// Package dllinquent provides the ability to search through loaded modules and functions
// within a process' PEB.
package dllinquent
import (
	"fmt"
	"strings"

	"github.com/audibleblink/memutils"
	"golang.org/x/sys/windows"
)
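// FindInProcess walks the PEB of the process identified by pid and resolves functionName in the
// first loaded module whose full path ends with dllName. The name comparison is case-insensitive
// and suffix-based, so dllName should normally end in ".dll"; functionName is handed to
// GetProcAddress unchanged and is therefore case-sensitive. FindInSelf passes pid 0 for the
// calling process. On any failure the zero Dll is returned together with the error, so callers
// should not inspect dll when err is non-nil.
func FindInProcess(pid int, dllName, functionName string) (dll Dll, err error) {
	dll = Dll{
		DllBaseName: dllName,
		FuncName:    functionName,
	}
	// findDll fills in the remaining fields (full path, base, export address/offset) in place.
	if err = findDll(pid, &dll); err != nil {
		return Dll{}, err
	}
	return dll, nil
}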
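// FindInProcesses enumerates every current process and looks up dllName/functionName in each of
// them. The returned map has the memutils.WindowsProcess entries as keys and the resolved Dll as
// values; a process in which the lookup fails for any reason (PEB could not be walked, module or
// export not present) is left out rather than reported. Only a failure to enumerate processes is
// returned as an error, in which case funcAddrs is nil.
func FindInProcesses(dllName, functionName string) (funcAddrs map[memutils.WindowsProcess]Dll, err error) {
	processes, err := memutils.Processes()
	if err != nil {
		return nil, err
	}
	// Allocate only once enumeration has succeeded; len(processes) is an upper bound on entries.
	funcAddrs = make(map[memutils.WindowsProcess]Dll, len(processes))
	for _, proc := range processes {
		// Best effort per process: a distinct name keeps the named return err untouched.
		dll, lookupErr := FindInProcess(proc.Pid, dllName, functionName)
		if lookupErr != nil {
			continue
		}
		funcAddrs[proc] = dll
	}
	return funcAddrs, nil
}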
// FindInSelf resolves dllName/functionName in the calling process. It is a thin wrapper around
// FindInProcess that supplies pid 0, which that function treats as the current process.
func FindInSelf(dllName, functionName string) (dll Dll, err error) {
	const selfPid = 0
	dll, err = FindInProcess(selfPid, dllName, functionName)
	return dll, err
}
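// findDll walks the PEB of process pid and stops at the first loaded module whose lower-cased full
// path ends with dll.DllBaseName. DllBaseName is lower-cased in place before the walk (callers
// observe the rewritten value), and because an empty suffix matches everything, an empty
// DllBaseName matches the first module the walker yields and is then replaced by that module's
// own base name. On a match DllFullName, DllBaseAddr, FuncAddress, FuncOffset and
// LdrDataTableEntry are filled in. Errors: the NewPebWalker error, the GetProcAddress error when
// the module is found but dll.FuncName is not exported, the walker's own error, or a not-found
// error when the walk ends cleanly without a match (previously this case returned nil with an
// unfilled dll).
func findDll(pid int, dll *Dll) (err error) {
	walker, err := NewPebWalker(pid)
	if err != nil {
		return err
	}
	// The comparison is case-insensitive; normalise the wanted name once instead of per iteration.
	dll.DllBaseName = strings.ToLower(dll.DllBaseName)
	for walker.Walk() {
		current := walker.Dll()
		if !strings.HasSuffix(strings.ToLower(current.DllFullName), dll.DllBaseName) {
			continue
		}
		dll.DllFullName = current.DllFullName
		dll.DllBaseAddr = current.DllBaseAddr
		// NOTE(review): GetProcAddress resolves in the calling process's address space, so using the
		// remote module's base as the handle only yields a correct address when the same module is
		// mapped at the same base in this process — confirm this assumption holds for every DLL
		// callers pass in, not just system DLLs.
		dll.FuncAddress, err = windows.GetProcAddress(windows.Handle(dll.DllBaseAddr), dll.FuncName)
		if err != nil {
			return err
		}
		// Export offset relative to the module base; computed from the same base used above.
		dll.FuncOffset = uint64(dll.FuncAddress) - dll.DllBaseAddr
		if dll.DllBaseName == "" {
			dll.DllBaseName = current.DllBaseName
		}
		dll.LdrDataTableEntry = current.LdrDataTableEntry
		return nil
	}
	if err = walker.Err(); err != nil {
		return err
	}
	return fmt.Errorf("module %q not found in process %d", dll.DllBaseName, pid)
}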