initial version

Author: codeyourweb

LICENCE

@@ -0,0 +1,38 @@
+# Go-win-process-injector
+
+## Description
+During my researches on process injection in Go, i have only found shellcode injections. But, in my case, I needed to include complex code in the process i was injecting into without instability linked to my action.
+
+This complex code was compiled in a Go DLL. However, Go does not incorporate logic similar to DllMain to allow direct execution of a function once the code has been injected. This program therefore takes care of finding the address of the target function and then executing it in the context of the process where the injection took place. 
+
+## Instruction, example and sequence of the injection
+
+Quick and easy way:
+* Use injectInProcess() to inject in the specified PID and call any selected function inside the memory space of this process
+* Use GetInjectedLibraryModuleHandle() to check if your library already is injected to avoid multiple useless injection
+
+If you want more details on how it works:
+* It first OpenProcess() your target PID
+* Then, injectDLL() create a remote thread an load your DLL inside it
+* findSymbolRVA() identify the relative virtual address of your function in the dll
+* Finally, callRemoteFunction() execute it in a new thread of your target PID
+
+Process output:
+```
+[INFO] Starting process injection...
+[INFO] Found process: Notepad.exe (PID: 17472)
+[DEBUG] PID: 17472 - Opening process Notepad.exe with 0x2a access...
+[DEBUG] PID: 17472 - Process Handle: 0x228
+[DEBUG] Loading DLL: C:\Temp\MyDll.dll
+[DEBUG] PID: 17472 - DLL Path Length: 40
+[INFO] PID: 17472 - VirtualAllocEx...
+[DEBUG] PID: 17472 - Allocating memory at:  0x21a60370000
+[DEBUG] PID: 17472 - Bytes written: 82
+[DEBUG] PID: 17472 - CreateRemoteThread...
+[DEBUG] PID: 17472 - Thread Handle: 556
+[DEBUG] PID: 17472 - Waiting for thread to finish...
+[DEBUG] PID: 17472 - DLL address in the remote process: 0x7ffe1eab0000
+[INFO] PID: 17472 - DLL injected successfully.
+[DEBUG] PID: 17472 - Function 'MyInjectFunction' RVA: 0xb2e60
+[INFO] PID: 17472 - Function 'MyInjectFunction' successfully called.
+```

README.md

@@ -0,0 +1,115 @@
+package main
+
+import (
+	"bytes"
+	"debug/pe"
+	"encoding/binary"
+	"fmt"
+	"os"
+)
+
+func findSymbolRVA(PEpath string, symbolName string) (uint32, error) {
+	f, err := os.Open(PEpath)
+	if err != nil {
+		return 0, err
+	}
+	defer f.Close()
+
+	peFile, err := pe.NewFile(f)
+	if err != nil {
+		return 0, err
+	}
+	defer peFile.Close()
+
+	exportDir := peFile.OptionalHeader.(*pe.OptionalHeader64).DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_EXPORT]
+	if exportDir.VirtualAddress == 0 {
+		exportDir = peFile.OptionalHeader.(*pe.OptionalHeader32).DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_EXPORT]
+		if exportDir.VirtualAddress == 0 {
+			return 0, fmt.Errorf("no export directory found")
+		}
+	}
+
+	var exportTable *pe.Section
+	for _, section := range peFile.Sections {
+		if uint32(exportDir.VirtualAddress) >= section.VirtualAddress &&
+			uint32(exportDir.VirtualAddress) < section.VirtualAddress+section.Size {
+			exportTable = section
+			break
+		}
+	}
+	if exportTable == nil {
+		return 0, fmt.Errorf("could not find export section")
+	}
+
+	exportData, err := exportTable.Data()
+	if err != nil {
+		return 0, fmt.Errorf("could not read export data: %w", err)
+	}
+
+	exportDirRVA := uint32(exportDir.VirtualAddress)
+	exportDirOffset := exportDirRVA - exportTable.VirtualAddress
+
+	exportDirectory := struct {
+		Characteristics       uint32
+		TimeDateStamp         uint32
+		MajorVersion          uint16
+		MinorVersion          uint16
+		Name                  uint32
+		Base                  uint32
+		NumberOfFunctions     uint32
+		NumberOfNames         uint32
+		AddressOfFunctions    uint32
+		AddressOfNames        uint32
+		AddressOfNameOrdinals uint32
+	}{}
+
+	err = binary.Read(bytes.NewReader(exportData[exportDirOffset:]), binary.LittleEndian, &exportDirectory)
+	if err != nil {
+		return 0, fmt.Errorf("could not read export directory: %w", err)
+	}
+
+	namesOffset := exportDirectory.AddressOfNames - exportTable.VirtualAddress
+	ordinalsOffset := exportDirectory.AddressOfNameOrdinals - exportTable.VirtualAddress
+
+	for i := 0; i < int(exportDirectory.NumberOfNames); i++ {
+		var nameRVA uint32
+		err = binary.Read(bytes.NewReader(exportData[namesOffset+uint32(i)*4:]), binary.LittleEndian, &nameRVA)
+		if err != nil {
+			return 0, fmt.Errorf("could not read name RVA: %w", err)
+		}
+
+		nameOffset := nameRVA - exportTable.VirtualAddress
+		name := ""
+		for j := nameOffset; j < uint32(len(exportData)); j++ {
+			if exportData[j] == 0 {
+				break
+			}
+			name += string(exportData[j])
+		}
+
+		if name == symbolName {
+			var ordinal uint16
+			err = binary.Read(bytes.NewReader(exportData[ordinalsOffset+uint32(i)*2:]), binary.LittleEndian, &ordinal)
+			if err != nil {
+				return 0, fmt.Errorf("could not read ordinal: %w", err)
+			}
+
+			functionsTableOffsetInData := (exportDirectory.AddressOfFunctions) - (exportTable.VirtualAddress)
+			functionAddressOffset := functionsTableOffsetInData + uint32(ordinal)*4
+
+			if int(functionAddressOffset)+4 > len(exportData) {
+				return 0, fmt.Errorf("reading outside limit of exportedData")
+			}
+
+			var rawFunctionAddress uint32
+			err = binary.Read(bytes.NewReader(exportData[functionAddressOffset:]), binary.LittleEndian, &rawFunctionAddress)
+			if err != nil {
+				return 0, fmt.Errorf("could not read raw function address: %w", err)
+			}
+
+			return rawFunctionAddress, nil
+		}
+	}
+
+	return 0, fmt.Errorf("symbol %s not found in export table", symbolName)
+}

