Documentation
Index ¶
- Constants
- Variables
- func CloseTrace(handle windows.Handle) error
- func DumpProcess(pid uint32, filePath string, fullMem bool) error
- func EnableTraceEx2(traceHandle windows.Handle, providerId *windows.GUID, controlCode uint32, ...) error
- func GetProcessListBruteForce() ([]int, error)
- func GetProcessListNative() (map[int]string, error)
- func GetProtString(protect uint32) string
- func OpenProcessForMemory(pid uint32) (windows.Handle, error)
- func OpenTrace(logfile *EVENT_TRACE_LOGFILE) (windows.Handle, error)
- func ProcessTrace(handle windows.Handle) error
- func ReadProcessMemory(handle windows.Handle, address uintptr, size int) ([]byte, error)
- func StackWalk64(machineType uint32, hProcess windows.Handle, hThread windows.Handle, ...) (bool, error)
- func StartTrace(sessionName string, props *EVENT_TRACE_PROPERTIES) (windows.Handle, error)
- func StopTrace(handle windows.Handle, sessionName string, props *EVENT_TRACE_PROPERTIES) error
- func SymCleanup(hProcess windows.Handle) error
- func SymInitialize(hProcess windows.Handle) error
- func VerifySignature(filePath string) error
- func VirtualQueryEx(handle windows.Handle, address uintptr) (windows.MemoryBasicInformation, error)
- type ADDRESS64
- type ETW_BUFFER_CONTEXT
- type EVENT_DESCRIPTOR
- type EVENT_HEADER
- type EVENT_RECORD
- type EVENT_TRACE
- type EVENT_TRACE_HEADER
- type EVENT_TRACE_LOGFILE
- type EVENT_TRACE_PROPERTIES
- type KDHELP64
- type MemoryRegionInfo
- type STACKFRAME64
- type SYSTEMTIME
- type SystemProcessInformationStruct
- type TIME_ZONE_INFORMATION
- type TRACE_LOGFILE_HEADER
- type UnicodeString
- type WINTRUST_DATA
- type WINTRUST_FILE_INFO
- type WNODE_HEADER
Constants ¶
// WinVerifyTrust (wintrust.h) parameter values, presumably the ones
// VerifySignature places into WINTRUST_DATA.
const (
	// WTD_UI_NONE: no UI is shown during verification (dwUIChoice).
	WTD_UI_NONE = 2
	// WTD_REVOKE_NONE: no additional revocation checking is requested
	// through fdwRevocationChecks.
	WTD_REVOKE_NONE = 0x00000000
	// WTD_CHOICE_FILE: the union member is a WINTRUST_FILE_INFO (dwUnionChoice).
	WTD_CHOICE_FILE = 1
	// WTD_STATEACTION_VERIFY: open the verification state (dwStateAction).
	WTD_STATEACTION_VERIFY = 0x00000001
	// WTD_SA_IGNORE_REVOCATION_CHECKS_TOTAL — Optimize speed.
	// NOTE(review): 0x00000020 is the value wintrust.h gives to
	// WTD_REVOCATION_CHECK_END_CERT, a dwProvFlags value that *requests* an
	// end-certificate revocation check rather than skipping one. Confirm the
	// intended semantics and which WINTRUST_DATA field receives this value
	// before relying on the name.
	WTD_SA_IGNORE_REVOCATION_CHECKS_TOTAL = 0x00000020
)
// Machine types and address modes (dbghelp.h) consumed by StackWalk64 and
// the STACKFRAME64 it fills in.
const (
	// IMAGE_FILE_MACHINE_I386 selects 32-bit x86 frame walking.
	IMAGE_FILE_MACHINE_I386 = 0x014c
	// IMAGE_FILE_MACHINE_AMD64 selects x86-64 frame walking.
	IMAGE_FILE_MACHINE_AMD64 = 0x8664

	// ADDRESS64.Mode values; AddrModeFlat is the one used for flat
	// (non-segmented) addressing on current x86/x64 targets.
