github.com/iDigitalFlame/xmt@v0.5.4/device/winapi/xy_procs_crypt.go (about)

     1  //go:build windows && (altload || crypt)
     2  // +build windows
     3  // +build altload crypt
     4  
     5  // Copyright (C) 2020 - 2023 iDigitalFlame
     6  //
     7  // This program is free software: you can redistribute it and/or modify
     8  // it under the terms of the GNU General Public License as published by
     9  // the Free Software Foundation, either version 3 of the License, or
    10  // any later version.
    11  //
    12  // This program is distributed in the hope that it will be useful,
    13  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    14  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15  // GNU General Public License for more details.
    16  //
    17  // You should have received a copy of the GNU General Public License
    18  // along with this program.  If not, see <https://www.gnu.org/licenses/>.
    19  //
    20  
    21  package winapi
    22  
// All hashes are 32-bit FNV-1 values (multiply by the prime, then XOR in the next byte), computed by the reference function below.
    24  /*
    25  def fnv(v):
    26      h = 2166136261
    27      for n in v:
    28          h *= 16777619
    29          h ^= ord(n)
    30          h = h&0xFFFFFFFF
    31      return "0x" + hex(h).upper()[2:]
    32  */
    33  
// Hashed export table for the altload/crypt builds (see the build tags at the
// top of the file). Every entry is resolved through the owning DLL's proc or
// sysProc method from a 32-bit FNV-1 hash of the export (see the reference
// hash function above) rather than from a literal name, so the export names
// need not appear as strings in the compiled binary.
//
// On ntdll every Nt* export is resolved with sysProc and every other export
// (Rtl*, Etw*, Dbg*) with proc; what sysProc does beyond the lookup is not
// visible in this file. Trailing comments record the minimum Windows release
// that ships the export and, where one exists, the substitute used on older
// releases.
//
// NOTE(review): with the names gone, the hash constants are the remaining
// static artefact of this table. They must be regenerated whenever the hash
// function changes; a stale constant presumably resolves to nothing, so
// confirm how proc/sysProc report a miss before relying on that.
var (
	// kernelbase.dll: loader and error-message helpers.
	funcLoadLibraryEx = dllKernelBase.proc(0x68D28778)
	funcFormatMessage = dllKernelBase.proc(0x8233A148)

