Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/zimnyaa/xdvoke
d/invoke function resolver in Golang
https://github.com/zimnyaa/xdvoke
go malware windows
Last synced: 3 months ago
JSON representation
d/invoke function resolver in Golang
- Host: GitHub
- URL: https://github.com/zimnyaa/xdvoke
- Owner: zimnyaa
- License: mit
- Created: 2023-05-14T18:09:49.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2023-05-15T23:57:38.000Z (over 1 year ago)
- Last Synced: 2024-05-18T02:04:51.224Z (6 months ago)
- Topics: go, malware, windows
- Language: Go
- Homepage:
- Size: 14.6 KB
- Stars: 0
- Watchers: 1
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-golang-repositories - xdvoke
README
# `xdvoke` function resolver
```
xdvoke is designed as a drop-in replacement for Golang default "windows" package.
This is a PoC implementation. `go run .` to run it.
it dynamically resolves the functions by walking the DLL headers.
DLLs are loaded indirectly with RtlQueueWorkItem, waiting a bit, and then calling the legitimate LoadLibrary function.
nothing is new, code heavily inspired (stolen) from WireGuard memmod and rad9800.
Yes, you can yoink the resolver Go assembly stubs from acheron, but why would you want to do assembly for it?
```
# code comparison
```go
// xdvoke
dll, _ := NewProxyDLL(testMod)
fmt.Printf("ProxyDLL handle: %x\n", dll.Handle)
proc, _ := dll.NewProc(testName)
fmt.Printf("%s -(dyn)> 0x%x\n", testName, proc.Addr())
```
```go
// default windows package
defdll := windows.NewLazySystemDLL(testMod)
fmt.Printf("LazyDLL handle: %x\n", defdll.Handle())
defproc := defdll.NewProc(testName)
fmt.Printf("%s -(std)> 0x%x\n", testName, defproc.Addr())
```