	AddrMode1616 = 0
	AddrMode1632 = 1
	AddrModeReal = 2
	AddrModeFlat = 3
)
// ETW session control values (evntrace.h / evntcons.h) used by the trace
// wrappers in this package.
const (
	// EVENT_TRACE_LOGFILE.LogFileMode flags for OpenTrace/ProcessTrace:
	// consume a live session, and deliver EVENT_RECORD structures to
	// EventCallback instead of legacy EVENT_TRACE ones.
	PROCESS_TRACE_MODE_REAL_TIME    = 0x00000100
	PROCESS_TRACE_MODE_EVENT_RECORD = 0x10000000

	// EnableTraceEx2 controlCode values.
	EVENT_CONTROL_CODE_DISABLE_PROVIDER = 0
	EVENT_CONTROL_CODE_ENABLE_PROVIDER  = 1

	// EnableTraceEx2 level value: informational and more severe events.
	TRACE_LEVEL_INFORMATION = 4

	// ControlTrace control code passed by StopTrace.
	EVENT_TRACE_CONTROL_STOP = 1
)
// MiniDumpType flags (MINIDUMP_TYPE), presumably passed on to
// MiniDumpWriteDump by DumpProcess.
const (
	// MiniDumpNormal captures thread stacks and essential process state only.
	MiniDumpNormal = 0x00000000
	// MiniDumpWithFullMemory captures every readable page of the process.
	// The resulting file is much larger and contains whatever secrets the
	// process held in memory, so its storage location needs the same
	// protection as the process itself.
	MiniDumpWithFullMemory = 0x00000002
)
MiniDumpType flags
// NtQuerySystemInformation values used by GetProcessListNative.
const (
	// SystemProcessInformation is the SYSTEM_INFORMATION_CLASS that returns
	// the chained SYSTEM_PROCESS_INFORMATION records.
	SystemProcessInformation = 5

	// NTSTATUS codes. STATUS_INFO_LENGTH_MISMATCH means the supplied buffer
	// was too small and the call should be retried with a larger one; it is
	// an expected first result, not a hard failure.
	STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
	STATUS_SUCCESS              = 0x00000000
)
Variables ¶
var (
	// WINTRUST_ACTION_GENERIC_VERIFY_V2 is the WinVerifyTrust action GUID
	// {00AAC56B-CD44-11D0-8CC2-00C04FC295EE} that selects Authenticode
	// verification. It is a var only because Go has no struct constants;
	// treat it as read-only.
	WINTRUST_ACTION_GENERIC_VERIFY_V2 = syscall.GUID{
		Data1: 0x00aac56b,
		Data2: 0xcd44,
		Data3: 0x11d0,
		Data4: [8]byte{0x8c, 0xc2, 0x00, 0xc0, 0x4f, 0xc2, 0x95, 0xee},
	}
)
Functions ¶
func DumpProcess ¶
DumpProcess 创建指定进程的内存转储 (MiniDump)。fullMem 参数用于选择转储类型: MiniDumpNormal (小) 或 MiniDumpWithFullMemory (完整)。
func EnableTraceEx2 ¶
func EnableTraceEx2(traceHandle windows.Handle, providerId *windows.GUID, controlCode uint32, level uint8, matchAnyKeyword uint64, matchAllKeyword uint64, timeout uint32, enableParameters uintptr) error
EnableTraceEx2 wraps the Win32 EnableTraceEx2 call: it enables or disables the provider identified by providerId on the session identified by traceHandle, according to controlCode (EVENT_CONTROL_CODE_ENABLE_PROVIDER / EVENT_CONTROL_CODE_DISABLE_PROVIDER).