	// ntdll.dll: native system services (Nt*, via sysProc) plus Rtl*, Etw*
	// and Dbg* exports (via proc).
	funcNtClose                     = dllNtdll.sysProc(0x36291E41)
	funcNtSetEvent                  = dllNtdll.sysProc(0x5E5D5E5B)
	funcRtlFreeHeap                 = dllNtdll.proc(0xBC880A2D)
	funcNtTraceEvent                = dllNtdll.sysProc(0x89F984CE)
	funcNtOpenThread                = dllNtdll.sysProc(0x7319665F)
	funcRtlCreateHeap               = dllNtdll.proc(0xA1846AB)
	funcEtwEventWrite               = dllNtdll.proc(0xD32A6690) // >= WinVista
	funcDbgBreakPoint               = dllNtdll.proc(0x6861210F)
	funcNtOpenProcess               = dllNtdll.sysProc(0x57367582)
	funcRtlDestroyHeap              = dllNtdll.proc(0x167E8613)
	funcNtResumeThread              = dllNtdll.sysProc(0xA6F798EA)
	funcNtCreateSection             = dllNtdll.sysProc(0x40A2511C)
	funcNtSuspendThread             = dllNtdll.sysProc(0x9D419019)
	funcNtResumeProcess             = dllNtdll.sysProc(0xB5333DBD)
	funcRtlAllocateHeap             = dllNtdll.proc(0x50AA445E)
	funcNtDuplicateToken            = dllNtdll.sysProc(0x7A75D3A1)
	funcEtwEventRegister            = dllNtdll.proc(0xC0B4D94C) // >= WinVista
	funcNtSuspendProcess            = dllNtdll.sysProc(0x8BD95BF8)
	funcNtCreateThreadEx            = dllNtdll.sysProc(0x8E6261C)  // >= WinVista (Xp sub = RtlCreateUserThread)
	funcNtCancelIoFileEx            = dllNtdll.sysProc(0xD4909C18) // >= WinVista (Xp sub = NtCancelIoFile)
	funcNtDuplicateObject           = dllNtdll.sysProc(0xAD2BC047)
	funcNtTerminateThread           = dllNtdll.sysProc(0x18157A24)
	funcNtOpenThreadToken           = dllNtdll.sysProc(0x82EEAAFE)
	funcEtwEventWriteFull           = dllNtdll.proc(0xAC8A097) // >= WinVista
	funcRtlReAllocateHeap           = dllNtdll.proc(0xA51D1975)
	funcNtMapViewOfSection          = dllNtdll.sysProc(0x704A2F2C)
	funcNtTerminateProcess          = dllNtdll.sysProc(0xB3AC5173)
	funcNtOpenProcessToken          = dllNtdll.sysProc(0xB2CA3641)
	funcRtlCopyMappedMemory         = dllNtdll.proc(0x381752E6) // >= WinS2003 (Not in XP sub = RtlMoveMemory)
	funcNtFreeVirtualMemory         = dllNtdll.sysProc(0x8C399853)
	funcNtImpersonateThread         = dllNtdll.sysProc(0x12724B12)
	funcNtUnmapViewOfSection        = dllNtdll.sysProc(0x19B022D)
	funcNtWriteVirtualMemory        = dllNtdll.sysProc(0x2012F428)
	funcNtDeviceIoControlFile       = dllNtdll.sysProc(0x5D0C9026)
	funcNtWaitForSingleObject       = dllNtdll.sysProc(0x46D9033C)
	funcNtSetInformationToken       = dllNtdll.sysProc(0x43623A4)
	funcNtProtectVirtualMemory      = dllNtdll.sysProc(0xD86AFCB8)
	funcNtSetInformationThread      = dllNtdll.sysProc(0x5F74B08D)
	funcRtlGetNtVersionNumbers      = dllNtdll.proc(0xD476F98B)
	funcEtwNotificationRegister     = dllNtdll.proc(0x7B7F821F) // >= WinVista
	funcNtAllocateVirtualMemory     = dllNtdll.sysProc(0x46D22D36)
	funcRtlSetProcessIsCritical     = dllNtdll.proc(0xEE7639E9)
	funcNtFlushInstructionCache     = dllNtdll.sysProc(0xEFB80179)
	funcNtAdjustTokenPrivileges     = dllNtdll.sysProc(0x6CCF6931)
	funcNtQueryInformationToken     = dllNtdll.sysProc(0x63C176C4)
	funcNtQueryInformationThread    = dllNtdll.sysProc(0x115412D)
	funcNtQuerySystemInformation    = dllNtdll.sysProc(0x337C7C64)
	funcNtWaitForMultipleObjects    = dllNtdll.sysProc(0x5DF74043)
	funcNtQueryInformationProcess   = dllNtdll.sysProc(0xC88AB8C)
	funcRtlWow64GetProcessMachines  = dllNtdll.proc(0x982D219D) // == 64bit/ARM64
	funcRtlLengthSecurityDescriptor = dllNtdll.proc(0xF5677F7C)

	// kernelbase.dll: file, named-pipe, synchronization-object, module and
	// process/thread helpers.
	funcReadFile                  = dllKernelBase.proc(0xEBE8E9AF)
	funcWriteFile                 = dllKernelBase.proc(0x567775AC)
	funcOpenMutex                 = dllKernelBase.proc(0x56F8CC91)
	funcLocalFree                 = dllKernelBase.proc(0x3A5DD394)
	funcOpenEvent                 = dllKernelBase.proc(0x3D0B286)
	funcCreateFile                = dllKernelBase.proc(0xBD1BFDAE)
	funcDebugBreak                = dllKernelBase.proc(0x7F7E4A57)
	funcCreateMutex               = dllKernelBase.proc(0x3FFF8555)
	funcCreateEvent               = dllKernelBase.proc(0x9C12E8F2)
	funcWaitNamedPipe             = dllKernelBase.proc(0x7851B108)
	funcOpenSemaphore             = dllKernelBase.proc(0xEFE004)
	funcCreateNamedPipe           = dllKernelBase.proc(0xF05E3B8B)
	funcConnectNamedPipe          = dllKernelBase.proc(0xEE1FF6A8)
	funcGetModuleHandleEx         = dllKernelBase.proc(0x2FFDCF65)
	funcOutputDebugString         = dllKernelBase.proc(0x58448029)
	funcGetCurrentThreadID        = dllKernelBase.proc(0x3C31D725)
	funcGetOverlappedResult       = dllKernelBase.proc(0x1C7ADC04)
	funcDisconnectNamedPipe       = dllKernelBase.proc(0xCC9E66D6)
	funcGetCurrentProcessID       = dllKernelBase.proc(0x75FCB062)
	funcUpdateProcThreadAttribute = dllKernelBase.proc(0xEB87DE36) // >= WinVista

