yaml config & windows service mode

Author: codeyourweb

go.mod

@@ -1,10 +1,12 @@
-module go-win-process-injector
+module goprocinjector
 
 go 1.23.6
 
 require (
+	github.com/akamensky/argparse v1.4.0
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	golang.org/x/sys v0.32.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (

go.sum

@@ -1,3 +1,5 @@
+github.com/akamensky/argparse v1.4.0 h1:YGzvsTqCvbEZhL8zZu2AiA5nq805NZh75JNj4ajn1xc=
+github.com/akamensky/argparse v1.4.0/go.mod h1:S5kwC7IuDcEr5VeXtGPRVZ5o/FdhcMlQz4IZQuw64xA=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
@@ -17,5 +19,7 @@ github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQ
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
 golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

goprocinjector.yaml

@@ -0,0 +1,16 @@
+injector_log_level: "LOGLEVEL_INFO"
+injector_log_file: "C:\\Windows\\Temp\\goprocinjector.log"
+process_injections: 
+  - name: "ClipboardMonitor_WebBrowser"
+    processes: 
+      - "firefox.exe"
+      - "chrome.exe"
+    process_injection_dll_path: "C:\\Users\\shado\\Desktop\\clipboardMonitor\\ClipboardMonitor.dll"
+    process_injection_dll_function: "ClipboardMonitor"
+    process_injection_refresh_interval: 5
+  - name: "ClipboardMonitor_Explorer"
+    processes: 
+      - "explorer.exe"
+    process_injection_dll_path: "C:\\Users\\shado\\Desktop\\clipboardMonitor\\ClipboardMonitor.dll"
+    process_injection_dll_function: "ClipboardMonitor"
+    process_injection_refresh_interval: 30

injector.go

@@ -14,6 +14,7 @@ var (
 	virtualAllocEx           = kernel32DLL.NewProc("VirtualAllocEx")
 	writeProcessMemory       = kernel32DLL.NewProc("WriteProcessMemory")
 	createRemoteThread       = kernel32DLL.NewProc("CreateRemoteThread")
+	getThreadId              = kernel32DLL.NewProc("GetThreadId")
 	createToolhelp32Snapshot = kernel32DLL.NewProc("CreateToolhelp32Snapshot")
 	process32FirstW          = kernel32DLL.NewProc("Process32FirstW")
 	process32NextW           = kernel32DLL.NewProc("Process32NextW")
@@ -54,8 +55,8 @@ func injectDLL(processID uint32, processHandle windows.Handle, dllPath string) (
 	if remoteAlloc == 0 {
 		return 0, fmt.Errorf("VirtualAllocEx failed: %v", err)
 	}
-	logMessage(LOGLEVEL_INFO, fmt.Sprintf("PID: %d - VirtualAllocEx...\n", processID))
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Allocating memory at:  0x%x\n", processID, remoteAlloc))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - VirtualAllocEx...", processID))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Allocating memory at:  0x%x", processID, remoteAlloc))
 
 	bytesWritten := uint(0)
 	_, _, err = writeProcessMemory.Call(
@@ -66,9 +67,9 @@ func injectDLL(processID uint32, processHandle windows.Handle, dllPath string) (
 		uintptr(unsafe.Pointer(&bytesWritten)),
 	)
 	if bytesWritten == 0 {
-		return 0, fmt.Errorf("PID: %d WriteProcessMemory failed: %v", processID, err)
+		return 0, fmt.Errorf("WriteProcessMemory failed: %v", err)
 	}
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Bytes written: %d\n", processID, bytesWritten))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Bytes written: %d", processID, bytesWritten))
 
 	threadHandle, _, err := createRemoteThread.Call(
 		uintptr(processHandle),
@@ -80,40 +81,40 @@ func injectDLL(processID uint32, processHandle windows.Handle, dllPath string) (
 		0,
 	)
 	if threadHandle == 0 {
-		return 0, fmt.Errorf("PID: %d - CreateRemoteThread failed: %v", processID, err)
+		return 0, fmt.Errorf("CreateRemoteThread failed: %v", err)
 	}
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - CreateRemoteThread...\n", processID))
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Thread Handle: %d\n", processID, threadHandle))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - CreateRemoteThread...", processID))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Thread Handle: %d", processID, threadHandle))
 	defer syscall.CloseHandle(syscall.Handle(threadHandle))
 
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Waiting for thread to finish...\n", processID))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Waiting for thread to finish...", processID))
 	_, err = syscall.WaitForSingleObject(syscall.Handle(threadHandle), syscall.INFINITE)
 	if err != nil {
-		return 0, fmt.Errorf("PID: %d - WaitForSingleObject failed: %v", processID, err)
+		return 0, fmt.Errorf("WaitForSingleObject failed: %v", err)
 	}
 