func GetProcessListBruteForce ¶
GetProcessListBruteForce 暴力枚举 PID (0-65535),返回存在的 PID 列表。
func GetProcessListNative ¶
GetProcessListNative 使用 NtQuerySystemInformation 枚举进程 (Native API)
func GetProtString ¶
GetProtString converts memory protection constants to string
func OpenProcessForMemory ¶
OpenProcessForMemory 打开进程以进行内存读取
func ReadProcessMemory ¶
ReadProcessMemory 读取指定进程内存
func StackWalk64 ¶
func StackWalk64(machineType uint32, hProcess windows.Handle, hThread windows.Handle, stackFrame *STACKFRAME64, context unsafe.Pointer) (bool, error)
StackWalk64 context MUST be a pointer to windows.CONTEXT (aligned)
func StartTrace ¶
func StartTrace(sessionName string, props *EVENT_TRACE_PROPERTIES) (windows.Handle, error)
StartTrace wraps the Win32 StartTraceW call, starting the session named sessionName with the given props and returning the session handle.
func StopTrace ¶
func StopTrace(handle windows.Handle, sessionName string, props *EVENT_TRACE_PROPERTIES) error
StopTrace wraps the Win32 ControlTraceW call with control code EVENT_TRACE_CONTROL_STOP (1) to stop the session.
func SymCleanup ¶
func SymInitialize ¶
func VerifySignature ¶
VerifySignature 验证指定文件的数字签名。返回 nil 表示验证通过,否则返回错误。注意: 本包常量中的 WTD_SA_IGNORE_REVOCATION_CHECKS_TOTAL 标志注释为 "Optimize speed",验证通过并不一定意味着已完成证书吊销检查,依赖该结果前请确认实际使用的标志。
func VirtualQueryEx ¶
VirtualQueryEx wraps the Win32 VirtualQueryEx call and returns the windows.MemoryBasicInformation describing the region that contains address in the process referred to by handle.
Types ¶
type ETW_BUFFER_CONTEXT ¶
type EVENT_DESCRIPTOR ¶
type EVENT_HEADER ¶
type EVENT_RECORD ¶
// EVENT_RECORD mirrors the Win32 EVENT_RECORD structure that ETW hands to an
// event callback (the EventCallback registered in EVENT_TRACE_LOGFILE when
// PROCESS_TRACE_MODE_EVENT_RECORD is set). Field order and widths define the
// ABI layout; do not reorder or resize them.
type EVENT_RECORD struct {
	Header            EVENT_HEADER       // event metadata (provider, timestamp, descriptor)
	BufferContext     ETW_BUFFER_CONTEXT // buffer/processor the event was logged from
	ExtendedDataCount uint16             // number of entries in the array ExtendedData points to
	UserDataLength    uint16             // byte length of the payload UserData points to
	ExtendedData      uintptr            // OS-owned pointer kept as uintptr; not tracked by the Go GC
	UserData          uintptr            // OS-owned pointer to the provider payload; bound every read by UserDataLength
	UserContext       uintptr            // per the Win32 contract, the Context supplied in EVENT_TRACE_LOGFILE
}
type EVENT_TRACE ¶
type EVENT_TRACE_HEADER ¶
type EVENT_TRACE_LOGFILE ¶
// EVENT_TRACE_LOGFILE mirrors the Win32 EVENT_TRACE_LOGFILEW structure passed
// to OpenTrace. The C definition contains two unions (LogFileMode /
// ProcessTraceMode and EventCallback / EventRecordCallback); each is flattened
// to a single field here. Field order and widths define the ABI layout; do not
// reorder or resize them.
type EVENT_TRACE_LOGFILE struct {
	LogFileName    *uint16 // UTF-16 path of an .etl file; nil when consuming a live session
	LoggerName     *uint16 // UTF-16 session name when consuming a live session
	CurrentTime    int64
	BuffersRead    uint32
	LogFileMode    uint32 // union member: carries the PROCESS_TRACE_MODE_* flags (REAL_TIME, EVENT_RECORD)
	CurrentEvent   EVENT_TRACE
	LogfileHeader  TRACE_LOGFILE_HEADER
	BufferCallback uintptr // optional buffer callback; a raw code pointer (e.g. from syscall.NewCallback), not GC-tracked
	BufferSize     uint32
	Filled         uint32
	EventsLost     uint32
	EventCallback  uintptr // PEVENT_RECORD_CALLBACK (union member; meaningful when PROCESS_TRACE_MODE_EVENT_RECORD is set in LogFileMode)
	IsKernelTrace  uint32
	Context        unsafe.Pointer // caller-supplied context; per the Win32 contract it is returned as EVENT_RECORD.UserContext
}
type EVENT_TRACE_PROPERTIES ¶
// EVENT_TRACE_PROPERTIES mirrors the Win32 EVENT_TRACE_PROPERTIES structure
// used by StartTrace and StopTrace. Per the Win32 contract the structure is
// followed, in the same allocation, by the UTF-16 session name and optionally
// the log file name: Wnode.BufferSize must cover the whole allocation and the
// two *Offset fields point into it, so an allocation of bare
// unsafe.Sizeof(EVENT_TRACE_PROPERTIES{}) bytes is too small. Field order and
// widths define the ABI layout; do not reorder or resize them.
