt.h — see note above
	SizeOfHeapCommit            uint64 // DWORD in winnt.h — see note above
	LoaderFlags                 uint32
	NumberOfRvaAndSizes         uint32
	DataDirectory               uintptr // a 16-entry array in winnt.h — see note above
}
type IMAGE_OPTIONAL_HEADER64 ¶
// IMAGE_OPTIONAL_HEADER64 is the PE32+ optional header; it has the same
// layout as IMAGE_OPTIONAL_HEADER. This is a defined type, not an alias, so
// converting between the two requires an explicit conversion.
type IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER
type MayBeHookedError ¶
// MayBeHookedError is returned when the bytes at the start of a function
// stub do not look like an unmodified prologue (compare HookCheck).
// Foundbytes carries the bytes that were actually observed, so a caller can
// log or inspect what the stub currently starts with — presumably produced
// by CheckBytes; confirm there.
type MayBeHookedError struct {
	Foundbytes []byte
}
func (MayBeHookedError) Error ¶
func (e MayBeHookedError) Error() string
type PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY ¶
// PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY mirrors the Windows structure
// of the same name, used with SetProcessMitigationPolicy. In winnt.h Flags is
// a 32-bit word of bit flags whose bit 0 is MicrosoftSignedOnly; BlockDLLs
// presumably sets that bit to restrict image loads to Microsoft-signed
// binaries.
type PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY struct {
	Flags uint32
}
type PROCESS_MITIGATION_DYNAMIC_CODE_POLICY ¶
// PROCESS_MITIGATION_DYNAMIC_CODE_POLICY mirrors the Windows structure of the
// same name (Arbitrary Code Guard). In winnt.h the 32-bit word is a set of
// bit flags, with ProhibitDynamicCode as bit 0; the whole word is exposed
// here under that single name, so other flags in the same word would have
// to be set by ORing into this field.
type PROCESS_MITIGATION_DYNAMIC_CODE_POLICY struct {
	ProhibitDynamicCode uint32
}
type PROC_THREAD_ATTRIBUTE_ENTRY ¶
// PROC_THREAD_ATTRIBUTE_ENTRY is one entry of a PROC_THREAD_ATTRIBUTE_LIST.
// Its fields are unexported and not shown in this documentation.
type PROC_THREAD_ATTRIBUTE_ENTRY struct {
	// contains filtered or unexported fields
}
type PROC_THREAD_ATTRIBUTE_LIST ¶
// PROC_THREAD_ATTRIBUTE_LIST is the attribute list referenced by
// StartupInfoEx.AttributeList when creating a process with extended
// startup information. Its fields are unexported and not shown in this
// documentation.
type PROC_THREAD_ATTRIBUTE_LIST struct {
	// contains filtered or unexported fields
}
type ProcessInformation ¶
type SC_SERVICE_TAG_QUERY ¶
// SC_SERVICE_TAG_QUERY is the input/output structure for service-tag
// queries (used to map a service tag back to a service name). Its fields
// are unexported and not shown in this documentation.
type SC_SERVICE_TAG_QUERY struct {
	// contains filtered or unexported fields
}
type StartupInfoEx ¶
// StartupInfoEx mirrors the Windows STARTUPINFOEX structure: the embedded
// windows.StartupInfo followed by a pointer to the attribute list that
// carries mitigation options such as the BlockDLLs policy.
// NOTE(review): for CreateProcess to honour the extended form, the embedded
// StartupInfo.Cb must presumably be set to the size of this whole struct
// and the EXTENDED_STARTUPINFO_PRESENT flag passed — confirm in
// CreateProcessBlockDLLs.
type StartupInfoEx struct {
	windows.StartupInfo
	AttributeList *PROC_THREAD_ATTRIBUTE_LIST
}