 	// Récupérer l'adresse de la DLL chargée dans le processus distant
 	remoteDLLHandle, err := GetInjectedLibraryModuleHandle(processID, dllPath)
 	if err != nil {
-		return 0, fmt.Errorf("PID: %d - GetModuleHandle failed: %v", processID, err)
+		return 0, fmt.Errorf("GetModuleHandle failed: %v", err)
 	}
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - DLL address in the remote process: 0x%x\n", processID, remoteDLLHandle))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - DLL address in the remote process: 0x%x", processID, remoteDLLHandle))
 
 	return remoteDLLHandle, nil
 }
 
 func GetInjectedLibraryModuleHandle(processID uint32, injectedDllPath string) (uintptr, error) {
 	handle, err := syscall.OpenProcess(windows.PROCESS_QUERY_INFORMATION|windows.PROCESS_VM_READ, false, processID)
 	if err != nil {
-		return 0, fmt.Errorf("PID: %d - error opening process: %w", processID, err)
+		return 0, fmt.Errorf("error opening process: %w", err)
 	}
 	defer syscall.CloseHandle(syscall.Handle(handle))
 
 	var modules [1024]windows.Handle
 	var needed uint32
 	err = windows.EnumProcessModules(windows.Handle(handle), &modules[0], uint32(unsafe.Sizeof(modules)), &needed)
 	if err != nil {
-		return 0, fmt.Errorf("PID: %d - error enumerating process modules: %v", processID, err)
+		return 0, fmt.Errorf("error enumerating process modules: %v", err)
 	}
 
 	numModules := needed / uint32(unsafe.Sizeof(windows.Handle(0)))
@@ -128,16 +129,16 @@ func GetInjectedLibraryModuleHandle(processID uint32, injectedDllPath string) (u
 }
 
 func callRemoteFunction(processID uint32, dllBaseAddress uintptr, functionName string, functionRVA uintptr) error {
-	handle, err := syscall.OpenProcess(windows.PROCESS_QUERY_INFORMATION|windows.PROCESS_VM_READ, false, processID)
+	processHandle, err := syscall.OpenProcess(windows.PROCESS_QUERY_INFORMATION|windows.PROCESS_VM_READ, false, processID)
 	if err != nil {
-		return fmt.Errorf("PID: %d - error opening process: %w", processID, err)
+		return fmt.Errorf("error opening process: %w", err)
 	}
-	defer syscall.CloseHandle(syscall.Handle(handle))
+	defer syscall.CloseHandle(syscall.Handle(processHandle))
 
 	remoteFunctionAddress := dllBaseAddress + functionRVA
 
 	threadHandle, _, err := createRemoteThread.Call(
-		uintptr(handle),
+		uintptr(processHandle),
 		0,
 		0,
 		remoteFunctionAddress,
@@ -146,43 +147,54 @@ func callRemoteFunction(processID uint32, dllBaseAddress uintptr, functionName s
 		0,
 	)
 	if threadHandle == 0 {
-		return fmt.Errorf("PID: %d - CreateRemoteThread failed while calling '%s'- %v", processID, functionName, err)
+		return fmt.Errorf("CreateRemoteThread failed while calling '%s'- %v", functionName, err)
 	}
 	defer syscall.CloseHandle(syscall.Handle(threadHandle))
 
+	threadId, _, err := getThreadId.Call(uintptr(threadHandle))
+
+	if threadId == 0 {
+		return fmt.Errorf("GetThreadId failed: %v", err)
+	}
+
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Remote Thread ID: %d", processID, threadId))
+
 	return nil
 }
 
 func injectInProcess(processID uint32, processName string, dllPath string, dllFunction string) error {
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Opening process %s with 0x%x access...\n", processID, processName, windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_OPERATION))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Opening process %s with 0x%x access...", processID, processName, windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_OPERATION))
 	processHandle, err := syscall.OpenProcess(windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_OPERATION, false, processID)
 	if err != nil {
-		return fmt.Errorf("PID: %d - OpenProcess failed: %v", processID, err)
+		return fmt.Errorf("OpenProcess failed: %v", err)
 	}
 	defer syscall.CloseHandle(processHandle)
 
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Process Handle: 0x%x\n", processID, processHandle))
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Loading DLL: %s\n", processID, dllPath))
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - DLL Path Length: %d\n", processID, len(dllPath)))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Process Handle: 0x%x", processID, processHandle))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Loading DLL: %s", processID, dllPath))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - DLL Path Length: %d", processID, len(dllPath)))
 
 	dllBaseAddress, err := injectDLL(processID, windows.Handle(processHandle), dllPath)
-	if err != nil {
-		return fmt.Errorf("PID: %d - DLL injection failed: %v", processID, err)
+	if err != nil || dllBaseAddress == 0 {
+		if err == nil {
+			err = fmt.Errorf("DLL base address is 0")
+		}
+		return fmt.Errorf("DLL injection failed: %v", err)
 	}
-	logMessage(LOGLEVEL_INFO, fmt.Sprintf("PID: %d - DLL injected successfully.\n", processID))
+	logMessage(LOGLEVEL_INFO, fmt.Sprintf("PID: %d - DLL injected successfully.", processID))
 