type EVENT_TRACE_PROPERTIES struct {
	Wnode               WNODE_HEADER // Wnode.BufferSize = total allocation size; Wnode.Flags must include WNODE_FLAG_TRACED_GUID
	BufferSize          uint32       // per-buffer size in KB
	MinimumBuffers      uint32
	MaximumBuffers      uint32
	MaximumFileSize     uint32
	LogFileMode         uint32 // EVENT_TRACE_* logging mode flags
	FlushTimer          uint32
	EnableFlags         uint32 // kernel provider flags (NT kernel logger only)
	AgeLimit            int32  // union member (AgeLimit / FlushThreshold in the C definition)
	NumberOfBuffers     uint32 // output
	FreeBuffers         uint32 // output
	EventsLost          uint32 // output
	BuffersWritten      uint32 // output
	LogBuffersLost      uint32 // output
	RealTimeBuffersLost uint32 // output
	LoggerThreadId      windows.Handle // output: set by the OS, not the caller
	LogFileNameOffset   uint32 // byte offset from the start of this struct to the UTF-16 log file name, 0 if none
	LoggerNameOffset    uint32 // byte offset from the start of this struct to the UTF-16 session name
}
type MemoryRegionInfo ¶
// MemoryRegionInfo is a trimmed-down description of one memory region in a
// target process — presumably the subset of windows.MemoryBasicInformation
// that ScanMemoryRegions reports.
type MemoryRegionInfo struct {
	BaseAddress uintptr // start of the region in the *target* process; not a Go pointer and not dereferenceable locally
	RegionSize  uintptr // size of the region in bytes
	State       uint32  // presumably the MEM_COMMIT / MEM_RESERVE / MEM_FREE state — confirm against ScanMemoryRegions
	Protect     uint32  // PAGE_* protection flags; GetProtString renders them
	Type        uint32  // presumably MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE — confirm against ScanMemoryRegions
}
MemoryRegionInfo 简化的内存区域信息
func ScanMemoryRegions ¶
func ScanMemoryRegions(handle windows.Handle) ([]MemoryRegionInfo, error)
ScanMemoryRegions 扫描进程的内存区域,返回可读的区域列表
type STACKFRAME64 ¶
type SYSTEMTIME ¶
type SystemProcessInformationStruct ¶
// SystemProcessInformationStruct mirrors the fixed part of the Win32
// SYSTEM_PROCESS_INFORMATION record returned by NtQuerySystemInformation with
// the SystemProcessInformation class. It is a simplified definition: only the
// PID (UniqueProcessId) and the image name (ImageName) are consumed here, and
// the variable-length array of per-thread records that follows each entry in
// the buffer is not represented. Entries are chained by NextEntryOffset (0 on
// the last one); a reader must check each offset and ImageName.Buffer against
// the bounds of the buffer actually returned, not trust them blindly. Field
// order and widths define the ABI layout; do not reorder or resize them.
