-
Notifications
You must be signed in to change notification settings - Fork 474
/
winapi.go
261 lines (209 loc) · 8.96 KB
/
winapi.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
//go:build windows
// +build windows
package process
import (
"reflect"
"syscall"
"unsafe"
"golang.org/x/sys/windows"
)
var (
modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
modntdll = windows.NewLazySystemDLL("ntdll.dll")
procIsProcessInJob = modkernel32.NewProc("IsProcessInJob")
procIsProcessInJobErr = procIsProcessInJob.Find()
procNtQueryObject = modntdll.NewProc("NtQueryObject")
procNtQueryObjectErr = procNtQueryObject.Find()
procNtQuerySystemInformation = modntdll.NewProc("NtQuerySystemInformation")
procNtQuerySystemInformationErr = procNtQuerySystemInformation.Find()
)
const (
// ObjectInformationClass values used to call NtQueryObject (https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryobject)
ObjectNameInformationClass = 0x1
ObjectTypeInformationClass = 0x2
// Includes all processes in the system in the snapshot. (https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot)
Th32csSnapProcess uint32 = 0x00000002
)
type API interface {
// IsProcessInJob determines whether the process is running in the specified job.
IsProcessInJob(procHandle windows.Handle, jobHandle windows.Handle, result *bool) error
// GetObjectType gets the object type of the given handle
GetObjectType(handle windows.Handle) (string, error)
// GetObjectName gets the object name of the given handle
GetObjectName(handle windows.Handle) (string, error)
// QuerySystemExtendedHandleInformation retrieves Extended handle system information.
QuerySystemExtendedHandleInformation() ([]SystemHandleInformationExItem, error)
// CurrentProcess returns the handle for the current process.
// It is a pseudo handle that does not need to be closed.
CurrentProcess() windows.Handle
// CloseHandle closes an open object handle.
CloseHandle(h windows.Handle) error
// OpenProcess returns an open handle
OpenProcess(desiredAccess uint32, inheritHandle bool, pID uint32) (windows.Handle, error)
// DuplicateHandle duplicates an object handle.
DuplicateHandle(hSourceProcessHandle windows.Handle, hSourceHandle windows.Handle, hTargetProcessHandle windows.Handle, lpTargetHandle *windows.Handle, dwDesiredAccess uint32, bInheritHandle bool, dwOptions uint32) error
// CreateToolhelp32Snapshot takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.
CreateToolhelp32Snapshot(flags uint32, pID uint32) (windows.Handle, error)
// Process32First retrieves information about the first process encountered in a system snapshot.
Process32First(snapshot windows.Handle, procEntry *windows.ProcessEntry32) error
// Process32Next retrieves information about the next process recorded in a system snapshot.
Process32Next(snapshot windows.Handle, procEntry *windows.ProcessEntry32) error
}
type api struct {
}
func (a *api) IsProcessInJob(procHandle windows.Handle, jobHandle windows.Handle, result *bool) error {
if procIsProcessInJobErr != nil {
return procIsProcessInJobErr
}
r1, _, e1 := syscall.SyscallN(procIsProcessInJob.Addr(), uintptr(procHandle), uintptr(jobHandle), uintptr(unsafe.Pointer(result)))
if r1 == 0 {
if e1 != 0 {
return e1
}
return syscall.EINVAL
}
return nil
}
// GetObjectType gets the object type of the given handle
func (a *api) GetObjectType(handle windows.Handle) (string, error) {
buffer := make([]byte, 1024*10)
length := uint32(0)
status := ntQueryObject(handle, ObjectTypeInformationClass,
&buffer[0], uint32(len(buffer)), &length)
if status != windows.STATUS_SUCCESS {
return "", status
}
return (*ObjectTypeInformation)(unsafe.Pointer(&buffer[0])).TypeName.String(), nil
}
// GetObjectName gets the object name of the given handle
func (a *api) GetObjectName(handle windows.Handle) (string, error) {
buffer := make([]byte, 1024*2)
var length uint32
status := ntQueryObject(handle, ObjectNameInformationClass,
&buffer[0], uint32(len(buffer)), &length)
if status != windows.STATUS_SUCCESS {
return "", status
}
return (*UnicodeString)(unsafe.Pointer(&buffer[0])).String(), nil
}
func (a *api) QuerySystemExtendedHandleInformation() ([]SystemHandleInformationExItem, error) {
buffer := make([]byte, 1024)
var retLen uint32
var status windows.NTStatus
for {
status = ntQuerySystemInformation(
windows.SystemExtendedHandleInformation,
unsafe.Pointer(&buffer[0]),
uint32(len(buffer)),
&retLen,
)
if status == windows.STATUS_BUFFER_OVERFLOW ||
status == windows.STATUS_BUFFER_TOO_SMALL ||
status == windows.STATUS_INFO_LENGTH_MISMATCH {
if int(retLen) <= cap(buffer) {
(*reflect.SliceHeader)(unsafe.Pointer(&buffer)).Len = int(retLen)
} else {
buffer = make([]byte, int(retLen))
}
continue
} else {
// if no error
break
}
}
if status>>30 != 3 {
buffer = (buffer)[:int(retLen)]
handlesList := (*SystemExtendedHandleInformation)(unsafe.Pointer(&buffer[0]))
handles := make([]SystemHandleInformationExItem, int(handlesList.NumberOfHandles))
hdr := (*reflect.SliceHeader)(unsafe.Pointer(&handles))
hdr.Data = uintptr(unsafe.Pointer(&handlesList.Handles[0]))
return handles, nil
}
return nil, status
}
func (a *api) OpenProcess(desiredAccess uint32, inheritHandle bool, pID uint32) (windows.Handle, error) {
return windows.OpenProcess(desiredAccess, inheritHandle, pID)
}
func (a *api) CloseHandle(h windows.Handle) error {
return windows.CloseHandle(h)
}
// CurrentProcess returns the handle for the current process.