dllutils.go

@@ -0,0 +1,16 @@
+module go-win-process-injector
+
+go 1.23.6
+
+require (
+	github.com/shirou/gopsutil v3.21.11+incompatible
+	golang.org/x/sys v0.32.0
+)
+
+require (
+	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/stretchr/testify v1.10.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+)

go.mod

@@ -0,0 +1,21 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI=
+github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
+github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
+github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
+github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

go.sum

@@ -0,0 +1,188 @@
+package main
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var (
+	kernel32DLL              = syscall.NewLazyDLL("kernel32.dll")
+	loadLibraryW             = kernel32DLL.NewProc("LoadLibraryW")
+	virtualAllocEx           = kernel32DLL.NewProc("VirtualAllocEx")
+	writeProcessMemory       = kernel32DLL.NewProc("WriteProcessMemory")
+	createRemoteThread       = kernel32DLL.NewProc("CreateRemoteThread")
+	createToolhelp32Snapshot = kernel32DLL.NewProc("CreateToolhelp32Snapshot")
+	process32FirstW          = kernel32DLL.NewProc("Process32FirstW")
+	process32NextW           = kernel32DLL.NewProc("Process32NextW")
+)
+
+type PROCESSENTRY32 struct {
+	DwSize              uint32
+	CntUsage            uint32
+	Th32ProcessID       uint32
+	Th32DefaultHeapID   uintptr
+	Th32ModuleID        uint32
+	CntThreads          uint32
+	Th32ParentProcessID uint32
+	PcPriClassBase      int32
+	DwFlags             uint32
+	SzExeFile           [syscall.MAX_PATH]uint8
+}
+
+const (
+	MEM_RESERVE        = 0x00002000
+	MEM_COMMIT         = 0x00001000
+	TH32CS_SNAPPROCESS = 0x00000002
+)
+
+func injectDLL(processID uint32, processHandle windows.Handle, dllPath string) (uintptr, error) {
+	dllPathPtr, err := windows.UTF16PtrFromString(dllPath)
+	if err != nil {
+		return 0, err
+	}
+
+	remoteAlloc, _, err := virtualAllocEx.Call(
+		uintptr(processHandle),
+		0,
+		uintptr(len(dllPath)*2+2),
+		uintptr(MEM_RESERVE|MEM_COMMIT),
+		uintptr(windows.PAGE_READWRITE),
+	)
+	if remoteAlloc == 0 {
+		return 0, fmt.Errorf("VirtualAllocEx failed: %v", err)
+	}
+	logMessage(LOGLEVEL_INFO, fmt.Sprintf("PID: %d - VirtualAllocEx...\n", processID))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Allocating memory at:  0x%x\n", processID, remoteAlloc))
+
+	bytesWritten := uint(0)
+	_, _, err = writeProcessMemory.Call(
+		uintptr(processHandle),
+		remoteAlloc,
+		uintptr(unsafe.Pointer(dllPathPtr)),
+		uintptr(len(dllPath)*2+2),
+		uintptr(unsafe.Pointer(&bytesWritten)),
+	)
+	if bytesWritten == 0 {
+		return 0, fmt.Errorf("PID: %d WriteProcessMemory failed: %v", processID, err)
+	}
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Bytes written: %d\n", processID, bytesWritten))
+
+	threadHandle, _, err := createRemoteThread.Call(
+		uintptr(processHandle),
+		0,
+		0,
+		uintptr(loadLibraryW.Addr()),
+		remoteAlloc,
+		0,
+		0,
+	)
+	if threadHandle == 0 {
+		return 0, fmt.Errorf("PID: %d - CreateRemoteThread failed: %v", processID, err)
+	}
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - CreateRemoteThread...\n", processID))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Thread Handle: %d\n", processID, threadHandle))
+	defer syscall.CloseHandle(syscall.Handle(threadHandle))
+
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Waiting for thread to finish...\n", processID))
+	_, err = syscall.WaitForSingleObject(syscall.Handle(threadHandle), syscall.INFINITE)
+	if err != nil {
+		return 0, fmt.Errorf("PID: %d - WaitForSingleObject failed: %v", processID, err)
+	}
+
+	// Récupérer l'adresse de la DLL chargée dans le processus distant
+	remoteDLLHandle, err := GetInjectedLibraryModuleHandle(processID, dllPath)
+	if err != nil {