type SystemProcessInformationStruct struct {
	NextEntryOffset              uint32 // byte offset to the next entry, 0 for the last
	NumberOfThreads              uint32 // count of thread records that follow this entry
	WorkingSetPrivateSize        int64  // diff size
	HardFaultCount               uint32
	NumberOfThreadsHighWatermark uint32
	CycleTime                    uint64
	CreateTime                   int64
	UserTime                     int64
	KernelTime                   int64
	ImageName                    UnicodeString // windows.UnicodeString not always available; Buffer points into the same returned buffer
	BasePriority                 int32
	UniqueProcessId              uintptr // the PID, carried as a HANDLE-sized value
	InheritedFromUniqueProcessId uintptr // parent PID
	HandleCount                  uint32
	SessionId                    uint32
	UniqueProcessKey             uintptr
	PeakVirtualSize              uintptr
	VirtualSize                  uintptr
	PageFaultCount               uint32
	PeakWorkingSetSize           uintptr
	WorkingSetSize               uintptr
	QuotaPeakPagedPoolUsage      uintptr
	QuotaPagedPoolUsage          uintptr
	QuotaPeakNonPagedPoolUsage   uintptr
	QuotaNonPagedPoolUsage       uintptr
	PagefileUsage                uintptr
	PeakPagefileUsage            uintptr
	PrivatePageCount             uintptr
	ReadOperationCount           int64
	WriteOperationCount          int64
	OtherOperationCount          int64
	ReadTransferCount            int64
	WriteTransferCount           int64
	OtherTransferCount           int64
}
SystemProcessInformationStruct 简化定义,只取我们需要的 PID 和 Name。完整结构较为复杂,包含线程信息等。
type TIME_ZONE_INFORMATION ¶
// TIME_ZONE_INFORMATION mirrors the Win32 TIME_ZONE_INFORMATION structure; it
// is embedded in TRACE_LOGFILE_HEADER. Field order and widths define the ABI
// layout; do not reorder or resize them.
type TIME_ZONE_INFORMATION struct {
	Bias         int32      // minutes between UTC and local time
	StandardName [32]uint16 // UTF-16, NUL-terminated within the array
	StandardDate SYSTEMTIME
	StandardBias int32
	DaylightName [32]uint16 // UTF-16, NUL-terminated within the array
	DaylightDate SYSTEMTIME
	DaylightBias int32
}
type TRACE_LOGFILE_HEADER ¶
// TRACE_LOGFILE_HEADER mirrors the Win32 TRACE_LOGFILE_HEADER structure that
// ETW fills into EVENT_TRACE_LOGFILE.LogfileHeader. In the C definition
// Version overlays a VersionDetail struct, and StartBuffers..CpuSpeedInMHz
// overlay LogInstanceGuid; those unions are flattened here. Field order and
// widths define the ABI layout; do not reorder or resize them.
type TRACE_LOGFILE_HEADER struct {
	BufferSize         uint32
	Version            uint32 // union member (Version / VersionDetail)
	ProviderVersion    uint32
	NumberOfProcessors uint32
	EndTime            int64
	TimerResolution    uint32
	MaximumFileSize    uint32
	LogFileMode        uint32
	BuffersWritten     uint32
	StartBuffers       uint32 // these four overlay LogInstanceGuid in the C union
	PointerSize        uint32
	EventsLost         uint32
	CpuSpeedInMHz      uint32
	LoggerName         *uint16 // OS-owned UTF-16 string
	LogFileName        *uint16 // OS-owned UTF-16 string
	TimeZone           TIME_ZONE_INFORMATION
	BootTime           int64
	PerfFreq           int64
	StartTime          int64
	ReservedFlags      uint32
	BuffersLost        uint32
}
type UnicodeString ¶
type WINTRUST_DATA ¶
// WINTRUST_DATA mirrors the Win32 WINTRUST_DATA structure handed to
// WinVerifyTrust; its fields are unexported and presumably populated by
// VerifySignature from the WTD_* constants.
type WINTRUST_DATA struct {
	// contains filtered or unexported fields
}
type WINTRUST_FILE_INFO ¶
// WINTRUST_FILE_INFO mirrors the Win32 WINTRUST_FILE_INFO structure that
// WINTRUST_DATA refers to when WTD_CHOICE_FILE is selected; its fields are
// unexported.
type WINTRUST_FILE_INFO struct {
	// contains filtered or unexported fields
}