	// SID and pipe-impersonation exports whose home DLL moved between
	// releases; dllKernelOrAdvapi picks the right one (see trailing notes).
	funcIsWellKnownSID             = dllKernelOrAdvapi.proc(0xF855936A) // >= Win7 kernelbase.dll else advapi32.dll
	funcCreateWellKnownSid         = dllKernelOrAdvapi.proc(0x25F61A8E) // >= Win7 kernelbase.dll else advapi32.dll
	funcImpersonateNamedPipeClient = dllKernelOrAdvapi.proc(0x2BA3D9CE) // >= Win7 kernelbase.dll else advapi32.dll

	// kernel32.dll: process, mailslot, semaphore and (K32*) module/driver
	// enumeration exports, with the pre-Win7 psapi substitutes noted.
	funcCreateProcess              = dllKernel32.proc(0x19C69863)
	funcCreateMailslot             = dllKernel32.proc(0xB10785BB)
	funcCreateSemaphore            = dllKernel32.proc(0xE540398)
	funcK32EnumDeviceDrivers       = dllKernel32.proc(0x779D5EFF) // >= Win7 (Xp sub = psapi.EnumDeviceDrivers)
	funcK32GetModuleInformation    = dllKernel32.proc(0xFD5B63D5) // >= Win7 (Xp sub = psapi.GetModuleInformation)
	funcSetProcessWorkingSetSizeEx = dllKernel32.proc(0xAB634AE1) // >= WinS2003 (Not in XP sub = SetProcessWorkingSetSize)
	funcK32GetDeviceDriverFileName = dllKernel32.proc(0x9EF6FF6D) // >= Win7 (Xp sub = psapi.GetDeviceDriverFileNameW)

	// advapi32.dll: registry, LSA policy, logon/token/SID, service-control,
	// security-descriptor and shutdown APIs.
	funcLsaClose                                            = dllAdvapi32.proc(0xB9C1C829)
	funcLogonUser                                           = dllAdvapi32.proc(0x5BAC4A5A)
	funcRegFlushKey                                         = dllAdvapi32.proc(0x8177DB3A)
	funcRegEnumValue                                        = dllAdvapi32.proc(0x42EC9414)
	funcRegSetValueEx                                       = dllAdvapi32.proc(0xC0050EDC)
	funcLsaOpenPolicy                                       = dllAdvapi32.proc(0x34D221F9)
	funcRegDeleteTree                                       = dllAdvapi32.proc(0x35CED63F) // >= WinVista
	funcRegDeleteKeyEx                                      = dllAdvapi32.proc(0xF888EF35) // >= WinVista (Xp sub = RegDeleteKey)
	funcRegDeleteValue                                      = dllAdvapi32.proc(0x717D1086)
	funcRegCreateKeyEx                                      = dllAdvapi32.proc(0xA656F848)
	funcSetServiceStatus                                    = dllAdvapi32.proc(0xC09B613A)
	funcLookupAccountSid                                    = dllAdvapi32.proc(0x59E27333)
	funcLookupPrivilegeValue                                = dllAdvapi32.proc(0xEC6FF8D6)
	funcConvertSIDToStringSID                               = dllAdvapi32.proc(0x7AAB722D)
	funcCreateProcessWithToken                              = dllAdvapi32.proc(0xC20739FE) // >= WinS2003 (Not in XP)
	funcCreateProcessWithLogon                              = dllAdvapi32.proc(0x62F9BC50)
	funcInitiateSystemShutdownEx                            = dllAdvapi32.proc(0xDA8731DD)
	funcLsaQueryInformationPolicy                           = dllAdvapi32.proc(0xD67C4D8B)
	funcStartServiceCtrlDispatcher                          = dllAdvapi32.proc(0x99A279E7)
	funcRegisterServiceCtrlHandlerEx                        = dllAdvapi32.proc(0x5046FA66)
	funcQueryServiceDynamicInformation                      = dllAdvapi32.proc(0x2F5CB537) // >= Win8
	funcConvertStringSecurityDescriptorToSecurityDescriptor = dllAdvapi32.proc(0x9EF78621)

