winapi

package module
v1.3.8
Published: Aug 13, 2025 License: MIT Imports: 16 Imported by: 1

README

go-native-syscall

available api

winapi
  • func UnhookNtdll() error
  • func DirectSyscall(functionName string, args ...uintptr) (uintptr, error)
  • func DirectSyscallByHash(functionHash uint32, args ...uintptr) (uintptr, error)
  • func GetCurrentProcessHandle() uintptr
  • func GetCurrentThreadHandle() uintptr
  • func GetCurrentProcessId() uintptr
  • func GetSyscallNumber(functionName string) uint16
  • func GetFunctionHash(functionName string) uint32
  • func GetSyscallWithValidation(functionName string) (uint16, bool, error)
  • func GuessSyscallNumber(functionName string) uint16
  • func PrewarmSyscallCache() error
  • func GetSyscallCacheSize() int
  • func GetSyscallCacheStats() map[string]interface{}
  • func SelfDel()
  • func StringToUTF16(s string) *uint16
  • func NtAllocateVirtualMemory(...) (uintptr, error)
  • func NtWriteVirtualMemory(...) (uintptr, error)
  • func NtReadVirtualMemory(...) (uintptr, error)
  • func NtProtectVirtualMemory(...) (uintptr, error)
  • func NtCreateThreadEx(...) (uintptr, error)
  • func NtOpenProcess(...) (uintptr, error)
  • func NtClose(handle uintptr) (uintptr, error)
  • func NtQuerySystemInformation(...) (uintptr, error)
  • func NtQueryInformationProcess(...) (uintptr, error)
  • func NtSetInformationProcess(...) (uintptr, error)
  • func NtCreateFile(...) (uintptr, error)
  • func NtWriteFile(...) (uintptr, error)
  • func NtReadFile(...) (uintptr, error)
  • func NtTerminateProcess(...) (uintptr, error)
  • func NtSuspendProcess(processHandle uintptr) (uintptr, error)
  • func NtResumeProcess(processHandle uintptr) (uintptr, error)
  • func NtCreateProcess(...) (uintptr, error)
  • func NtCreateThread(...) (uintptr, error)
  • func NtOpenThread(...) (uintptr, error)
  • func NtSuspendThread(...) (uintptr, error)
  • func NtResumeThread(...) (uintptr, error)
  • func NtTerminateThread(...) (uintptr, error)
  • func NtCreateSection(...) (uintptr, error)
  • func NtMapViewOfSection(...) (uintptr, error)
  • func NtUnmapViewOfSection(...) (uintptr, error)
  • func NtFreeVirtualMemory(...) (uintptr, error)
  • func NtQueryVirtualMemory(...) (uintptr, error)
  • func NtCreateKey(...) (uintptr, error)
  • func NtOpenKey(...) (uintptr, error)
  • func NtDeleteKey(keyHandle uintptr) (uintptr, error)
  • func NtSetValueKey(...) (uintptr, error)
  • func NtQueryValueKey(...) (uintptr, error)
  • func NtDeleteValueKey(...) (uintptr, error)
  • func NtOpenProcessToken(...) (uintptr, error)
  • func NtOpenThreadToken(...) (uintptr, error)
  • func NtQueryInformationToken(...) (uintptr, error)
  • func NtSetInformationToken(...) (uintptr, error)
  • func NtAdjustPrivilegesToken(...) (uintptr, error)
  • func NtDuplicateObject(...) (uintptr, error)
  • func NtQueryObject(...) (uintptr, error)
  • func NtSetSystemInformation(...) (uintptr, error)
  • func NtQuerySystemTime(systemTime *uint64) (uintptr, error)
  • func NtSetSystemTime(...) (uintptr, error)
  • func NtCreateEvent(...) (uintptr, error)
  • func NtOpenEvent(...) (uintptr, error)
  • func NtSetEvent(...) (uintptr, error)
  • func NtResetEvent(...) (uintptr, error)
  • func NtWaitForSingleObject(...) (uintptr, error)
  • func NtWaitForMultipleObjects(...) (uintptr, error)
  • func NtDeleteFile(objectAttributes uintptr) (uintptr, error)
  • func NtQueryDirectoryFile(...) (uintptr, error)
  • func NtQueryInformationFile(...) (uintptr, error)
  • func NtSetInformationFile(...) (uintptr, error)
  • func NtDeviceIoControlFile(...) (uintptr, error)
  • func NtRemoveIoCompletion(...) (uintptr, error)
  • func NtReleaseSemaphore(...) (uintptr, error)
  • func NtReplyWaitReceivePort(...) (uintptr, error)
  • func NtReplyPort(...) (uintptr, error)
  • func NtSetInformationThread(...) (uintptr, error)
  • func NtQueryInformationThread(...) (uintptr, error)
  • func NtFlushInstructionCache(...) (uintptr, error)
  • func NtSetEventBoostPriority(eventHandle uintptr) (uintptr, error)
  • func NtQueryPerformanceCounter(...) (uintptr, error)
  • func NtOpenThreadTokenEx(...) (uintptr, error)
  • func NtOpenProcessTokenEx(...) (uintptr, error)
  • func DumpAllSyscalls() ([]SyscallInfo, error)
  • func DumpAllNtdllFunctions() ([]FunctionInfo, error)
  • func PrewarmNtdllCache() error
  • func GetNtdllCacheSize() int
  • func GetNtdllCacheStats() map[string]interface{}
  • func ClearNtdllCache()
  • func DumpAllSyscallsWithFiles() ([]SyscallInfo, error)
  • func NtInjectSelfShellcode(shellcode []byte) error
  • func NtInjectRemote(processHandle uintptr, payload []byte) error
winapi_indirect
  • func IndirectSyscall(functionName string, args ...uintptr) (uintptr, error)
  • func IndirectSyscallByHash(functionHash uint32, args ...uintptr) (uintptr, error)
  • func SelfDelIndirect()
  • func NtInjectSelfShellcodeIndirect(shellcode []byte) error
  • func OriginalNtInjectSelfShellcodeIndirect(payload []byte) error
  • func NtInjectRemoteIndirect(processHandle uintptr, payload []byte) error
  • (Provides indirect-call versions of all Nt functions, e.g., NtAllocateVirtualMemoryIndirect)*
winapi_privesc
  • func ScanPrivilegeEscalationVectors() (*PrivEscMap, error)
  • func ScanWeakPermissions() ([]WeakPermission, error)
  • func FindPrivilegedProcesses() ([]ProcessInfo, error)
  • func ImpersonateAndExecute(targetProcess ProcessInfo, shellcode []byte) error
winapi_exp
  • func ExploitBinaryPlanting(vectors []EscalationVector, options ExploitOptions) []ExploitResult
  • func ExploitServiceReplacement(vectors []EscalationVector, options ExploitOptions) []ExploitResult
  • func ExploitTaskScheduler(vectors []EscalationVector, options ExploitOptions) []ExploitResult
  • func ExploitVectors(vectors []EscalationVector, options ExploitOptions) *ExploitSession
  • func AutoExploit(escMap *PrivEscMap, payload []byte, testMode bool) *ExploitSession
  • func GetExploitableVectors(escMap *PrivEscMap) []EscalationVector
patches
  • func PatchAMSI() error
  • func PatchETW() error
  • func PatchDbgUiRemoteBreakin() error
  • func PatchNtTraceEvent() error
  • func PatchNtSystemDebugControl() error
  • func ApplyAllPatches() (successful []string, failed map[string]error)
  • func ApplyCriticalPatches() (successful []string, failed map[string]error)
  • func CreateRunKey() error
pkg/obf
  • func GetHash(input string) uint32
  • func GetHashW(input *uint16) uint32
  • func GetWString(s string) *uint16
pkg/syscall
  • func HashSyscall(functionHash uint32, args ...uintptr) (r1, r2 uintptr, err error)
  • func HashIndirectSyscall(functionHash uint32, args ...uintptr) (r1, r2 uintptr, err error)
pkg/syscallresolve
  • func GetSyscallNumber(functionHash uint32) uint16
  • func GetSyscallWithValidation(functionHash uint32) (uint16, bool, error)
  • func GuessSyscallNumber(functionHash uint32) uint16
  • func GetFunctionAddress(moduleBase uintptr, functionHash uint32) uintptr
  • func GetModuleBase(moduleHash uint32) uintptr
  • func PrewarmSyscallCache() error
  • func GetSyscallCacheSize() int
pkg/unhook
  • func UnhookNtdll() error
constants
  • provides various windows constants for memory, process/thread access, files, tokens, and other objects. also includes core data structures like unicode_string, object_attributes, and process_basic_information.

technical details

this project provides a comprehensive toolkit for low-level windows interaction in go, focusing on direct and indirect syscall execution. it dynamically resolves syscall numbers by parsing ntdll.dll from memory, using djb2 hashing for function name obfuscation. this method avoids reliance on the standard library and makes it resilient to api hooking by user-mode edr solutions. the library includes functionality for memory operations, process and thread manipulation, token impersonation, and registry modification. it also features defense-evasion capabilities such as amsi and etw patching, along with offensive modules for discovering and exploiting privilege escalation vectors like binary planting, service replacement, and task hijacking. the design emphasizes performance and operational security, with features like syscall caching, function pre-warming, and robust error handling.

Documentation

Overview

Package winapi provides direct Windows API syscalls using assembly and PE parsing

Package winapi - Exploitation Module. Provides core functionality for exploiting privilege escalation vectors.

Package winapi provides indirect Windows API syscalls using assembly and PE parsing. This module implements indirect syscalls that jump to syscall instructions in ntdll.

Package winapi - Privilege Escalation Discovery Module. Provides core functionality for discovering privilege escalation vectors.

Index

Constants

// Memory allocation types: flags passed as the allocationType argument of
// NtAllocateVirtualMemory (and the free type for NtFreeVirtualMemory).
// Several may be OR-ed together (e.g. MEM_COMMIT | MEM_RESERVE).
const (
	MEM_COMMIT      = 0x1000
	MEM_RESERVE     = 0x2000
	MEM_DECOMMIT    = 0x4000
	MEM_RELEASE     = 0x8000
	MEM_FREE        = 0x10000
	MEM_PRIVATE     = 0x20000
	MEM_MAPPED      = 0x40000
	MEM_RESET       = 0x80000
	MEM_TOP_DOWN    = 0x100000
	MEM_WRITE_WATCH = 0x200000
	MEM_PHYSICAL    = 0x400000
	MEM_LARGE_PAGES = 0x20000000
)

Memory allocation types

// Memory protection constants: values for the protect argument of
// NtAllocateVirtualMemory and NtProtectVirtualMemory. The low byte selects
// one access level; PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE are
// modifier bits OR-ed onto it.
const (
	PAGE_NOACCESS          = 0x01
	PAGE_READONLY          = 0x02
	PAGE_READWRITE         = 0x04
	PAGE_WRITECOPY         = 0x08
	PAGE_EXECUTE           = 0x10
	PAGE_EXECUTE_READ      = 0x20
	PAGE_EXECUTE_READWRITE = 0x40
	PAGE_EXECUTE_WRITECOPY = 0x80
	PAGE_GUARD             = 0x100
	PAGE_NOCACHE           = 0x200
	PAGE_WRITECOMBINE      = 0x400
)

Memory protection constants

// Process access rights: desiredAccess bits for NtOpenProcess and related
// process-handle wrappers. Request the minimum set needed rather than
// PROCESS_ALL_ACCESS where possible.
const (
	PROCESS_TERMINATE                 = 0x0001
	PROCESS_CREATE_THREAD             = 0x0002
	PROCESS_SET_SESSIONID             = 0x0004
	PROCESS_VM_OPERATION              = 0x0008
	PROCESS_VM_READ                   = 0x0010
	PROCESS_VM_WRITE                  = 0x0020
	PROCESS_DUP_HANDLE                = 0x0040
	PROCESS_CREATE_PROCESS            = 0x0080
	PROCESS_SET_QUOTA                 = 0x0100
	PROCESS_SET_INFORMATION           = 0x0200
	PROCESS_QUERY_INFORMATION         = 0x0400
	PROCESS_SUSPEND_RESUME            = 0x0800
	PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
	// STANDARD_RIGHTS_REQUIRED (0x000F0000) | SYNCHRONIZE (0x00100000) | all specific rights = 0x001FFFFF
	PROCESS_ALL_ACCESS                = 0x000F0000 | 0x00100000 | 0xFFFF
)

Process access rights

// Thread access rights: desiredAccess bits for NtOpenThread and related
// thread-handle wrappers.
const (
	THREAD_TERMINATE                 = 0x0001
	THREAD_SUSPEND_RESUME            = 0x0002
	THREAD_GET_CONTEXT               = 0x0008
	THREAD_SET_CONTEXT               = 0x0010
	THREAD_SET_INFORMATION           = 0x0020
	THREAD_QUERY_INFORMATION         = 0x0040
	THREAD_SET_THREAD_TOKEN          = 0x0080
	THREAD_IMPERSONATE               = 0x0100
	THREAD_DIRECT_IMPERSONATION      = 0x0200
	THREAD_SET_LIMITED_INFORMATION   = 0x0400
	THREAD_QUERY_LIMITED_INFORMATION = 0x0800
	// STANDARD_RIGHTS_REQUIRED (0x000F0000) | SYNCHRONIZE (0x00100000) | all specific rights = 0x001FFFFF
	THREAD_ALL_ACCESS                = 0x000F0000 | 0x00100000 | 0xFFFF
)

Thread access rights

// Generic and standard access rights shared by every securable object type.
// The standard rights occupy bits 16-20, GENERIC_* the top four bits, and
// the object-specific rights (PROCESS_*, FILE_*, TOKEN_* ...) the low 16 bits.
const (
	DELETE                   = 0x00010000
	READ_CONTROL             = 0x00020000
	WRITE_DAC                = 0x00040000
	WRITE_OWNER              = 0x00080000
	SYNCHRONIZE              = 0x00100000
	STANDARD_RIGHTS_REQUIRED = 0x000F0000
	// All three STANDARD_RIGHTS_{READ,WRITE,EXECUTE} resolve to READ_CONTROL.
	STANDARD_RIGHTS_READ     = READ_CONTROL
	STANDARD_RIGHTS_WRITE    = READ_CONTROL
	STANDARD_RIGHTS_EXECUTE  = READ_CONTROL
	STANDARD_RIGHTS_ALL      = 0x001F0000
	SPECIFIC_RIGHTS_ALL      = 0x0000FFFF
	ACCESS_SYSTEM_SECURITY   = 0x01000000
	MAXIMUM_ALLOWED          = 0x02000000
	GENERIC_READ             = 0x80000000
	GENERIC_WRITE            = 0x40000000
	GENERIC_EXECUTE          = 0x20000000
	GENERIC_ALL              = 0x10000000
)

Generic access rights

// File access rights: desiredAccess bits for NtCreateFile. Several bits carry
// two names because their meaning differs for files and directories
// (e.g. FILE_READ_DATA vs FILE_LIST_DIRECTORY on 0x0001).
const (
	FILE_READ_DATA            = 0x0001
	FILE_LIST_DIRECTORY       = 0x0001
	FILE_WRITE_DATA           = 0x0002
	FILE_ADD_FILE             = 0x0002
	FILE_APPEND_DATA          = 0x0004
	FILE_ADD_SUBDIRECTORY     = 0x0004
	FILE_CREATE_PIPE_INSTANCE = 0x0004
	FILE_READ_EA              = 0x0008
	FILE_WRITE_EA             = 0x0010
	FILE_EXECUTE              = 0x0020
	FILE_TRAVERSE             = 0x0020
	FILE_DELETE_CHILD         = 0x0040
	FILE_READ_ATTRIBUTES      = 0x0080
	FILE_WRITE_ATTRIBUTES     = 0x0100
	// Composite masks built from the standard rights above plus the file-specific bits.
	FILE_ALL_ACCESS           = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF
	FILE_GENERIC_READ         = STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
	FILE_GENERIC_WRITE        = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE
	FILE_GENERIC_EXECUTE      = STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
)

File access rights

// File share access: shareAccess bits for NtCreateFile controlling which
// operations other opens of the same file may perform concurrently.
const (
	FILE_SHARE_READ   = 0x00000001
	FILE_SHARE_WRITE  = 0x00000002
	FILE_SHARE_DELETE = 0x00000004
)

File share access

// File creation disposition: createDisposition values for NtCreateFile.
// Unlike the flag groups above these are exclusive enumerators, not bits.
const (
	FILE_SUPERSEDE    = 0x00000000
	FILE_OPEN         = 0x00000001
	FILE_CREATE       = 0x00000002
	FILE_OPEN_IF      = 0x00000003
	FILE_OVERWRITE    = 0x00000004
	FILE_OVERWRITE_IF = 0x00000005
)

File creation disposition

// File creation options: createOptions flags for NtCreateFile.
// FILE_SYNCHRONOUS_IO_NONALERT is the usual choice when the caller wants the
// wrapper to behave synchronously; FILE_DELETE_ON_CLOSE removes the file when
// the last handle closes.
const (
	FILE_DIRECTORY_FILE            = 0x00000001
	FILE_WRITE_THROUGH             = 0x00000002
	FILE_SEQUENTIAL_ONLY           = 0x00000004
	FILE_NO_INTERMEDIATE_BUFFERING = 0x00000008
	FILE_SYNCHRONOUS_IO_ALERT      = 0x00000010
	FILE_SYNCHRONOUS_IO_NONALERT   = 0x00000020
	FILE_NON_DIRECTORY_FILE        = 0x00000040
	FILE_CREATE_TREE_CONNECTION    = 0x00000080
	FILE_COMPLETE_IF_OPLOCKED      = 0x00000100
	FILE_NO_EA_KNOWLEDGE           = 0x00000200
	FILE_OPEN_FOR_RECOVERY         = 0x00000400
	FILE_RANDOM_ACCESS             = 0x00000800
	FILE_DELETE_ON_CLOSE           = 0x00001000
	FILE_OPEN_BY_FILE_ID           = 0x00002000
	FILE_OPEN_FOR_BACKUP_INTENT    = 0x00004000
	FILE_NO_COMPRESSION            = 0x00008000
	FILE_RESERVE_OPFILTER          = 0x00100000
	FILE_OPEN_REPARSE_POINT        = 0x00200000
	FILE_OPEN_NO_RECALL            = 0x00400000
	FILE_OPEN_FOR_FREE_SPACE_QUERY = 0x00800000
)

File creation options

// File attributes: fileAttributes bits for NtCreateFile and the attribute
// field of the file information classes.
const (
	FILE_ATTRIBUTE_READONLY              = 0x00000001
	FILE_ATTRIBUTE_HIDDEN                = 0x00000002
	FILE_ATTRIBUTE_SYSTEM                = 0x00000004
	FILE_ATTRIBUTE_DIRECTORY             = 0x00000010
	FILE_ATTRIBUTE_ARCHIVE               = 0x00000020
	FILE_ATTRIBUTE_DEVICE                = 0x00000040
	FILE_ATTRIBUTE_NORMAL                = 0x00000080
	FILE_ATTRIBUTE_TEMPORARY             = 0x00000100
	FILE_ATTRIBUTE_SPARSE_FILE           = 0x00000200
	FILE_ATTRIBUTE_REPARSE_POINT         = 0x00000400
	FILE_ATTRIBUTE_COMPRESSED            = 0x00000800
	FILE_ATTRIBUTE_OFFLINE               = 0x00001000
	FILE_ATTRIBUTE_NOT_CONTENT_INDEXED   = 0x00002000
	FILE_ATTRIBUTE_ENCRYPTED             = 0x00004000
	FILE_ATTRIBUTE_INTEGRITY_STREAM      = 0x00008000
	FILE_ATTRIBUTE_VIRTUAL               = 0x00010000
	FILE_ATTRIBUTE_NO_SCRUB_DATA         = 0x00020000
	FILE_ATTRIBUTE_RECALL_ON_OPEN        = 0x00040000
	FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000
)

File attributes

// System information classes: SystemInformationClass values for
// NtQuerySystemInformation / NtSetSystemInformation. Only the first twelve
// classes are defined here; callers needing others must add them.
const (
	SystemBasicInformation                = 0
	SystemProcessorInformation            = 1
	SystemPerformanceInformation          = 2
	SystemTimeOfDayInformation            = 3
	SystemPathInformation                 = 4
	SystemProcessInformation              = 5
	SystemCallCountInformation            = 6
	SystemDeviceInformation               = 7
	SystemProcessorPerformanceInformation = 8
	SystemFlagsInformation                = 9
	SystemCallTimeInformation             = 10
	SystemModuleInformation               = 11
)

System information classes

// Process information classes: ProcessInformationClass values for
// NtQueryInformationProcess / NtSetInformationProcess. The buffer layout
// expected for each class differs; ProcessBasicInformation pairs with the
// process_basic_information structure described in the constants package.
const (
	ProcessBasicInformation           = 0
	ProcessQuotaLimits                = 1
	ProcessIoCounters                 = 2
	ProcessVmCounters                 = 3
	ProcessTimes                      = 4
	ProcessBasePriority               = 5
	ProcessRaisePriority              = 6
	ProcessDebugPort                  = 7
	ProcessExceptionPort              = 8
	ProcessAccessToken                = 9
	ProcessLdtInformation             = 10
	ProcessLdtSize                    = 11
	ProcessDefaultHardErrorMode       = 12
	ProcessIoPortHandlers             = 13
	ProcessPooledUsageAndLimits       = 14
	ProcessWorkingSetWatch            = 15
	ProcessUserModeIOPL               = 16
	ProcessEnableAlignmentFaultFixup  = 17
	ProcessPriorityClass              = 18
	ProcessWx86Information            = 19
	ProcessHandleCount                = 20
	ProcessAffinityMask               = 21
	ProcessPriorityBoost              = 22
	ProcessDeviceMap                  = 23
	ProcessSessionInformation         = 24
	ProcessForegroundInformation      = 25
	ProcessWow64Information           = 26
	ProcessImageFileName              = 27
	ProcessLUIDDeviceMapsEnabled      = 28
	ProcessBreakOnTermination         = 29
	ProcessDebugObjectHandle          = 30
	ProcessDebugFlags                 = 31
	ProcessHandleTracing              = 32
	ProcessIoPriority                 = 33
	ProcessExecuteFlags               = 34
	ProcessResourceManagement         = 35
	ProcessCookie                     = 36
	ProcessImageInformation           = 37
	ProcessCycleTime                  = 38
	ProcessPagePriority               = 39
	ProcessInstrumentationCallback    = 40
	ProcessThreadStackAllocation      = 41
	ProcessWorkingSetWatchEx          = 42
	ProcessImageFileNameWin32         = 43
	ProcessImageFileMapping           = 44
	ProcessAffinityUpdateMode         = 45
	ProcessMemoryAllocationMode       = 46
	ProcessGroupInformation           = 47
	ProcessTokenVirtualizationEnabled = 48
	ProcessConsoleHostProcess         = 49
	ProcessWindowInformation          = 50
)

Process information classes

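// NTSTATUS codes returned by the Nt* wrappers. The severity is encoded in the
// top two bits: 00 success, 01 informational, 10 warning, 11 error; use
// IsNTStatusSuccess / IsNTStatusWarning / IsNTStatusError rather than
// comparing against STATUS_SUCCESS alone. The table is not sorted by value.
const (
	STATUS_SUCCESS                  = 0x00000000
	STATUS_BUFFER_OVERFLOW          = 0x80000005 // warning severity: data was truncated
	STATUS_INFO_LENGTH_MISMATCH     = 0xC0000004
	STATUS_ACCESS_VIOLATION         = 0xC0000005
	STATUS_INVALID_HANDLE           = 0xC0000008
	STATUS_INVALID_PARAMETER        = 0xC000000D
	STATUS_NO_MEMORY                = 0xC0000017
	STATUS_ACCESS_DENIED            = 0xC0000022
	STATUS_BUFFER_TOO_SMALL         = 0xC0000023
	STATUS_OBJECT_TYPE_MISMATCH     = 0xC0000024
	STATUS_OBJECT_NAME_INVALID      = 0xC0000033
	STATUS_OBJECT_PATH_SYNTAX_BAD   = 0xC000003B
	STATUS_INVALID_PAGE_PROTECTION  = 0xC0000045
	STATUS_MUTANT_NOT_OWNED         = 0xC0000046
	STATUS_SEMAPHORE_LIMIT_EXCEEDED = 0xC0000047
	STATUS_PORT_ALREADY_SET         = 0xC0000048
	STATUS_SECTION_NOT_EXTENDED     = 0xC0000087
	STATUS_INVALID_VIEW_SIZE        = 0xC000001F
	STATUS_ALREADY_COMMITTED        = 0xC0000021
	// STATUS_TIMEOUT is a success-severity status (same value as WAIT_TIMEOUT).
	// It was previously defined as 0xC0000102, an unrelated error-severity
	// code, so a timed-out NtWaitForSingleObject/NtWaitForMultipleObjects
	// never compared equal to this constant.
	STATUS_TIMEOUT                  = 0x00000102
)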

NTSTATUS codes

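// Wait constants: timeout and result values for NtWaitForSingleObject /
// NtWaitForMultipleObjects.
const (
	INFINITE = 0xFFFFFFFF

	// Wait result constants
	WAIT_OBJECT_0  = 0x00000000
	WAIT_ABANDONED = 0x00000080
	WAIT_TIMEOUT   = 0x00000102
	WAIT_FAILED    = 0xFFFFFFFF

	// Timeout values (in 100ns units).
	// Negative values indicate relative timeouts; the kernel reads the
	// LARGE_INTEGER as signed, so the two's-complement bit pattern is stored
	// in a uint64. 10 s = 100,000,000 * 100 ns, i.e. -100,000,000 ==
	// 0xFFFFFFFFFA0A1F00. (The former literal 0xFFFFFFFF9502F900 is
	// -1,794,967,296, roughly a 179 s wait.)
	TIMEOUT_10_SECONDS = ^uint64(100000000) + 1
)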

Wait constants

// Thread creation flags: createFlags bits for NtCreateThreadEx.
// Note the gaps at 0x08 and 0x40; those bit positions are not defined here.
const (
	THREAD_CREATE_FLAGS_CREATE_SUSPENDED        = 0x00000001
	THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH      = 0x00000002
	THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER      = 0x00000004
	THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR = 0x00000010
	THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET  = 0x00000020
	THREAD_CREATE_FLAGS_INITIAL_THREAD          = 0x00000080
)

Thread creation flags

// Token access rights: desiredAccess bits for NtOpenProcessToken,
// NtOpenThreadToken and their *Ex variants. TOKEN_ALL_ACCESS is the union of
// STANDARD_RIGHTS_REQUIRED and every token-specific right below.
const (
	TOKEN_ASSIGN_PRIMARY    = 0x0001
	TOKEN_DUPLICATE         = 0x0002
	TOKEN_IMPERSONATE       = 0x0004
	TOKEN_QUERY             = 0x0008
	TOKEN_QUERY_SOURCE      = 0x0010
	TOKEN_ADJUST_PRIVILEGES = 0x0020
	TOKEN_ADJUST_GROUPS     = 0x0040
	TOKEN_ADJUST_DEFAULT    = 0x0080
	TOKEN_ADJUST_SESSIONID  = 0x0100
	TOKEN_ALL_ACCESS        = STANDARD_RIGHTS_REQUIRED |
		TOKEN_ASSIGN_PRIMARY |
		TOKEN_DUPLICATE |
		TOKEN_IMPERSONATE |
		TOKEN_QUERY |
		TOKEN_QUERY_SOURCE |
		TOKEN_ADJUST_PRIVILEGES |
		TOKEN_ADJUST_GROUPS |
		TOKEN_ADJUST_DEFAULT |
		TOKEN_ADJUST_SESSIONID
)

Token access rights

// Pseudo-handle constants: the -1 / -2 pseudo-handles that refer to the
// calling process and thread without a real handle-table entry, so they
// need not (and must not) be passed to NtClose.
// NOTE(review): presumably what GetCurrentProcessHandle / GetCurrentThreadHandle
// return — confirm against their implementations.
const (
	CURRENT_PROCESS = ^uintptr(0) // 0xFFFFFFFFFFFFFFFF
	CURRENT_THREAD  = ^uintptr(1) // 0xFFFFFFFFFFFFFFFE
)

Pseudo-handle constants

// Section access rights: desiredAccess bits for NtCreateSection and the
// section handle passed to NtMapViewOfSection.
const (
	SECTION_QUERY                = 0x0001
	SECTION_MAP_WRITE            = 0x0002
	SECTION_MAP_READ             = 0x0004
	SECTION_MAP_EXECUTE          = 0x0008
	SECTION_EXTEND_SIZE          = 0x0010
	SECTION_MAP_EXECUTE_EXPLICIT = 0x0020
	// SECTION_ALL_ACCESS deliberately omits SECTION_MAP_EXECUTE_EXPLICIT.
	SECTION_ALL_ACCESS           = STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_WRITE | SECTION_MAP_READ | SECTION_MAP_EXECUTE | SECTION_EXTEND_SIZE
)

Section access rights

// Section allocation attributes: allocationAttributes flags for
// NtCreateSection. SEC_COMMIT or SEC_RESERVE selects the backing mode;
// SEC_IMAGE maps a file as a PE image.
const (
	SEC_BASED           = 0x00200000
	SEC_NO_CHANGE       = 0x00400000
	SEC_FILE            = 0x00800000
	SEC_IMAGE           = 0x01000000
	SEC_PROTECTED_IMAGE = 0x02000000
	SEC_RESERVE         = 0x04000000
	SEC_COMMIT          = 0x08000000
	SEC_NOCACHE         = 0x10000000
	SEC_WRITECOMBINE    = 0x40000000
	SEC_LARGE_PAGES     = 0x80000000
)

Section allocation attributes

// Section inherit disposition: InheritDisposition values for
// NtMapViewOfSection, controlling whether child processes inherit the view.
const (
	ViewShare = 1
	ViewUnmap = 2
)

Section inherit disposition

// Object attributes flags: Attributes bits of the object_attributes
// structure passed to the NtCreate*/NtOpen* wrappers. OBJ_VALID_ATTRIBUTES
// is the mask of every bit defined here.
const (
	OBJ_INHERIT            = 0x00000002
	OBJ_PERMANENT          = 0x00000010
	OBJ_EXCLUSIVE          = 0x00000020
	OBJ_CASE_INSENSITIVE   = 0x00000040
	OBJ_OPENIF             = 0x00000080
	OBJ_OPENLINK           = 0x00000100
	OBJ_KERNEL_HANDLE      = 0x00000200
	OBJ_FORCE_ACCESS_CHECK = 0x00000400
	OBJ_VALID_ATTRIBUTES   = 0x000007F2
)

Object attributes flags

// File information classes: FileInformationClass values for
// NtQueryInformationFile, NtSetInformationFile and NtQueryDirectoryFile.
// Numbering starts at 1 (there is no class 0).
const (
	FileDirectoryInformation       = 1
	FileFullDirectoryInformation   = 2
	FileBothDirectoryInformation   = 3
	FileBasicInformation           = 4
	FileStandardInformation        = 5
	FileInternalInformation        = 6
	FileEaInformation              = 7
	FileAccessInformation          = 8
	FileNameInformation            = 9
	FileRenameInformation          = 10
	FileLinkInformation            = 11
	FileNamesInformation           = 12
	FileDispositionInformation     = 13
	FilePositionInformation        = 14
	FileFullEaInformation          = 15
	FileModeInformation            = 16
	FileAlignmentInformation       = 17
	FileAllInformation             = 18
	FileAllocationInformation      = 19
	FileEndOfFileInformation       = 20
	FileAlternateNameInformation   = 21
	FileStreamInformation          = 22
	FilePipeInformation            = 23
	FilePipeLocalInformation       = 24
	FilePipeRemoteInformation      = 25
	FileMailslotQueryInformation   = 26
	FileMailslotSetInformation     = 27
	FileCompressionInformation     = 28
	FileObjectIdInformation        = 29
	FileCompletionInformation      = 30
	FileMoveClusterInformation     = 31
	FileQuotaInformation           = 32
	FileReparsePointInformation    = 33
	FileNetworkOpenInformation     = 34
	FileAttributeTagInformation    = 35
	FileTrackingInformation        = 36
	FileIdBothDirectoryInformation = 37
	FileIdFullDirectoryInformation = 38
	FileValidDataLengthInformation = 39
	FileShortNameInformation       = 40
)

File information classes for NtSetInformationFile

// Thread information classes: ThreadInformationClass values for
// NtQueryInformationThread / NtSetInformationThread. Declared with iota, so
// ThreadBasicInformation = 0 and ThreadHideFromDebugger = 17; inserting a
// name mid-list would silently renumber everything after it.
const (
	ThreadBasicInformation = iota
	ThreadTimes
	ThreadPriority
	ThreadBasePriority
	ThreadAffinityMask
	ThreadImpersonationToken
	ThreadDescriptorTableEntry
	ThreadEnableAlignmentFaultFixup
	ThreadEventPair
	ThreadQuerySetWin32StartAddress
	ThreadZeroTlsCell
	ThreadPerformanceCount
	ThreadAmILastThread
	ThreadIdealProcessor
	ThreadPriorityBoost
	ThreadSetTlsArrayAddress
	ThreadIsIoPending
	ThreadHideFromDebugger
)

Thread information classes

// Token information classes: TokenInformationClass values for
// NtQueryInformationToken / NtSetInformationToken. Declared with iota + 1,
// so TokenUser = 1 and TokenOrigin = 17; the order must match the kernel's
// enumeration exactly.
const (
	TokenUser = iota + 1
	TokenGroups
	TokenPrivileges
	TokenOwner
	TokenPrimaryGroup
	TokenDefaultDacl
	TokenSource
	TokenType
	TokenImpersonationLevel
	TokenStatistics
	TokenRestrictedSids
	TokenSessionId
	TokenGroupsAndPrivileges
	TokenSessionReference
	TokenSandBoxInert
	TokenAuditPolicy
	TokenOrigin
)

Token information classes

// Privilege constants (LUID values): the low part of the LUID that names
// each privilege in the LUID_AND_ATTRIBUTES entries passed to
// NtAdjustPrivilegesToken. These are not bit flags; numbering starts at 2.
const (
	SE_CREATE_TOKEN_PRIVILEGE        = 2
	SE_ASSIGNPRIMARYTOKEN_PRIVILEGE  = 3
	SE_LOCK_MEMORY_PRIVILEGE         = 4
	SE_INCREASE_QUOTA_PRIVILEGE      = 5
	SE_MACHINE_ACCOUNT_PRIVILEGE     = 6
	SE_TCB_PRIVILEGE                 = 7
	SE_SECURITY_PRIVILEGE            = 8
	SE_TAKE_OWNERSHIP_PRIVILEGE      = 9
	SE_LOAD_DRIVER_PRIVILEGE         = 10
	SE_SYSTEM_PROFILE_PRIVILEGE      = 11
	SE_SYSTEMTIME_PRIVILEGE          = 12
	SE_PROF_SINGLE_PROCESS_PRIVILEGE = 13
	SE_INC_BASE_PRIORITY_PRIVILEGE   = 14
	SE_CREATE_PAGEFILE_PRIVILEGE     = 15
	SE_CREATE_PERMANENT_PRIVILEGE    = 16
	SE_BACKUP_PRIVILEGE              = 17
	SE_RESTORE_PRIVILEGE             = 18
	SE_SHUTDOWN_PRIVILEGE            = 19
	SE_DEBUG_PRIVILEGE               = 20
	SE_AUDIT_PRIVILEGE               = 21
	SE_SYSTEM_ENVIRONMENT_PRIVILEGE  = 22
	SE_CHANGE_NOTIFY_PRIVILEGE       = 23
	SE_REMOTE_SHUTDOWN_PRIVILEGE     = 24
)

Privilege constants (LUID values)

// Registry constants used by the NtCreateKey / NtSetValueKey wrappers.
// KEY_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED (0xF0000) | all key-specific
// rights (0x3F); REG_SZ is the value type for a NUL-terminated UTF-16 string.
const (
	KEY_ALL_ACCESS          = 0xF003F
	REG_OPTION_NON_VOLATILE = 0
	REG_SZ                  = 1
)

Registry constants

// Additional NTSTATUS codes for token operations. STATUS_NO_TOKEN is returned
// by NtOpenThreadToken when the thread is not impersonating; it is
// error-severity (top bits 11) and is kept separate from the main NTSTATUS
// table above.
const (
	STATUS_NO_TOKEN = 0xC000007C
)

Additional NTSTATUS codes for token operations

Variables

This section is empty.

Functions

func ApplyAllPatches

func ApplyAllPatches() (successful []string, failed map[string]error)

ApplyAllPatches applies all security bypass patches and returns a summary

func ApplyCriticalPatches

func ApplyCriticalPatches() (successful []string, failed map[string]error)

ApplyCriticalPatches applies only the most important patches (AMSI and ETW). These are the safest to apply after allocation and before injection; ETW has sometimes been observed to interfere with memory allocation, for reasons that are not understood.

func ClearNtdllCache

func ClearNtdllCache()

ClearNtdllCache clears the function cache (useful for testing or memory cleanup)

func CreateRunKey added in v1.3.2

func CreateRunKey() error

func DirectSyscall

func DirectSyscall(functionName string, args ...uintptr) (uintptr, error)

DirectSyscall executes a direct syscall by function name. This is the main function library users should use.

func DirectSyscallByHash

func DirectSyscallByHash(functionHash uint32, args ...uintptr) (uintptr, error)

DirectSyscallByHash executes a direct syscall by function name hash. Useful for obfuscation when you want to pre-compute hashes.

func FormatNTStatus

func FormatNTStatus(status uintptr) string

func GetCurrentProcessHandle

func GetCurrentProcessHandle() uintptr

GetCurrentProcessHandle returns the pseudo-handle for the current process

func GetCurrentProcessId

func GetCurrentProcessId() uintptr

GetCurrentProcessId returns the current process ID

func GetCurrentThreadHandle

func GetCurrentThreadHandle() uintptr

GetCurrentThreadHandle returns the pseudo-handle for the current thread

func GetFunctionHash

func GetFunctionHash(functionName string) uint32

GetFunctionHash returns the hash for a function name. Useful for pre-computing hashes for obfuscation.

func GetNtdllCacheSize

func GetNtdllCacheSize() int

GetNtdllCacheSize returns the number of cached ntdll functions

func GetNtdllCacheStats

func GetNtdllCacheStats() map[string]interface{}

GetNtdllCacheStats returns detailed cache statistics

func GetSyscallCacheSize

func GetSyscallCacheSize() int

GetSyscallCacheSize returns the number of cached syscall numbers

func GetSyscallCacheStats

func GetSyscallCacheStats() map[string]interface{}

GetSyscallCacheStats returns detailed cache statistics

func GetSyscallNumber

func GetSyscallNumber(functionName string) uint16

GetSyscallNumber returns the syscall number for a given function name. Useful for debugging or when you need the raw syscall number.

func GetSyscallWithValidation

func GetSyscallWithValidation(functionName string) (uint16, bool, error)

GetSyscallWithValidation provides enhanced syscall resolution with validation. Returns the syscall number, validation status, and any errors.

func GuessSyscallNumber

func GuessSyscallNumber(functionName string) uint16

GuessSyscallNumber attempts to infer a syscall number for a hooked function by finding clean left and right neighbors and interpolating the missing number. This function is particularly useful when functions are hooked and normal syscall resolution fails.

func ImpersonateAndExecute

func ImpersonateAndExecute(targetProcess ProcessInfo, shellcode []byte) error

ImpersonateAndExecute performs token impersonation and executes shellcode

func IndirectSyscall

func IndirectSyscall(functionName string, args ...uintptr) (uintptr, error)

IndirectSyscall executes an indirect syscall by function name. This jumps to the syscall instruction in ntdll instead of executing syscall directly.

func IndirectSyscallByHash

func IndirectSyscallByHash(functionHash uint32, args ...uintptr) (uintptr, error)

IndirectSyscallByHash executes an indirect syscall by function name hash. Useful for obfuscation when you want to pre-compute hashes.

func IsNTStatusError

func IsNTStatusError(status uintptr) bool

IsNTStatusError checks if an NTSTATUS code indicates an error

func IsNTStatusSuccess

func IsNTStatusSuccess(status uintptr) bool

IsNTStatusSuccess checks if an NTSTATUS code indicates success

func IsNTStatusWarning

func IsNTStatusWarning(status uintptr) bool

IsNTStatusWarning checks if an NTSTATUS code indicates a warning

func NtAdjustPrivilegesToken

func NtAdjustPrivilegesToken(tokenHandle uintptr, disableAllPrivileges bool, newState unsafe.Pointer, bufferLength uintptr, previousState unsafe.Pointer, returnLength *uintptr) (uintptr, error)

NtAdjustPrivilegesToken adjusts token privileges

func NtAdjustPrivilegesTokenIndirect

func NtAdjustPrivilegesTokenIndirect(tokenHandle uintptr, disableAllPrivileges bool, newState unsafe.Pointer, bufferLength uintptr, previousState unsafe.Pointer, returnLength *uintptr) (uintptr, error)

NtAdjustPrivilegesTokenIndirect adjusts token privileges (indirect-syscall variant of NtAdjustPrivilegesToken)

func NtAllocateVirtualMemory

func NtAllocateVirtualMemory(processHandle uintptr, baseAddress *uintptr, zeroBits uintptr, regionSize *uintptr, allocationType, protect uintptr) (uintptr, error)

NtAllocateVirtualMemory allocates memory in a process

func NtAllocateVirtualMemoryIndirect

func NtAllocateVirtualMemoryIndirect(processHandle uintptr, baseAddress *uintptr, zeroBits uintptr, regionSize *uintptr, allocationType, protect uintptr) (uintptr, error)

NtAllocateVirtualMemoryIndirect allocates memory in a process (indirect-syscall variant of NtAllocateVirtualMemory)

func NtClose

func NtClose(handle uintptr) (uintptr, error)

NtClose closes a handle

func NtCloseIndirect

func NtCloseIndirect(handle uintptr) (uintptr, error)

NtCloseIndirect closes a handle (indirect-syscall variant of NtClose)

func NtCreateEvent

func NtCreateEvent(eventHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, eventType uintptr, initialState bool) (uintptr, error)

NtCreateEvent creates an event object

func NtCreateEventIndirect

func NtCreateEventIndirect(eventHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, eventType uintptr, initialState bool) (uintptr, error)

NtCreateEventIndirect creates an event object (indirect-syscall variant of NtCreateEvent)

func NtCreateFile

func NtCreateFile(fileHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, ioStatusBlock uintptr, allocationSize *uint64, fileAttributes uintptr, shareAccess uintptr, createDisposition uintptr, createOptions uintptr, eaBuffer unsafe.Pointer, eaLength uintptr) (uintptr, error)

NtCreateFile creates or opens a file

func NtCreateFileIndirect

func NtCreateFileIndirect(fileHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, ioStatusBlock uintptr, allocationSize *uint64, fileAttributes uintptr, shareAccess uintptr, createDisposition uintptr, createOptions uintptr, eaBuffer unsafe.Pointer, eaLength uintptr) (uintptr, error)

NtCreateFileIndirect creates or opens a file (indirect-syscall variant of NtCreateFile)

func NtCreateKey

func NtCreateKey(keyHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, titleIndex uintptr, class uintptr, createOptions uintptr, disposition *uintptr) (uintptr, error)

NtCreateKey creates or opens a registry key

func NtCreateKeyIndirect

func NtCreateKeyIndirect(keyHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, titleIndex uintptr, class uintptr, createOptions uintptr, disposition *uintptr) (uintptr, error)

NtCreateKeyIndirect creates or opens a registry key (indirect-syscall variant of NtCreateKey)

func NtCreateProcess

func NtCreateProcess(processHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, parentProcess uintptr, inheritObjectTable bool, sectionHandle uintptr, debugPort uintptr, exceptionPort uintptr) (uintptr, error)

NtCreateProcess creates a new process

func NtCreateProcessIndirect

func NtCreateProcessIndirect(processHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, parentProcess uintptr, inheritObjectTable bool, sectionHandle uintptr, debugPort uintptr, exceptionPort uintptr) (uintptr, error)

NtCreateProcessIndirect creates a new process (indirect-syscall variant of NtCreateProcess)

func NtCreateSection

func NtCreateSection(sectionHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, maximumSize *uint64, sectionPageProtection uintptr, allocationAttributes uintptr, fileHandle uintptr) (uintptr, error)

NtCreateSection creates a section object

func NtCreateSectionIndirect

func NtCreateSectionIndirect(sectionHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, maximumSize *uint64, sectionPageProtection uintptr, allocationAttributes uintptr, fileHandle uintptr) (uintptr, error)

NtCreateSectionIndirect creates a section object (indirect-syscall variant of NtCreateSection)

func NtCreateThread

func NtCreateThread(threadHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, processHandle uintptr, startAddress uintptr, arg uintptr, createSuspended bool, zeroBits uintptr, stackSize uintptr, maximumStackSize uintptr, initialTeb uintptr) (uintptr, error)

NtCreateThread creates a thread in a process

func NtCreateThreadEx

func NtCreateThreadEx(threadHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, processHandle uintptr, startAddress uintptr, arg uintptr, createFlags uintptr, zeroBits uintptr, stackSize uintptr, maximumStackSize uintptr, attributeList uintptr) (uintptr, error)

NtCreateThreadEx creates a thread in a process

func NtCreateThreadExIndirect

func NtCreateThreadExIndirect(threadHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, processHandle uintptr, startAddress uintptr, arg uintptr, createFlags uintptr, zeroBits uintptr, stackSize uintptr, maximumStackSize uintptr, attributeList uintptr) (uintptr, error)

NtCreateThreadExIndirect creates a thread in a process (indirect-syscall variant of NtCreateThreadEx)

func NtCreateThreadIndirect

func NtCreateThreadIndirect(threadHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, processHandle uintptr, startAddress uintptr, arg uintptr, createSuspended bool, zeroBits uintptr, stackSize uintptr, maximumStackSize uintptr, initialTeb uintptr) (uintptr, error)

NtCreateThreadIndirect creates a thread in a process (indirect-syscall variant of NtCreateThread)

func NtDeleteFile

func NtDeleteFile(objectAttributes uintptr) (uintptr, error)

NtDeleteFile deletes a file

func NtDeleteFileIndirect

func NtDeleteFileIndirect(objectAttributes uintptr) (uintptr, error)

NtDeleteFileIndirect deletes a file (indirect-syscall variant of NtDeleteFile)

func NtDeleteKey

func NtDeleteKey(keyHandle uintptr) (uintptr, error)

NtDeleteKey deletes a registry key

func NtDeleteKeyIndirect

func NtDeleteKeyIndirect(keyHandle uintptr) (uintptr, error)

NtDeleteKeyIndirect deletes a registry key (indirect-syscall variant of NtDeleteKey)

func NtDeleteValueKey

func NtDeleteValueKey(keyHandle uintptr, valueName uintptr) (uintptr, error)

NtDeleteValueKey deletes a registry value

func NtDeleteValueKeyIndirect

func NtDeleteValueKeyIndirect(keyHandle uintptr, valueName uintptr) (uintptr, error)

NtDeleteValueKeyIndirect deletes a registry value (indirect-syscall variant of NtDeleteValueKey)

func NtDeviceIoControlFile

func NtDeviceIoControlFile(fileHandle uintptr, event uintptr, apcRoutine uintptr, apcContext uintptr, ioStatusBlock uintptr, ioControlCode uintptr, inputBuffer unsafe.Pointer, inputBufferLength uintptr, outputBuffer unsafe.Pointer, outputBufferLength uintptr) (uintptr, error)

NtDeviceIoControlFile performs an I/O control operation on a file

func NtDeviceIoControlFileIndirect

func NtDeviceIoControlFileIndirect(fileHandle uintptr, event uintptr, apcRoutine uintptr, apcContext uintptr, ioStatusBlock uintptr, ioControlCode uintptr, inputBuffer unsafe.Pointer, inputBufferLength uintptr, outputBuffer unsafe.Pointer, outputBufferLength uintptr) (uintptr, error)

NtDeviceIoControlFileIndirect performs an I/O control operation on a file (indirect-syscall variant of NtDeviceIoControlFile)

func NtDuplicateObject

func NtDuplicateObject(sourceProcessHandle uintptr, sourceHandle uintptr, targetProcessHandle uintptr, targetHandle *uintptr, desiredAccess uintptr, inheritHandle bool, options uintptr) (uintptr, error)

NtDuplicateObject duplicates an object handle

func NtDuplicateObjectIndirect

func NtDuplicateObjectIndirect(sourceProcessHandle uintptr, sourceHandle uintptr, targetProcessHandle uintptr, targetHandle *uintptr, desiredAccess uintptr, inheritHandle bool, options uintptr) (uintptr, error)

NtDuplicateObjectIndirect duplicates an object handle (indirect-syscall variant of NtDuplicateObject)

func NtFlushInstructionCache

func NtFlushInstructionCache(processHandle uintptr, baseAddress uintptr, size uintptr) (uintptr, error)

NtFlushInstructionCache flushes the instruction cache for the specified process. This is critical for code injection scenarios to ensure cache coherency.

func NtFlushInstructionCacheIndirect

func NtFlushInstructionCacheIndirect(processHandle uintptr, baseAddress uintptr, size uintptr) (uintptr, error)

NtFlushInstructionCacheIndirect flushes the instruction cache for the specified process (indirect-syscall variant of NtFlushInstructionCache). This is critical for code injection scenarios to ensure cache coherency.

func NtFreeVirtualMemory

func NtFreeVirtualMemory(processHandle uintptr, baseAddress *uintptr, regionSize *uintptr, freeType uintptr) (uintptr, error)

NtFreeVirtualMemory frees virtual memory

func NtFreeVirtualMemoryIndirect

func NtFreeVirtualMemoryIndirect(processHandle uintptr, baseAddress *uintptr, regionSize *uintptr, freeType uintptr) (uintptr, error)

NtFreeVirtualMemoryIndirect frees virtual memory (indirect-syscall variant of NtFreeVirtualMemory)

func NtInjectRemote

func NtInjectRemote(processHandle uintptr, payload []byte) error

NtInjectRemote injects shellcode into a remote process using direct syscalls ONLY This function follows the proven pattern: allocate RW -> copy -> change to RX -> create thread processHandle: Handle to the target process (must have PROCESS_ALL_ACCESS or appropriate rights) payload: The shellcode bytes to inject

func NtInjectRemoteIndirect

func NtInjectRemoteIndirect(processHandle uintptr, payload []byte) error

NtInjectRemote injects shellcode into a remote process using direct syscalls ONLY This function follows the proven pattern: allocate RW -> copy -> change to RX -> create thread processHandle: Handle to the target process (must have PROCESS_ALL_ACCESS or appropriate rights) payload: The shellcode bytes to inject

func NtInjectSelfShellcode

func NtInjectSelfShellcode(shellcode []byte) error

PROBLEM: Go's garbage collector allocates byte slices in virtual memory regions that Windows NT syscalls (specifically NtWriteVirtualMemory) sometimes refuse to read from, causing intermittent STATUS_INVALID_PARAMETER (0x8000000D) errors. The same shellcode payload may work on one run and fail on the next, depending on where Go places it in memory.

SOLUTION:
1. First attempt: allocate "syscall-friendly" memory using NtAllocateVirtualMemory.
2. Copy the shellcode from Go memory into the Windows-allocated memory.
3. Execute the injection using the Windows-allocated copy.
4. Fallback: if the Windows allocation fails, use the original Go-memory method.
5. Always clean up the allocated memory.

This pattern achieves 100% reliability (in my testing) by ensuring the source memory is always in a region that Windows syscalls can read from, while maintaining backward compatibility through the fallback mechanism.

NOTE: OriginalNtInjectSelfShellcode() contains the original implementation without the memory compatibility layer, used as the fallback method.

func NtInjectSelfShellcodeIndirect

func NtInjectSelfShellcodeIndirect(shellcode []byte) error

NtInjectSelfShellcodeIndirect injects shellcode into the current process using indirect syscalls. It implements the same "safe memory" pattern as the direct-syscall version (NtInjectSelfShellcode) to handle the Go GC memory-placement issue described there.

func NtMapViewOfSection

func NtMapViewOfSection(sectionHandle uintptr, processHandle uintptr, baseAddress *uintptr, zeroBits uintptr, commitSize uintptr, sectionOffset *uint64, viewSize *uintptr, inheritDisposition uintptr, allocationType uintptr, win32Protect uintptr) (uintptr, error)

NtMapViewOfSection maps a view of a section

func NtMapViewOfSectionIndirect

func NtMapViewOfSectionIndirect(sectionHandle uintptr, processHandle uintptr, baseAddress *uintptr, zeroBits uintptr, commitSize uintptr, sectionOffset *uint64, viewSize *uintptr, inheritDisposition uintptr, allocationType uintptr, win32Protect uintptr) (uintptr, error)

NtMapViewOfSectionIndirect maps a view of a section (indirect-syscall variant of NtMapViewOfSection)

func NtOpenEvent

func NtOpenEvent(eventHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr) (uintptr, error)

NtOpenEvent opens an event object

func NtOpenEventIndirect

func NtOpenEventIndirect(eventHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr) (uintptr, error)

NtOpenEventIndirect opens an event object (indirect-syscall variant of NtOpenEvent)

func NtOpenKey

func NtOpenKey(keyHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr) (uintptr, error)

NtOpenKey opens a registry key

func NtOpenKeyIndirect

func NtOpenKeyIndirect(keyHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr) (uintptr, error)

NtOpenKeyIndirect opens a registry key (indirect-syscall variant of NtOpenKey)

func NtOpenProcess

func NtOpenProcess(processHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, clientId uintptr) (uintptr, error)

NtOpenProcess opens a handle to a process

func NtOpenProcessIndirect

func NtOpenProcessIndirect(processHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, clientId uintptr) (uintptr, error)

NtOpenProcessIndirect opens a handle to a process (indirect-syscall variant of NtOpenProcess)

func NtOpenProcessToken

func NtOpenProcessToken(processHandle uintptr, desiredAccess uintptr, tokenHandle *uintptr) (uintptr, error)

NtOpenProcessToken opens a process token

func NtOpenProcessTokenEx

func NtOpenProcessTokenEx(processHandle uintptr, desiredAccess uintptr, handleAttributes uintptr, tokenHandle *uintptr) (uintptr, error)

NtOpenProcessTokenEx opens the access token associated with a process with extended parameters

func NtOpenProcessTokenExIndirect

func NtOpenProcessTokenExIndirect(processHandle uintptr, desiredAccess uintptr, handleAttributes uintptr, tokenHandle *uintptr) (uintptr, error)

NtOpenProcessTokenExIndirect opens the access token associated with a process, with extended parameters (indirect-syscall variant of NtOpenProcessTokenEx)

func NtOpenProcessTokenIndirect

func NtOpenProcessTokenIndirect(processHandle uintptr, desiredAccess uintptr, tokenHandle *uintptr) (uintptr, error)

NtOpenProcessTokenIndirect opens a process token (indirect-syscall variant of NtOpenProcessToken)

func NtOpenThread

func NtOpenThread(threadHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, clientId uintptr) (uintptr, error)

NtOpenThread opens a handle to a thread

func NtOpenThreadIndirect

func NtOpenThreadIndirect(threadHandle *uintptr, desiredAccess uintptr, objectAttributes uintptr, clientId uintptr) (uintptr, error)

NtOpenThreadIndirect opens a handle to a thread (indirect-syscall variant of NtOpenThread)

func NtOpenThreadToken

func NtOpenThreadToken(threadHandle uintptr, desiredAccess uintptr, openAsSelf bool, tokenHandle *uintptr) (uintptr, error)

NtOpenThreadToken opens a thread token

func NtOpenThreadTokenEx

func NtOpenThreadTokenEx(threadHandle uintptr, desiredAccess uintptr, openAsSelf bool, handleAttributes uintptr, tokenHandle *uintptr) (uintptr, error)

NtOpenThreadTokenEx opens the access token associated with a thread with extended parameters

func NtOpenThreadTokenExIndirect

func NtOpenThreadTokenExIndirect(threadHandle uintptr, desiredAccess uintptr, openAsSelf bool, handleAttributes uintptr, tokenHandle *uintptr) (uintptr, error)

NtOpenThreadTokenExIndirect opens the access token associated with a thread, with extended parameters (indirect-syscall variant of NtOpenThreadTokenEx)

func NtOpenThreadTokenIndirect

func NtOpenThreadTokenIndirect(threadHandle uintptr, desiredAccess uintptr, openAsSelf bool, tokenHandle *uintptr) (uintptr, error)

NtOpenThreadTokenIndirect opens a thread token (indirect-syscall variant of NtOpenThreadToken)

func NtProtectVirtualMemory

func NtProtectVirtualMemory(processHandle uintptr, baseAddress *uintptr, regionSize *uintptr, newProtect uintptr, oldProtect *uintptr) (uintptr, error)

NtProtectVirtualMemory changes memory protection

func NtProtectVirtualMemoryIndirect

func NtProtectVirtualMemoryIndirect(processHandle uintptr, baseAddress *uintptr, regionSize *uintptr, newProtect uintptr, oldProtect *uintptr) (uintptr, error)

NtProtectVirtualMemoryIndirect changes memory protection (indirect-syscall variant of NtProtectVirtualMemory)

func NtQueryDirectoryFile

func NtQueryDirectoryFile(fileHandle uintptr, event uintptr, apcRoutine uintptr, apcContext uintptr, ioStatusBlock uintptr, fileInformation unsafe.Pointer, length uintptr, fileInformationClass uintptr, returnSingleEntry bool, fileName uintptr, restartScan bool) (uintptr, error)

NtQueryDirectoryFile queries directory contents

func NtQueryDirectoryFileIndirect

func NtQueryDirectoryFileIndirect(fileHandle uintptr, event uintptr, apcRoutine uintptr, apcContext uintptr, ioStatusBlock uintptr, fileInformation unsafe.Pointer, length uintptr, fileInformationClass uintptr, returnSingleEntry bool, fileName uintptr, restartScan bool) (uintptr, error)

NtQueryDirectoryFileIndirect queries directory contents (indirect-syscall variant of NtQueryDirectoryFile)

func NtQueryInformationFile

func NtQueryInformationFile(fileHandle uintptr, ioStatusBlock uintptr, fileInformation unsafe.Pointer, length uintptr, fileInformationClass uintptr) (uintptr, error)

NtQueryInformationFile queries file information

func NtQueryInformationFileIndirect

func NtQueryInformationFileIndirect(fileHandle uintptr, ioStatusBlock uintptr, fileInformation unsafe.Pointer, length uintptr, fileInformationClass uintptr) (uintptr, error)

NtQueryInformationFileIndirect queries file information (indirect-syscall variant of NtQueryInformationFile)

func NtQueryInformationProcess

func NtQueryInformationProcess(processHandle uintptr, processInformationClass uintptr, processInformation unsafe.Pointer, processInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryInformationProcess queries process information

func NtQueryInformationProcessIndirect

func NtQueryInformationProcessIndirect(processHandle uintptr, processInformationClass uintptr, processInformation unsafe.Pointer, processInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryInformationProcessIndirect queries process information (indirect-syscall variant of NtQueryInformationProcess)

func NtQueryInformationThread

func NtQueryInformationThread(threadHandle uintptr, threadInformationClass uintptr, threadInformation unsafe.Pointer, threadInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryInformationThread queries information about a thread

func NtQueryInformationThreadIndirect

func NtQueryInformationThreadIndirect(threadHandle uintptr, threadInformationClass uintptr, threadInformation unsafe.Pointer, threadInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryInformationThreadIndirect queries information about a thread (indirect-syscall variant of NtQueryInformationThread)

func NtQueryInformationToken

func NtQueryInformationToken(tokenHandle uintptr, tokenInformationClass uintptr, tokenInformation unsafe.Pointer, tokenInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryInformationToken queries token information

func NtQueryInformationTokenIndirect

func NtQueryInformationTokenIndirect(tokenHandle uintptr, tokenInformationClass uintptr, tokenInformation unsafe.Pointer, tokenInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryInformationTokenIndirect queries token information (indirect-syscall variant of NtQueryInformationToken)

func NtQueryObject

func NtQueryObject(handle uintptr, objectInformationClass uintptr, objectInformation unsafe.Pointer, objectInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryObject queries information about an object

func NtQueryObjectIndirect

func NtQueryObjectIndirect(handle uintptr, objectInformationClass uintptr, objectInformation unsafe.Pointer, objectInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryObjectIndirect queries information about an object (indirect-syscall variant of NtQueryObject)

func NtQueryPerformanceCounter

func NtQueryPerformanceCounter(performanceCounter *uint64, performanceFrequency *uint64) (uintptr, error)

NtQueryPerformanceCounter queries the performance counter

func NtQueryPerformanceCounterIndirect

func NtQueryPerformanceCounterIndirect(performanceCounter *uint64, performanceFrequency *uint64) (uintptr, error)

NtQueryPerformanceCounterIndirect queries the performance counter (indirect-syscall variant of NtQueryPerformanceCounter)

func NtQuerySystemInformation

func NtQuerySystemInformation(systemInformationClass uintptr, systemInformation unsafe.Pointer, systemInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQuerySystemInformation queries system information

func NtQuerySystemInformationIndirect

func NtQuerySystemInformationIndirect(systemInformationClass uintptr, systemInformation unsafe.Pointer, systemInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQuerySystemInformationIndirect queries system information (indirect-syscall variant of NtQuerySystemInformation)

func NtQuerySystemTime

func NtQuerySystemTime(systemTime *uint64) (uintptr, error)

NtQuerySystemTime queries system time

func NtQuerySystemTimeIndirect

func NtQuerySystemTimeIndirect(systemTime *uint64) (uintptr, error)

NtQuerySystemTimeIndirect queries system time (indirect-syscall variant of NtQuerySystemTime)

func NtQueryValueKey

func NtQueryValueKey(keyHandle uintptr, valueName uintptr, keyValueInformationClass uintptr, keyValueInformation unsafe.Pointer, length uintptr, resultLength *uintptr) (uintptr, error)

NtQueryValueKey queries a registry value

func NtQueryValueKeyIndirect

func NtQueryValueKeyIndirect(keyHandle uintptr, valueName uintptr, keyValueInformationClass uintptr, keyValueInformation unsafe.Pointer, length uintptr, resultLength *uintptr) (uintptr, error)

NtQueryValueKeyIndirect queries a registry value (indirect-syscall variant of NtQueryValueKey)

func NtQueryVirtualMemory

func NtQueryVirtualMemory(processHandle uintptr, baseAddress uintptr, memoryInformationClass uintptr, memoryInformation unsafe.Pointer, memoryInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryVirtualMemory queries virtual memory information

func NtQueryVirtualMemoryIndirect

func NtQueryVirtualMemoryIndirect(processHandle uintptr, baseAddress uintptr, memoryInformationClass uintptr, memoryInformation unsafe.Pointer, memoryInformationLength uintptr, returnLength *uintptr) (uintptr, error)

NtQueryVirtualMemoryIndirect queries virtual memory information (indirect-syscall variant of NtQueryVirtualMemory)

func NtReadFile

func NtReadFile(fileHandle uintptr, event uintptr, apcRoutine uintptr, apcContext uintptr, ioStatusBlock uintptr, buffer unsafe.Pointer, length uintptr, byteOffset *uint64, key *uintptr) (uintptr, error)

NtReadFile reads from a file

func NtReadFileIndirect

func NtReadFileIndirect(fileHandle uintptr, event uintptr, apcRoutine uintptr, apcContext uintptr, ioStatusBlock uintptr, buffer unsafe.Pointer, length uintptr, byteOffset *uint64, key *uintptr) (uintptr, error)

NtReadFileIndirect reads from a file (indirect-syscall variant of NtReadFile)

func NtReadVirtualMemory

func NtReadVirtualMemory(processHandle uintptr, baseAddress uintptr, buffer unsafe.Pointer, size uintptr, bytesRead *uintptr) (uintptr, error)

NtReadVirtualMemory reads from memory in a process

func NtReadVirtualMemoryIndirect

func NtReadVirtualMemoryIndirect(processHandle uintptr, baseAddress uintptr, buffer unsafe.Pointer, size uintptr, bytesRead *uintptr) (uintptr, error)

NtReadVirtualMemoryIndirect reads from memory in a process (indirect-syscall variant of NtReadVirtualMemory)

func NtReleaseSemaphore

func NtReleaseSemaphore(semaphoreHandle uintptr, releaseCount uintptr, previousCount *uintptr) (uintptr, error)

NtReleaseSemaphore releases a semaphore object

func NtReleaseSemaphoreIndirect

func NtReleaseSemaphoreIndirect(semaphoreHandle uintptr, releaseCount uintptr, previousCount *uintptr) (uintptr, error)

NtReleaseSemaphoreIndirect releases a semaphore object (indirect-syscall variant of NtReleaseSemaphore)

func NtRemoveIoCompletion

func NtRemoveIoCompletion(portHandle uintptr, keyPtr *uintptr, apcContextPtr *uintptr, ioStatusBlock uintptr, timeout *uint64) (uintptr, error)

NtRemoveIoCompletion removes a completed I/O operation from an I/O completion port

func NtRemoveIoCompletionIndirect

func NtRemoveIoCompletionIndirect(portHandle uintptr, keyPtr *uintptr, apcContextPtr *uintptr, ioStatusBlock uintptr, timeout *uint64) (uintptr, error)

NtRemoveIoCompletionIndirect removes a completed I/O operation from an I/O completion port (indirect-syscall variant of NtRemoveIoCompletion)

func NtReplyPort

func NtReplyPort(portHandle uintptr, replyMessage uintptr) (uintptr, error)

NtReplyPort sends a reply message to a port

func NtReplyPortIndirect

func NtReplyPortIndirect(portHandle uintptr, replyMessage uintptr) (uintptr, error)

NtReplyPortIndirect sends a reply message to a port (indirect-syscall variant of NtReplyPort)

func NtReplyWaitReceivePort

func NtReplyWaitReceivePort(portHandle uintptr, portContext *uintptr, replyMessage uintptr, receiveMessage uintptr) (uintptr, error)

NtReplyWaitReceivePort waits for and receives a message on a port, optionally sending a reply

func NtReplyWaitReceivePortIndirect

func NtReplyWaitReceivePortIndirect(portHandle uintptr, portContext *uintptr, replyMessage uintptr, receiveMessage uintptr) (uintptr, error)

NtReplyWaitReceivePortIndirect waits for and receives a message on a port, optionally sending a reply (indirect-syscall variant of NtReplyWaitReceivePort)

func NtResetEvent

func NtResetEvent(eventHandle uintptr, previousState *uintptr) (uintptr, error)

NtResetEvent resets an event to non-signaled state

func NtResetEventIndirect

func NtResetEventIndirect(eventHandle uintptr, previousState *uintptr) (uintptr, error)

NtResetEventIndirect resets an event to the non-signaled state (indirect-syscall variant of NtResetEvent)

func NtResumeProcess

func NtResumeProcess(processHandle uintptr) (uintptr, error)

NtResumeProcess resumes all threads in a process

func NtResumeProcessIndirect

func NtResumeProcessIndirect(processHandle uintptr) (uintptr, error)

NtResumeProcessIndirect resumes all threads in a process (indirect-syscall variant of NtResumeProcess)

func NtResumeThread

func NtResumeThread(threadHandle uintptr, previousSuspendCount *uintptr) (uintptr, error)

NtResumeThread resumes a thread

func NtResumeThreadIndirect

func NtResumeThreadIndirect(threadHandle uintptr, previousSuspendCount *uintptr) (uintptr, error)

NtResumeThreadIndirect resumes a thread (indirect-syscall variant of NtResumeThread)

func NtSetEvent

func NtSetEvent(eventHandle uintptr, previousState *uintptr) (uintptr, error)

NtSetEvent sets an event to signaled state

func NtSetEventBoostPriority

func NtSetEventBoostPriority(eventHandle uintptr) (uintptr, error)

NtSetEventBoostPriority temporarily boosts the priority of waiting threads

func NtSetEventBoostPriorityIndirect

func NtSetEventBoostPriorityIndirect(eventHandle uintptr) (uintptr, error)

NtSetEventBoostPriorityIndirect temporarily boosts the priority of waiting threads (indirect-syscall variant of NtSetEventBoostPriority)

func NtSetEventIndirect

func NtSetEventIndirect(eventHandle uintptr, previousState *uintptr) (uintptr, error)

NtSetEventIndirect sets an event to the signaled state (indirect-syscall variant of NtSetEvent)

func NtSetInformationFile

func NtSetInformationFile(fileHandle uintptr, ioStatusBlock uintptr, fileInformation unsafe.Pointer, length uintptr, fileInformationClass uintptr) (uintptr, error)

NtSetInformationFile sets file information

func NtSetInformationFileIndirect

func NtSetInformationFileIndirect(fileHandle uintptr, ioStatusBlock uintptr, fileInformation unsafe.Pointer, length uintptr, fileInformationClass uintptr) (uintptr, error)

NtSetInformationFileIndirect sets file information (indirect-syscall variant of NtSetInformationFile)

func NtSetInformationProcess

func NtSetInformationProcess(processHandle uintptr, processInformationClass uintptr, processInformation unsafe.Pointer, processInformationLength uintptr) (uintptr, error)

NtSetInformationProcess sets process information

func NtSetInformationProcessIndirect

func NtSetInformationProcessIndirect(processHandle uintptr, processInformationClass uintptr, processInformation unsafe.Pointer, processInformationLength uintptr) (uintptr, error)

NtSetInformationProcessIndirect sets process information (indirect-syscall variant of NtSetInformationProcess)

func NtSetInformationThread

func NtSetInformationThread(threadHandle uintptr, threadInformationClass uintptr, threadInformation unsafe.Pointer, threadInformationLength uintptr) (uintptr, error)

NtSetInformationThread sets information about a thread

func NtSetInformationThreadIndirect

func NtSetInformationThreadIndirect(threadHandle uintptr, threadInformationClass uintptr, threadInformation unsafe.Pointer, threadInformationLength uintptr) (uintptr, error)

NtSetInformationThreadIndirect sets information about a thread (indirect-syscall variant of NtSetInformationThread)

func NtSetInformationToken

func NtSetInformationToken(tokenHandle uintptr, tokenInformationClass uintptr, tokenInformation unsafe.Pointer, tokenInformationLength uintptr) (uintptr, error)

NtSetInformationToken sets token information

func NtSetInformationTokenIndirect

func NtSetInformationTokenIndirect(tokenHandle uintptr, tokenInformationClass uintptr, tokenInformation unsafe.Pointer, tokenInformationLength uintptr) (uintptr, error)

NtSetInformationTokenIndirect sets token information (indirect-syscall variant of NtSetInformationToken)

func NtSetSystemInformation

func NtSetSystemInformation(systemInformationClass uintptr, systemInformation unsafe.Pointer, systemInformationLength uintptr) (uintptr, error)

NtSetSystemInformation sets system information

func NtSetSystemInformationIndirect

func NtSetSystemInformationIndirect(systemInformationClass uintptr, systemInformation unsafe.Pointer, systemInformationLength uintptr) (uintptr, error)

NtSetSystemInformationIndirect sets system information (indirect-syscall variant of NtSetSystemInformation)

func NtSetSystemTime

func NtSetSystemTime(systemTime *uint64, previousTime *uint64) (uintptr, error)

NtSetSystemTime sets system time

func NtSetSystemTimeIndirect

func NtSetSystemTimeIndirect(systemTime *uint64, previousTime *uint64) (uintptr, error)

NtSetSystemTimeIndirect sets the system time (indirect-syscall variant of NtSetSystemTime)

func NtSetValueKey

func NtSetValueKey(keyHandle uintptr, valueName uintptr, titleIndex uintptr, dataType uintptr, data unsafe.Pointer, dataSize uintptr) (uintptr, error)

NtSetValueKey sets a registry value

func NtSetValueKeyIndirect

func NtSetValueKeyIndirect(keyHandle uintptr, valueName uintptr, titleIndex uintptr, dataType uintptr, data unsafe.Pointer, dataSize uintptr) (uintptr, error)

NtSetValueKeyIndirect sets a registry value (indirect-syscall variant of NtSetValueKey)

func NtSuspendProcess

func NtSuspendProcess(processHandle uintptr) (uintptr, error)

NtSuspendProcess suspends all threads in a process

func NtSuspendProcessIndirect

func NtSuspendProcessIndirect(processHandle uintptr) (uintptr, error)

NtSuspendProcessIndirect suspends all threads in a process (indirect-syscall variant of NtSuspendProcess)

func NtSuspendThread

func NtSuspendThread(threadHandle uintptr, previousSuspendCount *uintptr) (uintptr, error)

NtSuspendThread suspends a thread

func NtSuspendThreadIndirect

func NtSuspendThreadIndirect(threadHandle uintptr, previousSuspendCount *uintptr) (uintptr, error)

NtSuspendThreadIndirect suspends a thread (indirect-syscall variant of NtSuspendThread)

func NtTerminateProcess

func NtTerminateProcess(processHandle uintptr, exitStatus uintptr) (uintptr, error)

NtTerminateProcess terminates a process

func NtTerminateProcessIndirect

func NtTerminateProcessIndirect(processHandle uintptr, exitStatus uintptr) (uintptr, error)

NtTerminateProcessIndirect terminates a process (indirect-syscall variant of NtTerminateProcess)

func NtTerminateThread

func NtTerminateThread(threadHandle uintptr, exitStatus uintptr) (uintptr, error)

NtTerminateThread terminates a thread

func NtTerminateThreadIndirect

func NtTerminateThreadIndirect(threadHandle uintptr, exitStatus uintptr) (uintptr, error)

NtTerminateThreadIndirect terminates a thread (indirect-syscall variant of NtTerminateThread)

func NtUnmapViewOfSection

func NtUnmapViewOfSection(processHandle uintptr, baseAddress uintptr) (uintptr, error)

NtUnmapViewOfSection unmaps a view of a section

func NtUnmapViewOfSectionIndirect

func NtUnmapViewOfSectionIndirect(processHandle uintptr, baseAddress uintptr) (uintptr, error)

NtUnmapViewOfSectionIndirect unmaps a view of a section (indirect-syscall variant of NtUnmapViewOfSection)

func NtWaitForMultipleObjects

func NtWaitForMultipleObjects(count uintptr, handles *uintptr, waitType uintptr, alertable bool, timeout *uint64) (uintptr, error)

NtWaitForMultipleObjects waits for multiple objects

func NtWaitForMultipleObjectsIndirect

func NtWaitForMultipleObjectsIndirect(count uintptr, handles *uintptr, waitType uintptr, alertable bool, timeout *uint64) (uintptr, error)

NtWaitForMultipleObjectsIndirect waits for multiple objects (indirect-syscall variant of NtWaitForMultipleObjects)

func NtWaitForSingleObject

func NtWaitForSingleObject(handle uintptr, alertable bool, timeout *uint64) (uintptr, error)

NtWaitForSingleObject waits for a single object

func NtWaitForSingleObjectIndirect

func NtWaitForSingleObjectIndirect(handle uintptr, alertable bool, timeout *uint64) (uintptr, error)

NtWaitForSingleObjectIndirect waits for a single object (indirect-syscall variant of NtWaitForSingleObject)

func NtWriteFile

func NtWriteFile(fileHandle uintptr, event uintptr, apcRoutine uintptr, apcContext uintptr, ioStatusBlock uintptr, buffer unsafe.Pointer, length uintptr, byteOffset *uint64, key *uintptr) (uintptr, error)

NtWriteFile writes to a file

func NtWriteFileIndirect

func NtWriteFileIndirect(fileHandle uintptr, event uintptr, apcRoutine uintptr, apcContext uintptr, ioStatusBlock uintptr, buffer unsafe.Pointer, length uintptr, byteOffset *uint64, key *uintptr) (uintptr, error)

NtWriteFileIndirect writes to a file (indirect-syscall variant of NtWriteFile)

func NtWriteVirtualMemory

func NtWriteVirtualMemory(processHandle uintptr, baseAddress uintptr, buffer unsafe.Pointer, size uintptr, bytesWritten *uintptr) (uintptr, error)

NtWriteVirtualMemory writes to memory in a process

func NtWriteVirtualMemoryIndirect

func NtWriteVirtualMemoryIndirect(processHandle uintptr, baseAddress uintptr, buffer unsafe.Pointer, size uintptr, bytesWritten *uintptr) (uintptr, error)

NtWriteVirtualMemoryIndirect writes to memory in a process (indirect-syscall variant of NtWriteVirtualMemory)

func OriginalNtInjectSelfShellcodeIndirect

func OriginalNtInjectSelfShellcodeIndirect(payload []byte) error

func PatchAMSI

func PatchAMSI() error

func PatchDbgUiRemoteBreakin

func PatchDbgUiRemoteBreakin() error

PatchDbgUiRemoteBreakin patches DbgUiRemoteBreakin to prevent remote debugger attachment

func PatchETW

func PatchETW() error

func PatchNtSystemDebugControl

func PatchNtSystemDebugControl() error

PatchNtSystemDebugControl patches NtSystemDebugControl to prevent debug control operations

func PatchNtTraceEvent

func PatchNtTraceEvent() error

PatchNtTraceEvent patches NtTraceEvent to prevent trace event logging

func PrewarmNtdllCache

func PrewarmNtdllCache() error

PrewarmNtdllCache preloads all ntdll function information for better performance. Call it early in your application to improve function resolution speed.

func PrewarmSyscallCache

func PrewarmSyscallCache() error

PrewarmSyscallCache preloads common syscall numbers for better performance. Call it early in your application to improve syscall resolution speed.

func SelfDel

func SelfDel()

func SelfDelIndirect

func SelfDelIndirect()

func StringToUTF16

func StringToUTF16(s string) *uint16

StringToUTF16 converts a Go string to a UTF-16 string pointer. It replaces syscall.UTF16PtrFromString to avoid standard library dependencies.

func UnhookNtdll

func UnhookNtdll() error

Types

type ANSI_STRING

// ANSI_STRING represents an ANSI string in Windows. It is laid out to match the
// native ANSI_STRING structure, so field order and types must not be changed.
type ANSI_STRING struct {
	// Length and MaximumLength are byte counts in the Windows definition
	// (current length vs. buffer capacity); nothing on this page shows them
	// being set, so confirm the convention against the code that fills them.
	Length        uint16
	MaximumLength uint16
	// Buffer points at the character data. The native string is counted, not
	// NUL-terminated, so Length must be honoured when reading through Buffer.
	Buffer        *byte
}

ANSI_STRING represents an ANSI string in Windows

type CLIENT_ID

// CLIENT_ID represents a process and thread identifier pair, mirroring the
// native Windows CLIENT_ID structure. It is presumably what the clientId
// uintptr argument of NtOpenProcess/NtOpenThread points at — confirm against
// the callers, since those wrappers take an untyped uintptr.
type CLIENT_ID struct {
	UniqueProcess uintptr // process ID
	UniqueThread  uintptr // thread ID; likely zero when only the process is addressed — TODO confirm
}

CLIENT_ID represents a process and thread identifier pair

type EscalationSummary

// EscalationSummary provides aggregate statistics about the vectors discovered
// in a PrivEscMap. The per-severity counters presumably bucket
// EscalationVector.Severity ("CRITICAL", "HIGH", "MEDIUM", "LOW") and
// ExploitableCount tallies vectors with Exploitable set; the producer of this
// struct is not on this page, so confirm before relying on the exact semantics.
type EscalationSummary struct {
	TotalVectors     int `json:"total_vectors"`
	CriticalCount    int `json:"critical_count"`
	HighCount        int `json:"high_count"`
	MediumCount      int `json:"medium_count"`
	LowCount         int `json:"low_count"`
	ExploitableCount int `json:"exploitable_count"`
}

EscalationSummary provides statistics about discovered vectors

type EscalationVector

// EscalationVector represents a single privilege escalation opportunity found
// during enumeration. Type, Method and Severity are string enumerations whose
// accepted values are listed beside each field; Exploitable is the flag that
// GetExploitableVectors filters on. Path is a raw resource path and Description
// is free text, so treat both as untrusted when rendering or logging.
type EscalationVector struct {
	Type        string `json:"type"`        // "FILE", "PATH", "REGISTRY", "SERVICE", "TASK"
	Path        string `json:"path"`        // Full path to the resource
	Method      string `json:"method"`      // "BINARY_PLANT", "SERVICE_REPLACE", "REGISTRY_PERSIST", "TASK_HIJACK"
	Severity    string `json:"severity"`    // "CRITICAL", "HIGH", "MEDIUM", "LOW"
	Description string `json:"description"` // Human readable description
	Exploitable bool   `json:"exploitable"` // Whether this can be immediately exploited
}

EscalationVector represents a single privilege escalation opportunity

func GetExploitableVectors

func GetExploitableVectors(escMap *PrivEscMap) []EscalationVector

GetExploitableVectors filters vectors to only those that are exploitable

type ExploitOptions

// ExploitOptions configures an exploitation run. Be aware that the zero value
// is the most dangerous configuration — TestMode false (live run) and
// CreateBackup false (nothing to restore from) — so callers should set both
// explicitly rather than rely on defaults.
type ExploitOptions struct {
	Payload         []byte `json:"-"`                // Binary payload to execute; excluded from JSON so serialized sessions never embed it
	PayloadFilename string `json:"payload_filename"` // Custom filename for payload. NOTE(review): if used verbatim when building a path, it must not come from untrusted input (path traversal)
	CreateBackup    bool   `json:"create_backup"`    // Whether to backup original files before they are replaced
	TestMode        bool   `json:"test_mode"`        // Only test, don't actually exploit — the safe setting for assessments
}

ExploitOptions contains configuration for exploitation attempts

type ExploitResult

// ExploitResult records the outcome of a single exploitation attempt against
// one vector.
type ExploitResult struct {
	Success     bool             `json:"success"`         // whether the attempt succeeded (in TestMode: presumably whether the test passed — confirm)
	Vector      EscalationVector `json:"vector"`          // the vector that was attempted
	Method      string           `json:"method"`          // technique used; presumably mirrors Vector.Method
	Description string           `json:"description"`     // human-readable account of what was done
	Error       string           `json:"error,omitempty"` // failure detail; omitted from JSON when empty
}

ExploitResult represents the result of an exploitation attempt

func ExploitBinaryPlanting

func ExploitBinaryPlanting(vectors []EscalationVector, options ExploitOptions) []ExploitResult

ExploitBinaryPlanting attempts to exploit binary planting vectors (PATH hijacking)

func ExploitServiceReplacement

func ExploitServiceReplacement(vectors []EscalationVector, options ExploitOptions) []ExploitResult

ExploitServiceReplacement attempts to exploit service replacement vectors

func ExploitTaskScheduler

func ExploitTaskScheduler(vectors []EscalationVector, options ExploitOptions) []ExploitResult

ExploitTaskScheduler attempts to exploit task scheduler vectors

type ExploitSession

// ExploitSession aggregates the outcome of a batch of exploitation attempts.
// Options is serialized together with the results; because Payload carries
// the json:"-" tag, the payload bytes themselves never appear in a serialized
// session.
type ExploitSession struct {
	Options ExploitOptions  `json:"options"`       // configuration the attempts ran with
	Results []ExploitResult `json:"results"`       // per-attempt outcomes
	Success int             `json:"success_count"` // attempts that reported Success
	Failed  int             `json:"failed_count"`  // attempts that did not succeed
	Tested  int             `json:"tested_count"`  // presumably attempts run in TestMode — confirm against ExploitVectors
}

ExploitSession manages multiple exploitation attempts

func AutoExploit

func AutoExploit(escMap *PrivEscMap, payload []byte, testMode bool) *ExploitSession

AutoExploit automatically exploits the highest-priority vectors. With testMode set, vectors are only tested and nothing on the system is modified (see ExploitOptions.TestMode); leave it unset only when modification is actually intended.

func ExploitVectors

func ExploitVectors(vectors []EscalationVector, options ExploitOptions) *ExploitSession

ExploitVectors performs exploitation on a list of privilege escalation vectors

type FILE_DISPOSITION_INFO

// FILE_DISPOSITION_INFO is the file-disposition payload used to request that a
// file be deleted. In the native definition a nonzero DeleteFile marks the
// file for deletion when its last handle closes — presumably what the
// SelfDel helpers build on; confirm against their implementation.
type FILE_DISPOSITION_INFO struct {
	DeleteFile uint8 // nonzero requests deletion; zero clears a pending request
}

FILE_DISPOSITION_INFO structure for file deletion

type FILE_RENAME_INFO

// FILE_RENAME_INFO is the rename payload for the file-information calls. The
// new name is stored inline after the fixed header, so this Go struct only
// reserves the first UTF-16 code unit: a caller must allocate a buffer large
// enough for the whole name and pass that buffer's real size as the
// information length, otherwise the name is truncated. NOTE(review): confirm
// the package's rename path does this rather than using unsafe.Sizeof of this
// struct.
type FILE_RENAME_INFO struct {
	ReplaceIfExists uint8     // nonzero overwrites an existing target — destructive; keep zero unless clobbering is intended
	RootDirectory   uintptr   // handle that FileName is relative to; 0 for an absolute name
	FileNameLength  uint32    // length of FileName (byte count in the native definition — confirm), excluding any terminator
	FileName        [1]uint16 // Variable length array: first code unit of the new name, the rest follows in memory
}

FILE_RENAME_INFO structure for file renaming

type FunctionInfo

// FunctionInfo describes one export of ntdll as resolved in the running
// process. Address is a live in-process address and SyscallNumber is tied to
// the ntdll build it was read from; neither is portable to another machine
// or Windows build.
type FunctionInfo struct {
	Name          string  // export name
	Hash          uint32  // hash of Name, as used by the hash-based resolver
	Address       uintptr // address of the export in this process
	IsSyscall     bool    // true when the export is a syscall stub
	SyscallNumber uint16  // Only valid if IsSyscall is true
}

FunctionInfo holds information about any exported function from ntdll

func DumpAllNtdllFunctions

func DumpAllNtdllFunctions() ([]FunctionInfo, error)

DumpAllNtdllFunctions enumerates ALL exported functions from ntdll.dll (both syscalls and regular functions). This includes functions such as LdrLoadDll, LdrGetProcedureAddress and the RtlXxx family.

type IO_STATUS_BLOCK

// IO_STATUS_BLOCK receives the completion status of an I/O request. The
// kernel writes it when the request completes, so the block must stay alive
// and unread until then — relevant if any call is issued asynchronously.
type IO_STATUS_BLOCK struct {
	Status      uintptr // NTSTATUS of the request; pointer-sized because the native field is a union with a pointer
	Information uintptr // request-specific result, e.g. bytes transferred for read/write — confirm per call
}

IO_STATUS_BLOCK structure for I/O operations

type LUID

// LUID is a locally unique identifier. In this package it identifies a
// privilege when adjusting token privileges (see LUID_AND_ATTRIBUTES and
// TOKEN_PRIVILEGES).
type LUID struct {
	LowPart  uint32 // low 32 bits
	HighPart int32  // high 32 bits (signed in the native definition)
}

LUID structure for privileges

type LUID_AND_ATTRIBUTES

// LUID_AND_ATTRIBUTES pairs a privilege LUID with its attribute flags; it is
// the element type of TOKEN_PRIVILEGES.
type LUID_AND_ATTRIBUTES struct {
	Luid       LUID   // the privilege
	Attributes uint32 // SE_PRIVILEGE_* flags, e.g. enabled/removed — confirm which values the package uses
}

LUID_AND_ATTRIBUTES structure

type NtdllDumpResult

// NtdllDumpResult is the JSON form of a full ntdll export dump. It carries
// live addresses and is therefore specific to one ntdll build and one load
// address; do not treat it as portable data.
// NOTE(review): NtdllFunctionExport is documented as a non-syscall export
// (IsSyscall "always false"), yet SyscallCount is reported here — confirm
// whether Functions holds both kinds or only the regular exports.
type NtdllDumpResult struct {
	Timestamp    string                `json:"timestamp"`              // when the dump was taken
	SystemInfo   NtdllSystemInfo       `json:"system_info"`            // OS, architecture and ntdll base the dump is tied to
	Functions    []NtdllFunctionExport `json:"functions"`              // exported functions (see note above)
	TotalCount   int                   `json:"total_count"`            // number of exports enumerated
	SyscallCount int                   `json:"syscall_count"`          // exports identified as syscall stubs
	RegularCount int                   `json:"regular_function_count"` // exports that are ordinary functions
}

NtdllDumpResult represents the complete dump result for JSON serialization

type NtdllFunctionExport

// NtdllFunctionExport is the JSON form of one ntdll export. Address is an
// in-process address rendered as hex; it is only meaningful for the ntdll
// load address recorded alongside it in NtdllSystemInfo.
type NtdllFunctionExport struct {
	Name      string `json:"name"`       // export name
	Hash      string `json:"hash"`       // Hex string for readability
	Address   string `json:"address"`    // Hex string for readability
	IsSyscall bool   `json:"is_syscall"` // Always false for this export (this type only describes non-syscall exports)
}

NtdllFunctionExport represents a non-syscall function export from ntdll for JSON serialization

type NtdllSystemInfo

// NtdllSystemInfo records the environment a dump was taken on, which is
// what makes the dumped addresses and syscall numbers interpretable.
type NtdllSystemInfo struct {
	OS           string `json:"os"`           // OS description / build the dump is tied to
	Architecture string `json:"architecture"` // CPU architecture
	NtdllBase    string `json:"ntdll_base"`   // hex load address of ntdll in the dumping process; presumably changes across boots (ASLR)
}

NtdllSystemInfo represents system information for the dump

type OBJECT_ATTRIBUTES

// OBJECT_ATTRIBUTES names the object an Nt* call should create or open and
// how. NOTE(review): per the native definition Length must hold the size of
// this structure and unused fields must be zero — confirm every constructor
// in this package does both, since a wrong Length causes the kernel to
// reject or misinterpret the call.
type OBJECT_ATTRIBUTES struct {
	Length                   uint32          // size of this struct in bytes
	RootDirectory            uintptr         // handle ObjectName is relative to; 0 for an absolute name
	ObjectName               *UNICODE_STRING // object path; its storage must stay reachable for the duration of the call
	Attributes               uint32          // OBJ_* flags (e.g. case-insensitive lookup, inheritable handle) — confirm which the package sets
	SecurityDescriptor       uintptr         // optional security descriptor pointer; 0 lets the system apply its default
	SecurityQualityOfService uintptr         // optional; matters when the opened object can impersonate the caller
}

OBJECT_ATTRIBUTES structure for object creation/opening

type PROCESS_BASIC_INFORMATION

// PROCESS_BASIC_INFORMATION is the basic-information result returned by
// NtQueryInformationProcess for a process handle.
type PROCESS_BASIC_INFORMATION struct {
	ExitStatus                   uintptr // exit status of the process
	PebBaseAddress               uintptr // address of the PEB in the *target's* address space; for another process it must be read via a cross-process read, not dereferenced
	AffinityMask                 uintptr // processor affinity mask
	BasePriority                 int32   // base scheduling priority
	UniqueProcessId              uintptr // PID
	InheritedFromUniqueProcessId uintptr // parent PID at creation time; the parent may have exited since, so do not treat it as live
}

PROCESS_BASIC_INFORMATION structure for NtQueryInformationProcess

type PrivEscMap

// PrivEscMap groups the vectors found by ScanPrivilegeEscalationVectors by
// technique, plus a Summary of their counts. Like EscalationVector it is
// fully JSON-exported, so the serialized map is sensitive output.
// NOTE(review): EscalationVector lists no Method value for unquoted paths —
// confirm what Method the UnquotedPaths entries carry.
type PrivEscMap struct {
	BinaryPlanting  []EscalationVector `json:"binary_planting"`  // writable locations on search paths
	ServiceReplace  []EscalationVector `json:"service_replace"`  // service binaries that can be replaced
	RegistryPersist []EscalationVector `json:"registry_persist"` // writable registry persistence keys
	UnquotedPaths   []EscalationVector `json:"unquoted_paths"`   // services with unquoted image paths
	TaskScheduler   []EscalationVector `json:"task_scheduler"`   // scheduled tasks that can be hijacked
	Summary         EscalationSummary  `json:"summary"`          // counts over all categories
}

PrivEscMap contains categorized privilege escalation vectors

func ScanPrivilegeEscalationVectors

func ScanPrivilegeEscalationVectors() (*PrivEscMap, error)

ScanPrivilegeEscalationVectors performs comprehensive privilege escalation scanning

type ProcessInfo

// ProcessInfo describes a process discovered by FindPrivilegedProcesses,
// including the handles obtained while inspecting it.
// NOTE(review): if the scanner leaves Handle and TokenHandle open, the caller
// owns them and must close them (NtClose) — otherwise every scan leaks two
// handles per process. Confirm against FindPrivilegedProcesses.
type ProcessInfo struct {
	PID         uintptr // process ID
	Name        string  // process name
	Handle      uintptr // process handle (see ownership note above)
	TokenHandle uintptr // token handle of the process (see ownership note above)
	HasDebug    bool    // presumably SeDebugPrivilege present — confirm
	HasBackup   bool    // presumably SeBackupPrivilege present — confirm
	HasRestore  bool    // presumably SeRestorePrivilege present — confirm
}

ProcessInfo holds information about a discovered process

func FindPrivilegedProcesses

func FindPrivilegedProcesses() ([]ProcessInfo, error)

FindPrivilegedProcesses enumerates processes with interesting privileges

type SYSTEM_PROCESS_INFORMATION

// SYSTEM_PROCESS_INFORMATION is one record of the buffer returned by
// NtQuerySystemInformation for the process-information class. Records are
// chained by NextEntryOffset rather than stored as a fixed array, and in the
// native layout per-thread data follows each record, so this struct must be
// read in place inside the query buffer — never as a plain []SYSTEM_PROCESS_INFORMATION.
// NOTE(review): the int64/uintptr field mix is the 64-bit native layout —
// confirm before relying on it in a 32-bit build.
type SYSTEM_PROCESS_INFORMATION struct {
	NextEntryOffset              uint32 // byte offset from this record to the next; 0 marks the last record (native convention — confirm)
	NumberOfThreads              uint32
	WorkingSetPrivateSize        int64
	HardFaultCount               uint32
	NumberOfThreadsHighWatermark uint32
	CycleTime                    uint64
	CreateTime                   int64
	UserTime                     int64
	KernelTime                   int64
	ImageName                    UNICODE_STRING // Buffer points into the query buffer; it is dangling once that buffer is freed
	BasePriority                 int32
	UniqueProcessId              uintptr // PID
	InheritedFromUniqueProcessId uintptr // parent PID at creation; may no longer be alive
	HandleCount                  uint32
	SessionId                    uint32
	UniqueProcessKey             uintptr
	PeakVirtualSize              uintptr
	VirtualSize                  uintptr
	PageFaultCount               uint32
	PeakWorkingSetSize           uintptr
	WorkingSetSize               uintptr
	QuotaPeakPagedPoolUsage      uintptr
	QuotaPagedPoolUsage          uintptr
	QuotaPeakNonPagedPoolUsage   uintptr
	QuotaNonPagedPoolUsage       uintptr
	PagefileUsage                uintptr
	PeakPagefileUsage            uintptr
	PrivatePageCount             uintptr
	ReadOperationCount           int64
	WriteOperationCount          int64
	OtherOperationCount          int64
	ReadTransferCount            int64
	WriteTransferCount           int64
	OtherTransferCount           int64
}

SYSTEM_PROCESS_INFORMATION structure for NtQuerySystemInformation

type SyscallInfo

// SyscallInfo describes one syscall stub resolved from the running process's
// ntdll. SyscallNumber is valid only for the Windows build it was read from
// and Address only for the current ntdll load address; a persisted table of
// these values must be regenerated per build (see the syscalltable warning).
type SyscallInfo struct {
	Name          string  // export name of the stub
	Hash          uint32  // hash of Name, as used by the hash-based resolver
	SyscallNumber uint16  // system service number for this build
	Address       uintptr // address of the stub in this process
}

SyscallInfo holds information about a single syscall

func DumpAllSyscalls

func DumpAllSyscalls() ([]SyscallInfo, error)

DumpAllSyscalls enumerates all syscall functions from ntdll.dll and returns their information. It uses the same discovery and resolution logic as the existing pkg modules.

func DumpAllSyscallsWithFiles

func DumpAllSyscallsWithFiles() ([]SyscallInfo, error)

DumpAllSyscallsWithFiles enumerates all syscall functions and, in addition to returning them, writes both a JSON dump and a Go syscall-table file. A generated table is tied to the Windows build it was produced on (see the syscalltable package warning) and must be regenerated for other builds.

type TOKEN_PRIVILEGES

// TOKEN_PRIVILEGES is the variable-length privilege list used when adjusting a
// token's privileges. The Go struct reserves room for a single entry; to pass
// more than one privilege the caller must allocate a larger buffer with the
// same layout and set PrivilegeCount accordingly.
type TOKEN_PRIVILEGES struct {
	PrivilegeCount uint32                 // number of entries that actually follow
	Privileges     [1]LUID_AND_ATTRIBUTES // Variable length array; only the first entry fits in this struct
}

TOKEN_PRIVILEGES structure

type UNICODE_STRING

// UNICODE_STRING is the counted UTF-16 string layout the native API expects.
// NOTE(review): in the native definition Length and MaximumLength are byte
// counts (not UTF-16 code units) and Length excludes any terminator — confirm
// NewUnicodeString computes them that way; a code-unit count here would
// silently halve every name passed to the kernel.
type UNICODE_STRING struct {
	Length        uint16  // bytes in use in Buffer (see note above)
	MaximumLength uint16  // bytes available in Buffer
	Buffer        *uint16 // NOTE(review): a Go pointer handed to the kernel; keep its storage reachable for the whole call
}

UNICODE_STRING represents a Unicode string in Windows

func NewUnicodeString

func NewUnicodeString(s *uint16) UNICODE_STRING

NewUnicodeString creates a UNICODE_STRING from a UTF-16 string pointer

type WeakPermission

// WeakPermission is a single finding from the legacy ScanWeakPermissions
// scanner. Unlike EscalationVector it has no JSON tags and its severity scale
// has no "CRITICAL" level, so the two result types are not interchangeable.
type WeakPermission struct {
	Type        string // "FILE", "REGISTRY", "SERVICE"
	Path        string // location of the weakly permissioned resource
	Issue       string // short identifier of the weakness
	Severity    string // "HIGH", "MEDIUM", "LOW"
	Description string // human-readable explanation
}

WeakPermission represents a discovered weak permission

func ScanWeakPermissions

func ScanWeakPermissions() ([]WeakPermission, error)

ScanWeakPermissions performs comprehensive permission scanning. It is marked as a legacy function; ScanPrivilegeEscalationVectors reports the same class of findings in categorized form (PrivEscMap) with JSON output.

Directories

Path Synopsis
Package syscalltable provides pre-computed syscall numbers. Auto-generated by the go-direct-syscall DumpAllSyscalls function. WARNING: these syscall numbers are specific to Windows 10 Pro, OS version 10.0.19045; syscall numbers change between Windows builds, so using this table on a different build will invoke the wrong system call.
pkg
debug
Package debug provides shared debug logging functionality for go-native-syscall
obf
Package obf provides string hashing and obfuscation utilities.
syscallresolve
Package syscallresolve provides functionality to resolve Windows syscall numbers.
