//go:build windows && (altload || crypt)
// +build windows
// +build altload crypt

// Copyright (C) 2020 - 2023 iDigitalFlame
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
//

package winapi

// Hashed procedure table.
//
// This file is compiled only when the "altload" or "crypt" build tag is set
// (see the build constraint at the top). Every procedure below is registered
// through a 32-bit hash of its export name rather than the name itself; how
// that hash is matched against a module's exports is implemented by the
// proc/sysProc methods of the dll* receivers, which are declared elsewhere in
// the package. Only dllNtdll entries use sysProc, and only for Nt* names; the
// difference between sysProc and proc is not visible from this file.
//
// All hashes are in the FNV format.
//
// The reference implementation below is 32-bit FNV-1 (multiply by the prime
// first, then XOR in the next character), offset basis 2166136261, prime
// 16777619, truncated to 32 bits on every round. The order matters: FNV-1a
// XORs before multiplying, so a hash computed with the wrong variant will not
// match any constant here.
//
// Review note: the hash is unkeyed, so these constants are not secrets. A
// maintainer adding an entry, or an analyst triaging a build, can regenerate
// the table by running fnv() over a module's export names and matching the
// results against the constants below. The trailing "// >= ..." comments
// record the minimum Windows version an export is expected from, and the
// "(Xp sub = ...)" comments appear to name the substitute used on older
// builds — confirm against the code that consumes each entry.
/*
def fnv(v):
    h = 2166136261
    for n in v:
        h *= 16777619
        h ^= ord(n)
        h = h&0xFFFFFFFF
    return "0x" + hex(h).upper()[2:]
*/

var (
	// Resolved through dllKernelBase.
	funcLoadLibraryEx = dllKernelBase.proc(0x68D28778)
	funcFormatMessage = dllKernelBase.proc(0x8233A148)

	// Resolved through dllNtdll. Nt* entries use sysProc; Rtl*/Etw*/Dbg*
	// entries use the plain proc lookup.
	funcNtClose                     = dllNtdll.sysProc(0x36291E41)
	funcNtSetEvent                  = dllNtdll.sysProc(0x5E5D5E5B)
	funcRtlFreeHeap                 = dllNtdll.proc(0xBC880A2D)
	funcNtTraceEvent                = dllNtdll.sysProc(0x89F984CE)
	funcNtOpenThread                = dllNtdll.sysProc(0x7319665F)
	funcRtlCreateHeap               = dllNtdll.proc(0xA1846AB)
	funcEtwEventWrite               = dllNtdll.proc(0xD32A6690) // >= WinVista
	funcDbgBreakPoint               = dllNtdll.proc(0x6861210F)
	funcNtOpenProcess               = dllNtdll.sysProc(0x57367582)
	funcRtlDestroyHeap              = dllNtdll.proc(0x167E8613)
	funcNtResumeThread              = dllNtdll.sysProc(0xA6F798EA)
	funcNtCreateSection             = dllNtdll.sysProc(0x40A2511C)
	funcNtSuspendThread             = dllNtdll.sysProc(0x9D419019)
	funcNtResumeProcess             = dllNtdll.sysProc(0xB5333DBD)
	funcRtlAllocateHeap             = dllNtdll.proc(0x50AA445E)
	funcNtDuplicateToken            = dllNtdll.sysProc(0x7A75D3A1)
	funcEtwEventRegister            = dllNtdll.proc(0xC0B4D94C) // >= WinVista
	funcNtSuspendProcess            = dllNtdll.sysProc(0x8BD95BF8)
	funcNtCreateThreadEx            = dllNtdll.sysProc(0x8E6261C)  // >= WinVista (Xp sub = RtlCreateUserThread)
	funcNtCancelIoFileEx            = dllNtdll.sysProc(0xD4909C18) // >= WinVista (Xp sub = NtCancelIoFile)
	funcNtDuplicateObject           = dllNtdll.sysProc(0xAD2BC047)
	funcNtTerminateThread           = dllNtdll.sysProc(0x18157A24)
	funcNtOpenThreadToken           = dllNtdll.sysProc(0x82EEAAFE)
	funcEtwEventWriteFull           = dllNtdll.proc(0xAC8A097) // >= WinVista
	funcRtlReAllocateHeap           = dllNtdll.proc(0xA51D1975)
	funcNtMapViewOfSection          = dllNtdll.sysProc(0x704A2F2C)
	funcNtTerminateProcess          = dllNtdll.sysProc(0xB3AC5173)
	funcNtOpenProcessToken          = dllNtdll.sysProc(0xB2CA3641)
	funcRtlCopyMappedMemory         = dllNtdll.proc(0x381752E6) // >= WinS2003 (Not in XP sub = RtlMoveMemory)
	funcNtFreeVirtualMemory         = dllNtdll.sysProc(0x8C399853)
	funcNtImpersonateThread         = dllNtdll.sysProc(0x12724B12)
	funcNtUnmapViewOfSection        = dllNtdll.sysProc(0x19B022D)
	funcNtWriteVirtualMemory        = dllNtdll.sysProc(0x2012F428)
	funcNtDeviceIoControlFile       = dllNtdll.sysProc(0x5D0C9026)
	funcNtWaitForSingleObject       = dllNtdll.sysProc(0x46D9033C)
	funcNtSetInformationToken       = dllNtdll.sysProc(0x43623A4)
	funcNtProtectVirtualMemory      = dllNtdll.sysProc(0xD86AFCB8)
	funcNtSetInformationThread      = dllNtdll.sysProc(0x5F74B08D)
	funcRtlGetNtVersionNumbers      = dllNtdll.proc(0xD476F98B)
	funcEtwNotificationRegister     = dllNtdll.proc(0x7B7F821F) // >= WinVista
	funcNtAllocateVirtualMemory     = dllNtdll.sysProc(0x46D22D36)
	funcRtlSetProcessIsCritical     = dllNtdll.proc(0xEE7639E9)
	funcNtFlushInstructionCache     = dllNtdll.sysProc(0xEFB80179)
	funcNtAdjustTokenPrivileges     = dllNtdll.sysProc(0x6CCF6931)
	funcNtQueryInformationToken     = dllNtdll.sysProc(0x63C176C4)
	funcNtQueryInformationThread    = dllNtdll.sysProc(0x115412D)
	funcNtQuerySystemInformation    = dllNtdll.sysProc(0x337C7C64)
	funcNtWaitForMultipleObjects    = dllNtdll.sysProc(0x5DF74043)
	funcNtQueryInformationProcess   = dllNtdll.sysProc(0xC88AB8C)
	funcRtlWow64GetProcessMachines  = dllNtdll.proc(0x982D219D) // == 64bit/ARM64
	funcRtlLengthSecurityDescriptor = dllNtdll.proc(0xF5677F7C)