	// user32.dll: window, input, message and display APIs.
	funcGetDC                      = dllUser32.proc(0xC9AB9064)
	funcSetFocus                   = dllUser32.proc(0x1AF3F781)
	funcReleaseDC                  = dllUser32.proc(0x934A6B3)
	funcSendInput                  = dllUser32.proc(0xB22A0065)
	funcBlockInput                 = dllUser32.proc(0x1359E3BC)
	funcShowWindow                 = dllUser32.proc(0xB408886A)
	funcMessageBox                 = dllUser32.proc(0x1C4E3F6C)
	funcEnumWindows                = dllUser32.proc(0x9A29AD49)
	funcEnableWindow               = dllUser32.proc(0x64DED01C)
	funcSetWindowPos               = dllUser32.proc(0x57C8D93B)
	funcGetWindowText              = dllUser32.proc(0x123362FD)
	funcGetWindowInfo              = dllUser32.proc(0x971B836B)
	funcGetMonitorInfo             = dllUser32.proc(0x9B68BE4A)
	funcGetWindowLongW             = dllUser32.proc(0x31A5F5B0)
	funcSetWindowLongW             = dllUser32.proc(0x8BD0F82C)
	funcGetDesktopWindow           = dllUser32.proc(0x1921BE95)
	funcSendNotifyMessage          = dllUser32.proc(0xDEBEDBC0)
	funcEnumDisplayMonitors        = dllUser32.proc(0x6FA69AB9)
	funcEnumDisplaySettings        = dllUser32.proc(0x83B28A2E)
	funcGetWindowTextLength        = dllUser32.proc(0x85381939)
	funcSetForegroundWindow        = dllUser32.proc(0x52EF9094)
	funcSystemParametersInfo       = dllUser32.proc(0xF1855EA9)
	funcSetLayeredWindowAttributes = dllUser32.proc(0x950A5A2E)

	// crypt32.dll: certificate-store and signed-message (CryptMsg*) APIs.
	funcCryptMsgClose              = dllCrypt32.proc(0x9B5720EA)
	funcCertCloseStore             = dllCrypt32.proc(0xF614DAC4)
	funcCryptQueryObject           = dllCrypt32.proc(0xEAEDD248)
	funcCryptMsgGetParam           = dllCrypt32.proc(0xEE8C1C55)
	funcCertGetNameString          = dllCrypt32.proc(0x3F6B7692)
	funcCertFindCertificateInStore = dllCrypt32.proc(0x38707435)
	funcCertFreeCertificateContext = dllCrypt32.proc(0x6F27DE27)

	// gdi32.dll: device-context and bitmap APIs.
	funcBitBlt                 = dllGdi32.proc(0x4C7E7258)
	funcDeleteDC               = dllGdi32.proc(0x3C53364B)
	funcGetDIBits              = dllGdi32.proc(0x35F5C026)
	funcSelectObject           = dllGdi32.proc(0xFBC3B004)
	funcDeleteObject           = dllGdi32.proc(0x2AAC1D49)
	funcCreateCompatibleDC     = dllGdi32.proc(0xD5203D54)
	funcCreateCompatibleBitmap = dllGdi32.proc(0xC2BE1C3E)

	// wtsapi32.dll: terminal-services server and session APIs.
	funcWTSOpenServer              = dllWtsapi32.proc(0xFE2B3B89)
	funcWTSCloseServer             = dllWtsapi32.proc(0x1BCAB670)
	funcWTSSendMessage             = dllWtsapi32.proc(0xACD5E389)
	funcWTSLogoffSession           = dllWtsapi32.proc(0xE355D47E)
	funcWTSEnumerateSessions       = dllWtsapi32.proc(0x81A0698B)
	funcWTSDisconnectSession       = dllWtsapi32.proc(0x9A352247)
	funcWTSEnumerateProcesses      = dllWtsapi32.proc(0x9BC0257D)
	funcWTSQuerySessionInformation = dllWtsapi32.proc(0xCEFF39A)

	// dbghelp.dll.
	funcMiniDumpWriteDump = dllDbgHelp.proc(0x499916F9)

	// winhttp.dll.
	funcWinHTTPGetDefaultProxyConfiguration = dllWinhttp.proc(0xFD091ACC) // >= WinXP_SP3

	// amsi.dll (Win10+): Antimalware Scan Interface entry points.
	funcAmsiScanBuffer = dllAmsi.proc(0x7AB1BB42) // >= Win10
	funcAmsiInitialize = dllAmsi.proc(0xBFB2E53D) // >= Win10
	funcAmsiScanString = dllAmsi.proc(0x18AB3DF)  // >= Win10
)
   203  
// doSearchSystem32 reports whether the System32-restricted DLL search can be
// used on this host. The answer is computed on the first call and cached in
// searchSystem32.v for every later one: it is true when funcAddDllDirectory
// resolved to a non-zero value, which the original author notes as a Win8
// (approximately Win7) feature.
//
// NOTE(review): presumably callers use a false result to fall back to the
// default loader search order, which consults more directories than a
// System32-only search; confirm that fallback at the call sites, since it
// is where a missing or misplaced DLL would be picked up from elsewhere.
func doSearchSystem32() bool {
	searchSystem32.Do(initSearchSystem32)
	return searchSystem32.v
}

// initSearchSystem32 records whether AddDllDirectory was resolved. It is run
// through searchSystem32.Do (presumably a sync.Once-style guard — confirm),
// so the probe happens at most once per process.
func initSearchSystem32() {
	searchSystem32.v = funcAddDllDirectory > 0
}