+		return 0, fmt.Errorf("PID: %d - GetModuleHandle failed: %v", processID, err)
+	}
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - DLL address in the remote process: 0x%x\n", processID, remoteDLLHandle))
+
+	return remoteDLLHandle, nil
+}
+
+func GetInjectedLibraryModuleHandle(processID uint32, injectedDllPath string) (uintptr, error) {
+	handle, err := syscall.OpenProcess(windows.PROCESS_QUERY_INFORMATION|windows.PROCESS_VM_READ, false, processID)
+	if err != nil {
+		return 0, fmt.Errorf("PID: %d - error opening process: %w", processID, err)
+	}
+	defer syscall.CloseHandle(syscall.Handle(handle))
+
+	var modules [1024]windows.Handle
+	var needed uint32
+	err = windows.EnumProcessModules(windows.Handle(handle), &modules[0], uint32(unsafe.Sizeof(modules)), &needed)
+	if err != nil {
+		return 0, fmt.Errorf("PID: %d - error enumerating process modules: %v", processID, err)
+	}
+
+	numModules := needed / uint32(unsafe.Sizeof(windows.Handle(0)))
+	for i := uint32(0); i < numModules; i++ {
+		var filename [windows.MAX_PATH]uint16
+		err = windows.GetModuleFileNameEx(windows.Handle(handle), modules[i], &filename[0], windows.MAX_PATH)
+		if err == nil && windows.UTF16ToString(filename[:]) == injectedDllPath {
+			return uintptr(modules[i]), nil
+		}
+	}
+	return 0, nil
+}
+
+func callRemoteFunction(processID uint32, dllBaseAddress uintptr, functionName string, functionRVA uintptr) error {
+	handle, err := syscall.OpenProcess(windows.PROCESS_QUERY_INFORMATION|windows.PROCESS_VM_READ, false, processID)
+	if err != nil {
+		return fmt.Errorf("PID: %d - error opening process: %w", processID, err)
+	}
+	defer syscall.CloseHandle(syscall.Handle(handle))
+
+	remoteFunctionAddress := dllBaseAddress + functionRVA
+
+	threadHandle, _, err := createRemoteThread.Call(
+		uintptr(handle),
+		0,
+		0,
+		remoteFunctionAddress,
+		0,
+		0,
+		0,
+	)
+	if threadHandle == 0 {
+		return fmt.Errorf("PID: %d - CreateRemoteThread failed while calling '%s'- %v", processID, functionName, err)
+	}
+	defer syscall.CloseHandle(syscall.Handle(threadHandle))
+
+	return nil
+}
+
+func injectInProcess(processID uint32, processName string, dllPath string, dllFunction string) error {
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Opening process %s with 0x%x access...\n", processID, processName, windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_OPERATION))
+	processHandle, err := syscall.OpenProcess(windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_OPERATION, false, processID)
+	if err != nil {
+		return fmt.Errorf("PID: %d - OpenProcess failed: %v", processID, err)
+	}
+	defer syscall.CloseHandle(processHandle)
+
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Process Handle: 0x%x\n", processID, processHandle))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Loading DLL: %s\n", processID, dllPath))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - DLL Path Length: %d\n", processID, len(dllPath)))
+
+	dllBaseAddress, err := injectDLL(processID, windows.Handle(processHandle), dllPath)
+	if err != nil {
+		return fmt.Errorf("PID: %d - DLL injection failed: %v", processID, err)
+	}
+	logMessage(LOGLEVEL_INFO, fmt.Sprintf("PID: %d - DLL injected successfully.\n", processID))
+
+	FunctionRVA, err := findSymbolRVA(dllPath, dllFunction)
+	if err != nil {
+		return fmt.Errorf("PID: %d - Error finding symbol RVA: %v", processID, err)
+	}
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Function '%s' RVA: 0x%x\n", processID, dllFunction, FunctionRVA))
+
+	err = callRemoteFunction(processID, dllBaseAddress, dllFunction, uintptr(FunctionRVA))
+	if err != nil {
+
+		return fmt.Errorf("PID: %d - Error calling remote function %v", processID, err)
+	}
+	logMessage(LOGLEVEL_INFO, fmt.Sprintf("PID: %d - Function '%s' successfully called.\n", processID, dllFunction))
+
+	return nil
+}