	// Resolved through dllKernelBase.
	funcReadFile                  = dllKernelBase.proc(0xEBE8E9AF)
	funcWriteFile                 = dllKernelBase.proc(0x567775AC)
	funcOpenMutex                 = dllKernelBase.proc(0x56F8CC91)
	funcLocalFree                 = dllKernelBase.proc(0x3A5DD394)
	funcOpenEvent                 = dllKernelBase.proc(0x3D0B286)
	funcCreateFile                = dllKernelBase.proc(0xBD1BFDAE)
	funcDebugBreak                = dllKernelBase.proc(0x7F7E4A57)
	funcCreateMutex               = dllKernelBase.proc(0x3FFF8555)
	funcCreateEvent               = dllKernelBase.proc(0x9C12E8F2)
	funcWaitNamedPipe             = dllKernelBase.proc(0x7851B108)
	funcOpenSemaphore             = dllKernelBase.proc(0xEFE004)
	funcCreateNamedPipe           = dllKernelBase.proc(0xF05E3B8B)
	funcConnectNamedPipe          = dllKernelBase.proc(0xEE1FF6A8)
	funcGetModuleHandleEx         = dllKernelBase.proc(0x2FFDCF65)
	funcOutputDebugString         = dllKernelBase.proc(0x58448029)
	funcGetCurrentThreadID        = dllKernelBase.proc(0x3C31D725)
	funcGetOverlappedResult       = dllKernelBase.proc(0x1C7ADC04)
	funcDisconnectNamedPipe       = dllKernelBase.proc(0xCC9E66D6)
	funcGetCurrentProcessID       = dllKernelBase.proc(0x75FCB062)
	funcUpdateProcThreadAttribute = dllKernelBase.proc(0xEB87DE36) // >= WinVista

	// Resolved through dllKernelOrAdvapi, whose backing module depends on the
	// OS version as the comments record.
	funcIsWellKnownSID             = dllKernelOrAdvapi.proc(0xF855936A) // >= Win7 kernelbase.dll else advapi32.dll
	funcCreateWellKnownSid         = dllKernelOrAdvapi.proc(0x25F61A8E) // >= Win7 kernelbase.dll else advapi32.dll
	funcImpersonateNamedPipeClient = dllKernelOrAdvapi.proc(0x2BA3D9CE) // >= Win7 kernelbase.dll else advapi32.dll