 	FunctionRVA, err := findSymbolRVA(dllPath, dllFunction)
 	if err != nil {
-		return fmt.Errorf("PID: %d - Error finding symbol RVA: %v", processID, err)
+		return fmt.Errorf("error finding symbol RVA: %v", err)
 	}
-	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Function '%s' RVA: 0x%x\n", processID, dllFunction, FunctionRVA))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Function '%s' RVA: 0x%x", processID, dllFunction, FunctionRVA))
 
 	err = callRemoteFunction(processID, dllBaseAddress, dllFunction, uintptr(FunctionRVA))
 	if err != nil {
 
-		return fmt.Errorf("PID: %d - Error calling remote function %v", processID, err)
+		return fmt.Errorf("error calling remote function %v", err)
 	}
-	logMessage(LOGLEVEL_INFO, fmt.Sprintf("PID: %d - Function '%s' successfully called.\n", processID, dllFunction))
+	logMessage(LOGLEVEL_DEBUG, fmt.Sprintf("PID: %d - Function '%s' successfully called.", processID, dllFunction))
 
 	return nil
 }

logger.go

@@ -2,32 +2,106 @@ package main
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
 	"time"
 )
 
 const (
-	LOGLEVEL_ERROR   = 0
+	LOGLEVEL_DEBUG   = 0
 	LOGLEVEL_INFO    = 1
 	LOGLEVEL_WARNING = 2
-	LOGLEVEL_DEBUG   = 3
+	LOGLEVEL_ERROR   = 3
+	LOGLEVEL_FATAL   = 4
+
+	LOGLEVEL_DEV_DEBUG_VERBOSE = -1
+)
+
+var (
+	logFile         *os.File
+	currentLogLevel int
+	hostname        string
+	username        string
+	processName     string
+	pid             int
 )
 
-var currentLogLevel = LOGLEVEL_INFO
+func InitLogger(level int) {
+	currentLogLevel = level
+	hostname, _ = os.Hostname()
+	username = os.Getenv("USERNAME")
+	pid = os.Getpid()
+	processName = filepath.Base(os.Args[0])
+}
+
+func SetLogToFile(filePath string) {
+
+	if logFile != nil {
+		logFile.Close()
+	}
+
+	var err error
+	logFile, err = os.OpenFile(filePath, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0666)
+	if err != nil {
+		fmt.Printf("Error opening log file: %v\n", err)
+		logFile = nil
+	}
+}
 
-func SetLogLevel(logLevel int) {
-	if logLevel >= LOGLEVEL_INFO && logLevel <= LOGLEVEL_DEBUG {
-		currentLogLevel = logLevel
-	} else {
-		fmt.Println("Niveau de logging invalide. Utilisation du niveau INFO par défaut.")
-		currentLogLevel = LOGLEVEL_INFO
+func CloseLogger() {
+	if logFile != nil {
+		logFile.Sync()
+		logFile.Close()
+		logFile = nil
 	}
 }
 
-func logMessage(logLevel int, message string) {
-	if logLevel <= currentLogLevel {
-		currentTime := time.Now().Format("2006-01-02 15:04:05")
-		logLevels := []string{"ERROR", "INFO", "WARNING", "DEBUG"}
-		logMessage := fmt.Sprintf("[%s] [%s] %s", currentTime, logLevels[logLevel], message)
-		fmt.Print(logMessage)
+func CleanData(message string) string {
+	cleanedData := strings.ReplaceAll(message, "\n", "\\n")
+	cleanedData = strings.ReplaceAll(cleanedData, "\r", "\\r")
+
+	return cleanedData
+}
+
+func logMessage(level int, message string) {
+	if level < currentLogLevel {
+		return
+	}
+
+	logPrefix := ""
+	switch level {
+	case LOGLEVEL_DEBUG:
+		logPrefix = "DEBUG"
+	case LOGLEVEL_INFO:
+		logPrefix = "INFO"
+	case LOGLEVEL_WARNING:
+		logPrefix = "WARNING"
+	case LOGLEVEL_ERROR:
+		logPrefix = "ERROR"
+	case LOGLEVEL_FATAL:
+		logPrefix = "FATAL"
+	case LOGLEVEL_DEV_DEBUG_VERBOSE:
+		logPrefix = "DEV_DEBUG_VERBOSE"
+	}
+
+	logEntry := fmt.Sprintf("[%s] [%s] Hostname: %s - Username: %s - ProcessName: %s - PID: %d - Message: %s\n",
+		time.Now().Format("2006-01-02 15:04:05.000000"),
+		logPrefix,
+		hostname,
+		username,
+		processName,
+		pid,
+		CleanData(message),
+	)
+
+	fmt.Print(logEntry)
+
+	if logFile != nil {
+		_, err := logFile.WriteString(logEntry)
+
+		if err != nil {
+			fmt.Printf("Error writing to log file: %v\n", err)
+		}
 	}
 }