Golang for infosec — Building an EDR, Part 1: process memory

First of all, force yourself to love the Win32 API

List processes and read their memory

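// GetProcessesList returns the PIDs of the running processes via EnumProcesses.
//
// It returns the PID buffer, the number of bytes EnumProcesses wrote into it
// (so the meaningful entries are procsIds[:bytesReturned/4]) and the error from
// the API call, if any. The buffer starts at 2048 entries, as before, but is
// grown and the call retried while the API fills it completely: EnumProcesses
// does not fail when the buffer is too small, it truncates, so a fixed-size
// buffer would leave an EDR blind to every process past that count. The
// returned slice may therefore be longer than 2048 entries.
func GetProcessesList() (procsIds []uint32, bytesReturned uint32, err error) {
	// Hard stop so a pathological PID count cannot keep this loop growing forever.
	const maxEntries = 1 << 20
	for size := 2048; ; size *= 2 {
		procsIds = make([]uint32, size)
		err = windows.EnumProcesses(procsIds, &bytesReturned)
		if err != nil {
			return procsIds, bytesReturned, err
		}
		// A buffer that was not completely filled holds the whole list.
		if bytesReturned < uint32(len(procsIds))*4 || size >= maxEntries {
			return procsIds, bytesReturned, nil
		}
	}
}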
// Open the target with the minimum rights the rest of the pipeline needs:
// PROCESS_QUERY_INFORMATION for the image/module queries and PROCESS_VM_READ
// for ReadProcessMemory -- nothing broader such as PROCESS_ALL_ACCESS.
//
// A failed open is only logged (and only when verbose is set); the loop keeps
// going and procHandle is still passed on below. Processes this token is not
// allowed to open -- presumably protected or higher-privileged ones when no
// SeDebugPrivilege is held -- are therefore skipped silently. For an EDR those
// are coverage gaps worth recording (at least the PID), not just log noise.
procHandle, err := GetProcessHandle(procsIds[i], windows.PROCESS_QUERY_INFORMATION|windows.PROCESS_VM_READ)
if verbose && err != nil {
	log.Println("[ERROR]", "PID", procsIds[i], err)
}
// GetProcessModulesHandles resolves the image file name of an opened process
// and enumerates the handles of the modules loaded in it.
//
// procHandle must have been opened with enough access for
// GetProcessImageFileName and EnumProcessModules to succeed (the caller uses
// PROCESS_QUERY_INFORMATION|PROCESS_VM_READ). Only the last path component of
// the image name is returned; the directory part is discarded, so this value
// alone cannot tell a system binary from a same-named copy somewhere else --
// callers that need that distinction must keep the full path.
//
// NOTE(review): EnumProcessModules is called with a fixed count of 32. If that
// is the size of the handle buffer rather than a hint, modules past the 32nd
// are silently dropped (most processes load far more) -- confirm the wrapper
// grows the buffer from lpcbNeeded. Likewise 512 bytes is the image-name
// buffer; longer paths would be cut off.
func GetProcessModulesHandles(procHandle windows.Handle) (processFilename string, modules []syscall.Handle, err error) {
	rawName, nameErr := GetProcessImageFileName(procHandle, 512)
	if nameErr != nil {
		return "", nil, nameErr
	}
	// The buffer is NUL padded; drop the padding before looking at the path.
	imagePath := string(bytes.Trim(rawName, "\x00"))
	if sep := strings.LastIndex(imagePath, "\\"); sep >= 0 {
		processFilename = imagePath[sep+1:]
	} else {
		processFilename = imagePath
	}
	modules, err = EnumProcessModules(procHandle, 32)
	if err != nil {
		return "", nil, err
	}
	return processFilename, modules, nil
}
// Walk the module list of the process opened above. This is an excerpt: the
// enclosing "if err == nil {" is never closed in what is shown, and
// moduleFileName is assigned but not used before the listing ends.
// procHandle is passed in even when the open failed; that failure only
// surfaces here as an error from GetProcessModulesHandles, and any error from
// that call is swallowed (the block is skipped), so an unreadable process
// leaves no trace in the output.
procFilename, modules, err := GetProcessModulesHandles(procHandle)if err == nil {    for _, moduleHandle := range modules {
// Presumably guards against unused (zero) entries in the handle buffer.
if moduleHandle != 0 {
// ":=" declares a new err that shadows the outer one for this scope.
moduleRawName, err := GetModuleFileNameEx(procHandle, moduleHandle, 512)
if err != nil{
// The error is only logged; execution continues and moduleRawName (possibly
// nil or partial) is still trimmed and split below, yielding an empty or
// bogus module name. A "continue" here would keep unresolved modules out of
// the results instead of reporting them as nameless.
log.Println("[ERROR]", err)
}
moduleRawName = bytes.Trim(moduleRawName, "\x00")
// Only the last path component is kept; the directory is discarded, the same
// trade-off as for the process image name.
modulePath := strings.Split(string(moduleRawName), "\\")
moduleFileName := modulePath[len(modulePath)-1]
}
}
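// DumpModuleMemory reads the mapped image of one module out of a process and
// returns it as a byte slice.
//
// procHandle must carry PROCESS_QUERY_INFORMATION|PROCESS_VM_READ; modHandle is
// one of the handles returned by GetProcessModulesHandles. The read covers
// [BaseOfDll, BaseOfDll+SizeOfImage) as reported by GetModuleInformation.
// Failures are logged only when verbose is set, and every failure returns nil
// instead of a dump built from zero-valued module information or a partial
// read, so callers should treat an empty result as "no dump".
//
// Leading and trailing NUL bytes are stripped from the dump, as in the original
// implementation. NOTE(review): that can make the slice shorter than
// SizeOfImage, so offsets computed from it may not line up with RVAs and a hash
// of it will not match a hash of the untrimmed image; callers that need a
// faithful copy should not trim. NOTE(review): the whole range is read in one
// call; if any page inside it is not readable the read presumably fails as a
// whole, and a page-wise read would still recover the accessible parts.
func DumpModuleMemory(procHandle windows.Handle, modHandle syscall.Handle, verbose bool) []byte {
	moduleInfos, err := GetModuleInformation(procHandle, modHandle)
	if err != nil {
		if verbose {
			log.Println("[ERROR]", err)
		}
		return nil
	}
	memdump, err := ReadProcessMemory(procHandle, moduleInfos.BaseOfDll, uintptr(moduleInfos.SizeOfImage))
	if err != nil {
		if verbose {
			log.Println("[ERROR]", err)
		}
		return nil
	}
	return bytes.Trim(memdump, "\x00")
}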