	// Resolved through dllKernel32.
	funcCreateProcess              = dllKernel32.proc(0x19C69863)
	funcCreateMailslot             = dllKernel32.proc(0xB10785BB)
	funcCreateSemaphore            = dllKernel32.proc(0xE540398)
	funcK32EnumDeviceDrivers       = dllKernel32.proc(0x779D5EFF) // >= Win7 (Xp sub = psapi.EnumDeviceDrivers)
	funcK32GetModuleInformation    = dllKernel32.proc(0xFD5B63D5) // >= Win7 (Xp sub = psapi.GetModuleInformation)
	funcSetProcessWorkingSetSizeEx = dllKernel32.proc(0xAB634AE1) // >= WinS2003 (Not in XP sub = SetProcessWorkingSetSize)
	funcK32GetDeviceDriverFileName = dllKernel32.proc(0x9EF6FF6D) // >= Win7 (Xp sub = psapi.GetDeviceDriverFileNameW)

	// Resolved through dllAdvapi32.
	funcLsaClose                                            = dllAdvapi32.proc(0xB9C1C829)
	funcLogonUser                                           = dllAdvapi32.proc(0x5BAC4A5A)
	funcRegFlushKey                                         = dllAdvapi32.proc(0x8177DB3A)
	funcRegEnumValue                                        = dllAdvapi32.proc(0x42EC9414)
	funcRegSetValueEx                                       = dllAdvapi32.proc(0xC0050EDC)
	funcLsaOpenPolicy                                       = dllAdvapi32.proc(0x34D221F9)
	funcRegDeleteTree                                       = dllAdvapi32.proc(0x35CED63F) // >= WinVista
	funcRegDeleteKeyEx                                      = dllAdvapi32.proc(0xF888EF35) // >= WinVista (Xp sub = RegDeleteKey)
	funcRegDeleteValue                                      = dllAdvapi32.proc(0x717D1086)
	funcRegCreateKeyEx                                      = dllAdvapi32.proc(0xA656F848)
	funcSetServiceStatus                                    = dllAdvapi32.proc(0xC09B613A)
	funcLookupAccountSid                                    = dllAdvapi32.proc(0x59E27333)
	funcLookupPrivilegeValue                                = dllAdvapi32.proc(0xEC6FF8D6)
	funcConvertSIDToStringSID                               = dllAdvapi32.proc(0x7AAB722D)
	funcCreateProcessWithToken                              = dllAdvapi32.proc(0xC20739FE) // >= WinS2003 (Not in XP)
	funcCreateProcessWithLogon                              = dllAdvapi32.proc(0x62F9BC50)
	funcInitiateSystemShutdownEx                            = dllAdvapi32.proc(0xDA8731DD)
	funcLsaQueryInformationPolicy                           = dllAdvapi32.proc(0xD67C4D8B)
	funcStartServiceCtrlDispatcher                          = dllAdvapi32.proc(0x99A279E7)
	funcRegisterServiceCtrlHandlerEx                        = dllAdvapi32.proc(0x5046FA66)
	funcQueryServiceDynamicInformation                      = dllAdvapi32.proc(0x2F5CB537) // >= Win8
	funcConvertStringSecurityDescriptorToSecurityDescriptor = dllAdvapi32.proc(0x9EF78621)