// It is a pseudo handle that does not need to be closed.
func (a *api) CurrentProcess() windows.Handle {
return windows.CurrentProcess()
}
func (a *api) DuplicateHandle(hSourceProcessHandle windows.Handle, hSourceHandle windows.Handle, hTargetProcessHandle windows.Handle, lpTargetHandle *windows.Handle, dwDesiredAccess uint32, bInheritHandle bool, dwOptions uint32) error {
return windows.DuplicateHandle(hSourceProcessHandle, hSourceHandle, hTargetProcessHandle, lpTargetHandle, dwDesiredAccess, bInheritHandle, dwOptions)
}
func (a *api) CreateToolhelp32Snapshot(flags uint32, pID uint32) (windows.Handle, error) {
return windows.CreateToolhelp32Snapshot(flags, pID)
}
func (a *api) Process32First(snapshot windows.Handle, procEntry *windows.ProcessEntry32) error {
return windows.Process32First(snapshot, procEntry)
}
func (a *api) Process32Next(snapshot windows.Handle, procEntry *windows.ProcessEntry32) error {
return windows.Process32Next(snapshot, procEntry)
}
// System handle extended information item, returned by NtQuerySystemInformation (https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation)
type SystemHandleInformationExItem struct {
Object uintptr
UniqueProcessID uintptr
HandleValue uintptr
GrantedAccess uint32
CreatorBackTraceIndex uint16
ObjectTypeIndex uint16
HandleAttributes uint32
Reserved uint32
}
// System extended handle information summary, returned by NtQuerySystemInformation (https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation)
type SystemExtendedHandleInformation struct {
NumberOfHandles uintptr
Reserved uintptr
Handles [1]SystemHandleInformationExItem
}
// Object type returned by calling NtQueryObject function
type ObjectTypeInformation struct {
TypeName UnicodeString
TotalNumberOfObjects uint32
TotalNumberOfHandles uint32
TotalPagedPoolUsage uint32
TotalNonPagedPoolUsage uint32
}
// Unicode string returned by NtQueryObject calls (https://docs.microsoft.com/en-us/windows/win32/api/subauth/ns-subauth-unicode_string)
type UnicodeString struct {
Length uint16
AllocatedSize uint16
WString *byte
}
func (u UnicodeString) String() string {
defer func() {
// TODO: may we recover?
_ = recover()
}()
var data []uint16
sh := (*reflect.SliceHeader)(unsafe.Pointer(&data))
sh.Data = uintptr(unsafe.Pointer(u.WString))
sh.Len = int(u.Length * 2)
sh.Cap = int(u.Length * 2)
return windows.UTF16ToString(data)
}
func ntQueryObject(handle windows.Handle, objectInformationClass uint32, objectInformation *byte, objectInformationLength uint32, returnLength *uint32) (ntStatus windows.NTStatus) {
if procNtQueryObjectErr != nil {
return windows.STATUS_PROCEDURE_NOT_FOUND
}
r0, _, _ := syscall.SyscallN(procNtQueryObject.Addr(), uintptr(handle), uintptr(objectInformationClass), uintptr(unsafe.Pointer(objectInformation)), uintptr(objectInformationLength), uintptr(unsafe.Pointer(returnLength)), 0)
if r0 != 0 {
ntStatus = windows.NTStatus(r0)
}
return
}
func ntQuerySystemInformation(sysInfoClass int32, sysInfo unsafe.Pointer, sysInfoLen uint32, retLen *uint32) (ntstatus windows.NTStatus) {
if procNtQuerySystemInformationErr != nil {
return windows.STATUS_PROCEDURE_NOT_FOUND
}
r0, _, _ := syscall.SyscallN(procNtQuerySystemInformation.Addr(), uintptr(sysInfoClass), uintptr(sysInfo), uintptr(sysInfoLen), uintptr(unsafe.Pointer(retLen)), 0, 0)
if r0 != 0 {
ntstatus = windows.NTStatus(r0)
}
return
}