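// Source: github.com/Asutorufa/yuhaiin@v0.3.6-0.20240502055049-7984da7023a0/pkg/utils/memmod/syscall_windows.go

/* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2017-2022 WireGuard LLC. All Rights Reserved.
 */

package memmod

import "unsafe"

// Executable image signatures. The type names, field names and constant names
// in this file follow the Windows SDK spelling rather than Go naming
// conventions, and the struct layouts are overlaid directly on image bytes, so
// field order and widths must not be changed.
const (
	IMAGE_DOS_SIGNATURE    = 0x5A4D     // MZ
	IMAGE_OS2_SIGNATURE    = 0x454E     // NE
	IMAGE_OS2_SIGNATURE_LE = 0x454C     // LE
	IMAGE_VXD_SIGNATURE    = 0x454C     // LE
	IMAGE_NT_SIGNATURE     = 0x00004550 // PE00
)

// IMAGE_DOS_HEADER is the DOS .EXE header found at the start of an image.
type IMAGE_DOS_HEADER struct {
	E_magic    uint16     // Magic number
	E_cblp     uint16     // Bytes on last page of file
	E_cp       uint16     // Pages in file
	E_crlc     uint16     // Relocations
	E_cparhdr  uint16     // Size of header in paragraphs
	E_minalloc uint16     // Minimum extra paragraphs needed
	E_maxalloc uint16     // Maximum extra paragraphs needed
	E_ss       uint16     // Initial (relative) SS value
	E_sp       uint16     // Initial SP value
	E_csum     uint16     // Checksum
	E_ip       uint16     // Initial IP value
	E_cs       uint16     // Initial (relative) CS value
	E_lfarlc   uint16     // File address of relocation table
	E_ovno     uint16     // Overlay number
	E_res      [4]uint16  // Reserved words
	E_oemid    uint16     // OEM identifier (for e_oeminfo)
	E_oeminfo  uint16     // OEM information; e_oemid specific
	E_res2     [10]uint16 // Reserved words
	E_lfanew   int32      // File address of new exe header
}

// IMAGE_FILE_HEADER is the file header format.
type IMAGE_FILE_HEADER struct {
	Machine              uint16
	NumberOfSections     uint16
	TimeDateStamp        uint32
	PointerToSymbolTable uint32
	NumberOfSymbols      uint32
	SizeOfOptionalHeader uint16
	Characteristics      uint16
}

// File header size, IMAGE_FILE_HEADER.Characteristics flags and
// IMAGE_FILE_HEADER.Machine values.
const (
	IMAGE_SIZEOF_FILE_HEADER = 20

	IMAGE_FILE_RELOCS_STRIPPED         = 0x0001 // Relocation info stripped from file.
	IMAGE_FILE_EXECUTABLE_IMAGE        = 0x0002 // File is executable (i.e. no unresolved external references).
	IMAGE_FILE_LINE_NUMS_STRIPPED      = 0x0004 // Line numbers stripped from file.
	IMAGE_FILE_LOCAL_SYMS_STRIPPED     = 0x0008 // Local symbols stripped from file.
	IMAGE_FILE_AGGRESIVE_WS_TRIM       = 0x0010 // Aggressively trim working set
	IMAGE_FILE_LARGE_ADDRESS_AWARE     = 0x0020 // App can handle >2gb addresses
	IMAGE_FILE_BYTES_REVERSED_LO       = 0x0080 // Bytes of machine word are reversed.
	IMAGE_FILE_32BIT_MACHINE           = 0x0100 // 32 bit word machine.
	IMAGE_FILE_DEBUG_STRIPPED          = 0x0200 // Debugging info stripped from file in .DBG file
	IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400 // If Image is on removable media, copy and run from the swap file.
	IMAGE_FILE_NET_RUN_FROM_SWAP       = 0x0800 // If Image is on Net, copy and run from the swap file.
	IMAGE_FILE_SYSTEM                  = 0x1000 // System File.
	IMAGE_FILE_DLL                     = 0x2000 // File is a DLL.
	IMAGE_FILE_UP_SYSTEM_ONLY          = 0x4000 // File should only be run on a UP machine
	IMAGE_FILE_BYTES_REVERSED_HI       = 0x8000 // Bytes of machine word are reversed.

	IMAGE_FILE_MACHINE_UNKNOWN     = 0
	IMAGE_FILE_MACHINE_TARGET_HOST = 0x0001 // Useful for indicating we want to interact with the host and not a WoW guest.
	IMAGE_FILE_MACHINE_I386        = 0x014c // Intel 386.
	IMAGE_FILE_MACHINE_R3000       = 0x0162 // MIPS little-endian, 0x160 big-endian
	IMAGE_FILE_MACHINE_R4000       = 0x0166 // MIPS little-endian
	IMAGE_FILE_MACHINE_R10000      = 0x0168 // MIPS little-endian
	IMAGE_FILE_MACHINE_WCEMIPSV2   = 0x0169 // MIPS little-endian WCE v2
	IMAGE_FILE_MACHINE_ALPHA       = 0x0184 // Alpha_AXP
	IMAGE_FILE_MACHINE_SH3         = 0x01a2 // SH3 little-endian
	IMAGE_FILE_MACHINE_SH3DSP      = 0x01a3
	IMAGE_FILE_MACHINE_SH3E        = 0x01a4 // SH3E little-endian
	IMAGE_FILE_MACHINE_SH4         = 0x01a6 // SH4 little-endian
	IMAGE_FILE_MACHINE_SH5         = 0x01a8 // SH5
	IMAGE_FILE_MACHINE_ARM         = 0x01c0 // ARM Little-Endian
	IMAGE_FILE_MACHINE_THUMB       = 0x01c2 // ARM Thumb/Thumb-2 Little-Endian
	IMAGE_FILE_MACHINE_ARMNT       = 0x01c4 // ARM Thumb-2 Little-Endian
	IMAGE_FILE_MACHINE_AM33        = 0x01d3
	IMAGE_FILE_MACHINE_POWERPC     = 0x01F0 // IBM PowerPC Little-Endian
	IMAGE_FILE_MACHINE_POWERPCFP   = 0x01f1
	IMAGE_FILE_MACHINE_IA64        = 0x0200 // Intel 64
	IMAGE_FILE_MACHINE_MIPS16      = 0x0266 // MIPS
	IMAGE_FILE_MACHINE_ALPHA64     = 0x0284 // ALPHA64
	IMAGE_FILE_MACHINE_MIPSFPU     = 0x0366 // MIPS
	IMAGE_FILE_MACHINE_MIPSFPU16   = 0x0466 // MIPS
	IMAGE_FILE_MACHINE_AXP64       = IMAGE_FILE_MACHINE_ALPHA64
	IMAGE_FILE_MACHINE_TRICORE     = 0x0520 // Infineon
	IMAGE_FILE_MACHINE_CEF         = 0x0CEF
	IMAGE_FILE_MACHINE_EBC         = 0x0EBC // EFI Byte Code
	IMAGE_FILE_MACHINE_AMD64       = 0x8664 // AMD64 (K8)
	IMAGE_FILE_MACHINE_M32R        = 0x9041 // M32R little-endian
	IMAGE_FILE_MACHINE_ARM64       = 0xAA64 // ARM64 Little-Endian
	IMAGE_FILE_MACHINE_CEE         = 0xC0EE
)

// IMAGE_DATA_DIRECTORY is the directory format.
type IMAGE_DATA_DIRECTORY struct {
	VirtualAddress uint32
	Size           uint32
}

// IMAGE_NUMBEROF_DIRECTORY_ENTRIES is the number of data directory slots.
const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16

// IMAGE_NT_HEADERS groups the PE signature, the file header and the optional
// header. IMAGE_OPTIONAL_HEADER is not declared in this file; it comes from
// elsewhere in the package.
type IMAGE_NT_HEADERS struct {
	Signature      uint32
	FileHeader     IMAGE_FILE_HEADER
	OptionalHeader IMAGE_OPTIONAL_HEADER
}

// Sections returns the section headers that follow the optional header.
//
// The table address is computed as the address of ntheader, plus the offset of
// OptionalHeader, plus FileHeader.SizeOfOptionalHeader; the slice length is
// FileHeader.NumberOfSections. The result aliases the image memory, it is not
// a copy.
//
// Neither SizeOfOptionalHeader nor NumberOfSections is validated here: both
// are taken as-is from the header. When the image bytes are not trusted, the
// caller must check that the whole section table lies inside the buffer
// holding the image before reading or writing through the returned slice.
func (ntheader *IMAGE_NT_HEADERS) Sections() []IMAGE_SECTION_HEADER {
	count := ntheader.FileHeader.NumberOfSections
	// The uintptr arithmetic and the conversion back to unsafe.Pointer stay in
	// one expression, as the unsafe.Pointer rules require.
	table := (*[0xffff]IMAGE_SECTION_HEADER)(unsafe.Pointer(
		(uintptr)(unsafe.Pointer(ntheader)) +
			unsafe.Offsetof(ntheader.OptionalHeader) +
			uintptr(ntheader.FileHeader.SizeOfOptionalHeader)))
	// Clamp the capacity to the declared section count so that re-slicing or
	// append on the result cannot reach memory past the section table.
	return table[:count:count]
}

// Indexes into the optional header's data directory array.
const (
	IMAGE_DIRECTORY_ENTRY_EXPORT         = 0  // Export Directory
	IMAGE_DIRECTORY_ENTRY_IMPORT         = 1  // Import Directory
	IMAGE_DIRECTORY_ENTRY_RESOURCE       = 2  // Resource Directory
	IMAGE_DIRECTORY_ENTRY_EXCEPTION      = 3  // Exception Directory
	IMAGE_DIRECTORY_ENTRY_SECURITY       = 4  // Security Directory
	IMAGE_DIRECTORY_ENTRY_BASERELOC      = 5  // Base Relocation Table
	IMAGE_DIRECTORY_ENTRY_DEBUG          = 6  // Debug Directory
	IMAGE_DIRECTORY_ENTRY_COPYRIGHT      = 7  // (X86 usage)
	IMAGE_DIRECTORY_ENTRY_ARCHITECTURE   = 7  // Architecture Specific Data
	IMAGE_DIRECTORY_ENTRY_GLOBALPTR      = 8  // RVA of GP
	IMAGE_DIRECTORY_ENTRY_TLS            = 9  // TLS Directory
	IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    = 10 // Load Configuration Directory
	IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   = 11 // Bound Import Directory in headers
	IMAGE_DIRECTORY_ENTRY_IAT            = 12 // Import Address Table
	IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   = 13 // Delay Load Import Descriptors
	IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14 // COM Runtime descriptor
)

// IMAGE_SIZEOF_SHORT_NAME is the length in bytes of IMAGE_SECTION_HEADER.Name.
const IMAGE_SIZEOF_SHORT_NAME = 8

// IMAGE_SECTION_HEADER is the section header format. The unexported field
// physicalAddressOrVirtualSize is exposed under two names through the
// PhysicalAddress/VirtualSize accessors below.
type IMAGE_SECTION_HEADER struct {
	Name                         [IMAGE_SIZEOF_SHORT_NAME]byte
	physicalAddressOrVirtualSize uint32
	VirtualAddress               uint32
	SizeOfRawData                uint32
	PointerToRawData             uint32
	PointerToRelocations         uint32
	PointerToLinenumbers         uint32
	NumberOfRelocations          uint16
	NumberOfLinenumbers          uint16
	Characteristics              uint32
}

// PhysicalAddress returns the shared PhysicalAddress/VirtualSize field.
func (ishdr *IMAGE_SECTION_HEADER) PhysicalAddress() uint32 {
	return ishdr.physicalAddressOrVirtualSize
}

// SetPhysicalAddress stores addr in the shared PhysicalAddress/VirtualSize
// field, so it also changes what VirtualSize returns.
func (ishdr *IMAGE_SECTION_HEADER) SetPhysicalAddress(addr uint32) {
	ishdr.physicalAddressOrVirtualSize = addr
}

// VirtualSize returns the shared PhysicalAddress/VirtualSize field.
func (ishdr *IMAGE_SECTION_HEADER) VirtualSize() uint32 {
	return ishdr.physicalAddressOrVirtualSize
}

// SetVirtualSize stores addr in the shared PhysicalAddress/VirtualSize field,
// so it also changes what PhysicalAddress returns.
func (ishdr *IMAGE_SECTION_HEADER) SetVirtualSize(addr uint32) {
	ishdr.physicalAddressOrVirtualSize = addr
}

const (
	// Dll characteristics.
	IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA       = 0x0020
	IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE          = 0x0040
	IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY       = 0x0080
	IMAGE_DLL_CHARACTERISTICS_NX_COMPAT             = 0x0100
	IMAGE_DLL_CHARACTERISTICS_NO_ISOLATION          = 0x0200
	IMAGE_DLL_CHARACTERISTICS_NO_SEH                = 0x0400
	IMAGE_DLL_CHARACTERISTICS_NO_BIND               = 0x0800
	IMAGE_DLL_CHARACTERISTICS_APPCONTAINER          = 0x1000
	IMAGE_DLL_CHARACTERISTICS_WDM_DRIVER            = 0x2000
	IMAGE_DLL_CHARACTERISTICS_GUARD_CF              = 0x4000
	IMAGE_DLL_CHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
)

const (
	// Section characteristics.
	IMAGE_SCN_TYPE_REG    = 0x00000000 // Reserved.
	IMAGE_SCN_TYPE_DSECT  = 0x00000001 // Reserved.
	IMAGE_SCN_TYPE_NOLOAD = 0x00000002 // Reserved.
	IMAGE_SCN_TYPE_GROUP  = 0x00000004 // Reserved.
	IMAGE_SCN_TYPE_NO_PAD = 0x00000008 // Reserved.
	IMAGE_SCN_TYPE_COPY   = 0x00000010 // Reserved.

	IMAGE_SCN_CNT_CODE               = 0x00000020 // Section contains code.
	IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040 // Section contains initialized data.
	IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080 // Section contains uninitialized data.

	IMAGE_SCN_LNK_OTHER         = 0x00000100 // Reserved.
	IMAGE_SCN_LNK_INFO          = 0x00000200 // Section contains comments or some other type of information.
	IMAGE_SCN_TYPE_OVER         = 0x00000400 // Reserved.
	IMAGE_SCN_LNK_REMOVE        = 0x00000800 // Section contents will not become part of image.
	IMAGE_SCN_LNK_COMDAT        = 0x00001000 // Section contents comdat.
	IMAGE_SCN_MEM_PROTECTED     = 0x00004000 // Obsolete.
	IMAGE_SCN_NO_DEFER_SPEC_EXC = 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
	IMAGE_SCN_GPREL             = 0x00008000 // Section content can be accessed relative to GP
	IMAGE_SCN_MEM_FARDATA       = 0x00008000
	IMAGE_SCN_MEM_SYSHEAP       = 0x00010000 // Obsolete.
	IMAGE_SCN_MEM_PURGEABLE     = 0x00020000
	IMAGE_SCN_MEM_16BIT         = 0x00020000
	IMAGE_SCN_MEM_LOCKED        = 0x00040000
	IMAGE_SCN_MEM_PRELOAD       = 0x00080000

	IMAGE_SCN_ALIGN_1BYTES    = 0x00100000
	IMAGE_SCN_ALIGN_2BYTES    = 0x00200000
	IMAGE_SCN_ALIGN_4BYTES    = 0x00300000
	IMAGE_SCN_ALIGN_8BYTES    = 0x00400000
	IMAGE_SCN_ALIGN_16BYTES   = 0x00500000 // Default alignment if no others are specified.
	IMAGE_SCN_ALIGN_32BYTES   = 0x00600000
	IMAGE_SCN_ALIGN_64BYTES   = 0x00700000
	IMAGE_SCN_ALIGN_128BYTES  = 0x00800000
	IMAGE_SCN_ALIGN_256BYTES  = 0x00900000
	IMAGE_SCN_ALIGN_512BYTES  = 0x00A00000
	IMAGE_SCN_ALIGN_1024BYTES = 0x00B00000
	IMAGE_SCN_ALIGN_2048BYTES = 0x00C00000
	IMAGE_SCN_ALIGN_4096BYTES = 0x00D00000
	IMAGE_SCN_ALIGN_8192BYTES = 0x00E00000
	IMAGE_SCN_ALIGN_MASK      = 0x00F00000

	IMAGE_SCN_LNK_NRELOC_OVFL = 0x01000000 // Section contains extended relocations.
	IMAGE_SCN_MEM_DISCARDABLE = 0x02000000 // Section can be discarded.
	IMAGE_SCN_MEM_NOT_CACHED  = 0x04000000 // Section is not cachable.
	IMAGE_SCN_MEM_NOT_PAGED   = 0x08000000 // Section is not pageable.
	IMAGE_SCN_MEM_SHARED      = 0x10000000 // Section is shareable.
	IMAGE_SCN_MEM_EXECUTE     = 0x20000000 // Section is executable.
	IMAGE_SCN_MEM_READ        = 0x40000000 // Section is readable.
	IMAGE_SCN_MEM_WRITE       = 0x80000000 // Section is writeable.

	// TLS Characteristic Flags
	IMAGE_SCN_SCALE_INDEX = 0x00000001 // Tls index is scaled.
)

// IMAGE_BASE_RELOCATION is the based relocation format.
type IMAGE_BASE_RELOCATION struct {
	VirtualAddress uint32
	SizeOfBlock    uint32
}

// Based relocation types. Several values are reused with a machine-specific
// meaning (5, 7 and 9 below).
const (
	IMAGE_REL_BASED_ABSOLUTE           = 0
	IMAGE_REL_BASED_HIGH               = 1
	IMAGE_REL_BASED_LOW                = 2
	IMAGE_REL_BASED_HIGHLOW            = 3
	IMAGE_REL_BASED_HIGHADJ            = 4
	IMAGE_REL_BASED_MACHINE_SPECIFIC_5 = 5
	IMAGE_REL_BASED_RESERVED           = 6
	IMAGE_REL_BASED_MACHINE_SPECIFIC_7 = 7
	IMAGE_REL_BASED_MACHINE_SPECIFIC_8 = 8
	IMAGE_REL_BASED_MACHINE_SPECIFIC_9 = 9
	IMAGE_REL_BASED_DIR64              = 10

	IMAGE_REL_BASED_IA64_IMM64 = 9

	IMAGE_REL_BASED_MIPS_JMPADDR   = 5
	IMAGE_REL_BASED_MIPS_JMPADDR16 = 9

	IMAGE_REL_BASED_ARM_MOV32   = 5
	IMAGE_REL_BASED_THUMB_MOV32 = 7
)

// IMAGE_EXPORT_DIRECTORY is the export format.
type IMAGE_EXPORT_DIRECTORY struct {
	Characteristics       uint32
	TimeDateStamp         uint32
	MajorVersion          uint16
	MinorVersion          uint16
	Name                  uint32
	Base                  uint32
	NumberOfFunctions     uint32
	NumberOfNames         uint32
	AddressOfFunctions    uint32 // RVA from base of image
	AddressOfNames        uint32 // RVA from base of image
	AddressOfNameOrdinals uint32 // RVA from base of image
}

// IMAGE_IMPORT_BY_NAME is a hint followed by an import name. Name is declared
// with length 1 and only marks where the name bytes begin.
type IMAGE_IMPORT_BY_NAME struct {
	Hint uint16
	Name [1]byte
}

// IMAGE_ORDINAL returns the low 16 bits of ordinal.
func IMAGE_ORDINAL(ordinal uintptr) uintptr {
	return ordinal & 0xffff
}

// IMAGE_SNAP_BY_ORDINAL reports whether IMAGE_ORDINAL_FLAG is set in ordinal.
// IMAGE_ORDINAL_FLAG is not declared in this file; it comes from elsewhere in
// the package.
func IMAGE_SNAP_BY_ORDINAL(ordinal uintptr) bool {
	return (ordinal & IMAGE_ORDINAL_FLAG) != 0
}

// IMAGE_TLS_DIRECTORY describes thread local storage.
type IMAGE_TLS_DIRECTORY struct {
	StartAddressOfRawData uintptr
	EndAddressOfRawData   uintptr
	AddressOfIndex        uintptr // PDWORD
	AddressOfCallbacks    uintptr // PIMAGE_TLS_CALLBACK *;
	SizeOfZeroFill        uint32
	Characteristics       uint32
}

// IMAGE_IMPORT_DESCRIPTOR is one entry of the import directory. The unexported
// first field is exposed under two names through the Characteristics and
// OriginalFirstThunk accessors below.
type IMAGE_IMPORT_DESCRIPTOR struct {
	// 0 for terminating null import descriptor;
	// otherwise RVA to original unbound IAT (PIMAGE_THUNK_DATA).
	characteristicsOrOriginalFirstThunk uint32
	// 0 if not bound,
	// -1 if bound, and real date\time stamp
	// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND),
	// O.W. date/time stamp of DLL bound to (Old BIND).
	TimeDateStamp  uint32
	ForwarderChain uint32 // -1 if no forwarders
	Name           uint32
	FirstThunk     uint32 // RVA to IAT (if bound this IAT has actual addresses)
}

// Characteristics returns the shared Characteristics/OriginalFirstThunk field.
func (imgimpdesc *IMAGE_IMPORT_DESCRIPTOR) Characteristics() uint32 {
	return imgimpdesc.characteristicsOrOriginalFirstThunk
}

// OriginalFirstThunk returns the shared Characteristics/OriginalFirstThunk
// field.
func (imgimpdesc *IMAGE_IMPORT_DESCRIPTOR) OriginalFirstThunk() uint32 {
	return imgimpdesc.characteristicsOrOriginalFirstThunk
}

// IMAGE_DELAYLOAD_DESCRIPTOR is one entry of the delay-load import directory.
type IMAGE_DELAYLOAD_DESCRIPTOR struct {
	Attributes                 uint32
	DllNameRVA                 uint32
	ModuleHandleRVA            uint32
	ImportAddressTableRVA      uint32
	ImportNameTableRVA         uint32
	BoundImportAddressTableRVA uint32
	UnloadInformationTableRVA  uint32
	TimeDateStamp              uint32
}

// IMAGE_LOAD_CONFIG_CODE_INTEGRITY is the code integrity part of the load
// configuration.
type IMAGE_LOAD_CONFIG_CODE_INTEGRITY struct {
	Flags         uint16
	Catalog       uint16
	CatalogOffset uint32
	Reserved      uint32
}

// IMAGE_GUARD_* flag bits, plus the mask and shift for the CF function table
// size field.
const (
	IMAGE_GUARD_CF_INSTRUMENTED                    = 0x00000100
	IMAGE_GUARD_CFW_INSTRUMENTED                   = 0x00000200
	IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT          = 0x00000400
	IMAGE_GUARD_SECURITY_COOKIE_UNUSED             = 0x00000800
	IMAGE_GUARD_PROTECT_DELAYLOAD_IAT              = 0x00001000
	IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION   = 0x00002000
	IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT = 0x00004000
	IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION       = 0x00008000
	IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT          = 0x00010000
	IMAGE_GUARD_RF_INSTRUMENTED                    = 0x00020000
	IMAGE_GUARD_RF_ENABLE                          = 0x00040000
	IMAGE_GUARD_RF_STRICT                          = 0x00080000
	IMAGE_GUARD_RETPOLINE_PRESENT                  = 0x00100000
	IMAGE_GUARD_EH_CONTINUATION_TABLE_PRESENT      = 0x00400000
	IMAGE_GUARD_XFG_ENABLED                        = 0x00800000
	IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK        = 0xF0000000
	IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT       = 28
)

// Reason codes passed to a DLL entry point.
const (
	DLL_PROCESS_ATTACH = 1
	DLL_THREAD_ATTACH  = 2
	DLL_THREAD_DETACH  = 3
	DLL_PROCESS_DETACH = 0
)

// SYSTEM_INFO mirrors the Windows SYSTEM_INFO structure.
type SYSTEM_INFO struct {
	ProcessorArchitecture     uint16
	Reserved                  uint16
	PageSize                  uint32
	MinimumApplicationAddress uintptr
	MaximumApplicationAddress uintptr
	ActiveProcessorMask       uintptr
	NumberOfProcessors        uint32
	ProcessorType             uint32
	AllocationGranularity     uint32
	ProcessorLevel            uint16
	ProcessorRevision         uint16
}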