	// Resolved through dllUser32.
	funcGetDC                      = dllUser32.proc(0xC9AB9064)
	funcSetFocus                   = dllUser32.proc(0x1AF3F781)
	funcReleaseDC                  = dllUser32.proc(0x934A6B3)
	funcSendInput                  = dllUser32.proc(0xB22A0065)
	funcBlockInput                 = dllUser32.proc(0x1359E3BC)
	funcShowWindow                 = dllUser32.proc(0xB408886A)
	funcMessageBox                 = dllUser32.proc(0x1C4E3F6C)
	funcEnumWindows                = dllUser32.proc(0x9A29AD49)
	funcEnableWindow               = dllUser32.proc(0x64DED01C)
	funcSetWindowPos               = dllUser32.proc(0x57C8D93B)
	funcGetWindowText              = dllUser32.proc(0x123362FD)
	funcGetWindowInfo              = dllUser32.proc(0x971B836B)
	funcGetMonitorInfo             = dllUser32.proc(0x9B68BE4A)
	funcGetWindowLongW             = dllUser32.proc(0x31A5F5B0)
	funcSetWindowLongW             = dllUser32.proc(0x8BD0F82C)
	funcGetDesktopWindow           = dllUser32.proc(0x1921BE95)
	funcSendNotifyMessage          = dllUser32.proc(0xDEBEDBC0)
	funcEnumDisplayMonitors        = dllUser32.proc(0x6FA69AB9)
	funcEnumDisplaySettings        = dllUser32.proc(0x83B28A2E)
	funcGetWindowTextLength        = dllUser32.proc(0x85381939)
	funcSetForegroundWindow        = dllUser32.proc(0x52EF9094)
	funcSystemParametersInfo       = dllUser32.proc(0xF1855EA9)
	funcSetLayeredWindowAttributes = dllUser32.proc(0x950A5A2E)

	// Resolved through dllCrypt32.
	funcCryptMsgClose              = dllCrypt32.proc(0x9B5720EA)
	funcCertCloseStore             = dllCrypt32.proc(0xF614DAC4)
	funcCryptQueryObject           = dllCrypt32.proc(0xEAEDD248)
	funcCryptMsgGetParam           = dllCrypt32.proc(0xEE8C1C55)
	funcCertGetNameString          = dllCrypt32.proc(0x3F6B7692)
	funcCertFindCertificateInStore = dllCrypt32.proc(0x38707435)
	funcCertFreeCertificateContext = dllCrypt32.proc(0x6F27DE27)

	// Resolved through dllGdi32.
	funcBitBlt                 = dllGdi32.proc(0x4C7E7258)
	funcDeleteDC               = dllGdi32.proc(0x3C53364B)
	funcGetDIBits              = dllGdi32.proc(0x35F5C026)
	funcSelectObject           = dllGdi32.proc(0xFBC3B004)
	funcDeleteObject           = dllGdi32.proc(0x2AAC1D49)
	funcCreateCompatibleDC     = dllGdi32.proc(0xD5203D54)
	funcCreateCompatibleBitmap = dllGdi32.proc(0xC2BE1C3E)

	// Resolved through dllWtsapi32.
	funcWTSOpenServer              = dllWtsapi32.proc(0xFE2B3B89)
	funcWTSCloseServer             = dllWtsapi32.proc(0x1BCAB670)
	funcWTSSendMessage             = dllWtsapi32.proc(0xACD5E389)
	funcWTSLogoffSession           = dllWtsapi32.proc(0xE355D47E)
	funcWTSEnumerateSessions       = dllWtsapi32.proc(0x81A0698B)
	funcWTSDisconnectSession       = dllWtsapi32.proc(0x9A352247)
	funcWTSEnumerateProcesses      = dllWtsapi32.proc(0x9BC0257D)
	funcWTSQuerySessionInformation = dllWtsapi32.proc(0xCEFF39A)

	// Resolved through dllDbgHelp.
	funcMiniDumpWriteDump = dllDbgHelp.proc(0x499916F9)

	// Resolved through dllWinhttp.
	funcWinHTTPGetDefaultProxyConfiguration = dllWinhttp.proc(0xFD091ACC) // >= WinXP_SP3

	// Resolved through dllAmsi; all three are recorded as Windows 10 only.
	funcAmsiScanBuffer = dllAmsi.proc(0x7AB1BB42) // >= Win10
	funcAmsiInitialize = dllAmsi.proc(0xBFB2E53D) // >= Win10
	funcAmsiScanString = dllAmsi.proc(0x18AB3DF)  // >= Win10
)

// doSearchSystem32 reports whether funcAddDllDirectory resolved to a non-zero
// value, evaluating that once and caching the answer in searchSystem32.v.
//
// Both searchSystem32 and funcAddDllDirectory are declared elsewhere in the
// package. From this file alone searchSystem32.Do reads like a sync.Once-style
// guard — confirm against its definition. The inline comment records the
// availability expectation (Windows 8, and some Windows 7 builds); the
// function name suggests the result gates a System32-restricted library
// search when loading modules, which should be verified at the call sites.
func doSearchSystem32() bool {
	searchSystem32.Do(func() {
		// A zero address means the export was not found, so the feature is
		// treated as unavailable.
		searchSystem32.v = funcAddDllDirectory > 0 // >= Win8 / ~Win7
	})
	return searchSystem32.v
}